feat: Support dynamically removing the BPF enforcer from policies. #99

bytedance · Jul 4, 2024 · 860ccb8 · 860ccb8
1 parent 6cf0503
commit 860ccb8
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/internal/agent/agent.go b/internal/agent/agent.go
@@ -464,6 +464,15 @@ func (agent *Agent) handleCreateOrUpdateArmorProfile(ap *varmor.ArmorProfile, ke
 			logger.Error(err, "SaveAndApplyBpfProfile()")
 			return agent.sendStatus(ap, varmortypes.Failed, "SaveBpfProfile(): "+err.Error())
 		}
+	} else {
+		// Unload BPF profile.
+		if agent.bpfLsmSupported && agent.bpfEnforcer.IsBpfProfileExist(ap.Spec.Profile.Name) {
+			logger.Info(fmt.Sprintf("unloading the BPF profile ('%s')", ap.Spec.Profile.Name))
+			err := agent.bpfEnforcer.DeleteBpfProfile(ap.Spec.Profile.Name)
+			if err != nil {
+				logger.Error(err, "DeleteBpfProfile()")
+			}
+		}
 	}
 
 	// Seccomp

diff --git a/internal/policy/clusterpolicy_controller.go b/internal/policy/clusterpolicy_controller.go
@@ -389,12 +389,12 @@ func (c *ClusterPolicyController) ignoreUpdate(newVp *varmor.VarmorClusterPolicy
 	// Disallow shutting down the enforcer that has been activated.
 	newEnforcers := varmortypes.GetEnforcerType(newVp.Spec.Policy.Enforcer)
 	oldEnforcers := varmortypes.GetEnforcerType(oldAp.Spec.Profile.Enforcer)
-	if newEnforcers&oldEnforcers != oldEnforcers {
+	if (newEnforcers&oldEnforcers != oldEnforcers) && (newEnforcers|varmortypes.BPF != oldEnforcers) {
 		err := fmt.Errorf("disallow shutting down the enforcer that has been activated")
 		logger.Error(err, "update VarmorClusterPolicy/status with forbidden info")
 		err = c.updateVarmorClusterPolicyStatus(newVp, "", false, varmortypes.VarmorPolicyUnchanged, varmortypes.VarmorPolicyUpdated, apicorev1.ConditionFalse,
 			"Forbidden",
-			"Modifying a policy to remove an already-set enforcer is not allowed. To remove enforcers, you must recreate the VarmorClusterPolicy object.")
+			"Modifying a policy to remove an already-set enforcer, except for the BPF enforcer, is not allowed. To remove enforcers, you must recreate the VarmorClusterPolicy object.")
 		return true, err
 	}
 

diff --git a/internal/policy/policy_controller.go b/internal/policy/policy_controller.go
@@ -413,12 +413,12 @@ func (c *PolicyController) ignoreUpdate(newVp *varmor.VarmorPolicy, oldAp *varmo
 	// Disallow shutting down the enforcer that has been activated.
 	newEnforcers := varmortypes.GetEnforcerType(newVp.Spec.Policy.Enforcer)
 	oldEnforcers := varmortypes.GetEnforcerType(oldAp.Spec.Profile.Enforcer)
-	if newEnforcers&oldEnforcers != oldEnforcers {
+	if (newEnforcers&oldEnforcers != oldEnforcers) && (newEnforcers|varmortypes.BPF != oldEnforcers) {
 		err := fmt.Errorf("disallow shutting down the enforcer that has been activated")
 		logger.Error(err, "update VarmorPolicy/status with forbidden info")
 		err = c.updateVarmorPolicyStatus(newVp, "", false, varmortypes.VarmorPolicyUnchanged, varmortypes.VarmorPolicyUpdated, apicorev1.ConditionFalse,
 			"Forbidden",
-			"Modifying a policy to remove an already-set enforcer is not allowed. To remove enforcers, you must recreate the VarmorPolicy object.")
+			"Modifying a policy to remove an already-set enforcer, except for the BPF enforcer, is not allowed. To remove enforcers, you must recreate the VarmorPolicy object.")
 		return true, err
 	}