Merge remote-tracking branch 'upstream/main' into metrics

.github/ISSUE_TEMPLATE/documentation.yml

@@ -0,0 +1,18 @@
+name: "Enhancement: Documentation"
+description: Recommend an enhancement to the vArmor documentation or website.
+title: "[Enhancement] "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        What would you like to see added to the documentation or website?
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: Describe what enhancement you'd like to see.
+      # placeholder: Tell us what you see!
+      # value: ""
+    validations:
+      required: true

.github/scripts/toolchain.sh

@@ -4,5 +4,4 @@ wget https://apt.llvm.org/llvm.sh -O /tmp/llvm.sh
 chmod +x /tmp/llvm.sh
 sudo /tmp/llvm.sh 17
 sudo ln -s $(which llvm-strip-17) /usr/local/bin/llvm-strip
-sudo apt -y install libapparmor-dev
-sudo apt install libseccomp-dev
+sudo apt -y install libapparmor-dev libseccomp-dev

.github/workflows/ci-alpha-build.yml

@@ -68,7 +68,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s_version: [ "1.20.15", "1.24.17", "1.26.14" ]
+        k8s_version: [ "1.20.15", "1.26.15", "1.30.6" ]
         os: ["ubuntu-latest" ]
     runs-on:  ${{ matrix.os }}
     env:
@@ -106,8 +106,6 @@ jobs:
               --set bpfLsmEnforcer.enabled=true \
               --set "agent.bpfRelated.volumes[0].hostPath.type=Directory,agent.bpfRelated.volumes[0].hostPath.path=/sys/fs/bpf,agent.bpfRelated.volumes[0].name=bpffs" \
               --set "agent.bpfRelated.volumes[1].hostPath.type=File,agent.bpfRelated.volumes[1].hostPath.path=/sys/kernel/btf/vmlinux,agent.bpfRelated.volumes[1].name=btf" \
-              --set "agent.bpfRelated.volumes[2].hostPath.type=Directory,agent.bpfRelated.volumes[2].hostPath.path=/run/k3s/containerd/,agent.bpfRelated.volumes[2].name=containerd" \
-              --set "agent.bpfRelated.volumes[3].hostPath.type=Directory,agent.bpfRelated.volumes[3].hostPath.path=/proc,agent.bpfRelated.volumes[3].name=procfs" \
               --set image.namespace="varmor-test" \
               --set manager.image.pullPolicy="Never" \
               --set agent.image.pullPolicy="Never" \

.github/workflows/ci-go-unit-test.yml

@@ -30,4 +30,4 @@ jobs:
       - name: Set up llvm and apparmor
         run: ./.github/scripts/toolchain.sh
       - name: Run Tests
-        run: go test -v ./...
+        run: sudo go test -v ./...

.gitignore

@@ -13,3 +13,20 @@ __pycache__
 venv
 coverage.out
 .DS_Store
+
+# website
+# Dependencies
+/website/node_modules
+/website/build
+/website/.docusaurus
+/website/.cache-loader
+
+/website/.DS_Store
+/website/.env.local
+/website/.env.development.local
+/website/.env.test.local
+/website/.env.production.local
+
+/website/npm-debug.log*
+/website/yarn-debug.log*
+/website/yarn-error.log*

Makefile

@@ -28,9 +28,6 @@ CHART_APP_VERSION_DEV := $(GIT_VERSION)
 CHART_VERSION := $(shell echo $(CHART_APP_VERSION)| sed 's/^v//')
 CHART_VERSION_DEV := $(shell echo $(CHART_APP_VERSION_DEV)| sed 's/^v//')
 
-# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.20
-
 KERNEL_RELEASE = $(shell uname -r)
 APPARMOR_ABI_NAME = kernel-$(KERNEL_RELEASE)
 
@@ -122,8 +119,8 @@ build-ebpf: ## Generate the ebpf code and lib.
 .PHONY: copy-ebpf
 copy-ebpf: ## Copy the ebpf code and lib.
 	@echo "[+] Copy the ebpf code and lib."
-	cp vArmor-ebpf/pkg/tracer/bpf_bpfel.go internal/behavior/tracer
-	cp vArmor-ebpf/pkg/tracer/bpf_bpfel.o internal/behavior/tracer
+	cp vArmor-ebpf/pkg/processtracer/bpf_bpfel.go pkg/processtracer
+	cp vArmor-ebpf/pkg/processtracer/bpf_bpfel.o pkg/processtracer
 	cp vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.go pkg/lsm/bpfenforcer
 	cp vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.o pkg/lsm/bpfenforcer
 
@@ -207,6 +204,7 @@ docker-build-classifier-amd64-dev:
 docker-build-classifier-arm64-dev:
 	@echo "[+] Build classifier-arm64 image for the development version"
 	@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE_DEV)-arm64 --platform linux/arm64 --load .
+
 docker-save-ci-dev:
 	@docker tag  $(VARMOR_IMAGE_DEV)-amd64 $(VARMOR_IMAGE_DEV)
 	@docker tag  $(CLASSIFIER_IMAGE_DEV)-amd64 $(CLASSIFIER_IMAGE_DEV)

README.ja.md

@@ -4,7 +4,7 @@
         <img src="docs/img/logo-dark.svg" alt="Logo" width="400">
     </picture>
 </div>
-<br>
+<br />
 
 ![BHArsenalUSA2024](docs/img/BlackHat-Arsenal-USA-2024.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bytedance/vArmor)](https://goreportcard.com/report/github.com/bytedance/vArmor)
@@ -42,8 +42,8 @@ vArmorは、ByteDanceのエンドポイントセキュリティ部門の**Elkeid
 
 |エンフォーサー|要件|推奨|
 |------------|--------------------------------------------|--------|
-|AppArmor    |1. Linux Kernel 4.15以上<br>2. AppArmor LSMが有効化されていること|GKE with Container-Optimized OS<br>AKS with Ubuntu 22.04 LTS<br>[VKE](https://www.volcengine.com/product/vke) with veLinux 1.0<br>Debian 10以上<br>Ubuntu 18.04.0 LTS以上<br>[veLinux 1.0](https://www.volcengine.com/docs/6396/74967)など|
-|BPF         |1. Linux Kernel 5.10以上 (x86_64)<br>2. containerd v1.6.0以上<br>3. BPF LSMが有効化されていること|EKS with Amazon Linux 2<br>GKE with Container-Optimized OS<br>[VKE](https://www.volcengine.com/product/vke) with veLinux 1.0 (with 5.10 kernel)<br>AKS with Ubuntu 22.04 LTS <sup>\*</sup><br>ACK with Alibaba Cloud Linux 3 <sup>\*</sup><br>OpenSUSE 15.4 <sup>\*</sup><br>Debian 11 <sup>\*</sup><br>Fedora 37 <br>[veLinux 1.0 with 5.10 kernel](https://www.volcengine.com/docs/6396/74967)など<br><br>* *BPF LSMの手動有効化が必要です*|
+|AppArmor    |1. Linux Kernel 4.15以上<br />2. AppArmor LSMが有効化されていること|GKE with Container-Optimized OS<br />AKS with Ubuntu 22.04 LTS<br />[VKE](https://www.volcengine.com/product/vke) with veLinux 1.0<br />Debian 10以上<br />Ubuntu 18.04.0 LTS以上<br />[veLinux 1.0](https://www.volcengine.com/docs/6396/74967)など|
+|BPF         |1. Linux Kernel 5.10以上 (x86_64)<br />2. containerd v1.6.0以上<br />3. BPF LSMが有効化されていること|EKS with Amazon Linux 2<br />GKE with Container-Optimized OS<br />[VKE](https://www.volcengine.com/product/vke) with veLinux 1.0 (with 5.10 kernel)<br />AKS with Ubuntu 22.04 LTS <sup>\*</sup><br />ACK with Alibaba Cloud Linux 3 <sup>\*</sup><br />OpenSUSE 15.4 <sup>\*</sup><br />Debian 11 <sup>\*</sup><br />Fedora 37 <br />[veLinux 1.0 with 5.10 kernel](https://www.volcengine.com/docs/6396/74967)など<br /><br />* *BPF LSMの手動有効化が必要です*|
 |Seccomp     |1. Kubernetes v1.19以上|すべてのLinuxディストリビューション|
 
 ## ポリシーモードと組み込みルール
@@ -123,7 +123,7 @@ vArmorは、eBPFプログラムを管理および操作するために[cilium/eb
 vArmorは、[Nirmata](https://nirmata.com/)によって開発された[kyverno](https://github.com/kyverno/kyverno)の一部のコードを参照しています。
 
 ## デモ
-以下は、vArmorを使用してDeploymentを強化し、CVE-2021-22555に対抗するデモンストレーションです。（エクスプロイトは[cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)から変更されています）<br>
+以下は、vArmorを使用してDeploymentを強化し、CVE-2021-22555に対抗するデモンストレーションです。（エクスプロイトは[cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)から変更されています）<br />
 ![image](test/demos/CVE-2021-22555/demo.gif)
 
 ## 404Starlink

README.md

@@ -4,7 +4,7 @@
         <img src="docs/img/logo-dark.svg" alt="Logo" width="400">
     </picture>
 </div>
-<br>
+<br />
 
 ![BHArsenalUSA2024](docs/img/BlackHat-Arsenal-USA-2024.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bytedance/vArmor)](https://goreportcard.com/report/github.com/bytedance/vArmor)
@@ -74,7 +74,7 @@ vArmor references part of the code of [kyverno](https://github.com/kyverno/kyver
 
 
 ## Demo
-Below is a demonstration of using vArmor to harden a Deployment and defend against CVE-2021-22555. (The exploit is modified from [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555))<br>
+Below is a demonstration of using vArmor to harden a Deployment and defend against CVE-2021-22555. (The exploit is modified from [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555))<br />
 ![image](test/demos/CVE-2021-22555/demo.gif)
 
 

README.zh_CN.md

@@ -4,7 +4,7 @@
         <img src="docs/img/logo-dark.svg" alt="Logo" width="400">
     </picture>
 </div>
-<br>
+<br />
 
 ![BHArsenalUSA2024](docs/img/BlackHat-Arsenal-USA-2024.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bytedance/vArmor)](https://goreportcard.com/report/github.com/bytedance/vArmor)
@@ -74,7 +74,7 @@ vArmor 在研发初期参考了 [Nirmata](https://nirmata.com/) 开发的 [kyver
 
 
 ## 演示
-下面是一个使用 vArmor 对 Deployment 进行加固，防御 CVE-2021-22555 攻击的演示（Exploit 修改自 [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)）。<br>
+下面是一个使用 vArmor 对 Deployment 进行加固，防御 CVE-2021-22555 攻击的演示（Exploit 修改自 [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)）。<br />
 ![image](test/demos/CVE-2021-22555/demo.zh_CN.gif)
 
 

apis/varmor/v1beta1/armorprofile_types.go

@@ -25,7 +25,7 @@ import (
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
 type CapabilitiesContent struct {
-	Mode         uint32 `json:"mode"`
+	Mode         uint32 `json:"mode,omitempty"`
 	Capabilities uint64 `json:"capabilities"`
 }
 
@@ -36,27 +36,27 @@ type PathPattern struct {
 }
 
 type FileContent struct {
-	Mode        uint32      `json:"mode"`
+	Mode        uint32      `json:"mode,omitempty"`
 	Permissions uint32      `json:"permissions"`
 	Pattern     PathPattern `json:"pattern"`
 }
 
 type NetworkContent struct {
-	Mode    uint32 `json:"mode"`
+	Mode    uint32 `json:"mode,omitempty"`
 	Flags   uint32 `json:"flags"`
 	Address string `json:"address,omitempty"`
 	CIDR    string `json:"cidr,omitempty"`
 	Port    uint32 `json:"port,omitempty"`
 }
 
 type PtraceContent struct {
-	Mode        uint32 `json:"mode"`
+	Mode        uint32 `json:"mode,omitempty"`
 	Permissions uint32 `json:"permissions,omitempty"`
 	Flags       uint32 `json:"flags,omitempty"`
 }
 
 type MountContent struct {
-	Mode              uint32      `json:"mode"`
+	Mode              uint32      `json:"mode,omitempty"`
 	MountFlags        uint32      `json:"mountFlags"`
 	ReverseMountflags uint32      `json:"reverseMountflags"`
 	Pattern           PathPattern `json:"pattern"`

apis/varmor/v1beta1/armorprofilemodel_types.go

@@ -64,8 +64,8 @@ type Seccomp struct {
 }
 
 type DynamicResult struct {
-	AppArmor AppArmor `json:"apparmor,omitempty"`
-	Seccomp  Seccomp  `json:"seccomp,omitempty"`
+	AppArmor *AppArmor `json:"apparmor,omitempty"`
+	Seccomp  *Seccomp  `json:"seccomp,omitempty"`
 }
 
 type StaticResult struct {

apis/varmor/v1beta1/varmorpolicy_types.go

@@ -124,11 +124,11 @@ type MountRule struct {
 }
 
 type BpfRawRules struct {
-	Files     []FileRule  `json:"files,omitempty"`
-	Processes []FileRule  `json:"processes,omitempty"`
-	Network   NetworkRule `json:"network,omitempty"`
-	Ptrace    PtraceRule  `json:"ptrace,omitempty"`
-	Mounts    []MountRule `json:"mounts,omitempty"`
+	Files     []FileRule   `json:"files,omitempty"`
+	Processes []FileRule   `json:"processes,omitempty"`
+	Network   *NetworkRule `json:"network,omitempty"`
+	Ptrace    *PtraceRule  `json:"ptrace,omitempty"`
+	Mounts    []MountRule  `json:"mounts,omitempty"`
 }
 
 type EnhanceProtect struct {
@@ -146,7 +146,7 @@ type EnhanceProtect struct {
 	AppArmorRawRules []string `json:"appArmorRawRules,omitempty"`
 	// BpfRawRules is used to set native BPF rules
 	// +optional
-	BpfRawRules BpfRawRules `json:"bpfRawRules,omitempty"`
+	BpfRawRules *BpfRawRules `json:"bpfRawRules,omitempty"`
 	// SyscallRawRules is used to set the syscalls blocklist rules with Seccomp enforcer.
 	// +optional
 	SyscallRawRules []specs.LinuxSyscall `json:"syscallRawRules,omitempty"`
@@ -160,9 +160,8 @@ type EnhanceProtect struct {
 	// +optional
 	Privileged bool `json:"privileged,omitempty"`
 	// AuditViolations determines whether to audit the actions that violate the mandatory access
-	// control rules. Currently, this feature supports only the AppArmor enforcer. Any detected
-	// violation will be logged to the system's audit file. If you are using syslog or rsyslog,
-	// the default log path is `/var/log/kern.log`.
+	// control rules. Currently, this feature supports AppArmor and BPF enforcers. Any detected
+	// violation will be logged to `/var/log/varmor/violations.log` file in the host.
 	//
 	// Default is false.
 	// +optional
@@ -188,10 +187,10 @@ type Policy struct {
 	Mode VarmorPolicyMode `json:"mode"`
 	// EnhanceProtect is used to specify which built-in or custom rules are employed to protect the target workloads.
 	// +optional
-	EnhanceProtect EnhanceProtect `json:"enhanceProtect,omitempty"`
+	EnhanceProtect *EnhanceProtect `json:"enhanceProtect,omitempty"`
 	// ModelingOptions is used for the modeling settings.
 	// +optional
-	ModelingOptions ModelingOptions `json:"modelingOptions,omitempty"`
+	ModelingOptions *ModelingOptions `json:"modelingOptions,omitempty"`
 }
 
 // VarmorPolicySpec defines the desired state of VarmorPolicy or VarmorClusterPolicy

cmd/varmor/Dockerfile

@@ -50,8 +50,8 @@ COPY --from=apparmor-libseccomp-builder /usr/lib/libseccomp.* /usr/lib/
 COPY --from=apparmor-libseccomp-builder /usr/include/seccomp* /usr/include/
 COPY --from=apparmor-libseccomp-builder /usr/lib/libapparmor.* /usr/lib/
 COPY --from=apparmor-libseccomp-builder /usr/include/aalogparse /usr/include/aalogparse
-COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/tracer/bpf_bpfel.go /varmor/internal/behavior/tracer
-COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/tracer/bpf_bpfel.o /varmor/internal/behavior/tracer
+COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/processtracer/bpf_bpfel.go /varmor/pkg/processtracer
+COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/processtracer/bpf_bpfel.o /varmor/pkg/processtracer
 COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.go /varmor/pkg/lsm/bpfenforcer
 COPY --from=vArmor-ebpf-builder /varmor/vArmor-ebpf/pkg/bpfenforcer/bpf_bpfel.o /varmor/pkg/lsm/bpfenforcer