

test(filters): kernel data filter
Add two different test cases:
- test1: policy1 without in-kernel filter and policy2 with in-kernel
  filter;
- test2: policy1 with two filters (one in-kernel filter and one non-in-kernel
  filter) and policy2 with in-kernel filter;
rscampos committed Jan 7, 2025
1 parent 889f472 commit 74bdace
Showing 1 changed file with 136 additions and 0 deletions.
136 changes: 136 additions & 0 deletions tests/integration/event_filters_test.go
Expand Up @@ -1950,6 +1950,142 @@ func Test_EventFilters(t *testing.T) {
coolDown: 0,
test: ExpectAtLeastOneForEach,
},
{
name: "comm: event: data: trace event security_file_open set in multiple policies (with and without in-kernel filter)",
policyFiles: []testutils.PolicyFileWithID{
{
Id: 1,
PolicyFile: v1beta1.PolicyFile{
Metadata: v1beta1.Metadata{
Name: "sfo-pol-1",
},
Spec: k8s.PolicySpec{
Scope: []string{
"comm=more",
},
DefaultActions: []string{"log"},
Rules: []k8s.Rule{
{
Event: "security_file_open",
Filters: []string{
"data.syscall_pathname=/sys/class/net*,/sys/class/dmi/id*",
},
},
},
},
},
},
{
Id: 2,
PolicyFile: v1beta1.PolicyFile{
Metadata: v1beta1.Metadata{
Name: "sfo-pol-2",
},
Spec: k8s.PolicySpec{
Scope: []string{
"comm=more",
},
DefaultActions: []string{"log"},
Rules: []k8s.Rule{
{
Event: "security_file_open",
Filters: []string{
"data.pathname=/etc/pam.d/*",
},
},
},
},
},
},
},
cmdEvents: []cmdEvents{
newCmdEvents(
"more /sys/class/dmi/id/bios_date",
0,
1*time.Second,
[]trace.Event{
expectEvent(anyHost, "more", testutils.CPUForTests, anyPID, 0, events.SecurityFileOpen, orPolNames("sfo-pol-1"), orPolIDs(1), expectArg("syscall_pathname", "/sys/class/dmi/id/bios_date")),
},
[]string{},
),
newCmdEvents(
"more /etc/pam.d/other",
0,
1*time.Second,
[]trace.Event{
expectEvent(anyHost, "more", testutils.CPUForTests, anyPID, 0, events.SecurityFileOpen, orPolNames("sfo-pol-2"), orPolIDs(2), expectArg("pathname", "/etc/pam.d/other")),
},
[]string{},
),
},
useSyscaller: false,
coolDown: 0,
test: ExpectAtLeastOneForEach,
},
{
name: "comm: event: data: trace event security_file_open set in multiple policies (with and without in-kernel filter) mixed in same policy",
policyFiles: []testutils.PolicyFileWithID{
{
Id: 1,
PolicyFile: v1beta1.PolicyFile{
Metadata: v1beta1.Metadata{
Name: "sfo-pol-1",
},
Spec: k8s.PolicySpec{
Scope: []string{
"comm=more",
},
DefaultActions: []string{"log"},
Rules: []k8s.Rule{
{
Event: "security_file_open",
Filters: []string{
"data.pathname=/sys/devices/virtual/dmi/id*",
"data.syscall_pathname=/sys/class/net*,/sys/class/dmi/id*",
},
},
},
},
},
},
{
Id: 2,
PolicyFile: v1beta1.PolicyFile{
Metadata: v1beta1.Metadata{
Name: "sfo-pol-2",
},
Spec: k8s.PolicySpec{
Scope: []string{
"comm=more",
},
DefaultActions: []string{"log"},
Rules: []k8s.Rule{
{
Event: "security_file_open",
Filters: []string{
"data.pathname=/etc/pam.d/*",
},
},
},
},
},
},
},
cmdEvents: []cmdEvents{
newCmdEvents(
"more /sys/class/dmi/id/bios_date",
0,
1*time.Second,
[]trace.Event{
expectEvent(anyHost, "more", testutils.CPUForTests, anyPID, 0, events.SecurityFileOpen, orPolNames("sfo-pol-1"), orPolIDs(1), expectArg("pathname", "/sys/devices/virtual/dmi/id/bios_date")),
},
[]string{},
),
},
useSyscaller: false,
coolDown: 0,
test: ExpectAtLeastOneForEach,
},
{
name: "comm: event: data: trace event security_mmap_file using multiple filter types",
policyFiles: []testutils.PolicyFileWithID{
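Review bot: Both new cases pin their expectations to host filesystem state that the test does not create or check: the second case expects `pathname` to resolve to `/sys/devices/virtual/dmi/id/bios_date` when `more /sys/class/dmi/id/bios_date` runs, which only holds where `/sys/class/dmi/id` is a symlink into `/sys/devices/virtual/dmi/id` (absent on hosts without DMI, e.g. some VMs and ARM runners), and the first case depends on `/etc/pam.d/other` existing. A short comment above each case would make the precondition visible to whoever triages a CI failure, e.g. `// requires /sys/class/dmi/id -> /sys/devices/virtual/dmi/id on the host` and `// requires /etc/pam.d/other on the host`. The second case also drops the `more /etc/pam.d/other` command that the first case runs, so it no longer demonstrates that policy 2's in-kernel filter still matches on its own once policy 1 mixes both filter kinds; re-adding that `newCmdEvents` entry with `orPolNames("sfo-pol-2"), orPolIDs(2)` would keep the two cases symmetric. Whether `orPolIDs(1)` also asserts that policy 2 did not match the same event depends on the helper, which is outside this hunk; the enclosing `Test_EventFilters` table starts and ends outside the hunk as well.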

