fix(apparmor/host): streamline host profile generation with container…

… template generation - deprecating special handling of host profiles - making reload of apparmor profiles only in k8s env Signed-off-by: daemon1024 <[email protected]>
kubearmor · Sep 9, 2024 · a8fb83c · a8fb83c
1 parent ae5f57c
commit a8fb83c
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 853 deletions.
diff --git a/KubeArmor/enforcer/appArmorEnforcer.go b/KubeArmor/enforcer/appArmorEnforcer.go
@@ -522,13 +522,16 @@ func (ae *AppArmorEnforcer) UpdateAppArmorProfile(endPoint tp.EndPoint, appArmor
 			ae.Logger.Warnf("Unable to update %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
 			return
 		}
-		if err := kl.RunCommandAndWaitWithErr("aa-disable", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
-			ae.Logger.Warnf("Unable to disable for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
-			return
-		}
-		if err := kl.RunCommandAndWaitWithErr("aa-enforce", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
-			ae.Logger.Warnf("Unable to enforce back for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
-			return
+
+		if cfg.GlobalCfg.K8sEnv {
+			if err := kl.RunCommandAndWaitWithErr("aa-disable", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
+				ae.Logger.Warnf("Unable to disable for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
+				return
+			}
+			if err := kl.RunCommandAndWaitWithErr("aa-enforce", []string{"/etc/apparmor.d/" + appArmorProfile}); err != nil {
+				ae.Logger.Warnf("Unable to enforce back for a weird issue %d security rule(s) to %s/%s/%s (%s)", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile, err.Error())
+				return
+			}
 		}
 
 		ae.Logger.Printf("Updated %d security rule(s) to %s/%s/%s", policyCount, endPoint.NamespaceName, endPoint.EndPointName, appArmorProfile)
@@ -579,7 +582,30 @@ func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecur
 		CapabilitiesAction: cfg.GlobalCfg.HostDefaultCapabilitiesPosture,
 	}
 
-	if policyCount, newProfile, ok := ae.GenerateAppArmorHostProfile(secPolicies, globalDefaultPosture); ok {
+	var hostPolicies []tp.SecurityPolicy
+
+	// Typecast HostSecurityPolicy spec to normal SecurityPolicies
+	for _, secPolicy := range secPolicies {
+		var hostPolicy tp.SecurityPolicy
+		if err := kl.Clone(secPolicy.Spec.Process, &hostPolicy.Spec.Process); err != nil {
+			ae.Logger.Warnf("Error cloning host policy spec process to sec policy construct")
+		}
+		if err := kl.Clone(secPolicy.Spec.File, &hostPolicy.Spec.File); err != nil {
+			ae.Logger.Warnf("Error cloning host policy spec file to sec policy construct")
+		}
+		if err := kl.Clone(secPolicy.Spec.Network, &hostPolicy.Spec.Network); err != nil {
+			ae.Logger.Warnf("Error cloning host policy spec network to sec policy construct")
+		}
+		if err := kl.Clone(secPolicy.Spec.Capabilities, &hostPolicy.Spec.Capabilities); err != nil {
+			ae.Logger.Warnf("Error cloning host policy spec capabilities to sec policy construct")
+		}
+		if err := kl.Clone(secPolicy.Spec.Syscalls, &hostPolicy.Spec.Syscalls); err != nil {
+			ae.Logger.Warnf("Error cloning host policy spec syscall to sec policy construct")
+		}
+		hostPolicies = append(hostPolicies, hostPolicy)
+	}
+
+	if policyCount, newProfile, ok := ae.GenerateAppArmorProfile("kubearmor.host /{usr/,}bin/*sh", hostPolicies, globalDefaultPosture, true); ok {
 		newfile, err := os.Create(filepath.Clean(appArmorHostFile))
 		if err != nil {
 			ae.Logger.Warnf("Unable to open the KubeArmor host profile in %s (%s)", cfg.GlobalCfg.Host, err.Error())
@@ -619,6 +645,8 @@ func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecur
 		ae.Logger.Printf("Updated %d host security rules to the KubeArmor host profile in %s", policyCount, cfg.GlobalCfg.Host)
 
 		ae.ClearKubeArmorHostFile(appArmorHostFile)
+	} else if newProfile != "" {
+		ae.Logger.Errf("Error Generating %s AppArmor profile: %s", appArmorHostFile, newProfile)
 	}
 }