consider default posture when atleast one allow policy OR from source…

… allow policy Signed-off-by: daemon1024 <[email protected]>
kubearmor · Mar 2, 2022 · a3ce1d4 · a3ce1d4
1 parent 8f92a2c
commit a3ce1d4
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
@@ -816,17 +816,22 @@ func (ae *AppArmorEnforcer) GenerateProfileHead(processWhiteList, fileWhiteList,
 	profileHead := "  #include <abstractions/base>\n"
 	profileHead = profileHead + "  umount,\n"
 
-	if len(processWhiteList) > 0 || len(fileWhiteList) > 0 || (!file && cfg.GlobalCfg.DefaultFilePosture == "block") {
+	// Block Access to Resource when
+	// -> Default Posture is Block
+	// AND
+	// -> Atleast one allow policy OR from source allow policy
+
+	if cfg.GlobalCfg.DefaultFilePosture == "block" && ((len(processWhiteList) > 0 || len(fileWhiteList) > 0) || !file) {
 	} else {
 		profileHead = profileHead + "  file,\n"
 	}
 
-	if len(networkWhiteList) > 0 || (!network && cfg.GlobalCfg.DefaultNetworkPosture == "block") {
+	if cfg.GlobalCfg.DefaultNetworkPosture == "block" && (len(networkWhiteList) > 0 || !network) {
 	} else {
 		profileHead = profileHead + "  network,\n"
 	}
 
-	if len(capabilityWhiteList) > 0 && (!capability && cfg.GlobalCfg.DefaultCapabilitiesPosture == "block") {
+	if cfg.GlobalCfg.DefaultCapabilitiesPosture == "block" && (len(capabilityWhiteList) > 0 || !capability) {
 	} else {
 		profileHead = profileHead + "  capability,\n"
 	}

diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
@@ -874,7 +874,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 					}
 
 					if !matched {
-						if secPolicy.IsFromSource && secPolicy.Action == "Allow" {
+						if secPolicy.Action == "Allow" {
 							considerFilePosture = true
 						}
 					}
@@ -900,7 +900,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 							continue
 						}
 					}
-					if secPolicy.IsFromSource && secPolicy.Action == "Allow" {
+					if secPolicy.Action == "Allow" {
 						considerNetworkPosture = true
 					}
 				}
@@ -1051,7 +1051,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 					return log
 				}
 			} else if log.Operation == "Capabilities" {
-				if setLogFields(cfg.GlobalCfg.DefaultCapabilitiesPosture, log.CapabilitiesVisibilityEnabled, &log, true) {
+				if setLogFields(cfg.GlobalCfg.DefaultCapabilitiesPosture, log.CapabilitiesVisibilityEnabled, &log, false) {
 					return log
 				}
 			}