release v0.7.0-alpha1

Release 0.7.0-alpha1

release v0.7.0-beta3

Release 0.7.0-beta3

release v0.6.3

What's Changed

• Added the disallow-load-bpf-via-setsockopt built-in rule for Seccomp enforcer.
• Added the disallow-userfaultfd-creation built-in rule for Seccomp enforcer.
• Increased wait time on timeout retry for status report.

Full Changelog: v0.6.2...v0.6.3

release v0.7.0-beta2

chore: Switch log level from 3 to 2 for tracing

release v0.7.0-beta1

Update libseccomp to v2.6.0

release v0.6.2

What's Changed

• Added child's mnt ns id into monitor list if it's in a new mnt namespace during behavior modeling.
• Return directly when the behavior data is too large.
• Added a debug flag to control whether to generate the debug files for behavior modeling.
• Added the disallow-load-all-bpf-prog rule for Seccomp enforcer to prohibit loading any types of eBPF programs.
• Fixed: Create varmor-classifier-svc service in the namespace where varmor is installed

Full Changelog: v0.6.1...v0.6.2

release v0.6.1

What's Changed

• fixed: Always render the agent environment variables
• Upgrade the net package to fix CVE-2024-45338

Full Changelog: v0.6.0...v0.6.1

release v0.6.0

What's Changed

• feat: Adapt AppArmor enforcer for K8s v1.30 and above
• feat: Add monitoring metrics and support integration with Prometheus and Grafana
• feat: Support violation auditing feature for BPF enforcer
• feat: Enrich the violation audit logs of the BPF enforcer to include container and pod information
• feat: Integrate the violation auditing features of AppArmor and BPF enforcer
• feat: Unify the audit event format of AppArmor and BPF enforcers, and save the audit events into /var/log/varmor/violations.log
• feat: Support enforcing access control on socket creation for BPF enforcer.
• feat: Support wildcard for all bpf permissions and flags.
• feat: Add new networking built-in rules for BPF and AppArmor enforcer
• feat: Run agent in an unprivileged container
• feat: Allow running the agent in host's network namespace
• refactor: Abstract the processtracer and auditor modules to collect events for behavior modeling and violation auditing features
• refactor: Refactor behavior modeling and violation auditing features, no longer dependent on syslog or auditd, and no manual configuration required.
• refactor: Change fields in CRD from objects to pointers
• refactor: Integrate the logic of updating policy objects
• Auto adjust GOMAXPROCS for container limit
• Pass node name and readiness port to agent via environment variable
• Standardize the name of UserAgent
• Added version flag
• Added helm configuration options for new features
• fixed: Remove the finalizers of zombie ArmorProfile object
• fixed: Always retry for object updates if a conflict occurs
• fixed: The child profile should inherit rules from parent without attack protection rules
• fixed: Output error information when the agent service start fails
• docs: Further improve the repo documentation
• website: Official website launched (https://varmor.org)

New Contributors

• @eltociear made their first contribution in #104

Full Changelog: v0.5.11...v0.6.0

release v0.6.0-rc1

Upgrade golang.org/x/crypto

release v0.6.0-alpha1

Upgrade path-to-regexp package