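# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
#
# Description
#  On Ubuntu kernels carrying both c914c0e27eb0 and
#  "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs",
#  an unprivileged user may set privileged extended attributes on the mounted files,
#  leading them to be set on the upper files without the appropriate security checks.
#
# Affected ubuntu kernel version:
#  6.2.0
#  5.19.0 tested on kernel 5.19.0-46
#  ...
#
# Prevention:
#  Prevents copying up security.capability xattr on overlayfs from a user namespace,
#  making it a nop.
#
# Prerequisites
#  Needs a kernel with a CONFIG_BPF_KPROBE_OVERRIDE=y
#
# Doing "getcap upper/binary" will display empty file capabilities.
#
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  # The CVE number in the name was transposed ("2460") in an earlier revision;
  # it now matches the file name and the reference above. Note that applying
  # the policy under the corrected name creates a new object rather than
  # updating one installed under the old name.
  name: "cve-2023-2640-overlayfs-ubuntu"
  #annotations:
  #  url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
  #  description: "Prevents copying up security.capability xattr on overlayfs from a user namespace."
  #  author: "Djalal Harouni"
spec:
  kprobes:
  # security_inode_copy_up_xattr() is the LSM hook consulted when overlayfs
  # copies an xattr up to the upper layer. It is not a syscall, and
  # `return: true` also records its int return value (see returnArg).
  - call: "security_inode_copy_up_xattr"
    syscall: false
    return: true
    args:
    # arg 0: name of the xattr being copied up
    - index: 0
      type: "string"
    returnArg:
      index: 0
      type: "int"
    selectors:
    # All three clauses of this selector must match: the calling process is
    # in a User namespace other than the host's ...
    - matchNamespaces:
      - namespace: User
        operator: NotIn
        values:
        - "host_ns"
      # ... and the xattr being copied up is security.capability. The
      # trailing \0 (a NUL byte in a double-quoted YAML scalar) presumably
      # pins an exact, NUL-terminated match rather than a prefix match —
      # confirm against the string-matching semantics of the Tetragon
      # version in use.
      matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "security.capability\0"
      # ... in which case the hook's return value is overridden. This needs
      # CONFIG_BPF_KPROBE_OVERRIDE=y, as noted in the header.
      matchActions:
      - action: Override
        argError: 1  # Override with 1 avoids copying up security.capability, with -1 the copy up fails.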