spoc: abort apparmor recording if BPF LSM is not enabled

mhils · mhils · commit eddceceda0f1 · 2024-07-31T14:21:16.000+02:00
diff --git a/internal/pkg/cli/recorder/recorder.go b/internal/pkg/cli/recorder/recorder.go
@@ -22,6 +22,7 @@ package recorder
 import (
 	"context"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -78,6 +79,13 @@ func (r *Recorder) Run() error {
 		(r.options.typ == TypeRawSeccomp) ||
 		(r.options.typ == TypeAll))
 
+	// https://github.com/kubernetes-sigs/security-profiles-operator/issues/2384
+	// Explicitly check for BPF LSM support as the recorder fails silently
+	// to support seccomp-only use cases.
+	if recordAppArmor && !bpfrecorder.BPFLSMEnabled() {
+		return errors.New("BPF LSM is not enabled for this kernel")
+	}
+
 	r.bpfRecorder = bpfrecorder.New(
 		r.options.commandOptions.Command(),
 		logr.New(&cli.LogSink{}),
diff --git a/internal/pkg/daemon/bpfrecorder/bpfrecorder.go b/internal/pkg/daemon/bpfrecorder/bpfrecorder.go
@@ -476,6 +476,8 @@ func (b *BpfRecorder) Load(startEventProcessor bool) (err error) {
 			// Only log an error here, if Apparmor cannot be loaded. This is because it is
 			// enabled by default, and there are Linux distributions which either do not
 			// support Apparmor or BPF LSM is not yet available.
+			//
+			// see also https://github.com/kubernetes-sigs/security-profiles-operator/issues/2384
 			b.logger.Error(err, "Loading bpf program")
 		}
 	}
diff --git a/test/spoc/e2e_spoc_test.go b/test/spoc/e2e_spoc_test.go
@@ -196,14 +196,29 @@ func recordAppArmorTest(t *testing.T) {
 
 		require.Contains(t, stdout.String(), "allowTcp", "did not find TCP permission in profile")
 	})
+	t.Run("unsupported", func(t *testing.T) {
+		if bpfrecorder.BPFLSMEnabled() {
+			t.Skip("BPF LSM enabled")
+		}
+		_, err := runSpoc(
+			t,
+			"record",
+			"-t",
+			"apparmor",
+			"-o",
+			"/dev/stdout",
+			"./demobinary",
+		)
+		require.Error(t, err)
+	})
 }
 
 func recordSeccompTest(t *testing.T) {
 	profile := recordSeccomp(t, "--net-tcp")
 	require.Contains(t, profile.Syscalls[0].Names, "listen")
 }
 
-func runSpoc(t *testing.T, args ...string) []byte {
+func runSpoc(t *testing.T, args ...string) ([]byte, error) {
 	t.Helper()
 	args = append([]string{spocPath}, args...)
 	cmd := exec.Command(
@@ -212,17 +227,17 @@ func runSpoc(t *testing.T, args ...string) []byte {
 	)
 	cmd.Stderr = os.Stderr
 	out, err := cmd.Output()
-	require.NoError(t, err, "failed to run spoc")
-	return out
+	return out, err
 }
 
 func record(t *testing.T, typ string, profile client.Object, args ...string) {
 	t.Helper()
 	args = append([]string{
 		"record", "-t", typ, "-o", "/dev/stdout", "--no-base-syscalls", "./demobinary",
 	}, args...)
-	content := runSpoc(t, args...)
-	err := yaml.Unmarshal(content, &profile)
+	content, err := runSpoc(t, args...)
+	require.NoError(t, err, "failed to run spoc")
+	err = yaml.Unmarshal(content, &profile)
 	require.NoError(t, err, "failed to parse yaml")
 }
 

Original file line number	Diff line number	Diff line change
`@@ -476,6 +476,8 @@ func (b *BpfRecorder) Load(startEventProcessor bool) (err error) {`
`476`	`476`	`// Only log an error here, if Apparmor cannot be loaded. This is because it is`
`477`	`477`	`// enabled by default, and there are Linux distributions which either do not`
`478`	`478`	`// support Apparmor or BPF LSM is not yet available.`
	`479`	`+ //`
	`480`	`+ // see also https://github.com/kubernetes-sigs/security-profiles-operator/issues/2384`
`479`	`481`	`b.logger.Error(err, "Loading bpf program")`
`480`	`482`	`}`
`481`	`483`	`}`