Log enricher running unprivileged and extends supported audit line types

[pjbgf]

What type of PR is this?

/kind feature

What this PR does / why we need it:

• Extends log enrichment support to type=AVC (SELinux) and type=SECCOMP audit lines
• Removes dependency on /dev/kmsg device.

Which issue(s) this PR fixes:

Relates to: #244

Does this PR have test?

Yes. But E2E tests will be added on follow-up PRs.

Special notes for your reviewer:

Different distros may log seccomp audit lines differently, I have tested this based on log lines from Ubuntu (type=1326) and Fedora (type=SECCOMP).

The /dev/kmsg ended up being a dead-end as it cannot be executed in a least privilege mode. A follow-up PR will cater for the automatic creation of a symlink /var/log/spo.log pointing to the supported kernel log in the given distribution. In the interim the symlink needs to be manually created.

Does this PR introduce a user-facing change?

Log enricher now supports SELinux log lines and runs unprivileged.

[codecov-io]

Codecov Report

Merging #339 (8207398) into master (65ad696) will increase coverage by 2.32%.
The diff coverage is 40.84%.

@@            Coverage Diff             @@
##           master     #339      +/-   ##
==========================================
+ Coverage   27.34%   29.66%   +2.32%     
==========================================
  Files           9        9              
  Lines         673      691      +18     
==========================================
+ Hits          184      205      +21     
+ Misses        470      467       -3     
  Partials       19       19              

Flag	Coverage Δ
unittests	29.66% <40.84%> (+2.32%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
internal/pkg/daemon/enricher/main.go	0.00% <0.00%> (ø)
internal/pkg/daemon/enricher/container.go	11.90% <26.31%> (+11.90%)	⬆️
internal/pkg/daemon/enricher/audit.go	90.32% <88.88%> (+4.60%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 65ad696...8207398. Read the comment docs.

[saschagrunert]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pjbgf, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pjbgf,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[saschagrunert]

The /dev/kmsg ended up being a dead-end as it cannot be executed in a least privilege mode. A follow-up PR will cater for the automatic creation of a symlink /var/log/spo.log pointing to the supported kernel log in the given distribution. In the interim the symlink needs to be manually created.

Hey @pjbgf, do you think you could follow up on that?