rspec/rules/S5849/kubernetes/rule.adoc

Setting capabilities can lead to privilege escalation and container escapes.

Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges.

In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container.


== Ask Yourself Whether

Capabilities are granted:

* To a process that does not require all capabilities to do its job.
* To a not trusted process.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned.


== Sensitive Code Example

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    securityContext:
      capabilities:
        add: ["SYS_ADMIN"] # Sensitive
----

== Compliant Solution

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
----


== See

* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 -  Incorrect Privilege Assignment]
* https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Kubernetes Documentation] - Configure a Security Context for a Pod or Container
* https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux manual page] - capabilities(7)


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure setting capabilities is safe here.


'''
== Comments And Links
(visible only on this page)


endif::env-github,rspecator-view[]
Create rule S5849: Setting capabilities is security-sensitive (#1026) 2022-07-19 10:46:58 +02:00			`Setting capabilities can lead to privilege escalation and container escapes.`

			Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges.

			In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container.


			`== Ask Yourself Whether`

			`Capabilities are granted:`

			`* To a process that does not require all capabilities to do its job.`
			`* To a not trusted process.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned.`


			`== Sensitive Code Example`

			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: example`
			`spec:`
			`containers:`
			`- image: k8s.gcr.io/test-webserver`
			`name: test-container`
			`securityContext:`
			`capabilities:`
			`add: ["SYS_ADMIN"] # Sensitive`
			`----`

			`== Compliant Solution`

			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: example`
			`spec:`
			`containers:`
			`- image: k8s.gcr.io/test-webserver`
			`name: test-container`
			`----`


			`== See`

Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]`
			`* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]`
Create rule S5849: Setting capabilities is security-sensitive (#1026) 2022-07-19 10:46:58 +02:00			`* https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Kubernetes Documentation] - Configure a Security Context for a Pod or Container`
			`* https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux manual page] - capabilities(7)`


			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure setting capabilities is safe here.`

Create rule S5849: Setting capabilities is security-sensitive (#1026) 2022-07-19 10:46:58 +02:00
			`'''`
			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00

Create rule S5849: Setting capabilities is security-sensitive (#1026) 2022-07-19 10:46:58 +02:00			`endif::env-github,rspecator-view[]`