跳到主要内容
版本:main

The Custom Rules

vArmor allows users to customize access control rules in VarmorPolicy or VarmorClusterPolicy objects in EnhanceProtect mode based on the enforcer syntax.

Note:
- The syntax supported by BPF enforcer is still under development.

AppArmor enforcer

The AppArmor enforcer supports users in customizing policies based on the syntax of AppArmor.

Please refer to the syntax of security profiles for AppArmor to set custom rules in the .spec.policy.enhanceProtect.appArmorRawRules field. Please ensure that each rule ends with a comma.

Seccomp enforcer

The Seccomp enforcer supports users in customizing policies based on the syntax of OCI specification.

Please refer to this document to set custom syscalls blocklist rules in the .spec.policy.enhanceProtect.syscallRawRules field.

BPF enforcer

The BPF enforcer supports users in customizing policies based on the syntax, with an upper limit of 50 rules per rule type. Each node of Kubernetes can enable sandboxing for up to 100 containers.

Please refer to the syntaxes below to set custom rules in the .spec.policy.enhanceProtect.bpfRawRules field.

  • File Permission

    Permission / Permission AbbreviateImplied PermissionsDescription
    read / r-
    rename
    hard link
    Restrict read permission.
    Prohibit abusing 'rename oldpath newpath' to bypass read restrictions on oldpath.
    Prohibit abusing 'ln TARGET LINK_NAME' to bypass read restrictions on TARGET.
    write / w-
    append
    rename
    hard link
    symbol link
    chmod
    chown
    Restrict write permission.
    Prohibit using the O_APPEND flag to bypass map_file_to_perms() for append operations.
    Prohibit abusing 'rename oldpath newpath' to bypass write restrictions on newpath.
    Prohibit abusing 'ln TARGET LINK_NAME' to bypass write restrictions on LINK_NAME.
    Prohibit abusing symlink to bypass write restrictions on the target file.
    WIP
    WIP
    exec / x-Prohibit execution permission.
    append / a-Prohibit append permission.
  • File Globbing Syntax

    GlobbingDescriptionExamplesNotes
    *- Used only to match file names.
    - It will match dot files except the special dot files . and ..
    - Supports only a single *, and does not support ** and * appearing together.
    - fi* matches any file name starting with 'fi'.
    - *le matches any file name ending with 'le'.
    - *.log matches any file name ending with '.log'
    The behavior of this globbing may change in future versions.
    **- Match zero, one, or multiple characters in multi-level directories.
    - It will match dot files except the special dot files . and ..
    - Supports only a single **, and does not support ** and * appearing together.
    - /tmp/**/33 matches any file that starts with /tmp and ends with /33, including /tmp/33.
    - /tmp/** matches any file or directory that starts with /tmp.
    - /tm** matches any file or directory that starts with /tm.
    - /t**/33 matches any file or directory that starts with /t and ends with /33.
  • Network Permission

    • Currently, vArmor supports connection access control for specified IP addresses, IP address blocks (CIDR blocks), and ports.
    • When specific IP addresses or IP address blocks are specified without specifying ports, it defaults to affecting all ports.
    • Please refer to NetworkEgressRule for specific details.