Remove local config path dependency and make it a config flag

Fixes #103
Shopify · Jul 31, 2018 · fedcde1 · fedcde1
1 parent a241b15
commit fedcde1
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -391,6 +391,32 @@ WARN[0000] Allowed setting readOnlyRootFilesystem to false Reason="Write permiss
 
 <a name="contribute" />
 
+## Drop capabilities list
+
+Allows configuring the audit against drop capabilities. Sane defaults are as follows:
+
+```
+# SANE DEFAULTS:
+capabilitiesToBeDropped:
+  # https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
+  - SETPCAP #Modify process capabilities.
+  - MKNOD #Create special files using mknod(2).
+  - AUDIT_WRITE #Write records to kernel auditing log.
+  - CHOWN #Make arbitrary changes to file UIDs and GIDs (see chown(2)).
+  - NET_RAW #Use RAW and PACKET sockets.
+  - DAC_OVERRIDE #Bypass file read, write, and execute permission checks.
+  - FOWNER #Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
+  - FSETID #Don’t clear set-user-ID and set-group-ID permission bits when a file is modified.
+  - KILL #Bypass permission checks for sending signals.
+  - SETGID #Make arbitrary manipulations of process GIDs and supplementary GID list.
+  - SETUID #Make arbitrary manipulations of process UIDs.
+  - NET_BIND_SERVICE #Bind a socket to internet domain privileged ports (port numbers less than 1024).
+  - SYS_CHROOT #Use chroot(2), change root directory.
+  - SETFCAP #Set file capabilities.
+```
+
+This can be overridden by using `-d` flag and providing your own defaults in the yaml format as shown above.
+
 ## Contributing
 
 If you'd like to fix a bug, contribute a feature or just correct a typo, please feel free to do so as long as you follow our [Code of Conduct](https://github.com/Shopify/kubeaudit/blob/master/CODE_OF_CONDUCT.md).

diff --git a/cmd/capabilities.go b/cmd/capabilities.go
@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"io/ioutil"
+	"os"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -13,10 +14,36 @@ type capsDropList struct {
 	Drop []string `yaml:"capabilitiesToBeDropped"`
 }
 
+const defaultDropCapConfig = `
+# SANE DEFAULTS:
+capabilitiesToBeDropped:
+  # https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
+  - SETPCAP #Modify process capabilities.
+  - MKNOD #Create special files using mknod(2).
+  - AUDIT_WRITE #Write records to kernel auditing log.
+  - CHOWN #Make arbitrary changes to file UIDs and GIDs (see chown(2)).
+  - NET_RAW #Use RAW and PACKET sockets.
+  - DAC_OVERRIDE #Bypass file read, write, and execute permission checks.
+  - FOWNER #Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
+  - FSETID #Don’t clear set-user-ID and set-group-ID permission bits when a file is modified.
+  - KILL #Bypass permission checks for sending signals.
+  - SETGID #Make arbitrary manipulations of process GIDs and supplementary GID list.
+  - SETUID #Make arbitrary manipulations of process UIDs.
+  - NET_BIND_SERVICE #Bind a socket to internet domain privileged ports (port numbers less than 1024).
+  - SYS_CHROOT #Use chroot(2), change root directory.
+  - SETFCAP #Set file capabilities.
+`
+
 func recommendedCapabilitiesToBeDropped() (dropCapSet CapSet, err error) {
-	yamlFile, err := ioutil.ReadFile("config/capabilities-drop-list.yml")
-	if err != nil {
-		return
+	yamlFile := []byte(defaultDropCapConfig)
+	if rootConfig.dropCapConfig != "" {
+		if _, err = os.Stat(rootConfig.dropCapConfig); err != nil {
+			return
+		}
+		yamlFile, err = ioutil.ReadFile(rootConfig.dropCapConfig)
+		if err != nil {
+			return
+		}
 	}
 	caps := capsDropList{}
 	err = yaml.Unmarshal(yamlFile, &caps)

diff --git a/cmd/root.go b/cmd/root.go
@@ -11,13 +11,14 @@ import (
 var rootConfig rootFlags
 
 type rootFlags struct {
-	allPods    bool
-	json       bool
-	kubeConfig string
-	localMode  bool
-	manifest   string
-	namespace  string
-	verbose    string
+	allPods       bool
+	json          bool
+	kubeConfig    string
+	localMode     bool
+	manifest      string
+	namespace     string
+	verbose       string
+	dropCapConfig string
 }
 
 var RootCmd = &cobra.Command{
@@ -45,4 +46,5 @@ func init() {
 	RootCmd.PersistentFlags().BoolVarP(&rootConfig.allPods, "allPods", "a", false, "Audit againsts pods in all the phases (default Running Phase)")
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.namespace, "namespace", "n", apiv1.NamespaceAll, "Specify the namespace scope to audit")
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.manifest, "manifest", "f", "", "yaml configuration to audit")
+	RootCmd.PersistentFlags().StringVarP(&rootConfig.dropCapConfig, "dropCapConfig", "d", "", "yaml configuration to audit")
 }
diff --git a/config/capabilities-drop-list.yml b/config/capabilities-drop-list.yml