apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-3-proc-path-owner-allow
  namespace: multiubuntu
spec:
  severity: 7
  selector:
    matchLabels:
      container: ubuntu-3
  process:
    matchPaths:
    - path: /home/user1/hello
      ownerOnly: true
    matchDirectories:
    - dir: /bin/ # required to change root to user1
      recursive: true
    - dir: /usr/bin/ # used in changing accounts
      recursive: true
  file:
    matchPaths:
    - path: /root/.bashrc # used by root
    - path: /root/.bash_history # used by root
    - path: /home/user1/.profile # used by user1
    - path: /home/user1/.bashrc # used by user1
    - path: /run/utmp # required to change root to user1
    - path: /dev/tty
    matchDirectories:
    - dir: /etc/ # required to change root to user1 (coarse-grained way)
      recursive: true
    - dir: /proc/ # required to change root to user1 (coarse-grained way)
      recursive: true
    - dir: /lib/ # used by root and user1
      recursive: true
    - dir: /sys/ # used by root and user1
      recursive: true
    - dir: /pts/ # used by root and user1
      recursive: true
  action:
    Allow

# multiubuntu_test_14

# test
# $ /home/user1/hello
# bash: /home/user1/hello: Permission denied
# $ su - user1 -c "/home/user1/hello"
# helloworld