From 2bc2b3233e7935918fca1e1e1852d99aef638dcf Mon Sep 17 00:00:00 2001
From: sailikhith-stepsecurity
Date: Wed, 28 Aug 2024 15:57:16 +0530
Subject: [PATCH 1/3] fix dns resolver for docker

---
 dnsconfig.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dnsconfig.go b/dnsconfig.go
index d5ffe9b..a07e320 100644
--- a/dnsconfig.go
+++ b/dnsconfig.go
@@ -25,7 +25,7 @@ const (
 // https://unix.stackexchange.com/questions/508397/what-is-the-recommended-way-to-set-a-global-dns-server-override-on-a-system-usin
 // Domains=~. instructs systemd-resolved to always use the global nameservers
 // and to never query any DHCP-supplied nameservers
- localDnsServer = "[Resolve]\nDNS=127.0.0.1\nDomains=~.\n"
+ localDnsServer = "[Resolve]\nDNS=127.0.0.1 172.17.0.1\nDomains=~.\n"
 )

 func updateDockerConfig(configPath string) error {
@@ -46,7 +46,7 @@ func updateDockerConfig(configPath string) error {
 return errors.Wrap(err, "failed to unmarshal config file")
 }
 
- m["dns"] = []string{dockerDnsServer}
+ // m["dns"] = []string{dockerDnsServer}
 m["live-restore"] = true
 // m["userns-remap"] = "runner:runner"
 // Checkout: https://docs.docker.com/engine/security/userns-remap/#enable-userns-remap-on-the-daemon

From 3850ce0c6db27da4562283dfdaa56df966c14a07 Mon Sep 17 00:00:00 2001
From: sailikhith-stepsecurity
Date: Wed, 28 Aug 2024 16:07:33 +0530
Subject: [PATCH 2/3] fix go tests

---
 dnsconfig_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dnsconfig_test.go b/dnsconfig_test.go
index fa134db..7616c8a 100644
--- a/dnsconfig_test.go
+++ b/dnsconfig_test.go
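Review bot: The new `DNS=` line puts a non-loopback address into the host's global resolver list without saying why, and systemd-resolved treats that list as a failover set, so if the proxy on 127.0.0.1 stops answering, host queries go to 172.17.0.1 — which is only safe if the same proxy is bound there, something this hunk does not show. The motivation looks like Docker: containers inherit the host resolver list but drop loopback entries, so a routable address is needed for them to reach the proxy; that reasoning belongs next to the constant, e.g. `// 172.17.0.1 (docker0) is listed so containers, which drop loopback resolvers, still reach the proxy; keep 127.0.0.1 first`. The name `localDnsServer` no longer describes its contents now that it carries a bridge address as well; a rename or a comment would avoid the next reader assuming both are loopback. Confirm the proxy is already listening on 172.17.0.1 when this file is written, otherwise the failover entry points at nothing.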
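Review bot: The `m["dns"]` assignment is commented out rather than removed, which leaves dead code and no record of why containers no longer receive an explicit resolver; replace it with a statement of intent, e.g. `// "dns" is deliberately unset: containers inherit the host resolver list written by writeResolveConfig, which includes the bridge address of the proxy`. If `dockerDnsServer` has no remaining users after this, drop it too — an unused constant is not flagged by go vet. With the explicit setting gone, container egress filtering now depends on the resolved config being written and picked up before containers start; if that step fails, containers presumably fall back to whatever resolver Docker chooses, so a check or test that containers actually see the proxy address would close that gap. updateDockerConfig continues outside the hunk.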
@@ -41,11 +41,11 @@ func Test_updateDockerConfig(t *testing.T) {
 }{
 {name: "existing file",
 args: args{configPath: tmpFileName},
- want: "{\"cgroup-parent\":\"/actions_job\",\"dns\":[\"172.17.0.1\"],\"live-restore\":true}",
+ want: "{\"cgroup-parent\":\"/actions_job\",\"live-restore\":true}",
 wantErr: false},
 {name: "non existent file",
 args: args{configPath: mockDockerConfigPath},
- want: "{\"dns\":[\"172.17.0.1\"],\"live-restore\":true}",
+ want: "{\"live-restore\":true}",
 wantErr: false},
 }
@@ -79,7 +79,7 @@ func Test_writeResolveConfig(t *testing.T) {
 }{
 {name: "overwrite file",
 args: args{configPath: tmpFileName},
- want: "[Resolve]\nDNS=127.0.0.1\nDomains=~.\n",
+ want: "[Resolve]\nDNS=127.0.0.1 172.17.0.1\nDomains=~.\n",
 wantErr: false},
 }
 for _, tt := range tests {

From 909c4e349fe9d8d5722474aa78a6a787a7a3cc4d Mon Sep 17 00:00:00 2001
From: sailikhith-stepsecurity
Date: Wed, 28 Aug 2024 19:32:34 +0530
Subject: [PATCH 3/3] add functionality to switch to audit mode when domain resolution fails

---
 agent.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/agent.go b/agent.go
index e182fa4..9fa0738 100644
--- a/agent.go
+++ b/agent.go
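Review bot: The updated `want` string in Test_writeResolveConfig is the only place that pins the order of the two resolvers, and nothing in the test case says that the order is significant, so a future reorder would read as a harmless expectation update; a one-line comment on the case would prevent that, e.g. `// 127.0.0.1 (local proxy) must stay first; 172.17.0.1 is the bridge address containers fall back to`. That the second address is the bridge is inferred from the daemon.json change earlier in this series, so confirm before wording it that way.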
@@ -125,10 +125,22 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 // this will cause domain, IP mapping to be cached
 ipAddress, err := dnsProxy.getIPByDomain(domainName)
 if err != nil {
- WriteLog(fmt.Sprintf("Error resolving allowed domain %v", err))
- WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved", StepSecurityAnnotationPrefix, strings.Trim(domainName, ".")))
- RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig, sudo)
- return err
+ WriteLog(fmt.Sprintf("Error resolving allowed domain in Block mode %v", err))
+ WriteLog("Switching to Audit mode.")
+
+ // Change the policy to Audit
+ config.EgressPolicy = EgressPolicyAudit
+ apiclient.EgressPolicy = EgressPolicyAudit
+
+ // Reinitialize the Cache with the new Audit policy
+ Cache = InitCache(config.EgressPolicy)
+
+ // Update DNSProxy with the new cache and EgressPolicy
+ dnsProxy.Cache = &Cache
+ dnsProxy.EgressPolicy = EgressPolicyAudit
+
+ // Exit the loop as we have switched to Audit policy
+ break
 }
 for _, endpoint := range endpoints {
 // create list of ip address to be added to firewall
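Review bot: The added branch fails open: a single unresolvable allowed domain — including a transient DNS error or a resolver an attacker can influence — now downgrades the whole job from Block to Audit, and the only trace is a `WriteLog` line, whereas the removed code surfaced it with `WriteAnnotation` and returned an error. At minimum keep the annotation so the downgrade is visible in the job summary, e.g. `WriteAnnotation(fmt.Sprintf("%s Switching to Audit mode since allowed endpoint %s could not be resolved", StepSecurityAnnotationPrefix, strings.Trim(domainName, ".")))`, and consider making the fallback opt-in through the config rather than the default behaviour of block mode. Reassigning the package-level `Cache` and `dnsProxy.Cache` here is only safe if the proxy is not yet serving requests — if it is, this is a data race on the cache pointer — and the `break` skips the remaining allowed domains, which is fine for Audit but means any firewall state already built for earlier domains by the code after the hunk should be checked for consistency with the new policy. Run's body starts and continues outside the hunk.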