Adding first iteration on AppArmor profile generation to the recorder

[0xmilkmix]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This is a PR adding features for AppArmor profiles generation to the recorder:

• Modifications to the eBPF recorder to trace executions, file operations, sockets operations and capabilities
• Modifications to the AppArmor CRD to add an abstract representation, allowing to generate simpler profiles (like Bane
• Modifications to the spoc CLI to generate AppArmor profiles (CRD and raw) from the command line

This PR does not include the integration with the recorder controller for now. I wanted to first discussed the idea and first iteration with you. Would it be possible to have collaborations so that the code from this PR could then be integrated by you in the controller for in-cluster recording?

Also, note that using open/openat tracing has some limitations. Namely, symlinks will not be resolved and this could lead to misconfigured AppArmor profiles. A LSM hook such as security_open would be beneficial here.

Other known limitations in the submitted version:

• No support for recording sub-processes
• Sometime the recorded process could end and events would still be in the ring buffer, generating an incomplete profile
  • fixed

Does this PR have test?

N/A

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Yes

The `spoc` cli tool now features `apparmor` and `raw-apparmor` types to generate CRDs and raw apparmor profiles.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: 0xmilkmix / name: Julien Bachmann (5cd3fad, 1733a85, 075c6af, f0167b8, 85c50e9, fff88bd, d71fdea, 8e39dc6, 3250b2e, cf00834, 1342302, 4ae7468, e7e46c3, acf40ce, 3e26cbd, e228595, 57a7df6, d2b9938, 58b9313, 85d5b39, 033f33b, e65414f, 37160bb)
• ✅ login: saschagrunert / name: Sascha Grunert (66fac10)
• ✅ login: ccojocar / name: Cosmin Cojocar (b19d87e, 14bca86, c18fa0c, 5744f83, f21a10d, d0eee69, 5d188ff)

[k8s-ci-robot]

Welcome @0xmilkmix!

It looks like this is your first PR to kubernetes-sigs/security-profiles-operator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/security-profiles-operator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @0xmilkmix. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codecov-commenter]

Codecov Report

Merging #1917 (5744f83) into main (3f0a531) will decrease coverage by 2.11%.
Report is 1 commits behind head on main.
The diff coverage is 4.07%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1917      +/-   ##
==========================================
- Coverage   47.32%   45.21%   -2.11%     
==========================================
  Files          77       79       +2     
  Lines        7352     7714     +362     
==========================================
+ Hits         3479     3488       +9     
- Misses       3742     4090     +348     
- Partials      131      136       +5     

[ccojocar]

@0xmilkmix Great work! I left a few comments.

I think we can improve a bit the code by reducing the duplication in the recorder.bpf.c. Also in the bpfrecorder.go, I would use an interface to extract the parts for each recorder type instead of using an if recordingMode everywhere. This would make the code a bit more clearer.

[ccojocar]

nit: why this max number?

[ccojocar]

It would be helpful to add some integration tests similar with this one https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/test/tc_bpf_recorder_test.go. In this way, we can have some validation.

[ccojocar]

I think you need to run make update-bpf to update the bytecode. Also you can verify that everything is fine afterwards with make verify-bpf.

[saschagrunert]

@0xmilkmix may I ask you to rebase please?

[0xmilkmix]

Thanks for the feedback. I'll try to work on them this week or next one.

Best regards

[ccojocar]

Thanks for addressing the review comments.

[ccojocar]

@0xmilkmix I think there are some lint warnings which need to be fixed.

[0xmilkmix]

I think you need to run make update-bpf to update the bytecode. Also you can verify that everything is fine afterwards with make verify-bpf.

Should be ok now, thanks.

[ccojocar]

/lgtm