From f780889d4cef5f0cc53b83a07da139c9e24a1dd8 Mon Sep 17 00:00:00 2001 From: Tim Allclair Date: Tue, 15 Feb 2022 13:19:02 -0800 Subject: [PATCH] Forbid empty AppArmor localhost profile --- pkg/security/apparmor/validate.go | 11 ++++++++++- pkg/security/apparmor/validate_test.go | 2 ++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/pkg/security/apparmor/validate.go b/pkg/security/apparmor/validate.go index 34a0b1ee368..b800a4c0fe5 100644 --- a/pkg/security/apparmor/validate.go +++ b/pkg/security/apparmor/validate.go @@ -74,10 +74,19 @@ func (v *validator) Validate(pod *v1.Pod) error { var retErr error podutil.VisitContainers(&pod.Spec, podutil.AllContainers, func(container *v1.Container, containerType podutil.ContainerType) bool { - retErr = ValidateProfileFormat(GetProfileName(pod, container.Name)) + profile := GetProfileName(pod, container.Name) + retErr = ValidateProfileFormat(profile) if retErr != nil { return false } + // TODO(#64841): This would ideally be part of ValidateProfileFormat, but that is called for + // API validation, and this is tightening validation. + if strings.HasPrefix(profile, v1.AppArmorBetaProfileNamePrefix) { + if strings.TrimSpace(strings.TrimPrefix(profile, v1.AppArmorBetaProfileNamePrefix)) == "" { + retErr = fmt.Errorf("invalid empty AppArmor profile name: %q", profile) + return false + } + } return true }) diff --git a/pkg/security/apparmor/validate_test.go b/pkg/security/apparmor/validate_test.go index 03b4a487f47..818afd1a8d6 100644 --- a/pkg/security/apparmor/validate_test.go +++ b/pkg/security/apparmor/validate_test.go @@ -109,6 +109,8 @@ func TestValidateValidHost(t *testing.T) { {v1.AppArmorBetaProfileNamePrefix + "foo-container", true}, {v1.AppArmorBetaProfileNamePrefix + "/usr/sbin/ntpd", true}, {"docker-default", false}, + {v1.AppArmorBetaProfileNamePrefix + "", false}, // Empty profile explicitly forbidden. + {v1.AppArmorBetaProfileNamePrefix + " ", false}, } for _, test := range tests {