From 14d6a98e1faf569761b53fda306428c412832b51 Mon Sep 17 00:00:00 2001
From: Matheus Moraes
Date: Wed, 13 Mar 2024 12:24:15 -0300
Subject: [PATCH] feat: check non-zero runAsUser in M-113

---
 .../pss/restricted/M-113_run_as_non_root.yml | 14 ++++++--
 .../restricted/M-113_run_as_non_root_test.yml | 32 +++++++++++++++++++
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/internal/builtins/pss/restricted/M-113_run_as_non_root.yml b/internal/builtins/pss/restricted/M-113_run_as_non_root.yml
index d5ea085..a811b17 100644
--- a/internal/builtins/pss/restricted/M-113_run_as_non_root.yml
+++ b/internal/builtins/pss/restricted/M-113_run_as_non_root.yml
@@ -43,9 +43,14 @@ match:
 version: v1
 resource: jobs
 variables:
+ # pod-level runAsNonRoot is explicitly set to true
 - name: podRunAsNonRoot
 expression: podSpec.?securityContext.?runAsNonRoot.orValue(false)
+ # pod-level runAsUser is explicitly set to non-zero
+ - name: podRunAsNonZeroUser
+ expression: podSpec.?securityContext.?runAsUser.orValue(0) != 0
+
 # containers that explicitly set runAsNonRoot=false
 - name: explicitlyBadContainers
 expression: >
@@ -53,11 +58,16 @@ variables:
 has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == false
 )
- # containers that didn't set runAsNonRoot and aren't caught by a pod-level runAsNonRoot=true
+ # containers that
+ # - didn't set runAsNonRoot
+ # - aren't caught by a pod-level runAsNonRoot=true
+ # - didn't set non-zero runAsUser
+ # - aren't caught by a pod-level non-zero runAsUser
 - name: implicitlyBadContainers
 expression: >
 allContainers.filter(c,
- !variables.podRunAsNonRoot && (!has(c.securityContext) || !has(c.securityContext.runAsNonRoot))
+ (!variables.podRunAsNonRoot && (!has(c.securityContext) || !has(c.securityContext.runAsNonRoot))) &&
+ (!variables.podRunAsNonZeroUser && c.?securityContext.?runAsUser.orValue(0) == 0)
 )
 validations:
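Review bot: The new `podRunAsNonZeroUser` variable lets a non-zero runAsUser stand in for runAsNonRoot, but the upstream Pod Security Standards Restricted profile treats these as two separate controls: its "Running as Non-root" control accepts only runAsNonRoot: true, and a non-zero runAsUser satisfies only the separate "Running as Non-root user" control. Since this file lives under pss/restricted, the relaxation should be stated where the reader of the rule will see it; I'd extend the comment above the variable to `# pod-level runAsUser is explicitly set to non-zero (accepted in place of runAsNonRoot=true; looser than upstream PSS Restricted)`. The `variables:` list continues past the end of this hunk.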
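Review bot: The added second clause of `implicitlyBadContainers` grants pod-level credit for a non-zero runAsUser even when the container itself sets `runAsUser: 0`, which in Kubernetes overrides the pod-level value, so a pod with `spec.securityContext.runAsUser: 1000` and a container with `securityContext.runAsUser: 0` (and no runAsNonRoot anywhere) is not flagged although that container runs as uid 0. Resolving the effective user with container-over-pod precedence closes the gap: replace `(!variables.podRunAsNonZeroUser && c.?securityContext.?runAsUser.orValue(0) == 0)` with `c.?securityContext.?runAsUser.orValue(podSpec.?securityContext.?runAsUser.orValue(0)) == 0` (podSpec is already referenced by the pod-level variables in the previous hunk, so it should be in scope inside the filter; worth confirming). `podRunAsNonZeroUser` then has no remaining user and could be dropped, and the last two lines of the five-line comment should be reworded to say that the effective runAsUser (container value, else pod value) is 0 or unset. The `variables:` list begins before this hunk.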
diff --git a/internal/builtins/pss/restricted/M-113_run_as_non_root_test.yml b/internal/builtins/pss/restricted/M-113_run_as_non_root_test.yml
index b2517b7..f3af73f 100644
--- a/internal/builtins/pss/restricted/M-113_run_as_non_root_test.yml
+++ b/internal/builtins/pss/restricted/M-113_run_as_non_root_test.yml
@@ -151,3 +151,35 @@ selector:
 matchLabels:
 app: nginx
+
+ - name: "Pod set runAsUser to non-zero"
+ pass: true
+ input: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsUser: 1
+ containers:
+ - name: nginx
+ image: nginx
+
+ - name: "container set runAsUser to non-zero"
+ pass: true
+ input: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 1
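Review bot: Both added cases are `pass: true`; there is no failing case for the new runAsUser path, so a regression that accepts a root container cannot be caught by this file. The most important negative case is a pod that sets `spec.securityContext.runAsUser: 1` while a container overrides it with `securityContext.runAsUser: 0` — container-level runAsUser takes precedence in Kubernetes, so it must be `pass: false`, and as far as I can tell from the expression changed in M-113_run_as_non_root.yml in this same commit it would currently be accepted, so the case also documents that gap. An explicit container `runAsUser: 0` with no other settings is a second useful negative case. The test list begins before this hunk.
```yaml
# … unchanged: existing cases …
- name: "container overrides pod-level runAsUser with 0"
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      labels:
        app: nginx
    spec:
      securityContext:
        runAsUser: 1
      containers:
        - name: nginx
          image: nginx
          securityContext:
            runAsUser: 0
```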