enforcer

package

v0.0.0-...-9ce5979 Latest Latest Go to latest Published: Jun 20, 2024 License: Apache-2.0 Imports: 20 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubearmor/KubeArmor

Links

Open Source Insights

Documentation ¶

Overview ¶

Package enforcer is responsible for setting up and handling policy updates for supported enforcers including AppArmor, SELinux and BPFLSM

Index ¶

Constants
type AppArmorEnforcer
- func NewAppArmorEnforcer(node tp.Node, logger *fd.Feeder) *AppArmorEnforcer
type FromSourceConfig
type Profile
- func (p *Profile) Init()
type ProfileHeader
- func (h *ProfileHeader) Init()
type RuleConfig
type Rules
- func (r *Rules) Init()
type RuntimeEnforcer
- func NewRuntimeEnforcer(node tp.Node, pinpath string, logger *fd.Feeder, monitor *mon.SystemMonitor) *RuntimeEnforcer
type SELinuxEnforcer
- func NewSELinuxEnforcer(node tp.Node, logger *fd.Feeder) *SELinuxEnforcer

Constants ¶

View Source

const (
	AppArmorDefaultPreStart = `

#include <abstractions/base>
umount,
file,
network,
capability,

`
	AppArmorPrivilegedPreStart = AppArmorDefaultPreStart +
		`

## == For privileged workloads == ##
mount,
signal,
unix,
ptrace,

`

	AppArmorPrivilegedPostStart = `` /* 410-byte string literal not displayed */

	AppArmorDefaultPostStart = AppArmorPrivilegedPostStart +
		`

deny mount,

`
)

View Source

const BaseTemplate = `` /* 6564-byte string literal not displayed */

BaseTemplate for AppArmor profiles

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type AppArmorEnforcer ¶

type AppArmorEnforcer struct {
	// logs
	Logger *fd.Feeder

	// default profile
	ApparmorDefault string
	// default privileged profile
	ApparmorDefaultPrivileged string

	// host profile
	HostProfile string

	// profiles for containers
	AppArmorProfiles     map[string][]string
	AppArmorProfilesLock *sync.RWMutex

	// to keep track of privileged profiles for clean deletion
	AppArmorPrivilegedProfiles     map[string]struct{}
	AppArmorPrivilegedProfilesLock *sync.RWMutex
	// contains filtered or unexported fields
}

AppArmorEnforcer Structure

func NewAppArmorEnforcer ¶

func NewAppArmorEnforcer(node tp.Node, logger *fd.Feeder) *AppArmorEnforcer

NewAppArmorEnforcer Function

func (*AppArmorEnforcer) AllowedHostCapabilitiesMatchCapabilities ¶

func (ae *AppArmorEnforcer) AllowedHostCapabilitiesMatchCapabilities(cap tp.CapabilitiesCapabilityType, fromSources map[string][]string)

AllowedHostCapabilitiesMatchCapabilities Function

func (*AppArmorEnforcer) AllowedHostFileMatchDirectories ¶

func (ae *AppArmorEnforcer) AllowedHostFileMatchDirectories(dir tp.FileDirectoryType, fromSources map[string][]string)

AllowedHostFileMatchDirectories Function

func (*AppArmorEnforcer) AllowedHostFileMatchPaths ¶

func (ae *AppArmorEnforcer) AllowedHostFileMatchPaths(path tp.FilePathType, fromSources map[string][]string)

AllowedHostFileMatchPaths Function

func (*AppArmorEnforcer) AllowedHostNetworkMatchProtocols ¶

func (ae *AppArmorEnforcer) AllowedHostNetworkMatchProtocols(proto tp.NetworkProtocolType, fromSources map[string][]string)

AllowedHostNetworkMatchProtocols Function

func (*AppArmorEnforcer) AllowedHostProcessMatchDirectories ¶

func (ae *AppArmorEnforcer) AllowedHostProcessMatchDirectories(dir tp.ProcessDirectoryType, fromSources map[string][]string)

AllowedHostProcessMatchDirectories Function

func (*AppArmorEnforcer) AllowedHostProcessMatchPaths ¶

func (ae *AppArmorEnforcer) AllowedHostProcessMatchPaths(path tp.ProcessPathType, fromSources map[string][]string)

AllowedHostProcessMatchPaths Function

func (*AppArmorEnforcer) BlockedHostCapabilitiesMatchCapabilities ¶

func (ae *AppArmorEnforcer) BlockedHostCapabilitiesMatchCapabilities(cap tp.CapabilitiesCapabilityType, fromSources map[string][]string)

BlockedHostCapabilitiesMatchCapabilities Function

func (*AppArmorEnforcer) BlockedHostFileMatchDirectories ¶

func (ae *AppArmorEnforcer) BlockedHostFileMatchDirectories(dir tp.FileDirectoryType, fileBlackList *[]string, fromSources map[string][]string)

BlockedHostFileMatchDirectories Function

func (*AppArmorEnforcer) BlockedHostFileMatchPaths ¶

func (ae *AppArmorEnforcer) BlockedHostFileMatchPaths(path tp.FilePathType, fileBlackList *[]string, fromSources map[string][]string)

BlockedHostFileMatchPaths Function

func (*AppArmorEnforcer) BlockedHostFileMatchPatterns ¶

func (ae *AppArmorEnforcer) BlockedHostFileMatchPatterns(pat tp.FilePatternType, fileBlackList *[]string)

BlockedHostFileMatchPatterns Function

func (*AppArmorEnforcer) BlockedHostNetworkMatchProtocols ¶

func (ae *AppArmorEnforcer) BlockedHostNetworkMatchProtocols(proto tp.NetworkProtocolType, fromSources map[string][]string)

BlockedHostNetworkMatchProtocols Function

func (*AppArmorEnforcer) BlockedHostProcessMatchDirectories ¶

func (ae *AppArmorEnforcer) BlockedHostProcessMatchDirectories(dir tp.ProcessDirectoryType, processBlackList *[]string, fromSources map[string][]string)

BlockedHostProcessMatchDirectories Function

func (*AppArmorEnforcer) BlockedHostProcessMatchPaths ¶

func (ae *AppArmorEnforcer) BlockedHostProcessMatchPaths(path tp.ProcessPathType, processBlackList *[]string, fromSources map[string][]string)

BlockedHostProcessMatchPaths Function

func (*AppArmorEnforcer) BlockedHostProcessMatchPatterns ¶

func (ae *AppArmorEnforcer) BlockedHostProcessMatchPatterns(pat tp.ProcessPatternType, processBlackList *[]string)

BlockedHostProcessMatchPatterns Function

func (*AppArmorEnforcer) ClearKubeArmorHostFile ¶

func (ae *AppArmorEnforcer) ClearKubeArmorHostFile(fileName string)

ClearKubeArmorHostFile Function

func (*AppArmorEnforcer) CreateAppArmorHostProfile ¶

func (ae *AppArmorEnforcer) CreateAppArmorHostProfile() error

CreateAppArmorHostProfile Function

func (*AppArmorEnforcer) DestroyAppArmorEnforcer ¶

func (ae *AppArmorEnforcer) DestroyAppArmorEnforcer() error

DestroyAppArmorEnforcer Function

func (*AppArmorEnforcer) GenerateAppArmorHostProfile ¶

func (ae *AppArmorEnforcer) GenerateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy, defaultPosture tp.DefaultPosture) (int, string, bool)

GenerateAppArmorHostProfile Function

func (*AppArmorEnforcer) GenerateAppArmorProfile ¶

func (ae *AppArmorEnforcer) GenerateAppArmorProfile(appArmorProfile string, securityPolicies []tp.SecurityPolicy, defaultPosture tp.DefaultPosture, privileged bool) (int, string, bool)

GenerateAppArmorProfile Function

func (*AppArmorEnforcer) GenerateHostProfileBody ¶

func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSecurityPolicy, defaultPosture tp.DefaultPosture) (int, string)

GenerateHostProfileBody Function

func (*AppArmorEnforcer) GenerateHostProfileFoot ¶

func (ae *AppArmorEnforcer) GenerateHostProfileFoot() string

GenerateHostProfileFoot Function

func (*AppArmorEnforcer) GenerateHostProfileHead ¶

func (ae *AppArmorEnforcer) GenerateHostProfileHead() string

GenerateHostProfileHead Function

func (*AppArmorEnforcer) GenerateProfileBody ¶

func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPolicy, defaultPosture tp.DefaultPosture, privileged bool) (int, Profile)

GenerateProfileBody Function

func (*AppArmorEnforcer) RegisterAppArmorHostProfile ¶

func (ae *AppArmorEnforcer) RegisterAppArmorHostProfile() bool

RegisterAppArmorHostProfile Function

func (*AppArmorEnforcer) RegisterAppArmorProfile ¶

func (ae *AppArmorEnforcer) RegisterAppArmorProfile(podName, profileName string, privileged bool) bool

RegisterAppArmorProfile Function

func (*AppArmorEnforcer) ResolvedProcessWhiteListConflicts ¶

func (ae *AppArmorEnforcer) ResolvedProcessWhiteListConflicts(prof *Profile)

ResolvedProcessWhiteListConflicts Function

func (*AppArmorEnforcer) SetCapabilitiesMatchCapabilities ¶

func (ae *AppArmorEnforcer) SetCapabilitiesMatchCapabilities(cap tp.CapabilitiesCapabilityType, prof *Profile, deny bool, head bool)

SetCapabilitiesMatchCapabilities Function

func (*AppArmorEnforcer) SetFileMatchDirectories ¶

func (ae *AppArmorEnforcer) SetFileMatchDirectories(dir tp.FileDirectoryType, prof *Profile, deny bool, head bool)

SetFileMatchDirectories Function

func (*AppArmorEnforcer) SetFileMatchPaths ¶

func (ae *AppArmorEnforcer) SetFileMatchPaths(path tp.FilePathType, prof *Profile, deny bool, head bool)

SetFileMatchPaths Function

func (*AppArmorEnforcer) SetFileMatchPatterns ¶

func (ae *AppArmorEnforcer) SetFileMatchPatterns(pat tp.FilePatternType, prof *Profile, deny bool, head bool)

SetFileMatchPatterns Function

func (*AppArmorEnforcer) SetNetworkMatchProtocols ¶

func (ae *AppArmorEnforcer) SetNetworkMatchProtocols(proto tp.NetworkProtocolType, prof *Profile, deny bool, head bool)

SetNetworkMatchProtocols Function

func (*AppArmorEnforcer) SetProcessMatchDirectories ¶

func (ae *AppArmorEnforcer) SetProcessMatchDirectories(dir tp.ProcessDirectoryType, prof *Profile, deny bool, head bool)

SetProcessMatchDirectories Function

func (*AppArmorEnforcer) SetProcessMatchPaths ¶

func (ae *AppArmorEnforcer) SetProcessMatchPaths(path tp.ProcessPathType, prof *Profile, deny bool, head bool)

SetProcessMatchPaths Function

func (*AppArmorEnforcer) SetProcessMatchPatterns ¶

func (ae *AppArmorEnforcer) SetProcessMatchPatterns(pat tp.ProcessPatternType, prof *Profile, deny bool, head bool)

SetProcessMatchPatterns Function

func (*AppArmorEnforcer) UnregisterAppArmorHostProfile ¶

func (ae *AppArmorEnforcer) UnregisterAppArmorHostProfile() bool

UnregisterAppArmorHostProfile Function

func (*AppArmorEnforcer) UnregisterAppArmorProfile ¶

func (ae *AppArmorEnforcer) UnregisterAppArmorProfile(podName, profileName string, privileged bool) bool

UnregisterAppArmorProfile Function

func (*AppArmorEnforcer) UpdateAppArmorHostProfile ¶

func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy)

UpdateAppArmorHostProfile Function

func (*AppArmorEnforcer) UpdateAppArmorProfile ¶

func (ae *AppArmorEnforcer) UpdateAppArmorProfile(endPoint tp.EndPoint, appArmorProfile string, securityPolicies []tp.SecurityPolicy)

UpdateAppArmorProfile Function

func (*AppArmorEnforcer) UpdateHostSecurityPolicies ¶

func (ae *AppArmorEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)

UpdateHostSecurityPolicies Function

func (*AppArmorEnforcer) UpdateSecurityPolicies ¶

func (ae *AppArmorEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint)

UpdateSecurityPolicies Function

type FromSourceConfig ¶

type FromSourceConfig struct {
	Fusion bool
	ProfileHeader
	Rules
}

FromSourceConfig has details for individual from source subprofiles

type Profile ¶

type Profile struct {
	Name string
	ProfileHeader
	Rules
	FromSource  map[string]FromSourceConfig
	NativeRules []string
}

Profile header has all the details for a new AppArmor profile

func (*Profile) Init ¶

func (p *Profile) Init()

Init initialises elements Profike Structure

type ProfileHeader ¶

type ProfileHeader struct {
	File, Network, Capabilities, Privileged bool
}

ProfileHeader contain sAppArmor Profile/SubProfile header config

func (*ProfileHeader) Init ¶

func (h *ProfileHeader) Init()

Init sets the presence of Entity headers to true by default

type RuleConfig ¶

type RuleConfig struct {
	Dir, Recursive, ReadOnly, OwnerOnly, Deny, Allow bool
}

RuleConfig contains details for individual apparmor rules

type Rules ¶

type Rules struct {
	FilePaths         map[string]RuleConfig
	ProcessPaths      map[string]RuleConfig
	NetworkRules      map[string]RuleConfig
	CapabilitiesRules map[string]RuleConfig
}

Rules contains configuration for the AppArmor Profile/SubProfile Body

func (*Rules) Init ¶

func (r *Rules) Init()

Init initialises elements Rule Structure

type RuntimeEnforcer ¶

type RuntimeEnforcer struct {
	// logger
	Logger *fd.Feeder

	// LSM type
	EnforcerType string
	// contains filtered or unexported fields
}

RuntimeEnforcer Structure

func NewRuntimeEnforcer ¶

func NewRuntimeEnforcer(node tp.Node, pinpath string, logger *fd.Feeder, monitor *mon.SystemMonitor) *RuntimeEnforcer

NewRuntimeEnforcer Function

func (*RuntimeEnforcer) DestroyRuntimeEnforcer ¶

func (re *RuntimeEnforcer) DestroyRuntimeEnforcer() error

DestroyRuntimeEnforcer Function

func (*RuntimeEnforcer) RegisterContainer ¶

func (re *RuntimeEnforcer) RegisterContainer(containerID string, pidns, mntns uint32)

RegisterContainer registers container identifiers to BPFEnforcer Map

func (*RuntimeEnforcer) UnregisterContainer ¶

func (re *RuntimeEnforcer) UnregisterContainer(containerID string)

UnregisterContainer removes container identifiers from BPFEnforcer Map

func (*RuntimeEnforcer) UpdateAppArmorProfiles ¶

func (re *RuntimeEnforcer) UpdateAppArmorProfiles(podName string, action string, profiles map[string]string, privilegedProfiles map[string]struct{})

UpdateAppArmorProfiles Function

func (*RuntimeEnforcer) UpdateHostSecurityPolicies ¶

func (re *RuntimeEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)

UpdateHostSecurityPolicies Function

func (*RuntimeEnforcer) UpdateSecurityPolicies ¶

func (re *RuntimeEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint)

UpdateSecurityPolicies Function

type SELinuxEnforcer ¶

type SELinuxEnforcer struct {
	// logs
	Logger *fd.Feeder

	// policy enforcer
	SELinuxTemplatePath string

	// host profile
	HostProfile         string
	SELinuxProfilesLock *sync.Mutex
}

SELinuxEnforcer Structure

func NewSELinuxEnforcer ¶

func NewSELinuxEnforcer(node tp.Node, logger *fd.Feeder) *SELinuxEnforcer

NewSELinuxEnforcer Function

func (*SELinuxEnforcer) AllowedHostFileMatchDirectories ¶

func (se *SELinuxEnforcer) AllowedHostFileMatchDirectories(dir tp.FileDirectoryType, fromSources map[string][]tp.SELinuxRule)

AllowedHostFileMatchDirectories Function

func (*SELinuxEnforcer) AllowedHostFileMatchPaths ¶

func (se *SELinuxEnforcer) AllowedHostFileMatchPaths(path tp.FilePathType, fromSources map[string][]tp.SELinuxRule)

AllowedHostFileMatchPaths Function

func (*SELinuxEnforcer) AllowedHostNetworkMatchProtocols ¶

func (se *SELinuxEnforcer) AllowedHostNetworkMatchProtocols(proto tp.NetworkProtocolType, networkFromSources map[string]string)

AllowedHostNetworkMatchProtocols Function

func (*SELinuxEnforcer) AllowedHostProcessMatchDirectories ¶

func (se *SELinuxEnforcer) AllowedHostProcessMatchDirectories(dir tp.ProcessDirectoryType, fromSources map[string][]tp.SELinuxRule)

AllowedHostProcessMatchDirectories Function

func (*SELinuxEnforcer) AllowedHostProcessMatchPaths ¶

func (se *SELinuxEnforcer) AllowedHostProcessMatchPaths(path tp.ProcessPathType, fromSources map[string][]tp.SELinuxRule)

AllowedHostProcessMatchPaths Function

func (*SELinuxEnforcer) BlockedHostFileMatchDirectories ¶

func (se *SELinuxEnforcer) BlockedHostFileMatchDirectories(dir tp.FileDirectoryType, fileBlackList *[]tp.SELinuxRule, fromSources map[string][]tp.SELinuxRule)

BlockedHostFileMatchDirectories Function

func (*SELinuxEnforcer) BlockedHostFileMatchPaths ¶

func (se *SELinuxEnforcer) BlockedHostFileMatchPaths(path tp.FilePathType, fileBlackList *[]tp.SELinuxRule, fromSources map[string][]tp.SELinuxRule)

BlockedHostFileMatchPaths Function

func (*SELinuxEnforcer) BlockedHostNetworkMatchProtocols ¶

func (se *SELinuxEnforcer) BlockedHostNetworkMatchProtocols(proto tp.NetworkProtocolType, networkFromSources map[string]string)

BlockedHostNetworkMatchProtocols Function

func (*SELinuxEnforcer) BlockedHostProcessMatchDirectories ¶

func (se *SELinuxEnforcer) BlockedHostProcessMatchDirectories(dir tp.ProcessDirectoryType, processBlackList *[]tp.SELinuxRule, fromSources map[string][]tp.SELinuxRule)

BlockedHostProcessMatchDirectories Function

func (*SELinuxEnforcer) BlockedHostProcessMatchPaths ¶

func (se *SELinuxEnforcer) BlockedHostProcessMatchPaths(path tp.ProcessPathType, processBlackList *[]tp.SELinuxRule, fromSources map[string][]tp.SELinuxRule)

BlockedHostProcessMatchPaths Function

func (*SELinuxEnforcer) ContainsElement ¶

func (se *SELinuxEnforcer) ContainsElement(rules []tp.SELinuxRule, newRule tp.SELinuxRule) bool

ContainsElement Function

func (*SELinuxEnforcer) DestroySELinuxEnforcer ¶

func (se *SELinuxEnforcer) DestroySELinuxEnforcer() error

DestroySELinuxEnforcer Function

func (*SELinuxEnforcer) GenerateSELinuxHostProfile ¶

func (se *SELinuxEnforcer) GenerateSELinuxHostProfile(securityPolicies []tp.HostSecurityPolicy, defaultPosture tp.DefaultPosture) (int, string, bool)

GenerateSELinuxHostProfile Function

func (*SELinuxEnforcer) InstallSELinuxModulesIfNeeded ¶

func (se *SELinuxEnforcer) InstallSELinuxModulesIfNeeded() bool

InstallSELinuxModulesIfNeeded Function

func (*SELinuxEnforcer) RegisterSELinuxHostProfile ¶

func (se *SELinuxEnforcer) RegisterSELinuxHostProfile() bool

RegisterSELinuxHostProfile Function

func (*SELinuxEnforcer) RestoreSELinuxLabels ¶

func (se *SELinuxEnforcer) RestoreSELinuxLabels(profilePath string) bool

RestoreSELinuxLabels Function

func (*SELinuxEnforcer) UnregisterSELinuxHostProfile ¶

func (se *SELinuxEnforcer) UnregisterSELinuxHostProfile() bool

UnregisterSELinuxHostProfile Function

func (*SELinuxEnforcer) UpdateHostSecurityPolicies ¶

func (se *SELinuxEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)

UpdateHostSecurityPolicies Function

func (*SELinuxEnforcer) UpdateSELinuxHostProfile ¶

func (se *SELinuxEnforcer) UpdateSELinuxHostProfile(secPolicies []tp.HostSecurityPolicy)

UpdateSELinuxHostProfile Function

func (*SELinuxEnforcer) UpdateSELinuxLabels ¶

func (se *SELinuxEnforcer) UpdateSELinuxLabels(profilePath string) bool

UpdateSELinuxLabels Function

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
bpflsm Package bpflsm is responsible for setting/cleaning up objects for BPF LSM enforcer and handle updates for the same	Package bpflsm is responsible for setting/cleaning up objects for BPF LSM enforcer and handle updates for the same

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL