Recent Releases of https://github.com/bytedance/varmor

https://github.com/bytedance/varmor - v0.8.2

Features

  • Mode switching enhancement: allow conversion between any two modes. (#238)
  • Update the Seccomp profile to AlwaysAllow after behavior modeling completes (#240)
  • Add ArmorProfileModel Import API (#242)
  • Add Persistent Volume Support for LocalDisk ArmorProfileModel Data (#243)

Refactors

  • Refactor webhook config generation for modularity and reduced redundancy (#241)
  • Improve Audit Event Filtering Accuracy with Profile Names and Mount Namespace IDs (#245)

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.8.1...v0.8.2

- Go
Published by Danny-Wei 10 months ago

https://github.com/bytedance/varmor - v0.8.1

Features

  • Added the block-access-to-container-runtime built-in rule
  • Injected the accountID, region, clusterID, etc. fields into the component logs if they are configured with the auditEventMetadata values
  • Injected the namespace where the vArmor is deployed into the violation logs
  • Added container image to the violation logs

Refactors

  • Patched leader pod with pod name
  • Passed service ports through environment variables
  • Made the state feedback logic of the agent clearer

Fixes

  • Ensured that integers in the auditEventMetadata values can be output to the logs

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.8.0...v0.8.1

- Go
Published by Danny-Wei 10 months ago

https://github.com/bytedance/varmor - v0.8.0

vArmor v0.8.0 has been released. For a comprehensive overview of the new features, refer to our blog.

Added

  • Added a self-hosted runner and e2e test cases for the BPF enforcer (#205)
  • Supported defining multiple ports and port ranges for network egress rules (#202)
  • Added PodServiceEgressControl feature for restricting access to pods and services (#206, #216, #217, #221)
  • Added a pod-self entity to restrict containers from accessing the IP of the Pod they are located in (#207)
  • Added an unspecified entity to restrict containers from accessing the unspecified addresses 0.0.0.0 and :: (#208)
  • Added a localhost entity to restrict containers from accessing the loopback address (#209)
  • Enhanced DefenseInDepth mode with flexible profile sources and observation support (#210)
  • Extracted profile name from the Pod annotation and added it to the violation event for improved log traceability (#210)
  • Supported injecting metadata into the violation event (#214)
  • Supported BPF enforcer removal from existing policies (#213)
  • Added the block-access-to-kube-apiserver built-in rule (#222)
  • Added the ingress-nightmare-mitigation built-in rule (#222)

Changed

  • Saved AppArmor and Seccomp profiles as plain text into the CR object (#201)
  • Enhanced concurrency safety for status synchronization (#201)
  • Extracted common fields from CRD definitions into a common file (#210)
  • Upgraded libseccomp-golang to v0.11.0 (#210)
  • Improved error handling in ArmorProfile processing to collect all profile errors (#212)
  • Set default qps and burst values for Kubernetes client (#218)
  • Increased the value of MaxTargetContainerCountForBpfLsm from 100 to 110 (#207)

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.7.1...v0.8.0

- Go
Published by Danny-Wei 11 months ago

https://github.com/bytedance/varmor - release v0.8.0-beta.1

- Go
Published by Danny-Wei 12 months ago

https://github.com/bytedance/varmor - release v0.8.0-alpha2

- Go
Published by Danny-Wei 12 months ago

https://github.com/bytedance/varmor - release v0.8.0-alpha1

- Go
Published by Danny-Wei about 1 year ago

https://github.com/bytedance/varmor - release v0.6.4

What's Changed

  • Fixed incorrect interception of legitimate setsockopt calls in the disallow-load-bpf-via-setsockopt rule (#199)

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.6.3...v0.6.4

- Go
Published by Danny-Wei about 1 year ago

https://github.com/bytedance/varmor - release v0.7.1

What's Changed

  • Fixed the path matching issue in the procfs to ensure correct FD matching.
  • Fixed incorrect interception of legitimate setsockopt calls in the disallow-load-bpf-via-setsockopt rule (#199)

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.7.0...v0.7.1

- Go
Published by Danny-Wei about 1 year ago

https://github.com/bytedance/varmor - release v0.7.0

What's Changed

Added

  • Added an AllowViolations field to the VarmorPolicy and VarmorClusterPolicy CRD.
  • Supported the observation mode for AppArmor, BPF and Seccomp enforcers.
  • Logged the violation events that are not blocked into the violations.log file at debug level.
  • Added a StorageType field to the ArmorProfileModel CRD.
  • Added a STORAGE-TYPE field to the additional printer columns of the ArmorProfileModel resources to provide more detailed information when viewing the resources via the kubectl command-line tool.
  • Mounted an emptyDir data volume to the agent and the manager when the behavior modeling feature is enabled.
  • Manager saves the behavior data and profiles into a local file within the data volume when the ArmorProfileModel object exceeds the limit.
  • Agent caches the audit data in the data volume during modeling.
  • Supported exporting the complete ArmorProfileModel object from the interface of the manager.
  • All interfaces of the manager are exposed at the /apis path.
  • Added a --logFormat command-line option and allowed outputting logs in JSON format.
  • Modified the AppArmorRawRules structure of the VarmorPolicy and VarmorClusterPolicy CRD to support setting custom rules for specific executable files.
  • Forced agents to update profiles whose status did not meet the expected criteria periodically.
  • Loaded the profiles from the local file if the StorageType field of ArmorProfileModel object is LocalDisk when the policy is running in DefenseInDepth mode.
  • Added a --set jsonLogFormat.enabled=true option for switching log format to JSON.

Fixed

  • Agent exposed the readinessProbe on port 6080 by default if it was not in a container.
  • Accessed the classifier through the varmor-classifier-svc service when the agent was running in a container.
  • Increased the wait time for timeout retry.
  • Switched log level from 3 to 2 for tracing.

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.6.3...v0.7.0

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.7.0-alpha2

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.7.0-alpha1

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.7.0-beta3

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.6.3

What's Changed

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.6.2...v0.6.3

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.7.0-beta2

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.7.0-beta1

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.6.2

What's Changed

  • Added a child process's mount namespace ID to the monitor list when it runs in a new mount namespace during behavior modeling.
  • Returned immediately when the behavior data is too large.
  • Added a debug flag to control whether to generate the debug files for behavior modeling.
  • Added the disallow-load-all-bpf-prog rule for Seccomp enforcer to prohibit loading any types of eBPF programs.
  • Fixed: Create the varmor-classifier-svc service in the namespace where vArmor is installed.

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.6.1...v0.6.2

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.6.1

What's Changed

  • fixed: Always render the agent environment variables
  • Upgrade the net package to fix CVE-2024-45338

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.6.0...v0.6.1

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.6.0

What's Changed

  • feat: Adapt AppArmor enforcer for K8s v1.30 and above
  • feat: Add monitoring metrics and support integration with Prometheus and Grafana
  • feat: Support violation auditing feature for BPF enforcer
  • feat: Enrich the violation audit logs of the BPF enforcer to include container and pod information
  • feat: Integrate the violation auditing features of AppArmor and BPF enforcer
  • feat: Unify the audit event format of AppArmor and BPF enforcers, and save the audit events into /var/log/varmor/violations.log
  • feat: Support enforcing access control on socket creation for BPF enforcer.
  • feat: Support wildcard for all bpf permissions and flags.
  • feat: Add new networking built-in rules for BPF and AppArmor enforcer
  • feat: Run agent in an unprivileged container
  • feat: Allow running the agent in host's network namespace
  • refactor: Abstract the processtracer and auditor modules to collect events for behavior modeling and violation auditing features
  • refactor: Refactor behavior modeling and violation auditing features, no longer dependent on syslog or auditd, and no manual configuration required.
  • refactor: Change fields in CRD from objects to pointers
  • refactor: Integrate the logic of updating policy objects
  • Auto adjust GOMAXPROCS for container limit
  • Pass node name and readiness port to agent via environment variable
  • Standardize the name of UserAgent
  • Added version flag
  • Added helm configuration options for new features
  • fixed: Remove the finalizers of zombie ArmorProfile object
  • fixed: Always retry for object updates if a conflict occurs
  • fixed: The child profile should inherit rules from parent without attack protection rules
  • fixed: Output error information when the agent service start fails
  • docs: Further improve the repo documentation
  • website: Official website launched (https://varmor.org)

New Contributors

  • @eltociear made their first contribution in https://github.com/bytedance/vArmor/pull/104

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.5.11...v0.6.0

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.6.0-rc1

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.6.0-alpha1

- Go
Published by Danny-Wei over 1 year ago

https://github.com/bytedance/varmor - release v0.5.11

What's Changed

  • Retry removal of ArmorProfile's finalizers upon conflict
  • Gin logger now logs only unsuccessful requests
  • Fixed: Load BPF profile when container starts
  • Fixed: Return an error when the service responds with unauthorized

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.5.10...v0.5.11

- Go
Published by Danny-Wei almost 2 years ago

https://github.com/bytedance/varmor - release v0.5.10

What's Changed

  • Fixed: Correct typo in capability denial by @Danny-Wei in https://github.com/bytedance/vArmor/pull/95

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.5.9...v0.5.10

- Go
Published by Danny-Wei almost 2 years ago

https://github.com/bytedance/varmor - release v0.5.9

What's Changed

  • Added a disable-chmod-s-bit built-in rule for Seccomp enforcer.
  • Refactored the Seccomp enforcer and merged rules wherever possible.
  • Added AlwaysAllow and RuntimeDefault mode for Seccomp enforcer.
  • Synchronized the upstream rules from containerd into the AppArmor profile templates.
  • Merge the same child profiles for the AppArmor enforcer.
  • Introduced a violations audit feature to the AppArmor enforcer.
  • Support modifying existing policies and dynamically adding enforcers.
  • Optimized the status of VarmorClusterPolicy/VarmorPolicy CR to display more error information.
  • Added ownerReference and finalizers to the ArmorProfile CR to prevent unintended deletion.
  • The Policy Advisor can now generate policy templates with behavior model data.
  • Updated docs.
  • Fixed: CI workflow login now uses docker/login-action
  • Fixed: Ignore the privileged option of enhanceProtect for Seccomp enforcer.
  • Fixed: Ensure the cleanup logic of CR is properly executed.
  • Fixed: Update chart template to generate fixed full name for the k8s resources.
  • Fixed: Update ArmorProfileModel CR when modeling is completed.

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.5.8...v0.5.9

- Go
Published by Danny-Wei almost 2 years ago

https://github.com/bytedance/varmor - release v0.5.9-rc4

- Go
Published by Danny-Wei almost 2 years ago

https://github.com/bytedance/varmor - release v0.5.9-rc3

- Go
Published by Danny-Wei almost 2 years ago

https://github.com/bytedance/varmor - release v0.5.9-rc2

- Go
Published by Danny-Wei about 2 years ago

https://github.com/bytedance/varmor - release v0.5.9-rc1

- Go
Published by Danny-Wei about 2 years ago

https://github.com/bytedance/varmor - release v0.5.8

What's Changed

  • Added a disable-cap-all-except-net-bind-service built-in rule to comply with the Restricted Policy of the Pod Security Standards
  • Deprecated the disallow-create-user-ns built-in rule of AppArmor and BPF enforcers.
  • Added a policy advisor to help generate policy templates using the user context.

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.5.7...v0.5.8

- Go
Published by Danny-Wei about 2 years ago

https://github.com/bytedance/varmor - release v0.5.7

What's Changed

  • Added a pre-check for Seccomp enforcer
  • Upgraded the base image to Debian bookworm
  • Upgraded AppArmor userspace components to 3.1
  • Added a disable-chmod-x-bit built-in rule for Seccomp enforcer
  • Optimized CI workflows
  • Added a readinessProbe for the Agent, optimizing the startup process
  • Unified log format
  • Added annotations for the demos

New Contributors

  • @darfux made their first contribution in https://github.com/bytedance/vArmor/pull/42

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.5.6...v0.5.7

- Go
Published by Danny-Wei about 2 years ago

https://github.com/bytedance/varmor - release v0.5.7-rc1

- Go
Published by Danny-Wei about 2 years ago

https://github.com/bytedance/varmor - release v0.5.6

What's Changed

  • Agent and Manager now interact through TLS.
  • Add Seccomp enforcer with support for EnhanceProtect, BehaviorModeling, and DefenseInDepth modes.
  • Cluster-scoped policy VarmorClusterPolicy now supports BehaviorModeling mode.
  • Supported combining different enforcers: AppArmor, BPF and Seccomp enforcers can now be used together.
  • Add .spec.updateExistingWorkloads field to the policy interface, allowing users to independently control the protection switch for existing workloads.
  • Enable the --restartExistWorkloads switch of Manager by default.
  • Move the privileged field of the policy interface to inside .spec.policy.enhanceProtect.
  • Add built-in rules: disallow-create-user-ns, runc-override-mitigation, dirty-pipe-mitigation, disallow-mount-securityfs, disallow-access-kallsyms.
  • Add CI workflows to automate the build and test processes.
  • Add more demos and make them more comprehensible.
  • Fix bugs.

New Contributors

  • @UgOrange made their first contribution in https://github.com/bytedance/vArmor/pull/19
  • @jonyhy96 made their first contribution in https://github.com/bytedance/vArmor/pull/27

Full Changelog: https://github.com/bytedance/vArmor/compare/v0.5.5...v0.5.6

- Go
Published by Danny-Wei over 2 years ago

https://github.com/bytedance/varmor - release v0.5.6-rc2

tag v0.5.6-rc2

- Go
Published by Danny-Wei over 2 years ago

https://github.com/bytedance/varmor - release v0.5.6-rc

tag v0.5.6-rc

- Go
Published by Danny-Wei over 2 years ago

https://github.com/bytedance/varmor - release 0.5.5

  • Refactor the behavior modeling feature of the AppArmor enforcer.
  • Introduce the BehaviorModeling mode to collect application behavior and generate models.
  • Optimize the mount access control primitives of the BPF enforcer to address bypass issues.
  • Fix the issue where abnormal nodes impact the status of policies.
  • Upgrade Go to version 1.20 and build BPF programs inside containers.
  • Support pulling images and charts from the Asia-Pacific Southeast region.

- Go
Published by Danny-Wei over 2 years ago

https://github.com/bytedance/varmor - release 0.5.4

  • Add mandatory access control primitives related to mount syscalls for the BPF enforcer.
  • Introduce new built-in rules for the BPF enforcer, including disallow-mount, disallow-umount, disallow-mount-procfs, disallow-mount-cgroupfs, disallow-debug-disk-device, and disallow-mount-disk-device.
  • Fine-tune partial built-in rules of the AppArmor enforcer to make them more precise and avoid unexpected behavior.
  • Build enhanced protection rules on top of the RuntimeDefault rules by default.
  • Improve the RuntimeDefault mode for the BPF enforcer.
  • Introduce a cluster-scoped policy interface: the VarmorClusterPolicy CR.
  • Improve documents.

- Go
Published by Danny-Wei over 2 years ago

https://github.com/bytedance/varmor - release 0.5.3

  • Optimize leader election logic.
  • Add webhook matchlabel and BPF enforcer exclusive mode configuration options.
  • Introduce ptrace primitives and built-in rules for BPF enforcer.
  • Improve documents.

- Go
Published by Danny-Wei over 2 years ago

https://github.com/bytedance/varmor - release-0.5.2

Initial community release.

- Go
Published by Danny-Wei almost 3 years ago

https://github.com/bytedance/varmor -

- Go
Published by Danny-Wei almost 3 years ago