test: external triggers for integration

- Add external scripts to be triggered in order to test data filter
related to events that uses LSM.

Author: rscampos

tests/integration/event_filters_test.go

@@ -2290,6 +2290,341 @@ func Test_EventFilters(t *testing.T) {
 			coolDown:     0,
 			test:         ExpectAllInOrderSequentially,
 		},
+		{
+			name: "event: data: trace event security_kernel_read_file and security_kernel_post_read_file using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_kernel_read_file",
+									Filters: []string{
+										"data.pathname=*linux_module.ko",
+									},
+								},
+							},
+						},
+					},
+				}, {
+					Id: 2,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-2",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_kernel_post_read_file",
+									Filters: []string{
+										"data.pathname=*linux_module.ko",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'scripts/load_module_security_checks.sh'",
+					1*time.Second,
+					30*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "insmod", testutils.CPUForTests, anyPID, 0, events.SecurityKernelReadFile, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*linux_module.ko")),
+						expectEvent(anyHost, "insmod", testutils.CPUForTests, anyPID, 0, events.SecurityPostReadFile, orPolNames("lsm-pol-2"), orPolIDs(2), expectArg("pathname", "*linux_module.ko")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_inode_symlink, security_inode_rename and security_inode_unlink using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_inode_symlink",
+									Filters: []string{
+										"data.linkpath=/tmp/inodefile",
+									},
+								},
+								{
+									Event: "security_inode_rename",
+									Filters: []string{
+										"data.old_path=/tmp/inodefi*",
+									},
+								},
+							},
+						},
+					},
+				}, {
+					Id: 2,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-2",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_inode_unlink",
+									Filters: []string{
+										"data.pathname=*inodefile_new",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'ln -s /etc/passwd /tmp/inodefile ; mv /tmp/inodefile /tmp/inodefile_new ; rm -rf /tmp/inodefile_new'",
+					0,
+					2*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "ln", testutils.CPUForTests, anyPID, 0, events.SecurityInodeSymlinkEventId, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("linkpath", "/tmp/inodefile")),
+						expectEvent(anyHost, "mv", testutils.CPUForTests, anyPID, 0, events.SecurityInodeRename, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("old_path", "/tmp/inodefile")),
+						expectEvent(anyHost, "rm", testutils.CPUForTests, anyPID, 0, events.SecurityInodeUnlink, orPolNames("lsm-pol-2"), orPolIDs(2), expectArg("pathname", "/tmp/inodefile_new")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAllInOrderSequentially,
+		},
+		{
+			name: "comm: event: data: trace event security_bprm_check, shared_object_loaded and security_file_mprotect using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Scope: []string{
+								"comm=load_file",
+							},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_bprm_check",
+									Filters: []string{
+										"data.pathname=/usr/bin/ls",
+									},
+								},
+								{
+									Event: "shared_object_loaded",
+									Filters: []string{
+										"data.pathname=*libc.so.6",
+									},
+								},
+								{
+									Event: "security_file_mprotect",
+									Filters: []string{
+										"data.pathname=*load_file",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'scripts/load_file_security_checks.sh'",
+					1*time.Second,
+					10*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SharedObjectLoaded, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*libc.so.6")),
+						expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SecurityFileMprotect, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*load_file")),
+						expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SecurityBprmCheck, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "/usr/bin/ls")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_sb_mount using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_sb_mount",
+									Filters: []string{
+										"data.path=/mnt/tmpfs",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'mkdir -p /mnt/tmpfs && mount -t tmpfs tmpfs /mnt/tmpfs'",
+					0,
+					5*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "mount", testutils.CPUForTests, anyPID, 0, events.SecuritySbMount, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("path", "/mnt/tmpfs")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_inode_mknod using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_inode_mknod",
+									Filters: []string{
+										"data.file_name=/tmp/char_file",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'mknod /tmp/char_file c 1 3'",
+					0,
+					5*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "mknod", testutils.CPUForTests, anyPID, 0, events.SecurityInodeMknod, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("file_name", "/tmp/char_file")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_path_notify using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_path_notify",
+									Filters: []string{
+										"data.pathname=/tmp/inotify_file",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'scripts/inotify_file.sh'",
+					1*time.Second,
+					30*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "inotifywait", testutils.CPUForTests, anyPID, 0, events.SecurityPathNotify, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "/tmp/inotify_file")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_bpf_prog and security_bpf_map using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_bpf_prog",
+									Filters: []string{
+										"data.name=sys_enter_exe*",
+									},
+								},
+								{
+									Event: "security_bpf_map",
+									Filters: []string{
+										"data.map_name=*my_fixed_map",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'scripts/load_ebpf_prog_map.sh'",
+					1*time.Second,
+					30*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "bpftrace", testutils.CPUForTests, anyPID, 0, events.SecurityBPFMap, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("map_name", "AT_my_fixed_map")),
+						expectEvent(anyHost, "bpftrace", testutils.CPUForTests, anyPID, 0, events.SecurityBpfProg, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("name", "sys_enter_execv")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown:     0,
+			test:         ExpectAllInOrderSequentially,
+		},
 	}
 
 	// run tests cases

tests/integration/scripts/inotify_file.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/bash
+
+exit_err() {
+    echo -n "ERROR: "
+    echo "$@"
+    exit 1
+}
+
+# Install inotify-tools
+apt update -y || exit_err "Failed to update package list"
+apt install -y inotify-tools || exit_err "Failed to install inotify-tools"
+
+# Create the file
+touch /tmp/inotify_file
+
+# Run inotifywait for 5 seconds only
+timeout 5 inotifywait -m /tmp/inotify_file || exit 0

tests/integration/scripts/load_ebpf_prog_map.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/bash
+
+exit_err() {
+    echo -n "ERROR: "
+    echo "$@"
+    exit 1
+}
+
+# Install bpftrace
+apt update -y || exit_err "Failed to update package list"
+apt install -y bpftrace || exit_err "Failed to install bpftrace"
+
+# Run bpftrace command
+timeout 5 bpftrace -e '
+tracepoint:syscalls:sys_enter_execve {
+    @my_fixed_map = count();
+}' || exit 0

tests/integration/scripts/load_file.c

@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+int main() {
+    // Program to execute
+    char *program = "/bin/ls";
+    char *args[] = { "ls", "-l", NULL };
+    char *env[] = { NULL };
+
+    if (execve(program, args, env) == -1) {
+        perror("execve failed");
+        exit(EXIT_FAILURE);
+    }
+
+    return 0;
+}