Merge pull request #1689 from Prateeknandle/apparmor
fix(snitch) : check Apparmor Fs & available lsms to set enforcer
daemon1024 authored Mar 15, 2024
2 parents 409cc15 + b44dada commit ac57611
Showing 2 changed files with 13 additions and 3 deletions.
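--- a/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go
+++ b/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go
@@ -8,11 +8,12 @@ import (
 "context"
 "encoding/json"
 "errors"
-"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/seccomp"
 "os"
 "path/filepath"
 "strings"
 
+"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/seccomp"
+
 "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/common"
 "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/enforcer"
 "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/k8s"
@@ -101,6 +102,9 @@ func snitch() {
 
 // Detecting enforcer
 nodeEnforcer := enforcer.DetectEnforcer(order, PathPrefix, *Logger)
+if (nodeEnforcer == "apparmor") && (enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger) == "no") {
+nodeEnforcer = "NA"
+}
 if nodeEnforcer != "NA" {
 Logger.Infof("Node enforcer is %s", nodeEnforcer)
 } else {
@@ -131,7 +135,13 @@ func snitch() {
 patchNode.Metadata.Labels[common.RandLabel] = rand.String(4)
 patchNode.Metadata.Labels[common.BTFLabel] = btfPresent
 patchNode.Metadata.Labels[common.ApparmorFsLabel] = enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger)
-patchNode.Metadata.Labels[common.SecurityFsLabel] = enforcer.CheckIfSecurityFsPresent(PathPrefix, *Logger)
 
+if nodeEnforcer == "none" {
+patchNode.Metadata.Labels[common.SecurityFsLabel] = "no"
+} else {
+patchNode.Metadata.Labels[common.SecurityFsLabel] = enforcer.CheckIfSecurityFsPresent(PathPrefix, *Logger)
+}
 
 patch, err := json.Marshal(patchNode)
 
 if err != nil {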
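Review bot: `enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger)` is now evaluated twice inside snitch(), once in the new guard after DetectEnforcer and again when filling common.ApparmorFsLabel, so the enforcer decision and the node label come from two separate stats of the same path and the second one is wasted work. Compute it once before the guard, `apparmorFs := enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger)`, test `if nodeEnforcer == "apparmor" && apparmorFs == "no" {`, and assign `apparmorFs` to the label. The new SecurityFsLabel branch also changes what that label means: with enforcer "none" it is forced to "no" even when securityfs is mounted, and a consumer of the label cannot tell that from a missing mount, so a comment such as `// SecurityFsLabel reports securityfs only when an enforcer can use it; "none" forces "no"` would record that this is intentional. It is also worth confirming that the "NA" assigned in the first guard and the "none" compared in the third hunk are both values the code outside these hunks actually produces, since the two literals read as the same state; snitch() starts and ends outside the hunks.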
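--- a/pkg/KubeArmorOperator/enforcer/enforcer.go
+++ b/pkg/KubeArmorOperator/enforcer/enforcer.go
@@ -29,7 +29,7 @@ func CheckBtfSupport(PathPrefix string, log zap.SugaredLogger) string {
 
 // CheckIfApparmorFsPresent checks if BTF is present
 func CheckIfApparmorFsPresent(PathPrefix string, log zap.SugaredLogger) string {
-path := PathPrefix + "/etc/apparmor.d"
+path := PathPrefix + "/etc/apparmor.d/tunables"
 if _, err := os.Stat(filepath.Clean(path)); err == nil {
 return "yes"
 }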
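Review bot: The doc comment directly above the signature still says the function checks whether BTF is present, which is the wording of CheckBtfSupport, and the commit leaves it wrong while changing what the function actually stats; it should read `// CheckIfApparmorFsPresent returns "yes" when <PathPrefix>/etc/apparmor.d/tunables exists on the node.` Stat-ing a directory under /etc establishes that the AppArmor userspace files are installed, not that the AppArmor LSM is enabled in the running kernel, so the comment should state which of the two callers may rely on; the new guard in snitch-cmd/main.go appears to treat a "no" as the enforcer being unavailable, which is a stronger reading than this check supports. On the new line the path is still built by string concatenation; `filepath.Join(PathPrefix, "etc/apparmor.d/tunables")` would give the same cleaned path without the separate filepath.Clean call. The function's fallthrough return is outside the hunk.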
