apparmor recorder: do not include CAP_OPT_NOAUDIT events

this ensures that we do not end up with unused (sensitive) permissions in the profile
mhils · May 23, 2024 · 30c73f5 · 30c73f5
1 parent 9531a49
commit 30c73f5
Show file tree

Hide file tree

Showing 6 changed files with 9,487 additions and 9,464 deletions.
diff --git a/.typos.toml b/.typos.toml
@@ -23,7 +23,7 @@ extend-ignore-identifiers-re = []
 extend-ignore-re = [
     "(?i)aks",
     "ANDed",
-    "PT_REGS_PARM3",
+    "PT_REGS_PARM",
     "Mmaped",
     "ro",
 ]
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
@@ -37,6 +37,8 @@
 
 #define S_IFIFO 0010000
 
+#define CAP_OPT_NOAUDIT 0b10
+
 #define SOCK_RAW 3
 
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
@@ -281,6 +283,11 @@ int BPF_KPROBE(cap_capable)
         return 0;
 
     unsigned long cap = PT_REGS_PARM3(ctx);
+    unsigned long cap_opt = PT_REGS_PARM4(ctx);
+    // bpf_printk("requesting capability: cap=%i cap_opt=%i\n", cap, cap_opt);
+
+    if (cap_opt & CAP_OPT_NOAUDIT)
+        return 0;
 
     // TODO: This should be implemented like the seccomp syscalls map.
     event_data_t * event =
@@ -292,7 +299,6 @@ int BPF_KPROBE(cap_capable)
 
         event->flags = cap;
 
-        bpf_printk("requesting capability: %i\n", cap);
         bpf_ringbuf_submit(event, 0);
     }
 

diff --git a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
@@ -129,7 +129,7 @@ func (b *AppArmorRecorder) handleFileEvent(fileEvent *bpfEvent) {
 
 	fileName := fileDataToString(&fileEvent.Data)
 
-	log.Printf("File access: %s, flags=%d\n", fileName, fileEvent.Flags)
+	log.Printf("File access: %s, flags=%d pid=%d mntns=%d\n", fileName, fileEvent.Flags, fileEvent.Pid, fileEvent.Mntns)
 
 	path, ok := b.recordedFiles[fileName]
 	if !ok {
@@ -169,6 +169,13 @@ func (b *AppArmorRecorder) handleCapabilityEvent(capEvent *bpfEvent) {
 			return
 		}
 	}
+
+	log.Printf(
+		"Requested capability: %s with pid=%d, mntns=%d\n",
+		capabilityToString(requestedCap),
+		capEvent.Pid,
+		capEvent.Mntns,
+	)
 	b.recordedCapabilities = append(b.recordedCapabilities, requestedCap)
 }
 
@@ -230,11 +237,7 @@ func (b *AppArmorRecorder) processExecFsEvents() BpfAppArmorFileProcessed {
 func (b *AppArmorRecorder) processCapabilities() []string {
 	ret := make([]string, 0, len(b.recordedCapabilities))
 	for _, capID := range b.recordedCapabilities {
-		val, ok := capabilities[capID]
-		if !ok {
-			val = fmt.Sprintf("CAPABILITY_%d", capID)
-		}
-		ret = append(ret, val)
+		ret = append(ret, capabilityToString(capID))
 	}
 	slices.Sort(ret)
 	return ret
@@ -303,3 +306,11 @@ var capabilities = map[int]string{
 	39: "bpf",
 	40: "checkpoint_restore",
 }
+
+func capabilityToString(capID int) string {
+	val, ok := capabilities[capID]
+	if !ok {
+		return fmt.Sprintf("CAPABILITY_%d", capID)
+	}
+	return val
+}