From b44dadac4b268edc3eb1d7ce7b072390c29c0d90 Mon Sep 17 00:00:00 2001
From: Prateek Nandle
Date: Thu, 14 Mar 2024 21:28:49 +0530
Subject: [PATCH] check Apparmor Fs & available lsms to set enforcer

Signed-off-by: Prateek Nandle
---
 pkg/KubeArmorOperator/cmd/snitch-cmd/main.go | 14 ++++++++++++--
 pkg/KubeArmorOperator/enforcer/enforcer.go   |  2 +-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go b/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go
index b7bf3f9756..2ed1af48b5 100644
--- a/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go
+++ b/pkg/KubeArmorOperator/cmd/snitch-cmd/main.go
@@ -8,11 +8,12 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/seccomp"
 	"os"
 	"path/filepath"
 	"strings"
 
+	"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/seccomp"
+
 	"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/common"
 	"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/enforcer"
 	"github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/k8s"
@@ -101,6 +102,9 @@ func snitch() {
 
 	// Detecting enforcer
 	nodeEnforcer := enforcer.DetectEnforcer(order, PathPrefix, *Logger)
+	if (nodeEnforcer == "apparmor") && (enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger) == "no") {
+		nodeEnforcer = "NA"
+	}
 	if nodeEnforcer != "NA" {
 		Logger.Infof("Node enforcer is %s", nodeEnforcer)
 	} else {
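Review bot: The new condition in the `@@ -101,6 +102,9 @@` hunk calls `enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger)` and the same probe is called again when the ApparmorFs node label is set in the `@@ -131,7 +135,13 @@` hunk, so the filesystem check (and whatever it logs) runs twice per snitch run and the two results could in principle differ. Compute it once ahead of the condition, `apparmorFs := enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger)`, test `apparmorFs == "no"` here and assign `apparmorFs` to the label below. The parentheses in `if (nodeEnforcer == "apparmor") && (...)` are not idiomatic Go and can be dropped. snitch() starts and ends outside this hunk.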
@@ -131,7 +135,13 @@ func snitch() {
 	patchNode.Metadata.Labels[common.RandLabel] = rand.String(4)
 	patchNode.Metadata.Labels[common.BTFLabel] = btfPresent
 	patchNode.Metadata.Labels[common.ApparmorFsLabel] = enforcer.CheckIfApparmorFsPresent(PathPrefix, *Logger)
-	patchNode.Metadata.Labels[common.SecurityFsLabel] = enforcer.CheckIfSecurityFsPresent(PathPrefix, *Logger)
+
+	if nodeEnforcer == "none" {
+		patchNode.Metadata.Labels[common.SecurityFsLabel] = "no"
+	} else {
+		patchNode.Metadata.Labels[common.SecurityFsLabel] = enforcer.CheckIfSecurityFsPresent(PathPrefix, *Logger)
+	}
+
 
 	patch, err := json.Marshal(patchNode)
 	if err != nil {
diff --git a/pkg/KubeArmorOperator/enforcer/enforcer.go b/pkg/KubeArmorOperator/enforcer/enforcer.go
index a8d811c71c..8beb5b3f39 100644
--- a/pkg/KubeArmorOperator/enforcer/enforcer.go
+++ b/pkg/KubeArmorOperator/enforcer/enforcer.go
@@ -29,7 +29,7 @@ func CheckBtfSupport(PathPrefix string, log zap.SugaredLogger) string {
 
 // CheckIfApparmorFsPresent checks if BTF is present
 func CheckIfApparmorFsPresent(PathPrefix string, log zap.SugaredLogger) string {
-	path := PathPrefix + "/etc/apparmor.d"
+	path := PathPrefix + "/etc/apparmor.d/tunables"
 	if _, err := os.Stat(filepath.Clean(path)); err == nil {
 		return "yes"
 	}
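Review bot: The new `if nodeEnforcer == "none"` branch does not cover the sentinel this same commit introduces earlier in snitch(), where an AppArmor node without the apparmor.d tunables directory gets `nodeEnforcer = "NA"`; for that node the SecurityFs label is still taken from `enforcer.CheckIfSecurityFsPresent`, which may be intended but reads inconsistently next to the "none" shortcut. If both values are meant to mean "no usable LSM on this node", compare against both, `if nodeEnforcer == "none" || nodeEnforcer == "NA" {`; if only "none" should force the label to "no", a one-line comment on the branch explaining the distinction between "none" and "NA" would save the next reader the same question. Forcing the label to "no" without probing also means the label no longer reflects whether securityfs is actually mounted, so downstream consumers of common.SecurityFsLabel should be documented as reading an enforcer-derived value rather than a filesystem fact. snitch() starts and ends outside this hunk.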
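Review bot: The doc comment kept as context in the enforcer.go hunk, `// CheckIfApparmorFsPresent checks if BTF is present`, describes a different function, and with the path now narrowed to the tunables directory it is the natural place to state what the probe really proves; something like `// CheckIfApparmorFsPresent returns "yes" when <PathPrefix>/etc/apparmor.d/tunables exists on the node, i.e. the AppArmor userspace tooling appears to be installed.` Note that `os.Stat` on that path only shows the directory (or any file of that name) exists, not that the AppArmor LSM is enabled in the running kernel, so a node with the package installed but the LSM disabled still reports "yes"; the securityfs check this commit combines it with is what closes that gap, and that division of responsibility is worth a sentence in the comment. The path is built by string concatenation and then cleaned; `filepath.Join(PathPrefix, "etc", "apparmor.d", "tunables")` handles a PathPrefix with or without a trailing slash in one step. The remainder of the function, presumably including the "no" return, lies outside the hunk.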