Vulnerability Mitigation
cgroups-lxcfs-escape-mitigation
Mitigate cgroups & lxcfs escape.
If users mount the host's cgroupfs into a container or use lxcfs to provide a resource view for the container, there may be a risk of container escape in both scenarios. Attackers could manipulate cgroupfs from within the container to achieve container escape.
This rule can also be used to defend against CVE-2022-0492 vulnerability exploitation.
AppArmor Enforcer prevents writing to:
/\*\*/release_agent/\*\*/devices/device.allow/\*\*/devices/\*\*/device.allow/\*\*/devices/cgroup.procs/\*\*/devices/\*\*/cgroup.procs/\*\*/devices/task/\*\*/devices/\*\*/task
BPF Enforcer prevents writing to:
/\*\*/release_agent/\*\*/devices.allow/\*\*/cgroup.procs/\*\*/devices/tasks
- AppArmor
- BPF
runc-override-mitigation
Mitigate the ability to override runc to escape.
The rule is designed to mitigate vulnerabilities such as CVE-2019-5736 that exploit container escape by tampering with the host machine's runc.
Disallow writing to /**/runc files.
- AppArmor
- BPF
dirty-pipe-mitigation
Mitigate the 'Dirty Pipe' exploit to escape.
The rule is designed to defend against attacks exploiting the CVE-2022-0847 (Dirty Pipe) vulnerability for container escape. You can use this rule to harden container, before upgrading or patching the kernel.
Note: While this rule may cause issues in some software packages, blocking the syscall usually does not have an effect on legitimate applications, since use of this syscall is relatively rare.
Disallow calling splice syscall.
- Seccomp