add a test case for protocol:all handling

Signed-off-by: rksharma95 <[email protected]>

KubeArmor/enforcer/appArmorProfile.go

@@ -243,9 +243,7 @@ func (ae *AppArmorEnforcer) SetNetworkMatchProtocols(proto tp.NetworkProtocolTyp
 	rule.Deny = deny
 	rule.Allow = !deny
 	if len(proto.FromSource) == 0 {
-		if proto.Protocol != "all" {
-			addRuletoMap(rule, proto.Protocol, prof.NetworkRules)
-		}
+		addRuletoMap(rule, proto.Protocol, prof.NetworkRules)
 		return
 	}
 
@@ -267,9 +265,7 @@ func (ae *AppArmorEnforcer) SetNetworkMatchProtocols(proto tp.NetworkProtocolTyp
 				prof.FromSource[source] = val
 			}
 		}
-		if proto.Protocol != "all" {
-			addRuletoMap(rule, proto.Protocol, prof.FromSource[source].NetworkRules)
-		}
+		addRuletoMap(rule, proto.Protocol, prof.FromSource[source].NetworkRules)
 	}
 }
 
@@ -391,9 +387,9 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 		if len(secPolicy.Spec.Network.MatchProtocols) > 0 {
 			for _, proto := range secPolicy.Spec.Network.MatchProtocols {
 				if proto.Action == "Allow" {
-					ae.SetNetworkMatchProtocols(proto, &profile, false, defaultPosture.NetworkAction != "block" || proto.Protocol == "all")
+					ae.SetNetworkMatchProtocols(proto, &profile, false, defaultPosture.NetworkAction != "block")
 				} else if proto.Action == "Block" {
-					ae.SetNetworkMatchProtocols(proto, &profile, true, true && proto.Protocol != "all")
+					ae.SetNetworkMatchProtocols(proto, &profile, true, true)
 				}
 			}
 		}

KubeArmor/enforcer/appArmorTemplate.go

@@ -225,7 +225,11 @@ profile {{$v := $.Name | split "."}}{{$v._0}}_{{ regexReplaceAllLiteral "[^a-z A
   ## == Network START == ##
 	{{- range $value, $data := .NetworkRules}}
     {{- if $data.Deny}}
+	  {{- if eq $value "all" }}
+	  deny network,
+	  {{- else }}
       deny network {{$value}},
+	  {{- end}}
     {{- end}}
     {{- if $data.Allow}}
       network {{$value}},

KubeArmor/feeder/policyMatcher.go

@@ -59,9 +59,9 @@ func GetProtocolFromType(proto int32) string {
 }
 
 func fetchProtocol(resource string) string {
-	if strings.Contains(resource, "protocol=TCP") || (strings.Contains(resource, "SOCK_STREAM") && strings.Contains(resource, "protocol=0")) {
+	if strings.Contains(resource, "protocol=TCP") || (strings.Contains(resource, "SOCK_STREAM") && strings.Contains(resource, "protocol=HOPOPT")) {
 		return "tcp"
-	} else if strings.Contains(resource, "protocol=UDP") || (strings.Contains(resource, "SOCK_DGRAM") && strings.Contains(resource, "protocol=0")) {
+	} else if strings.Contains(resource, "protocol=UDP") || (strings.Contains(resource, "SOCK_DGRAM") && strings.Contains(resource, "protocol=HOPOPT")) {
 		return "udp"
 	} else if strings.Contains(resource, "protocol=ICMP") {
 		return "icmp"

KubeArmor/go.mod

@@ -65,7 +65,6 @@ require (
 	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect

pkg/KubeArmorController/config/rbac/role.yaml

@@ -4,6 +4,74 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "create","delete","update","list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorclusterpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorclusterpolicies/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorhostpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorhostpolicies/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorpolicies/status
+  verbs:
+  - get
+  - patch
+  - update

tests/k8s_env/ksp/ksp_test.go

@@ -266,6 +266,32 @@ var _ = Describe("Ksp", func() {
 
 		})
 
+		It("it can block all network traffic", func() {
+
+			// Apply Policy
+			err := K8sApplyFile("multiubuntu/ksp-ubuntu-1-block-net-all.yaml")
+			Expect(err).To(BeNil())
+
+			// Start KubeArmor Logs
+			err = KarmorLogStart("policy", "multiubuntu", "Network", ub1)
+			Expect(err).To(BeNil())
+			AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "ping -c 1 127.0.0.1"},
+				MatchRegexp("ping.*Permission denied"), true,
+			)
+
+			expect := protobuf.Alert{
+				PolicyName: "ksp-ubuntu-1-block-net-all",
+				Severity:   "8",
+				Action:     "Block",
+				Result:     "Permission denied",
+			}
+
+			res, err := KarmorGetTargetAlert(5*time.Second, &expect)
+			Expect(err).To(BeNil())
+			Expect(res.Found).To(BeTrue())
+
+		})
+
 	})
 
 	Describe("Apply Capabilities Policy", func() {

tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml

@@ -0,0 +1,15 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-ubuntu-1-block-net-all
+  namespace: multiubuntu
+spec:
+  severity: 8
+  selector:
+    matchLabels:
+      container: ubuntu-1
+  network:
+    matchProtocols:
+    - protocol: all
+  action:
+    Block