Merge pull request #610 from achrefbensaad/fix-policy-gen

make disocvered policies work
accuknox · Nov 28, 2022 · 29ca624 · 29ca624
2 parents 3131f7e + fd306ee
commit 29ca624
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/src/go.mod b/src/go.mod
@@ -30,6 +30,7 @@ require (
 	k8s.io/api v0.23.5
 	k8s.io/apimachinery v0.23.5
 	k8s.io/client-go v0.23.5
+	k8s.io/utils v0.0.0-20211116205334-6203023598ed
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -125,7 +126,6 @@ require (
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/klog/v2 v2.30.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
-	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
 	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
diff --git a/src/systempolicy/systemPolicy.go b/src/systempolicy/systemPolicy.go
@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/clarketm/json"
+	"k8s.io/utils/strings/slices"
 	"sigs.k8s.io/yaml"
 
 	"github.com/accuknox/auto-policy-discovery/src/cluster"
@@ -340,6 +341,33 @@ func extractK8SSystemPolicies(namespace, clustername, labels, fromsource string,
 			if !includeNetwork {
 				pol.Spec.Network = types.NetworkRule{}
 			}
+			// if a binary is a global binary, convert file access to global
+
+			globalbinaries := []string{}
+			for _, binary := range pol.Spec.Process.MatchPaths {
+				if len(binary.FromSource) == 0 && !slices.Contains(globalbinaries, binary.Path) {
+					globalbinaries = append(globalbinaries, binary.Path)
+				}
+			}
+
+			for i, matchpath := range pol.Spec.File.MatchPaths {
+				for _, binary := range matchpath.FromSource {
+					if slices.Contains(globalbinaries, binary.Path) {
+						pol.Spec.File.MatchPaths[i].FromSource = []types.KnoxFromSource{}
+						break
+					}
+				}
+			}
+
+			for i, matchDir := range pol.Spec.File.MatchDirectories {
+				for _, binary := range matchDir.FromSource {
+					if slices.Contains(globalbinaries, binary.Path) {
+						pol.Spec.File.MatchDirectories[i].FromSource = []types.KnoxFromSource{}
+						break
+					}
+				}
+			}
+
 			result = append(result, pol)
 		}
 	}