diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index 21946457b..a04a3fde7 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -970,6 +970,19 @@ func setLogFields(log *tp.Log, existAllowPolicy bool, defaultPosture string, vis
 return true
 }
+ if existAllowPolicy && defaultPosture == "block" && (*log).Result != "Passed" {
+ if containerEvent {
+ (*log).Type = "MatchedPolicy"
+ } else {
+ (*log).Type = "MatchedHostPolicy"
+ }
+ (*log).PolicyName = "DefaultPosture"
+ (*log).Enforcer = "eBPF Monitor"
+ (*log).Action = "Block"
+ return true
+ }
 if containerEvent {
 // return here as container events are dropped in kernel space
@@ -1003,7 +1016,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 existFileAllowPolicy := false
 existNetworkAllowPolicy := false
 existCapabilitiesAllowPolicy := false
-
 fd.DefaultPosturesLock.Lock()
 defer fd.DefaultPosturesLock.Unlock()
 if log.Result == "Passed" || log.Result == "Operation not permitted" || log.Result == "Permission denied" {
@@ -1036,7 +1048,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 continue
 }
 }
-
 switch log.Operation {
 case "Process", "File":
 if secPolicy.Operation != log.Operation {
@@ -1672,22 +1683,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 fd.SecurityPoliciesLock.RUnlock()
- if log.PolicyName == "" && log.Result != "Passed" {
- // default posture (block) or native policy
- // no matched policy, but result = blocked -> default posture
- log.Type = "MatchedPolicy"
- log.PolicyName = "DefaultPosture"
- log.Severity = ""
- log.Tags = ""
- log.ATags = []string{}
- log.Message = ""
- log.Enforcer = fd.Enforcer
- log.Action = "Block"
- }
 }
 if log.ContainerID != "" { // container
diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go
index 46dad74fd..4c2763acc 100644
--- a/tests/k8s_env/ksp/ksp_test.go
+++ b/tests/k8s_env/ksp/ksp_test.go
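Review bot: The new DefaultPosture block branch in setLogFields (hunk at -970) sets Type, PolicyName, Enforcer and Action but does not reset Severity, Tags, ATags and Message, which the block removed from UpdateMatchedPolicy (hunk at -1672) did; if a log can reach this branch with those fields already populated from an earlier partial match, the emitted alert would carry policy metadata that does not belong to the default posture. The removed code also took the enforcer from fd.Enforcer, whereas the new branch hard-codes "eBPF Monitor" for every non-Passed result, so a denial produced by another enforcer would be attributed to the BPF monitor if it reaches this branch — a short comment stating why the enforcer is fixed here would make that intent visible. setLogFields continues outside the hunk, so the call-site guard cannot be checked from here. Suggested rewrite of the field assignments:
```go
		(*log).PolicyName = "DefaultPosture"
		// clear any policy metadata so the alert carries only default-posture fields
		(*log).Severity = ""
		(*log).Tags = ""
		(*log).ATags = []string{}
		(*log).Message = ""
		(*log).Enforcer = "eBPF Monitor"
		(*log).Action = "Block"
		// … unchanged: return true …
```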
@@ -1947,18 +1947,10 @@ var _ = Describe("Ksp", func() {
 AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "cat /etc/hostname"},
 MatchRegexp("hostname.*Permission denied"), true,
 )
-
- expect := protobuf.Alert{
- PolicyName: "DefaultPosture",
- Severity: "",
- Action: "Block",
- Result: "Permission denied",
- Resource: "hostname",
- }
-
- res, err := KarmorGetTargetAlert(5*time.Second, &expect)
- Expect(err).To(BeNil())
- Expect(res.Found).To(BeTrue())
+ /*
+ skip matching alerts as kubearmor doesn't generate
+ alerts for apparmor managed policy
+ */
 })
 It("it can allow readonly access to a file path", func() {
diff --git a/tests/k8s_env/privileged/privileged_test.go b/tests/k8s_env/privileged/privileged_test.go
index 55a83fe30..284cc0c59 100644
--- a/tests/k8s_env/privileged/privileged_test.go
+++ b/tests/k8s_env/privileged/privileged_test.go
@@ -235,17 +235,7 @@ var _ = Describe("Ksp", func() {
 []string{"bash", "-c", "umount /var/run/secrets/kubernetes.io/serviceaccount"})
 Expect(err).To(BeNil())
 fmt.Printf("OUTPUT: %s\n", sout)
-
- expect = &protobuf.Alert{
- PolicyName: "DefaultPosture",
- Action: "Block",
- Result: "Operation not permitted",
- Data: "syscall=SYS_UMOUNT2",
- }
-
- res, err := KarmorGetTargetAlert(5*time.Second, expect)
- Expect(err).To(BeNil())
- Expect(res.Found).To(BeTrue())
+ Expect(sout).To(MatchRegexp("umount.*must be superuser to unmount"))
 })
 It("won't block umount by default for all capabilities enabled containers", func() {
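Review bot: Removing the KarmorGetTargetAlert check in the ksp_test hunk leaves this case asserting only that the command was denied, so a regression in DefaultPosture alert generation — the very path the policyMatcher change touches — would still pass here; the privileged_test hunk does the same, replacing the alert match with a regex on the umount error text. If the alert is legitimately absent only under AppArmor, as the new comment says, gating the alert expectation on the enforcer in use (or calling Ginkgo's Skip with that reason) would keep the eBPF/BPF-LSM coverage instead of dropping it for all enforcers. The multi-line `/* */` comment is also unusual inside a Go function body; a line comment such as `// skip alert matching: kubearmor does not generate alerts for apparmor-managed policy` matches the file's style. The enclosing It blocks start outside both hunks.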