Merge pull request #326 from kubescape/feature/java-exception

Adding java exception on ld_preload rule

pkg/ruleengine/v1/r1011_ld_preload_hook.go

@@ -20,6 +20,7 @@ const (
 	R1011ID         = "R1011"
 	R1011Name       = "LD_PRELOAD Hook"
 	LD_PRELOAD_FILE = "/etc/ld.so.preload"
+	JAVA_COMM       = "java"
 )
 
 var LD_PRELOAD_ENV_VARS = []string{"LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH"}
@@ -62,6 +63,11 @@ func (rule *R1011LdPreloadHook) DeleteRule() {
 }
 
 func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *tracerexectype.Event, k8sObjCache objectcache.K8sObjectCache) ruleengine.RuleFailure {
+	// Java is a special case, we don't want to alert on it because it uses LD_LIBRARY_PATH.
+	if execEvent.Comm == JAVA_COMM {
+		return nil
+	}
+
 	envVars, err := utils.GetProcessEnv(int(execEvent.Pid))
 	if err != nil {
 		logger.L().Debug("Failed to get process environment variables", helpers.Error(err))

pkg/ruleengine/v1/r1011_ld_preload_hook_test.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/kubescape/node-agent/pkg/utils"
 
+	tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types"
 	traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types"
 	eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 	corev1 "k8s.io/api/core/v1"
@@ -83,4 +84,24 @@ func TestR1011LdPreloadHook(t *testing.T) {
 	if ruleResult != nil {
 		t.Errorf("Expected ruleResult to be nil since LD_PRELOAD is set in pod spec")
 	}
+
+	// Create open event
+	e2 := &tracerexectype.Event{
+		Event: eventtypes.Event{
+			CommonData: eventtypes.CommonData{
+				K8s: eventtypes.K8sMetadata{
+					BasicK8sMetadata: eventtypes.BasicK8sMetadata{
+						ContainerName: "test",
+					},
+				},
+			},
+		},
+		Comm: "java",
+	}
+	// Test with exec event
+	ruleResult = r.ProcessEvent(utils.ExecveEventType, e2, &RuleObjectCacheMock{})
+	if ruleResult != nil {
+		t.Errorf("Expected ruleResult to be nil since exec event is on java")
+	}
+
 }