Merge pull request kubearmor#1809 from Aryan-sharma11/fix-default-pos…

…ture-logs fix: default posture logs for system generated permission denied events
navin772 · Jul 23, 2024 · 3a0fb40 · 3a0fb40
2 parents 24e52b1 + 4fa3911
commit 3a0fb40
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 41 deletions.
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
@@ -970,6 +970,19 @@ func setLogFields(log *tp.Log, existAllowPolicy bool, defaultPosture string, vis
 
 		return true
 	}
+	if existAllowPolicy && defaultPosture == "block" && (*log).Result != "Passed" {
+		if containerEvent {
+			(*log).Type = "MatchedPolicy"
+		} else {
+			(*log).Type = "MatchedHostPolicy"
+		}
+
+		(*log).PolicyName = "DefaultPosture"
+		(*log).Enforcer = "eBPF Monitor"
+		(*log).Action = "Block"
+
+		return true
+	}
 
 	if containerEvent {
 		// return here as container events are dropped in kernel space
@@ -1003,7 +1016,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 	existFileAllowPolicy := false
 	existNetworkAllowPolicy := false
 	existCapabilitiesAllowPolicy := false
-
 	fd.DefaultPosturesLock.Lock()
 	defer fd.DefaultPosturesLock.Unlock()
 	if log.Result == "Passed" || log.Result == "Operation not permitted" || log.Result == "Permission denied" {
@@ -1036,7 +1048,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 					continue
 				}
 			}
-
 			switch log.Operation {
 			case "Process", "File":
 				if secPolicy.Operation != log.Operation {
@@ -1672,22 +1683,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 
 		fd.SecurityPoliciesLock.RUnlock()
 
-		if log.PolicyName == "" && log.Result != "Passed" {
-			// default posture (block) or native policy
-			// no matched policy, but result = blocked -> default posture
-
-			log.Type = "MatchedPolicy"
-
-			log.PolicyName = "DefaultPosture"
-
-			log.Severity = ""
-			log.Tags = ""
-			log.ATags = []string{}
-			log.Message = ""
-
-			log.Enforcer = fd.Enforcer
-			log.Action = "Block"
-		}
 	}
 
 	if log.ContainerID != "" { // container

diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go
@@ -1947,18 +1947,10 @@ var _ = Describe("Ksp", func() {
 			AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "cat /etc/hostname"},
 				MatchRegexp("hostname.*Permission denied"), true,
 			)
-
-			expect := protobuf.Alert{
-				PolicyName: "DefaultPosture",
-				Severity:   "",
-				Action:     "Block",
-				Result:     "Permission denied",
-				Resource:   "hostname",
-			}
-
-			res, err := KarmorGetTargetAlert(5*time.Second, &expect)
-			Expect(err).To(BeNil())
-			Expect(res.Found).To(BeTrue())
+			/*
+				skip matching alerts as kubearmor doesn't generate
+				alerts for apparmor managed policy
+			*/
 		})
 
 		It("it can allow readonly access to a file path", func() {

diff --git a/tests/k8s_env/privileged/privileged_test.go b/tests/k8s_env/privileged/privileged_test.go
@@ -235,17 +235,7 @@ var _ = Describe("Ksp", func() {
 				[]string{"bash", "-c", "umount /var/run/secrets/kubernetes.io/serviceaccount"})
 			Expect(err).To(BeNil())
 			fmt.Printf("OUTPUT: %s\n", sout)
-
-			expect = &protobuf.Alert{
-				PolicyName: "DefaultPosture",
-				Action:     "Block",
-				Result:     "Operation not permitted",
-				Data:       "syscall=SYS_UMOUNT2",
-			}
-
-			res, err := KarmorGetTargetAlert(5*time.Second, expect)
-			Expect(err).To(BeNil())
-			Expect(res.Found).To(BeTrue())
+			Expect(sout).To(MatchRegexp("umount.*must be superuser to unmount"))
 		})
 
 		It("won't block umount by default for all capabilities enabled containers", func() {