security: enhance logging for denied privileged method calls

Improved security audit trail for attempted container privilege escalation:

- Added detailed logging when containers attempt privileged methods
- Logs UID, GID, PID, correlation ID, and method name
- Marked with "SECURITY:" prefix for easy filtering/alerting
- Helps operators detect and investigate compromise attempts

Example log output:
  SECURITY: Container attempted to call privileged method - access denied
  method=ensure_cluster_keys uid=101000 gid=101000 pid=12345

Addresses Codex recommendation for comprehensive logging of denied
privileged RPCs to enable monitoring and alerting on attempted abuse.
This commit is contained in:
rcourtman 2025-10-19 16:40:42 +00:00
parent 1e25fa572a
commit 1519390f08

View file

@ -400,9 +400,13 @@ func (p *Proxy) handleConnection(conn net.Conn) {
// Privileged methods can only be called from host (not from containers)
if p.isIDMappedRoot(cred) {
resp.Error = "method requires host-level privileges"
logger.Warn().
log.Warn().
Str("method", req.Method).
Msg("Container attempted to call privileged method")
Uint32("uid", cred.uid).
Uint32("gid", cred.gid).
Uint32("pid", cred.pid).
Str("corr_id", req.CorrelationID).
Msg("SECURITY: Container attempted to call privileged method - access denied")
p.sendResponse(conn, resp)
p.metrics.rpcRequests.WithLabelValues(req.Method, "unauthorized").Inc()
return