diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
index d157993c07..3f6f421706 100644
--- a/KubeArmor/enforcer/appArmorProfile.go
+++ b/KubeArmor/enforcer/appArmorProfile.go
@@ -2221,9 +2221,19 @@ func GenerateProfileBody(enableAuditd bool, oldContentsPreMid, oldConetntsMidPos
 fromSources := map[string][]string{}
 
+ nativeAppArmorRules := []string{}
+
 // preparation
 for _, secPolicy := range securityPolicies {
+ if len(secPolicy.Spec.Apparmor) > 0 {
+ scanner := bufio.NewScanner(strings.NewReader(secPolicy.Spec.Apparmor))
+ for scanner.Scan() {
+ line := " " + strings.TrimSpace(scanner.Text()) + "\n"
+ nativeAppArmorRules = append(nativeAppArmorRules, line)
+ }
+ }
+
 if len(secPolicy.Spec.Process.MatchPaths) > 0 {
 for _, path := range secPolicy.Spec.Process.MatchPaths {
 if path.Action == "Allow" || path.Action == "AllowWithAudit" {
@@ -2468,6 +2478,17 @@ func GenerateProfileBody(enableAuditd bool, oldContentsPreMid, oldConetntsMidPos
 profileBody = " ## == POLICY START == ##\n" + bodyFromSource + profileBody + " ## == POLICY END == ##\n"
 
+ // body - native apparmor
+ if len(nativeAppArmorRules) > 0 {
+ profileBody = profileBody + "\n ## == NATIVE POLICY START == ##\n"
+ for _, nativeRule := range nativeAppArmorRules {
+ profileBody = profileBody + nativeRule
+ }
+ profileBody = profileBody + " ## == NATIVE POLICY END == ##\n"
+ }
+
+ count = count + len(nativeAppArmorRules)
+
 // foot
 profileFoot := " ## == POST START == ##\n" + GenerateProfileFoot() + " ## == POST END == ##\n"
@@ -2541,6 +2562,12 @@ func (ae *AppArmorEnforcer) GenerateAppArmorProfile(appArmorProfile string, secu
 } else if strings.Contains(line, "## == POST END == ##") {
 pos = "FOOT"
 continue
+ } else if strings.Contains(line, "## == NATIVE POLICY START == ##") {
+ pos = "NATIVE-START"
+ continue
+ } else if strings.Contains(line, "## == NATIVE POLICY END == ##") {
+ pos = "NATIVE-END"
+ continue
 }
 
 if pos == "HEAD" {
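Review bot: The scanner loop over `secPolicy.Spec.Apparmor` never checks `scanner.Err()`, so a line longer than bufio's default token limit ends the scan early and the rest of that policy's native rules silently never reach the profile; add `if err := scanner.Err(); err != nil { /* report: native rules for this policy are incomplete */ }` after the loop and surface it however this function reports problems (its return and error handling are outside the hunk). Beyond that, each line is only trimmed and then spliced verbatim into the profile text (here and again in the NATIVE POLICY block of the second hunk), so a single malformed line makes the whole profile fail to parse, which for a security profile means the workload ends up with stale or no confinement rather than a narrowly failed rule; rejecting lines that would open or close a block (`{`/`}`) or validating the assembled profile before it is installed would contain that. A comment at the top of the new branch, e.g. `// Spec.Apparmor is trusted operator input: its lines are copied into the profile unvalidated`, would at least record the trust boundary. GenerateProfileBody starts and ends outside the hunk.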
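Review bot: In the third hunk the new states `NATIVE-START` and `NATIVE-END` are assigned but nothing visible reads them, and the rule lines between the two markers will fall through to the `if pos == ...` chain that follows with pos left at `NATIVE-START`; if the intent is that native rules are never carried over from an existing profile but regenerated from the policy spec, a comment above the new branches such as `// native rules are rebuilt from Spec.Apparmor on every generation; lines inside the NATIVE markers are not preserved` would make that explicit. Whether a later branch consumes these values cannot be seen from here, since GenerateAppArmorProfile continues outside the hunk.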
diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
index a5019c0726..543a46a386 100644
--- a/KubeArmor/types/types.go
+++ b/KubeArmor/types/types.go
@@ -392,6 +392,8 @@ type SecuritySpec struct {
 Capabilities CapabilitiesType `json:"capabilities,omitempty"`
 Resource ResourceType `json:"resource,omitempty"`
 
+ Apparmor string `json:"apparmor,omitempty"`
+
 Action string `json:"action"`
 }
diff --git a/helm/templates/security.accuknox.com_kubearmorpolicies.yaml b/helm/templates/security.accuknox.com_kubearmorpolicies.yaml
index 37a80ef8d4..ce74991cd5 100644
--- a/helm/templates/security.accuknox.com_kubearmorpolicies.yaml
+++ b/helm/templates/security.accuknox.com_kubearmorpolicies.yaml
@@ -46,6 +46,8 @@ spec:
 - AllowWithAudit
 - BlockWithAudit
 type: string
+ apparmor:
+ type: string
 capabilities:
 properties:
 action:
diff --git a/pkg/KubeArmorPolicy/api/v1/kubearmorpolicy_types.go b/pkg/KubeArmorPolicy/api/v1/kubearmorpolicy_types.go
index 47c92e907a..68508a871b 100644
--- a/pkg/KubeArmorPolicy/api/v1/kubearmorpolicy_types.go
+++ b/pkg/KubeArmorPolicy/api/v1/kubearmorpolicy_types.go
@@ -304,6 +304,8 @@ type KubeArmorPolicySpec struct {
 Capabilities CapabilitiesType `json:"capabilities,omitempty"`
 Resource ResourceType `json:"resource,omitempty"`
 
+ Apparmor string `json:"apparmor,omitempty"`
+
 // +kubebuilder:validation:optional
 Severity SeverityType `json:"severity,omitempty"`
 // +kubebuilder:validation:optional
diff --git a/pkg/KubeArmorPolicy/config/crd/bases/security.accuknox.com_kubearmorpolicies.yaml b/pkg/KubeArmorPolicy/config/crd/bases/security.accuknox.com_kubearmorpolicies.yaml
index 37a80ef8d4..ce74991cd5 100644
--- a/pkg/KubeArmorPolicy/config/crd/bases/security.accuknox.com_kubearmorpolicies.yaml
+++ b/pkg/KubeArmorPolicy/config/crd/bases/security.accuknox.com_kubearmorpolicies.yaml
@@ -46,6 +46,8 @@ spec:
 - AllowWithAudit
 - BlockWithAudit
 type: string
+ apparmor:
+ type: string
 capabilities:
 properties:
 action:
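Review bot: The new `Apparmor` field carries no doc comment in either `SecuritySpec` or `KubeArmorPolicySpec` and no kubebuilder marker, unlike the `Severity` field just below it that is tagged `// +kubebuilder:validation:optional`; because the enforcer copies this string line by line into the generated AppArmor profile, a comment such as `// Apparmor holds raw AppArmor rules appended verbatim to the generated profile; every line must be a valid rule inside a profile block.` belongs above the field in kubearmorpolicy_types.go, with the same sentence mirrored in types.go. The generated CRD schema in both yaml files declares it only as `type: string`, so nothing at admission bounds its length or shape; an explicit `maxLength` or a documented statement that the field is trusted operator input would make the trust boundary visible to policy authors. The two yaml hunks are generated output and need no separate change once the marker is added to the Go type.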