Add new built-in rules #33

Merged
merged 12 commits into from
Feb 26, 2024
24 changes: 9 additions & 15 deletions .github/workflows/ci-alpha-build.yml
Expand Up @@ -40,32 +40,26 @@ jobs:
with:
platforms: linux/amd64,linux/arm64/v8

- name: Set up llvm and apparmor
run: ./.github/scripts/toolchain.sh
- name: Run build
run: make docker-build-dev

- name: Package helm chart
run: make helm-package-dev

- name: Login to registry
run: echo "${{ secrets.PUSH_PASSWORD }}" | docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-ap-southeast-1.cr.volces.com --password-stdin

- name: Push artifacts to registry
run: make push-dev

- name: Upload Helm Chart as Artifact
uses: actions/upload-artifact@v2
with:
name: helm-chart
path: varmor-*.tgz

- name: Run build
run: make docker-build-dev

- name: Login to Docker Hub
run: echo "${{ secrets.PUSH_PASSWORD }}"|docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-ap-southeast-1.cr.volces.com --password-stdin


- name: Push image to registry
run: make push-dev

- id: SetVersion
run: echo "version=$(git describe --tags --match "v[0-9]*"| sed 's/^v//')">> "$GITHUB_OUTPUT"


run: echo "version=$(git describe --tags --match "v[0-9]*" | sed 's/^v//')">> "$GITHUB_OUTPUT"

deploy-and-basic-test:
needs: build
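Review bot: The new `Login to registry` step leaves the registry credential cached in the runner's Docker config for the rest of the job, and none of the following steps clears it once `make push-dev` has finished. On a GitHub-hosted runner the VM is discarded afterwards, but if this workflow is ever moved to a self-hosted runner the token outlives the job; a final `- name: Logout from registry`, `if: always()`, `run: docker logout elkeid-ap-southeast-1.cr.volces.com` closes that window cheaply. The registry hostname is also now hard-coded both here and in the Makefile's `REGISTRY_DEV` default, so an environment override of `REGISTRY_DEV` would send `make push-dev` to a registry this job never logged in to — a one-line comment on the login step naming that coupling would help the next editor. The rest of the job (checkout and buildx setup above, `deploy-and-basic-test` below) lies outside the hunk.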
11 changes: 4 additions & 7 deletions .github/workflows/ci-release-build.yml
Expand Up @@ -29,17 +29,14 @@ jobs:
with:
platforms: linux/amd64,linux/arm64/v8

- name: Set up llvm and apparmor
run: ./.github/scripts/toolchain.sh

- name: Run build
run: make docker-build

- name: Login to Docker Hub
run: echo "${{ secrets.RELEASE_PASSWORD }}"||docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-cn-beijing.cr.volces.com --password-stdin

- name: Package helm chart
run: make helm-package

- name: Push image to registry
- name: Login to registry
run: echo "${{ secrets.RELEASE_PASSWORD }}"||docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-ap-southeast-1.cr.volces.com --password-stdin

- name: Push artifacts to registry
run: make push
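Review bot: The login command on the new `Login to registry` line still joins `echo` and `docker login` with `||` instead of `|`, so `docker login` only runs if `echo` fails, which it never does; the password goes to the step's stdout (Actions masks registered secrets in the log, but the value is still written) rather than to `--password-stdin`, and the following `make push` runs with whatever credentials happen to be on the runner. The same defect was on the removed `Login to Docker Hub` line, so the rename carried it across. The fix is a single pipe, `echo "${{ secrets.RELEASE_PASSWORD }}" | docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-ap-southeast-1.cr.volces.com --password-stdin`, matching the form used in ci-alpha-build.yml. Separately, the user comes from `PUSH_USERNAME` while the password is `RELEASE_PASSWORD`; if that is one credential pair with two names it deserves a comment, and if it is intentional it is fine. The job's earlier steps are outside the hunk.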
42 changes: 4 additions & 38 deletions Makefile
Expand Up @@ -3,13 +3,11 @@ GIT_VERSION := $(shell git describe --tags --match "v[0-9]*")
VARMOR_PATH := cmd/varmor
CLASSIFIER_PATH := cmd/classifier

REGISTRY ?= elkeid-cn-beijing.cr.volces.com
REGISTRY_AP ?= elkeid-ap-southeast-1.cr.volces.com
REGISTRY_DEV ?= elkeid-ap-southeast-1.cr.volces.com

NAMESPACE ?= varmor
NAMESPACE_DEV ?= varmor-test
REPO = $(REGISTRY)/$(NAMESPACE)
REPO_AP = $(REGISTRY_AP)/$(NAMESPACE)
REPO_DEV = $(REGISTRY_DEV)/$(NAMESPACE_DEV)

Expand All @@ -20,10 +18,8 @@ CLASSIFIER_IMAGE_NAME := classifier
CLASSIFIER_IMAGE_TAG := $(VARMOR_IMAGE_TAG)
CLASSIFIER_IMAGE_TAG_DEV := $(VARMOR_IMAGE_TAG_DEV)

VARMOR_IMAGE ?= $(REPO)/$(VARMOR_IMAGE_NAME):$(VARMOR_IMAGE_TAG)
VARMOR_IMAGE_AP ?= $(REPO_AP)/$(VARMOR_IMAGE_NAME):$(VARMOR_IMAGE_TAG)
VARMOR_IMAGE_DEV ?= $(REPO_DEV)/$(VARMOR_IMAGE_NAME):$(VARMOR_IMAGE_TAG_DEV)
CLASSIFIER_IMAGE ?= $(REPO)/$(CLASSIFIER_IMAGE_NAME):$(CLASSIFIER_IMAGE_TAG)
CLASSIFIER_IMAGE_AP ?= $(REPO_AP)/$(CLASSIFIER_IMAGE_NAME):$(CLASSIFIER_IMAGE_TAG)
CLASSIFIER_IMAGE_DEV ?= $(REPO_DEV)/$(CLASSIFIER_IMAGE_NAME):$(CLASSIFIER_IMAGE_TAG_DEV)

Expand Down Expand Up @@ -178,19 +174,19 @@ docker-build-dev: docker-build-varmor-amd64-dev docker-build-varmor-arm64-dev do

docker-build-varmor-amd64:
@echo "[+] Build varmor-amd64 image for release version"
@docker buildx build --file $(PWD)/$(VARMOR_PATH)/Dockerfile --tag $(VARMOR_IMAGE)-amd64 --platform linux/amd64 --build-arg TARGETPLATFORM="linux/amd64" --build-arg MAKECHECK="check" --load .
@docker buildx build --file $(PWD)/$(VARMOR_PATH)/Dockerfile --tag $(VARMOR_IMAGE_AP)-amd64 --platform linux/amd64 --build-arg TARGETPLATFORM="linux/amd64" --build-arg MAKECHECK="check" --load .

docker-build-varmor-arm64:
@echo "[+] Build varmor-arm64 image for the release version"
@docker buildx build --file $(PWD)/$(VARMOR_PATH)/Dockerfile --tag $(VARMOR_IMAGE)-arm64 --platform linux/arm64 --build-arg TARGETPLATFORM="linux/arm64" --build-arg MAKECHECK="check" --load .
@docker buildx build --file $(PWD)/$(VARMOR_PATH)/Dockerfile --tag $(VARMOR_IMAGE_AP)-arm64 --platform linux/arm64 --build-arg TARGETPLATFORM="linux/arm64" --build-arg MAKECHECK="check" --load .

docker-build-classifier-amd64:
@echo "[+] Build classifier-amd64 image for the release version"
@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE)-amd64 --platform linux/amd64 --load .
@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE_AP)-amd64 --platform linux/amd64 --load .

docker-build-classifier-arm64:
@echo "[+] Build classifier-arm64 image for the release version"
@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE)-arm64 --platform linux/arm64 --load .
@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE_AP)-arm64 --platform linux/arm64 --load .

docker-build-varmor-amd64-dev:
@echo "[+] Build varmor-amd64 image for the development version"
Expand Down Expand Up @@ -249,20 +245,6 @@ push-dev: ## Push images and chart to the private repository for development.


push: ## Push images and chart to the public repository for release.
docker push $(VARMOR_IMAGE)-amd64
@echo "----------------------------------------"
docker push $(VARMOR_IMAGE)-arm64
@echo "----------------------------------------"
-docker manifest rm $(VARMOR_IMAGE)
@echo "----------------------------------------"
docker manifest create $(VARMOR_IMAGE) $(VARMOR_IMAGE)-amd64 $(VARMOR_IMAGE)-arm64
@echo "----------------------------------------"
docker manifest push $(VARMOR_IMAGE)
@echo "----------------------------------------"
docker tag $(VARMOR_IMAGE)-amd64 $(VARMOR_IMAGE_AP)-amd64
@echo "----------------------------------------"
docker tag $(VARMOR_IMAGE)-arm64 $(VARMOR_IMAGE_AP)-arm64
@echo "----------------------------------------"
docker push $(VARMOR_IMAGE_AP)-amd64
@echo "----------------------------------------"
docker push $(VARMOR_IMAGE_AP)-arm64
Expand All @@ -273,20 +255,6 @@ push: ## Push images and chart to the public repository for release.
@echo "----------------------------------------"
docker manifest push $(VARMOR_IMAGE_AP)
@echo "----------------------------------------"
docker push $(CLASSIFIER_IMAGE)-amd64
@echo "----------------------------------------"
docker push $(CLASSIFIER_IMAGE)-arm64
@echo "----------------------------------------"
-docker manifest rm $(CLASSIFIER_IMAGE)
@echo "----------------------------------------"
docker manifest create $(CLASSIFIER_IMAGE) $(CLASSIFIER_IMAGE)-amd64 $(CLASSIFIER_IMAGE)-arm64
@echo "----------------------------------------"
docker manifest push $(CLASSIFIER_IMAGE)
@echo "----------------------------------------"
docker tag $(CLASSIFIER_IMAGE)-amd64 $(CLASSIFIER_IMAGE_AP)-amd64
@echo "----------------------------------------"
docker tag $(CLASSIFIER_IMAGE)-arm64 $(CLASSIFIER_IMAGE_AP)-arm64
@echo "----------------------------------------"
docker push $(CLASSIFIER_IMAGE_AP)-amd64
@echo "----------------------------------------"
docker push $(CLASSIFIER_IMAGE_AP)-arm64
Expand All @@ -297,6 +265,4 @@ push: ## Push images and chart to the public repository for release.
@echo "----------------------------------------"
docker manifest push $(CLASSIFIER_IMAGE_AP)
@echo "----------------------------------------"
helm push varmor-$(CHART_VERSION).tgz oci://$(REPO)
@echo "----------------------------------------"
helm push varmor-$(CHART_VERSION).tgz oci://$(REPO_AP)
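Review bot: The `push` target now publishes the release images and the chart to the public registry with no signature or provenance attached, so consumers of `elkeid-ap-southeast-1.cr.volces.com/varmor` have nothing to verify beyond a mutable tag; `docker manifest push $(VARMOR_IMAGE_AP)` prints the manifest digest on success, and capturing it for a signing step (e.g. cosign bound to the CI identity) or at least recording it alongside the release would close that gap. That is a recommendation rather than a defect this PR introduces. On style, with `REGISTRY`, `REPO`, `VARMOR_IMAGE` and `CLASSIFIER_IMAGE` removed, the `_AP` suffix on the surviving `REGISTRY_AP`, `REPO_AP`, `VARMOR_IMAGE_AP` and `CLASSIFIER_IMAGE_AP` no longer distinguishes anything; a comment such as `# _AP: the ap-southeast-1 registry is now the only release registry` on the `REGISTRY_AP ?=` line, or a rename in a follow-up, would stop the next reader from hunting for the missing non-AP variant. The `push` recipe starts at `push: ## Push images and chart…` but is shown in three hunks with collapsed stretches between them, and the `docker-build-*-dev` targets run past the hunk.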
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -52,15 +52,15 @@ For more information, please refer to [Policy Modes and Built-in Rules](docs/bui

### Step 1. Fetch chart
```
helm pull oci://elkeid-cn-beijing.cr.volces.com/varmor/varmor --version 0.5.6-rc
helm pull oci://elkeid-ap-southeast-1.cr.volces.com/varmor/varmor --version 0.5.6-rc
```

### Step 2. Install
*You can use the domain `elkeid-ap-southeast-1.cr.volces.com` outside of the CN region.*
*You can use the domain `elkeid-cn-beijing.cr.volces.com` inside of the CN region.*
```
helm install varmor varmor-0.5.6-rc.tgz \
--namespace varmor --create-namespace \
--set image.registry="elkeid-cn-beijing.cr.volces.com"
--set image.registry="elkeid-ap-southeast-1.cr.volces.com"
```

### Step 3. Try with this example
Expand Down Expand Up @@ -122,7 +122,7 @@ vArmor references part of the code of [kyverno](https://github.com/kyverno/kyver

## Demo
Below is a demonstration of using vArmor to harden a Deployment and defend against CVE-2021-22555. (The exploit is modified from [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555))<br>
![image](test/demo/kernel-exp/CVE-2021-22555/demo.gif)
![image](test/demo/vulnerability-mitigation/CVE-2021-22555/demo.gif)


## 404Starlink
5 changes: 3 additions & 2 deletions README.zh_CN.md
Expand Up @@ -6,7 +6,7 @@

**vArmor** 是一个云原生容器沙箱系统,它借助 Linux 的 [AppArmor LSM](https://en.wikipedia.org/wiki/AppArmor), [BPF LSM](https://docs.kernel.org/bpf/prog_lsm.html) 和 [Seccomp](https://en.wikipedia.org/wiki/Seccomp) 技术实现强制访问控制器(即 enforcer),从而对容器进行安全加固。它可以用于增强容器隔离性、减少内核攻击面、增加容器逃逸或横行移动攻击的难度与成本。

你可以借助 vArmor 在以下场景对 Kubernetes 集群中的容器进行沙箱防护
您可以借助 vArmor 在以下场景对 Kubernetes 集群中的容器进行沙箱防护
* 业务场景存在多租户(多租户共享同一个集群),由于成本、技术条件等原因无法使用硬件虚拟化容器(如 Kata Container)
* 需要对关键的业务进行安全加固,增加攻击者权限提升、容器逃逸、横向渗透的难度与成本
* 当出现高危漏洞,但由于修复难度大、周期长等原因无法立即修复时,可以借助 vArmor 实施漏洞利用缓解(具体取决于漏洞类型或漏洞利用向量。缓解代表阻断利用向量、增加利用难度)
Expand Down Expand Up @@ -54,6 +54,7 @@ helm pull oci://elkeid-cn-beijing.cr.volces.com/varmor/varmor --version 0.5.6-rc
```

### Step 2. 安装
*您可以在非中国地区使用 elkeid-ap-southeast-1.cr.volces.com 域名*
```
helm install varmor varmor-0.5.6-rc.tgz \
--namespace varmor --create-namespace \
Expand Down Expand Up @@ -118,7 +119,7 @@ vArmor 在研发初期参考了 [Nirmata](https://nirmata.com/) 开发的 [kyver

## 演示
下面是一个使用 vArmor 对 Deployment 进行加固,防御 CVE-2021-22555 攻击的演示(Exploit 修改自 [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555))。<br>
![image](test/demo/kernel-exp/CVE-2021-22555/demo.zh_CN.gif)
![image](test/demo/vulnerability-mitigation/CVE-2021-22555/demo.zh_CN.gif)


## 404星链计划
2 changes: 1 addition & 1 deletion cmd/varmor/Dockerfile
Expand Up @@ -6,7 +6,7 @@ LABEL maintainer="[email protected]"
ARG MAKECHECK

RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y git python3-pip python3-dev swig bison flex dejagnu pyflakes3 autoconf libtool zlib1g-dev gettext gperf
RUN apt-get install -y git python3-pip python3-dev swig bison flex dejagnu pyflakes3 autoconf libtool zlib1g-dev gettext gperf autoconf-archive
RUN pip3 install notify2 psutil python-config

RUN git clone https://gitlab.com/apparmor/apparmor.git
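Review bot: `RUN git clone https://gitlab.com/apparmor/apparmor.git`, two lines below the changed `apt-get install` line, still clones upstream HEAD with no tag or commit pin, so every release build compiles whatever AppArmor happens to be at the tip of its default branch; the newly added `autoconf-archive` package looks like it is chasing exactly that kind of drift. Pin the source, e.g. `RUN git clone --depth 1 --branch <apparmor release tag> https://gitlab.com/apparmor/apparmor.git` followed by a check that `git -C apparmor rev-parse HEAD` equals a checked-in `ARG APPARMOR_COMMIT`, so the image is reproducible and a broken or compromised upstream tip cannot land in a release unnoticed. `RUN pip3 install notify2 psutil python-config` is unpinned for the same reason. The build stage continues past the hunk.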