From 5a1f8ca4394a1157639199f59ce84a86aa7f34c2 Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Mon, 30 May 2022 15:47:06 +0000 Subject: [PATCH] fix ResolvedProcessWhiteListConflicts Signed-off-by: Jaehyun Nam --- KubeArmor/enforcer/appArmorProfile.go | 88 +++++++++++++++------------ 1 file changed, 50 insertions(+), 38 deletions(-) diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go index c67d2f9b0f..a3ec7e1fae 100644 --- a/KubeArmor/enforcer/appArmorProfile.go +++ b/KubeArmor/enforcer/appArmorProfile.go @@ -21,18 +21,20 @@ import ( func (ae *AppArmorEnforcer) ResolvedProcessWhiteListConflicts(processWhiteList *[]string, fromSources map[string][]string, fusionProcessWhiteList *[]string) { prunedProcessWhiteList := make([]string, len(*processWhiteList)) copy(prunedProcessWhiteList, *processWhiteList) - numOfRemovedElements := 0 - for index, line := range *processWhiteList { - for source := range fromSources { - if strings.Split(line, " ")[0] == source { - *fusionProcessWhiteList = append(*fusionProcessWhiteList, source) - - // remove line from WhiteList - prunedProcessWhiteList = kl.RemoveStringElement(prunedProcessWhiteList, index-numOfRemovedElements) - numOfRemovedElements = numOfRemovedElements + 1 - - break + for source := range fromSources { + for _, line := range *processWhiteList { + if source == strings.Split(strings.TrimSpace(line), " ")[0] { + if !kl.ContainsElement(*fusionProcessWhiteList, source) { + *fusionProcessWhiteList = append(*fusionProcessWhiteList, source) + + for idx, line := range prunedProcessWhiteList { + if source == strings.Split(strings.TrimSpace(line), " ")[0] { + prunedProcessWhiteList = append(prunedProcessWhiteList[:idx], prunedProcessWhiteList[idx+1:]...) + break + } + } + } } } } @@ -669,19 +671,25 @@ func (ae *AppArmorEnforcer) BlockedCapabilitiesMatchCapabilities(cap tp.Capabili // == // // GenerateProfileHead Function -func (ae *AppArmorEnforcer) GenerateProfileHead(processWhiteList, fileWhiteList, networkWhiteList, capabilityWhiteList []string, defaultPosture tp.DefaultPosture) string { +func (ae *AppArmorEnforcer) GenerateProfileHead(numProcessWhiteList, numFileWhiteList, numNetworkWhiteList, numCapabilityWhiteList int, fromSourceFile, fromSourceNetwork, fromSourceCapability bool, defaultPosture tp.DefaultPosture) string { profileHead := " #include \n" profileHead = profileHead + " umount,\n" - if !(defaultPosture.FileAction == "block" && (len(processWhiteList) > 0 || len(fileWhiteList) > 0)) { + if defaultPosture.FileAction == "block" && !(numProcessWhiteList > 0 || numFileWhiteList > 0 || !fromSourceFile) { + profileHead = profileHead + " file,\n" + } else if numProcessWhiteList == 0 && numFileWhiteList == 0 { profileHead = profileHead + " file,\n" } - if !(defaultPosture.NetworkAction == "block" && len(networkWhiteList) > 0) { + if defaultPosture.NetworkAction == "block" && !(numNetworkWhiteList > 0 || !fromSourceNetwork) { + profileHead = profileHead + " network,\n" + } else if numNetworkWhiteList == 0 { profileHead = profileHead + " network,\n" } - if !(defaultPosture.CapabilitiesAction == "block" && len(capabilityWhiteList) > 0) { + if defaultPosture.CapabilitiesAction == "block" && !(numCapabilityWhiteList > 0 || !fromSourceCapability) { + profileHead = profileHead + " capability,\n" + } else if numCapabilityWhiteList == 0 { profileHead = profileHead + " capability,\n" } @@ -737,6 +745,10 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo fusionProcessWhiteList := []string{} + fromSourceFile := true + fromSourceNetwork := true + fromSourceCapability := true + // preparation for _, secPolicy := range securityPolicies { @@ -825,6 +837,16 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo } } + // Count the number of global security rules + + numProcessWhiteList := len(processWhiteList) + numFileWhiteList := len(fileWhiteList) + numNetworkWhiteList := len(networkWhiteList) + numCapabilityWhiteList := len(capabilityWhiteList) + + count = count + numProcessWhiteList + numFileWhiteList + numNetworkWhiteList + numCapabilityWhiteList + count = count + len(processBlackList) + len(fileBlackList) + len(networkBlackList) + len(capabilityBlackList) + // Resolve conflicts ae.ResolvedProcessWhiteListConflicts(&processWhiteList, fromSources, &fusionProcessWhiteList) @@ -838,52 +860,36 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo profileBody = profileBody + line } - count = count + len(processWhiteList) - for _, line := range fileWhiteList { profileBody = profileBody + line } - count = count + len(fileWhiteList) - for _, line := range networkWhiteList { profileBody = profileBody + line } - count = count + len(networkWhiteList) - for _, line := range capabilityWhiteList { profileBody = profileBody + line } - count = count + len(capabilityWhiteList) - // body - black list for _, line := range processBlackList { profileBody = profileBody + line } - count = count + len(processBlackList) - for _, line := range fileBlackList { profileBody = profileBody + line } - count = count + len(fileBlackList) - for _, line := range networkBlackList { profileBody = profileBody + line } - count = count + len(networkBlackList) - for _, line := range capabilityBlackList { profileBody = profileBody + line } - count = count + len(capabilityBlackList) - // body - from source bodyFromSource := "" @@ -912,11 +918,13 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo for _, line := range lines { if strings.Contains(line, " network") { network = false + fromSourceNetwork = false continue } if strings.Contains(line, " capability") { capability = false + fromSourceCapability = false continue } @@ -929,20 +937,24 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo } file = false + fromSourceFile = false } - if defaultPosture.FileAction == "block" && ((len(processWhiteList) > 0 || len(fileWhiteList) > 0) || !file) { - } else { + if defaultPosture.FileAction == "block" && !(numProcessWhiteList > 0 || numFileWhiteList > 0 || !file) { + bodyFromSource = bodyFromSource + " file,\n" + } else if file { bodyFromSource = bodyFromSource + " file,\n" } - if defaultPosture.NetworkAction == "block" && (len(networkWhiteList) > 0 || !network) { - } else { + if defaultPosture.NetworkAction == "block" && !(numNetworkWhiteList > 0 || !network) { + bodyFromSource = bodyFromSource + " network,\n" + } else if network { bodyFromSource = bodyFromSource + " network,\n" } - if defaultPosture.CapabilitiesAction == "block" && (len(capabilityWhiteList) > 0 || !capability) { - } else { + if defaultPosture.CapabilitiesAction == "block" && !(numCapabilityWhiteList > 0 || !capability) { + bodyFromSource = bodyFromSource + " capability,\n" + } else if capability { bodyFromSource = bodyFromSource + " capability,\n" } @@ -976,7 +988,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo // head - profileHead := " ## == PRE START == ##\n" + ae.GenerateProfileHead(processWhiteList, fileWhiteList, networkWhiteList, capabilityWhiteList, defaultPosture) + " ## == PRE END == ##\n\n" + profileHead := " ## == PRE START == ##\n" + ae.GenerateProfileHead(numProcessWhiteList, numFileWhiteList, numNetworkWhiteList, numCapabilityWhiteList, fromSourceFile, fromSourceNetwork, fromSourceCapability, defaultPosture) + " ## == PRE END == ##\n\n" // body - together