Version: v0.8

Vulnerability Mitigation

These rules are used to mitigate specific vulnerabilities.

cgroups-lxcfs-escape-mitigation

Mitigate cgroups & lxcfs escape.

Description

If users mount the host's cgroupfs into a container or use lxcfs to provide a resource view for the container, there may be a risk of container escape in both scenarios. Attackers could manipulate cgroupfs from within the container to achieve container escape.

This rule can also be used to defend against exploitation of CVE-2022-0492.

Principle & Impact

AppArmor Enforcer prevents writing to:

  • /**/release_agent
  • /**/devices/devices.allow
  • /**/devices/**/devices.allow
  • /**/devices/cgroup.procs
  • /**/devices/**/cgroup.procs
  • /**/devices/tasks
  • /**/devices/**/tasks

BPF Enforcer prevents writing to:

  • /**/release_agent
  • /**/devices.allow
  • /**/cgroup.procs
  • /**/devices/tasks

Supported Enforcer
  • AppArmor
  • BPF

runc-override-mitigation

Mitigate the ability to override runc to escape.

Description

The rule is designed to mitigate vulnerabilities such as CVE-2019-5736, which achieve container escape by overwriting the host's runc binary from inside a container.

Principle & Impact

Disallow writing to /**/runc files.

Supported Enforcer
  • AppArmor
  • BPF

dirty-pipe-mitigation

Mitigate the 'Dirty Pipe' exploit to escape.

Description

The rule is designed to defend against attacks exploiting the CVE-2022-0847 (Dirty Pipe) vulnerability for container escape. You can use this rule to harden containers before upgrading or patching the kernel.

Note: This rule may break some software packages, but blocking the syscall usually does not affect legitimate applications, since splice is used relatively rarely.

Principle & Impact

Disallow calling the splice syscall.

Supported Enforcer
  • Seccomp

ingress-nightmare-mitigation

Mitigate the exploitation of the IngressNightmare vulnerability.

Description

This rule is designed to mitigate the IngressNightmare (CVE-2025-1974) vulnerability in Ingress-nginx.

Ingress-nginx is an Ingress controller for Kubernetes. It uses nginx as a reverse proxy and load-balancing server. Attackers with Pod network access can exploit this vulnerability to execute arbitrary code within the ingress-nginx controller, thereby obtaining all secrets of the cluster and taking over the cluster. You can use this rule to mitigate the vulnerability before upgrading Ingress-nginx to a secure version.

Refer to the following links for further information.

Principle & Impact

This rule prohibits container processes from accessing the ingress-nginx-controller-admission service and its endpoints in the ingress-nginx and kube-system namespaces.

If you deploy ingress-nginx in other namespaces, you can define a custom rule for those namespaces using vArmor's service-access policy interface.

Supported Enforcer
  • BPF
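Pulling the rules above together: an added example VarmorPolicy (written for this page, not taken from the vArmor documentation or source) that enables all four vulnerability mitigation rules for one Deployment. The namespace, policy name, workload labels, the combined enforcer name and the CRD field names are assumptions based on the editor's reading of the VarmorPolicy CRD; check them against the v0.8 policy reference before use.

```yaml
# Added example, not part of the vArmor docs. Field names and the combined
# enforcer value are assumptions; verify against the v0.8 VarmorPolicy reference.
apiVersion: crd.varmor.org/v1beta1
kind: VarmorPolicy
metadata:
  name: demo-vul-mitigation        # assumed policy name
  namespace: demo                  # assumed namespace of the workload
spec:
  target:
    kind: Deployment
    selector:
      matchLabels:
        app: demo                  # assumed label on the target Deployment
  policy:
    # dirty-pipe-mitigation is Seccomp-only, ingress-nightmare-mitigation is
    # BPF-only, and the other two support BPF, so a combined BPF + Seccomp
    # enforcer is selected (assumed combined enforcer name).
    enforcer: BPFSeccomp
    mode: EnhanceProtect
    enhanceProtect:
      vulMitigationRules:
      # BPF: deny writes to /**/release_agent, /**/devices.allow,
      # /**/cgroup.procs and /**/devices/tasks (cgroupfs / lxcfs escape,
      # also covers CVE-2022-0492)
      - cgroups-lxcfs-escape-mitigation
      # BPF: deny writes to /**/runc (CVE-2019-5736 style runc overwrite)
      - runc-override-mitigation
      # Seccomp: deny the splice syscall (CVE-2022-0847, Dirty Pipe)
      - dirty-pipe-mitigation
      # BPF: block access to ingress-nginx-controller-admission in the
      # ingress-nginx and kube-system namespaces (CVE-2025-1974)
      - ingress-nightmare-mitigation
```

After applying the policy, confirm the rules took effect by checking the generated profile object in the workload's namespace and by verifying that a write to a cgroupfs path such as release_agent from inside the container is denied.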