

Merge pull request #134 from bytedance/support-socket-enforcement
feat: Support socket enforcement
Danny-Wei authored Nov 29, 2024
2 parents 8861692 + d1c2252 commit 8f09da1
Showing 24 changed files with 704 additions and 115 deletions.
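--- a/apis/varmor/v1beta1/armorprofile_types.go
+++ b/apis/varmor/v1beta1/armorprofile_types.go
@@ -41,12 +41,23 @@ type FileContent struct {
 Pattern PathPattern `json:"pattern"`
 }
 
+type NetworkAddress struct {
+IP string `json:"ip,omitempty"`
+CIDR string `json:"cidr,omitempty"`
+Port uint32 `json:"port,omitempty"`
+}
+
+type NetworkSocket struct {
+Domains uint64 `json:"domains,omitempty"`
+Types uint64 `json:"types,omitempty"`
+Protocols uint64 `json:"protocols,omitempty"`
+}
+
 type NetworkContent struct {
-Mode uint32 `json:"mode,omitempty"`
-Flags uint32 `json:"flags"`
-Address string `json:"address,omitempty"`
-CIDR string `json:"cidr,omitempty"`
-Port uint32 `json:"port,omitempty"`
+Mode uint32 `json:"mode,omitempty"`
+Flags uint32 `json:"flags"`
+Socket *NetworkSocket `json:"socket,omitempty"`
+Address *NetworkAddress `json:"address,omitempty"`
 }
 
 type PtraceContent struct {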
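Review bot: NetworkSocket's Domains, Types and Protocols are bare uint64 fields with no comment on what their bits encode, and NetworkAddress.Port is a uint32 with nothing bounding it to the 16-bit port range — the regenerated CRDs in this commit carry only `format: int32` for it. ArmorProfile is the object the enforcer consumes, so anyone touching the encoder or the enforcement side has to reconstruct the layout from elsewhere; a comment on each field such as `// Domains is a bitmask over the socket(2) address families accepted by NetworkSocketRule.Domains — TODO document the bit assignment.` would fix that (the actual bit assignment is not visible in this hunk). If controller-gen markers are in use in this package, `// +kubebuilder:validation:Maximum=65535` on Port would reject out-of-range values at admission instead of leaving it to the enforcer. The FileContent struct whose closing brace opens the hunk starts outside it.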
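--- a/apis/varmor/v1beta1/varmorpolicy_types.go
+++ b/apis/varmor/v1beta1/varmorpolicy_types.go
@@ -73,9 +73,36 @@ type NetworkEgressRule struct {
 Port int `json:"port,omitempty"`
 }
 
+type NetworkSocketRule struct {
+// Domains specifies the communication domains of socket.
+//
+// Available values:
+// *, all, unix, inet, ax25, ipx, appletalk, netrom, bridge, atmpvc, x25,
+// inet6, rose, netbeui, security, key, netlink, packet, ash, econet, atmsvc,
+// rds, sna, irda, pppox, wanpipe, llc, ib, mpls, can, tipc, bluetooth, iucv,
+// rxrpc, isdn, phonet, ieee802154, caif, alg, nfc, vsock, kcm, qipcrtr, smc,
+// xdp, mctp
+//
+Domains []string `json:"domains,omitempty"`
+// Types specifies the communication semantics of socket. Note that the types field and protocols field
+// are mutually exclusive.
+//
+// Available values: *, all, stream, dgram, raw, rdm, seqpacket, dccp, packet
+//
+Types []string `json:"types,omitempty"`
+// Protocols specifies the particular protocols to be used with the socket. Note that the protocols field
+// and types field are mutually exclusive.
+//
+// Available values: *, all, icmp, tcp, udp
+//
+Protocols []string `json:"protocols,omitempty"`
+}
+
 type NetworkRule struct {
+// Sockets are the list of socket rules to restrict all socket(2) operations.
+Sockets []NetworkSocketRule `json:"sockets,omitempty"`
 // Egresses are the list of egress rules to be applied to restrict particular IPs and ports.
-Egresses []NetworkEgressRule `json:"egresses"`
+Egresses []NetworkEgressRule `json:"egresses,omitempty"`
 }
 
 type PtraceRule struct {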
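Review bot: The doc comments on NetworkSocketRule.Types and Protocols declare the two fields mutually exclusive, but nothing in this commit enforces it — the regenerated CRDs below only describe the fields, so a policy setting both is admitted and the result depends on whatever the profile generator does with the pair. If controller-gen's CEL support is available, `// +kubebuilder:validation:XValidation:rule="!(has(self.types) && has(self.protocols))",message="types and protocols are mutually exclusive"` on the struct would reject it at admission; otherwise the check belongs in the policy controller before the ArmorProfile is built. Dropping `required` from egresses is the right call now that sockets exists, but it also admits an empty NetworkRule, which may be worth rejecting the same way. The Sockets comment should also say what a match does — e.g. `// Sockets are the list of socket rules; a socket(2) call matching any rule is denied.` — assuming that is the enforcement semantics, which this hunk does not show.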
81 changes: 80 additions & 1 deletion apis/varmor/v1beta1/zz_generated.deepcopy.go


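--- a/config/crds/crd.varmor.org_armorprofilemodels.yaml
+++ b/config/crds/crd.varmor.org_armorprofilemodels.yaml
@@ -217,18 +217,33 @@ spec:
 items:
 properties:
 address:
-type: string
-cidr:
-type: string
+properties:
+cidr:
+type: string
+ip:
+type: string
+port:
+format: int32
+type: integer
+type: object
 flags:
 format: int32
 type: integer
 mode:
 format: int32
 type: integer
-port:
-format: int32
-type: integer
+socket:
+properties:
+domains:
+format: int64
+type: integer
+protocols:
+format: int64
+type: integer
+types:
+format: int64
+type: integer
+type: object
 required:
 - flags
 type: object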
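--- a/config/crds/crd.varmor.org_armorprofiles.yaml
+++ b/config/crds/crd.varmor.org_armorprofiles.yaml
@@ -144,18 +144,33 @@ spec:
 items:
 properties:
 address:
-type: string
-cidr:
-type: string
+properties:
+cidr:
+type: string
+ip:
+type: string
+port:
+format: int32
+type: integer
+type: object
 flags:
 format: int32
 type: integer
 mode:
 format: int32
 type: integer
-port:
-format: int32
-type: integer
+socket:
+properties:
+domains:
+format: int64
+type: integer
+protocols:
+format: int64
+type: integer
+types:
+format: int64
+type: integer
+type: object
 required:
 - flags
 type: object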
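--- a/config/crds/crd.varmor.org_varmorclusterpolicies.yaml
+++ b/config/crds/crd.varmor.org_varmorclusterpolicies.yaml
@@ -196,8 +196,44 @@ spec:
 type: integer
 type: object
 type: array
-required:
-- egresses
+sockets:
+description: Sockets are the list of socket rules
+to restrict all socket(2) operations.
+items:
+properties:
+domains:
+description: "Domains specifies the communication
+domains of socket. \n Available values: *,
+all, unix, inet, ax25, ipx, appletalk, netrom,
+bridge, atmpvc, x25, inet6, rose, netbeui,
+security, key, netlink, packet, ash, econet,
+atmsvc, rds, sna, irda, pppox, wanpipe, llc,
+ib, mpls, can, tipc, bluetooth, iucv, rxrpc,
+isdn, phonet, ieee802154, caif, alg, nfc,
+vsock, kcm, qipcrtr, smc, xdp, mctp"
+items:
+type: string
+type: array
+protocols:
+description: "Protocols specifies the particular
+protocols to be used with the socket. Note
+that the protocols field and types field are
+mutually exclusive. \n Available values: *,
+all, icmp, tcp, udp"
+items:
+type: string
+type: array
+types:
+description: "Types specifies the communication
+semantics of socket. Note that the types field
+and protocols field are mutually exclusive.
+\n Available values: *, all, stream, dgram,
+raw, rdm, seqpacket, dccp, packet"
+items:
+type: string
+type: array
+type: object
+type: array
 type: object
 processes:
 items: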
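--- a/config/crds/crd.varmor.org_varmorpolicies.yaml
+++ b/config/crds/crd.varmor.org_varmorpolicies.yaml
@@ -195,8 +195,44 @@ spec:
 type: integer
 type: object
 type: array
-required:
-- egresses
+sockets:
+description: Sockets are the list of socket rules
+to restrict all socket(2) operations.
+items:
+properties:
+domains:
+description: "Domains specifies the communication
+domains of socket. \n Available values: *,
+all, unix, inet, ax25, ipx, appletalk, netrom,
+bridge, atmpvc, x25, inet6, rose, netbeui,
+security, key, netlink, packet, ash, econet,
+atmsvc, rds, sna, irda, pppox, wanpipe, llc,
+ib, mpls, can, tipc, bluetooth, iucv, rxrpc,
+isdn, phonet, ieee802154, caif, alg, nfc,
+vsock, kcm, qipcrtr, smc, xdp, mctp"
+items:
+type: string
+type: array
+protocols:
+description: "Protocols specifies the particular
+protocols to be used with the socket. Note
+that the protocols field and types field are
+mutually exclusive. \n Available values: *,
+all, icmp, tcp, udp"
+items:
+type: string
+type: array
+types:
+description: "Types specifies the communication
+semantics of socket. Note that the types field
+and protocols field are mutually exclusive.
+\n Available values: *, all, stream, dgram,
+raw, rdm, seqpacket, dccp, packet"
+items:
+type: string
+type: array
+type: object
+type: array
 type: object
 processes:
 items: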
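--- a/internal/policy/policy_controller.go
+++ b/internal/policy/policy_controller.go
@@ -149,7 +149,7 @@ func (c *PolicyController) handleDeleteVarmorPolicy(namespace, name string) erro
 ap, err := c.varmorInterface.ArmorProfiles(namespace).Get(context.Background(), apName, metav1.GetOptions{})
 if err != nil {
 if k8errors.IsNotFound(err) {
-logger.Error(err, "namespace", namespace, "name", apName)
+logger.V(3).Info("ArmorProfiles object is not found", "namespace", namespace, "name", apName)
 } else {
 logger.Error(err, "c.varmorInterface.ArmorProfiles().Get()")
 return err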
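Review bot: Downgrading NotFound to a V(3) message is reasonable for a delete handler, but the branch still does not return, so `ap` — nil on this error path — flows into whatever follows; handleDeleteVarmorPolicy continues outside the hunk, so I cannot see whether it is dereferenced there. If nothing after the Get needs the profile once it is already gone, an explicit `return nil` after the `logger.V(3).Info(...)` call states that intent and removes the nil-pointer risk; if later cleanup must still run, a one-line comment saying so would help the next reader. Separately, the `else` branch on the following lines both logs and returns the same error, which the caller may log again.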
