From d2a9a881f970b9f4040c0dc02a326aee4e037cc6 Mon Sep 17 00:00:00 2001
From: daemon1024
Date: Wed, 30 Oct 2024 22:00:40 +0530
Subject: [PATCH 1/2] fix(apparmor): clone non conflicting proc rules to from source subprofiles

Signed-off-by: daemon1024
---
 KubeArmor/enforcer/appArmorProfile.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
index 6068824db0..a1e2accc5b 100644
--- a/KubeArmor/enforcer/appArmorProfile.go
+++ b/KubeArmor/enforcer/appArmorProfile.go
@@ -433,6 +433,12 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 ae.Logger.Errf("Error while copying global rules to local profile for %s: %s", source, err.Error())
 continue
 }
+ for proc, config := range profile.ProcessPaths {
+ add := checkIfGlobalRuleToBeAdded(proc, val.ProcessPaths)
+ if add {
+ newval.ProcessPaths[proc] = config
+ }
+ }
 for file, config := range profile.FilePaths {
 add := checkIfGlobalRuleToBeAdded(file, val.FilePaths)
 if add {

From f16ad023d7de33bc2f9b3cb061592747223cbd70 Mon Sep 17 00:00:00 2001
From: daemon1024
Date: Wed, 6 Nov 2024 00:30:09 +0530
Subject: [PATCH 2/2] fix(apparmor): use regex replace to remove all special characters to maintain older apparmor compat

Signed-off-by: daemon1024
---
 KubeArmor/enforcer/appArmorTemplate.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/KubeArmor/enforcer/appArmorTemplate.go b/KubeArmor/enforcer/appArmorTemplate.go
index 70ac278880..a4411e9bc8 100644
--- a/KubeArmor/enforcer/appArmorTemplate.go
+++ b/KubeArmor/enforcer/appArmorTemplate.go
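Review bot: The new loop assigns into `newval.ProcessPaths` without establishing that the map is non-nil; if the copy made just above the hunk leaves `ProcessPaths` nil for a source that declares no process rules of its own, the first `newval.ProcessPaths[proc] = config` panics and aborts profile generation for every source, so the map should be initialized before the loop if that case is reachable (the copy itself is outside the hunk, so I cannot confirm it). The precedence this loop establishes is worth stating, since `checkIfGlobalRuleToBeAdded` is what decides whether a global rule survives a collision with the source's own rule: a comment such as `// Inherit global process rules into the FromSource subprofile; a rule the source already defines for the same path is kept in preference to the global one (see checkIfGlobalRuleToBeAdded).` above the loop would make the enforcement semantics clear to the next reader. As a point of style, the `add := …; if add {` pair here and in the FilePaths loop below reads more directly as `if checkIfGlobalRuleToBeAdded(proc, val.ProcessPaths) {`. GenerateProfileBody begins and ends outside the hunk.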
@@ -79,7 +79,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 {{template "file-section" . }}
 ## == DISPATCHER START == ##
 {{- range $source, $value:= $.FromSource}}
- {{$source}} px -> {{$v := $.Name | split "."}}{{$v._0}}_{{ $source | replace "/" "" | replace "." "" }},
+ {{$source}} px -> {{$v := $.Name | split "."}}{{$v._0}}_{{ regexReplaceAllLiteral "[^a-z A-Z 0-9]" $source "" }},
 {{- end}}
 {{- range $value, $data := .ProcessPaths}}
 {{- $suffix := ""}}
@@ -146,7 +146,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 ## == FromSource per binary profiles START == ##
 {{- range $source, $value := $.FromSource}}
-profile {{$v := $.Name | split "."}}{{$v._0}}_{{ $source | replace "/" "" | replace "." "" }} {
+profile {{$v := $.Name | split "."}}{{$v._0}}_{{ regexReplaceAllLiteral "[^a-z A-Z 0-9]" $source "" }} {
 {{$source}} rix,
 {{template "pre-section" $value }}
 {{template "file-section" $value}}
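Review bot: The character class in `regexReplaceAllLiteral "[^a-z A-Z 0-9]" $source ""` contains literal spaces, so a space in `$source` is not stripped and survives into the subprofile name used both in the `px -> …,` transition here and in the `profile … {` header of the `@@ -146` hunk, where an unquoted space breaks the profile syntax; both occurrences should read `regexReplaceAllLiteral "[^a-zA-Z0-9]" $source ""`. Deleting every non-alphanumeric character also maps distinct sources onto one name (constructed example: `/bin/a-b` and `/bin/ab` both render as `…_binab`), which yields a duplicate `profile … {` definition for the second source or, if the profile still loads, attaches one binary's rules to another; the old `replace` chain had the same weakness for `/` and `.`, but the regex extends it to every symbol. If the older AppArmor parser only requires the symbols to be absent, substituting a fixed character such as `_` instead of the empty string narrows the collisions, and a collision check on the Go side before rendering is the only place it can be done, since the template cannot compare names; that caller is not part of this patch, so I cannot tell whether such a check already exists.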