Replace the variance in the apparmor file paths with apparmor variables

Replace the task ID and container ID variance in the apparmor file path.

Change-Id: I6395c4faf5f5f3773b87e97287647ba0b3cbb3d2
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

Author: ccojocar

examples/apparmorprofile-sleep.yaml

@@ -17,18 +17,42 @@ policy: |2
     /proc/@{pid}/cgroup r,
     /proc/@{pid}/mounts r,
     /proc/@{pid}/setgroups r,
+    /proc/@{pid}/task/@{tid}/attr r,
+    /proc/@{pid}/task/@{tid}/attr/apparmor r,
+    /proc/@{pid}/task/@{tid}/attr/apparmor/current r,
     /proc/@{pid}/uid_map r,
     /proc/sys/kernel/cap_last_cap r,
     /run r,
     /sys/module/apparmor/parameters/enabled r,
+    /var/lib/containers/storage/overlay/*/merged r,
+    /var/lib/containers/storage/overlay/*/merged/dev r,
+    /var/lib/containers/storage/overlay/*/merged/etc r,
+    /var/lib/containers/storage/overlay/*/merged/proc r,
+    /var/lib/containers/storage/overlay/*/merged/run r,
+    /var/lib/containers/storage/overlay/*/merged/run/secrets r,
+    /var/lib/containers/storage/overlay/*/merged/run/secrets/kubernetes.io r,
+    /var/lib/containers/storage/overlay/*/merged/sys r,
+    /var/lib/containers/storage/overlay/*/merged/var r,
 
     deny /proc/@{pid}/cgroup wlk,
     deny /proc/@{pid}/mounts wlk,
     deny /proc/@{pid}/setgroups wlk,
+    deny /proc/@{pid}/task/@{tid}/attr wlk,
+    deny /proc/@{pid}/task/@{tid}/attr/apparmor wlk,
+    deny /proc/@{pid}/task/@{tid}/attr/apparmor/current wlk,
     deny /proc/@{pid}/uid_map wlk,
     deny /proc/sys/kernel/cap_last_cap wlk,
     deny /run wlk,
     deny /sys/module/apparmor/parameters/enabled wlk,
+    deny /var/lib/containers/storage/overlay/*/merged wlk,
+    deny /var/lib/containers/storage/overlay/*/merged/dev wlk,
+    deny /var/lib/containers/storage/overlay/*/merged/etc wlk,
+    deny /var/lib/containers/storage/overlay/*/merged/proc wlk,
+    deny /var/lib/containers/storage/overlay/*/merged/run wlk,
+    deny /var/lib/containers/storage/overlay/*/merged/run/secrets wlk,
+    deny /var/lib/containers/storage/overlay/*/merged/run/secrets/kubernetes.io wlk,
+    deny /var/lib/containers/storage/overlay/*/merged/sys wlk,
+    deny /var/lib/containers/storage/overlay/*/merged/var wlk,
 
 
     /etc/alpine-release wlk,
@@ -84,6 +108,7 @@ policy: |2
     /lib/libssl.so.3 wlk,
     /lib/libz.so.1.3.1 wlk,
     /lib/sysctl.d/00-alpine.conf wlk,
+    /proc/@{pid}/task/@{tid}/attr/apparmor/exec wlk,
     /sbin/apk wlk,
     /sbin/ldconfig wlk,
     /usr/bin/getconf wlk,
@@ -115,6 +140,9 @@ policy: |2
     /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub wlk,
     /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub wlk,
     /usr/share/udhcpc/default.script wlk,
+    /var/lib/containers/storage/overlay/*/merged/dev/termination-log wlk,
+    /var/lib/containers/storage/overlay/*/merged/etc/resolv.conf wlk,
+    /var/lib/containers/storage/overlay/*/merged/run/.containerenv wlk,
 
     deny /etc/alpine-release r,
     deny /etc/apk/arch r,
@@ -169,6 +197,7 @@ policy: |2
     deny /lib/libssl.so.3 r,
     deny /lib/libz.so.1.3.1 r,
     deny /lib/sysctl.d/00-alpine.conf r,
+    deny /proc/@{pid}/task/@{tid}/attr/apparmor/exec r,
     deny /sbin/apk r,
     deny /sbin/ldconfig r,
     deny /usr/bin/getconf r,
@@ -200,6 +229,9 @@ policy: |2
     deny /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub r,
     deny /usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub r,
     deny /usr/share/udhcpc/default.script r,
+    deny /var/lib/containers/storage/overlay/*/merged/dev/termination-log r,
+    deny /var/lib/containers/storage/overlay/*/merged/etc/resolv.conf r,
+    deny /var/lib/containers/storage/overlay/*/merged/run/.containerenv r,
 
 
     /dev/null rwlk,

hack/ci/e2e-apparmor.sh

@@ -30,8 +30,6 @@ check_apparmor_profile() {
   # clean up the variance in the recorded apparmor profile
   yq -i ".spec" $APPARMOR_PROFILE_FILE
   sed -i -e "s/\btest-recording_test-pod[^ ]*\b/test-sleep/g" $APPARMOR_PROFILE_FILE
-  sed -i -e '/\/var\/lib\/containers\/storage\/overlay/d' $APPARMOR_PROFILE_FILE
-  sed -i -e '/\/proc\/@{pid}\/task/d' $APPARMOR_PROFILE_FILE
 
   diff $APPARMOR_REFERENCE_PROFILE_FILE $APPARMOR_PROFILE_FILE
 }

internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go

@@ -52,8 +52,6 @@ var appArmorHooks = []string{
 	"cap_capable",
 }
 
-var pathWithPid *regexp.Regexp = regexp.MustCompile(`^/proc/\d+/`)
-
 // mntnsID is a unique identifier for a group of processes usually running in a container
 // Note: on a host running concurrent containers, there will be multiple process running with
 // the same PID but they are assigned to different mntns since  they run in different containers.
@@ -241,6 +239,22 @@ func (b *AppArmorRecorder) GetAppArmorProcessed(mntns uint32) BpfAppArmorProcess
 	return processed
 }
 
+func replaceVarianceInFilePath(filePath string) string {
+	filePath = filepath.Clean(filePath)
+
+	// Replace PID value with a apparmor variable.
+	pathWithPid := regexp.MustCompile(`^/proc/\d+/`)
+	filePath = pathWithPid.ReplaceAllString(filePath, "/proc/@{pid}/")
+
+	// Replace TID value with a apparmor variable.
+	pathWithTid := regexp.MustCompile(`^/proc/@{pid}/task/\d+/`)
+	filePath = pathWithTid.ReplaceAllString(filePath, "/proc/@{pid}/task/@{tid}/")
+
+	// Replace container ID with any container ID
+	pathWithCid := regexp.MustCompile(`^/var/lib/containers/storage/overlay/\w+/`)
+	return pathWithCid.ReplaceAllString(filePath, "/var/lib/containers/storage/overlay/*/")
+}
+
 func (b *AppArmorRecorder) processExecFsEvents(mid mntnsID) BpfAppArmorFileProcessed {
 	b.lockRecordedFiles.Lock()
 	defer b.lockRecordedFiles.Unlock()
@@ -252,8 +266,7 @@ func (b *AppArmorRecorder) processExecFsEvents(mid mntnsID) BpfAppArmorFileProce
 	}
 
 	for fileName, access := range b.recordedFiles[mid] {
-		fileName = filepath.Clean(fileName)
-		fileName = pathWithPid.ReplaceAllString(fileName, "/proc/@{pid}/")
+		fileName = replaceVarianceInFilePath(fileName)
 
 		knownLibrary := isKnownFile(fileName, knownLibrariesPrefixes) || fileName == b.programName
 		knownRead := isKnownFile(fileName, knownReadPrefixes)

internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor_test.go

@@ -0,0 +1,66 @@
+//go:build linux && !no_bpf
+// +build linux,!no_bpf
+
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package bpfrecorder
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestReplaceVarianceInFilePath(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		path string
+		want string
+	}{
+		{
+			name: "no replacement",
+			path: "/sys/module/apparmor/parameters/enabled",
+			want: "/sys/module/apparmor/parameters/enabled",
+		},
+		{
+			name: "replace only PID",
+			path: "/proc/123/cgroup",
+			want: "/proc/@{pid}/cgroup",
+		},
+		{
+			name: "replace PID and TID",
+			path: "/proc/123/task/12948/attr/apparmor",
+			want: "/proc/@{pid}/task/@{tid}/attr/apparmor",
+		},
+		{
+			name: "replace container ID",
+			path: "/var/lib/containers/storage/overlay/8a0a50ee00/merged/dev",
+			want: "/var/lib/containers/storage/overlay/*/merged/dev",
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got := replaceVarianceInFilePath(tc.path)
+			require.Equal(t, tc.want, got)
+		})
+	}
+}