fix(tests): make test policies compatible with newer ubuntu
Signed-off-by: daemon1024 <barun1024@gmail.com>
daemon1024 committed Oct 21, 2024
1 parent 8dd10c4 commit 24ebbdb
Showing 33 changed files with 51 additions and 38 deletions.
4 changes: 3 additions & 1 deletion tests/k8s_env/blockposture/res/ksp-wordpress-allow-file.yaml
@@ -17,6 +17,7 @@ spec:
recursive: true
- dir: /lib/x86_64-linux-gnu/
- dir: /bin/
- dir: /usr/bin/
- dir: /pts/
recursive: true
- dir: /dev/
@@ -27,11 +28,12 @@ spec:
- path: /dev/tty
- path: /lib/terminfo/x/xterm
- fromSource:
- path: /bin/cat
- path: /usr/bin/cat
path: /var/www/html/readme.html
process:
matchDirectories:
- dir: /bin/
- dir: /usr/bin/
recursive: true

# http://[NodeIP]:30080
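Review bot: In the `@@ -27,11 +28,12 @@` hunk the `recursive: true` under `process.matchDirectories` follows two list items, `- dir: /bin/` and `- dir: /usr/bin/`, and YAML attaches it only to the last one; if `/bin/` survives as its own entry it is now matched non-recursively while `/usr/bin/` is recursive. The rendered view does not show which of the two `dir:` lines is the added one (the file counts allow either reading), so this is worth checking against the raw diff. If `/bin/` is meant to stay, give it its own `recursive: true` as the neighbouring entries have; if it is redundant on a usrmerged image (where `/bin` presumably resolves to `/usr/bin`), drop it so the policy states one allow-list entry per path.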
@@ -15,7 +15,7 @@ spec:
- path: /usr/bin/curl
process:
matchDirectories:
- dir: /bin/ # required to change root to user1
- dir: /usr/bin/ # required to change root to user1
recursive: true
- dir: /usr/bin/ # used in changing accounts
recursive: true
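Review bot: The rewritten line leaves two `- dir: /usr/bin/` entries in the same `process.matchDirectories` list (`# required to change root to user1` and `# used in changing accounts`), each with `recursive: true`; the duplicate does not widen the allow-list, but the two comments now describe the same path as if it were two, which will confuse the next reader of the policy. Keep a single entry and merge the comments, e.g. `- dir: /usr/bin/ # su (change root to user1) and the account tools` followed by `recursive: true`. The same duplication appears in tests/k8s_env/configmap/manifests/ksp-unannotated-allow.yaml (both hunks: `/usr/bin/` now occurs twice in the file list and twice in the process list) and in the `@@ -11,6 +11,7 @@` hunk of the section whose context line reads `process: # base whitelisting rules`.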
2 changes: 2 additions & 0 deletions tests/k8s_env/configmap/manifests/ksp-unannotated-allow.yaml
@@ -21,6 +21,7 @@ spec:
- dir: /pts/
- dir: /bin/
- dir: /usr/bin/
- dir: /usr/bin/
- dir: /proc/
recursive: true
- dir: /dev/
@@ -33,6 +34,7 @@ spec:
process:
matchDirectories:
- dir: /bin/ # required to change root to user1
- dir: /usr/bin/ # required to change root to user1
- dir: /usr/bin/ # used in changing accounts
action:
Allow
2 changes: 1 addition & 1 deletion tests/k8s_env/ksp/ksp_test.go
@@ -1832,7 +1832,7 @@ var _ = Describe("Ksp", func() {
)

expectLog := protobuf.Log{
Source: "/bin/cat /dev/shm/new",
Source: "/usr/bin/cat /dev/shm/new",
Result: "Passed",
}

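Review bot: `Source` is now pinned to the usrmerged path `/usr/bin/cat`, so this exact-match expectation depends silently on the filesystem layout of the test image; on an image where `/bin` is a real directory the log would presumably report `/bin/cat` and the test would fail without saying why. A short comment on the changed line would record the assumption, e.g. `// expects a usrmerged image: /bin is a symlink to /usr/bin, so the exec path is reported under /usr/bin`. The enclosing Describe closure starts and ends outside the hunk.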
@@ -11,9 +11,9 @@ spec:
group: group-1
process:
matchPaths:
- path: /bin/ls
- path: /usr/bin/ls
fromSource:
- path: /bin/dash
- path: /usr/bin/dash
action:
Block

@@ -11,12 +11,12 @@ spec:
group: group-1
process:
matchPaths:
- path: /bin/sleep
- path: /usr/bin/sleep
action:
Block

# multiubuntu_test_01

# test
# $ sleep 1
# bash: /bin/sleep: Permission denied
# bash: /usr/bin/sleep: Permission denied
@@ -12,12 +12,12 @@ spec:
process:
matchDirectories:
- dir: /bin/
recursive: true
- dir: /usr/bin/
file:
matchPaths:
- path: /secret.txt
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
- path: /dev/tty
- path: /lib/terminfo/x/xterm
matchDirectories:
@@ -29,6 +29,7 @@ spec:
recursive: true
- dir: /lib/x86_64-linux-gnu/
- dir: /bin/
- dir: /usr/bin/
action:
Allow

@@ -11,6 +11,7 @@ spec:
process: # base whitelisting rules
matchDirectories:
- dir: /bin/ # required to change root to user1 / try 'su - user1'
- dir: /usr/bin/ # required to change root to user1 / try 'su - user1'
recursive: true
- dir: /usr/bin/ # used in changing accounts
recursive: true
@@ -19,8 +20,8 @@ spec:
- path: /home/user1/secret_data1.txt
ownerOnly: true
fromSource:
- path: /bin/cat
# - path: /bin/su
- path: /usr/bin/cat
# - path: /usr/bin/su
- path: /root/.bashrc # used by root
- path: /root/.bash_history # used by root
- path: /home/user1/.profile # used by user1
@@ -13,7 +13,7 @@ spec:
matchPaths:
- path: /secret.txt
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
action:
Audit

@@ -13,7 +13,7 @@ spec:
- path: /home/user1/secret_data1.txt
ownerOnly: true
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
action:
Audit

@@ -10,7 +10,7 @@ spec:
group: group-2
process:
matchPaths:
- path: /bin/sleep
- path: /usr/bin/sleep
action:
Audit

@@ -13,7 +13,7 @@ spec:
matchPaths:
- path: /secret.txt
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
action:
Block

@@ -13,7 +13,7 @@ spec:
- path: /home/user1/secret_data1.txt
ownerOnly: true
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
action:
Block

@@ -10,7 +10,7 @@ spec:
container: ubuntu-3
process:
matchDirectories:
- dir: /bin/ # required to change root to user1
- dir: /bin # required to change root to user1
recursive: true
- dir: /usr/bin/ # used in changing accounts
recursive: true
@@ -36,7 +36,7 @@ spec:
recursive: true
- dir: /pts/ # used by root and user1
recursive: true
- dir: /bin/
- dir: /usr/bin/
recursive: true
action:
Allow
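Review bot: The first hunk (`@@ -10,7 +10,7 @@`) turns `- dir: /bin/ # required to change root to user1` into `- dir: /bin # required to change root to user1`, dropping the trailing slash instead of switching to `/usr/bin/` as every other hunk in this commit does; every other `dir:` value in this file ends with `/`, and if the policy schema requires that (the surrounding entries suggest it does) this entry is either rejected or silently not the intended path. It should probably read `- dir: /usr/bin/ # required to change root to user1`, which would then duplicate the `/usr/bin/ # used in changing accounts` entry two lines below, so one of the two can be dropped.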
@@ -13,6 +13,8 @@ spec:
matchDirectories:
- dir: /bin/
recursive: true
- dir: /usr/bin/
recursive: true
file:
matchPaths:
- path: /root/.bashrc # used by root
@@ -30,6 +32,7 @@ spec:
recursive: true
- dir: /lib/x86_64-linux-gnu/
- dir: /bin/
- dir: /usr/bin/
# - dir: /etc/ # required to change root to user1 (coarse-grained way)
# recursive: true
# - dir: /lib/ # used by root and user1
@@ -39,6 +39,8 @@ spec:
recursive: true
- dir: /bin/
recursive: true
- dir: /usr/bin/
recursive: true
- dir: /dev/
recursive: true
action:
@@ -15,7 +15,7 @@ spec:
matchPaths:
- path: /home/user1/readwrite
# fromSource:
# - path: /bin/su
# - path: /usr/bin/su
matchDirectories:
- dir: /bin/ # required to change root to user1 / try 'su - user1'
recursive: true
@@ -29,7 +29,7 @@ spec:
fromSource:
- path: /home/user1/readwrite
- path: /home/user1/readwrite
# - path: /bin/su
# - path: /usr/bin/su
- path: /root/.bashrc # used by root
- path: /root/.bash_history # used by root
- path: /home/user1/.profile # used by user1
@@ -50,6 +50,8 @@ spec:
recursive: true
- dir: /bin/
recursive: true
- dir: /usr/bin/
recursive: true
action:
Allow

@@ -13,7 +13,7 @@ spec:
container: ubuntu-4
file:
matchDirectories:
- dir: /bin/ # used by root
- dir: /usr/bin/ # used by root
recursive: true
- dir: /pts/
recursive: true
@@ -11,7 +11,7 @@ spec:
kubearmor.io/container.name: "[container-1]"
process:
matchPaths:
- path: /bin/ls
- path: /usr/bin/ls
# ls
action:
Block
@@ -11,7 +11,7 @@ spec:
kubearmor.io/container.name: "[]"
process:
matchPaths:
- path: /bin/ls
- path: /usr/bin/ls
# ls
action:
Block
@@ -11,7 +11,7 @@ spec:
kubearmor.io/container.name: ""
process:
matchPaths:
- path: /bin/ls
- path: /usr/bin/ls
# ls
action:
Block
@@ -11,7 +11,7 @@ spec:
kubearmor.io/container.name: "[container-1,,]"
process:
matchPaths:
- path: /bin/ls
- path: /usr/bin/ls
# ls
action:
Block
@@ -11,7 +11,7 @@ spec:
kubearmor.io/container.name: "[caps-container]"
process:
matchPaths:
- path: /bin/ls
- path: /usr/bin/ls
# ls
action:
Block
@@ -11,7 +11,7 @@ spec:
kubearmor.io/container.name: "[priv-container]"
process:
matchPaths:
- path: /bin/ls
- path: /usr/bin/ls
# ls
action:
Block
@@ -11,8 +11,8 @@ spec:
container: ubuntu-1
process:
matchPaths:
- path: /bin/ls
- path: /usr/bin/ls
fromSource:
- path: /bin/dash
- path: /usr/bin/dash
action:
Block
@@ -13,6 +13,6 @@ spec:
matchPaths:
- path: /secret.txt
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
action:
Block
@@ -13,6 +13,6 @@ spec:
matchPaths:
- path: /secret.txt
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
action:
Allow
2 changes: 1 addition & 1 deletion tests/k8s_env/smoke/res/ksp-wordpress-allow-tcp.yaml
@@ -13,6 +13,6 @@ spec:
- protocol: tcp
fromSource:
- path: /usr/bin/curl
- path: /bin/bash
- path: /usr/bin/bash
action:
Allow
2 changes: 1 addition & 1 deletion tests/k8s_env/smoke/res/ksp-wordpress-block-config.yaml
@@ -13,7 +13,7 @@ spec:
matchPaths:
- path: /var/www/html/wp-config.php
fromSource:
- path: /bin/cat
- path: /usr/bin/cat

# http://[NodeIP]:30080
# cat /var/www/html/wp-config.php
@@ -18,7 +18,7 @@ spec:
- dir: /run/secrets/kubernetes.io/serviceaccount/
recursive: true
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
process:
matchDirectories:
- dir: /
4 changes: 2 additions & 2 deletions tests/k8s_env/smoke/res/ksp-wordpress-two-policies.yaml
@@ -13,7 +13,7 @@ spec:
matchPaths:
- path: /etc/passwd
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
action:
Block
---
@@ -32,6 +32,6 @@ spec:
matchPaths:
- path: /etc/shadow
fromSource:
- path: /bin/cat
- path: /usr/bin/cat
action:
Block
@@ -14,6 +14,6 @@ spec:
path: /home/
recursive: true
fromSource:
- dir: /bin/
- dir: /usr/bin/
action:
Audit
@@ -14,6 +14,6 @@ spec:
path: /home/
recursive: true
fromSource:
- path: /bin/unlink
- path: /usr/bin/unlink
action:
Audit
