feat(config): Added option to disable restrictions

Signed-off-by: Kohei Morita <[email protected]>
mrtc0 · Mar 18, 2022 · 61028cf · 61028cf
1 parent fec3499
commit 61028cf
Show file tree

Hide file tree

Showing 10 changed files with 49 additions and 3 deletions.
diff --git a/docs/configuration/file-access-restriction/configuration.md b/docs/configuration/file-access-restriction/configuration.md
@@ -3,6 +3,7 @@
 
 | Config | Type | Description |
 |:------:|:----|:-----------:|
+| `enable` | Enum with the following possible values: `true`, `false` | Whether to enable restrictions or not. Default is `true`. |
 | `mode` | Enum with the following possible values: `monitor`, `block` | If `monitor` is specified, events are only logged. If `block` is specified, network access is blocked. |
 | `target` | Enum with the following possible values: `host`, `container` | Selecting `host` applies the restriction to the host-wide. Selecting `container` will apply the restriction only to containers. |
 | `allow` | A list of allow file paths | |

diff --git a/docs/configuration/mount-restriction/configuration.md b/docs/configuration/mount-restriction/configuration.md
@@ -3,6 +3,7 @@
 
 | Config | Type | Description |
 |:------:|:----|:-----------:|
+| `enable` | Enum with the following possible values: `true`, `false` | Whether to enable restrictions or not. Default is `true`. |
 | `mode` | Enum with the following possible values: `monitor`, `block` | If `monitor` is specified, events are only logged. If `block` is specified, network access is blocked. |
 | `target` | Enum with the following possible values: `host`, `container` | Selecting `host` applies the restriction to the host-wide. Selecting `container` will apply the restriction only to containers. |
 | `deny` | A list of allow file paths | |

diff --git a/docs/configuration/network-restriction/configuration.md b/docs/configuration/network-restriction/configuration.md
@@ -2,6 +2,7 @@
 
 | Config | Type | Description |
 |:------:|:----|:-----------:|
+| `enable` | Enum with the following possible values: `true`, `false` | Whether to enable restrictions or not. Default is `true`. |
 | `mode` | Enum with the following possible values: `monitor`, `block` | If `monitor` is specified, events are only logged. If `block` is specified, network access is blocked. |
 | `target` | Enum with the following possible values: `host`, `container` | Selecting `host` applies the restriction to the host-wide. Selecting `container` will apply the restriction only to containers. |
 | `cidr` | List containing the following sub-keys:<br><li>`allow: [cidr list]`</li><li>`deny: [cidr list]`</li>| Allow or Deny CIDRs. |

diff --git a/pkg/audit/fileaccess/audit.go b/pkg/audit/fileaccess/audit.go
@@ -55,7 +55,11 @@ func setupBPFProgram() (*libbpfgo.Module, error) {
 	return mod, nil
 }
 
-func RunAudit(conf *config.Config) {
+func RunAudit(conf *config.Config) error {
+	if !conf.RestrictedFileAccessConfig.Enable {
+		return nil
+	}
+
 	quit := make(chan os.Signal)
 	signal.Notify(quit, os.Interrupt)
 
@@ -96,6 +100,8 @@ func RunAudit(conf *config.Config) {
 
 	<-quit
 	mgr.Stop()
+
+	return nil
 }
 
 func newAuditLog(event auditLog) log.RestrictedFileAccessLog {

diff --git a/pkg/audit/fileaccess/audit_test.go b/pkg/audit/fileaccess/audit_test.go
@@ -106,6 +106,12 @@ func TestAudit_Container(t *testing.T) {
 	}
 }
 
+func TestRunAudit_Conf(t *testing.T) {
+	config := config.DefaultConfig()
+	config.RestrictedFileAccessConfig.Enable = false
+	RunAudit(config)
+}
+
 type TestAuditManager struct {
 	manager Manager
 	cmd     *exec.Cmd

diff --git a/pkg/audit/mount/audit.go b/pkg/audit/mount/audit.go
@@ -53,7 +53,11 @@ func setupBPFProgram() (*libbpfgo.Module, error) {
 	return mod, nil
 }
 
-func RunAudit(conf *config.Config) {
+func RunAudit(conf *config.Config) error {
+	if !conf.RestrictedMountConfig.Enable {
+		return nil
+	}
+
 	quit := make(chan os.Signal)
 	signal.Notify(quit, os.Interrupt)
 
@@ -94,6 +98,8 @@ func RunAudit(conf *config.Config) {
 
 	<-quit
 	mgr.Stop()
+
+	return nil
 }
 
 func newAuditLog(event auditLog) log.RestrictedMountLog {

diff --git a/pkg/audit/mount/audit_test.go b/pkg/audit/mount/audit_test.go
@@ -57,6 +57,12 @@ func TestAudit_Mount(t *testing.T) {
 	assert.Nil(t, err)
 }
 
+func TestRunAudit_Conf(t *testing.T) {
+	config := config.DefaultConfig()
+	config.RestrictedMountConfig.Enable = false
+	assert.Nil(t, RunAudit(config))
+}
+
 type TestAuditManager struct {
 	manager Manager
 	cmd     *exec.Cmd

diff --git a/pkg/audit/network/audit.go b/pkg/audit/network/audit.go
@@ -125,7 +125,11 @@ func UpdateDomainList(mgr Manager) {
 	}
 }
 
-func RunAudit(conf *config.Config) {
+func RunAudit(conf *config.Config) error {
+	if !conf.RestrictedNetworkConfig.Enable {
+		return nil
+	}
+
 	quit := make(chan os.Signal)
 	signal.Notify(quit, os.Interrupt)
 
@@ -172,6 +176,8 @@ func RunAudit(conf *config.Config) {
 
 	<-quit
 	mgr.Stop()
+
+	return nil
 }
 
 func newAuditLog(header eventHeader, body detectEvent) log.RestrictedNetworkLog {

diff --git a/pkg/audit/network/audit_test.go b/pkg/audit/network/audit_test.go
@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/mrtc0/bouheki/pkg/audit/helpers"
+	"github.com/mrtc0/bouheki/pkg/config"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -486,6 +487,12 @@ func TestAuditContainerDoNotCaptureHostEvents(t *testing.T) {
 	mgr.mod.Close()
 }
 
+func TestRunAudit_Conf(t *testing.T) {
+	config := config.DefaultConfig()
+	config.RestrictedNetworkConfig.Enable = false
+	assert.Nil(t, RunAudit(config))
+}
+
 func runAuditWithOnce(configPath string, execCmd []string, eventsChannel chan []byte) TestAuditManager {
 	config := loadFixtureConfig(configPath)
 	mgr := createManager(config, &SpyIntegrationDNSResolver{})

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -7,6 +7,7 @@ import (
 )
 
 type RestrictedNetworkConfig struct {
+	Enable  bool
 	Mode    string        `yaml:"mode"`
 	Target  string        `yaml:"target"`
 	Command CommandConfig `yaml:"command"`
@@ -17,13 +18,15 @@ type RestrictedNetworkConfig struct {
 }
 
 type RestrictedFileAccessConfig struct {
+	Enable bool
 	Mode   string   `yaml:"mode"`
 	Target string   `yaml:"target"`
 	Allow  []string `yaml:"allow"`
 	Deny   []string `yaml:"deny"`
 }
 
 type RestrictedMountConfig struct {
+	Enable         bool
 	Mode           string   `yaml:"mode"`
 	Target         string   `yaml:"target"`
 	DenySourcePath []string `yaml:"deny"`
@@ -72,6 +75,7 @@ type Config struct {
 func DefaultConfig() *Config {
 	return &Config{
 		RestrictedNetworkConfig: RestrictedNetworkConfig{
+			Enable:  true,
 			Mode:    "monitor",
 			Target:  "host",
 			Command: CommandConfig{Allow: []string{}, Deny: []string{}},
@@ -81,12 +85,14 @@ func DefaultConfig() *Config {
 			GID:     GIDConfig{Allow: []uint{}, Deny: []uint{}},
 		},
 		RestrictedFileAccessConfig: RestrictedFileAccessConfig{
+			Enable: true,
 			Mode:   "monitor",
 			Target: "host",
 			Allow:  []string{"/"},
 			Deny:   []string{},
 		},
 		RestrictedMountConfig: RestrictedMountConfig{
+			Enable:         true,
 			Mode:           "monitor",
 			Target:         "host",
 			DenySourcePath: []string{},