

apparmor: fix /proc/@{pid} replacement
The previous implementation failed with `/proc/self`
mhils authored and k8s-ci-robot committed May 14, 2024
1 parent 4098a79 commit 40e8c0b
Showing 1 changed file with 5 additions and 6 deletions.
11 changes: 5 additions & 6 deletions internal/pkg/daemon/bpfrecorder/bpfrecorder.go
Expand Up @@ -27,6 +27,7 @@ import (
"fmt"
"os"
"path/filepath"
"regexp"
"runtime"
"sort"
"strconv"
Expand Down Expand Up @@ -950,17 +951,15 @@ func (b *BpfRecorder) isKnownFile(path string, knownPrefixes []string) bool {
return false
}

var pathWithPid *regexp.Regexp = regexp.MustCompile(`^/proc/\d+/`)

func (b *BpfRecorder) processExecFsEvents() BpfAppArmorFileProcessed {
var processedEvents BpfAppArmorFileProcessed

processedEvents.AllowedExecutables = append(processedEvents.AllowedExecutables, b.recordedExecs...)
for _, currentFile := range b.recordedFiles {
var currentFilename string
if strings.HasPrefix(currentFile.Filename, "/proc/") {
currentFilename = strings.Replace(currentFile.Filename, "/proc/", "/proc/@{pid}/", 1)
} else {
currentFilename = filepath.Clean(currentFile.Filename)
}
currentFilename := filepath.Clean(currentFile.Filename)
currentFilename = pathWithPid.ReplaceAllString(currentFilename, "/proc/@{pid}/")
// loaded library
if currentFile.GotExec && !b.isKnownFile(currentFile.Filename, knownLibrariesPrefixes) {
processedEvents.AllowedLibraries = append(processedEvents.AllowedLibraries, currentFilename)
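Review bot: The new `pathWithPid` pattern `^/proc/\d+/` only matches when a slash follows the pid, so a recorded access to the pid directory itself (`/proc/1234` with no trailing component, which `filepath.Clean` on the line above would produce) is emitted with a concrete pid instead of `@{pid}`; `var pathWithPid = regexp.MustCompile(`^/proc/\d+(/|$)`)` together with `currentFilename = pathWithPid.ReplaceAllString(currentFilename, "/proc/@{pid}$1")` covers both forms. Note also that `/proc/self/...` and `/proc/thread-self/...` now pass through unchanged rather than being mangled as before; if the recorder can see such paths, whether they should be left as-is or also generalised depends on how the generated profile is matched at enforcement time and is worth confirming. The package-level variable has no doc comment; `// pathWithPid matches a path under a specific process's /proc directory so it can be generalised to /proc/@{pid} in the generated profile.` would do. The explicit `*regexp.Regexp` type on the `var` is redundant given the `MustCompile` initialiser. The body of processExecFsEvents continues past the end of the hunk.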

