KubeArmor: Policy enforcement failure due to rule conflicts

Let’s say that we have the following policies.

Policy A

process:
  matchPaths:
  - path: /bin/sleep
    fromSource:
    - path: /bin/bash
  action:
    Allow

Policy B

process:
  matchPaths:
  - path: /bin/bash
action:
  Allow

Those policies are converted into something like this.

...
/bin/bash cx,
profile /bin/bash {
  /bin/sleep ix,
}
/bin/bash ix,
...

This causes the policy enforcement failure because of the two /bin/bash lines.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 18 (14 by maintainers)
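
The conflict described in the issue can be caught before a generated profile is loaded. The following Go check is an added example, not KubeArmor's own code: it scans generated AppArmor rule text for a path that carries two different exec transition modes in the same scope, as the two /bin/bash lines do. The function name, the "(top)" scope label, and the simplified rule pattern are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the rules quoted in the issue; their outer scope is labelled "(top)".
const sampleProfile = `/bin/bash cx,
profile /bin/bash {
  /bin/sleep ix,
}
/bin/bash ix,`

// ruleRe captures path and exec mode of a simple file rule "<path> <perms>,".
var ruleRe = regexp.MustCompile(`^(/\S*)\s+[rwalkm]*([A-Za-z]*x)[rwalkm]*,$`)

// ConflictingExec (hypothetical helper) returns, keyed by "scope path", the
// set of exec modes for every path that has more than one mode in one scope.
func ConflictingExec(profile string) map[string]map[string]bool {
	scopes := []string{"(top)"}
	seen := map[string]map[string]bool{}
	for _, raw := range strings.Split(profile, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasSuffix(line, "{") { // child profile or hat opens
			scopes = append(scopes, strings.TrimSpace(strings.TrimSuffix(line, "{")))
		} else if line == "}" && len(scopes) > 1 {
			scopes = scopes[:len(scopes)-1]
		} else if m := ruleRe.FindStringSubmatch(line); m != nil {
			key := scopes[len(scopes)-1] + " " + m[1]
			if seen[key] == nil {
				seen[key] = map[string]bool{}
			}
			seen[key][m[2]] = true
		}
	}
	for key, modes := range seen {
		if len(modes) < 2 {
			delete(seen, key) // a single exec mode per path is consistent
		}
	}
	return seen
}

func main() {
	for key, modes := range ConflictingExec(sampleProfile) {
		fmt.Printf("conflicting exec modes for %s: %v\n", key, modes)
	}
}
```

The /bin/sleep rule is not reported because it lives in the child profile's scope; only the two outer /bin/bash rules collide.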

Most upvoted comments

@daemon1024 no problem 😃 just for checking.

@daemon1024 Yes, that was what I thought, but I’m wondering if there is no problem when we have such AppArmor rules. If you validate those AppArmor rules before starting the implementation, it would be helpful. Please check if there is no syntax and semantic error.

@daemon1024 I assigned this issue to you.