WIP falco: when leastPrivileged is true, set the apparmor profile to …
What type of PR is this?
/kind bug /kind chart-release
What this PR does / why we need it:
It appears that when setting leastPrivileged: true, apparmor does not allow falco to ptrace, which appears to leave the container fields null.
Oct 24 09:52:57 hostname kernel: audit: type=1400 audit(1729785177.339:404624): apparmor="DENIED" operation="ptrace" profile="cri-containerd.apparmor.d" pid=2389102 comm="falco" requested_mask="read" denied_mask="read" peer="unconfined"
If leastPrivileged: true, set the apparmor profile to unconfined.
@leogr This is just a request for comments, as I'm not sure if this is the best way to solve the issue.
Which issue(s) this PR fixes: falcosecurity/falco#3345
Checklist
- [ ] Chart Version bumped
- [ ] Variables are documented in the README.md
- [ ] CHANGELOG.md updated
Welcome @doublez13! It looks like this is your first PR to falcosecurity/charts 🎉
This is just a request for comments, as I'm not sure if this is the best way to solve the issue. Or perhaps there should be an optional field in the helm file that allows specifying an apparmor profile (custom or unconfined.)
Hey @doublez13
Thank you for this. I haven't dug into it, but it seems to be the correct approach. I'll do some tests. cc @falcosecurity/charts-maintainers
@doublez13
also, can you bump the chart version? so the test will run :pray:
Hey @doublez13
I'm ok with this fix, so we can go ahead.
To merge this PR, we just need to:
- rebase
- bump the version again
- run `make falco-docs` (and commit changes)
- remove `WIP` from PR's title.
Let me know if you can do that; otherwise, I will do it for you.
Thank you
I'm away from my computer for awhile (just phone). You're welcome to rebase and merge, or I can do it later.
I'm rebasing right now.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: doublez13, leogr
LGTM label has been added.