neuvector · jayhuang-suse · Jun 6, 2025
@@ -187,11 +187,7 @@ func NewFileAccessCtrl(p *Probe) (*FileAccessCtrl, bool) {
 	}
 	fa.cflag = unix.FAN_OPEN_PERM
 
-	// perferable flag
-	if fa.isSupportExecPerm() {
-		log.Info("FA: Use ExecPerm")
-		fa.cflag = unix.FAN_OPEN_EXEC_PERM
-	}
+	// perferable on the unix.FAN_OPEN_EXEC_PERM but it failed to detect its availablity
 
 	go fa.monitorFilePermissionEvents()
 	return fa, true
@@ -278,19 +274,6 @@ func (fa *FileAccessCtrl) isSupportOpenPerm() bool {
 	return true
 }
 
-func (fa *FileAccessCtrl) isSupportExecPerm() bool {
-	path := fmt.Sprintf(procRootMountPoint, 1)
-	if err := fa.fanfd.Mark(unix.FAN_MARK_ADD, unix.FAN_OPEN_EXEC_PERM, unix.AT_FDCWD, path); err != nil {
-		log.WithFields(log.Fields{"error": err}).Info("FA: not supported")
-		return false
-	}
-
-	if err := fa.fanfd.Mark(unix.FAN_MARK_REMOVE, unix.FAN_OPEN_EXEC_PERM, unix.AT_FDCWD, path); err != nil && !bIgnoredErrors(err) {
-		log.WithFields(log.Fields{"error": err}).Error()
-	}
-	return true
-}
-
 // ///
 func (fa *FileAccessCtrl) monitorExit() {
 	if fa.fanfd != nil {
@@ -725,6 +708,7 @@ func (fa *FileAccessCtrl) whiteListCheck(path string, pid int) (string, string,
 			return id, profileSetting, svcGroup, nvRole, res
 		}
 
+		res = rule_not_defined
 		if rres, ok := cRoot.whlst[path]; ok {
 			// log.WithFields(log.Fields{"rres": rres}).Debug("FA: ")
 			if rres != rule_denied {

@@ -3283,26 +3283,21 @@ func (p *Probe) IsAllowedShieldProcess(id, mode, svcGroup string, proc *procInte
 			}
 		}
 	} else {
-		switch ppe.Action {
-		case share.PolicyActionLearn, share.PolicyActionOpen:
-			ppe.Action = share.PolicyActionViolate
+		if ppe.Action == share.PolicyActionDeny {
 			ppe.Uuid = share.CLUSReservedUuidShieldMode
-		case share.PolicyActionAllow:
-			bPass = true
-			if ppe.CfgType == share.Learned { // user needs to allow the process manually
-				// TODO: how about the learned rule's translation from GroundCfg-CRD?
-				bPass = false
-				ppe.Action = negativeResByMode(mode)
+		} else { // other actions
+			if bFromPmon && ppe.CfgType <= share.Learned {
+				ppe.Action = share.PolicyActionViolate
 				ppe.Uuid = share.CLUSReservedUuidShieldMode
-			} else if !ppe.AllowFileUpdate && !bNotImageButNewlyAdded {
-				if bModified {
-					bPass = false
-					ppe.Action = negativeResByMode(mode)
+			} else { // a defined rule from custom/crd groups
+				if bModified && !ppe.AllowFileUpdate {
+					ppe.Action = share.PolicyActionViolate
 					ppe.Uuid = share.CLUSReservedUuidAnchorMode
+				} else {
+					bPass = true
+					ppe.Action = share.PolicyActionAllow // allowed
 				}
 			}
-		case share.PolicyActionDeny:
-			ppe.Uuid = share.CLUSReservedUuidShieldMode
 		}
 	}
 	mLog.WithFields(log.Fields{"bModified": bModified, "bImageFile": bImageFile, "bNotImageButNewlyAdded": bNotImageButNewlyAdded}).Debug("SHD:")

@@ -605,7 +605,11 @@ func (d *crioDriver) IsDaemonProcess(proc string, cmds []string) bool {
 }
 
 func (d *crioDriver) IsRuntimeProcess(proc string, cmds []string) bool {
-	return proc == "runc" || proc == "crio" || proc == "conmon" || proc == "crio-conmon" // an OCI container runtime monitor
+	switch proc {
+	case "runc", "crio", "conmon", "crio-conmon", "crun": // an OCI container runtime monitor
+		return true
+	}
+	return false
 }
 
 func (d *crioDriver) GetParent(info *ContainerMetaExtra, pidMap map[int]string) (bool, string) {