From 89d1fd66f7046c2279785bfb493614812ea693f9 Mon Sep 17 00:00:00 2001 From: Danny__Wei Date: Wed, 4 Dec 2024 15:36:42 +0800 Subject: [PATCH 1/3] feat: Run agent in an unprivileged container --- cmd/varmor/main.go | 8 ++++++++ config/manifest/agent.yaml | 8 +++++++- manifests/varmor/values.yaml | 8 +++++++- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/cmd/varmor/main.go b/cmd/varmor/main.go index a010124..f35da59 100644 --- a/cmd/varmor/main.go +++ b/cmd/varmor/main.go @@ -25,6 +25,7 @@ import ( "github.com/gin-gonic/gin" "github.com/kyverno/kyverno/pkg/leaderelection" _ "go.uber.org/automaxprocs" + "golang.org/x/sys/unix" kubeinformers "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" "k8s.io/client-go/util/retry" @@ -156,6 +157,13 @@ func main() { if agent { setupLog.Info("vArmor agent startup") + // RemoveMemlock requires the write permission for /proc/sys/kernel/printk_ratelimit + err = unix.Unmount("/proc/sys", 0) + if err != nil { + setupLog.Error(err, "unix.Unmount(\"/proc/sys\", 0)") + os.Exit(1) + } + agentCtrl, err := varmoragent.NewAgent( kubeClient.CoreV1().Pods(config.Namespace), varmorClient.CrdV1beta1(), diff --git a/config/manifest/agent.yaml b/config/manifest/agent.yaml index c29b3d7..8181cf6 100644 --- a/config/manifest/agent.yaml +++ b/config/manifest/agent.yaml @@ -31,7 +31,13 @@ spec: - --enableBpfEnforcer - --enableBehaviorModeling securityContext: - privileged: true + capabilities: + add: + - SYS_ADMIN + - BPF + - SYS_RESOURCE + - SYS_PTRACE + - MAC_ADMIN runAsUser: 0 volumeMounts: - mountPath: /sys/kernel/security diff --git a/manifests/varmor/values.yaml b/manifests/varmor/values.yaml index 879171f..0ef5ed8 100644 --- a/manifests/varmor/values.yaml +++ b/manifests/varmor/values.yaml @@ -143,7 +143,13 @@ agent: tag: "" securityContext: - privileged: true + capabilities: + add: + - SYS_ADMIN + - BPF + - SYS_RESOURCE + - SYS_PTRACE + - MAC_ADMIN runAsUser: 0 args: [] 
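Review bot: The `unix.Unmount("/proc/sys", 0)` in the agent startup branch removes the runtime's read-only masking of the entire sysctl tree, while the comment above it only names `/proc/sys/kernel/printk_ratelimit`; the comment should state that scope and the capability the call depends on so a reader does not take it for a one-file change. Something like `// Non-privileged containers get /proc/sys bind-mounted read-only by the runtime (presumably runc/containerd); unmounting that overlay lets RemoveMemlock write /proc/sys/kernel/printk_ratelimit but makes the whole sysctl tree writable again and needs CAP_SYS_ADMIN.` would carry that. The error path logs and exits, so any host where `/proc/sys` is not a separate mount point turns into a fatal startup; the second patch in the series narrows when the call runs, but the reason for the hard exit is worth a sentence in the comment as well. `main` continues outside the hunk.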
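Review bot: The new `capabilities.add` list in `config/manifest/agent.yaml` (and the identical block in `manifests/varmor/values.yaml`) only adds to the runtime's default capability set; nothing drops it, so the container keeps every default capability on top of the five listed. Since the point of the series is to stop running privileged, add `drop:` / `- ALL` ahead of `add:` in both files so the effective set is exactly the listed one, after confirming the agent needs nothing from the defaults. A YAML comment next to the list should also record that with `hostPID: true` (visible as context in the later agent.yaml hunk) plus `SYS_ADMIN` and `SYS_PTRACE` the agent still holds host-level privileges, so "unprivileged" here means "not `privileged: true`" rather than low-privilege. `allowPrivilegeEscalation` is left unset as well; whether `false` is compatible with this root-plus-capabilities setup should be checked and the outcome noted in the same comment.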
From d976578bb3af16ec329462fe1fbc2ff307e247d9 Mon Sep 17 00:00:00 2001 From: Danny__Wei Date: Wed, 4 Dec 2024 15:42:28 +0800 Subject: [PATCH 2/3] Only umount /proc/sys when agent runs in a container --- cmd/varmor/main.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/cmd/varmor/main.go b/cmd/varmor/main.go index f35da59..284ad92 100644 --- a/cmd/varmor/main.go +++ b/cmd/varmor/main.go @@ -158,10 +158,12 @@ func main() { setupLog.Info("vArmor agent startup") // RemoveMemlock requires the write permission for /proc/sys/kernel/printk_ratelimit - err = unix.Unmount("/proc/sys", 0) - if err != nil { - setupLog.Error(err, "unix.Unmount(\"/proc/sys\", 0)") - os.Exit(1) + if !debug { + err = unix.Unmount("/proc/sys", 0) + if err != nil { + setupLog.Error(err, "unix.Unmount(\"/proc/sys\", 0)") + os.Exit(1) + } } agentCtrl, err := varmoragent.NewAgent( From 2943f21c67e21c6f0358d92cffa0954d2b94d9ae Mon Sep 17 00:00:00 2001 From: Danny__Wei Date: Wed, 4 Dec 2024 17:40:25 +0800 Subject: [PATCH 3/3] Disable AppArmor for the agent container --- config/manifest/agent.yaml | 2 ++ manifests/varmor/templates/daemonsets/agent.yaml | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/config/manifest/agent.yaml b/config/manifest/agent.yaml index 8181cf6..96edc95 100644 --- a/config/manifest/agent.yaml +++ b/config/manifest/agent.yaml @@ -17,6 +17,8 @@ spec: labels: app: varmor app.kubernetes.io/name: varmor-agent + annotations: + container.apparmor.security.beta.kubernetes.io/agent: unconfined spec: hostPID: true serviceAccountName: varmor-agent diff --git a/manifests/varmor/templates/daemonsets/agent.yaml b/manifests/varmor/templates/daemonsets/agent.yaml index 01361b2..b947218 100644 --- a/manifests/varmor/templates/daemonsets/agent.yaml +++ b/manifests/varmor/templates/daemonsets/agent.yaml 
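Review bot: `if !debug` uses the debug flag as a proxy for "running in a container", which is what the commit title describes but not what the condition tests; a debug run inside a container skips the unmount and a non-debug run outside one still exits on the error. `umount(2)` reports `EINVAL` when the target is not a mount point, so the guard can key off the actual condition: `if err = unix.Unmount("/proc/sys", 0); err != nil && err != unix.EINVAL {`. If the `debug` gate is still wanted for its own reasons, the two conditions can be combined, but the EINVAL case should not be fatal either way. `main` continues outside the hunk.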
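Review bot: The `container.apparmor.security.beta.kubernetes.io/agent: unconfined` annotation in `config/manifest/agent.yaml` is added without saying why the agent must run outside AppArmor confinement, and the static manifest does not get the version-gated `securityContext.appArmorProfile` form that the Helm template in the next file uses. Add a comment above the annotation such as `# Agent manages AppArmor profiles via /sys/kernel/security (mounted below); presumably the runtime default profile blocks that, so run unconfined. Kubernetes >= 1.30 prefers securityContext.appArmorProfile; this annotation covers older releases.` This only preserves prior behaviour, since a `privileged: true` container presumably already ran unconfined, so it is not a new relaxation, but the manifest should say so.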
@@ -13,6 +13,13 @@ spec: metadata: labels: {{- include "varmor.agent.selectorLabels" . | nindent 8 }} + annotations: + {{- with .Values.agent.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if semverCompare "<1.30.0-0" .Capabilities.KubeVersion.Version }} + container.apparmor.security.beta.kubernetes.io/agent: unconfined + {{- end }} spec: {{- if .Values.image.password }} imagePullSecrets: @@ -58,7 +65,13 @@ spec: {{- end }} {{- end }} securityContext: - {{- toYaml .Values.agent.securityContext | nindent 10 }} + {{- with .Values.agent.securityContext }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if semverCompare ">=1.30.0-0" .Capabilities.KubeVersion.Version }} + appArmorProfile: + type: Unconfined + {{- end }} volumeMounts: - mountPath: /sys/kernel/security name: securityfs
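Review bot: Both hunks in this template branch on `.Capabilities.KubeVersion.Version` with `semverCompare`, which Helm fills from the target cluster; when the chart is rendered offline (`helm template` without `--kube-version`) Helm substitutes its own built-in default version, so the output can silently take the legacy-annotation branch in the first hunk and omit `appArmorProfile` in the second. A template comment above the first `semverCompare`, such as `{{- /* KubeVersion comes from the cluster; pass --kube-version when rendering offline */}}`, would make that explicit. The first hunk also reads `.Values.agent.podAnnotations`, which the values.yaml change in patch 1 does not introduce; unless it already exists elsewhere in values.yaml, document it there so the option is discoverable, and note that a user-supplied annotation with the same AppArmor key would render alongside the generated one as a duplicate key.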