14 changes: 10 additions & 4 deletions docs/getting_started/interface_specification.md
Expand Up @@ -50,8 +50,8 @@ English | [简体中文](interface_specification.zh_CN.md)
|bpfRawRules<br />*[BpfRawRules](#bpfrawrules) array*|Optional. BpfRawRules is used to set custom BPF rules.|
|syscallRawRules<br />*[LinuxSyscall](https://pkg.go.dev/github.com/opencontainers/[email protected]/specs-go#LinuxSyscall) array*|Optional. SyscallRawRules is used to set the custom syscalls blocklist rules with Seccomp enforcer. Please refer to [this document](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp) to create custom rules.|
|privileged<br />*bool*|Optional. Privileged is used to identify whether the policy is for the privileged container. If set to false, the **EnhanceProtect** mode will build AppArmor or BPF profile on top of the **RuntimeDefault** mode. Otherwise, it will build AppArmor or BPF profile on top of the **AlwaysAllow** mode. (Default: false)<br /><br />Note: If set to true, vArmor will not build Seccomp profile for the target workloads.|
|auditViolations<br />*bool*|Optional. AuditViolations determines whether to audit the actions that violate the mandatory access control rules. If this field is set, any detected violation will be logged to `/var/log/varmor/violations.log` file in the host.<br />Please note that the Seccomp enforcer does not support auditing violations when the allowViolations field is set to false. (Default: false)|
|allowViolations<br />*bool*|Optional. AllowViolations determines whether to allow the actions that are against mandatory access control rules. If this field is set, any detected violation will be allowed rather than blocked, and an `ALLOWED` audit event will be generated and logged. (Default: false)|
|auditViolations<br />*bool*|Optional. AuditViolations determines whether to log the actions that violate the mandatory access control rules. If this field is set, any detected violation will be logged to `/var/log/varmor/violations.log` file in the host. The action of the event will be `AUDIT` if allowViolations is set to true, otherwise it will be `DENIED`.<br /><br />Please note that the Seccomp enforcer does not support auditing violations when the allowViolations field is set to false. (Default: false)|
|allowViolations<br />*bool*|Optional. AllowViolations determines whether to allow the actions that are against mandatory access control rules. If this field is set, any detected violation will be allowed rather than blocked. (Default: false)|

### AttackProtectionRules

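Review bot: the rewritten `auditViolations` row (the line beginning `|auditViolations` that carries the `AUDIT`/`DENIED` wording) still promises that "any detected violation will be logged", yet the sentence right after it says the Seccomp enforcer cannot audit when `allowViolations` is false; fold the exception into the main sentence ("... will be logged, except that the Seccomp enforcer only audits violations when allowViolations is true") so the guarantee and its exception no longer contradict each other. The pair of rows also leaves the four combinations implicit: with `allowViolations: true` and `auditViolations: false` it is unclear whether anything is written to `/var/log/varmor/violations.log` at all, and the new `allowViolations` text no longer says an event is generated. A two-by-two table (allowViolations x auditViolations, giving blocked/allowed and the logged action `AUDIT` / `DENIED` / nothing) would settle this in one place.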
Expand All @@ -77,11 +77,11 @@ English | [简体中文](interface_specification.zh_CN.md)
|ptrace<br />*[PtraceRule](#ptracerule)*|Optional. Ptrace specifies the ptrace-based access control rules.|
|mounts<br />*[MountRule](#mountrule) array*|Optional. Mounts specifies mount point access control rules.|


### FileRule

| Field | Description |
|-------|-------------|
|qualifiers<br />*string array*|Qualifiers determine the behavior of the rule via combinations of values.<br />Available values: `deny, audit`|
|pattern<br />*string*|Pattern can be any string (maximum length 128 bytes) that conforms to the policy syntax, used for matching file paths and filenames.|
|permissions<br />*string array*|Permissions are used to specify the file permissions.<br />Available values: `all(*), read(r), write(w), append(a), exec(e)`|

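Review bot: the new `qualifiers` row in FileRule says "combinations of values" but never defines what each combination does: does `audit` alone mean allow-and-log, `deny` alone mean block silently, and `deny, audit` mean block and log? State the semantics, mark the field Optional with its default the way the neighbouring `permissions` style rows do for other tables in this file, and say how a per-rule `audit` interacts with the policy-level `auditViolations` / `allowViolations` fields changed in the first hunk of this PR, since a reader now has two places that decide whether a violation is logged.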
Expand All @@ -96,13 +96,15 @@ English | [简体中文](interface_specification.zh_CN.md)

| Field | Description |
|-------|-------------|
|qualifiers<br />*string array*|Qualifiers determine the behavior of the rule via combinations of values.<br />Available values: `deny, audit`|
|strictMode<br />*bool*|Optional. StrictMode is used to indicate whether to restrict ptrace operations for all source and destination processes. If set to false, it allows a process to perform trace and read operations on other processes within the same container, and also allows a process to be subjected to traceby and readby operations by other processes within the same container. If set to true, it prohibits all trace, read, traceby, and readby operations within the container.(Default: false)|
|permissions<br />*string array*|Permissions are used to indicate which ptrace-related permissions of the target container should be restricted. <br />Available values: `all(*), trace, traceby, read, readby` <br /><br />- trace: prohibiting tracing of other processes. <br />- read: prohibiting reading of other processes. <br />- traceby: prohibiting being traced by other processes (excluding the host processes). <br />- readby: prohibiting being read by other processes (excluding the host processes).<br /><br />The trace, traceby permissions for "write" operations, or other operations that are more dangerous, such as: ptrace attaching (PTRACE_ATTACH) to another process or calling process_vm_writev(2).<br /><br />The read, readby permissions for "read" operations or other operations that are less dangerous, such as: get_robust_list(2); kcmp(2); reading /proc/pid/auxv, /proc/pid/environ, or /proc/pid/stat; or readlink(2) of a /proc/pid/ns/* file.|

### MountRule

| Field | Description |
|-------|-------------|
|qualifiers<br />*string array*|Qualifiers determine the behavior of the rule via combinations of values.<br />Available values: `deny, audit`|
|sourcePattern<br />*string*|SourcePattern can be any string (maximum length 128 bytes) that conforms to the policy syntax, used for matching the source paramater of mount(2), the target paramater of umount(2), and the from_pathname paramater of move_mount(2).|
|fstype<br />*string*|Fstype is used to specify the type of filesystem (maximum length 16 bytes) to enforce. It can be `*` to match any type.|
|flags<br />*string array*|Flags are used to specify the mount flags to enforce. They are almost the same as the [MOUNT FLAGS LIST](https://manpages.ubuntu.com/manpages/focal/man5/apparmor.d.5.html) of AppArmor. <br />Available values: `all(*), ro(r, read-only), rw(w), suid, nosuid, dev, nodev, exec, noexec, sync, async, mand, nomand, dirsync, atime, noatime, diratime, nodiratime, silent, loud, relatime, norelatime, iversion, noiversion, strictatime, nostrictatime, remount, bind(B), move(M), rbind(R), make-unbindable, make-private(private), make-slave(slave), make-shared(shared), make-runbindable, make-rprivate, make-rslave, make-rshared, umount`|
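Review bot: the same one-sentence `qualifiers` description is pasted verbatim into PtraceRule and MountRule here, and into every other rule table touched by this PR; define the qualifier semantics once (for example a `Qualifiers` entry alongside the existing `Port` section) and have each row link to it with the same `[...](#...)` style the tables already use, so the definition cannot drift between tables. While here: the `sourcePattern` row spells "parameter" as "paramater" three times, and `(Default: false)` in the `strictMode` row is missing the space before the parenthesis.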
Expand All @@ -111,6 +113,7 @@ English | [简体中文](interface_specification.zh_CN.md)

| Field | Description |
|-------|-------------|
|qualifiers<br />*string array*|Qualifiers determine the behavior of the rule via combinations of values.<br />Available values: `deny, audit`|
|domains<br />*string array*|Optional. Domains specifies the communication domains of socket. <br />Available values: `all(*), unix, inet, ax25, ipx, appletalk, netrom, bridge, atmpvc, x25, inet6, rose, netbeui, security, key, netlink, packet, ash, econet, atmsvc, rds, sna, irda, pppox, wanpipe, llc, ib, mpls, can, tipc, bluetooth, iucv, rxrpc, isdn, phonet, ieee802154, caif, alg, nfc, vsock, kcm, qipcrtr, smc, xdp, mctp`|
|types<br />*string array*|Optional. Types specifies the communication semantics of socket. <br />Available values: `all(*), stream, dgram, raw, rdm, seqpacket, dccp, packet`|
|protocols<br />*string array*|Optional. Protocols specifies the particular protocols to be used with the socket. <br />Available values: `all(*), icmp, tcp, udp`<br /><br />Note that the protocols field and types field are mutually exclusive. |
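Review bot: the `qualifiers` row added to this socket-rule table says nothing about which enforcer honours `audit`; the policy-level note in the first hunk of this PR says the Seccomp enforcer cannot audit when violations are blocked, so a similar per-enforcer caveat is likely needed for rule-level `audit` as well. State here, or in one shared qualifier definition, whether `audit` has effect for each enforcer that implements socket rules; otherwise a user may set `deny, audit` expecting log lines that never appear.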
Expand All @@ -134,6 +137,7 @@ English | [简体中文](interface_specification.zh_CN.md)

| Field | Description |
|-------|-------------|
|qualifiers<br />*string array*|Qualifiers determine the behavior of the rule via combinations of values.<br />Available values: `deny, audit`|
|ip<br />*string*|Optional. IP defines this rule on a particular IP. Please use a valid textual representation of an IP, or special entities like `pod-self`, `unspecified` or `localhost`. Note that the ip field and cidr field are mutually exclusive.<br /><br />- pod-self: An entity that represents the Pod's own IP addresses. Pods may be allocated at most 1 address for each of IPv4 and IPv6.<br />- unspecified: An entity that represents the all-zeros address - specifically, 0.0.0.0 and ::. Its full name is unspecified address, referring to binding to all interfaces.<br />- localhost: An entity that represents the loopback addresses - specifically, 127.0.0.1 and ::1.|
|cidr<br />*string*|Optional. CIDR defines this rule on a particular CIDR. Note that the ip field and cidr field are mutually exclusive.|
|ports<br />*[Port](#port) array*|Optional. Ports defines this rule on particular ports. Each item in this list is combined using a logical OR. If this field is empty or not present, this rule matches all ports. If this field is present and contains at least one item, then this rule matches all ports in the list.|
Expand All @@ -142,6 +146,7 @@ English | [简体中文](interface_specification.zh_CN.md)

| Field | Description |
|-------|-------------|
|qualifiers<br />*string array*|Qualifiers determine the behavior of the rule via combinations of values.<br />Available values: `deny, audit`|
|namespace<br />*string*|Optional. Namespace specifies in which namespace to select services.|
|name<br />*string*|Optional. Name selects a service by the name and namespace pair.|
|serviceSelector<br />*[LabelSelector](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#LabelSelector)*|Optional. ServiceSelector is a label selector which selects services. This field follows standard label selector semantics. It selects the services matching serviceSelector in the namespace. If the namespace field is empty or not present, it selects the services matching serviceSelector in all namespaces. Note that the serviceSelector field and name field are mutually exclusive.|
Expand All @@ -150,6 +155,7 @@ English | [简体中文](interface_specification.zh_CN.md)

| Field | Description |
|-------|-------------|
|qualifiers<br />*string array*|Qualifiers determine the behavior of the rule via combinations of values.<br />Available values: `deny, audit`|
|namespace<br />*string*|Optional. Namespace specifies in which namespace to select pods.|
|podSelector<br />*[LabelSelector](https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#LabelSelector)*|PodSelector is a label selector which selects pods. This field follows standard label selector semantics. It selects the pods matching podSelector in the namespace. If the namespace field is empty or not present, it selects the pods matching podSelector in all namespaces.|
|ports<br />*[Port](#port) array*|Optional. Ports defines this rule on particular ports. Each item in this list is combined using a logical OR. If this field is empty or not present, this rule matches all ports. If this field is present and contains at least one item, then this rule matches all ports in the list.|
Expand All @@ -173,7 +179,7 @@ English | [简体中文](interface_specification.zh_CN.md)
|-------|-------------|
|appArmor<br />*[AppArmorProfile](#apparmorprofile)*|Optional. AppArmor specifies the AppArmor profile and additional custom rules for the Deny-by-Default protection.|
|seccomp<br />*[SeccompProfile](#seccompprofile)*|Optional. Seccomp specifies the Seccomp profile and additional custom rules for the Deny-by-Default protection.|
|allowViolations<br />*bool*|Optional. AllowViolations determines whether to allow the actions that are against mandatory access control rules. If this field is set, any detected violation will be allowed rather than blocked, and an `ALLOWED` audit event will be generated and logged. This can be used to gather violations for improving Deny-by-Default protection profiles. If this field is not set, any detected violation will be blocked, and a `DENIED` audit event will be generated and logged. (Default: false)
|allowViolations<br />*bool*|Optional. AllowViolations determines whether to allow the actions that are against mandatory access control rules. If this field is set, any detected violation will be allowed rather than blocked, and an audit event with the `ALLOWED` action will be generated and logged. This can be used to gather violations for improving Deny-by-Default protection profiles. If this field is not set, any detected violation will be blocked, and an audit event with the `DENIED` action will be generated and logged. (Default: false)

### AppArmorProfile

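Review bot: the edited `allowViolations` row here (the line beginning `|allowViolations` that reads "an audit event with the `ALLOWED` action") keeps the `ALLOWED` action name, while the `auditViolations` row rewritten in the first hunk of this change says the logged action is `AUDIT` when allowViolations is true; the two hunks now disagree on the action string a user will grep for in `/var/log/varmor/violations.log`. If the two profile types really emit different strings, say so explicitly in both rows; otherwise pick one name. The row also lacks the closing `|` that the other rows in this table have, and the sentence would read better split at "This can be used ...".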