Disallow Proc Mount
Description
The default /proc masks are set up to reduce attack surface, and should be required. This security control ensures nothing but the default procMount can be specified.
Restricted Fields
- spec.containers[*].securityContext.procMount
- spec.initContainers[*].securityContext.procMount
- spec.ephemeralContainers[*].securityContext.procMount
Allowed Values
- Undefined/nil
- Default
Risks
It is recommended that you use the Default procMount, as it applies the container runtime's defaults for read-only and masked paths under /proc. Most container runtimes mask certain paths in /proc to avoid accidental security exposure of special devices or information. When procMount is set to Unmasked, we encounter the following risks:
- Exposure of Sensitive Information: With "Unmasked", the container has access to the entire /proc filesystem without restrictions. This can expose sensitive information about the host such as cpuinfo, devices, diskstats and other system-related information.
- Increased Attack Surface: An unmasked /proc can reveal detailed information about system processes and kernel internals. This can assist attackers in crafting more targeted attacks or exploits.
Kyverno Policy
Refer to the Nirmata curated policies - disallow-proc-mount.yaml
References
Configuration Settings
The configuration below indicates that if the deployed resource contains one of ephemeralContainers, initContainers or containers in its spec field, AND the securityContext.procMount field is present, then the only acceptable value is Default to be conformant with this security control. If the securityContext field is not present, the resource is conformant by default.
=(ephemeralContainers):
- =(securityContext):
    =(procMount): "Default"
=(initContainers):
- =(securityContext):
    =(procMount): "Default"
containers:
- =(securityContext):
    =(procMount): "Default"
Resource Example
Below is a Deployment resource example where securityContext.procMount is set to Default for both initContainers and containers.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          procMount: Default
      - name: initcontainer02
        image: dummyimagename
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          procMount: Default
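As an added example (not the page's or Kyverno's own code), the following Python validator applies the configuration pattern from the Configuration Settings section to the Deployment shown above and to a constructed non-conformant copy of it. It assumes the resource is supplied as an already-parsed dict rather than YAML text, and that an unset procMount is treated as conformant, as the page states.

```python
import copy

# Values of securityContext.procMount this control accepts: unset or "Default".
ALLOWED_PROC_MOUNT = {None, "Default"}
# The three container lists the restricted fields cover.
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")


def proc_mount_violations(pod_spec):
    """Return (list name, container name, value) for every container whose
    securityContext.procMount is set to anything other than Default."""
    violations = []
    for list_name in CONTAINER_LISTS:
        for container in pod_spec.get(list_name) or []:
            # A missing securityContext (or missing procMount) is conformant by default.
            value = (container.get("securityContext") or {}).get("procMount")
            if value not in ALLOWED_PROC_MOUNT:
                violations.append((list_name, container.get("name", "<unnamed>"), value))
    return violations


def is_conformant(deployment):
    """True when no container in the Deployment's pod template overrides procMount."""
    return not proc_mount_violations(deployment["spec"]["template"]["spec"])


# Constructed sample: the conformant Deployment from the page, as a dict
# (replicas/selector/labels omitted since the check never reads them).
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "gooddeployment"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "initcontainer01", "image": "dummyimagename",
             "securityContext": {"procMount": "Default"}},
            {"name": "initcontainer02", "image": "dummyimagename"},
        ],
        "containers": [
            {"name": "container01", "image": "dummyimagename",
             "securityContext": {"procMount": "Default"}},
        ],
    }}},
}

# Constructed non-conformant variant: the app container asks for an Unmasked /proc.
BAD_DEPLOYMENT = copy.deepcopy(GOOD_DEPLOYMENT)
BAD_DEPLOYMENT["spec"]["template"]["spec"]["containers"][0]["securityContext"]["procMount"] = "Unmasked"
```

Running is_conformant on each dict reports the page's Deployment as conformant and the Unmasked variant as a violation on container01.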