From da4491df5341a4e68362b71fee002798697046d4 Mon Sep 17 00:00:00 2001
From: "weiwei.danny"
Date: Thu, 21 Dec 2023 18:29:46 +0800
Subject: [PATCH] fix: correct the detection logic for bind_roles
---
 lib/bind_roles.rego | 12 ++----------
 lib/escalate_roles.rego | 10 +---------
 lib/utils/builtins.rego | 11 +++++++++++
 3 files changed, 14 insertions(+), 19 deletions(-)
diff --git a/lib/bind_roles.rego b/lib/bind_roles.rego
index 8d0e5ce..a6ad9e6 100644
--- a/lib/bind_roles.rego
+++ b/lib/bind_roles.rego
@@ -3,7 +3,7 @@ import data.police_builtins as pb
 import future.keywords.in
 describe[{"desc": desc, "severity": severity}] {
- desc := sprintf("Identities that can bind clusterrolebindings or bind rolebindings in privileged namespaces (%v) can grant admin-equivalent permissions to themselves", [concat(", ", pb.privileged_namespaces)])
+ desc := sprintf("Identities that can bind clusterroles or bind roles in privileged namespaces (%v) can grant admin-equivalent permissions to themselves", [concat(", ", pb.privileged_namespaces)])
 severity := "Critical"
 }
 targets := {"serviceAccounts", "nodes", "users", "groups"}
@@ -12,15 +12,7 @@ evaluateRoles(roles, owner) {
 some role in roles
 pb.affectsPrivNS(role)
 some rule in role.rules
- rolebindingsOrClusterrolebindings(rule.resources)
+ pb.rolesOrClusterroles(rule.resources)
 pb.valueOrWildcard(rule.verbs, "bind")
 pb.valueOrWildcard(rule.apiGroups, "rbac.authorization.k8s.io")
 }
-
-rolebindingsOrClusterrolebindings(resources) {
- "clusterrolebindings" in resources
-} {
- "rolebindings" in resources
-} {
- pb.hasWildcard(resources)
-}
diff --git a/lib/escalate_roles.rego b/lib/escalate_roles.rego
index 884bf1b..b60ea17 100644
--- a/lib/escalate_roles.rego
+++ b/lib/escalate_roles.rego
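Review bot: The rewritten match in evaluateRoles reports any `bind` grant on roles/clusterroles as Critical without looking at `rule.resourceNames`, so a rule restricted to binding one named, low-privilege role is flagged the same as an unrestricted one; lib/escalate_roles.rego has the same gap after this change. Narrowing the match would risk missing a resourceNames-scoped bind to a powerful role, so the safer fix is to make the limitation explicit in the rule, e.g. `# NOTE: rule.resourceNames is not inspected; a bind/escalate scoped to specific role names is still reported` above `some rule in role.rules`, or to carry the names into the finding. The diffstat lists no policy test alongside the three .rego changes, so the corrected resource names (`roles`/`clusterroles` rather than the binding resources) appear to be unverified by a test; confirm whether the project keeps tests elsewhere. evaluateRoles's signature (line 11 per the hunk header) is outside the hunk.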
@@ -12,15 +12,7 @@ evaluateRoles(roles, owner) {
 some role in roles
 pb.affectsPrivNS(role)
 some rule in role.rules
- rolesOrClusterroles(rule.resources)
+ pb.rolesOrClusterroles(rule.resources)
 pb.valueOrWildcard(rule.verbs, "escalate")
 pb.valueOrWildcard(rule.apiGroups, "rbac.authorization.k8s.io")
 }
-
-rolesOrClusterroles(resources) {
- "clusterroles" in resources
-} {
- "roles" in resources
-} {
- pb.hasWildcard(resources)
-}
diff --git a/lib/utils/builtins.rego b/lib/utils/builtins.rego
index 8b8bc78..179b48d 100644
--- a/lib/utils/builtins.rego
+++ b/lib/utils/builtins.rego
@@ -140,6 +140,17 @@ podControllerApiGroup(apiGroups) {
 hasWildcard(apiGroups)
 }
+
+# True if @resources includes either 'clusterroles', 'roles', or a wildcard
+rolesOrClusterroles(resources) {
+ "clusterroles" in resources
+} {
+ "roles" in resources
+} {
+ hasWildcard(resources)
+}
+
+
 # Return the roles referenced by @roleRefs
 effectiveRoles(roleRefs) = effectiveRoles {
 effectiveRoles := { effectiveRole |
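Review bot: `rolesOrClusterroles` relies on the `in` keyword, and whether lib/utils/builtins.rego imports `future.keywords.in` (or `future.keywords`) is not visible here — on OPA releases before 1.0 the rule would fail to parse without it, so confirm the file header carries the import that bind_roles.rego has. The two trailing `+` blank lines, together with the existing blank context line, leave three empty lines before `# Return the roles referenced by @roleRefs`, while the rest of the visible file separates rules with one; drop the two extra lines. The header comment could also pin the contract callers depend on, e.g. `# True if @resources contains 'roles', 'clusterroles' (exact, lowercase plural as written in RBAC rules) or a wildcard; apiGroups and verbs must be checked by the caller`.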