

Extend the apparmor profile template with profile mode flag and adapt…
… the generate profile

Change-Id: If59b953c69e48e68b2bb56198567342ca9483170
Signed-off-by: Cosmin Cojocar <[email protected]>
ccojocar authored and k8s-ci-robot committed Dec 4, 2024
1 parent 22f7916 commit 1d05620
Showing 5 changed files with 53 additions and 14 deletions.
2 changes: 1 addition & 1 deletion internal/pkg/cli/converter/converter.go
Expand Up @@ -70,7 +70,7 @@ func (p *Converter) Run() error {
programName = obj.Name
}

outStr, err := crd2armor.GenerateProfile(programName, &obj.Spec.Abstract)
outStr, err := crd2armor.GenerateProfile(programName, obj.Spec.ComplainMode, &obj.Spec.Abstract)
if err != nil {
return fmt.Errorf("build raw apparmor profile: %w", err)
}
40 changes: 35 additions & 5 deletions internal/pkg/cli/converter/converter_test.go
Expand Up @@ -40,10 +40,10 @@ func TestRun(t *testing.T) {
for _, tc := range []struct {
name string
input string
outputContains string
outputContains []string
}{
{
name: "AppArmor CRD",
name: "AppArmor CRD in enforce mode by default",
input: `
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
Expand All @@ -53,7 +53,35 @@ spec:
readOnlyPaths:
- /dev/null
`,
outputContains: `deny /dev/null wl`,
outputContains: []string{`deny /dev/null wl`, `flags=(enforce,attach_disconnected,mediate_deleted)`},
},
{
name: "AppArmor CRD in enforce mode",
input: `
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
spec:
complainMode: false
abstract:
filesystem:
readOnlyPaths:
- /dev/null
`,
outputContains: []string{`deny /dev/null wl`, `flags=(enforce,attach_disconnected,mediate_deleted)`},
},
{
name: "AppArmor CRD in complain mode",
input: `
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
spec:
complainMode: true
abstract:
filesystem:
readOnlyPaths:
- /dev/null
`,
outputContains: []string{`deny /dev/null wl`, `flags=(complain,attach_disconnected,mediate_deleted)`},
},
{
name: "seccomp",
Expand All @@ -67,7 +95,7 @@ spec:
names:
- foo
`,
outputContains: `"defaultAction": "SCMP_ACT_ERRNO"`,
outputContains: []string{`"defaultAction": "SCMP_ACT_ERRNO"`},
},
} {
input := tc.input
Expand All @@ -83,7 +111,9 @@ spec:
err := sut.Run()
require.NoError(t, err)
_, actual, _ := mock.WriteFileArgsForCall(0)
require.Contains(t, string(actual), outputContains)
for _, contain := range outputContains {
require.Contains(t, string(actual), contain)
}
})
}

2 changes: 1 addition & 1 deletion internal/pkg/cli/recorder/recorder.go
Expand Up @@ -432,7 +432,7 @@ func (r *Recorder) buildAppArmorProfileRaw(writer io.Writer, spec *apparmorprofi
}

abstract := spec.Abstract
raw, err := crd2armor.GenerateProfile(programName, &abstract)
raw, err := crd2armor.GenerateProfile(programName, spec.ComplainMode, &abstract)
if err != nil {
return fmt.Errorf("build raw apparmor profile: %w", err)
}
2 changes: 1 addition & 1 deletion internal/pkg/daemon/apparmorprofile/apparmor_supported.go
Expand Up @@ -79,7 +79,7 @@ func (a *aaProfileManager) InstallProfile(bp profilebasev1alpha1.StatusBaseUser)
return false, errors.New(errInvalidCustomResourceType)
}

policy, err := crd2armor.GenerateProfile(profile.GetProfileName(), &profile.Spec.Abstract)
policy, err := crd2armor.GenerateProfile(profile.GetProfileName(), profile.Spec.ComplainMode, &profile.Spec.Abstract)
if err != nil {
return false, fmt.Errorf("generating raw apparmor profile: %w", err)
}
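Review bot: The daemon now loads a profile whose mode is chosen by `profile.Spec.ComplainMode`, and in complain mode every `deny` rule of the generated policy becomes audit-only (the kernel logs the violation but does not block it), yet nothing in this hunk records which mode was actually installed. If neither the profile status nor the daemon log already carries the mode (I cannot see that from here), consider surfacing it at install time so an operator auditing a node can tell enforced profiles from audit-only ones apart; at minimum a why-comment next to the call, such as `// ComplainMode=true loads an audit-only profile: denials are logged, nothing is blocked.`, makes the security impact of the flag visible to the next reader. InstallProfile starts and ends outside the hunk.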
21 changes: 15 additions & 6 deletions internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
Expand Up @@ -27,7 +27,7 @@ import (
var appArmorTemplate = `
# Generated by https://github.com/kubernetes-sigs/security-profiles-operator, do not edit by hand.
#include <tunables/global>
profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
profile {{.Name}} flags=({{.ProfileMode}},attach_disconnected,mediate_deleted) {
#include <abstractions/base>
# Executable rules
Expand Down Expand Up @@ -91,18 +91,20 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
`

type apparmorTemplateArgs struct {
Name string
Abstract *apparmorprofileapi.AppArmorAbstract
Name string
ProfileMode string
Abstract *apparmorprofileapi.AppArmorAbstract
}

// GenerateProfile uses the CRD representation of an abstracted profile to generate a
// full AppArmor profile.
func GenerateProfile(name string, abstract *apparmorprofileapi.AppArmorAbstract) (string, error) {
func GenerateProfile(name string, complainMode bool, abstract *apparmorprofileapi.AppArmorAbstract) (string, error) {
var generated bytes.Buffer

templateArgs := apparmorTemplateArgs{
Name: name,
Abstract: abstract,
Name: name,
ProfileMode: profileMode(complainMode),
Abstract: abstract,
}

if abstract == nil {
Expand All @@ -118,3 +120,10 @@ func GenerateProfile(name string, abstract *apparmorprofileapi.AppArmorAbstract)
}
return generated.String(), nil
}

func profileMode(complainMode bool) string {
if complainMode {
return "complain"
}
return "enforce"
}
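Review bot: The explicit `enforce` token now emitted on the `profile {{.Name}} flags=(...)` line is new to this template, and I believe older `apparmor_parser` releases only recognise mode flags such as `complain`, `kill` and `unconfined` and reject an unknown `enforce` flag, so the default case may stop loading on hosts that accepted the previous output. Please verify this against the minimum AppArmor version the operator supports, or keep the old output for the default by emitting the flag conditionally, e.g. `flags=({{if .ComplainMode}}complain,{{end}}attach_disconnected,mediate_deleted)` with a bool template field in place of the `ProfileMode` string. Independently of that, the new `complainMode` parameter deserves a sentence in the GenerateProfile doc comment, along the lines of `// complainMode loads the profile in complain mode: the kernel logs would-be denials but blocks nothing, so every deny rule in the output is audit-only.`, and `profileMode` should carry a one-line doc comment since it is the only place the two mode strings are defined. The template literal and GenerateProfile both continue across the hunk boundaries shown here.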
