policylibrary: add userns to privileged-raise policy

Signed-off-by: Djalal Harouni <[email protected]>
cilium · Jan 10, 2024 · 2769e72 · 2769e72
1 parent bb8d654
commit 2769e72
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/examples/policylibrary/privileges/privileges-raise.yaml b/examples/policylibrary/privileges/privileges-raise.yaml
@@ -1,7 +1,9 @@
 # This 'privileges-raise' Tracing Policy monitors processes trying
 # to raise their privileges:
 #
-# 1. Change their uids/gids to user root.
+# 1. Unprivileged creating user namespace to gain new capabilities.
+#
+# 2. Change their uids/gids to user root.
 #
 #  __sys_setuid
 #    - __x64_sys_setuid
@@ -60,6 +62,22 @@ metadata:
     description: "Detects privileges raising operations"
 spec:
   kprobes:
+  - call: "create_user_ns"
+    syscall: false
+    return: true
+    message: "Unprivileged created a user namespace"
+    args:
+    - index: 0
+      type: "nop" # No need for argument as this targets unprivileged anyway.
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchCapabilities:
+      - type: Effective
+        operator: NotIn
+        values:
+        - "CAP_SYS_ADMIN"
   - call: "__sys_setuid"
     syscall: false
     return: true