release v0.5.9-rc2

Merge pull request #78 from bytedance/policy-advisor-with-behavior-model

Policy advisor with behavior model

release v0.5.9-rc1

Merge pull request #76 from bytedance/fix-seccomp-enforcer

fix: Append arguments if there is more than one built-in rule for a s…

release v0.5.8

What's Changed

• Added a disable-cap-all-except-net-bind-service built-in rule to comply with the Restricted Policy of the Pod Security Standards
• Deprecated the disallow-create-user-ns built-in rule of AppArmor and BPF enforcers.
• Added a policy advisor to help generate policy templates using the context information.

Full Changelog: v0.5.7...v0.5.8

release v0.5.7

What's Changed

• Added a pre-check for Seccomp enforcer
• Upgraded the base image to Debian bookworm
• Upgraded apparmor user components to 3.1
• Added a disable-chmod-x-bit built-in rule for Seccomp enforcer
• Optimized CI workflows
• Added a readinessProbe for the Agent, optimizing the startup process
• Unified log format
• Added annotations for the demos

New Contributors

• @darfux made their first contribution in #42

Full Changelog: v0.5.6...v0.5.7

release v0.5.7-rc1

Update issue templates

release v0.5.6

What's Changed

• Agent and Manager now interact through TLS.
• Add Seccomp enforcer with support for EnhanceProtect, BehaviorModeling, and DefenseInDepth modes.
• Cluster-scoped policy VarmorClusterPolicy now supports BehaviorModeling mode.
• Support for the combination of different enforcers, now able to combine the use of AppArmor, BPF, Seccomp enforcers.
• Add .spec.updateExistingWorkloads field to the policy interface, allowing users to independently control the protection switch for existing workloads.
• Enable the --restartExistWorkloads switch of Manager by default.
• Move the privileged field of the policy interface to inside .spec.policy.enhanceProtect.
• Add built-in rules: disallow-create-user-ns, runc-override-mitigation, dirty-pipe-mitigation, * disallow-mount-securityfs, disallow-access-kallsyms.
• Add CI workflows to automate the build and test processes.
• Add more demos and make them more comprehensible.
• Fix bugs.

New Contributors

• @UgOrange made their first contribution in #19
• @jonyhy96 made their first contribution in #27

Full Changelog: v0.5.5...v0.5.6

release v0.5.6-rc2

tag v0.5.6-rc2

release v0.5.6-rc

tag v0.5.6-rc

release 0.5.5

• Refactor the behavior modeling feature of the AppArmor enforcer.
• Introduce the BehaviorModeling mode to collect application behavior and generate models.
• Optimize the mount access control primitives of the BPF enforcer to address bypass issues.
• Fix the issue where abnormal nodes impact the status of policies.
• Upgrade Go to version 1.20 and build BPF programs inside containers.
• Support pulling images and charts from the Asia-Pacific Southeast region.

release 0.5.4

• Add mandatory access control primitives related to mount syscalls for the BPF enforcer.
• Introduce new built-in rules for the BPF enforcer, including disallow-mount, disallow-umount, disallow-mount-procfs, disallow-mount-cgroupfs, disallow-debug-disk-device, and disallow-mount-disk-device.
• Fine-tune partial built-in rules of the AppArmor enforcer to make them more precise and avoid unexpected behavior.
• By default, building enhanced protection rules on top of the RuntimeDefault rules.
• Improve the RuntimeDefault mode for the BPF enforcer.
• Introduce a cluster-scoped policy interface: the VarmorClusterPolicy CR.
• Improve documents.