From 87393050a80212b812b35166717f3103df249a02 Mon Sep 17 00:00:00 2001 From: Jose Donizetti Date: Wed, 19 Jul 2023 20:11:45 +0000 Subject: [PATCH] feature(k8s): policy k8s compatible --- .../tracee/templates/tracee-policies.yaml | 74 +- deploy/kubernetes/tracee/tracee.yaml | 74 +- docs/docs/events/overview.md | 15 +- docs/docs/policies/index.md | 33 +- docs/docs/policies/rules.md | 57 +- docs/tutorials/k8s-policies.md | 88 +- examples/policies/container_dns_events.yaml | 20 +- examples/policies/context_comm.yaml | 22 +- examples/policies/dig.yaml | 20 +- examples/policies/new_containers.yaml | 19 +- examples/policies/new_pids.yaml | 20 +- examples/policies/not_containers.yaml | 17 +- examples/policies/openat_args_pahtname.yaml | 22 +- examples/policies/pid_equal.yaml | 28 +- examples/policies/scope_comm.yaml | 20 +- examples/policies/signature_events.yaml | 76 +- .../uid_higher_than_or_equal_to_zero.yaml | 20 +- pkg/cmd/cobra/helper.go | 3 +- pkg/cmd/flags/policy.go | 21 +- pkg/cmd/flags/policy_test.go | 969 +++++++++-------- pkg/policy/policy_file_test.go | 361 ------- pkg/policy/{ => v1beta1}/policy_file.go | 89 +- pkg/policy/v1beta1/policy_file_test.go | 488 +++++++++ tests/integration/event_filters_test.go | 988 ++++++++++-------- 24 files changed, 2026 insertions(+), 1518 deletions(-) delete mode 100644 pkg/policy/policy_file_test.go rename pkg/policy/{ => v1beta1}/policy_file.go (80%) create mode 100644 pkg/policy/v1beta1/policy_file_test.go diff --git a/deploy/helm/tracee/templates/tracee-policies.yaml b/deploy/helm/tracee/templates/tracee-policies.yaml index 0fa343b5cae2..19bda7e9fe01 100644 --- a/deploy/helm/tracee/templates/tracee-policies.yaml +++ b/deploy/helm/tracee/templates/tracee-policies.yaml @@ -7,38 +7,42 @@ metadata: {{- include "tracee.labels" . | nindent 4 }} data: signatures.yaml: |- - name: signature_events - description: traces all signature events - scope: - - global - rules: - - event: stdio_over_socket - - event: k8s_api_connection - - event: aslr_inspection - - event: proc_mem_code_injection - - event: docker_abuse - - event: scheduled_task_mod - - event: ld_preload - - event: cgroup_notify_on_release - - event: default_loader_mod - - event: sudoers_modification - - event: sched_debug_recon - - event: system_request_key_mod - - event: cgroup_release_agent - - event: rcd_modification - - event: core_pattern_modification - - event: proc_kcore_read - - event: proc_mem_access - - event: hidden_file_created - - event: anti_debugging - - event: ptrace_code_injection - - event: process_vm_write_inject - - event: disk_mount - - event: dynamic_code_loading - - event: fileless_execution - - event: illegitimate_shell - - event: kernel_module_loading - - event: k8s_cert_theft - - event: proc_fops_hooking - - event: syscall_hooking - - event: dropped_executable + apiVersion: aquasecurity.github.io/v1beta1 + kind: TraceePolicy + metadata: + name: signature_events + description: traces all signature events + spec: + scope: + - global + rules: + - event: stdio_over_socket + - event: k8s_api_connection + - event: aslr_inspection + - event: proc_mem_code_injection + - event: docker_abuse + - event: scheduled_task_mod + - event: ld_preload + - event: cgroup_notify_on_release + - event: default_loader_mod + - event: sudoers_modification + - event: sched_debug_recon + - event: system_request_key_mod + - event: cgroup_release_agent + - event: rcd_modification + - event: core_pattern_modification + - event: proc_kcore_read + - event: proc_mem_access + - event: hidden_file_created + - event: anti_debugging + - event: ptrace_code_injection + - event: process_vm_write_inject + - event: disk_mount + - event: dynamic_code_loading + - event: fileless_execution + - event: illegitimate_shell + - event: kernel_module_loading + - event: k8s_cert_theft + - event: proc_fops_hooking + - event: syscall_hooking + - event: dropped_executable diff --git a/deploy/kubernetes/tracee/tracee.yaml b/deploy/kubernetes/tracee/tracee.yaml index fbd1a6db485f..cdcdc85a6662 100644 --- a/deploy/kubernetes/tracee/tracee.yaml +++ b/deploy/kubernetes/tracee/tracee.yaml @@ -9,41 +9,45 @@ metadata: name: tracee-policies data: signatures.yaml: |- - name: signature_events - description: traces all signature events - scope: - - global - rules: - - event: stdio_over_socket - - event: k8s_api_connection - - event: aslr_inspection - - event: proc_mem_code_injection - - event: docker_abuse - - event: scheduled_task_mod - - event: ld_preload - - event: cgroup_notify_on_release - - event: default_loader_mod - - event: sudoers_modification - - event: sched_debug_recon - - event: system_request_key_mod - - event: cgroup_release_agent - - event: rcd_modification - - event: core_pattern_modification - - event: proc_kcore_read - - event: proc_mem_access - - event: hidden_file_created - - event: anti_debugging - - event: ptrace_code_injection - - event: process_vm_write_inject - - event: disk_mount - - event: dynamic_code_loading - - event: fileless_execution - - event: illegitimate_shell - - event: kernel_module_loading - - event: k8s_cert_theft - - event: proc_fops_hooking - - event: syscall_hooking - - event: dropped_executable + apiVersion: aquasecurity.github.io/v1beta1 + kind: TraceePolicy + metadata: + name: signature_events + description: traces all signature events + spec: + scope: + - global + rules: + - event: stdio_over_socket + - event: k8s_api_connection + - event: aslr_inspection + - event: proc_mem_code_injection + - event: docker_abuse + - event: scheduled_task_mod + - event: ld_preload + - event: cgroup_notify_on_release + - event: default_loader_mod + - event: sudoers_modification + - event: sched_debug_recon + - event: system_request_key_mod + - event: cgroup_release_agent + - event: rcd_modification + - event: core_pattern_modification + - event: proc_kcore_read + - event: proc_mem_access + - event: hidden_file_created + - event: anti_debugging + - event: ptrace_code_injection + - event: process_vm_write_inject + - event: disk_mount + - event: dynamic_code_loading + - event: fileless_execution + - event: illegitimate_shell + - event: kernel_module_loading + - event: k8s_cert_theft + - event: proc_fops_hooking + - event: syscall_hooking + - event: dropped_executable --- apiVersion: v1 kind: ConfigMap diff --git a/docs/docs/events/overview.md b/docs/docs/events/overview.md index ec965ef3c544..f26b88e2cfd2 100644 --- a/docs/docs/events/overview.md +++ b/docs/docs/events/overview.md @@ -18,12 +18,15 @@ Tracing `execve` events with [policies]: ``` cat <sample_policy.yaml -name: sample policy -description: traces execve events -scope: - - global -rules: - - event: execve +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: sample policy +spec: + scope: + - global + rules: + - event: execve EOF ``` diff --git a/docs/docs/policies/index.md b/docs/docs/policies/index.md index 7e19c67d7f34..6b55a01fb12e 100644 --- a/docs/docs/policies/index.md +++ b/docs/docs/policies/index.md @@ -10,21 +10,24 @@ You can load multiple (up to 64) policies into Tracee using the --policy flag pr Following is a sample policy: ```yaml -name: overview policy -description: sample overview policy -scope: - - global -rules: - - event: dropped_executable - - event: security_file_open - filters: - - args.pathname=/tmp/* - - event: sched_process_exec - filters: - - uid=0 - - event: close - filters: - - retval!=0 +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: overview policy +spec: + scope: + - global + rules: + - event: dropped_executable + - event: security_file_open + filters: + - args.pathname=/tmp/* + - event: sched_process_exec + filters: + - uid=0 + - event: close + filters: + - retval!=0 ``` This policy applies to any workload (global) and will log the dropped_executable, security_file_open, sched_process_exec and close events. Several filters are set to log only specific events: diff --git a/docs/docs/policies/rules.md b/docs/docs/policies/rules.md index 4e7f1421890f..4bf745dc272d 100644 --- a/docs/docs/policies/rules.md +++ b/docs/docs/policies/rules.md @@ -12,14 +12,17 @@ Events support three types of filters: `context`, `arguments` and `return value` Context is data which is collected along the event. They can be filtered like: ```yaml -name: sample_context_filter -description: sample context filter -scope: - - global -rules: - event: sched_process_exec - filters: - - pid=1000 +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: sample_context_filter +spec: + scope: + - global + rules: + event: sched_process_exec + filters: + - pid=1000 ``` The context filters supported are: @@ -182,14 +185,17 @@ filters: Events have arguments, which can be filtered. ```yaml -name: sample_argument_filter -description: sample argument filter -scope: - - global -rules: - event: security_file_open - filters: - - args.pathname=/tmp* +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: sample_argument_filter +spec: + scope: + - global + rules: + event: security_file_open + filters: + - args.pathname=/tmp* ``` Arguments can be found on the respective event definition, in this case [security_file_open](https://github.com/aquasecurity/tracee/blob/main/pkg/events/events.goL5293-L529), or the user can test the event output in CLI before defining a policy, e.g: @@ -207,12 +213,15 @@ tracee -e security_file_open --output json Return values can also be filtered. ```yaml -name: sample_return_value -description: sample return filter -scope: - - global -rules: - event: close - filters: - - retval!=0 +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: sample_return_value +spec: + scope: + - global + rules: + event: close + filters: + - retval!=0 ``` diff --git a/docs/tutorials/k8s-policies.md b/docs/tutorials/k8s-policies.md index ef12efccedda..24fbd9501b17 100644 --- a/docs/tutorials/k8s-policies.md +++ b/docs/tutorials/k8s-policies.md @@ -56,41 +56,44 @@ Data ==== signatures.yaml: ---- -name: signature_events -description: traces all signature events -scope: - - global -rules: - - event: stdio_over_socket - - event: k8s_api_connection - - event: aslr_inspection - - event: proc_mem_code_injection - - event: docker_abuse - - event: scheduled_task_mod - - event: ld_preload - - event: cgroup_notify_on_release - - event: default_loader_mod - - event: sudoers_modification - - event: sched_debug_recon - - event: system_request_key_mod - - event: cgroup_release_agent - - event: rcd_modification - - event: core_pattern_modification - - event: proc_kcore_read - - event: proc_mem_access - - event: hidden_file_created - - event: anti_debugging - - event: ptrace_code_injection - - event: process_vm_write_inject - - event: disk_mount - - event: dynamic_code_loading - - event: fileless_execution - - event: illegitimate_shell - - event: kernel_module_loading - - event: k8s_cert_theft - - event: proc_fops_hooking - - event: syscall_hooking - - event: dropped_executable +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: signature_events +spec: + scope: + - global + rules: + - event: stdio_over_socket + - event: k8s_api_connection + - event: aslr_inspection + - event: proc_mem_code_injection + - event: docker_abuse + - event: scheduled_task_mod + - event: ld_preload + - event: cgroup_notify_on_release + - event: default_loader_mod + - event: sudoers_modification + - event: sched_debug_recon + - event: system_request_key_mod + - event: cgroup_release_agent + - event: rcd_modification + - event: core_pattern_modification + - event: proc_kcore_read + - event: proc_mem_access + - event: hidden_file_created + - event: anti_debugging + - event: ptrace_code_injection + - event: process_vm_write_inject + - event: disk_mount + - event: dynamic_code_loading + - event: fileless_execution + - event: illegitimate_shell + - event: kernel_module_loading + - event: k8s_cert_theft + - event: proc_fops_hooking + - event: syscall_hooking + - event: dropped_executable ``` But let's supposed we also need tracee to trace all `execve` events, for it we need to change the configmap `tracee-policies` adding a new policy. @@ -107,12 +110,15 @@ To add a new policy for tracking execve events, append the following YAML block ```yaml events.yaml: |- - name: execve_event - description: traces all execve events - scope: - - global - rules: - - event: execve + apiVersion: aquasecurity.github.io/v1beta1 + kind: TraceePolicy + metadata: + name: execve_event + spec: + scope: + - global + rules: + - event: execve ``` Save and close the file. The changes will be applied automatically. diff --git a/examples/policies/container_dns_events.yaml b/examples/policies/container_dns_events.yaml index baaa7af76cc6..367d9f6b4b3c 100644 --- a/examples/policies/container_dns_events.yaml +++ b/examples/policies/container_dns_events.yaml @@ -1,7 +1,13 @@ -name: container_dns_events -description: traces dns events from containers -scope: - - container -rules: - - event: net_packet_dns_request - - event: net_packet_dns_response +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: container_dns_events + annotations: + description: traces dns events from containers +spec: + scope: + - container + rules: + - event: net_packet_dns_request + - event: net_packet_dns_response + diff --git a/examples/policies/context_comm.yaml b/examples/policies/context_comm.yaml index 2002556e109a..4661be018a2c 100644 --- a/examples/policies/context_comm.yaml +++ b/examples/policies/context_comm.yaml @@ -1,9 +1,13 @@ -name: context_comm -description: traces openat done by ls -scope: - - global -rules: - - event: openat - filters: - - comm=ls - +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: context_comm + annotations: + description: traces openat done by ls +spec: + scope: + - global + rules: + - event: openat + filters: + - comm=ls diff --git a/examples/policies/dig.yaml b/examples/policies/dig.yaml index 0f856d01bbe2..3a52079f2bd8 100644 --- a/examples/policies/dig.yaml +++ b/examples/policies/dig.yaml @@ -1,8 +1,12 @@ -name: dig -description: traces dns events from the dig binary -scope: - - binary=/usr/bin/dig -rules: - - event: net_packet_dns_request - - event: net_packet_dns_response - +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: dig + annotations: + description: traces dns events from the dig binary +spec: + scope: + - binary=/usr/bin/dig + rules: + - event: net_packet_dns_request + - event: net_packet_dns_response diff --git a/examples/policies/new_containers.yaml b/examples/policies/new_containers.yaml index 0417fb88bdc9..6efadc0225a0 100644 --- a/examples/policies/new_containers.yaml +++ b/examples/policies/new_containers.yaml @@ -1,7 +1,12 @@ -name: new_containers -description: traces events container_created and security_file_open only for new container -scope: - - container=new -rules: - - event: container_create - - event: security_file_open +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: new_containers + annotations: + description: traces events container_created and security_file_open only for new container +spec: + scope: + - container=new + rules: + - event: container_create + - event: security_file_open diff --git a/examples/policies/new_pids.yaml b/examples/policies/new_pids.yaml index 451a969b31fc..beb153f7ac62 100644 --- a/examples/policies/new_pids.yaml +++ b/examples/policies/new_pids.yaml @@ -1,8 +1,12 @@ -name: new_pids -description: traces openat and security_file_open for new pids -scope: - - pid=new -rules: - - event: openat - - event: security_file_open - +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: new_pids + annotations: + description: traces openat and security_file_open for new pids +spec: + scope: + - pid=new + rules: + - event: openat + - event: security_file_open diff --git a/examples/policies/not_containers.yaml b/examples/policies/not_containers.yaml index c194204c6d71..7915d4620cab 100644 --- a/examples/policies/not_containers.yaml +++ b/examples/policies/not_containers.yaml @@ -1,6 +1,11 @@ -name: not_containers -description: traces anti_debugging in the host -scope: - - "!container" -rules: - - event: anti_debugging +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: not_containers + annotations: + description: traces anti_debugging in the host +spec: + scope: + - "!container" + rules: + - event: anti_debugging diff --git a/examples/policies/openat_args_pahtname.yaml b/examples/policies/openat_args_pahtname.yaml index 9f65e502adc3..30ea08471047 100644 --- a/examples/policies/openat_args_pahtname.yaml +++ b/examples/policies/openat_args_pahtname.yaml @@ -1,9 +1,13 @@ -name: openat_args_pathname -description: traces openat under /tmp/* -scope: - - global -rules: - - event: openat - filters: - - args.pathname=/tmp* - +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: openat_args_pathname + annotations: + description: traces openat under /tmp/* +spec: + scope: + - global + rules: + - event: openat + filters: + - args.pathname=/tmp* diff --git a/examples/policies/pid_equal.yaml b/examples/policies/pid_equal.yaml index 093ea41ee7a6..ae0c1bb4ea43 100644 --- a/examples/policies/pid_equal.yaml +++ b/examples/policies/pid_equal.yaml @@ -1,12 +1,16 @@ -name: pid_equal -description: traces read and write syscalls for pids 1000, and 2000 -scope: - - global -rules: - - event: read - filters: - - pid=1000 - - event: write - filters: - - pid=2000 - +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: pid_equal + annotations: + description: traces read and write syscalls for pids 1000, and 2000 +spec: + scope: + - global + rules: + - event: read + filters: + - pid=1000 + - event: write + filters: + - pid=2000 diff --git a/examples/policies/scope_comm.yaml b/examples/policies/scope_comm.yaml index 7498d6cadbf0..d6f14fb45a2f 100644 --- a/examples/policies/scope_comm.yaml +++ b/examples/policies/scope_comm.yaml @@ -1,7 +1,13 @@ -name: comm_strace -description: traces sched_process_exec and sched_process_exit for the command strace -scope: - - comm=strace -rules: - - event: sched_process_exec - - event: sched_process_exit +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: comm_strace + annotations: + description: traces sched_process_exec and sched_process_exit for the command strace +spec: + scope: + - comm=strace + rules: + - event: sched_process_exec + - event: sched_process_exit + diff --git a/examples/policies/signature_events.yaml b/examples/policies/signature_events.yaml index 273c3ed7bcff..a2cfddf1809e 100644 --- a/examples/policies/signature_events.yaml +++ b/examples/policies/signature_events.yaml @@ -1,36 +1,40 @@ -name: signature_events -description: traces all signature events -scope: - - global -rules: - - event: stdio_over_socket - - event: k8s_api_connection - - event: aslr_inspection - - event: proc_mem_code_injection - - event: docker_abuse - - event: scheduled_task_mod - - event: ld_preload - - event: cgroup_notify_on_release - - event: default_loader_mod - - event: sudoers_modification - - event: sched_debug_recon - - event: system_request_key_mod - - event: cgroup_release_agent - - event: rcd_modification - - event: core_pattern_modification - - event: proc_kcore_read - - event: proc_mem_access - - event: hidden_file_created - - event: anti_debugging - - event: ptrace_code_injection - - event: process_vm_write_inject - - event: disk_mount - - event: dynamic_code_loading - - event: fileless_execution - - event: illegitimate_shell - - event: kernel_module_loading - - event: k8s_cert_theft - - event: proc_fops_hooking - - event: syscall_hooking - - event: dropped_executable - +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: signature_events + annotations: + description: traces all signature events +spec: + scope: + - global + rules: + - event: stdio_over_socket + - event: k8s_api_connection + - event: aslr_inspection + - event: proc_mem_code_injection + - event: docker_abuse + - event: scheduled_task_mod + - event: ld_preload + - event: cgroup_notify_on_release + - event: default_loader_mod + - event: sudoers_modification + - event: sched_debug_recon + - event: system_request_key_mod + - event: cgroup_release_agent + - event: rcd_modification + - event: core_pattern_modification + - event: proc_kcore_read + - event: proc_mem_access + - event: hidden_file_created + - event: anti_debugging + - event: ptrace_code_injection + - event: process_vm_write_inject + - event: disk_mount + - event: dynamic_code_loading + - event: fileless_execution + - event: illegitimate_shell + - event: kernel_module_loading + - event: k8s_cert_theft + - event: proc_fops_hooking + - event: syscall_hooking + - event: dropped_executable diff --git a/examples/policies/uid_higher_than_or_equal_to_zero.yaml b/examples/policies/uid_higher_than_or_equal_to_zero.yaml index a9fac7e6b232..95d3421b0ae4 100644 --- a/examples/policies/uid_higher_than_or_equal_to_zero.yaml +++ b/examples/policies/uid_higher_than_or_equal_to_zero.yaml @@ -1,8 +1,12 @@ -name: uid_higher_than_or_equal_to_zero -description: traces read and write syscall for uids higher than or equal to 0 -scope: - - uid>=0 -rules: - - event: read - - event: write - +apiVersion: aquasecurity.github.io/v1beta1 +kind: TraceePolicy +metadata: + name: uid_higher_than_or_equal_to_zero + annotations: + description: traces read and write syscall for uids higher than or equal to 0 +spec: + scope: + - uid>=0 + rules: + - event: read + - event: write diff --git a/pkg/cmd/cobra/helper.go b/pkg/cmd/cobra/helper.go index 2d0914702950..354778636aac 100644 --- a/pkg/cmd/cobra/helper.go +++ b/pkg/cmd/cobra/helper.go @@ -3,10 +3,11 @@ package cobra import ( "github.com/aquasecurity/tracee/pkg/cmd/flags" "github.com/aquasecurity/tracee/pkg/policy" + "github.com/aquasecurity/tracee/pkg/policy/v1beta1" ) func createPoliciesFromPolicyFiles(policyFlags []string) (*policy.Policies, error) { - policyFiles, err := policy.PoliciesFromPaths(policyFlags) + policyFiles, err := v1beta1.PoliciesFromPaths(policyFlags) if err != nil { return nil, err } diff --git a/pkg/cmd/flags/policy.go b/pkg/cmd/flags/policy.go index 1aa32918c869..3d166871ac63 100644 --- a/pkg/cmd/flags/policy.go +++ b/pkg/cmd/flags/policy.go @@ -9,10 +9,11 @@ import ( "github.com/aquasecurity/tracee/pkg/filters" "github.com/aquasecurity/tracee/pkg/logger" "github.com/aquasecurity/tracee/pkg/policy" + "github.com/aquasecurity/tracee/pkg/policy/v1beta1" ) // PrepareFilterMapsForPolicies prepares the scope and events PolicyFilterMap for the policies -func PrepareFilterMapsFromPolicies(policies []policy.PolicyFile) (PolicyScopeMap, PolicyEventMap, error) { +func PrepareFilterMapsFromPolicies(policies []v1beta1.PolicyFile) (PolicyScopeMap, PolicyEventMap, error) { policyScopeMap := make(PolicyScopeMap) policyEventsMap := make(PolicyEventMap) @@ -27,19 +28,19 @@ func PrepareFilterMapsFromPolicies(policies []policy.PolicyFile) (PolicyScopeMap policyNames := make(map[string]bool) for pIdx, p := range policies { - if _, ok := policyNames[p.Name]; ok { - return nil, nil, errfmt.Errorf("policy %s already exist", p.Name) + if _, ok := policyNames[p.Name()]; ok { + return nil, nil, errfmt.Errorf("policy %s already exist", p.Name()) } - policyNames[p.Name] = true + policyNames[p.Name()] = true scopeFlags := make([]scopeFlag, 0) // scope - for _, s := range p.Scope { + for _, s := range p.Scope() { s = strings.ReplaceAll(s, " ", "") - if s == "global" && len(p.Scope) > 1 { - return nil, nil, errfmt.Errorf("policy %s, global scope must be unique", p.Name) + if s == "global" && len(p.Scope()) > 1 { + return nil, nil, errfmt.Errorf("policy %s, global scope must be unique", p.Name()) } if s == "global" { @@ -66,13 +67,13 @@ func PrepareFilterMapsFromPolicies(policies []policy.PolicyFile) (PolicyScopeMap } policyScopeMap[pIdx] = policyScopes{ - policyName: p.Name, + policyName: p.Name(), scopeFlags: scopeFlags, } eventFlags := make([]eventFlag, 0) - for _, r := range p.Rules { + for _, r := range p.Rules() { evtFlag, err := parseEventFlag(r.Event) if err != nil { return nil, nil, errfmt.WrapError(err) @@ -102,7 +103,7 @@ func PrepareFilterMapsFromPolicies(policies []policy.PolicyFile) (PolicyScopeMap } policyEventsMap[pIdx] = policyEvents{ - policyName: p.Name, + policyName: p.Name(), eventFlags: eventFlags, } } diff --git a/pkg/cmd/flags/policy_test.go b/pkg/cmd/flags/policy_test.go index bd46909c5733..d0dcfa7c54d9 100644 --- a/pkg/cmd/flags/policy_test.go +++ b/pkg/cmd/flags/policy_test.go @@ -9,7 +9,7 @@ import ( "github.com/stretchr/testify/require" "github.com/aquasecurity/tracee/pkg/filters" - "github.com/aquasecurity/tracee/pkg/policy" + "github.com/aquasecurity/tracee/pkg/policy/v1beta1" ) var writeEvtFlag = eventFlag{ @@ -27,7 +27,7 @@ var readEvtFlag = eventFlag{ func TestPrepareFilterMapsFromPolicies(t *testing.T) { tests := []struct { testName string - policy policy.PolicyFile + policy v1beta1.PolicyFile expPolicyScopeMap PolicyScopeMap expPolicyEventMap PolicyEventMap skipPolicyCreation bool @@ -37,13 +37,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { // { testName: "global scope - single event", - policy: policy.PolicyFile{ - Name: "global_scope_single_event", - Description: "global scope - single event", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "global_scope_single_event", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -63,14 +66,17 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "global scope - multiple events", - policy: policy.PolicyFile{ - Name: "global_scope_multiple_events", - Description: "global scope - multiple events", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, - {Event: "read"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "global_scope_multiple_events", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + {Event: "read"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -91,13 +97,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "uid scope", - policy: policy.PolicyFile{ - Name: "uid_scope", - Description: "uid scope", - Scope: []string{"uid>=1000"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "uid_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"uid>=1000"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -123,13 +132,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "pid scope", - policy: policy.PolicyFile{ - Name: "pid_scope", - Description: "pid scope", - Scope: []string{"pid<=10"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "pid_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"pid<=10"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -155,13 +167,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "mntns scope", - policy: policy.PolicyFile{ - Name: "mntns", - Description: "mntns scope", - Scope: []string{"mntns=4026531840"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "mntns", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"mntns=4026531840"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -187,13 +202,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "pidns scope", - policy: policy.PolicyFile{ - Name: "pidns_scope", - Description: "pidns scope", - Scope: []string{"pidns!=4026531836"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "pidns_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"pidns!=4026531836"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -219,13 +237,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "uts scope", - policy: policy.PolicyFile{ - Name: "uts_scope", - Description: "uts scope", - Scope: []string{"uts!=ab356bc4dd554"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "uts_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"uts!=ab356bc4dd554"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -251,13 +272,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "comm=bash", - policy: policy.PolicyFile{ - Name: "comm_scope", - Description: "comm scope", - Scope: []string{"comm=bash"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"comm=bash"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -283,13 +307,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "container=new", - policy: policy.PolicyFile{ - Name: "container_scope", - Description: "container scope", - Scope: []string{"container=new"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "container_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"container=new"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -315,13 +342,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "!container", - policy: policy.PolicyFile{ - Name: "!container_scope", - Description: "!container scope", - Scope: []string{"!container"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "!container_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"!container"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -347,13 +377,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "container", - policy: policy.PolicyFile{ - Name: "container_scope", - Description: "container scope", - Scope: []string{"container"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "container_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"container"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -379,13 +412,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "tree=3213,5200", - policy: policy.PolicyFile{ - Name: "tree_scope", - Description: "tree scope", - Scope: []string{"tree=3213,5200"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "tree_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"tree=3213,5200"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -411,13 +447,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "scope with space", - policy: policy.PolicyFile{ - Name: "scope_with_space", - Description: "scope with space", - Scope: []string{"tree = 3213"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "scope_with_space", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"tree = 3213"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -443,13 +482,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "binary=host:/usr/bin/ls", - policy: policy.PolicyFile{ - Name: "binary_scope", - Description: "binary scope", - Scope: []string{"binary=host:/usr/bin/ls"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "binary_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"binary=host:/usr/bin/ls"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -476,13 +518,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "bin=4026532448:/usr/bin/ls", - policy: policy.PolicyFile{ - Name: "bin_scope", - Description: "bin scope", - Scope: []string{"bin=4026532448:/usr/bin/ls"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "bin_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"bin=4026532448:/usr/bin/ls"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -508,13 +553,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "follow", - policy: policy.PolicyFile{ - Name: "follow_scope", - Description: "follow scope", - Scope: []string{"follow"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "follow_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"follow"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -540,13 +588,16 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "multiple scopes", - policy: policy.PolicyFile{ - Name: "multiple_scope", - Description: "multiple scope", - Scope: []string{"comm=bash", "follow", "!container", "uid=1000"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - {Event: "write"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "multiple_scope", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"comm=bash", "follow", "!container", "uid=1000"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + {Event: "write"}, + }, }, }, expPolicyScopeMap: PolicyScopeMap{ @@ -593,15 +644,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { // args filter { testName: "args filter", - policy: policy.PolicyFile{ - Name: "args_filter", - Description: "args filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "security_file_open", - Filters: []string{"args.pathname=/etc/passwd"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "args_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "security_file_open", + Filters: []string{"args.pathname=/etc/passwd"}, + }, }, }, }, @@ -628,15 +682,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { // return filter { testName: "return filter", - policy: policy.PolicyFile{ - Name: "return_filter", - Description: "return filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"retval=-1"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "return_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"retval=-1"}, + }, }, }, }, @@ -659,15 +716,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { // context filter { testName: "timestamp filter", - policy: policy.PolicyFile{ - Name: "timestamp_filter", - Description: "timestamp filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"timestamp>1234567890"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "timestamp_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"timestamp>1234567890"}, + }, }, }, }, @@ -689,15 +749,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "processorId filter", - policy: policy.PolicyFile{ - Name: "processorId_filter", - Description: "processorId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"processorId>=1234567890"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "processorId_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"processorId>=1234567890"}, + }, }, }, }, @@ -719,15 +782,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "p filter", - policy: policy.PolicyFile{ - Name: "p_filter", - Description: "p filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"p<=10"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "p_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"p<=10"}, + }, }, }, }, @@ -749,15 +815,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "pid filter", - policy: policy.PolicyFile{ - Name: "pid_filter", - Description: "pid filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"pid!=1"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "pid_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"pid!=1"}, + }, }, }, }, @@ -779,15 +848,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "processId filter", - policy: policy.PolicyFile{ - Name: "processId_filter", - Description: "processId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"processId=1387"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "processId_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"processId=1387"}, + }, }, }, }, @@ -809,15 +881,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "tid filter", - policy: policy.PolicyFile{ - Name: "tid_filter", - Description: "tid filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"tid=1388"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "tid_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"tid=1388"}, + }, }, }, }, @@ -839,15 +914,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "threadId filter", - policy: policy.PolicyFile{ - Name: "threadId_filter", - Description: "threadId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"threadId!=1388"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "threadId_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"threadId!=1388"}, + }, }, }, }, @@ -869,15 +947,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "ppid filter", - policy: policy.PolicyFile{ - Name: "ppid_filter", - Description: "ppid filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"ppid=1"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "ppid_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"ppid=1"}, + }, }, }, }, @@ -899,15 +980,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "parentProcessId filter", - policy: policy.PolicyFile{ - Name: "parentProcessId_filter", - Description: "parentProcessId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "write", - Filters: []string{"parentProcessId>1455"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "parentProcessId_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "write", + Filters: []string{"parentProcessId>1455"}, + }, }, }, }, @@ -929,15 +1013,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "hostTid filter", - policy: policy.PolicyFile{ - Name: "hostTid_filter", - Description: "hostTid filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"hostTid=2455"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "hostTid_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"hostTid=2455"}, + }, }, }, }, @@ -959,15 +1046,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "hostThreadId filter", - policy: policy.PolicyFile{ - Name: "hostThreadId_filter", - Description: "hostThreadId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"hostThreadId!=2455"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "hostThreadId_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"hostThreadId!=2455"}, + }, }, }, }, @@ -989,15 +1079,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "hostPid filter", - policy: policy.PolicyFile{ - Name: "hostPid_filter", - Description: "hostPid filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"hostPid=333"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "hostPid_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"hostPid=333"}, + }, }, }, }, @@ -1019,15 +1112,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "hostParentProcessID filter", - policy: policy.PolicyFile{ - Name: "hostParentProcessId_filter", - Description: "hostParentProcessId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"hostParentProcessId!=333"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "hostParentProcessId_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"hostParentProcessId!=333"}, + }, }, }, }, @@ -1049,15 +1145,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "userId filter", - policy: policy.PolicyFile{ - Name: "userId_filter", - Description: "userId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"userId=1000"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "userId_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"userId=1000"}, + }, }, }, }, @@ -1079,15 +1178,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "mntns filter", - policy: policy.PolicyFile{ - Name: "mntns_filter", - Description: "mntns filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"mntns=4026531840"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "mntns_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"mntns=4026531840"}, + }, }, }, }, @@ -1109,15 +1211,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "mountNamespace filter", - policy: policy.PolicyFile{ - Name: "mountNamespace_filter", - Description: "mountNamespace filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"mountNamespace!=4026531840"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "mountNamespace_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"mountNamespace!=4026531840"}, + }, }, }, }, @@ -1139,15 +1244,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "pidns filter", - policy: policy.PolicyFile{ - Name: "pidns_filter", - Description: "pidns filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"pidns=4026531836"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "pidns_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"pidns=4026531836"}, + }, }, }, }, @@ -1169,15 +1277,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "pidNamespace filter", - policy: policy.PolicyFile{ - Name: "pidNamespace_filter", - Description: "pidNamespace filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"pidNamespace!=4026531836"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "pidNamespace_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"pidNamespace!=4026531836"}, + }, }, }, }, @@ -1199,15 +1310,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "processName filter", - policy: policy.PolicyFile{ - Name: "processName_filter", - Description: "processName filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"processName=uname"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "processName_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"processName=uname"}, + }, }, }, }, @@ -1229,15 +1343,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "comm filter", - policy: policy.PolicyFile{ - Name: "comm_filter", - Description: "comm filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"comm!=uname"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"comm!=uname"}, + }, }, }, }, @@ -1259,15 +1376,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "hostName filter", - policy: policy.PolicyFile{ - Name: "hostName_filter", - Description: "hostName filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"hostName=test"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "hostName_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"hostName=test"}, + }, }, }, }, @@ -1289,15 +1409,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "cgroupId filter", - policy: policy.PolicyFile{ - Name: "cgroupId", - Description: "cgroupId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"cgroupId=test"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "cgroupId", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"cgroupId=test"}, + }, }, }, }, @@ -1319,15 +1442,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "host filter", - policy: policy.PolicyFile{ - Name: "host", - Description: "host filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"host=test"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "host", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"host=test"}, + }, }, }, }, @@ -1349,15 +1475,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "container filter", - policy: policy.PolicyFile{ - Name: "container_filter", - Description: "container filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"container=c"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "container_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"container=c"}, + }, }, }, }, @@ -1379,15 +1508,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "containerId filter", - policy: policy.PolicyFile{ - Name: "containerId_filter", - Description: "containerId filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"containerId=da91bf3df3dc"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "containerId_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"containerId=da91bf3df3dc"}, + }, }, }, }, @@ -1409,15 +1541,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "containerImage filter", - policy: policy.PolicyFile{ - Name: "containerImage_filter", - Description: "containerImage filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"containerImage=tracee:latest"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "containerImage_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"containerImage=tracee:latest"}, + }, }, }, }, @@ -1439,15 +1574,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "containerName filter", - policy: policy.PolicyFile{ - Name: "containerName_filter", - Description: "containerName filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"containerName=tracee"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "containerName_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"containerName=tracee"}, + }, }, }, }, @@ -1469,15 +1607,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "podName filter", - policy: policy.PolicyFile{ - Name: "podName_filter", - Description: "podName filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"podName=daemonset/tracee"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "podName_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"podName=daemonset/tracee"}, + }, }, }, }, @@ -1499,15 +1640,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "podNamespace filter", - policy: policy.PolicyFile{ - Name: "podNamespace_filter", - Description: "podNamespace filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"podNamespace=production"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "podNamespace_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"podNamespace=production"}, + }, }, }, }, @@ -1529,15 +1673,18 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, { testName: "podUid filter", - policy: policy.PolicyFile{ - Name: "podUid_filter", - Description: "podUid filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{"podUid=poduid"}, + policy: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "podUid_filter", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{"podUid=poduid"}, + }, }, }, }, @@ -1562,7 +1709,7 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { for _, test := range tests { t.Run(test.testName, func(t *testing.T) { - policyScopeMap, policyEventMap, err := PrepareFilterMapsFromPolicies([]policy.PolicyFile{test.policy}) + policyScopeMap, policyEventMap, err := PrepareFilterMapsFromPolicies([]v1beta1.PolicyFile{test.policy}) assert.NoError(t, err) for k, v := range test.expPolicyScopeMap { diff --git a/pkg/policy/policy_file_test.go b/pkg/policy/policy_file_test.go deleted file mode 100644 index 1374f011d20a..000000000000 --- a/pkg/policy/policy_file_test.go +++ /dev/null @@ -1,361 +0,0 @@ -package policy - -import ( - "errors" - "testing" - - "gotest.tools/assert" - - "github.com/aquasecurity/tracee/pkg/events" -) - -func TestPolicyValidate(t *testing.T) { - fakeSignatureEvent := events.NewEventDefinition("fake_signature", []string{"signatures", "default"}, nil) - - err := events.Definitions.Add(9000, fakeSignatureEvent) - assert.NilError(t, err) - - tests := []struct { - testName string - policy PolicyFile - expectedError error - expectedPolicyError bool - }{ - { - testName: "empty name", - policy: PolicyFile{Name: ""}, - expectedError: errors.New("policy name cannot be empty"), - }, - { - testName: "empty description", - policy: PolicyFile{ - Name: "empty_description", - Description: "", - }, - expectedError: errors.New("policy.PolicyFile.Validate: policy empty_description, description cannot be empty"), - }, - { - testName: "empty scope", - policy: PolicyFile{ - Name: "empty_scope", - Description: "empty scope", - Scope: []string{}, - DefaultActions: []string{"log"}, - }, - expectedError: errors.New("policy empty_scope, scope cannot be empty"), - }, - { - testName: "empty rules", - policy: PolicyFile{ - Name: "empty_rules", - Description: "empty rules", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{}, - }, - expectedError: errors.New("policy empty_rules, rules cannot be empty"), - }, - { - testName: "empty event name", - policy: PolicyFile{ - Name: "empty_event_name", - Description: "empty event name", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - {Event: ""}, - }, - }, - expectedError: errors.New("policy.validateEvent: policy empty_event_name, event cannot be empty"), - }, - { - testName: "invalid event name", - policy: PolicyFile{ - Name: "invalid_event_name", - Description: "invalid event name", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - {Event: "non_existing_event"}, - }, - }, - expectedError: errors.New("policy.validateEvent: policy invalid_event_name, event non_existing_event is not valid"), - }, - { - testName: "invalid_scope_operator", - policy: PolicyFile{ - Name: "invalid_scope_operator", - Description: "invalid scope operator", - Scope: []string{"random"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - {Event: "write"}, - }, - }, - expectedError: errors.New("policy.parseScope: policy invalid_scope_operator, scope random is not valid"), - }, - { - testName: "invalid_scope", - policy: PolicyFile{ - Name: "invalid_scope", - Description: "invalid scope", - Scope: []string{"random!=0"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - {Event: "write"}, - }, - }, - expectedError: errors.New("policy.PolicyFile.validateScope: policy invalid_scope, scope random is not valid"), - }, - { - testName: "global scope must be unique", - policy: PolicyFile{ - Name: "global_scope_must_be_unique", - Description: "global scope must be unique", - Scope: []string{"global", "uid=1000"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - {Event: "write"}, - }, - }, - expectedError: errors.New("policy global_scope_must_be_unique, global scope must be unique"), - }, - { - testName: "duplicated event", - policy: PolicyFile{ - Name: "duplicated_event", - Description: "duplicated event", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - {Event: "write"}, - {Event: "write"}, - }, - }, - expectedError: errors.New("policy duplicated_event, event write is duplicated"), - }, - { - testName: "invalid filter operator", - policy: PolicyFile{ - Name: "invalid_filter_operator", - Description: "invalid filter operator", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "write", - Filters: []string{ - "random", - }, - }, - }, - }, - expectedError: errors.New("policy.PolicyFile.validateRules: policy invalid_filter_operator, invalid filter operator: random"), - }, - { - testName: "invalid policy action", - policy: PolicyFile{ - Name: "invalid_policy_action", - Description: "invalid policy action", - Scope: []string{"global"}, - DefaultActions: []string{"audit"}, - Rules: []Rule{ - {Event: "write"}, - }, - }, - expectedError: errors.New("policy.validateActions: policy invalid_policy_action, action audit is not valid"), - }, - { - testName: "invalid retval", - policy: PolicyFile{ - Name: "invalid_retval", - Description: "invalid retval filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "write", - Filters: []string{ - "retval", - }, - }, - }, - }, - expectedError: errors.New("policy.PolicyFile.validateRules: policy invalid_retval, invalid filter operator: retval"), - }, - { - testName: "empty retval", - policy: PolicyFile{ - Name: "empty_retval", - Description: "empty retval filter", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "write", - Filters: []string{ - "retval=", - }, - }, - }, - }, - expectedError: errors.New("policy.PolicyFile.validateRules: policy empty_retval, retval cannot be empty"), - }, - { - testName: "retval not an integer", - policy: PolicyFile{ - Name: "retval_not_an_integer", - Description: "retval not an integer", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "write", - Filters: []string{ - "retval=lala", - }, - }, - }, - }, - expectedError: errors.New("policy.PolicyFile.validateRules: policy retval_not_an_integer, retval must be an integer: lala"), - }, - { - testName: "empty arg name 1", - policy: PolicyFile{ - Name: "empty_filter_arg_1", - Description: "empty filter arg 1", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "write", - Filters: []string{ - "args", - }, - }, - }, - }, - expectedError: errors.New("policy.PolicyFile.validateRules: policy empty_filter_arg_1, invalid filter operator: args"), - }, - { - testName: "empty arg name 3", - policy: PolicyFile{ - Name: "empty_filter_arg_3", - Description: "empty filter arg 3", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "write", - Filters: []string{ - "args=", - }, - }, - }, - }, - expectedError: errors.New("policy.PolicyFile.validateRules: policy empty_filter_arg_3, arg name can't be empty"), - }, - { - testName: "empty arg name 4", - policy: PolicyFile{ - Name: "empty_filter_arg_4", - Description: "empty filter arg 4", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "write", - Filters: []string{ - "args=lala", - }, - }, - }, - }, - expectedError: errors.New("policy.PolicyFile.validateRules: policy empty_filter_arg_4, arg name can't be empty"), - }, - { - testName: "invalid arg", - policy: PolicyFile{ - Name: "invalid_arg", - Description: "invalid arg", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "openat", - Filters: []string{ - "args.lala=1", - }, - }, - }, - }, - expectedError: errors.New("policy.validateEventArg: policy invalid_arg, event openat does not have argument lala"), - }, - { - testName: "empty arg value", - policy: PolicyFile{ - Name: "empty_arg_value", - Description: "empty arg value", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "openat", - Filters: []string{ - "args.pathname=", - }, - }, - }, - }, - expectedError: errors.New("policy.validateEventArg: policy empty_arg_value, arg pathname value can't be empty"), - }, - { - testName: "empty arg value", - policy: PolicyFile{ - Name: "empty_arg_value", - Description: "empty arg value", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "openat", - Filters: []string{ - "args.pathname!=", - }, - }, - }, - }, - expectedError: errors.New("policy.validateEventArg: policy empty_arg_value, arg pathname value can't be empty"), - }, - { - testName: "signature filter arg", - policy: PolicyFile{ - Name: "signature_filter_arg", - Description: "signature filter arg", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []Rule{ - { - Event: "fake_signature", - Filters: []string{ - "args.lala=lala", - "args.lele!=lele", - }, - }, - }, - }, - expectedError: nil, - }, - } - - for _, test := range tests { - t.Run(test.testName, func(t *testing.T) { - err := test.policy.Validate() - if test.expectedError != nil { - assert.ErrorContains(t, err, test.expectedError.Error()) - } else { - assert.NilError(t, err) - } - }) - } -} diff --git a/pkg/policy/policy_file.go b/pkg/policy/v1beta1/policy_file.go similarity index 80% rename from pkg/policy/policy_file.go rename to pkg/policy/v1beta1/policy_file.go index e099b377bc79..fa5c6993d07d 100644 --- a/pkg/policy/policy_file.go +++ b/pkg/policy/v1beta1/policy_file.go @@ -1,4 +1,4 @@ -package policy +package v1beta1 import ( "os" @@ -14,8 +14,13 @@ import ( // PolicyFile is the structure of the policy file type PolicyFile struct { - Name string `yaml:"name"` - Description string `yaml:"description"` + APIVersion string `json:"apiVersion"` + Kind string `json:"kind"` + Metadata Metadata `yaml:"metadata"` + Spec PolicySpec `yaml:"spec"` +} + +type PolicySpec struct { Scope []string `yaml:"scope"` DefaultActions []string `yaml:"defaultActions"` Rules []Rule `yaml:"rules"` @@ -28,21 +33,45 @@ type Rule struct { Actions []string `yaml:"actions"` } +type Metadata struct { + Name string `yaml:"name"` +} + +func (p PolicyFile) Name() string { + return p.Metadata.Name +} + +func (p PolicyFile) Scope() []string { + return p.Spec.Scope +} + +func (p PolicyFile) DefaultActions() []string { + return p.Spec.DefaultActions +} + +func (p PolicyFile) Rules() []Rule { + return p.Spec.Rules +} + func (p PolicyFile) Validate() error { - if p.Name == "" { + if p.Name() == "" { return errfmt.Errorf("policy name cannot be empty") } - if p.Description == "" { - return errfmt.Errorf("policy %s, description cannot be empty", p.Name) + if p.APIVersion != "aquasecurity.github.io/v1beta1" { + return errfmt.Errorf("policy %s, apiVersion not supported", p.Name()) + } + + if p.Kind != "TraceePolicy" { + return errfmt.Errorf("policy %s, kind not supported", p.Name()) } - if p.Scope == nil || len(p.Scope) == 0 { - return errfmt.Errorf("policy %s, scope cannot be empty", p.Name) + if p.Scope() == nil || len(p.Scope()) == 0 { + return errfmt.Errorf("policy %s, scope cannot be empty", p.Name()) } - if p.Rules == nil || len(p.Rules) == 0 { - return errfmt.Errorf("policy %s, rules cannot be empty", p.Name) + if p.Rules() == nil || len(p.Rules()) == 0 { + return errfmt.Errorf("policy %s, rules cannot be empty", p.Name()) } if err := p.validateDefaultActions(); err != nil { @@ -57,11 +86,11 @@ func (p PolicyFile) Validate() error { } func (p PolicyFile) validateDefaultActions() error { - if p.DefaultActions == nil || len(p.DefaultActions) == 0 { + if p.DefaultActions() == nil || len(p.DefaultActions()) == 0 { return nil } - return validateActions(p.Name, p.DefaultActions) + return validateActions(p.Name(), p.DefaultActions()) } func validateActions(policyName string, actions []string) error { @@ -93,18 +122,18 @@ func (p PolicyFile) validateScope() error { "follow", } - for _, scope := range p.Scope { + for _, scope := range p.Scope() { scope = strings.ReplaceAll(scope, " ", "") - if scope == "global" && len(p.Scope) > 1 { - return errfmt.Errorf("policy %s, global scope must be unique", p.Name) + if scope == "global" && len(p.Scope()) > 1 { + return errfmt.Errorf("policy %s, global scope must be unique", p.Name()) } if scope == "global" { return nil } - scope, err := parseScope(p.Name, scope) + scope, err := parseScope(p.Name(), scope) if err != nil { return err } @@ -117,7 +146,7 @@ func (p PolicyFile) validateScope() error { } if !found { - return errfmt.Errorf("policy %s, scope %s is not valid", p.Name, scope) + return errfmt.Errorf("policy %s, scope %s is not valid", p.Name(), scope) } } return nil @@ -141,21 +170,21 @@ func parseScope(policyName, scope string) (string, error) { func (p PolicyFile) validateRules() error { evts := make(map[string]bool) - for _, r := range p.Rules { + for _, r := range p.Rules() { // Currently, an event can only be used once in the policy. Support for using the same // event, multiple times, with different filters, shall be implemented in the future. if _, ok := evts[r.Event]; ok { - return errfmt.Errorf("policy %s, event %s is duplicated", p.Name, r.Event) + return errfmt.Errorf("policy %s, event %s is duplicated", p.Name(), r.Event) } evts[r.Event] = true - err := validateEvent(p.Name, r.Event) + err := validateEvent(p.Name(), r.Event) if err != nil { return err } - err = validateActions(p.Name, r.Actions) + err = validateActions(p.Name(), r.Actions) if err != nil { return err } @@ -164,17 +193,17 @@ func (p PolicyFile) validateRules() error { operatorIdx := strings.IndexAny(f, "=!<>") if operatorIdx == -1 { - return errfmt.Errorf("policy %s, invalid filter operator: %s", p.Name, f) + return errfmt.Errorf("policy %s, invalid filter operator: %s", p.Name(), f) } // args if strings.HasPrefix(f, "args") { s := strings.Split(f, ".") if len(s) == 1 { - return errfmt.Errorf("policy %s, arg name can't be empty", p.Name) + return errfmt.Errorf("policy %s, arg name can't be empty", p.Name()) } - err := validateEventArg(p.Name, r.Event, s[1]) + err := validateEventArg(p.Name(), r.Event, s[1]) if err != nil { return err } @@ -186,16 +215,16 @@ func (p PolicyFile) validateRules() error { if strings.HasPrefix(f, "retval") { s := strings.Split(f, "=") if len(s) == 1 { - return errfmt.Errorf("policy %s, retval must have value: %s", p.Name, f) + return errfmt.Errorf("policy %s, retval must have value: %s", p.Name(), f) } if s[1] == "" { - return errfmt.Errorf("policy %s, retval cannot be empty", p.Name) + return errfmt.Errorf("policy %s, retval cannot be empty", p.Name()) } _, err := strconv.Atoi(s[1]) if err != nil { - return errfmt.Errorf("policy %s, retval must be an integer: %s", p.Name, s[1]) + return errfmt.Errorf("policy %s, retval must be an integer: %s", p.Name(), s[1]) } continue @@ -306,11 +335,11 @@ func PoliciesFromPaths(paths []string) ([]PolicyFile, error) { } // validate policy name is unique - if _, ok := policyNames[policy.Name]; ok { - return nil, errfmt.Errorf("policy %s already exist", policy.Name) + if _, ok := policyNames[policy.Name()]; ok { + return nil, errfmt.Errorf("policy %s already exist", policy.Name()) } - policyNames[policy.Name] = true + policyNames[policy.Name()] = true policies = append(policies, policy) } diff --git a/pkg/policy/v1beta1/policy_file_test.go b/pkg/policy/v1beta1/policy_file_test.go new file mode 100644 index 000000000000..207adfb744d8 --- /dev/null +++ b/pkg/policy/v1beta1/policy_file_test.go @@ -0,0 +1,488 @@ +package v1beta1 + +import ( + "errors" + "testing" + + "gotest.tools/assert" + + "github.com/aquasecurity/tracee/pkg/events" +) + +func TestPolicyValidate(t *testing.T) { + fakeSignatureEvent := events.NewEventDefinition("fake_signature", []string{"signatures", "default"}, nil) + + err := events.Definitions.Add(9000, fakeSignatureEvent) + assert.NilError(t, err) + + tests := []struct { + testName string + policy PolicyFile + expectedError error + expectedPolicyError bool + }{ + { + testName: "empty name", + policy: PolicyFile{ + Metadata: Metadata{Name: ""}, + }, + expectedError: errors.New("policy name cannot be empty"), + }, + { + testName: "empty API", + policy: PolicyFile{ + APIVersion: "", + Metadata: Metadata{Name: "emptyAPI"}, + }, + expectedError: errors.New("policy emptyAPI, apiVersion not supported"), + }, + { + testName: "invalid API", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/test", + Metadata: Metadata{Name: "invalidAPI"}, + }, + expectedError: errors.New("policy invalidAPI, apiVersion not supported"), + }, + { + testName: "empty Kind", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Metadata: Metadata{Name: "emptyKind"}, + }, + expectedError: errors.New("policy emptyKind, kind not supported"), + }, + { + testName: "invalid Kind", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "Policy", + Metadata: Metadata{Name: "invalidKind"}, + }, + expectedError: errors.New("policy invalidKind, kind not supported"), + }, + { + testName: "empty scope", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_scope", + }, + Spec: PolicySpec{ + Scope: []string{}, + DefaultActions: []string{"log"}, + }, + }, + expectedError: errors.New("policy empty_scope, scope cannot be empty"), + }, + { + testName: "empty rules", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_rules", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{}, + }, + }, + expectedError: errors.New("policy empty_rules, rules cannot be empty"), + }, + { + testName: "empty event name", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_event_name", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + {Event: ""}, + }, + }, + }, + expectedError: errors.New("v1beta1.validateEvent: policy empty_event_name, event cannot be empty"), + }, + { + testName: "invalid event name", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "invalid_event_name", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + {Event: "non_existing_event"}, + }, + }, + }, + expectedError: errors.New("v1beta1.validateEvent: policy invalid_event_name, event non_existing_event is not valid"), + }, + { + testName: "invalid_scope_operator", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "invalid_scope_operator", + }, + Spec: PolicySpec{ + Scope: []string{"random"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + {Event: "write"}, + }, + }, + }, + expectedError: errors.New("v1beta1.parseScope: policy invalid_scope_operator, scope random is not valid"), + }, + { + testName: "invalid_scope", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "invalid_scope", + }, + Spec: PolicySpec{ + Scope: []string{"random!=0"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + {Event: "write"}, + }, + }, + }, + expectedError: errors.New("v1beta1.PolicyFile.validateScope: policy invalid_scope, scope random is not valid"), + }, + { + testName: "global scope must be unique", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "global_scope_must_be_unique", + }, + Spec: PolicySpec{ + Scope: []string{"global", "uid=1000"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + {Event: "write"}, + }, + }, + }, + expectedError: errors.New("policy global_scope_must_be_unique, global scope must be unique"), + }, + { + testName: "duplicated event", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "duplicated_event", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + {Event: "write"}, + {Event: "write"}, + }, + }, + }, + expectedError: errors.New("policy duplicated_event, event write is duplicated"), + }, + { + testName: "invalid filter operator", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "invalid_filter_operator", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "write", + Filters: []string{ + "random", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.PolicyFile.validateRules: policy invalid_filter_operator, invalid filter operator: random"), + }, + { + testName: "invalid policy action", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "invalid_policy_action", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"audit"}, + Rules: []Rule{ + {Event: "write"}, + }, + }, + }, + expectedError: errors.New("v1beta1.validateActions: policy invalid_policy_action, action audit is not valid"), + }, + { + testName: "invalid retval", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "invalid_retval", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "write", + Filters: []string{ + "retval", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.PolicyFile.validateRules: policy invalid_retval, invalid filter operator: retval"), + }, + { + testName: "empty retval", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_retval", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "write", + Filters: []string{ + "retval=", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.PolicyFile.validateRules: policy empty_retval, retval cannot be empty"), + }, + { + testName: "retval not an integer", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "retval_not_an_integer", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "write", + Filters: []string{ + "retval=lala", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.PolicyFile.validateRules: policy retval_not_an_integer, retval must be an integer: lala"), + }, + { + testName: "empty arg name 1", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_filter_arg_1", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "write", + Filters: []string{ + "args", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.PolicyFile.validateRules: policy empty_filter_arg_1, invalid filter operator: args"), + }, + { + testName: "empty arg name 3", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_filter_arg_3", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "write", + Filters: []string{ + "args=", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.PolicyFile.validateRules: policy empty_filter_arg_3, arg name can't be empty"), + }, + { + testName: "empty arg name 4", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_filter_arg_4", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "write", + Filters: []string{ + "args=lala", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.PolicyFile.validateRules: policy empty_filter_arg_4, arg name can't be empty"), + }, + { + testName: "invalid arg", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "invalid_arg", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "openat", + Filters: []string{ + "args.lala=1", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.validateEventArg: policy invalid_arg, event openat does not have argument lala"), + }, + { + testName: "empty arg value", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_arg_value", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "openat", + Filters: []string{ + "args.pathname=", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.validateEventArg: policy empty_arg_value, arg pathname value can't be empty"), + }, + { + testName: "empty arg value", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "empty_arg_value", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "openat", + Filters: []string{ + "args.pathname!=", + }, + }, + }, + }, + }, + expectedError: errors.New("v1beta1.validateEventArg: policy empty_arg_value, arg pathname value can't be empty"), + }, + { + testName: "signature filter arg", + policy: PolicyFile{ + APIVersion: "aquasecurity.github.io/v1beta1", + Kind: "TraceePolicy", + Metadata: Metadata{ + Name: "signature_filter_arg", + }, + Spec: PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []Rule{ + { + Event: "fake_signature", + Filters: []string{ + "args.lala=lala", + "args.lele!=lele", + }, + }, + }, + }, + }, + expectedError: nil, + }, + } + + for _, test := range tests { + t.Run(test.testName, func(t *testing.T) { + err := test.policy.Validate() + if test.expectedError != nil { + assert.ErrorContains(t, err, test.expectedError.Error()) + } else { + assert.NilError(t, err) + } + }) + } +} diff --git a/tests/integration/event_filters_test.go b/tests/integration/event_filters_test.go index 3826396d9c85..3d556d46406e 100644 --- a/tests/integration/event_filters_test.go +++ b/tests/integration/event_filters_test.go @@ -17,6 +17,7 @@ import ( "github.com/aquasecurity/tracee/pkg/config" "github.com/aquasecurity/tracee/pkg/events" "github.com/aquasecurity/tracee/pkg/policy" + "github.com/aquasecurity/tracee/pkg/policy/v1beta1" "github.com/aquasecurity/tracee/pkg/utils" "github.com/aquasecurity/tracee/signatures/helpers" "github.com/aquasecurity/tracee/tests/testutils" @@ -40,21 +41,24 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "container_event", - Description: "policy for new containers", - Scope: []string{ - "container=new", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "container_event", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "-container_create", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "container=new", }, - { - Event: "-container_remove", - Filters: []string{}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "-container_create", + Filters: []string{}, + }, + { + Event: "-container_remove", + Filters: []string{}, + }, }, }, }, @@ -78,21 +82,24 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "comm_event", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "sched_process_exec", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", }, - { - Event: "sched_process_exit", - Filters: []string{}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "sched_process_exec", + Filters: []string{}, + }, + { + Event: "sched_process_exit", + Filters: []string{}, + }, }, }, }, @@ -117,17 +124,20 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 5, - policyFile: policy.PolicyFile{ - Name: "comm_event", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "net_packet_icmp", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "net_packet_icmp", + Filters: []string{}, + }, }, }, }, @@ -152,18 +162,21 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 42, - policyFile: policy.PolicyFile{ - Name: "event_args", - Description: "policy with args pathname finishing with 'ls'", - Scope: []string{ - "global", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "execve", - Filters: []string{ - "args.pathname=*ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "event_args", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "global", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "execve", + Filters: []string{ + "args.pathname=*ls", + }, }, }, }, @@ -189,18 +202,21 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 42, - policyFile: policy.PolicyFile{ - Name: "event_args", - Description: "policy with args pathname starting with * wildcard", - Scope: []string{ - "global", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "execve", - Filters: []string{ - "args.pathname=*/almost/improbable/path", // no event expected + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "event_args", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "global", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "execve", + Filters: []string{ + "args.pathname=*/almost/improbable/path", // no event expected + }, }, }, }, @@ -221,18 +237,21 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 42, - policyFile: policy.PolicyFile{ - Name: "comm_event_args", - Description: "policy with args pathname for ls command", - Scope: []string{ - "comm=ls", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "security_file_open", - Filters: []string{ - "args.pathname=*integration", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_args", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "security_file_open", + Filters: []string{ + "args.pathname=*integration", + }, }, }, }, @@ -257,34 +276,40 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 4, - policyFile: policy.PolicyFile{ - Name: "comm_event_4", - Description: "ls policy", - Scope: []string{ - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_4", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "sched_process_exit", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "sched_process_exit", + Filters: []string{}, + }, }, }, }, }, { id: 2, - policyFile: policy.PolicyFile{ - Name: "comm_event_2", - Description: "uname policy", - Scope: []string{ - "comm=uname", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_2", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "sched_process_exit", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=uname", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "sched_process_exit", + Filters: []string{}, + }, }, }, }, @@ -314,34 +339,40 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "bin_event_1", - Description: "who policy", - Scope: []string{ - "bin=/usr/bin/who", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "bin_event_1", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "sched_process_exec", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "bin=/usr/bin/who", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "sched_process_exec", + Filters: []string{}, + }, }, }, }, }, { id: 2, - policyFile: policy.PolicyFile{ - Name: "bin_event_2", - Description: "uname policy", - Scope: []string{ - "bin=/usr/bin/uname", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "bin_event_2", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "sched_process_exec", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "bin=/usr/bin/uname", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "sched_process_exec", + Filters: []string{}, + }, }, }, }, @@ -373,18 +404,21 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "pid_0_event_args", - Description: "trace event sched_switch with args from pid 0", - Scope: []string{ - "pid=0", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "sched_switch", - Filters: []string{ - "args.next_comm=systemd,init", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "pid_0_event_args", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "pid=0", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "sched_switch", + Filters: []string{ + "args.next_comm=systemd,init", + }, }, }, }, @@ -410,14 +444,17 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "pid_1", - Description: "trace events from pid 1", - Scope: []string{ - "pid=1", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "pid_1", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "pid=1", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -440,15 +477,18 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "uid_0_comm", - Description: "trace uid 0 from ls command", - Scope: []string{ - "uid=0", - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "uid_0_comm", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "uid=0", + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -470,15 +510,18 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "uid_0_comm", - Description: "trace only uid>0 from ls command (should be empty)", - Scope: []string{ - "uid>0", - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "uid_0_comm", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "uid>0", + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -498,17 +541,20 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "event_fs", - Description: "trace filesystem events from ls command", - Scope: []string{ - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "event_fs", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "fs", // fs set - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "fs", // fs set + Filters: []string{}, + }, }, }, }, @@ -532,17 +578,20 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "bin_event", - Description: "trace only setns events from \"/usr/bin/dockerd\" binary", - Scope: []string{ - "bin=/usr/bin/dockerd", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "bin_event", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "setns", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "bin=/usr/bin/dockerd", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "setns", + Filters: []string{}, + }, }, }, }, @@ -567,15 +616,18 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "pid_new", - Description: "trace new pids (should be empty)", - Scope: []string{ - "pid=new", - "pid=1", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "pid_new", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "pid=new", + "pid=1", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -595,14 +647,17 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 64, - policyFile: policy.PolicyFile{ - Name: "comm_64", - Description: "policy for ls command", - Scope: []string{ - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_64", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -624,27 +679,33 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 64, - policyFile: policy.PolicyFile{ - Name: "comm_64", - Description: "policy for ls command", - Scope: []string{ - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_64", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, { // no events expected id: 42, - policyFile: policy.PolicyFile{ - Name: "comm_42", - Description: "policy from who command", - Scope: []string{ - "comm=who", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_42", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=who", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -666,26 +727,32 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 64, - policyFile: policy.PolicyFile{ - Name: "comm_64", - Description: "policy for ls command", - Scope: []string{ - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_64", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, { id: 42, - policyFile: policy.PolicyFile{ - Name: "comm_42", - Description: "policy for who command", - Scope: []string{ - "comm=who", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_42", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=who", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -715,19 +782,22 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 42, - policyFile: policy.PolicyFile{ - Name: "event_args_context", - Description: "policy for only security_file_open from \"execve\" syscall", - Scope: []string{ - "global", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "security_file_open", - Filters: []string{ - "syscall=execve", // context - "args.pathname=*ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "event_args_context", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "global", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "security_file_open", + Filters: []string{ + "syscall=execve", // context + "args.pathname=*ls", + }, }, }, }, @@ -753,17 +823,20 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 42, - policyFile: policy.PolicyFile{ - Name: "comm_event", - Description: "policy for magic write", - Scope: []string{ - "comm=tee", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "magic_write", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=tee", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "magic_write", + Filters: []string{}, + }, }, }, }, @@ -791,12 +864,11 @@ func Test_EventFilters(t *testing.T) { // policyFiles: []policyFileWithID{ // { // id: 3, - // policyFile: policy.PolicyFile{ + // policyFile: v1beta1.PolicyFile{ // Name: "comm_event", - // Description: "policy for net_packet_icmp event", // Scope: []string{"comm=ping"}, // DefaultActions: []string{"log"}, - // Rules: []policy.Rule{ + // Rules: []v1beta1.Rule{ // { // Event: "net_packet_icmp", // Filters: []string{}, @@ -806,12 +878,11 @@ func Test_EventFilters(t *testing.T) { // }, // { // id: 5, - // policyFile: policy.PolicyFile{ + // policyFile: v1beta1.PolicyFile{ // Name: "event_args", - // Description: "policy for ptrace event", // Scope: []string{}, // DefaultActions: []string{"log"}, - // Rules: []policy.Rule{ + // Rules: []v1beta1.Rule{ // { // Event: "ptrace", // Filters: []string{"args.pid=0"}, @@ -821,12 +892,11 @@ func Test_EventFilters(t *testing.T) { // }, // { // id: 9, - // policyFile: policy.PolicyFile{ + // policyFile: v1beta1.PolicyFile{ // Name: "signature", - // Description: "policy for anti_debugging event", // Scope: []string{}, // DefaultActions: []string{"log"}, - // Rules: []policy.Rule{ + // Rules: []v1beta1.Rule{ // { // Event: "anti_debugging", // Filters: []string{}, @@ -864,34 +934,40 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 3, - policyFile: policy.PolicyFile{ - Name: "comm_event_3", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_3", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "net_packet_icmp", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "net_packet_icmp", + Filters: []string{}, + }, }, }, }, }, { id: 5, - policyFile: policy.PolicyFile{ - Name: "comm_event_5", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_5", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "net_packet_icmp", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "net_packet_icmp", + Filters: []string{}, + }, }, }, }, @@ -916,38 +992,44 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 3, - policyFile: policy.PolicyFile{ - Name: "comm_event_3", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_3", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "net_packet_icmp", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "net_packet_icmp", + Filters: []string{}, + }, }, }, }, }, { id: 5, - policyFile: policy.PolicyFile{ - Name: "comm_event_5", - Description: "policy for ping commands", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_5", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "net_packet_icmp", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", }, - { - Event: "setuid", - Filters: []string{}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "net_packet_icmp", + Filters: []string{}, + }, + { + Event: "setuid", + Filters: []string{}, + }, }, }, }, @@ -974,72 +1056,84 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 3, - policyFile: policy.PolicyFile{ - Name: "comm_event_3", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_3", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "net_packet_icmp", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "net_packet_icmp", + Filters: []string{}, + }, }, }, }, }, { id: 5, - policyFile: policy.PolicyFile{ - Name: "comm_event_5", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_5", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "net_packet_icmp", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "net_packet_icmp", + Filters: []string{}, + }, }, }, }, }, { id: 7, - policyFile: policy.PolicyFile{ - Name: "comm_event_7", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_7", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "sched_process_exec", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "sched_process_exec", + Filters: []string{}, + }, }, }, }, }, { id: 9, - policyFile: policy.PolicyFile{ - Name: "comm_event_9", - Description: "policy for ping command", - Scope: []string{ - "comm=ping", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_9", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "sched_process_exec", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ping", }, - { - Event: "security_socket_connect", - Filters: []string{}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "sched_process_exec", + Filters: []string{}, + }, + { + Event: "security_socket_connect", + Filters: []string{}, + }, }, }, }, @@ -1068,27 +1162,33 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 64, - policyFile: policy.PolicyFile{ - Name: "comm_64", - Description: "policy for ls command", - Scope: []string{ - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_64", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, { id: 42, - policyFile: policy.PolicyFile{ - Name: "comm_42", - Description: "policy for ls and who commands", - Scope: []string{ - "comm=who", - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_42", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=who", + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -1118,26 +1218,32 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 64, - policyFile: policy.PolicyFile{ - Name: "comm_64", - Description: "policy for ls command", - Scope: []string{ - "comm=ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_64", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, { id: 42, - policyFile: policy.PolicyFile{ - Name: "comm_42", - Description: "policy for ls and who commands", - Scope: []string{ - "comm=who,ls", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_42", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=who,ls", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{}, }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{}, }, }, }, @@ -1173,21 +1279,24 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 1, - policyFile: policy.PolicyFile{ - Name: "comm_event", - Description: "policy for fakeprog1 command", - Scope: []string{ - "comm=fakeprog1", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event", }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "read", - Filters: []string{}, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=fakeprog1", }, - { - Event: "write", - Filters: []string{}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "read", + Filters: []string{}, + }, + { + Event: "write", + Filters: []string{}, + }, }, }, }, @@ -1212,15 +1321,18 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 42, - policyFile: policy.PolicyFile{ - Name: "event_pol_42", - Description: "policy for fakeprog1 command", - Scope: []string{"global"}, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "execve", - Filters: []string{}, + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "event_pol_42", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{"global"}, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "execve", + Filters: []string{}, + }, }, }, }, @@ -1244,20 +1356,23 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 64, - policyFile: policy.PolicyFile{ - Name: "comm_event_args_64", - Description: "policy with args for fakeprog1 command", - Scope: []string{ - "comm=fakeprog1", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "openat", - Filters: []string{ - "args.dirfd=0", - "args.flags=0", - "args.mode=0", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_args_64", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=fakeprog1", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "openat", + Filters: []string{ + "args.dirfd=0", + "args.flags=0", + "args.mode=0", + }, }, }, }, @@ -1265,19 +1380,22 @@ func Test_EventFilters(t *testing.T) { }, { id: 42, - policyFile: policy.PolicyFile{ - Name: "comm_event_args_42", - Description: "policy with args for fakeprog2 command", - Scope: []string{ - "comm=fakeprog2", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "open", - Filters: []string{ - "args.flags=0", - "args.mode=0", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_args_42", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=fakeprog2", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "open", + Filters: []string{ + "args.flags=0", + "args.mode=0", + }, }, }, }, @@ -1317,18 +1435,21 @@ func Test_EventFilters(t *testing.T) { policyFiles: []policyFileWithID{ { id: 64, - policyFile: policy.PolicyFile{ - Name: "comm_event_retval_64", - Description: "policy with retval for fakeprog1 command", - Scope: []string{ - "comm=fakeprog1", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "openat", - Filters: []string{ - "retval<0", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_retval_64", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=fakeprog1", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "openat", + Filters: []string{ + "retval<0", + }, }, }, }, @@ -1337,18 +1458,21 @@ func Test_EventFilters(t *testing.T) { { // no events expected id: 42, - policyFile: policy.PolicyFile{ - Name: "comm_event_retval_42", - Description: "policy with retval for fakeprog2 command", - Scope: []string{ - "comm=fakeprog2", - }, - DefaultActions: []string{"log"}, - Rules: []policy.Rule{ - { - Event: "open", - Filters: []string{ - "retval>=0", + policyFile: v1beta1.PolicyFile{ + Metadata: v1beta1.Metadata{ + Name: "comm_event_retval_42", + }, + Spec: v1beta1.PolicySpec{ + Scope: []string{ + "comm=fakeprog2", + }, + DefaultActions: []string{"log"}, + Rules: []v1beta1.Rule{ + { + Event: "open", + Filters: []string{ + "retval>=0", + }, }, }, }, @@ -1435,7 +1559,7 @@ const ( ) type policyFileWithID struct { - policyFile policy.PolicyFile + policyFile v1beta1.PolicyFile id int } @@ -1466,7 +1590,7 @@ func newCmdEvents(runCmd string, timeout time.Duration, evts []trace.Event, sets // newPolicies creates a new policies object with the given policies files with IDs. func newPolicies(polsFilesID []policyFileWithID) *policy.Policies { - var polsFiles []policy.PolicyFile + var polsFiles []v1beta1.PolicyFile for _, polFile := range polsFilesID { polsFiles = append(polsFiles, polFile.policyFile)