Merge pull request #150 from oneiro-naut/native-apparmor

Add native AppArmor policy support in KubeArmorPolicy
kubearmor · Jun 14, 2021 · cc3b39c · cc3b39c
2 parents 530306a + 38fc028
commit cc3b39c
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 0 deletions.
diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
@@ -2221,9 +2221,19 @@ func GenerateProfileBody(enableAuditd bool, oldContentsPreMid, oldConetntsMidPos
 
 	fromSources := map[string][]string{}
 
+	nativeAppArmorRules := []string{}
+
 	// preparation
 
 	for _, secPolicy := range securityPolicies {
+		if len(secPolicy.Spec.Apparmor) > 0 {
+			scanner := bufio.NewScanner(strings.NewReader(secPolicy.Spec.Apparmor))
+			for scanner.Scan() {
+				line := "  " + strings.TrimSpace(scanner.Text()) + "\n"
+				nativeAppArmorRules = append(nativeAppArmorRules, line)
+			}
+		}
+
 		if len(secPolicy.Spec.Process.MatchPaths) > 0 {
 			for _, path := range secPolicy.Spec.Process.MatchPaths {
 				if path.Action == "Allow" || path.Action == "AllowWithAudit" {
@@ -2468,6 +2478,17 @@ func GenerateProfileBody(enableAuditd bool, oldContentsPreMid, oldConetntsMidPos
 
 	profileBody = "  ## == POLICY START == ##\n" + bodyFromSource + profileBody + "  ## == POLICY END == ##\n"
 
+	// body - native apparmor
+	if len(nativeAppArmorRules) > 0 {
+		profileBody = profileBody + "\n  ## == NATIVE POLICY START == ##\n"
+		for _, nativeRule := range nativeAppArmorRules {
+			profileBody = profileBody + nativeRule
+		}
+		profileBody = profileBody + "  ## == NATIVE POLICY END == ##\n"
+	}
+
+	count = count + len(nativeAppArmorRules)
+
 	// foot
 
 	profileFoot := "  ## == POST START == ##\n" + GenerateProfileFoot() + "  ## == POST END == ##\n"
@@ -2541,6 +2562,12 @@ func (ae *AppArmorEnforcer) GenerateAppArmorProfile(appArmorProfile string, secu
 		} else if strings.Contains(line, "## == POST END == ##") {
 			pos = "FOOT"
 			continue
+		} else if strings.Contains(line, "## == NATIVE POLICY START == ##") {
+			pos = "NATIVE-START"
+			continue
+		} else if strings.Contains(line, "## == NATIVE POLICY END == ##") {
+			pos = "NATIVE-END"
+			continue
 		}
 
 		if pos == "HEAD" {

diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
@@ -392,6 +392,8 @@ type SecuritySpec struct {
 	Capabilities CapabilitiesType `json:"capabilities,omitempty"`
 	Resource     ResourceType     `json:"resource,omitempty"`
 
+	Apparmor string `json:"apparmor,omitempty"`
+
 	Action string `json:"action"`
 }
 

diff --git a/helm/templates/security.accuknox.com_kubearmorpolicies.yaml b/helm/templates/security.accuknox.com_kubearmorpolicies.yaml
@@ -46,6 +46,8 @@ spec:
                 - AllowWithAudit
                 - BlockWithAudit
                 type: string
+              apparmor:
+                type: string
               capabilities:
                 properties:
                   action:

diff --git a/pkg/KubeArmorPolicy/api/v1/kubearmorpolicy_types.go b/pkg/KubeArmorPolicy/api/v1/kubearmorpolicy_types.go
@@ -304,6 +304,8 @@ type KubeArmorPolicySpec struct {
 	Capabilities CapabilitiesType `json:"capabilities,omitempty"`
 	Resource     ResourceType     `json:"resource,omitempty"`
 
+	Apparmor string `json:"apparmor,omitempty"`
+
 	// +kubebuilder:validation:optional
 	Severity SeverityType `json:"severity,omitempty"`
 	// +kubebuilder:validation:optional

diff --git a/pkg/KubeArmorPolicy/config/crd/bases/security.accuknox.com_kubearmorpolicies.yaml b/pkg/KubeArmorPolicy/config/crd/bases/security.accuknox.com_kubearmorpolicies.yaml
@@ -46,6 +46,8 @@ spec:
                 - AllowWithAudit
                 - BlockWithAudit
                 type: string
+              apparmor:
+                type: string
               capabilities:
                 properties:
                   action: