Releases: bytedance/vArmor
release v0.5.6
What's Changed
- Agent and Manager now interact through TLS.
- Add Seccomp enforcer with support for EnhanceProtect, BehaviorModeling, and DefenseInDepth modes.
- Cluster-scoped policy VarmorClusterPolicy now supports BehaviorModeling mode.
- Support for the combination of different enforcers, now able to combine the use of AppArmor, BPF, Seccomp enforcers.
- Add .spec.updateExistingWorkloads field to the policy interface, allowing users to independently control the protection switch for existing workloads.
- Enable the --restartExistWorkloads switch of Manager by default.
- Move the privileged field of the policy interface to inside .spec.policy.enhanceProtect.
- Add built-in rules: disallow-create-user-ns, runc-override-mitigation, dirty-pipe-mitigation, disallow-mount-securityfs, disallow-access-kallsyms.
- Add CI workflows to automate the build and test processes.
- Add more demos and make them more comprehensible.
- Fix bugs.
Full Changelog: v0.5.5...v0.5.6
release v0.5.6-rc2
tag v0.5.6-rc2
release v0.5.6-rc
tag v0.5.6-rc
release 0.5.5
- Refactor the behavior modeling feature of the AppArmor enforcer.
- Introduce the BehaviorModeling mode to collect application behavior and generate models.
- Optimize the mount access control primitives of the BPF enforcer to address bypass issues.
- Fix the issue where abnormal nodes impact the status of policies.
- Upgrade Go to version 1.20 and build BPF programs inside containers.
- Support pulling images and charts from the Asia-Pacific Southeast region.
release 0.5.4
- Add mandatory access control primitives related to mount syscalls for the BPF enforcer.
- Introduce new built-in rules for the BPF enforcer, including disallow-mount, disallow-umount, disallow-mount-procfs, disallow-mount-cgroupfs, disallow-debug-disk-device, and disallow-mount-disk-device.
- Fine-tune partial built-in rules of the AppArmor enforcer to make them more precise and avoid unexpected behavior.
- Build enhanced protection rules on top of the RuntimeDefault rules by default.
- Improve the RuntimeDefault mode for the BPF enforcer.
- Introduce a cluster-scoped policy interface: the VarmorClusterPolicy CR.
- Improve documents.
release 0.5.3
- Optimize leader election logic.
- Add webhook matchlabel and BPF enforcer exclusive mode configuration options.
- Introduce ptrace primitives and built-in rules for BPF enforcer.
- Improve documents.
release-0.5.2
community initial release
v0.5.2-alpha
fix: do not ignore requirements.txt