
Commit 980cb0a

committed
test: external triggers for integration
- Add external scripts that are triggered by the integration tests to exercise data filters for LSM-based events.
1 parent 57b4fbf commit 980cb0a

12 files changed

+614
-0
lines changed


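--- a/tests/integration/event_filters_test.go
+++ b/tests/integration/event_filters_test.go
@@ -2289,6 +2289,341 @@ func Test_EventFilters(t *testing.T) {
 			coolDown: 0,
 			test: ExpectAllInOrderSequentially,
 		},
+		{
+			name: "event: data: trace event security_kernel_read_file and security_kernel_post_read_file using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_kernel_read_file",
+									Filters: []string{
+										"data.pathname=*linux_module.ko",
+									},
+								},
+							},
+						},
+					},
+				}, {
+					Id: 2,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-2",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_kernel_post_read_file",
+									Filters: []string{
+										"data.pathname=*linux_module.ko",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh scripts/module_load_security_checks.sh",
+					0,
+					15*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "insmod", testutils.CPUForTests, anyPID, 0, events.SecurityKernelReadFile, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*linux_module.ko")),
+						expectEvent(anyHost, "insmod", testutils.CPUForTests, anyPID, 0, events.SecurityPostReadFile, orPolNames("lsm-pol-2"), orPolIDs(2), expectArg("pathname", "*linux_module.ko")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown: 0,
+			test: ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_inode_symlink, security_inode_rename and security_inode_unlink using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_inode_symlink",
+									Filters: []string{
+										"data.linkpath=/tmp/inodefile",
+									},
+								},
+								{
+									Event: "security_inode_rename",
+									Filters: []string{
+										"data.old_path=/tmp/inodefi*",
+									},
+								},
+							},
+						},
+					},
+				}, {
+					Id: 2,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-2",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_inode_unlink",
+									Filters: []string{
+										"data.pathname=*inodefile_new",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'ln -s /etc/passwd /tmp/inodefile ; mv /tmp/inodefile /tmp/inodefile_new ; rm -rf /tmp/inodefile_new'",
+					0,
+					2*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "ln", testutils.CPUForTests, anyPID, 0, events.SecurityInodeSymlinkEventId, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("linkpath", "/tmp/inodefile")),
+						expectEvent(anyHost, "mv", testutils.CPUForTests, anyPID, 0, events.SecurityInodeRename, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("old_path", "/tmp/inodefile")),
+						expectEvent(anyHost, "rm", testutils.CPUForTests, anyPID, 0, events.SecurityInodeUnlink, orPolNames("lsm-pol-2"), orPolIDs(2), expectArg("pathname", "/tmp/inodefile_new")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown: 0,
+			test: ExpectAllInOrderSequentially,
+		},
+		{
+			name: "comm: event: data: trace event security_bprm_check, shared_object_loaded and security_file_mprotect using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Scope: []string{
+								"comm=load_file",
+							},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_bprm_check",
+									Filters: []string{
+										"data.pathname=/usr/bin/ls",
+									},
+								},
+								{
+									Event: "shared_object_loaded",
+									Filters: []string{
+										"data.pathname=*libc.so.6",
+									},
+								},
+								{
+									Event: "security_file_mprotect",
+									Filters: []string{
+										"data.pathname=*load_file",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'scripts/load_file_security_checks.sh'",
+					0,
+					5*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SharedObjectLoaded, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*libc.so.6")),
+						expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SecurityFileMprotect, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*load_file")),
+						expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SecurityBprmCheck, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "/usr/bin/ls")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown: 0,
+			test: ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_sb_mount using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_sb_mount",
+									Filters: []string{
+										"data.path=/mnt/tmpfs",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'mkdir -p /mnt/tmpfs && mount -t tmpfs tmpfs /mnt/tmpfs'",
+					0,
+					5*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "mount", testutils.CPUForTests, anyPID, 0, events.SecuritySbMount, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("path", "/mnt/tmpfs")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown: 0,
+			test: ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_inode_mknod using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_inode_mknod",
+									Filters: []string{
+										"data.file_name=/tmp/char_file",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'mknod /tmp/char_file c 1 3'",
+					0,
+					5*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "mknod", testutils.CPUForTests, anyPID, 0, events.SecurityInodeMknod, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("file_name", "/tmp/char_file")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown: 0,
+			test: ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_path_notify using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_path_notify",
+									Filters: []string{
+										"data.pathname=/tmp/inotify_file",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'scripts/inotify_file.sh'",
+					0,
+					5*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "inotify_file", testutils.CPUForTests, anyPID, 0, events.SecurityPathNotify, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "/tmp/inotify_file")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown: 0,
+			test: ExpectAllInOrderSequentially,
+		},
+		{
+			name: "event: data: trace event security_bpf_prog and security_bpf_map using data filter",
+			policyFiles: []testutils.PolicyFileWithID{
+				{
+					Id: 1,
+					PolicyFile: v1beta1.PolicyFile{
+						Metadata: v1beta1.Metadata{
+							Name: "lsm-pol-1",
+						},
+						Spec: k8s.PolicySpec{
+							DefaultActions: []string{"log"},
+							Rules: []k8s.Rule{
+								{
+									Event: "security_bpf_prog",
+									Filters: []string{
+										"data.name=ebpf_prog_*",
+									},
+								},
+								{
+									Event: "security_bpf_map",
+									Filters: []string{
+										"data.map_name=*_map_test",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"sh -c 'scripts/load_ebpf_prog_map.sh'",
+					1*time.Second,
+					10*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "load_ebpf", testutils.CPUForTests, anyPID, 0, events.SecurityBpfProg, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("name", "ebpf_prog_test")),
+						expectEvent(anyHost, "load_ebpf", testutils.CPUForTests, anyPID, 0, events.SecurityBPFMap, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("map_name", "ebpf_map_test")),
+					},
+					[]string{},
+				),
+			},
+			useSyscaller: false,
+			coolDown: 0,
+			test: ExpectAllInOrderSequentially,
+		},
 	}
 
 	// run tests cases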
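Review bot: The `security_inode_mknod` and `security_sb_mount` cases leave host state behind — `/tmp/char_file` is never removed and `/mnt/tmpfs` is never unmounted — so a second run on the same machine likely gets EEXIST from `mknod` before the LSM hook fires (no event, test fails) and stacks another tmpfs on each run; I'd make the commands self-cleaning, `sh -c 'mknod /tmp/char_file c 1 3 ; rm -f /tmp/char_file'` and `sh -c 'mkdir -p /mnt/tmpfs && mount -t tmpfs tmpfs /mnt/tmpfs ; umount /mnt/tmpfs'`. The symlink case has the same rerun hazard if an earlier run died between `ln` and `rm`, since `ln -s` refuses an existing `/tmp/inodefile`. More broadly these commands run as root against fixed, predictable names in world-writable `/tmp` (`/tmp/inodefile`, `/tmp/inodefile_new`, `/tmp/char_file`, `/tmp/inotify_file`), so a pre-existing entry created by another local user changes what `mv`/`rm -rf` act on; a per-run `mktemp -d` directory would remove both the rerun failures and that interference at the cost of switching the `data.*` filters to a prefix glob. The kernel-module, `load_file` and BPF cases depend on `scripts/*.sh` and a `linux_module.ko` artifact that are not in this hunk, and several expectations pass globs to `expectArg` (`*linux_module.ko`, `*libc.so.6`, `*load_file`), which only works if that matcher supports wildcards — worth confirming against its definition. `Test_EventFilters` continues past the end of this hunk.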
