Skip to content

Commit

Permalink
Merge pull request #1861 from daemon1024/apparmor-host
Browse files Browse the repository at this point in the history
fix(apparmor/host): streamline host profile generation with container  template generation
  • Loading branch information
Aryan-sharma11 authored Sep 9, 2024
2 parents ae5f57c + a8fb83c commit dacac4a
Show file tree
Hide file tree
Showing 5 changed files with 77 additions and 853 deletions.
44 changes: 36 additions & 8 deletions KubeArmor/enforcer/appArmorEnforcer.go
Original file line number Diff line number Diff line change
Expand Up @@ -522,13 +522,16 @@ func (ae *AppArmorEnforcer) UpdateAppArmorProfile(endPoint tp.EndPoint, appArmor
ae.Logger.Warnf("Unable to update %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
return
}
if err := kl.RunCommandAndWaitWithErr("aa-disable", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
ae.Logger.Warnf("Unable to disable for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
return
}
if err := kl.RunCommandAndWaitWithErr("aa-enforce", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
ae.Logger.Warnf("Unable to enforce back for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
return

if cfg.GlobalCfg.K8sEnv {
if err := kl.RunCommandAndWaitWithErr("aa-disable", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
ae.Logger.Warnf("Unable to disable for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
return
}
if err := kl.RunCommandAndWaitWithErr("aa-enforce", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
ae.Logger.Warnf("Unable to enforce back for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
return
}
}

ae.Logger.Printf("Updated %d security rule(s) to %s/%s/%s", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile)
Expand Down Expand Up @@ -579,7 +582,30 @@ func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecur
CapabilitiesAction: cfg.GlobalCfg.HostDefaultCapabilitiesPosture,
}

if policyCount, newProfile, ok := ae.GenerateAppArmorHostProfile(secPolicies, globalDefaultPosture); ok {
var hostPolicies []tp.SecurityPolicy

// Typecast HostSecurityPolicy spec to normal SecurityPolicies
for _, secPolicy := range secPolicies {
var hostPolicy tp.SecurityPolicy
if err := kl.Clone(secPolicy.Spec.Process, &hostPolicy.Spec.Process); err != nil {
ae.Logger.Warnf("Error cloning host policy spec process to sec policy construct")
}
if err := kl.Clone(secPolicy.Spec.File, &hostPolicy.Spec.File); err != nil {
ae.Logger.Warnf("Error cloning host policy spec file to sec policy construct")
}
if err := kl.Clone(secPolicy.Spec.Network, &hostPolicy.Spec.Network); err != nil {
ae.Logger.Warnf("Error cloning host policy spec network to sec policy construct")
}
if err := kl.Clone(secPolicy.Spec.Capabilities, &hostPolicy.Spec.Capabilities); err != nil {
ae.Logger.Warnf("Error cloning host policy spec capabilities to sec policy construct")
}
if err := kl.Clone(secPolicy.Spec.Syscalls, &hostPolicy.Spec.Syscalls); err != nil {
ae.Logger.Warnf("Error cloning host policy spec syscall to sec policy construct")
}
hostPolicies = append(hostPolicies, hostPolicy)
}

if policyCount, newProfile, ok := ae.GenerateAppArmorProfile("kubearmor.host /{usr/,}bin/*sh", hostPolicies, globalDefaultPosture, true); ok {
newfile, err := os.Create(filepath.Clean(appArmorHostFile))
if err != nil {
ae.Logger.Warnf("Unable to open the KubeArmor host profile in %s (%s)", cfg.GlobalCfg.Host, err.Error())
Expand Down Expand Up @@ -619,6 +645,8 @@ func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecur
ae.Logger.Printf("Updated %d host security rules to the KubeArmor host profile in %s", policyCount, cfg.GlobalCfg.Host)

ae.ClearKubeArmorHostFile(appArmorHostFile)
} else if newProfile != "" {
ae.Logger.Errf("Error Generating %s AppArmor profile: %s", appArmorHostFile, newProfile)
}
}

Expand Down
Loading

0 comments on commit dacac4a

Please sign in to comment.