

fix(apparmor/host): streamline host profile generation with container…
… template generation

- deprecating special handling of host profiles
- making reload of apparmor profiles only in k8s env

Signed-off-by: daemon1024 <[email protected]>
daemon1024 committed Sep 9, 2024
1 parent ae5f57c commit e67ba68
Showing 5 changed files with 80 additions and 857 deletions.
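--- a/KubeArmor/enforcer/appArmorEnforcer.go
+++ b/KubeArmor/enforcer/appArmorEnforcer.go
@@ -518,17 +518,19 @@ func (ae *AppArmorEnforcer) UpdateAppArmorProfile(endPoint tp.EndPoint, appArmor
 return
 }
 
-if err := kl.RunCommandAndWaitWithErr("apparmor_parser", []string{"-r", "-W", "/etc/apparmor.d/" + appArmorProfile}); err != nil {
-ae.Logger.Warnf("Unable to update %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
-return
-}
-if err := kl.RunCommandAndWaitWithErr("aa-disable", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
-ae.Logger.Warnf("Unable to disable for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
-return
-}
-if err := kl.RunCommandAndWaitWithErr("aa-enforce", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
-ae.Logger.Warnf("Unable to enforce back for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
-return
+if cfg.GlobalCfg.K8sEnv == true {
+if err := kl.RunCommandAndWaitWithErr("apparmor_parser", []string{"-r", "-W", "/etc/apparmor.d/" + appArmorProfile}); err != nil {
+ae.Logger.Warnf("Unable to update %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
+return
+}
+if err := kl.RunCommandAndWaitWithErr("aa-disable", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
+ae.Logger.Warnf("Unable to disable for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
+return
+}
+if err := kl.RunCommandAndWaitWithErr("aa-enforce", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
+ae.Logger.Warnf("Unable to enforce back for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
+return
+}
 }
 
 ae.Logger.Printf("Updated %d security rule(s) to %s/%s/%s", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile)
@@ -579,7 +581,30 @@ func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecur
 CapabilitiesAction: cfg.GlobalCfg.HostDefaultCapabilitiesPosture,
 }
 
-if policyCount, newProfile, ok := ae.GenerateAppArmorHostProfile(secPolicies, globalDefaultPosture); ok {
+var hostPolicies []tp.SecurityPolicy
+
+// Typecast HostSecurityPolicy spec to normal SecurityPolicies
+for _, secPolicy := range secPolicies {
+var hostPolicy tp.SecurityPolicy
+if err := kl.Clone(secPolicy.Spec.Process, &hostPolicy.Spec.Process); err != nil {
+ae.Logger.Warnf("Error cloning host policy spec process to sec policy construct")
+}
+if err := kl.Clone(secPolicy.Spec.File, &hostPolicy.Spec.File); err != nil {
+ae.Logger.Warnf("Error cloning host policy spec file to sec policy construct")
+}
+if err := kl.Clone(secPolicy.Spec.Network, &hostPolicy.Spec.Network); err != nil {
+ae.Logger.Warnf("Error cloning host policy spec network to sec policy construct")
+}
+if err := kl.Clone(secPolicy.Spec.Capabilities, &hostPolicy.Spec.Capabilities); err != nil {
+ae.Logger.Warnf("Error cloning host policy spec capabilities to sec policy construct")
+}
+if err := kl.Clone(secPolicy.Spec.Syscalls, &hostPolicy.Spec.Syscalls); err != nil {
+ae.Logger.Warnf("Error cloning host policy spec syscall to sec policy construct")
+}
+hostPolicies = append(hostPolicies, hostPolicy)
+}
+
+if policyCount, newProfile, ok := ae.GenerateAppArmorProfile("kubearmor.host /{usr/,}bin/*sh", hostPolicies, globalDefaultPosture, true); ok {
 newfile, err := os.Create(filepath.Clean(appArmorHostFile))
 if err != nil {
 ae.Logger.Warnf("Unable to open the KubeArmor host profile in %s (%s)", cfg.GlobalCfg.Host, err.Error())
@@ -619,6 +644,8 @@ func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecur
 ae.Logger.Printf("Updated %d host security rules to the KubeArmor host profile in %s", policyCount, cfg.GlobalCfg.Host)
 
 ae.ClearKubeArmorHostFile(appArmorHostFile)
+} else if newProfile != "" {
+ae.Logger.Errf("Error Generating %s AppArmor profile: %s", appArmorHostFile, newProfile)
 }
 }
 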
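Review bot: In the conversion loop added in the second hunk, a failed `kl.Clone` only logs a warning and the partially populated `hostPolicy` is still appended, so a host policy whose spec could not be copied is quietly turned into a profile carrying fewer restrictions than the policy declares, and that weaker profile then replaces the one currently enforced on the host. A conversion failure should abort the update (leaving the last good host profile in place) rather than degrade it, and the warning should carry `err` so the cause is visible; the sketch below folds the five clones into one `errors.Join` check (needs the `errors` import, Go 1.20+) and returns on failure, where the bare `return` assumes `UpdateAppArmorHostProfile` has no results — its signature is cut off in the hunk header, so confirm. Separately, in the first hunk `if cfg.GlobalCfg.K8sEnv == true {` reads better as `if cfg.GlobalCfg.K8sEnv {`, and the `Updated %d security rule(s)` log after that block still fires on non-k8s hosts where nothing was reloaded into the kernel, which may mislead an operator checking whether a policy took effect; a comment there stating where the reload happens in that mode would help.

```go
// … unchanged: globalDefaultPosture construction …
var hostPolicies []tp.SecurityPolicy

// Convert each HostSecurityPolicy spec into a SecurityPolicy. Abort the
// whole update if any spec cannot be copied so the last good host profile
// stays in force instead of a weaker one replacing it.
for i, secPolicy := range secPolicies {
	var hostPolicy tp.SecurityPolicy
	if err := errors.Join(
		kl.Clone(secPolicy.Spec.Process, &hostPolicy.Spec.Process),
		kl.Clone(secPolicy.Spec.File, &hostPolicy.Spec.File),
		kl.Clone(secPolicy.Spec.Network, &hostPolicy.Spec.Network),
		kl.Clone(secPolicy.Spec.Capabilities, &hostPolicy.Spec.Capabilities),
		kl.Clone(secPolicy.Spec.Syscalls, &hostPolicy.Spec.Syscalls),
	); err != nil {
		ae.Logger.Errf("Unable to convert host policy %d of %d to a security policy, keeping the current host profile (%s)", i+1, len(secPolicies), err.Error())
		return
	}
	hostPolicies = append(hostPolicies, hostPolicy)
}

// … unchanged: GenerateAppArmorProfile call and host profile write …
```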

