Feature Enhancement: Is warning/disabling limited to only a subset of system calls?
dejavudwh opened this issue
Is warning/disabling restricted to the system calls involved in the KubeArmor/KubeArmor/BPF/system_monitor.c file?

If so, is it possible to hook into raw_tracepoint/sys_enter, disable the system calls of the current process based on the system call number and the binary executable file path information of the task_struct, and then pass some key information to user space for further processing?
@dejavudwh KubeArmor does not allow custom syscalls. We have a predefined set of hooks which are safe to work with to do enforcement. We specifically use BPF LSM for that.
I believe if you create a Block policy for the process you want to block, KubeArmor should already be blocking it without needing to hook into sys_enter.
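As an added illustration of the Block policy the reply refers to (this is example configuration, not a policy from the KubeArmor project or from either participant): a KubeArmorPolicy that blocks execution of a given binary inside a set of pods, and additionally blocks one file path only when it is accessed from a specific process. The namespace, the label selector and the paths `/usr/bin/sleep`, `/usr/bin/cat` and `/etc/passwd` are assumed values for the example; the CRD fields themselves (`spec.selector.matchLabels`, `spec.process.matchPaths`, `spec.file.matchPaths`, `fromSource`, `action`) are the standard KubeArmorPolicy schema.

```yaml
# Added example policy (not from the original thread); workload and paths are assumed.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-sleep-and-passwd-read   # assumed policy name
  namespace: default                  # assumed namespace
spec:
  severity: 5
  message: "execution of sleep / passwd read from cat blocked"
  tags: ["example"]
  selector:
    matchLabels:
      app: demo                       # assumed pod label
  # Process rule: the kernel LSM hook denies any exec of this binary,
  # so no sys_enter hooking is needed to stop the process from running.
  process:
    matchPaths:
      - path: /usr/bin/sleep          # assumed binary to block
  # File rule scoped to a source process: only /usr/bin/cat is denied
  # reading /etc/passwd; other processes in the pod are unaffected.
  file:
    matchPaths:
      - path: /etc/passwd
        fromSource:
          - path: /usr/bin/cat
  action: Block
```

Applying this with `kubectl apply -f` and then attempting `sleep 1` or `cat /etc/passwd` in a matching pod should produce a permission-denied error, and the corresponding events (with `Action: Block`) can be observed with `karmor logs`, KubeArmor's own CLI, which covers the "pass key information to user space" part of the question without a custom tracepoint.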