Merge pull request #78 from bytedance/policy-advisor-with-behavior-model

Policy advisor with behavior model
bytedance · May 30, 2024 · b727a54 · b727a54
2 parents 0f68b94 + ea6beb7
commit b727a54
Show file tree

Hide file tree

Showing 10 changed files with 199 additions and 56 deletions.
diff --git a/apis/varmor/v1beta1/armorprofilemodel_types.go b/apis/varmor/v1beta1/armorprofilemodel_types.go
@@ -60,7 +60,7 @@ type AppArmor struct {
 }
 
 type Seccomp struct {
-	Syscall []string `json:"syscall,omitempty"`
+	Syscalls []string `json:"syscalls,omitempty"`
 }
 
 type DynamicResult struct {

diff --git a/apis/varmor/v1beta1/zz_generated.deepcopy.go b/apis/varmor/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crds/crd.varmor.org_armorprofilemodels.yaml b/config/crds/crd.varmor.org_armorprofilemodels.yaml
@@ -133,7 +133,7 @@ spec:
                     type: object
                   seccomp:
                     properties:
-                      syscall:
+                      syscalls:
                         items:
                           type: string
                         type: array

diff --git a/internal/behavior/preprocessor/preprocessor.go b/internal/behavior/preprocessor/preprocessor.go
@@ -86,7 +86,7 @@ func NewDataPreprocessor(
 	p.behaviorData.DynamicResult.AppArmor.Ptraces = make([]varmor.Ptrace, 0)
 	p.behaviorData.DynamicResult.AppArmor.Signals = make([]varmor.Signal, 0)
 	p.behaviorData.DynamicResult.AppArmor.Unhandled = make([]string, 0)
-	p.behaviorData.DynamicResult.Seccomp.Syscall = make([]string, 0)
+	p.behaviorData.DynamicResult.Seccomp.Syscalls = make([]string, 0)
 	p.behaviorData.Namespace = namespace
 	p.behaviorData.NodeName = nodeName
 	p.behaviorData.ProfileName = name
@@ -275,7 +275,7 @@ func (p *DataPreprocessor) Process() []byte {
 
 	p.log.Info("data preprocess completed",
 		"apparmor profiles num", len(p.behaviorData.DynamicResult.AppArmor.Profiles),
-		"seccomp num", len(p.behaviorData.DynamicResult.Seccomp.Syscall))
+		"seccomp num", len(p.behaviorData.DynamicResult.Seccomp.Syscalls))
 
 	p.behaviorData.Status = varmortypes.Succeeded
 	p.behaviorData.Message = ""

diff --git a/internal/behavior/preprocessor/seccomp.go b/internal/behavior/preprocessor/seccomp.go
@@ -75,7 +75,7 @@ func (p *DataPreprocessor) parseSeccompEventForTree(event *varmortypes.SeccompLo
 	}
 
 	p.syscall[event.Syscall] = struct{}{}
-	p.behaviorData.DynamicResult.Seccomp.Syscall = append(p.behaviorData.DynamicResult.Seccomp.Syscall, event.Syscall)
+	p.behaviorData.DynamicResult.Seccomp.Syscalls = append(p.behaviorData.DynamicResult.Seccomp.Syscalls, event.Syscall)
 
 	return nil
 }
diff --git a/internal/profile/seccomp/seccomp.go b/internal/profile/seccomp/seccomp.go
@@ -51,13 +51,13 @@ func GenerateBehaviorModelingProfile() string {
 }
 
 func GenerateProfileWithBehaviorModel(dynamicResult *varmor.DynamicResult) (string, error) {
-	if len(dynamicResult.Seccomp.Syscall) == 0 {
+	if len(dynamicResult.Seccomp.Syscalls) == 0 {
 		return "", nil
 	}
 
 	syscall := specs.LinuxSyscall{
 		Action: specs.ActAllow,
-		Names:  dynamicResult.Seccomp.Syscall,
+		Names:  dynamicResult.Seccomp.Syscalls,
 	}
 
 	profile := specs.LinuxSeccomp{

diff --git a/internal/status/api/v1/data.go b/internal/status/api/v1/data.go
@@ -277,20 +277,20 @@ func mergeAppArmorResult(apm *varmor.ArmorProfileModel, data *varmortypes.Behavi
 }
 
 func mergeSeccompResult(apm *varmor.ArmorProfileModel, data *varmortypes.BehaviorData) {
-	if apm.Data.DynamicResult.Seccomp.Syscall == nil && len(apm.Data.DynamicResult.Seccomp.Syscall) != 0 {
-		apm.Data.DynamicResult.Seccomp.Syscall = make([]string, 0)
-		apm.Data.DynamicResult.Seccomp.Syscall = append(apm.Data.DynamicResult.Seccomp.Syscall, data.DynamicResult.Seccomp.Syscall...)
+	if apm.Data.DynamicResult.Seccomp.Syscalls == nil && len(apm.Data.DynamicResult.Seccomp.Syscalls) != 0 {
+		apm.Data.DynamicResult.Seccomp.Syscalls = make([]string, 0)
+		apm.Data.DynamicResult.Seccomp.Syscalls = append(apm.Data.DynamicResult.Seccomp.Syscalls, data.DynamicResult.Seccomp.Syscalls...)
 	} else {
-		for _, newSyscall := range data.DynamicResult.Seccomp.Syscall {
+		for _, newSyscall := range data.DynamicResult.Seccomp.Syscalls {
 			find := false
-			for _, syscall := range apm.Data.DynamicResult.Seccomp.Syscall {
+			for _, syscall := range apm.Data.DynamicResult.Seccomp.Syscalls {
 				if newSyscall == syscall {
 					find = true
 					break
 				}
 			}
 			if !find {
-				apm.Data.DynamicResult.Seccomp.Syscall = append(apm.Data.DynamicResult.Seccomp.Syscall, newSyscall)
+				apm.Data.DynamicResult.Seccomp.Syscalls = append(apm.Data.DynamicResult.Seccomp.Syscalls, newSyscall)
 			}
 		}
 	}

diff --git a/manifests/varmor/templates/crds/crd.varmor.org_armorprofilemodels.yaml b/manifests/varmor/templates/crds/crd.varmor.org_armorprofilemodels.yaml
@@ -133,7 +133,7 @@ spec:
                     type: object
                   seccomp:
                     properties:
-                      syscall:
+                      syscalls:
                         items:
                           type: string
                         type: array

diff --git a/tools/policy-advisor/built-in-rules.json b/tools/policy-advisor/built-in-rules.json
@@ -470,7 +470,8 @@
       "id": "disallow-create-user-ns",
       "enforcers": ["seccomp"],
       "conflicts": {
-        "features": ["dind"]
+        "features": ["dind"],
+        "syscalls": ["unshare"]
       }
     }
   ],
@@ -506,34 +507,59 @@
     },
     {
       "id": "disable-busybox",
-      "enforcers": ["apparmor", "bpf"]
+      "enforcers": ["apparmor", "bpf"],
+      "conflicts": {
+        "executions": ["busybox"]
+      }
     },
     {
       "id": "disable-shell",
-      "enforcers": ["apparmor", "bpf"]
+      "enforcers": ["apparmor", "bpf"],
+      "conflicts": {
+        "executions": ["sh", "bash", "dash"]
+      }
     },
     {
       "id": "disable-wget",
-      "enforcers": ["apparmor", "bpf"]
+      "enforcers": ["apparmor", "bpf"],
+      "conflicts": {
+        "executions": ["wget"]
+      }
     },
     {
       "id": "disable-curl",
-      "enforcers": ["apparmor", "bpf"]
+      "enforcers": ["apparmor", "bpf"],
+      "conflicts": {
+        "executions": ["curl"]
+      }
     },
     {
       "id": "disable-chmod",
-      "enforcers": ["apparmor", "bpf"]
+      "enforcers": ["apparmor", "bpf"],
+      "conflicts": {
+        "executions": ["chmod"]
+      }
     },
     {
       "id": "disable-chmod-x-bit",
       "enforcers": ["seccomp"],
       "conflicts": {
-        "syscalls": ["chmod"]
+        "syscalls": ["chmod", "fchmod", "fchmodat", "fchmodat2"]
+      }
+    },
+    {
+      "id": "disable-chmod-s-bit",
+      "enforcers": ["seccomp"],
+      "conflicts": {
+        "syscalls": ["chmod", "fchmod", "fchmodat", "fchmodat2"]
       }
     },
     {
       "id": "disable-su-sudo",
-      "enforcers": ["apparmor", "bpf"]
+      "enforcers": ["apparmor", "bpf"],
+      "conflicts": {
+        "executions": ["su", "sudo"]
+      }
     }
   ],
   "vulnerability_mitigation": [