
Conversation

Danny-Wei
Member

@Danny-Wei Danny-Wei commented Sep 22, 2025

What this PR does

Extends the BPF enforcer’s custom rule interface with a qualifiers field across core rule types, enabling users to specify rule behavior modifiers (e.g., deny, audit)—aligning with AppArmor’s familiar syntax. This allows granular control over custom rule actions in EnhancedProtect mode, supporting use cases like rule testing and targeted audit-only monitoring.

Key Features Added

  • Added optional Qualifiers []string field to 7 core BPF rule structs to define rule behavior:
    • FileRule (file/process access control)
    • Service / Pod / Destination (network egress targeting)
    • NetworkSocketRule (socket operation control)
    • PtraceRule (process tracing restrictions)
    • MountRule (filesystem mount control)
  • Supported qualifiers values and behavior:
    • ["deny"]: Blocks matching behavior without auditing.
    • ["audit"]: Logs matching behavior without blocking (observation mode for the rule).
    • ["audit", "deny"]: Blocks and logs matching behavior.

Benefits

  1. Granular Behavior Control: Users can tailor rules to audit first (before full denial) or target specific restrictions, reducing false positives.
  2. Grayscale Rollouts: New custom rules can be tested in audit mode to validate coverage before switching to deny, minimizing operational risk.
  3. Enforcer Consistency: Matches AppArmor’s modifier workflow, creating a unified experience across vArmor’s enforcers.

Related Issue

Fixes #248

Notes

The allow qualifier is not supported for now. The BPF enforcer’s Allow-by-Default model permits actions unless explicitly restricted via deny.
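The qualifier semantics described above (deny only, audit only, audit plus deny, and allow rejected because the BPF enforcer is allow-by-default) can be exercised in isolation. The following Go snippet is an added illustration written for this page, not vArmor's own implementation: the `FileRule` struct, `RuleMode`, `ResolveQualifiers` and `Decide` names are assumptions, and treating an omitted `qualifiers` field as a plain deny is an assumption about the pre-existing default, not something the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// FileRule mirrors the shape described in the PR: a custom BPF rule that
// gains an optional Qualifiers list. Field names here are assumptions.
type FileRule struct {
	Pattern     string
	Permissions []string
	Qualifiers  []string
}

// RuleMode is the resolved behaviour of one rule after its qualifiers are parsed.
type RuleMode struct {
	Audit bool // log matching behaviour
	Deny  bool // block matching behaviour
}

// ErrUnsupportedQualifier is returned for "allow" and for unknown qualifiers.
var ErrUnsupportedQualifier = errors.New("unsupported qualifier")

// ResolveQualifiers maps a qualifiers list to a RuleMode:
//
//	omitted / empty   -> deny without audit (assumed legacy default)
//	["deny"]          -> deny without audit
//	["audit"]         -> audit only, nothing is blocked
//	["audit", "deny"] -> block and log
//
// "allow" is rejected: the BPF enforcer is allow-by-default, so an allow
// rule has nothing to grant.
func ResolveQualifiers(qualifiers []string) (RuleMode, error) {
	if len(qualifiers) == 0 {
		return RuleMode{Deny: true}, nil
	}
	var mode RuleMode
	for _, q := range qualifiers {
		switch strings.ToLower(strings.TrimSpace(q)) {
		case "audit":
			mode.Audit = true
		case "deny":
			mode.Deny = true
		case "allow":
			return RuleMode{}, fmt.Errorf("%w: %q (enforcer is allow-by-default)", ErrUnsupportedQualifier, q)
		default:
			return RuleMode{}, fmt.Errorf("%w: %q", ErrUnsupportedQualifier, q)
		}
	}
	return mode, nil
}

// Decide reports, for an access that matched the rule, whether it must be
// blocked and whether an audit event must be emitted. An audit-only rule
// logs but never blocks, which is what makes grayscale rollouts possible.
func Decide(mode RuleMode) (block bool, log bool) {
	return mode.Deny, mode.Audit
}

// ValidateRules rejects a policy early if any rule carries an unsupported
// qualifier, so a typo such as "alow" does not silently fall back to deny.
func ValidateRules(rules []FileRule) error {
	for i, r := range rules {
		if _, err := ResolveQualifiers(r.Qualifiers); err != nil {
			return fmt.Errorf("rule %d (%s): %w", i, r.Pattern, err)
		}
	}
	return nil
}

func main() {
	// Constructed sample rules, not taken from any real policy.
	rules := []FileRule{
		{Pattern: "/etc/shadow", Permissions: []string{"read"}, Qualifiers: []string{"audit"}},
		{Pattern: "/proc/sys/**", Permissions: []string{"write"}, Qualifiers: []string{"audit", "deny"}},
		{Pattern: "/root/**", Permissions: []string{"read"}},
	}
	if err := ValidateRules(rules); err != nil {
		fmt.Println("invalid policy:", err)
		return
	}
	for _, r := range rules {
		mode, _ := ResolveQualifiers(r.Qualifiers)
		block, log := Decide(mode)
		fmt.Printf("%-14s block=%-5v log=%v\n", r.Pattern, block, log)
	}
	_, err := ResolveQualifiers([]string{"allow"})
	fmt.Println("allow qualifier:", err)
}
```

The point to take from `Decide` is that an audit-only rule produces evidence without changing enforcement, so a rule can be staged as `["audit"]`, its events reviewed, and then switched to `["audit", "deny"]` once the coverage is confirmed.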

@Danny-Wei Danny-Wei merged commit c8528fe into main Sep 23, 2025
13 checks passed
@Danny-Wei Danny-Wei added this to the v0.9 milestone Sep 23, 2025
@Danny-Wei Danny-Wei added the feature New feature label Oct 20, 2025

Development

Successfully merging this pull request may close these issues.

[Feature] Allow setting audit and deny qualifiers for the custom BPF rules
