What would you like to be added:
Typically when an apparmor profile is recorded, it is not entirely complete. Sometimes there is functionality which is not captured during the recording phase. This can lead to certain actions being denied when the profile is enforced.
A better strategy to avoid service disruptions when enforcing a profile is to follow these steps:
1. Record the big bulk of the profile with the eBPF recorder. This will allow a container to start and run in the most common cases.
2. Place the apparmor profile in complain mode, and assign it to the container. This will only log the unauthorized actions which are not already present in the profile permissions.
3. Use a profile updater (e.g. in the log enricher) which should watch the audit log and parse the denied apparmor messages. It can then add the missing permissions to the profile in place. It can also signal when no permissions have needed to be added for a certain period of time, indicating that the profile is complete and ready to be enforced.
4. When the profile is complete, an audit can be performed, and based on the result the profile can be placed in enforce mode.
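The following is an added example of the profile-updater step described above, written in Go; it is not code from the log enricher or the profile recorder. It parses AppArmor audit records (in complain mode the kernel logs would-be denials with `apparmor="ALLOWED"`, so the parser accepts both `ALLOWED` and `DENIED`), merges the requested access into a per-profile rule set, leaves exec transitions for human review because they need a qualifier such as `ix` or `px`, and reports the profile as complete once no permission has been added for a quiet period. The `Updater` type, the `nginx-complain` profile name and the sample audit lines are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event holds the fields of one AppArmor audit record that the updater needs.
type Event struct {
	Profile, Op, Name, Mask, Capname string
}

var kvRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseAVC extracts an Event from an audit line; ok is false for lines that are not
// AppArmor records with an ALLOWED (complain mode) or DENIED (enforce mode) status.
func ParseAVC(line string) (Event, bool) {
	f := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		f[m[1]] = m[2]
	}
	if s := f["apparmor"]; s != "ALLOWED" && s != "DENIED" {
		return Event{}, false
	}
	return Event{f["profile"], f["operation"], f["name"], f["requested_mask"], f["capname"]}, true
}

// Updater accumulates the permissions one profile needs and remembers when the set last grew.
type Updater struct {
	Profile    string
	files      map[string]string   // path -> merged access mask characters, e.g. "rw"
	caps       map[string]struct{} // capability names
	NeedReview []string            // exec events: the transition qualifier is a human decision
	lastChange time.Time
}

func NewUpdater(profile string, start time.Time) *Updater {
	return &Updater{Profile: profile, files: map[string]string{}, caps: map[string]struct{}{}, lastChange: start}
}

// mergeMask returns the union of two mask strings with characters in sorted order.
func mergeMask(a, b string) string {
	set := map[rune]bool{}
	for _, c := range a + b {
		set[c] = true
	}
	out := make([]rune, 0, len(set))
	for c := range set {
		out = append(out, c)
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return string(out)
}

// Apply feeds one audit line and returns true when the profile's rule set grew.
func (u *Updater) Apply(line string, now time.Time) bool {
	e, ok := ParseAVC(line)
	if !ok || e.Profile != u.Profile {
		return false // not for this profile: never add a rule from another workload's log
	}
	grew := false
	switch {
	case e.Op == "capable" && e.Capname != "":
		if _, seen := u.caps[e.Capname]; !seen {
			u.caps[e.Capname] = struct{}{}
			grew = true
		}
	case e.Name != "" && e.Mask != "":
		if strings.Contains(e.Mask, "x") {
			u.NeedReview = append(u.NeedReview, e.Name+" "+e.Mask)
			return false
		}
		if merged := mergeMask(u.files[e.Name], e.Mask); merged != u.files[e.Name] {
			u.files[e.Name] = merged
			grew = true
		}
	}
	if grew {
		u.lastChange = now
	}
	return grew
}

// Complete reports whether no permission has been added for at least the quiet period.
func (u *Updater) Complete(now time.Time, quiet time.Duration) bool {
	return now.Sub(u.lastChange) >= quiet
}

// Rules renders the accumulated permissions as AppArmor rule lines, sorted for stable diffs.
func (u *Updater) Rules() []string {
	var out []string
	for c := range u.caps {
		out = append(out, fmt.Sprintf("capability %s,", c))
	}
	for p, m := range u.files {
		out = append(out, fmt.Sprintf("%s %s,", p, m))
	}
	sort.Strings(out)
	return out
}

// SampleLog holds constructed audit lines (not real captures) for a complain-mode profile.
var SampleLog = []string{
	`type=AVC msg=audit(1700000000.100:11): apparmor="ALLOWED" operation="open" profile="nginx-complain" name="/etc/ld.so.cache" pid=1001 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`,
	`type=AVC msg=audit(1700000000.200:12): apparmor="ALLOWED" operation="open" profile="nginx-complain" name="/var/log/nginx/access.log" pid=1001 comm="nginx" requested_mask="w" denied_mask="w" fsuid=0 ouid=0`,
	`type=AVC msg=audit(1700000000.300:13): apparmor="ALLOWED" operation="open" profile="nginx-complain" name="/var/log/nginx/access.log" pid=1001 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`,
	`type=AVC msg=audit(1700000000.400:14): apparmor="ALLOWED" operation="capable" profile="nginx-complain" pid=1001 comm="nginx" capability=10 capname="net_bind_service"`,
	`type=AVC msg=audit(1700000000.500:15): apparmor="ALLOWED" operation="exec" profile="nginx-complain" name="/bin/sh" pid=1002 comm="nginx" requested_mask="x" denied_mask="x" fsuid=0 ouid=0`,
	`type=AVC msg=audit(1700000000.600:16): apparmor="DENIED" operation="open" profile="other-profile" name="/etc/shadow" pid=2000 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`,
}

// RunSample replays SampleLog one second apart and reports the rules, the events left for
// review, and whether a 60s quiet window has elapsed two minutes after the start.
func RunSample() ([]string, []string, bool) {
	start := time.Unix(1700000000, 0)
	u := NewUpdater("nginx-complain", start)
	for i, l := range SampleLog {
		u.Apply(l, start.Add(time.Duration(i+1)*time.Second))
	}
	return u.Rules(), u.NeedReview, u.Complete(start.Add(2*time.Minute), 60*time.Second)
}

func main() {
	rules, review, done := RunSample()
	for _, r := range rules {
		fmt.Println(r)
	}
	fmt.Println("needs review:", review, "complete:", done)
}
```

The updater only adds exact paths as they appear in the log; generalising them to globs (for example a log directory rather than one file) is a deliberate human step, as is choosing the exec transition for anything in `NeedReview`. Filtering on the profile name matters in a shared node: the `other-profile` line in the sample must never become a rule in `nginx-complain`.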
To achieve this, the log enricher and profile recorder need to be extended in order to support apparmor profile updates when a profile is in complain mode, and missing permissions are detected.
We should also consider adding a flag in the apparmorprofile status which indicates whether a profile is partial or complete. This information can be used to decide when a profile is ready to be switched from complain mode to enforce mode.
Why is this needed:
This feature is required in order to use the apparmor profile with confidence for production workloads, which must not be disrupted by an incomplete profile.