Add native AppArmor policy support in KubeArmorPolicy

This commit makes it possible for us to embed native apparmor rules in the YAML policy. It adds a new field in the spec called apparmor of type string. Fixes: #54 Signed-off-by: Ayush Dwivedi <ayush.dwivedi@accuknox.com>
kubearmor · Jun 12, 2021 · 9186d13 · 9186d13
1 parent 530306a
commit 9186d13
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 0 deletions.
diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
@@ -2221,9 +2221,18 @@ func GenerateProfileBody(enableAuditd bool, oldContentsPreMid, oldConetntsMidPos
 
 	fromSources := map[string][]string{}
 
+	nativeAppArmorRules := []string{}
 	// preparation
 
 	for _, secPolicy := range securityPolicies {
+		if len(secPolicy.Spec.Apparmor) > 0 {
+			scanner := bufio.NewScanner(strings.NewReader(secPolicy.Spec.Apparmor))
+			for scanner.Scan() {
+				line := "  " + strings.TrimSpace(scanner.Text()) + "\n"
+				nativeAppArmorRules = append(nativeAppArmorRules, line)
+			}
+		}
+
 		if len(secPolicy.Spec.Process.MatchPaths) > 0 {
 			for _, path := range secPolicy.Spec.Process.MatchPaths {
 				if path.Action == "Allow" || path.Action == "AllowWithAudit" {
@@ -2468,6 +2477,17 @@ func GenerateProfileBody(enableAuditd bool, oldContentsPreMid, oldConetntsMidPos
 
 	profileBody = "  ## == POLICY START == ##\n" + bodyFromSource + profileBody + "  ## == POLICY END == ##\n"
 
+	// body - native apparmor
+	if len(nativeAppArmorRules) > 0 {
+		profileBody = profileBody + "  ## == NATIVE POLICY START == ##\n"
+		for _, nativeRule := range nativeAppArmorRules {
+			profileBody = profileBody + nativeRule
+		}
+		profileBody = profileBody + "  ## == NATIVE POLICY END == ##\n"
+	}
+
+	count = count + len(nativeAppArmorRules)
+
 	// foot
 
 	profileFoot := "  ## == POST START == ##\n" + GenerateProfileFoot() + "  ## == POST END == ##\n"
@@ -2541,6 +2561,12 @@ func (ae *AppArmorEnforcer) GenerateAppArmorProfile(appArmorProfile string, secu
 		} else if strings.Contains(line, "## == POST END == ##") {
 			pos = "FOOT"
 			continue
+		} else if strings.Contains(line, "## == NATIVE POLICY START == ##") {
+			pos = "NATIVE-START"
+			continue
+		} else if strings.Contains(line, "## == NATIVE POLICY END == ##") {
+			pos = "NATIVE-END"
+			continue
 		}
 
 		if pos == "HEAD" {

diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
@@ -384,6 +384,7 @@ type SecuritySpec struct {
 	Tags     []string `json:"tags,omitempty"`
 	Message  string   `json:"message,omitempty"`
 
+	Apparmor string       `json:"apparmor,omitempty"`
 	Selector SelectorType `json:"selector"`
 
 	Process      ProcessType      `json:"process,omitempty"`

diff --git a/helm/templates/security.accuknox.com_kubearmorpolicies.yaml b/helm/templates/security.accuknox.com_kubearmorpolicies.yaml
@@ -46,6 +46,8 @@ spec:
                 - AllowWithAudit
                 - BlockWithAudit
                 type: string
+              apparmor:
+                type: string
               capabilities:
                 properties:
                   action:

diff --git a/pkg/KubeArmorPolicy/api/v1/kubearmorpolicy_types.go b/pkg/KubeArmorPolicy/api/v1/kubearmorpolicy_types.go
@@ -296,6 +296,7 @@ type KubeArmorPolicySpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
+	Apparmor string       `json:"apparmor,omitempty"`
 	Selector SelectorType `json:"selector"`
 
 	Process      ProcessType      `json:"process,omitempty"`

diff --git a/pkg/KubeArmorPolicy/config/crd/bases/security.accuknox.com_kubearmorpolicies.yaml b/pkg/KubeArmorPolicy/config/crd/bases/security.accuknox.com_kubearmorpolicies.yaml
@@ -46,6 +46,8 @@ spec:
                 - AllowWithAudit
                 - BlockWithAudit
                 type: string
+              apparmor:
+                type: string
               capabilities:
                 properties:
                   action: