-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate the eBPF based AppArmor recorder into the API #2296
Integrate the eBPF based AppArmor recorder into the API #2296
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀 🚀🚀
@mhils please could you review the changes and let me know if you find any issues? Thanks a lot! |
fbfe609
to
aedf168
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2296 +/- ##
==========================================
- Coverage 45.50% 42.02% -3.48%
==========================================
Files 79 110 +31
Lines 7782 15913 +8131
==========================================
+ Hits 3541 6688 +3147
- Misses 4099 8732 +4633
- Partials 142 493 +351 |
1fdeb99
to
09b6974
Compare
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
…ests passing Signed-off-by: Cosmin Cojocar <[email protected]>
…armor profile Signed-off-by: Cosmin Cojocar <[email protected]>
…bpf recording is allowed Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I12cf01cadca6cbf1d2ce6bef71bb940bbdb02557 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I1c0502d9a7972868d15b32d06ce318898686a7ab Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: Ie0a997f6038df8a1ae07e24e51bbcd8420141b72 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: If04a9d51ce9632f39b18050754d2f727b15ed39d Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I871905cabeb1e59967d931f10878d76875d062fc Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: Id3a37643fbd22f5b126234c3c765d4c89783a69d Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I4c48cc34eb61e303ab440e9426a738121dcba773 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I5e8ebed9d4b12f01d98354726870ef78308edcf7 Signed-off-by: Cosmin Cojocar <[email protected]>
09b6974
to
32e6bb9
Compare
Change-Id: I50f8a1cc8abe492ddc39d985cecab3fe3d104d7b Signed-off-by: Cosmin Cojocar <[email protected]>
As describe in the comment there are linux distributions which doesn't support BPF_LSM yet. Change-Id: I4ff79f0ce553984f7f8d07244720ddd628fc1b42 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I89d4305709d1fb1412c1494fef81c34765b0329d Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: If52e0712439d2712b0d080afac0d7a84c16b4473 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: Iccfb8cda248ee3c53174ea865d3d132822c8b7ea Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I8746528f55101b343ee909de936dce90054e6c81 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I791bd3b6fe6f62ae083f05a2084c2a7b3bed0684 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I9d3226ea76b5bf4dd038c0f1758fac0a56b5a4e2 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I3742a802c1d19808da762e3ebfa68178eef54732 Signed-off-by: Cosmin Cojocar <[email protected]>
@saschagrunert @mhils This is ready for final review. All tests finally passed. Thanks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work! Just a documentation nit, otherwise LGTM.
Change-Id: I90acd15a1766790ee0a0656277fb814c22c2b3ce Signed-off-by: Cosmin Cojocar <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
// Run binary... | ||
cmd2 := exec.Command(demobinary, "--net-tcp") | ||
cmd2 := exec.Command(demobinary, "--net-tcp", "--sleep", "30") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the added sleep here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was not enough when running the tests. Sometimes needed to run a bit longer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this because we now have a race with ProcessIDByName
? I tried hard to make things work for short-lived processes, so if there is a different reason I'd be happy to dig into things.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's the reason. It takes a bit of time to find the pid into the list. It is less than 30 seconds, but this is large enough to keep the tests consistently running.
|
||
// searching the mntns of the process started outside of spoc | ||
cmd := r.options.commandOptions.Command() | ||
if err := util.Retry(func() (err error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For seccomp, it currently works as follows if --no-proc
is passed:
- We record syscalls for all mount namespaces by binaries with the target program name.
- We merge them below in processSeccomp.
Is there a reason why we don't want to do the same for AppArmor, i.e. merge all recorded profiles?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My understanding of this flag is that the process is not started by the spoc CLI but externally and spoc will start recording the profile for it as soon as the PID comes live.
I think in the previous implementation, it was recording everything for all process running into the system until it got interrupted.
In this implementation, it will look up first the PID by command name, and then the namespace where that PID is running. This is required to retrieve the recorded information from the maps by namespace.
Now we create an apparmor profile for an entire namespace where the process is running. This is also the case for seccomp. This is not ideal, if other processes run in parallel in that namespace when the CLI is recording. The profiles will contain more stuff than expected. I think for CLI this is acceptable, since people will most likely use this feature to record profiles for a single process running into a wider system, and that process will have its own namesapce unless they will start it in an already existing namesapce.
I would argue that this feature is probably not the best option, if you want to record a profile for an entire container (e.g. form outside). In that case, I would use the in-cluster option.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think in the previous implementation, it was recording everything for all process running into the system until it got interrupted.
Not quite. The ebpf code itself checks the program name and only records events for matching processes. So yes, you would get all events for "curl", no matter from which namespace, but you would not get events from the rest of the system. This is why the seccomp implementation takes all namespaces into account (mntns is 0) with --no-proc
. I think we could do the same for AppArmor and avoid the PID race.
@saschagrunert @mhils if you are happy please could you approve? I'll follow up with e2e tests and other small fixes if needed since this got already quite large. Thanks a lot! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ccojocar, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
It integrates the eBPF based AppArmor profile recorder into the API. This will allow to record AppArmor profiles for workloads directly into the cluster in the same fashion like seccomp profiles.
Which issue(s) this PR fixes:
Does this PR have test?
Yes
Special notes for your reviewer:
I will follow up with some integration tests in a separate pull request.
Does this PR introduce a user-facing change?
cc @mhils @@milkmix_