feat: Support wildcard for all bpf permissions and flags #136

Merged
merged 9 commits into from
Dec 2, 2024
12 changes: 6 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,23 +37,23 @@ vArmor was created by the **Elkeid Team** of the endpoint security department at
## Documentation
vArmor reference documents are available at [varmor.org](https://varmor.org).

⏩ **[Quick Start](https://www.varmor.org/docs/introduction#quick-start)**
⏩ **[Quick Start](https://www.varmor.org/docs/main/introduction)**

⚙️ **[Installation](https://www.varmor.org/docs/getting_started/installation)**
⚙️ **[Installation](https://www.varmor.org/docs/main/getting_started/installation)**

📔 **[Usage Instructions](https://www.varmor.org/docs/getting_started/usage_instructions)**
📔 **[Usage Instructions](https://www.varmor.org/docs/main/getting_started/usage_instructions)**

📜 **[Policies and Rules](https://www.varmor.org/docs/guides/policies_and_rules)**
📜 **[Policies and Rules](https://www.varmor.org/docs/main/guides/policies_and_rules)**

⏱️ **[Performance Specifications](https://www.varmor.org/docs/guides/performance)**
⏱️ **[Performance Specifications](https://www.varmor.org/docs/main/guides/performance)**


## Contributing
Thanks for your interest in contributing to vArmor! Here are some steps to help get you started:

🤝🏻 Read and agree to the [code of conduct](./CODE_OF_CONDUCT.md).

🛠️ Read the [development guide](docs/development_guide.md).
🛠️ Read the [development guide](https://www.varmor.org/docs/main/guides/development).

💬 Join vArmor [Lark group](https://applink.larkoffice.com/client/chat/chatter/add_by_link?link_token=ae5pfb2d-f8a4-4f0b-b12e-15f24fdaeb24&qr_code=true).

Expand Down
51 changes: 25 additions & 26 deletions apis/varmor/v1beta1/varmorpolicy_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,17 +30,14 @@ type Target struct {
// Kind is used to specify the type of workloads for the protection targets.
// Available values: Deployment, StatefulSet, DaemonSet, Pod.
Kind string `json:"kind"`
// Name is used to specify a specific workload name. Note that the name field and selector field are mutually exclusive.
// Name is used to specify a specific workload name.
// +optional
Name string `json:"name,omitempty"`
// Containers are used to specify the names of the protected containers. If it is empty, sandbox protection
// will be enabled for all containers within the workload (excluding initContainers and ephemeralContainers).
// +optional
Containers []string `json:"containers,omitempty"`
// LabelSelector is used to match workloads that meet the specified conditions
//
// Note:
// The type of workloads is determined by the KIND field.
// LabelSelector is used to match workloads that meet the specified conditions. Note that the selector field and name field are mutually exclusive.
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty"`
}
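Review bot: the name/selector mutual exclusion is now stated only in the comment on `Selector`, and nothing in this hunk enforces it at the API level, so a policy that sets both fields is still accepted by the API server and its outcome depends on controller behaviour. Consider a CEL marker on `Target` such as `// +kubebuilder:validation:XValidation:rule="!(has(self.name) && has(self.selector))",message="name and selector are mutually exclusive"` and regenerate the CRDs, so the conflict is rejected at admission time. Moving the note off `Name` also means a reader looking at `Name` alone no longer sees the constraint; a one-line cross-reference on both fields costs nothing.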
Expand All @@ -58,14 +55,17 @@ type FileRule struct {
// Pattern can be any string (maximum length 128 bytes) that conforms to the policy syntax, used for matching file paths and filenames
Pattern string `json:"pattern"`
// Permissions are used to specify the file permissions to be disabled.
//
// Available values: all(*), read(r), write(w), exec(x), append(a)
//
Permissions []string `json:"permissions"`
}

type NetworkEgressRule struct {
// IPBlock defines policy on a particular IPBlock with CIDR. If this field is set then neither of the IP field can be.
// IPBlock defines policy on a particular IPBlock with CIDR.
// +optional
IPBlock string `json:"ipBlock,omitempty"`
// IP defines policy on a particular IP. If this field is set then neither of the IPBlock field can be.
// IP defines policy on a particular IP. Note that the ip field and ipBlock field are mutually exclusive.
// +optional
IP string `json:"ip,omitempty"`
// Port defines policy on a particular port. If this field is zero or missing, this rule matches all ports.
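Review bot: the new `all(*)` entry in `FileRule.Permissions` needs its semantics stated: whether `all` and `*` are both accepted spellings, whether the value is equivalent to listing r, w, x and a, and whether mixing it with individual permissions (for example `["*", "r"]`) is accepted, ignored or rejected. A wildcard on the deny side is the broadest rule the field can express, so an ambiguous combination should fail validation rather than be silently interpreted. Separately, the `IPBlock` comment loses its mutual-exclusion note while the `IP` comment keeps it, so the two fields now document the constraint asymmetrically; state it on both or, better, enforce it with a validation marker, since a rule with both `ip` and `ipBlock` set is an authoring error that should fail at admission, not at enforcement time.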
Expand All @@ -77,23 +77,22 @@ type NetworkSocketRule struct {
// Domains specifies the communication domains of socket.
//
// Available values:
// *, all, unix, inet, ax25, ipx, appletalk, netrom, bridge, atmpvc, x25,
// all(*), unix, inet, ax25, ipx, appletalk, netrom, bridge, atmpvc, x25,
// inet6, rose, netbeui, security, key, netlink, packet, ash, econet, atmsvc,
// rds, sna, irda, pppox, wanpipe, llc, ib, mpls, can, tipc, bluetooth, iucv,
// rxrpc, isdn, phonet, ieee802154, caif, alg, nfc, vsock, kcm, qipcrtr, smc,
// xdp, mctp
//
Domains []string `json:"domains,omitempty"`
// Types specifies the communication semantics of socket. Note that the types field and protocols field
// are mutually exclusive.
// Types specifies the communication semantics of socket.
//
// Available values: *, all, stream, dgram, raw, rdm, seqpacket, dccp, packet
// Available values: all(*), stream, dgram, raw, rdm, seqpacket, dccp, packet
//
Types []string `json:"types,omitempty"`
// Protocols specifies the particular protocols to be used with the socket. Note that the protocols field
// and types field are mutually exclusive.
//
// Available values: *, all, icmp, tcp, udp
// Available values: all(*), icmp, tcp, udp
//
Protocols []string `json:"protocols,omitempty"`
}
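Review bot: this hunk removes the "types field and protocols field are mutually exclusive" sentence from `Types`, but the unchanged `Protocols` comment still says "Note that the protocols field and types field are mutually exclusive", so the two comments now disagree. Either the exclusion no longer holds and the `Protocols` sentence should be removed as well, or it still holds and the `Types` sentence should be restored; whichever is true, the generated CRD descriptions will carry the same contradiction. Also, merging `*` and `all` into the single entry `all(*)` should come with a sentence saying whether both spellings are accepted by the API or only one is.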
Expand All @@ -106,25 +105,26 @@ type NetworkRule struct {
}

type PtraceRule struct {
// StrictMode is used to indicate whether to restrict ptrace permissions for all source and destination processes.
// StrictMode is used to indicate whether to restrict ptrace operations for all source and destination processes.
// Default is false.
// If set to false, it restricts ptrace-related permissions only for processes in other containers.
// If set to true, it restricts ptrace-related permissions for all processes, except those within the init mnt namespace.
// If set to false, it allows a process to perform trace and read operations on other processes within the same container,
// and also allows a process to be subjected to traceby and readby operations by other processes within the same container.
// If set to true, it prohibits all trace, read, traceby, and readby operations within the container.
// +optional
StrictMode bool `json:"strictMode,omitempty"`
// Permissions are used to indicate which ptrace-related permissions of the target container should be restricted.
// Available values: trace, traceby, read, readby.
//
// trace, traceby
// Available values: all(*), trace, traceby, read, readby.
// - trace: prohibiting tracing of other processes.
// - read: prohibiting reading of other processes.
// - traceby: prohibiting being traced by other processes (excluding the host processes).
// - readby: prohibiting being read by other processes (excluding the host processes).
//
// For "write" operations, or other operations that are more dangerous, such as: ptrace attaching (PTRACE_ATTACH) to
// another process or calling process_vm_writev(2).
//
// read, readby
//
// For "read" operations or other operations that are less dangerous, such as: get_robust_list(2); kcmp(2); reading
// /proc/pid/auxv, /proc/pid/environ, or /proc/pid/stat; or readlink(2) of a /proc/pid/ns/* file.
// The trace, traceby permissions for "write" operations, or other operations that are more dangerous, such as:
// ptrace attaching (PTRACE_ATTACH) to another process or calling process_vm_writev(2).
//
// The read, readby permissions for "read" operations or other operations that are less dangerous, such as:
// get_robust_list(2); kcmp(2); reading /proc/pid/auxv, /proc/pid/environ, or /proc/pid/stat; or readlink(2) of a /proc/pid/ns/* file.
Permissions []string `json:"permissions"`
}

Expand All @@ -136,8 +136,7 @@ type MountRule struct {
// Flags are used to specify the mount flags to enforce. They are almost the same as the 'MOUNT FLAGS LIST' of AppArmor.
//
// Available values:
//
// All Flags: all
// All Flags: all(*)
// Command Flags: ro(r, read-only), rw(w), suid, nosuid, dev, nodev, exec, noexec,
// sync, async, mand, nomand, dirsync, atime, noatime, diratime, nodiratime,
// silent, loud, relatime, norelatime, iversion, noiversion, strictatime,
Expand Down
7 changes: 3 additions & 4 deletions config/crds/crd.varmor.org_armorprofiles.yaml
Expand Up @@ -247,12 +247,11 @@ spec:
type: string
name:
description: Name is used to specify a specific workload name.
Note that the name field and selector field are mutually exclusive.
type: string
selector:
description: "LabelSelector is used to match workloads that meet
the specified conditions \n Note: The type of workloads is determined
by the KIND field."
description: LabelSelector is used to match workloads that meet
the specified conditions. Note that the selector field and name
field are mutually exclusive.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
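Review bot: this description text mirrors the Go comment change word for word, including the `\n` placement, which indicates the CRD was regenerated with controller-gen rather than hand-edited; good, but it also means the name/selector exclusion stated here is still documentation only. If a validation marker is added to the Go `Target` type, regenerate this file so the rule appears as `x-kubernetes-validations` here as well, and do not patch the YAML directly, since the next generation run would overwrite it.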
Expand Down
77 changes: 42 additions & 35 deletions config/crds/crd.varmor.org_varmorclusterpolicies.yaml
Expand Up @@ -126,8 +126,9 @@ spec:
syntax, used for matching file paths and filenames
type: string
permissions:
description: Permissions are used to specify the
file permissions to be disabled.
description: "Permissions are used to specify the
file permissions to be disabled. \n Available
values: all(*), read(r), write(w), exec(x), append(a)"
items:
type: string
type: array
Expand All @@ -143,7 +144,7 @@ spec:
description: "Flags are used to specify the mount
flags to enforce. They are almost the same as
the 'MOUNT FLAGS LIST' of AppArmor. \n Available
values: \n All Flags: all Command Flags: ro(r,
values: All Flags: all(*) Command Flags: ro(r,
read-only), rw(w), suid, nosuid, dev, nodev, exec,
noexec, sync, async, mand, nomand, dirsync, atime,
noatime, diratime, nodiratime, silent, loud, relatime,
Expand Down Expand Up @@ -181,13 +182,12 @@ spec:
properties:
ip:
description: IP defines policy on a particular
IP. If this field is set then neither of the
IPBlock field can be.
IP. Note that the ip field and ipBlock field
are mutually exclusive.
type: string
ipBlock:
description: IPBlock defines policy on a particular
IPBlock with CIDR. If this field is set then
neither of the IP field can be.
IPBlock with CIDR.
type: string
port:
description: Port defines policy on a particular
Expand All @@ -203,8 +203,8 @@ spec:
properties:
domains:
description: "Domains specifies the communication
domains of socket. \n Available values: *,
all, unix, inet, ax25, ipx, appletalk, netrom,
domains of socket. \n Available values: all(*),
unix, inet, ax25, ipx, appletalk, netrom,
bridge, atmpvc, x25, inet6, rose, netbeui,
security, key, netlink, packet, ash, econet,
atmsvc, rds, sna, irda, pppox, wanpipe, llc,
Expand All @@ -218,17 +218,16 @@ spec:
description: "Protocols specifies the particular
protocols to be used with the socket. Note
that the protocols field and types field are
mutually exclusive. \n Available values: *,
all, icmp, tcp, udp"
mutually exclusive. \n Available values: all(*),
icmp, tcp, udp"
items:
type: string
type: array
types:
description: "Types specifies the communication
semantics of socket. Note that the types field
and protocols field are mutually exclusive.
\n Available values: *, all, stream, dgram,
raw, rdm, seqpacket, dccp, packet"
semantics of socket. \n Available values:
all(*), stream, dgram, raw, rdm, seqpacket,
dccp, packet"
items:
type: string
type: array
Expand All @@ -244,8 +243,9 @@ spec:
syntax, used for matching file paths and filenames
type: string
permissions:
description: Permissions are used to specify the
file permissions to be disabled.
description: "Permissions are used to specify the
file permissions to be disabled. \n Available
values: all(*), read(r), write(w), exec(x), append(a)"
items:
type: string
type: array
Expand All @@ -259,28 +259,36 @@ spec:
permissions:
description: "Permissions are used to indicate which
ptrace-related permissions of the target container
should be restricted. Available values: trace, traceby,
read, readby. \n trace, traceby \n For \"write\"
should be restricted. \n Available values: all(*),
trace, traceby, read, readby. - trace: prohibiting
tracing of other processes. - read: prohibiting
reading of other processes. - traceby: prohibiting
being traced by other processes (excluding the host
processes). - readby: prohibiting being read by
other processes (excluding the host processes).
\n The trace, traceby permissions for \"write\"
operations, or other operations that are more dangerous,
such as: ptrace attaching (PTRACE_ATTACH) to another
process or calling process_vm_writev(2). \n read,
readby \n For \"read\" operations or other operations
that are less dangerous, such as: get_robust_list(2);
kcmp(2); reading /proc/pid/auxv, /proc/pid/environ,
or /proc/pid/stat; or readlink(2) of a /proc/pid/ns/*
file."
process or calling process_vm_writev(2). \n The
read, readby permissions for \"read\" operations
or other operations that are less dangerous, such
as: get_robust_list(2); kcmp(2); reading /proc/pid/auxv,
/proc/pid/environ, or /proc/pid/stat; or readlink(2)
of a /proc/pid/ns/* file."
items:
type: string
type: array
strictMode:
description: StrictMode is used to indicate whether
to restrict ptrace permissions for all source and
to restrict ptrace operations for all source and
destination processes. Default is false. If set
to false, it restricts ptrace-related permissions
only for processes in other containers. If set to
true, it restricts ptrace-related permissions for
all processes, except those within the init mnt
namespace.
to false, it allows a process to perform trace and
read operations on other processes within the same
container, and also allows a process to be subjected
to traceby and readby operations by other processes
within the same container. If set to true, it prohibits
all trace, read, traceby, and readby operations
within the container.
type: boolean
required:
- permissions
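Review bot: the four bullets under "Available values" ("- trace: ... - read: ... - traceby: ... - readby: ...") are run together on a single line in the generated description, because the Go comment has no blank `//` line between them; the `\n` breaks in this string appear exactly where the Go source has a blank comment line (before "Available values" and before "The trace, traceby permissions"). Insert a blank `//` line before the first bullet and between bullets in `varmorpolicy_types.go`, then regenerate, so `kubectl explain` shows a readable list. The same applies to the `strictMode` text, which now says strict mode prohibits all four operations "within the container" without the host-process exemption that the `traceby`/`readby` bullets still mention; resolve that in the Go comment and let it flow through here.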
Expand Down Expand Up @@ -392,12 +400,11 @@ spec:
type: string
name:
description: Name is used to specify a specific workload name.
Note that the name field and selector field are mutually exclusive.
type: string
selector:
description: "LabelSelector is used to match workloads that meet
the specified conditions \n Note: The type of workloads is determined
by the KIND field."
description: LabelSelector is used to match workloads that meet
the specified conditions. Note that the selector field and name
field are mutually exclusive.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
Expand Down