From 744583c7926fe55a1fd276225c39925bda567d8a Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Fri, 13 Dec 2024 16:43:52 +0000 Subject: [PATCH 1/2] Add note on `HOST_PROC` environment variable --- .../workload-identity/workload-attestation.mdx | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx b/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx index 9c3c6423f090a..5f4ccef84c109 100644 --- a/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx +++ b/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx 
@@ -37,11 +37,25 @@ available to be used when configuring rules for `tbot`'s Workload API service: | Field | Description | |-------------------|------------------------------------------------------------------------------| -| `unix.attested` | Indicates that the workload has been attested by the Unix Workload Attestor. | +| `unix.attested` | Indicates that the workload has been attested by the Unix Workload Attestor. | | `unix.pid` | The process ID of the attested workload. | | `unix.uid` | The effective user ID of the attested workload. | | `unix.gid` | The effective primary group ID of the attested workload. | +### Support for non-standard /proc mounting + +To resolve information about a process from the PID, the Unix Workload Attestor +reads information from the `/proc` filesystem. + +In some cases, the `/proc` filesystem may not be mounted at the default +location. If this is the case, you can configure the Unix Workload Attestor to +read from a different location by setting the `HOST_PROC` environment variable. + +This is a sensitive configuration option, and you should ensure that it is +set correctly or not set at all. If misconfigured, an attacker could provide +falsified information about processes, and this could lead to the issuance of +SVIDs to unauthorized workloads. + ## Kubernetes The Kubernetes Workload Attestor allows you to restrict the issuance of SVIDs From 7688566d7fe3ad002c885d18849fae0268e57481 Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Mon, 16 Dec 2024 10:54:29 +0000 Subject: [PATCH 2/2] Clarify procfs --- .../workload-identity/workload-attestation.mdx | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx b/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx index 5f4ccef84c109..0f7ee2a3e1f52 100644 --- a/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx 
+++ b/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx @@ -42,14 +42,15 @@ available to be used when configuring rules for `tbot`'s Workload API service: | `unix.uid` | The effective user ID of the attested workload. | | `unix.gid` | The effective primary group ID of the attested workload. | -### Support for non-standard /proc mounting +### Support for non-standard procfs mounting To resolve information about a process from the PID, the Unix Workload Attestor -reads information from the `/proc` filesystem. +reads information from the procfs filesystem. By default, it expects procfs to +be mounted at `/proc`. -In some cases, the `/proc` filesystem may not be mounted at the default -location. If this is the case, you can configure the Unix Workload Attestor to -read from a different location by setting the `HOST_PROC` environment variable. +If procfs is mounted at a different location, you must configure the Unix +Workload Attestor to read from that alternative location by setting the +`HOST_PROC` environment variable. This is a sensitive configuration option, and you should ensure that it is set correctly or not set at all. If misconfigured, an attacker could provide
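Review bot: In the first hunk (`[PATCH 1/2]`, the new "Support for non-standard /proc mounting" section), the text tells the reader to set `HOST_PROC` but not what value it takes or where it is read from; add a sentence stating that it must be an absolute path to the directory where procfs is mounted and that it is read from the environment of the `tbot` process itself, and consider a short example line such as `HOST_PROC=/path/to/procfs` so the expected format is unambiguous. The security paragraph would also be stronger if "set correctly" were made concrete, for instance that the path must point at a genuine procfs mount that is not writable by the workloads being attested, since that is the property the following sentence about falsified process information depends on. Separately, the `unix.attested` table row is removed and re-added with identical content, so that change is whitespace-only alignment; if it is unintentional, drop it to keep the hunk focused.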
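Review bot: In the second hunk (`[PATCH 2/2]`), the rewritten first sentence reads "reads information from the procfs filesystem", which is redundant because procfs already names the filesystem; suggest "reads information from procfs. By default, it expects procfs to be mounted at `/proc`." The change from "you can" to "you must" is a good correction, since a mismatched mount location is not optional to fix, but the unchanged trailing paragraph ("set correctly or not set at all") now sits directly after a "must" statement and reads as if it were contradicting it; consider rewording to "set `HOST_PROC` only when procfs is not at `/proc`, and make sure it points at the real procfs mount" so the two paragraphs agree.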