Add IPC_LOCK capability to allow mmap in higher kernel versions & Update documents

README.md

@@ -19,8 +19,9 @@ vArmor is a cloud-native container sandbox system. It leverages Linux's [AppArmo
 * You want to enhance the security of critical business containers, making it more difficult for attackers to escalate privileges, escape, or laterally move.
 * When high-risk vulnerabilities are present but immediate remediation is not possible due to the difficulty or lengthy process of patching, vArmor can be used to mitigate the risks (depending on the vulnerability type or exploitation vector) to block or increase the difficulty of exploitation.
 
-*Note: To meet stringent isolation requirements, it is advisable to give priority to utilizing hardware-virtualized containers (e.g., Kata Containers) for compute isolation, in conjunction with network isolation provided by CNI's NetworkPolicy.*
-
+*Note:* 
+*<br />- The core of security defense lies in balancing risks and benefits, transforming uncontrollable risks into controllable costs by choosing different types of security boundaries and defense technologies.*
+*<br />- runc + vArmor does not provide an isolation level equivalent to that of hardware virtualization containers (such as Kata Containers and other lightweight virtual machines). If you require a high-intensity isolation solution, please consider using hardware virtualization containers for compute isolation, and utilize CNI's NetworkPolicy for network isolation.*
 
 **vArmor Features:**
 * **Cloud-Native**. vArmor follows the Kubernetes Operator design pattern, allowing users to harden specific workloads by manipulating the [CRD API](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). This approach enables sandboxing of containerized microservices from a perspective closely aligned with business needs.

README.zh_CN.md

@@ -22,7 +22,10 @@ vArmor 是一个云原生容器沙箱系统，它借助 Linux 的 [AppArmor LSM]
 * 想要对关键的业务进行安全加固，增加攻击者权限提升、容器逃逸、横向渗透的难度与成本
 * 当出现高危漏洞，但由于修复难度大、周期长等原因无法立即修复时，可以借助 vArmor 实施漏洞利用缓解（具体取决于漏洞类型或漏洞利用向量。缓解代表阻断利用向量、增加利用难度）
 
-*注意：如果需要高强度的隔离方案，建议优先考虑使用硬件虚拟化容器（如 Kata Container）进行计算隔离，并借助 CNI 的 NetworkPolicy 进行网络隔离。*
+*注意：* 
+*<br />- 安全防御的核心在于平衡风险与收益，通过选择不同类型的安全边界和防御技术，将不可控风险转化为可控成本。*
+*<br />- runc + vArmor 不提供等同硬件虚拟化容器（如 Kata Container 等轻量级虚拟机）的隔离等级。如果您需要高强度的隔离方案，请优先考虑使用硬件虚拟化容器进行计算隔离，并借助 CNI 的 NetworkPolicy 进行网络隔离。*
+
 
 **vArmor 的特色**
 * **Cloud-Native**. vArmor 遵循 Kubernetes Operator 设计模式，用户可通过操作 [CRD API](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) 对特定的 Workloads 进行加固。从而以更贴近业务的视角，实现对容器化微服务的沙箱加固。

config/manifest/agent.yaml

@@ -48,6 +48,7 @@ spec:
             - SYS_RESOURCE
             - SYS_PTRACE
             - MAC_ADMIN
+            - IPC_LOCK
           runAsUser: 0
         volumeMounts:
         - mountPath: /sys/kernel/security

docs/README.md

@@ -10,7 +10,9 @@ vArmor is a cloud-native container sandbox system. It leverages Linux's [AppArmo
 * When there is a need to enhance the security of critical business containers, making it more difficult for attackers to escalate privileges, escape, or laterally move.
 * When high-risk vulnerabilities are present, but immediate remediation is not possible due to the difficulty or lengthy process of patching. vArmor can be used to mitigate the risks (depending on the vulnerability type or exploitation vector) to block or increase the difficulty of exploitation.
 
-*Note: To meet stringent isolation requirements, it is advisable to give priority to utilizing hardware-virtualized containers (e.g., Kata Containers) for compute isolation, in conjunction with network isolation provided by CNI's NetworkPolicy.*
+*Note:* 
+*<br />- The core of security defense lies in balancing risks and benefits, transforming uncontrollable risks into controllable costs by choosing different types of security boundaries and defense technologies.*
+*<br />- runc + vArmor does not provide an isolation level equivalent to that of hardware virtualization containers (such as Kata Containers and other lightweight virtual machines). If you require a high-intensity isolation solution, please consider using hardware virtualization containers for compute isolation, and utilize CNI's NetworkPolicy for network isolation.*
 
 **vArmor Features:**
 * Cloud-Native. vArmor follows the Kubernetes Operator design pattern, allowing users to harden specific workloads by manipulating the [CRD API](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). This approach enables sandboxing of containerized microservices from a perspective closely aligned with business needs.

docs/README.zh_cn.md → docs/README.zh_CN.md

@@ -13,9 +13,9 @@ vArmor 是一个云原生容器沙箱系统，它借助 Linux 的 [AppArmor LSM]
 * 当出现高危漏洞，但由于修复难度大、周期长等原因无法立即修复时，可以借助 vArmor 实施漏洞利用缓解（具体取决于漏洞类型或漏洞利用向量。缓解代表阻断利用向量、增加利用难度）。
 
 
-*Note:* 
+*注意：* 
 *<br />- 安全防御的核心在于平衡风险与收益，通过选择不同类型的安全边界和防御技术，将不可控风险转化为可控成本。*
-*<br />- runc + vArmor 不提供等同硬件虚拟化容器（如 Kata Container 等轻量级虚拟机）的隔离等级。如果您需要高强度的隔离方案，请优先考虑使用硬件虚拟化容器（如 Kata Container）进行计算隔离，并借助 CNI 的 NetworkPolicy 进行网络隔离。*
+*<br />- runc + vArmor 不提供等同硬件虚拟化容器（如 Kata Container 等轻量级虚拟机）的隔离等级。如果您需要高强度的隔离方案，请优先考虑使用硬件虚拟化容器进行计算隔离，并借助 CNI 的 NetworkPolicy 进行网络隔离。*
 
 **vArmor 的特点**
 * **Cloud-Native**. vArmor 遵循 Kubernetes Operator 设计模式，用户可通过操作 [CRD API](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) 对特定的 Workloads 进行加固。从而以更贴近业务的视角，实现对容器化微服务的沙箱加固。
@@ -57,7 +57,7 @@ vArmor 主要由 Manager 和 Agent 两个组件构成。Manager 用于响应和
 
 ### 关键术语
 #### 强制访问控制器
-vArmor 将 AppArmor, BPF, Seccomp 抽象为强制访问控制器（即 enforcer）。安全策略可以单独、组合使用它们来加固工作负载，例如：BPF、AppArmorBPF、AppArmorSeccomp、AppArmorBPFSeccomp 等。
+vArmor 将 AppArmor, BPF, Seccomp 抽象为强制访问控制器（即 Enforcer）。安全策略可以单独、组合使用它们来加固工作负载，例如：BPF、AppArmorBPF、AppArmorSeccomp、AppArmorBPFSeccomp 等。
 
 您可以在 [VarmorPolicy](getting_started/usage_instructions.md#varmorpolicy) 或 [VarmorClusterPolicy](getting_started/usage_instructions.md#varmorclusterpolicy) 对象的 `spec.policy.enforcer` 字段中设置要使用的强制访问控制器。
 

docs/getting_started/README.md

@@ -0,0 +1,6 @@
+English | [简体中文](README.zh_CN.md)
+
+* [Installation](installation.md)
+* [Usage Instructions](interface_specification.md)
+* [Metrics](metrics.md)
+* [Interface Specification](interface_specification.md)

docs/getting_started/README.zh_CN.md

@@ -0,0 +1,6 @@
+[English](README.md) | 简体中文
+
+* [安装指引](installation.zh_CN.md)
+* [使用说明](interface_specification.zh_CN.md)
+* [监控指标](metrics.zh_CN.md)
+* [接口说明](interface_specification.zh_CN.md)

docs/getting_started/installation.md

@@ -60,10 +60,10 @@ This is an experimental feature. Currently, only the AppArmor and Seccomp enforc
 #### Configure the search list of audit logs
 vArmor sequentially checks whether the audit logs exist and monitors the first valid file to consume AppArmor and Seccomp audit events for the violation auditing and behavioral modeling features. If you are using *auditd*, the audit events of AppArmor and Seccomp will be stored by default in `/var/log/audit/audit.log`. Otherwise they will be stored in `/var/log/kern.log`. 
 
-You can use the option to specify the audit logs or determine the search order yourself. Please use a vertical bar to separate file paths. Default: `/var/log/audit/audit.log\|/var/log/kern.log`.
+You can use the option to specify the audit logs or determine the search order yourself. Please use a vertical bar to separate file paths. Default: `/var/log/audit/audit.log|/var/log/kern.log`.
 
 ```bash
---set "agent.args={--auditLogPaths=FILE_PATH\|FILE_PATH}"
+--set "agent.args={--auditLogPaths=FILE_PATH|FILE_PATH}"
 ```
 
 #### Configure metrics

docs/getting_started/installation.zh_CN.md

@@ -3,7 +3,7 @@
 
 ## 前置条件
 
-不同 enforcers 所需要的前置条件如下表所示。
+不同 Enforcer 所需要的前置条件如下表所示。
 
 |强制访问控制器|要求|推荐|
 |------------|--------------------------------------------|--------|
@@ -50,7 +50,7 @@ helm install varmor varmor-0.5.11.tgz \
 ```
 
 #### 开启 BehaviorModeling 模式
-这是一个实验性质的功能。当前只有 AppArmor 和 Seccomp enforcer 支持 BehaviorModeling 模式。请参考  [BehaviorModeling Mode](../guides/policies_and_rules/policy_modes/behavior_modeling.md) 了解更多细节。默认值：关闭。
+这是一个实验性质的功能。当前只有 AppArmor 和 Seccomp enforcer 支持 BehaviorModeling 模式。请参考  [BehaviorModeling Mode](../guides/policies_and_rules/policy_modes/behavior_modeling.zh_CN.md) 了解更多细节。默认值：关闭。
 
 ```bash
 --set behaviorModeling.enabled=true
@@ -59,10 +59,10 @@ helm install varmor varmor-0.5.11.tgz \
 #### 配置审计日志的搜索列表
 vArmor 顺序检查对应的审计日志是否存在，并通过监控第一个有效的文件来获取 AppArmor 和 Seccomp 的审计事件，从而用于违规审计和行为建模功能。当您使用 *auditd* 时，AppArmor 和 Seccomp 的审计事件会默认保存在 `/var/log/audit/audit.log` 文件中。否则，他们通常会被保存在 `/var/log/kern.log` 文件中。
 
-你可以使用这个选项来配置审计日志、文件搜索顺序。请使用`|`来分割文件。默认值：`/var/log/audit/audit.log\|/var/log/kern.log`。
+你可以使用这个选项来配置审计日志、文件搜索顺序。请使用`|`来分割文件。默认值：`/var/log/audit/audit.log|/var/log/kern.log`。
 
 ```bash
---set "agent.args={--auditLogPaths=FILE_PATH\|FILE_PATH}"
+--set "agent.args={--auditLogPaths=FILE_PATH|FILE_PATH}"
 ```
 
 #### 配置监控指标

docs/getting_started/usage_instructions.md

@@ -10,7 +10,7 @@ vArmor supports performing a rolling restart of existing workloads that meet the
 The following constraints and usage requirements must also be observed:
 * Workloads must have the label **`sandbox.varmor.org/enable="true"`** to be processed by vArmor's webhook server during creation and updates. If they meet the matching conditions specified in a VarmorPolicy or VarmorClusterPolicy object's `spec.target`, vArmor will enable sandbox for them.
 * Once a VarmorPolicy or VarmorClusterPolicy object is created, its `spec.target` cannot be changed. Please create a new VarmorPolicy or VarmorClusterPolicy with the desired target to make changes.
-* After creating a VarmorPolicy or VarmorClusterPolicy object, you can dynamically switch the policy mode and update rules by updating `spec.policy`. However, switching from **BehaviorModeling mode** to other modes is not supported, and vice versa (Note: Switching policy mode and updating rules does not require triggering a rolling restart of workloads).
+* After creating a VarmorPolicy or VarmorClusterPolicy object, you can dynamically switch the policy mode and update rules by updating `spec.policy`. However, switching from **BehaviorModeling** mode to other modes is not supported, and vice versa (Note: Switching policy mode and updating rules does not require triggering a rolling restart of workloads).
 
 ## State Management
 
@@ -107,7 +107,7 @@ spec:
         - "/usr/bin/busybox"
 ```
 
-The policy enables sandbox with **EnhanceProtect mode** for deployments in the default namespace (with `sandbox.varmor.org/enable="true"` and `app=nginx` labels, and an `environment` label value of `dev` or `qa`).
+The policy enables sandbox with **EnhanceProtect** mode for deployments in the default namespace (with `sandbox.varmor.org/enable="true"` and `app=nginx` labels, and an `environment` label value of `dev` or `qa`).
 
 The built-in rules used are as follows:
 - Disable all privileged capabilities (those that can lead to escapes)

docs/guides/README.md

@@ -0,0 +1,6 @@
+English | [简体中文](README.zh_CN.md)
+
+* [Policies and Rules](policies_and_rules/README.md)
+* [Performance](performance/README.md)
+* [Policy Advisor](policy_advisor.md)
+* [Development](development.md)

docs/guides/README.zh_CN.md

@@ -0,0 +1,6 @@
+[English](README.md) | 简体中文
+
+* [策略与规则](policies_and_rules/README.zh_CN.md)
+* [性能说明](performance/README.zh_CN.md)
+* [策略顾问](policy_advisor.zh_CN.md)
+* [本地开发](development.zh_CN.md)

docs/guides/development.md

@@ -1,4 +1,7 @@
 # Development
+
+English | [简体中文](development.zh_CN.md)
+
 ### Step 1. Build the binary
 ```
 // You must rebuild everything if the CRDs or eBPF code were modified

docs/guides/development.zh_CN.md

@@ -0,0 +1,23 @@
+# 本地开发
+
+[English](development.md) | 简体中文
+
+### 步骤 1. 编译二进制
+```
+// You must rebuild everything if the CRDs or eBPF code were modified
+make build
+
+// Build the binary only when the Golang code has been modified
+make local
+```
+
+### 步骤 2. 安装所需的 CRD、资源等
+```
+./scripts/deploy_resources.sh test
+```
+
+### 步骤 3. 分别在本地运行 manager 和 agent
+```
+sudo ./bin/vArmor -kubeconfig=./varmor-manager.kubeconfig -v 3
+sudo ./bin/vArmor -agent -kubeconfig=./varmor-agent.kubeconfig -v 3
+```

docs/guides/performance/README.md

@@ -1,4 +1,5 @@
 # Performance
+
 English | [简体中文](README.zh_CN.md)
 
 ## Impact Factors

docs/guides/performance/README.zh_CN.md

@@ -1,4 +1,5 @@
-# 性能
+# 性能说明
+
 [English](README.md) | 简体中文
 
 ## 影响因素

docs/guides/policies_and_rules/README.md

@@ -0,0 +1,6 @@
+English | [简体中文](README.zh_CN.md)
+
+* [The Policy Modes](policy_modes/README.md)
+* [The Built-in Rules](built_in_rules.md)
+* [The Custom Rules](custom_rules.md)
+* [Writing Policies](writing_policies.md)

docs/guides/policies_and_rules/README.zh_CN.md

@@ -0,0 +1,6 @@
+English | [简体中文](README.zh_CN.md)
+
+* [策略模式](policy_modes/README.zh_CN.md)
+* [内置规则](built_in_rules.zh_CN.md)
+* [自定义规则](custom_rules.zh_CN.md)
+* [编写策略](writing_policies.zh_CN.md)

docs/guides/policies_and_rules/built_in_rules.md

@@ -1,7 +1,8 @@
 # The Built-in Rules
+
 English | [简体中文](built_in_rules.zh_CN.md)
 
-**vArmor** supports defining [VarmorPolicy](../../getting_started/usage_instructions.md#varmorpolicy) or [VarmorClusterPolicy](../../getting_started/usage_instructions.md#varmorclusterpolicy) objects using built-in rules in **EnhanceProtect mode**. The currently supported built-in rules and categories are shown in the following table. You can also try using the [policy advisor](../policy_advisor.md) to generate a policy template with built-in rules.
+**vArmor** supports defining [VarmorPolicy](../../getting_started/usage_instructions.md#varmorpolicy) or [VarmorClusterPolicy](../../getting_started/usage_instructions.md#varmorclusterpolicy) objects using built-in rules in **EnhanceProtect** mode. The currently supported built-in rules and categories are shown in the following table. You can also try using the [policy advisor](../policy_advisor.md) to generate a policy template with built-in rules.
 
 Note:<br />- The built-in rules supported by different enforcers are still under development.<br />- There are some limitations in the rules and syntax supported by different enforcers. For example, the AppArmor enforcer does not support fine-grained network access control, and BPF does not support access control for specified executables.<br />
 

docs/guides/policies_and_rules/built_in_rules.zh_CN.md

@@ -1,4 +1,5 @@
 # 内置规则
+
 [English](built_in_rules.md) | 简体中文
 
 **vArmor** 支持使用内置规则来定义 **EnhanceProtect** 模式的策略对象 [VarmorPolicy](../../getting_started/usage_instructions.zh_CN.md#varmorpolicy) or [VarmorClusterPolicy](../../getting_started/usage_instructions.zh_CN.md#varmorclusterpolicy)，当前支持的内置规则及其分类如下表所示。你可以尝试使用 [policy advisor](../policy_advisor.md) 来生成策略模版，从而帮助创建最终的防护策略。

docs/guides/policies_and_rules/custom_rules.md

@@ -1,7 +1,8 @@
 # The Custom Rules
+
 English | [简体中文](custom_rules.zh_CN.md)
 
-vArmor allows users to customize access control rules in [VarmorPolicy](../../getting_started/usage_instructions.md#varmorpolicy) or [VarmorClusterPolicy](../../getting_started/usage_instructions.md#varmorclusterpolicy) objects in **EnhanceProtect mode** based on the enforcer syntax.
+vArmor allows users to customize access control rules in [VarmorPolicy](../../getting_started/usage_instructions.md#varmorpolicy) or [VarmorClusterPolicy](../../getting_started/usage_instructions.md#varmorclusterpolicy) objects in **EnhanceProtect** mode based on the enforcer syntax.
 
 Note:<br />- The syntax supported by BPF enforcer is still under development.
 

docs/guides/policies_and_rules/custom_rules.zh_CN.md

@@ -1,4 +1,5 @@
 # 自定义规则
+
 [English](custom_rules.md) | 简体中文
 
 vArmor 支持用户基于 enforcer 的语法，在 EhanceProtect 模式的 [VarmorPolicy](../../getting_started/usage_instructions.zh_CN.md#varmorpolicy) 或 [VarmorClusterPolicy](../../getting_started/usage_instructions.zh_CN.md#varmorclusterpolicy) 对象中自定义访问控制规则。
@@ -9,13 +10,13 @@ vArmor 支持用户基于 enforcer 的语法，在 EhanceProtect 模式的 [Varm
 
 AppArmor enforcer 支持用户根据 AppArmor 的语法定制策略。
 
-请参见此[文档](https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html)在 [`.spec.policy.enhanceProtect.appArmorRawRules`](../../getting_started/interface_specification.zh_CN.md) 字段中设置自定义规则。请确保每条规则以 ',' 结尾。
+请参见此 [文档](https://manpages.ubuntu.com/manpages/jammy/man5/apparmor.d.5.html) 在 [`.spec.policy.enhanceProtect.appArmorRawRules`](../../getting_started/interface_specification.zh_CN.md) 字段中设置自定义规则。请确保每条规则以 ',' 结尾。
 
 ## Seccomp enforcer
 
 Seccomp enforcer 支持用户根据 OCI 规范的语法定制策略。
 
-请参见此[文档](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp)在 [`.spec.policy.enhanceProtect.syscallRawRules`](../../getting_started/interface_specification.zh_CN.md) 字段中设置自定义的系统调用规则。
+请参见此 [文档](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp) 在 [`.spec.policy.enhanceProtect.syscallRawRules`](../../getting_started/interface_specification.zh_CN.md) 字段中设置自定义的系统调用规则。
 
 ## BPF enforcer