security : check for unconfined processes

Signed-off-by: Shahriyar Jalayeri <[email protected]>
lf-edge · Nov 9, 2023 · 0f7de85 · 0f7de85
1 parent 8ef9d2d
commit 0f7de85
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/tests/sec/sec_test.go b/tests/sec/sec_test.go
@@ -1,6 +1,7 @@
 package sec_test
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"strings"
@@ -90,6 +91,53 @@ func TestMain(m *testing.M) {
 	os.Exit(res)
 }
 
+func TestUnconfinedProcesses(t *testing.T) {
+	log.Println("TestUnconfinedProcesses started")
+	defer log.Println("TestUnconfinedProcesses finished")
+
+	edgeNode := tc.GetEdgeNode(tc.WithTest(t))
+	tc.WaitForState(edgeNode, 60)
+
+	// check if there are any processes with capablities
+	command := `ps -eZ | awk '
+	BEGIN { print " [ "}
+	/LABEL/ {next}
+	{
+		printf " %s {\"label\": \"%s\", \"cmd\": \"%s\"}", separator, $1, $5;
+		separator = ",";
+	}
+	END { print " ] " }
+	'`
+
+	out, err := rnode.runCommand(command)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	processes := []struct {
+		Label string `json:"label"`
+		Cmd   string `json:"cmd"`
+	}{}
+
+	err = json.Unmarshal(out, &processes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	fail := false
+	for _, process := range processes {
+		if process.Label == "unconfined" {
+			t.Logf("Unconfined process found: %s", process.Cmd)
+			fail = true
+		}
+	}
+
+	if fail {
+		// TODO : this not a proper way to check, but good for now
+		t.Fatal("There are unconfined processes running on the system")
+	}
+}
+
 func TestUmask(t *testing.T) {
 	log.Println("TestUmask started")
 	defer log.Println("TestUmask finished")