[WIP] initial default posture implementation

Signed-off-by: daemon1024 <[email protected]>
kubearmor · Feb 8, 2022 · 28371f5 · 28371f5
1 parent 72f1137
commit 28371f5
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 3 deletions.
diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
@@ -29,6 +29,10 @@ type KubearmorConfig struct {
 	HostPolicy bool // Enable/Disable host policy enforcement
 	KVMAgent   bool // Enable/Disable KVM Agent
 
+	DefaultFileArmor       string // Default Enforcement Action in Global File Context
+	DefaultNetworkArmor    string // Default Enforcement Action in Global Network Context
+	DefaultCapabilityArmor string // Default Enforcement Action in Global Capability Context
+
 	CoverageTest bool // Enable/Disable Coverage Test
 }
 
@@ -65,6 +69,15 @@ const ConfigKubearmorHostPolicy string = "enableKubeArmorHostPolicy"
 // ConfigKubearmorVM Kubearmor VM key
 const ConfigKubearmorVM string = "enableKubeArmorVm"
 
+// ConfigDefaultFileArmor KubeArmor Default Global File Posture key
+const ConfigDefaultFileArmor string = "defaultFileArmor"
+
+// ConfigDefaultNetworkArmor KubeArmor Default Global Network Posture key
+const ConfigDefaultNetworkArmor string = "defaultNetworkArmor"
+
+// ConfigDefaultCapabilityArmor KubeArmor Default Global Capability Posture key
+const ConfigDefaultCapabilityArmor string = "defaultCapabilityArmor"
+
 // ConfigCoverageTest Coverage Test key
 const ConfigCoverageTest string = "coverageTest"
 
@@ -83,6 +96,10 @@ func readCmdLineParams() {
 	hostPolicyB := flag.Bool(ConfigKubearmorHostPolicy, false, "enabling KubeArmorHostPolicy")
 	kvmAgentB := flag.Bool(ConfigKubearmorVM, false, "enabling KubeArmorVM")
 
+	defaultFileArmor := flag.String(ConfigDefaultFileArmor, "allow", "configuring default enforcement action in global file context [allow,audit,block] (default allow)")
+	defaultNetworkArmor := flag.String(ConfigDefaultNetworkArmor, "allow", "configuring default enforcement action in global network context [allow,audit,block] (default allow)")
+	defaultCapabilityArmor := flag.String(ConfigDefaultCapabilityArmor, "allow", "configuring default enforcement action in global capability context [allow,audit,block] (default allow)")
+
 	coverageTestB := flag.Bool(ConfigCoverageTest, false, "enabling CoverageTest")
 
 	flag.Parse()
@@ -101,6 +118,10 @@ func readCmdLineParams() {
 	viper.Set(ConfigKubearmorHostPolicy, *hostPolicyB)
 	viper.Set(ConfigKubearmorVM, *kvmAgentB)
 
+	viper.Set(ConfigDefaultFileArmor, *defaultFileArmor)
+	viper.Set(ConfigDefaultNetworkArmor, *defaultNetworkArmor)
+	viper.Set(ConfigDefaultCapabilityArmor, *defaultCapabilityArmor)
+
 	viper.Set(ConfigCoverageTest, *coverageTestB)
 }
 
@@ -145,6 +166,10 @@ func LoadConfig() error {
 		GlobalCfg.HostPolicy = true
 	}
 
+	GlobalCfg.DefaultFileArmor = viper.GetString(ConfigDefaultFileArmor)
+	GlobalCfg.DefaultNetworkArmor = viper.GetString(ConfigDefaultNetworkArmor)
+	GlobalCfg.DefaultCapabilityArmor = viper.GetString(ConfigDefaultCapabilityArmor)
+
 	if GlobalCfg.HostVisibility == "" {
 		if GlobalCfg.KVMAgent {
 			GlobalCfg.HostVisibility = "process,file,network,capabilities"

diff --git a/KubeArmor/enforcer/appArmorEnforcer.go b/KubeArmor/enforcer/appArmorEnforcer.go
@@ -35,6 +35,11 @@ type AppArmorEnforcer struct {
 	// profiles for containers
 	AppArmorProfiles     map[string][]string
 	AppArmorProfilesLock *sync.RWMutex
+
+	// Default Action Context
+	File       bool
+	Network    bool
+	Capability bool
 }
 
 // NewAppArmorEnforcer Function
@@ -154,6 +159,22 @@ func NewAppArmorEnforcer(node tp.Node, logger *fd.Feeder) *AppArmorEnforcer {
 		}
 	}
 
+	ae.File = true
+	ae.Network = true
+	ae.Capability = true
+
+	if cfg.GlobalCfg.DefaultFileArmor == "block" {
+		ae.File = false
+	}
+
+	if cfg.GlobalCfg.DefaultNetworkArmor == "block" {
+		ae.Network = false
+	}
+
+	if cfg.GlobalCfg.DefaultCapabilityArmor == "block" {
+		ae.Capability = false
+	}
+
 	return ae
 }
 

diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
@@ -1133,15 +1133,15 @@ func (ae *AppArmorEnforcer) GenerateProfileHead(processWhiteList, fileWhiteList,
 	profileHead := "  #include <abstractions/base>\n"
 	profileHead = profileHead + "  umount,\n"
 
-	if len(processWhiteList) == 0 && len(fileWhiteList) == 0 {
+	if len(processWhiteList) == 0 && len(fileWhiteList) == 0 && ae.File {
 		profileHead = profileHead + "  file,\n"
 	}
 
-	if len(networkWhiteList) == 0 {
+	if len(networkWhiteList) == 0 && ae.Network {
 		profileHead = profileHead + "  network,\n"
 	}
 
-	if len(capabilityWhiteList) == 0 {
+	if len(capabilityWhiteList) == 0 && ae.Capability {
 		profileHead = profileHead + "  capability,\n"
 	}