Merge pull request #4 from Danny-Wei/bind-clusterroles-roles
fix: correct the detection logic for bind_roles
yuvalavra authored Jan 1, 2024
2 parents 776d9dc + da4491d commit 5713ae9
Showing 3 changed files with 14 additions and 19 deletions.
12 changes: 2 additions & 10 deletions lib/bind_roles.rego
Expand Up @@ -3,7 +3,7 @@ import data.police_builtins as pb
import future.keywords.in

describe[{"desc": desc, "severity": severity}] {
desc := sprintf("Identities that can bind clusterrolebindings or bind rolebindings in privileged namespaces (%v) can grant admin-equivalent permissions to themselves", [concat(", ", pb.privileged_namespaces)])
desc := sprintf("Identities that can bind clusterroles or bind roles in privileged namespaces (%v) can grant admin-equivalent permissions to themselves", [concat(", ", pb.privileged_namespaces)])
severity := "Critical"
}
targets := {"serviceAccounts", "nodes", "users", "groups"}
Expand All @@ -12,15 +12,7 @@ evaluateRoles(roles, owner) {
some role in roles
pb.affectsPrivNS(role)
some rule in role.rules
rolebindingsOrClusterrolebindings(rule.resources)
pb.rolesOrClusterroles(rule.resources)
pb.valueOrWildcard(rule.verbs, "bind")
pb.valueOrWildcard(rule.apiGroups, "rbac.authorization.k8s.io")
}

rolebindingsOrClusterrolebindings(resources) {
"clusterrolebindings" in resources
} {
"rolebindings" in resources
} {
pb.hasWildcard(resources)
}
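Review bot: The rewritten `evaluateRoles` treats any rule granting `bind` on roles/clusterroles as Critical but never reads `rule.resourceNames`, so a rule that only allows binding one specific low-privilege role (`resourceNames: ["view"]`) is reported as admin-equivalent. In Kubernetes the `bind` verb only relaxes the escalation check when a RoleBinding/ClusterRoleBinding is created, so the subject additionally needs `create` on those bindings, which this rule does not require; some findings may therefore describe identities that cannot actually bind anything. At minimum the resourceNames case deserves either a guard such as `not rule.resourceNames` before the verb check, or a comment like `# NOTE: bind restricted by resourceNames is limited to the named roles; still flagged Critical here`. The `evaluateRoles` signature sits on the hunk header, outside the hunk.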
10 changes: 1 addition & 9 deletions lib/escalate_roles.rego
Expand Up @@ -12,15 +12,7 @@ evaluateRoles(roles, owner) {
some role in roles
pb.affectsPrivNS(role)
some rule in role.rules
rolesOrClusterroles(rule.resources)
pb.rolesOrClusterroles(rule.resources)
pb.valueOrWildcard(rule.verbs, "escalate")
pb.valueOrWildcard(rule.apiGroups, "rbac.authorization.k8s.io")
}

rolesOrClusterroles(resources) {
"clusterroles" in resources
} {
"roles" in resources
} {
pb.hasWildcard(resources)
}
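Review bot: Holding `escalate` on roles/clusterroles only lifts the privilege-escalation check on a write; the subject still needs `update`/`patch` (or `create`) on the same resources to change a role, and the new `evaluateRoles` body does not test for any such write verb, so an identity with `escalate` alone is flagged Critical although it cannot exercise it. Like the bind rule it also ignores `rule.resourceNames`, which can confine `escalate` to specific roles. If flagging the bare verb grant is intentional, a comment stating that, e.g. `# escalate alone is flagged; pairing with update/patch/create on roles is not verified here`, would stop the next reader from assuming the write verb was checked. `evaluateRoles` begins on the hunk header, outside the hunk.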
11 changes: 11 additions & 0 deletions lib/utils/builtins.rego
Expand Up @@ -140,6 +140,17 @@ podControllerApiGroup(apiGroups) {
hasWildcard(apiGroups)
}


# True if @resources includes either 'clusterroles', 'roles', or a wildcard
rolesOrClusterroles(resources) {
"clusterroles" in resources
} {
"roles" in resources
} {
hasWildcard(resources)
}


# Return the roles referenced by @roleRefs
effectiveRoles(roleRefs) = effectiveRoles {
effectiveRoles := { effectiveRole |
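Review bot: The comment on the new `rolesOrClusterroles` helper should state what it does not check, since both callers now rely on it for a Critical finding: it matches resource kinds only, leaving verbs, apiGroups and `resourceNames` to the caller. Suggested wording: `# True if @resources names 'clusterroles', 'roles', or a wildcard. Checks resource kinds only; callers must test verbs, apiGroups and resourceNames themselves.` The helper is also surrounded by doubled blank lines, which looks unlike the single blank after `podControllerApiGroup`; hedged, since the rest of the file is not visible.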
