Releases: bytedance/vArmor

release v0.6.2

27 Dec 12:10

What's Changed

  • Added the child's mount namespace ID to the monitor list if it is in a new mount namespace during behavior modeling.
  • Return directly when the behavior data is too large.
  • Added a debug flag to control whether the debug files for behavior modeling are generated.
  • Added the disallow-load-all-bpf-prog rule for the Seccomp enforcer to prohibit loading any type of eBPF program.
  • Fixed: Create the varmor-classifier-svc service in the namespace where vArmor is installed

Full Changelog: v0.6.1...v0.6.2

release v0.6.1

20 Dec 09:03

What's Changed

  • fixed: Always render the agent environment variables
  • Upgrade the net package to fix CVE-2024-45338

Full Changelog: v0.6.0...v0.6.1

release v0.6.0

18 Dec 02:28

What's Changed

  • feat: Adapt AppArmor enforcer for K8s v1.30 and above
  • feat: Add monitoring metrics and support integration with Prometheus and Grafana
  • feat: Support violation auditing feature for BPF enforcer
  • feat: Enrich the violation audit logs of the BPF enforcer to include container and pod information
  • feat: Integrate the violation auditing features of AppArmor and BPF enforcer
  • feat: Unify the audit event format of AppArmor and BPF enforcers, and save the audit events into /var/log/varmor/violations.log
  • feat: Support enforcing access control on socket creation for BPF enforcer
  • feat: Support wildcard for all BPF permissions and flags
  • feat: Add new networking built-in rules for BPF and AppArmor enforcer
  • feat: Run agent in an unprivileged container
  • feat: Allow running the agent in the host's network namespace
  • refactor: Abstract the processtracer and auditor modules to collect events for the behavior modeling and violation auditing features
  • refactor: Refactor behavior modeling and violation auditing features so they no longer depend on syslog or auditd and require no manual configuration
  • refactor: Change fields in CRD from objects to pointers
  • refactor: Integrate the logic of updating policy objects
  • Automatically adjust GOMAXPROCS to the container CPU limit
  • Pass node name and readiness port to agent via environment variables
  • Standardize the name of UserAgent
  • Added version flag
  • Added helm configuration options for new features
  • fixed: Remove the finalizers of zombie ArmorProfile objects
  • fixed: Always retry object updates if a conflict occurs
  • fixed: The child profile should inherit rules from the parent without attack protection rules
  • fixed: Output error information when the agent service fails to start
  • docs: Further improve the repo documentation
  • website: Official website launched (https://varmor.org)

Full Changelog: v0.5.11...v0.6.0

release v0.6.0-rc1

12 Dec 07:23
Pre-release
Upgrade golang.org/x/crypto

release v0.6.0-alpha1

06 Dec 08:36
Pre-release
Upgrade path-to-regexp package

release v0.5.11

09 Jul 06:29

What's Changed

  • Retry removal of ArmorProfile's finalizers upon conflict
  • Gin logger now logs only unsuccessful requests
  • Fixed: Load BPF profile when container starts
  • Fixed: Return an error when the service responds with unauthorized

Full Changelog: v0.5.10...v0.5.11

release v0.5.10

25 Jun 01:54

Full Changelog: v0.5.9...v0.5.10

release v0.5.9

15 Jun 02:12

What's Changed

  • Added a disable-chmod-s-bit built-in rule for the Seccomp enforcer.
  • Refactored the Seccomp enforcer and merged rules wherever possible.
  • Added AlwaysAllow and RuntimeDefault modes for the Seccomp enforcer.
  • Synchronized the upstream rules from containerd into the AppArmor profile templates.
  • Merge identical child profiles for the AppArmor enforcer.
  • Introduced a violation audit feature for the AppArmor enforcer.
  • Support modifying existing policies and dynamically adding enforcers.
  • Optimized the status of the VarmorClusterPolicy/VarmorPolicy CR to display more error information.
  • Added ownerReference and finalizers to the ArmorProfile CR to prevent unintended deletion.
  • The Policy Advisor can now generate policy templates from behavior model data.
  • Updated docs.
  • Fixed: CI workflow login uses docker/login-action
  • Fixed: Ignore the privileged option of enhanceProtect for the Seccomp enforcer.
  • Fixed: Ensure the cleanup logic of the CR is properly executed.
  • Fixed: Update the chart template to generate a fixed full name for the k8s resources.
  • Fixed: Update the ArmorProfileModel CR when modeling is completed.

Full Changelog: v0.5.8...v0.5.9

release v0.5.9-rc4

06 Jun 14:49
4a181d5
Pre-release
Merge pull request #86 from bytedance/use-template-to-generate-fullname

fix: Use template to generate fullname instead of using fixed resourc…

release v0.5.9-rc3

03 Jun 14:48
5047149
Pre-release
Merge pull request #82 from bytedance/add-owner-reference

Add owner reference