Disallow Proc Mount

Description

The default /proc masks are set up to reduce attack surface, and should be required. This security control ensures nothing but the default procMount can be specified.

Restricted Fields

  • spec.containers[*].securityContext.procMount
  • spec.initContainers[*].securityContext.procMount
  • spec.ephemeralContainers[*].securityContext.procMount

Allowed Values

  • Undefined/nil
  • Default

Risks

It is recommended that you use the Default procMount, which applies the container runtime's read-only and masked paths for /proc. Most container runtimes mask certain paths in /proc to avoid accidental exposure of special devices or information. When procMount is set to Unmasked, the following risks arise:

  • Exposure of Sensitive Information: With “Unmasked”, the container has access to the entire /proc filesystem without restrictions. This can expose sensitive information about the host such as cpuinfo, devices, diskstats and other system-related information.

  • Increased Attack Surface: An unmasked /proc can reveal detailed information about system processes and kernel internals. This can assist attackers in crafting more targeted attacks or exploits.

Kyverno Policy

Refer to the Nirmata curated policies - disallow-proc-mount.yaml

Configuration Settings

The configuration below states that if the deployed resource contains any of ephemeralContainers, initContainers or containers in its spec, AND a container's securityContext.procMount field is present, then the only acceptable value is Default for the resource to be conformant with this security control. If securityContext, or procMount within it, is not present, the resource is conformant by default.

=(ephemeralContainers):
  - =(securityContext):
    =(procMount): "Default"
=(initContainers):
  - =(securityContext):
    =(procMount): "Default"
containers:
  - =(securityContext):
    =(procMount): "Default"

Resource Example

Below is a Deployment resource example where securityContext.procMount is set to Default for both initContainers and containers.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          procMount: Default
      - name: initcontainer02
        image: dummyimagename
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          procMount: Default
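As an added illustration (not Kyverno's engine and not the Nirmata policy itself), the Python below applies the same rule to a parsed manifest: it locates the pod spec for either a Pod or a workload with a pod template, treats a missing securityContext or procMount as conformant, and reports the field paths that violate the control. The Deployment above is embedded as a conformant input; the Pod with procMount: Unmasked is a constructed counterexample.

```python
# Accepted values for securityContext.procMount under this control.
ALLOWED_PROC_MOUNT = {None, "Default"}
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")


def _pod_spec(manifest: dict) -> tuple[str, dict]:
    """Locate the pod spec: top level for a Pod, spec.template.spec otherwise."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return "spec", spec
    return "spec.template.spec", (spec.get("template") or {}).get("spec") or {}


def proc_mount_violations(manifest: dict) -> list[str]:
    """Field paths whose procMount is set to anything other than Default.
    Missing securityContext/procMount is conformant, like the =( ) anchors."""
    prefix, pod_spec = _pod_spec(manifest)
    violations: list[str] = []
    for list_name in CONTAINER_LISTS:
        for idx, container in enumerate(pod_spec.get(list_name) or []):
            value = (container.get("securityContext") or {}).get("procMount")
            if value not in ALLOWED_PROC_MOUNT:
                violations.append(
                    f"{prefix}.{list_name}[{idx}].securityContext.procMount={value}")
    return violations


# Constructed inputs: the page's conformant Deployment, and a hypothetical Pod
# that asks for an unmasked /proc in one of its containers.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "gooddeployment"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "initcontainer01", "image": "dummyimagename",
             "securityContext": {"procMount": "Default"}},
            {"name": "initcontainer02", "image": "dummyimagename"}],
        "containers": [
            {"name": "container01", "image": "dummyimagename",
             "securityContext": {"procMount": "Default"}}]}}},
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "unmasked-proc"},
    "spec": {"containers": [
        {"name": "app", "image": "dummyimagename",
         "securityContext": {"procMount": "Unmasked"}}]},
}
```

Calling proc_mount_violations(GOOD_DEPLOYMENT) returns an empty list, while proc_mount_violations(BAD_POD) names the offending container field.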