
     1  # METADATA
     2  # title: "SELinux custom options set"
     3  # description: "Setting a custom SELinux user or role option should be forbidden."
     4  # scope: package
     5  # schemas:
     6  # - input: schema["kubernetes"]
     7  # related_resources:
     8  # - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
     9  # custom:
    10  #   id: KSV025
    11  #   avd_id: AVD-KSV-0025
    12  #   severity: MEDIUM
    13  #   short_code: no-custom-selinux-options
    14  #   recommended_action: "Do not set 'spec.securityContext.seLinuxOptions', spec.containers[*].securityContext.seLinuxOptions and spec.initContainers[*].securityContext.seLinuxOptions."
    15  #   input:
    16  #     selector:
    17  #     - type: kubernetes
    18  package builtin.kubernetes.KSV025
    19  
    20  import data.lib.kubernetes
    21  import data.lib.utils
    22  
# failSELinux is given a default here, but no rule body in this file assigns
# it and neither deny rule references it; it is kept only so that any external
# consumer of data.builtin.kubernetes.KSV025.failSELinux keeps resolving.
default failSELinux = false

# SELinux types accepted in seLinuxOptions.type. Any type that is set and not
# in this list is reported by failSELinuxType.
# NOTE(review): compare against the related_resources baseline page before
# relying on this list being complete — types added to the standard later are
# reported as invalid until they are appended here.
allowed_selinux_types := ["container_t", "container_init_t", "container_kvm_t"]
    26  
    27  getAllSecurityContexts[context] {
    28  	context := kubernetes.containers[_].securityContext
    29  }
    30  
    31  getAllSecurityContexts[context] {
    32  	context := kubernetes.pods[_].spec.securityContext
    33  }
    34  
    35  failSELinuxType[type] {
    36  	context := getAllSecurityContexts[_]
    37  
    38  	trace(context.seLinuxOptions.type)
    39  	context.seLinuxOptions != null
    40  	context.seLinuxOptions.type != null
    41  
    42  	not hasAllowedType(context.seLinuxOptions)
    43  
    44  	type := context.seLinuxOptions.type
    45  }
    46  
    47  failForbiddenSELinuxProperties[key] {
    48  	context := getAllSecurityContexts[_]
    49  
    50  	context.seLinuxOptions != null
    51  
    52  	forbiddenProps := getForbiddenSELinuxProperties(context)
    53  	key := forbiddenProps[_]
    54  }
    55  
    56  getForbiddenSELinuxProperties(context) = keys {
    57  	forbiddenProperties = ["role", "user"]
    58  	keys := {msg |
    59  		key := forbiddenProperties[_]
    60  		utils.has_key(context.seLinuxOptions, key)
    61  		msg := sprintf("'%s'", [key])
    62  	}
    63  }
    64  
    65  hasAllowedType(options) {
    66  	allowed_selinux_types[_] == options.type
    67  }
    68  
    69  deny[res] {
    70  	type := failSELinuxType[_]
    71  	msg := kubernetes.format(sprintf("%s '%s' uses invalid seLinux type '%s'", [kubernetes.kind, kubernetes.name, type]))
    72  	res := result.new(msg, input.spec)
    73  }
    74  
    75  deny[res] {
    76  	keys := failForbiddenSELinuxProperties
    77  	count(keys) > 0
    78  	msg := kubernetes.format(sprintf("%s '%s' uses restricted properties in seLinuxOptions: (%s)", [kubernetes.kind, kubernetes.name, concat(", ", keys)]))
    79  	res := result.new(msg, input.spec)
    80  }