Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cleanup the apparmor recorder maps after processing #2658

Closed
wants to merge 4 commits into from
Closed

Cleanup the apparmor recorder maps after processing #2658

wants to merge 4 commits into from

Conversation

ccojocar
Copy link
Contributor

@ccojocar ccojocar commented Jan 7, 2025
edited
Loading

What type of PR is this?

/kind bug

What this PR does / why we need it:

Cleans up the apparmor recorder maps after processing.

Which issue(s) this PR fixes:

Does this PR have test?

Yes

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 7, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ccojocar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 7, 2025
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 7, 2025
@ccojocar ccojocar mentioned this pull request Jan 7, 2025
Closed
@ccojocar ccojocar requested review from saschagrunert and removed request for pjbgf and Vincent056 January 7, 2025 13:37
@ccojocar
Copy link
Contributor Author

ccojocar commented Jan 7, 2025

cc @mhils

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jan 7, 2025
@mhils
Copy link
Contributor

mhils commented Jan 7, 2025

LGTM!

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 8, 2025
@ccojocar ccojocar force-pushed the cleanup-recorder-maps branch from 1865618 to 8d2cec8 Compare January 10, 2025 10:21
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 10, 2025
mhils
mhils reviewed Jan 14, 2025
View reviewed changes
Copy link
Contributor

@mhils mhils left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

func (b *AppArmorRecorder) Unload() {
}

in bpfrecorder_apparmor.go needs to be fixed as well.

@ccojocar ccojocar force-pushed the cleanup-recorder-maps branch 2 times, most recently from abac239 to 3f40fdf Compare January 14, 2025 16:15
@ccojocar
Copy link
Contributor Author

in bpfrecorder_apparmor.go needs to be fixed as well.

It seems that that closing the module will destroy all the links and also unload the programs from the kernel.

security-profiles-operator/internal/pkg/daemon/bpfrecorder/bpfrecorder.go

Line 887 in b2742f1

b.CloseModule(b.module)

This is what actually happens in module close

security-profiles-operator/vendor/github.com/aquasecurity/libbpfgo/module.go

Line 183 in b2742f1

func (m *Module) Close() {

I'm not sure if we need to do anything extra in the AppArmorRecorder Unload.

@ccojocar
Clean up the maps in the apparmor recorder after processing
b1047f5 
Change-Id: Ic5db65e30c8c13dce4204de6b4ab481142da4f25
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar
Update the apparmor profiles after chaning the order of runtimes
a5ad3c4 
Change-Id: Idae3a0be22df8143697bb9e556d13dfd3bd5bea1
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar
Fix the RUNTIME overwrite in the install spo script
c8ab1b1 
Change-Id: I6dea16a829cbe2ba9b0fcecc325966b91b22b1c4
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar ccojocar force-pushed the cleanup-recorder-maps branch from 3f40fdf to c8ab1b1 Compare January 14, 2025 16:56
@mhils
Copy link
Contributor

mhils commented Jan 14, 2025

I just saw that the seccomp recorder is cleaning itself up in Unload and the AppArmor recorder isn't, which kind of fits the theme of this PR. Not sure if the userspace datastructures survive. :)

@ccojocar
Clean up all mpas when apparmor recorder unloads
60728dc 
Change-Id: Id45d0a68465f5f372090647c8a76514a3d988c9e
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar
Copy link
Contributor Author

I just saw that the seccomp recorder is cleaning itself up in Unload and the AppArmor recorder isn't, which kind of fits the theme of this PR. Not sure if the userspace datastructures survive. :)

Got it! I cleaned up all the internal maps in the Unload.

@ccojocar
Copy link
Contributor Author

Close in favour of #/2675.

@ccojocar ccojocar closed this Jan 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhils mhils mhils left review comments

@saschagrunert saschagrunert Awaiting requested review from saschagrunert

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. release-note-none Denotes a PR that doesn't merit a release note. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ccojocar @k8s-ci-robot @mhils