
Commit eacfe7c

committed
test: external triggers for integration
- Add external scripts to be triggered in order to test the data filter for events that use LSM.
1 parent 3fa4d41 commit eacfe7c


12 files changed

+614
-0
lines changed


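--- a/tests/integration/event_filters_test.go
+++ b/tests/integration/event_filters_test.go
@@ -2290,6 +2290,341 @@ func Test_EventFilters(t *testing.T) {
 coolDown: 0,
 test: ExpectAllInOrderSequentially,
 },
+{
+name: "event: data: trace event security_kernel_read_file and security_kernel_post_read_file using data filter",
+policyFiles: []testutils.PolicyFileWithID{
+{
+Id: 1,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-1",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Rules: []k8s.Rule{
+{
+Event: "security_kernel_read_file",
+Filters: []string{
+"data.pathname=*linux_module.ko",
+},
+},
+},
+},
+},
+}, {
+Id: 2,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-2",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Rules: []k8s.Rule{
+{
+Event: "security_kernel_post_read_file",
+Filters: []string{
+"data.pathname=*linux_module.ko",
+},
+},
+},
+},
+},
+},
+},
+cmdEvents: []cmdEvents{
+newCmdEvents(
+"sh -c 'scripts/load_module_security_checks.sh'",
+1*time.Second,
+30*time.Second,
+[]trace.Event{
+expectEvent(anyHost, "insmod", testutils.CPUForTests, anyPID, 0, events.SecurityKernelReadFile, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*linux_module.ko")),
+expectEvent(anyHost, "insmod", testutils.CPUForTests, anyPID, 0, events.SecurityPostReadFile, orPolNames("lsm-pol-2"), orPolIDs(2), expectArg("pathname", "*linux_module.ko")),
+},
+[]string{},
+),
+},
+useSyscaller: false,
+coolDown: 0,
+test: ExpectAllInOrderSequentially,
+},
+{
+name: "event: data: trace event security_inode_symlink, security_inode_rename and security_inode_unlink using data filter",
+policyFiles: []testutils.PolicyFileWithID{
+{
+Id: 1,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-1",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Rules: []k8s.Rule{
+{
+Event: "security_inode_symlink",
+Filters: []string{
+"data.linkpath=/tmp/inodefile",
+},
+},
+{
+Event: "security_inode_rename",
+Filters: []string{
+"data.old_path=/tmp/inodefi*",
+},
+},
+},
+},
+},
+}, {
+Id: 2,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-2",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Rules: []k8s.Rule{
+{
+Event: "security_inode_unlink",
+Filters: []string{
+"data.pathname=*inodefile_new",
+},
+},
+},
+},
+},
+},
+},
+cmdEvents: []cmdEvents{
+newCmdEvents(
+"sh -c 'ln -s /etc/passwd /tmp/inodefile ; mv /tmp/inodefile /tmp/inodefile_new ; rm -rf /tmp/inodefile_new'",
+0,
+2*time.Second,
+[]trace.Event{
+expectEvent(anyHost, "ln", testutils.CPUForTests, anyPID, 0, events.SecurityInodeSymlinkEventId, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("linkpath", "/tmp/inodefile")),
+expectEvent(anyHost, "mv", testutils.CPUForTests, anyPID, 0, events.SecurityInodeRename, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("old_path", "/tmp/inodefile")),
+expectEvent(anyHost, "rm", testutils.CPUForTests, anyPID, 0, events.SecurityInodeUnlink, orPolNames("lsm-pol-2"), orPolIDs(2), expectArg("pathname", "/tmp/inodefile_new")),
+},
+[]string{},
+),
+},
+useSyscaller: false,
+coolDown: 0,
+test: ExpectAllInOrderSequentially,
+},
+{
+name: "comm: event: data: trace event security_bprm_check, shared_object_loaded and security_file_mprotect using data filter",
+policyFiles: []testutils.PolicyFileWithID{
+{
+Id: 1,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-1",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Scope: []string{
+"comm=load_file",
+},
+Rules: []k8s.Rule{
+{
+Event: "security_bprm_check",
+Filters: []string{
+"data.pathname=/usr/bin/ls",
+},
+},
+{
+Event: "shared_object_loaded",
+Filters: []string{
+"data.pathname=*libc.so.6",
+},
+},
+{
+Event: "security_file_mprotect",
+Filters: []string{
+"data.pathname=*load_file",
+},
+},
+},
+},
+},
+},
+},
+cmdEvents: []cmdEvents{
+newCmdEvents(
+"sh -c 'scripts/load_file_security_checks.sh'",
+1*time.Second,
+10*time.Second,
+[]trace.Event{
+expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SharedObjectLoaded, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*libc.so.6")),
+expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SecurityFileMprotect, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "*load_file")),
+expectEvent(anyHost, "load_file", testutils.CPUForTests, anyPID, 0, events.SecurityBprmCheck, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "/usr/bin/ls")),
+},
+[]string{},
+),
+},
+useSyscaller: false,
+coolDown: 0,
+test: ExpectAllInOrderSequentially,
+},
+{
+name: "event: data: trace event security_sb_mount using data filter",
+policyFiles: []testutils.PolicyFileWithID{
+{
+Id: 1,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-1",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Rules: []k8s.Rule{
+{
+Event: "security_sb_mount",
+Filters: []string{
+"data.path=/mnt/tmpfs",
+},
+},
+},
+},
+},
+},
+},
+cmdEvents: []cmdEvents{
+newCmdEvents(
+"sh -c 'mkdir -p /mnt/tmpfs && mount -t tmpfs tmpfs /mnt/tmpfs'",
+0,
+5*time.Second,
+[]trace.Event{
+expectEvent(anyHost, "mount", testutils.CPUForTests, anyPID, 0, events.SecuritySbMount, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("path", "/mnt/tmpfs")),
+},
+[]string{},
+),
+},
+useSyscaller: false,
+coolDown: 0,
+test: ExpectAllInOrderSequentially,
+},
+{
+name: "event: data: trace event security_inode_mknod using data filter",
+policyFiles: []testutils.PolicyFileWithID{
+{
+Id: 1,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-1",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Rules: []k8s.Rule{
+{
+Event: "security_inode_mknod",
+Filters: []string{
+"data.file_name=/tmp/char_file",
+},
+},
+},
+},
+},
+},
+},
+cmdEvents: []cmdEvents{
+newCmdEvents(
+"sh -c 'mknod /tmp/char_file c 1 3'",
+0,
+5*time.Second,
+[]trace.Event{
+expectEvent(anyHost, "mknod", testutils.CPUForTests, anyPID, 0, events.SecurityInodeMknod, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("file_name", "/tmp/char_file")),
+},
+[]string{},
+),
+},
+useSyscaller: false,
+coolDown: 0,
+test: ExpectAllInOrderSequentially,
+},
+{
+name: "event: data: trace event security_path_notify using data filter",
+policyFiles: []testutils.PolicyFileWithID{
+{
+Id: 1,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-1",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Rules: []k8s.Rule{
+{
+Event: "security_path_notify",
+Filters: []string{
+"data.pathname=/tmp/inotify_file",
+},
+},
+},
+},
+},
+},
+},
+cmdEvents: []cmdEvents{
+newCmdEvents(
+"sh -c 'scripts/inotify_file.sh'",
+1*time.Second,
+10*time.Second,
+[]trace.Event{
+expectEvent(anyHost, "inotify_file", testutils.CPUForTests, anyPID, 0, events.SecurityPathNotify, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("pathname", "/tmp/inotify_file")),
+},
+[]string{},
+),
+},
+useSyscaller: false,
+coolDown: 0,
+test: ExpectAllInOrderSequentially,
+},
+{
+name: "event: data: trace event security_bpf_prog and security_bpf_map using data filter",
+policyFiles: []testutils.PolicyFileWithID{
+{
+Id: 1,
+PolicyFile: v1beta1.PolicyFile{
+Metadata: v1beta1.Metadata{
+Name: "lsm-pol-1",
+},
+Spec: k8s.PolicySpec{
+DefaultActions: []string{"log"},
+Rules: []k8s.Rule{
+{
+Event: "security_bpf_prog",
+Filters: []string{
+"data.name=ebpf_prog_*",
+},
+},
+{
+Event: "security_bpf_map",
+Filters: []string{
+"data.map_name=*_map_test",
+},
+},
+},
+},
+},
+},
+},
+cmdEvents: []cmdEvents{
+newCmdEvents(
+"sh -c 'scripts/load_ebpf_prog_map.sh'",
+1*time.Second,
+10*time.Second,
+[]trace.Event{
+expectEvent(anyHost, "load_ebpf", testutils.CPUForTests, anyPID, 0, events.SecurityBpfProg, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("name", "ebpf_prog_test")),
+expectEvent(anyHost, "load_ebpf", testutils.CPUForTests, anyPID, 0, events.SecurityBPFMap, orPolNames("lsm-pol-1"), orPolIDs(1), expectArg("map_name", "ebpf_map_test")),
+},
+[]string{},
+),
+},
+useSyscaller: false,
+coolDown: 0,
+test: ExpectAllInOrderSequentially,
+},
 }
 
 // run tests cases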
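Review bot: The commands added at new lines 2399, 2494 and 2532 leave state behind on the host and are not idempotent: `ln -s` fails if `/tmp/inodefile` already exists, `mount` stacks another tmpfs on `/mnt/tmpfs` on every run with nothing unmounting it, and `mknod` returns EEXIST when `/tmp/char_file` survives from an earlier run, in which case the mknod hook presumably never fires and the case times out. Since the filters hard-code these paths, the cheap fix is to clear and tear down within the same command, e.g. `rm -f /tmp/inodefile; ln -s ...`, `... && umount /mnt/tmpfs` and `rm -f /tmp/char_file; mknod /tmp/char_file c 1 3`, after checking that the extra unlink does not match a filter in the same case (`*inodefile_new` does not match `/tmp/inodefile`). Separately, the expectations at 2340, 2341, 2458 and 2459 pass glob patterns such as `*linux_module.ko` to `expectArg`, while 2618 passes the concrete value `ebpf_prog_test` for a `ebpf_prog_*` filter; if `expectArg` compares literally, the glob variants can never match, so the comparison semantics should be confirmed or the expected values made concrete. Test_EventFilters starts and ends outside the hunk.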
