From 0f7de8507beb6a200dd184c4e41ab053c1af0243 Mon Sep 17 00:00:00 2001
From: Shahriyar Jalayeri
Date: Thu, 9 Nov 2023 12:26:15 +0100
Subject: [PATCH] security : check for unconfined processes
Signed-off-by: Shahriyar Jalayeri
---
 tests/sec/sec_test.go | 48 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/tests/sec/sec_test.go b/tests/sec/sec_test.go
index a297a0d1c..326554313 100644
--- a/tests/sec/sec_test.go
+++ b/tests/sec/sec_test.go
@@ -1,6 +1,7 @@
 package sec_test
 import (
+ "encoding/json"
 "fmt"
 "os"
 "strings"
@@ -90,6 +91,53 @@ func TestMain(m *testing.M) {
 os.Exit(res)
 }
+func TestUnconfinedProcesses(t *testing.T) {
+ log.Println("TestUnconfinedProcesses started")
+ defer log.Println("TestUnconfinedProcesses finished")
+
+ edgeNode := tc.GetEdgeNode(tc.WithTest(t))
+ tc.WaitForState(edgeNode, 60)
+
+ // check if there are any processes with capablities
+ command := `ps -eZ | awk '
+ BEGIN { print " [ "}
+ /LABEL/ {next}
+ {
+ printf " %s {\"label\": \"%s\", \"cmd\": \"%s\"}", separator, $1, $5;
+ separator = ",";
+ }
+ END { print " ] " }
+ '`
+
+ out, err := rnode.runCommand(command)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ processes := []struct {
+ Label string `json:"label"`
+ Cmd string `json:"cmd"`
+ }{}
+
+ err = json.Unmarshal(out, &processes)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ fail := false
+ for _, process := range processes {
+ if process.Label == "unconfined" {
+ t.Logf("Unconfined process found: %s", process.Cmd)
+ fail = true
+ }
+ }
+
+ if fail {
+ // TODO : this not a proper way to check, but good for now
+ t.Fatal("There are unconfined processes running on the system")
+ }
+}
+
 func TestUmask(t *testing.T) {
 log.Println("TestUmask started")
 defer log.Println("TestUmask finished")
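Review bot: The awk script in TestUnconfinedProcesses builds JSON by pasting `$1` and `$5` into string literals, so a LABEL containing whitespace (AppArmor prints confined processes as `profile (enforce)`) shifts the columns, and a `"` or `\` in either field makes `json.Unmarshal` fail, which turns the check into a parse error instead of a verdict. Since `strings` is already imported, the ps output can be split in Go instead, which also lets each finding be reported with `t.Errorf` and drops the `fail` flag and the `encoding/json` import this hunk adds; this assumes `rnode.runCommand` returns `[]byte`, as the `json.Unmarshal` call implies. The comment `// check if there are any processes with capablities` describes the wrong thing; `// every process must carry a security label; "unconfined" means no profile is applied` matches what the loop tests. The TODO is right that an exact match on `unconfined` is coarse: on an AppArmor node that may be the normal label for kernel threads and init, so an allow-list of expected commands will probably be needed before this test can gate anything.
```go
func TestUnconfinedProcesses(t *testing.T) {
	// … unchanged: start/finish logging, edge node lookup and WaitForState …

	// every process must carry a security label; "unconfined" means no profile is applied
	out, err := rnode.runCommand("ps -eZ")
	if err != nil {
		t.Fatal(err)
	}

	for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
		// ps prints LABEL first and CMD last; the label itself may contain spaces
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] == "LABEL" {
			continue
		}
		if fields[0] == "unconfined" {
			// TODO: compare against an allow-list of expected commands instead of failing on every hit
			t.Errorf("unconfined process found: %s", fields[len(fields)-1])
		}
	}
}
```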