Fix umh core pattern attacks (#298)

* fix umh core pattern

* adding index for mongodb query

pkg/kubehound/graph/edge/escape_umh_core_pattern.go

@@ -54,32 +54,32 @@ func (e *EscapeCorePattern) Stream(ctx context.Context, store storedb.Provider,
 		},
 		{
 			"$lookup": bson.M{
-				"as":   "procMountContainers",
-				"from": "volumes",
-				"let": bson.M{
-					"rootContainerId": "$container_id",
-				},
+				"as":           "procMountContainers",
+				"from":         "volumes",
+				"foreignField": "pod_id",
+				"localField":   "pod_id",
 				"pipeline": []bson.M{
 					{
 						"$match": bson.M{
 							"$and": bson.A{
-								bson.M{"$expr": bson.M{
-									"$eq": bson.A{
-										"$container_id", "$$rootContainerId",
-									},
+								bson.M{"type": shared.VolumeTypeHost},
+								bson.M{"source": bson.M{
+									"$in": ProcMountList,
 								}},
+								bson.M{"runtime.runID": e.runtime.RunID.String()},
+								bson.M{"runtime.cluster": e.runtime.ClusterName},
 							},
-							"type": shared.VolumeTypeHost,
-							"source": bson.M{
-								"$in": ProcMountList,
-							},
-							"runtime.runID":   e.runtime.RunID.String(),
-							"runtime.cluster": e.runtime.ClusterName,
 						},
 					},
 				},
 			},
 		},
+		{
+			"$unwind": bson.M{
+				"path":                       "$procMountContainers",
+				"preserveNullAndEmptyArrays": false,
+			},
+		},
 		{
 			"$project": bson.M{
 				"_id":     1,

pkg/kubehound/storage/storedb/index_builder.go

@@ -123,6 +123,14 @@ func (ib *IndexBuilder) containers(ctx context.Context) error {
 			},
 			Options: options.Index().SetName("byRun"),
 		},
+		{
+			Keys: bson.D{
+				{Key: "k8.securitycontext.runasuser", Value: 1},
+				{Key: "runtime.runID", Value: 1},
+				{Key: "runtime.cluster", Value: 1},
+			},
+			Options: options.Index().SetName("byRunAsUser"),
+		},
 	}
 
 	_, err := containers.Indexes().CreateMany(ctx, indices)