add default posture block test case based fromsourceallow

Modified test script to accomodate DefaultPosture logs

Signed-off-by: daemon1024 <[email protected]>

KubeArmor/enforcer/appArmorProfile.go

@@ -996,6 +996,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 
 	// Resolve conflicts
 	ae.ResolvedProcessWhiteListConflicts(&processWhiteList, fromSources, &fusionProcessWhiteList)
+
 	// body
 
 	profileBody := ""

tests/scenarios/github_test_12/cmd1

@@ -0,0 +1,7 @@
+source: ubuntu-1-deployment
+cmd: curl 142.250.193.46
+result: passed
+---
+operation: Network
+condition: SOCK_STREAM
+action: Allow

tests/scenarios/github_test_12/cmd2

@@ -0,0 +1,7 @@
+source: ubuntu-1-deployment
+cmd: curl google.com
+result: failed
+---
+operation: Network
+condition: SOCK_DGRAM
+action: Block

tests/scenarios/github_test_12/cmd3

@@ -0,0 +1,7 @@
+source: ubuntu-1-deployment
+cmd: wget --tries=1 142.250.193.46
+result: failed
+---
+operation: Network
+condition: SOCK_STREAM
+action: Block

tests/scenarios/github_test_12/ksp-ubuntu-1-net-tcp-from-source-allow.yaml

@@ -0,0 +1,17 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-ubuntu-1-net-tcp-from-source-allow-curl
+  namespace: github
+spec:
+  severity: 8
+  selector:
+    matchLabels:
+      container: ubuntu-1
+  network:
+    matchProtocols:
+    - protocol: tcp
+      fromSource:
+              - path: /usr/bin/curl
+  action:
+    Allow

tests/test-scenarios-github.sh

@@ -266,7 +266,7 @@ function should_find_blocked_log() {
     fi
 
     if [[ $6 -eq 0 ]]; then
-        audit_log=$($CAT_LOG | grep -E "$1.*policyName.*\"$2\".*$match_type.*$3.*resource.*$4.*$5" | tail -n 1 | grep -v Passed)
+        audit_log=$($CAT_LOG | grep -E "$1.*policyName.*\"$2|DefaultPosture\".*$match_type.*$3.*resource.*$4.*$5" | tail -n 1 | grep -v Passed)
     else
         audit_log=$($CAT_LOG | grep -E "$1.*policyName.*\"NativePolicy\".*$match_type.*$3.*resource.*$4.*$5" | tail -n 1 | grep -v Passed)
     fi

tests/test-scenarios-in-runtime.sh

@@ -208,7 +208,7 @@ function should_find_blocked_log() {
 
     if [[ $KUBEARMOR = "kubearmor"* ]]; then
         if [[ $6 -eq 0 ]]; then
-            audit_log=$(kubectl -n kube-system exec $KUBEARMOR -- grep -E "$1.*policyName.*\"$2\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
+            audit_log=$(kubectl -n kube-system exec $KUBEARMOR -- grep -E "$1.*policyName.*\"$2|DefaultPosture\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
         else
             audit_log=$(kubectl -n kube-system exec $KUBEARMOR -- grep -E "$1.*policyName.*\"NativePolicy\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
         fi
@@ -222,7 +222,7 @@ function should_find_blocked_log() {
         fi
     else # local
         if [[ $6 -eq 0 ]]; then
-            audit_log=$(grep -E "$1.*policyName.*\"$2\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
+            audit_log=$(grep -E "$1.*policyName.*\"$2|DefaultPosture\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
         else
             audit_log=$(grep -E "$1.*policyName.*\"NativePolicy\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
         fi

tests/test-scenarios-local.sh

@@ -225,7 +225,7 @@ function should_find_blocked_log() {
     fi
 
     if [[ $6 -eq 0 ]]; then
-        audit_log=$(grep -E "$1.*policyName.*\"$2\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
+        audit_log=$(grep -E "$1.*policyName.*\"$2|DefaultPosture\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
     else
         audit_log=$(grep -E "$1.*policyName.*\"NativePolicy\".*$match_type.*$3.*resource.*$4.*$5" $ARMOR_LOG | tail -n 1 | grep -v Passed)
     fi