consider default posture if fromsourceallowpolicy exists

This commit also fixes the bug where default deny didn't work if we only had fromSource based Allow Policies

Signed-off-by: daemon1024 <[email protected]>

KubeArmor/enforcer/appArmorProfile.go

@@ -812,19 +812,22 @@ func (ae *AppArmorEnforcer) BlockedCapabilitiesMatchCapabilities(cap tp.Capabili
 // == //
 
 // GenerateProfileHead Function
-func (ae *AppArmorEnforcer) GenerateProfileHead(processWhiteList, fileWhiteList, networkWhiteList, capabilityWhiteList []string) string {
+func (ae *AppArmorEnforcer) GenerateProfileHead(processWhiteList, fileWhiteList, networkWhiteList, capabilityWhiteList []string, file, network, capability bool) string {
 	profileHead := "  #include <abstractions/base>\n"
 	profileHead = profileHead + "  umount,\n"
 
-	if len(processWhiteList) == 0 && len(fileWhiteList) == 0 && cfg.GlobalCfg.DefaultFilePosture != "block" {
+	if len(processWhiteList) > 0 || len(fileWhiteList) > 0 || (!file && cfg.GlobalCfg.DefaultFilePosture == "block") {
+	} else {
 		profileHead = profileHead + "  file,\n"
 	}
 
-	if len(networkWhiteList) == 0 && cfg.GlobalCfg.DefaultNetworkPosture != "block" {
+	if len(networkWhiteList) > 0 || (!network && cfg.GlobalCfg.DefaultNetworkPosture == "block") {
+	} else {
 		profileHead = profileHead + "  network,\n"
 	}
 
-	if len(capabilityWhiteList) == 0 && cfg.GlobalCfg.DefaultCapabilitiesPosture != "block" {
+	if len(capabilityWhiteList) > 0 && (!capability && cfg.GlobalCfg.DefaultCapabilitiesPosture == "block") {
+	} else {
 		profileHead = profileHead + "  capability,\n"
 	}
 
@@ -882,6 +885,10 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 
 	fusionProcessWhiteList := []string{}
 
+	globalFile := true
+	globalNetwork := true
+	globalCapability := true
+
 	// preparation
 
 	for _, secPolicy := range securityPolicies {
@@ -985,10 +992,6 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 	// Resolve conflicts
 	ae.ResolvedProcessWhiteListConflicts(&processWhiteList, fromSources, &fusionProcessWhiteList)
 
-	// head
-
-	profileHead := "  ## == PRE START == ##\n" + ae.GenerateProfileHead(processWhiteList, fileWhiteList, networkWhiteList, capabilityWhiteList) + "  ## == PRE END == ##\n\n"
-
 	// body
 
 	profileBody := ""
@@ -1087,11 +1090,13 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 		for _, line := range lines {
 			if strings.Contains(line, "  network") {
 				network = false
+				globalNetwork = false
 				continue
 			}
 
 			if strings.Contains(line, "  capability") {
 				capability = false
+				globalCapability = false
 				continue
 			}
 
@@ -1104,17 +1109,21 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 			}
 
 			file = false
+			globalFile = false
 		}
 
-		if file && len(processWhiteList) == 0 && len(fileWhiteList) == 0 {
+		if cfg.GlobalCfg.DefaultFilePosture == "block" && ((len(processWhiteList) > 0 || len(fileWhiteList) > 0) || !file) {
+		} else {
 			bodyFromSource = bodyFromSource + "    file,\n"
 		}
 
-		if network && len(networkWhiteList) == 0 {
+		if cfg.GlobalCfg.DefaultNetworkPosture == "block" && (len(networkWhiteList) > 0 || !network) {
+		} else {
 			bodyFromSource = bodyFromSource + "    network,\n"
 		}
 
-		if capability && len(capabilityWhiteList) == 0 {
+		if cfg.GlobalCfg.DefaultCapabilitiesPosture == "block" && (len(capabilityWhiteList) > 0 || !capability) {
+		} else {
 			bodyFromSource = bodyFromSource + "    capability,\n"
 		}
 
@@ -1146,6 +1155,10 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 		count = count + len(source)
 	}
 
+	// head
+
+	profileHead := "  ## == PRE START == ##\n" + ae.GenerateProfileHead(processWhiteList, fileWhiteList, networkWhiteList, capabilityWhiteList, globalFile, globalNetwork, globalCapability) + "  ## == PRE END == ##\n\n"
+
 	// body - together
 
 	profileBody = "  ## == POLICY START == ##\n" + profileBody + bodyFromSource + "  ## == POLICY END == ##\n\n"