diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
index 5cac28276f..9183951b4c 100644
--- a/KubeArmor/enforcer/appArmorProfile.go
+++ b/KubeArmor/enforcer/appArmorProfile.go
@@ -32,7 +32,7 @@ func (ae *AppArmorEnforcer) ResolvedProcessWhiteListConflicts(prof *Profile) {
 
 // SetProcessMatchPaths Function
 func (ae *AppArmorEnforcer) SetProcessMatchPaths(path tp.ProcessPathType, prof *Profile, deny bool, head bool) {
-	if deny == false {
+	if !deny {
 		prof.File = head
 	}
 	rule := RuleConfig{}
@@ -41,8 +41,11 @@ func (ae *AppArmorEnforcer) SetProcessMatchPaths(path tp.ProcessPathType, prof *
 	rule.OwnerOnly = path.OwnerOnly
 
 	if len(path.FromSource) == 0 {
+		if len(path.ExecName) > 0 {
+			addRuletoMap(rule, "/**/"+path.ExecName, prof.ProcessPaths)
+			return
+		}
 		addRuletoMap(rule, path.Path, prof.ProcessPaths)
-
 		return
 	}
 
@@ -58,12 +61,16 @@ func (ae *AppArmorEnforcer) SetProcessMatchPaths(path tp.ProcessPathType, prof *
 			fromsource.Rules.Init()
 			prof.FromSource[source] = fromsource
 		}
-		if deny == false {
+		if !deny {
 			if val, ok := prof.FromSource[source]; ok {
 				val.File = head
 				prof.FromSource[source] = val
 			}
 		}
+		if len(path.ExecName) > 0 {
+			addRuletoMap(rule, "/**/"+path.ExecName, prof.FromSource[source].ProcessPaths)
+			continue
+		}
 		addRuletoMap(rule, path.Path, prof.FromSource[source].ProcessPaths)
 	}
 }
diff --git a/KubeArmor/enforcer/bpflsm/rulesHandling.go b/KubeArmor/enforcer/bpflsm/rulesHandling.go
index b627b260ca..dfe92924c2 100644
--- a/KubeArmor/enforcer/bpflsm/rulesHandling.go
+++ b/KubeArmor/enforcer/bpflsm/rulesHandling.go
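Review bot: In the hunk at -41,8, `"/**/"+path.ExecName` is written into the AppArmor profile without checking that ExecName is a bare file name, so a value containing `/` or AppArmor glob characters (`*`, `?`, `[`, `{`) silently widens the rule — an allow rule whose ExecName is `*` becomes `/**/*` and permits every executable. The hunk at -58,12 repeats the same construction for the FromSource branch. Unless ExecName is already validated at policy admission (not visible here), a check such as `strings.ContainsAny(path.ExecName, "/*?[{")` that rejects the policy, either in the CRD validation or before the addRuletoMap call, keeps the generated glob to exactly one path component. It is also worth a comment that ExecName takes precedence and Path is ignored when both are set, e.g. `// ExecName wins over Path: the rule matches the executable by basename in any directory`.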
@@ -115,11 +115,14 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 			}
 			if len(path.FromSource) == 0 {
 				var key InnerKey
-				copy(key.Path[:], []byte(path.Path))
+				if len(path.ExecName) > 0 {
+					copy(key.Path[:], []byte(path.ExecName))
+				} else {
+					copy(key.Path[:], []byte(path.Path))
+				}
 				if path.Action == "Allow" {
 					newrules.ProcWhiteListPosture = true
 					newrules.ProcessRuleList[key] = val
-
 				} else if path.Action == "Block" {
 					val[PROCESS] = val[PROCESS] | DENY
 					newrules.ProcessRuleList[key] = val
@@ -127,12 +130,14 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 			} else {
 				for _, src := range path.FromSource {
 					var key InnerKey
-					copy(key.Path[:], []byte(path.Path))
+					if len(path.ExecName) > 0 {
+						copy(key.Path[:], []byte(path.ExecName))
+					} else {
+						copy(key.Path[:], []byte(path.Path))
+					}
 					copy(key.Source[:], []byte(src.Path))
 					if path.Action == "Allow" {
-
 						newrules.ProcWhiteListPosture = true
-
 						newrules.ProcessRuleList[key] = val
 					} else if path.Action == "Block" {
 						val[PROCESS] = val[PROCESS] | DENY
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index ee0202ef6c..2a923956fa 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -87,8 +87,13 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Message = ppt.Message
 
 		match.Operation = "Process"
-		match.Resource = ppt.Path
-		match.ResourceType = "Path"
+		if len(ppt.ExecName) > 0 {
+			match.Resource = ppt.ExecName
+			match.ResourceType = "ExecName"
+		} else {
+			match.Resource = ppt.Path
+			match.ResourceType = "Path"
+		}
 		match.OwnerOnly = ppt.OwnerOnly
 
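Review bot: In the hunk at -115,11, `copy(key.Path[:], []byte(path.ExecName))` stores a bare executable name in the same fixed-size `key.Path` field that otherwise holds an absolute path, and nothing in the key records which of the two it is; whether the BPF program resolves a basename against such a key is outside this diff, so if it only performs full-path lookups an ExecName rule would never fire and the policy would be silently unenforced. The hunk at -127,12 has the same construction for the FromSource branch. `copy` also truncates silently when ExecName (or Path) is longer than the array, so an over-long name would be enforced as a different, shorter one; a length check against `len(key.Path)` that logs and skips the rule would make that visible. A short comment at the copy, e.g. `// key.Path holds either an absolute path or, when ExecName is set, a bare executable name; the BPF side must match the latter on the final path component`, would document the contract for the kernel-side reader.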
@@ -1023,6 +1028,8 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 				procMatch := secPolicy.Regexp.MatchString(log.ProcessName) // pattern (secPolicy.Resource) -> string (log.Resource)
 				matchedRegex = fileMatch || procMatch
 			}
+		case "ExecName":
+			matchedRegex = strings.HasSuffix(log.ProcessName, "/"+secPolicy.Resource) // processpath = */execname
 		}
 
 		// match resources
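Review bot: The suffix match in the new `case "ExecName":` interprets ExecName differently from the two enforcers: the AppArmor profile matches it as the glob `/**/<name>` and the BPF rule key stores it verbatim, so an ExecName containing `/` or glob characters can yield a log entry that reports a policy match the enforcer never applied, or the reverse. Rejecting such values at policy validation (not visible here) would keep the three interpretations aligned; if that is already done, a comment here saves the next reader the check, e.g. `// ExecName is a bare file name: match the last path component of the process path`. UpdateMatchedPolicy starts and ends outside the hunk.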