Samples for specific intents

intents/core/1_protectAsset.yaml

@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: protectFile
+    params:
+        - path: /etc/shadow
+        - AllowBinary:
+          - /free5gc/webconsole
+          - /free5gc/webApp

intents/core/2_protectPort.yaml

@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: protectPort # will generate rules for all protocols
+    params:
+        - port: 5000
+        - AllowBinary
+          - /free5gc/webconsole
+          - /free5gc/webapp

intents/core/3_ownnerOnly.yaml

@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: ownerOnly #  The executable in the path can be invoked by ownerOnly
+    params:
+        - path: /home/5gc/myexec

intents/core/4_blockAsset.yaml

@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: blockAsset #  Nobody can access below paths
+    params:
+        - path: /home/5gc/

intents/core/5_blockRawSocket.yaml

@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: blockRawSocket #  No raw sockets can be accessed

intents/template-intent.yaml

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: oran/core
+    ID: protectFile, protectPort, ownerOnly, blockAsset, blockRawsocket
+    params:

pkg/api/v1/securityintent_types.go

@@ -3,9 +3,7 @@
 
 package v1
 
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
@@ -15,110 +13,53 @@ type SecurityIntentSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	Intent Intent `json:"intent"` // Define the details of the security policy.
+	Intents []Intent `json:"intent"` // Define the details of the security policy.
 }
 
 // Intent defines the security policy details
 type Intent struct {
-	Description string     `json:"description,omitempty"` // Define the description
-	Action      string     `json:"action"`                // Define the action of the policy
-	Type        string     `json:"type"`                  // Defines the type of the policy
-	Resource    []Resource `json:"resource"`              // Define the resources to which the security policy applies
+	Description string       `json:"description,omitempty"` // Define the description
+	Group       string       `json:"type"`                  // Defines the type of the policy
+	ID          string       `json:"resource"`              // Define the resources to which the security policy applies
+	Params      IntentParams `json:"params"`
 }
 
 // Resource defines the resources that the security policy applies to
-type Resource struct {
-	Network      []Network      `json:"network,omitempty"`
-	Process      []Process      `json:"process,omitempty"`
-	File         []File         `json:"file,omitempty"`
-	Capabilities []Capabilities `json:"capabilities,omitempty"`
-	Syscalls     []Syscalls     `json:"syscalls,omitempty"`
-	FromCIDRSet  []CIDRSet      `json:"fromCIDRSet,omitempty"`
-	ToPorts      []ToPort       `json:"toPorts,omitempty"`
-}
-
-// Network defines the network-related policies
-type Network struct {
-	MatchProtocols []MatchProtocol `json:"matchProtocols,omitempty"`
-}
-
-// Process defines the process-related policies
-type Process struct {
-	MatchPaths       []MatchPath      `json:"matchPaths,omitempty"`
-	MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"`
-	MatchPatterns    []MatchPattern   `json:"matchPatterns,omitempty"`
-}
-
-// File defines the file-related policies
-type File struct {
-	MatchPaths       []MatchPath      `json:"matchPaths,omitempty"`
-	MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"`
-}
+type IntentParams struct {
+	File ProtectFile `json:"protectFile,omitempty"`
+	Port ProtectPort `json:"protectPort,omitempty"`
 
-// Capabilities defines the capabilities-related policies
-type Capabilities struct {
-	MatchCapabilities []MatchCapability `json:"matchCapabilities,omitempty"`
-}
+	// Only Owner can access file
+	OwnerOnly File `json:"ownerOnly,omitempty"`
 
-// Syscalls defines the syscalls-related policies
-type Syscalls struct {
-	MatchSyscalls []MatchSyscall `json:"matchSyscalls,omitempty"`
-}
+	// File cannot be accessed by anybody
+	BlockAsset File
 
-// CIDRSet defines CIDR ranges for network policies
-type CIDRSet struct {
-	CIDR string `json:"cidr,omitempty"`
+	// BlockRawSocket: does not have parameters
 }
 
-// ToPort defines ports and protocols for network policies
-type ToPort struct {
-	Ports []Port `json:"ports,omitempty"`
+// ProtectFile will ensure only AllowBinaries can access the File
+type ProtectFile struct {
+	File          string `json:"port,omitempty"`
+	AllowBinaries File   `json:"allowBinaries,omitempty"`
 }
 
-// Port defines a network port and its protocol
-type Port struct {
-	Port     string `json:"port,omitempty"`
-	Protocol string `json:"protocol,omitempty"`
+// ProtectPort will ensure only AllowBinaries can access Port
+type ProtectPort struct {
+	Port          string `json:"port,omitempty"`
+	AllowBinaries File   `json:"allowBinaries,omitempty"`
 }
 
-// MatchProtocol defines a protocol for network policies
-type MatchProtocol struct {
-	Protocol   string       `json:"protocol,omitempty"`
-	FromSource []FromSource `json:"fromSource,omitempty"`
+// File defines the file-related policies
+type File struct {
+	MatchPaths []MatchPath `json:"matchPaths,omitempty"`
 }
 
 // MatchPath defines a path for process or file policies
 type MatchPath struct {
 	Path string `json:"path,omitempty"`
 }
 
-// MatchDirectory defines a directory for process or file policies
-type MatchDirectory struct {
-	Directory  string       `json:"dir,omitempty"`
-	Recursive  bool         `json:"recursive,omitempty"`
-	FromSource []FromSource `json:"fromSource,omitempty"`
-}
-
-// MatchPattern defines a pattern for process policies
-type MatchPattern struct {
-	Pattern string `json:"pattern,omitempty"`
-}
-
-// MatchSyscall defines a syscall for syscall policies
-type MatchSyscall struct {
-	Syscalls []string `json:"syscalls,omitempty"`
-}
-
-// MatchCapability defines a capability for capabilities policies
-type MatchCapability struct {
-	Capability string `json:"capability,omitempty"`
-}
-
-// FromSource defines a source path for directory-based policies
-type FromSource struct {
-	Path string `json:"path,omitempty"`
-}
-
 // SecurityIntentStatus defines the observed state of SecurityIntent
 type SecurityIntentStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster