Interface Instructions
VarmorPolicy / VarmorClusterPolicy
Spec
| Field | Subfield | Subfield | Description |
|---|---|---|---|
| target | kind string | - | Kind is used to specify the type of workloads for the protection targets. Available values: Deployment, StatefulSet, DaemonSet, Pod |
| name string | - | Optional. Name is used to specify a specific workload name. | |
| containers string array | - | Optional. Containers are used to specify the names of the protected containers. If it is empty, sandbox protection will be enabled for all containers within the workload (excluding initContainers and ephemeralContainers). | |
| selector LabelSelector | - | Optional. LabelSelector is used to match workloads that meet the specified conditions. Note: the type of workloads is determined by the KIND field. | |
| policy | enforcer string | - | Enforcer is used to specify which LSM to use for mandatory access control. Available values: AppArmor, BPF, Seccomp, AppArmorBPF, AppArmorSeccomp, BPFSeccomp, AppArmorBPFSeccomp |
| mode string | - | Used to specify the protection mode, please refer to the Built-in Rules. Available values: AlwaysAllow, RuntimeDefault, EnhanceProtect, BehaviorModeling, DefenseInDepth | |
| enhanceProtect | hardeningRules string array | Optional. HardeningRules are used to specify the built-in hardening rules, please refer to the Built-in Rules. | |
| attackProtectionRules AttackProtectionRules array | Optional. AttackProtectionRules are used to specify the built-in attack protection rules, please refer to the Built-in Rules. | ||
| vulMitigationRules string array | Optional. VulMitigationRules are used to specify the built-in vulnerability mitigation rules, please refer to the Built-in Rules. | ||
| appArmorRawRules string array | Optional. AppArmorRawRules is used to set custom AppArmor rules, each rule must end with a comma, please refer to the AppArmor Syntax. | ||
| bpfRawRules BpfRawRules array | Optional. BpfRawRules is used to set custom BPF rules. | ||
| syscallRawRules LinuxSyscall array | Optional. SyscallRawRules is used to set the custom syscalls blocklist rules with Seccomp enforcer. Please refer to this document to create custom rules. | ||
| privileged bool | Optional. Privileged is used to identify whether the policy is for the privileged container. If set to nil or false, vArmor will build AppArmor or BPF profiles on top of the RuntimeDefault mode. Otherwise, it will build AppArmor or BPF profiles on top of the AlwaysAllow mode. (Default: false)Note: If set to true, vArmor will not build Seccomp profile for the target workloads. | ||
| auditViolations bool | Optional. AuditViolations determines whether to audit the actions that violate the mandatory access control rules. Currently, this feature supports only the AppArmor enforcer. Any detected violation will be logged to the system's audit file. If you are using syslog or rsyslog, the default log path is /var/log/kern.log. (Default: false) | ||
| modelingOptions | duration int | [Experimental] Duration is the duration in minutes to modeling. | |
| updateExistingWorkloads bool | - | - | Optional. UpdateExistingWorkloads is used to indicate whether to perform a rolling update on target existing workloads, thus enabling or disabling the protection of the target workloads when policies are created or deleted. (Default: false) Note: vArmor only performs a rolling update on Deployment, StatefulSet, or DaemonSet type workloads. If .spec.target.kind is Pod, you need to rebuild the Pod yourself to enable or disable protection. |
| PLACEHOLDER_PLACEHOD |
AttackProtectionRules
| Field | Description |
|---|---|
| rules string array | List of built-in attack protection rules to be used, please refer to the Built-in Rules. |
| targets string array | Optional. Targets are used to specify the workloads to which the policy applies. They must be specified as full paths to executable files, and this feature is only effective when using AppArmor as the enforcer. |
| PLACEHOLDER |
BpfRawRules
| Field | Subfield | Description |
|---|---|---|
| files FileRule array | pattern string | Any string (maximum length 128 bytes) that conforms to the policy syntax, used for matching file paths and filenames. Please refer to the BPF Syntax. |
| permissions string array | Permissions are used to specify the file permissions to be disabled. Available values: read(r), write(w), append(a), exec(e) | |
| processes FileRule array | - | Same as above. |
| network NetworkRule | egresses NetworkEgressRule array | Optional. Egresses are the list of egress rules to be applied to restrict particular IPs and ports. |
| ptrace PtraceRule | strictMode bool | Optional. If set to false, it restricts ptrace-related permissions only for processes in other containers. If set to true, it restricts ptrace-related permissions for all processes, except those within the init mnt namespace. (Default: false) |
| permissions string array | Prohibited ptrace-related permissions. Available values: trace, traceby, read, readby. - trace: prohibiting tracing of other container processes. - read: prohibiting reading of other container processes. - traceby: prohibiting being traced by other processes (excluding the host processes). - readby: prohibiting being read by other processes (excluding the host processes). | |
| mounts MountRule array | sourcePattern string | Any string (maximum length 128 bytes) that conforms to the policy syntax, used for matching the source paramater of MOUNT(2), the target paramater of UMOUNT(2), and the from_pathname paramater of MOVE_MOUNT(2). Please refer to the BPF Syntax. |
| fstype string | Any string (maximum length 16 bytes), used for matching the type of filesystem. '*' represents matching any filesystem. | |
| flags string array | Prohibited mount flags. They are similar to AppArmor's MOUNT FLAGS, 'all' represents matching all mount flags. Available values: all, ro(r, read-only), rw(w), suid, nosuid, dev, nodev, exec, noexec, sync, async, mand, nomand, dirsync, atime, noatime, diratime, nodiratime, silent, loud, relatime, norelatime, iversion, noiversion, strictatime, nostrictatime, remount, bind(B), move(M), rbind(R), make-unbindable, make-private(private), make-slave(slave), make-shared(shared), make-runbindable, make-rprivate, make-rslave, make-rshared, umount | |
| PLACEHOLDER_ | PLACEHOLDER_PLACEHOD |
NetworkEgressRule
| Field | Description |
|---|---|
| ipBlock string | Optional. IPBlock defines policy on a particular IPBlock with CIDR. If this field is set then neither of the IP field can be. For example: * 192.168.1.1/24 represents IP addresses within the range of 192.168.1.0 to 192.168.1.255. * 2001:db8::/32 represents IP addresses within the range of 2001:db8:: to 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff |
| ip string | Optional. IP defines policy on a particular IP. If this field is set then neither of the IPBlock field can be. |
| port int | Optional. Port defines policy on a particular port. If this field is zero or missing, this rule matches all ports. Available values: 1 to 65535 |
| PLACEHOLDER |
Syntax
vArmor also allows users to customize Mandatory Access Control rules in spec.policy.enhanceProtect.appArmorRawRules and spec.policy.enhanceProtect.bpfRawRules based on the syntax.
AppArmor enforcer
The AppArmor enforcer supports users in customizing policies based on the syntax of AppArmor.
- Refer to the syntax of security profiles for AppArmor and AppArmor_Core_Policy_Reference for the details.
- Usage:
- Add a custom rule in .spec.policy.enhanceProtect.appArmorRawRules[]
- Please ensure that each rule ends with a comma
BPF enforcer (WIP)
The BPF enforcer supports users in customizing policies based on the syntax, with an upper limit of 50 rules per rule type. Each node of Kubernetes can enable sandboxing for up to 100 containers.
-
File Permission
Permission / Permission Abbreviate Implied Permissions Description read / r -
rename
hard linkRestrict read permission.
Prohibit abusing 'rename oldpath newpath' to bypass read restrictions on oldpath.
Prohibit abusing 'ln TARGET LINK_NAME' to bypass read restrictions on TARGET.write / w -
append
rename
hard link
symbol link
chmod
chownRestrict write permission.
Prohibit using the O_APPEND flag to bypass map_file_to_perms() for append operations.
Prohibit abusing 'rename oldpath newpath' to bypass write restrictions on newpath.
Prohibit abusing 'ln TARGET LINK_NAME' to bypass write restrictions on LINK_NAME.
Prohibit abusing symlink to bypass write restrictions on the target file.
WIP
WIPexec / x - Prohibit execution permission. append / a - Prohibit append permission. -
File Globbing Syntax
Globbing Description Examples Notes * - Used only to match file names.
- It will match dot files except the special dot files . and ..
- Supports only a single *, and does not support ** and * appearing together.- fi* matches any file name starting with 'fi'.
- *le matches any file name ending with 'le'.
- *.log matches any file name ending with '.log'The behavior of this globbing may change in future versions. ** - Match zero, one, or multiple characters in multi-level directories.
- It will match dot files except the special dot files . and ..
- Supports only a single **, and does not support ** and * appearing together.- /tmp/**/33 matches any file that starts with /tmp and ends with /33, including /tmp/33.
- /tmp/** matches any file or directory that starts with /tmp.
- /tm** matches any file or directory that starts with /tm.
- /t**/33 matches any file or directory that starts with /t and ends with /33. -
Network Permission
- Currently, vArmor supports connection access control for specified IP addresses, IP address blocks (CIDR blocks), and ports.
- When specific IP addresses or IP address blocks are specified without specifying ports, it defaults to affecting all ports.
- Please refer to NetworkEgressRule for specific details.