docs: Fix typo
Danny-Wei committed Nov 30, 2024
1 parent 9ee864e commit 0dba70a
Showing 7 changed files with 35 additions and 36 deletions.
5 changes: 2 additions & 3 deletions apis/varmor/v1beta1/varmorpolicy_types.go
Expand Up @@ -30,7 +30,7 @@ type Target struct {
// Kind is used to specify the type of workloads for the protection targets.
// Available values: Deployment, StatefulSet, DaemonSet, Pod.
Kind string `json:"kind"`
// Name is used to specify a specific workload name. Note that the name field and selector field are mutually exclusive.
// Name is used to specify a specific workload name.
// +optional
Name string `json:"name,omitempty"`
// Containers are used to specify the names of the protected containers. If it is empty, sandbox protection
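Review bot: the mutual-exclusion constraint between `name` and `selector` is deleted from the `Name` comment, but this hunk shows no corresponding change to the `Selector` field, so the generated CRD description for `name` no longer tells users it cannot be combined with `selector`. Keep a short pointer in place, e.g. `// Name is used to specify a specific workload name. It is mutually exclusive with the selector field.`, or confirm the constraint is stated on `Selector`. Removing a documented constraint is also more than the `docs: Fix typo` commit message suggests.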
Expand Down Expand Up @@ -84,8 +84,7 @@ type NetworkSocketRule struct {
// xdp, mctp
//
Domains []string `json:"domains,omitempty"`
// Types specifies the communication semantics of socket. Note that the types field and protocols field
// are mutually exclusive.
// Types specifies the communication semantics of socket.
//
// Available values: all(*), stream, dgram, raw, rdm, seqpacket, dccp, packet
//
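Review bot: same concern for `Types`: the note that `types` and `protocols` are mutually exclusive is dropped here, and the `Protocols` field lies outside this hunk, so it is not visible whether the constraint is still documented anywhere in the Go type (the doc tables in this commit keep it only on `protocols`). Either keep a one-line cross-reference on `Types` or confirm `Protocols` still carries the note, since the Go comment is what ends up in the CRD schema description.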
10 changes: 5 additions & 5 deletions docs/getting_started/interface_specification.md
Expand Up @@ -6,9 +6,9 @@ English | [简体中文](interface_specification.zh_CN.md)
| Field | Subfield | Subfield | Description |
|-------|----------|----------|-------------|
|target|kind<br />*string*|-|Kind is used to specify the type of workloads for the protection targets.<br />Available values: Deployment, StatefulSet, DaemonSet, Pod|
| |name<br />*string*|-|Optional. Name is used to specify a specific workload name. <br />*Note that the name field and selector field are mutually exclusive.*|
| |name<br />*string*|-|Optional. Name is used to specify a specific workload name.|
| |containers<br />*string array*|-|Optional. Containers are used to specify the names of the protected containers. If it is empty, sandbox protection will be enabled for all containers within the workload (excluding initContainers and ephemeralContainers).|
| |selector<br />*[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#labelselector-v1-meta)*|-|Optional. LabelSelector is used to match workloads that meet the specified conditions. <br />*Note that the selector field and name field are mutually exclusive.*|
| |selector<br />*[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#labelselector-v1-meta)*|-|Optional. LabelSelector is used to match workloads that meet the specified conditions. <br />Note that the selector field and name field are mutually exclusive.|
|policy|enforcer<br />*string*|-|Enforcer is used to specify which LSM to use for mandatory access control. <br />Available values: AppArmor, BPF, Seccomp, AppArmorBPF, AppArmorSeccomp, BPFSeccomp, AppArmorBPFSeccomp|
| |mode<br />*string*|-|Used to specify the protection mode.<br />Available values: AlwaysAllow, RuntimeDefault, EnhanceProtect, BehaviorModeling, DefenseInDepth|
| |enhanceProtect|hardeningRules<br />*string array*|Optional. HardeningRules are used to specify the built-in hardening rules.|
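Review bot: the `name` row loses the mutual-exclusion note entirely while the `selector` row keeps it (now without the surrounding `*...*` italics), so a reader looking up `name` alone will not learn the constraint. Consider a short cross-reference in the `name` row such as `See selector.`, and if the italics were dropped deliberately, apply the same plain style to any remaining `Note ...` text elsewhere in this file.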
Expand Down Expand Up @@ -41,7 +41,7 @@ English | [简体中文](interface_specification.zh_CN.md)
|network<br />*NetworkRule* |sockets<br />*[NetworkSocketRule](#networksocketrule) array*|Optional. Sockets are the list of socket rules to be applied to restrict all [SOCKET(2)](https://man7.org/linux/man-pages/man2/socket.2.html) operations.|
| |egresses<br />*[NetworkEgressRule](#networkegressrule) array*|Optional. Egresses are the list of egress rules to be applied to restrict particular IPs and ports.|
|ptrace<br />*PtraceRule* |strictMode<br />*bool*|Optional. If set to false, it allows a process to perform trace and read operations on other processes within the same container, and also allows a process to be subjected to traceby and readby operations by other processes within the same container. If set to true, it prohibits all trace, read, traceby, and readby operations within the container. (Default: false)|
| |permissions<br />*string array*|Prohibited ptrace-related operations. Available values: `all(*), trace, traceby, read, readby`. <br />- `trace`: prohibiting tracing of other processes. <br />- `read`: prohibiting reading of other processes. <br />- `traceby`: prohibiting being traced by other processes (excluding the host processes). <br />- `readby`: prohibiting being read by other processes (excluding the host processes).|
| |permissions<br />*string array*|Prohibited ptrace-related operations. <br />Available values: `all(*), trace, traceby, read, readby`. <br />- trace: prohibiting tracing of other processes. <br />- read: prohibiting reading of other processes. <br />- traceby: prohibiting being traced by other processes (excluding the host processes). <br />- readby: prohibiting being read by other processes (excluding the host processes).|
|mounts<br />*MountRule array* |sourcePattern<br />*string*|Any string (maximum length 128 bytes) that conforms to the policy syntax of BPF enforcer, used for matching the source paramater of [MOUNT(2)](https://man7.org/linux/man-pages/man2/mount.2.html), the target paramater of [UMOUNT(2)](https://man7.org/linux/man-pages/man2/umount.2.html), and the from_pathname paramater of MOVE_MOUNT(2).|
| |fstype<br />*string*|Any string (maximum length 16 bytes), used for matching the type of filesystem. `'*'` represents matching any filesystem.|
| |flags<br />*string array*|Prohibited mount flags. They are similar to AppArmor's [MOUNT FLAGS](https://manpages.ubuntu.com/manpages/focal/man5/apparmor.d.5.html). <br />Available values: `all(*), ro(r, read-only), rw(w), suid, nosuid, dev, nodev, exec, noexec, sync, async, mand, nomand, dirsync, atime, noatime, diratime, nodiratime, silent, loud, relatime, norelatime, iversion, noiversion, strictatime, nostrictatime, remount, bind(B), move(M), rbind(R), make-unbindable, make-private(private), make-slave(slave), make-shared(shared), make-runbindable, make-rprivate, make-rslave, make-rshared, umount`|
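Review bot: in the `permissions` row the backticks around `trace`, `read`, `traceby` and `readby` are removed from the bullet list while the `Available values` list on the same row and the `flags` row below keep backticks for values; pick one convention. Since this is a typo-fix commit, the unchanged `sourcePattern` context line spells `paramater` three times (`source paramater`, `target paramater`, `from_pathname paramater`); that should be `parameter`.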
Expand All @@ -52,8 +52,8 @@ English | [简体中文](interface_specification.zh_CN.md)
| Field | Description |
|-------|-------------|
|domains<br />*string array*|Optional. Domains specifies the communication domains of socket. <br />Available values: `all(*), unix, inet, ax25, ipx, appletalk, netrom, bridge, atmpvc, x25, inet6, rose, netbeui, security, key, netlink, packet, ash, econet, atmsvc, rds, sna, irda, pppox, wanpipe, llc, ib, mpls, can, tipc, bluetooth, iucv, rxrpc, isdn, phonet, ieee802154, caif, alg, nfc, vsock, kcm, qipcrtr, smc, xdp, mctp`|
|types<br />*string array*|Optional. Types specifies the communication semantics of socket. Note that the types field and protocols field are mutually exclusive. <br />Available values: `all(*), stream, dgram, raw, rdm, seqpacket, dccp, packet`|
|protocols<br />*string array*|Optional. Protocols specifies the particular protocols to be used with the socket. Note that the protocols field and types field are mutually exclusive. <br />Available values: `all(*), icmp, tcp, udp`|
|types<br />*string array*|Optional. Types specifies the communication semantics of socket. <br />Available values: `all(*), stream, dgram, raw, rdm, seqpacket, dccp, packet`|
|protocols<br />*string array*|Optional. Protocols specifies the particular protocols to be used with the socket. <br />Available values: `all(*), icmp, tcp, udp`<br /><br />Note that the protocols field and types field are mutually exclusive. |
|PLACEHOLDER|

## NetworkEgressRule
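Review bot: the relocated note on the `protocols` row is separated with `<br /><br />` whereas the `selector` row earlier in this file uses a single `<br />` before its note; the zh_CN file uses the double break in both places, so settle on one spacing for notes across both files. The trailing space before the closing `|` in the `protocols` row (`... exclusive. |`) is also inconsistent with the other rows.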
12 changes: 6 additions & 6 deletions docs/getting_started/interface_specification.zh_CN.md
Expand Up @@ -6,9 +6,9 @@
|字段|子字段|子字段|描述|
|---|-----|-----|---|
|target|kind<br />*string*|-|用于指定防护目标的 Workloads 类型。<br />可用值: Deployment, StatefulSet, DaemonSet, Pod。|
| |name<br />*string*|-|可选字段。用于指定防护目标的对象名称。注意:name 字段与 selector 字段互斥,不能同时存在。|
| |containers<br />*string array*|-|可选字段。用于指定防护目标的容器名,如果为空默认对 Workloads 中的所有容器开启沙箱防护。(注:不含 initContainers, ephemeralContainers)|
| |selector<br />*[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#labelselector-v1-meta)*|-|可选字段。用于根据标签选择器识别防护目标,并开启沙箱防护。注意 selector 字段与 name 字段互斥,不能同时存在。|
| |name<br />*string*|-|可选字段。用于指定防护目标的对象名称。|
| |containers<br />*string array*|-|可选字段。用于指定防护目标的容器名,如果为空默认对 Workloads 中的所有容器开启沙箱防护。(不含 initContainers, ephemeralContainers)|
| |selector<br />*[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#labelselector-v1-meta)*|-|可选字段。用于根据标签选择器识别防护目标,并开启沙箱防护。<br /><br />注意 selector 字段与 name 字段互斥,不能同时存在。|
|policy|enforcer<br />*string*|-|指定要使用的 LSM。<br />可用值: AppArmor, BPF, Seccomp, AppArmorBPF, AppArmorSeccomp, BPFSeccomp, AppArmorBPFSeccomp|
| |mode<br />*string*|-|用于指定防护模式。<br />可用值:AlwaysAllow, RuntimeDefault, EnhanceProtect, BehaviorModeling, DefenseInDepth|
| |enhanceProtect|hardeningRules<br />*string array*|可选字段。用于指定要使用的内置加固规则。|
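Review bot: the `containers` row change here only drops `注:` inside the parenthesis, which is unrelated to the name/selector note move and is not mirrored in the English table; that is fine, but it belongs in the commit message. The `selector` row uses `<br /><br />` before the note while the English `selector` row uses a single `<br />`; align the two files.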
Expand Down Expand Up @@ -41,7 +41,7 @@
|network<br />*NetworkRule* |sockets<br />*[NetworkSocketRule](#networksocketrule) array*|对套接字 [SOCKET(2)](https://man7.org/linux/man-pages/man2/socket.2.html) 创建行为进行访问控制。|
| |egresses<br />*[NetworkEgressRule](#networkegressrule) array*|对外联请求进行访问控制。|
|ptrace<br />*PtraceRule* |strictMode<br />*bool*|可选字段。如果设置为 false,将允许进程对同一容器内其他进程执行 trace、read 操作,以及允许进程被同一容器内其他进程执行 traceby、readby 操作。如果设置为 true,则将禁止容器内所有进程的 trace、read、traceby、readby 操作。(默认值:false)|
| |permissions<br />*string array*|禁止使用 ptrace 相关操作可用值: `all(*), trace, read, traceby, readby`<br />- `trace`: 禁止跟踪其他进程<br />- `read`: 禁止读取其他进程<br />- `traceby`: 禁止被其他进程跟踪,宿主机进程除外<br />- `readby`: 禁止被其他进程读取,宿主机进程除外|
| |permissions<br />*string array*|禁止使用 ptrace 相关操作。<br />可用值: `all(*), trace, read, traceby, readby`<br />- trace: 禁止跟踪其他进程<br />- read: 禁止读取其他进程<br />- traceby: 禁止被其他进程跟踪,宿主机进程除外<br />- readby: 禁止被其他进程读取,宿主机进程除外|
|mounts<br />*MountRule array* |sourcePattern<br />*string*|任意符合策略语法的文件路径字符串(最大长度 128 bytes),用于匹配 [MOUNT(2)](https://man7.org/linux/man-pages/man2/mount.2.html) 的 source,[UMOUNT(2)](https://man7.org/linux/man-pages/man2/umount.2.html) 的 target,以及 MOVE_MOUNT(2) 的 from_pathname。|
| |fstype<br />*string*|任意字符串(最大长度 16 bytes),用于匹配文件系统类型,`*` 代表匹配任意文件系统。|
| |flags<br />*string array*|禁止使用的 mount flags,它们与 AppArmor 的 [MOUNT FLAGS](https://manpages.ubuntu.com/manpages/focal/man5/apparmor.d.5.html) 类似。<br />可用值:`all(*), ro(r, read-only), rw(w), suid, nosuid, dev, nodev, exec, noexec, sync, async, mand, nomand, dirsync, atime, noatime, diratime, nodiratime, silent, loud, relatime, norelatime, iversion, noiversion, strictatime, nostrictatime, remount, bind(B), move(M), rbind(R), make-unbindable, make-private(private), make-slave(slave), make-shared(shared), make-runbindable, make-rprivate, make-rslave, make-rshared, umount`|
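Review bot: the `permissions` value list order differs between the two docs: this row lists `all(*), trace, read, traceby, readby` while the English `permissions` row lists `all(*), trace, traceby, read, readby`. Since the bullets below are being reformatted anyway, make the order identical in both files so the tables can be compared line by line.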
Expand All @@ -52,14 +52,14 @@
|---|----|
|domains<br />*string array*|可选字段。用于指定禁止使用的套接字通信域。<br />可用值:`all(*), unix, inet, ax25, ipx, appletalk, netrom, bridge, atmpvc, x25, inet6, rose, netbeui, security, key, netlink, packet, ash, econet, atmsvc, rds, sna, irda, pppox, wanpipe, llc, ib, mpls, can, tipc, bluetooth, iucv, rxrpc, isdn, phonet, ieee802154, caif, alg, nfc, vsock, kcm, qipcrtr, smc, xdp, mctp`|
|types<br />*string array*|可选字段。用于指定禁止使用的套接字通信语义。<br />可用值:`all(*), stream, dgram, raw, rdm, seqpacket, dccp, packet`|
|protocols<br />*string array*|可选字段。用于指定禁止使用的套接字特定协议。<br />可用值:`all(*), icmp, tcp, udp`<br />注意:protocols 和 types 字段互斥,不能同时存在。|
|protocols<br />*string array*|可选字段。用于指定禁止使用的套接字特定协议。<br />可用值:`all(*), icmp, tcp, udp`<br /><br />注意:protocols 和 types 字段互斥,不能同时存在。|
|PLACEHOLDER|

## NetworkEgressRule

|字段|描述|
|---|----|
|ipBlock<br />*string*|可选字段。可使用任意标准的 CIDR,支持 IPv6。用于对指定 CIDR 范围内的 IP 地址进行外联限制,例如<br />* 192.168.1.1/24 代表 192.168.1.0 ~ 192.168.1.255 范围内的 IP 地址。<br />* 2001:db8::/32 代表 2001:db8:: ~ 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff 范围内的 IP 地址。<br />注意:同一个 NetworkEgressRule 中,IPBlock 和 IP 字段互斥,不能同时存在。|
|ipBlock<br />*string*|可选字段。可使用任意标准的 CIDR,支持 IPv6。用于对指定 CIDR 范围内的 IP 地址进行外联限制,例如<br />* 192.168.1.1/24 代表 192.168.1.0 ~ 192.168.1.255 范围内的 IP 地址。<br />* 2001:db8::/32 代表 2001:db8:: ~ 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff 范围内的 IP 地址。<br /><br />注意:同一个 NetworkEgressRule 中,IPBlock 和 IP 字段互斥,不能同时存在。|
|ip<br />*string*|可选字段。任意标准的 IP 地址,支持 IPv6,用于对特定的 IP 地址进行外联限制。|
|port<br />*int*|可选字段。用于对指定的端口进行外联限制,当为空时,默认对(匹配 IP 地址的)所有端口进行外联限制。否则仅对特定端口进行控制。<br />可用值:`1~65535`|
|PLACEHOLDER||
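Review bot: this hunk only inserts an extra `<br />` before the notes in the `protocols` and `ipBlock` rows, but the unchanged `ipBlock` example `192.168.1.1/24 代表 192.168.1.0 ~ 192.168.1.255` writes the CIDR with host bits set; `192.168.1.0/24` is the conventional form, and the text should say whether a prefix with host bits is accepted and masked or rejected by validation. The last row `|PLACEHOLDER||` also has one more pipe than the `|PLACEHOLDER|` row in the NetworkSocketRule table; check which is intended.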
0 comments on commit 0dba70a