diff --git a/src/go.mod b/src/go.mod
index 91e39995..98002f88 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -29,6 +29,7 @@ require (
 k8s.io/api v0.23.5
 k8s.io/apimachinery v0.23.5
 k8s.io/client-go v0.23.5
+ k8s.io/utils v0.0.0-20211116205334-6203023598ed
 sigs.k8s.io/yaml v1.3.0
 )
@@ -124,7 +125,6 @@ require (
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 k8s.io/klog/v2 v2.30.0 // indirect
 k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
- k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
 sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
diff --git a/src/systempolicy/systemPolicy.go b/src/systempolicy/systemPolicy.go
index 13b58f6c..235cc93f 100644
--- a/src/systempolicy/systemPolicy.go
+++ b/src/systempolicy/systemPolicy.go
@@ -13,6 +13,7 @@ import (
 "time"
 "github.com/clarketm/json"
+ "k8s.io/utils/strings/slices"
 "sigs.k8s.io/yaml"
 "github.com/accuknox/auto-policy-discovery/src/cluster"
@@ -340,6 +341,33 @@ func extractK8SSystemPolicies(namespace, clustername, labels, fromsource string,
 if !includeNetwork {
 pol.Spec.Network = types.NetworkRule{}
 }
+ // if a binary is a global binary, convert file access to global
+
+ globalbinaries := []string{}
+ for _, binary := range pol.Spec.Process.MatchPaths {
+ if len(binary.FromSource) == 0 && !slices.Contains(globalbinaries, binary.Path) {
+ globalbinaries = append(globalbinaries, binary.Path)
+ }
+ }
+
+ for i, matchpath := range pol.Spec.File.MatchPaths {
+ for _, binary := range matchpath.FromSource {
+ if slices.Contains(globalbinaries, binary.Path) {
+ pol.Spec.File.MatchPaths[i].FromSource = []types.KnoxFromSource{}
+ break
+ }
+ }
+ }
+
+ for i, matchDir := range pol.Spec.File.MatchDirectories {
+ for _, binary := range matchDir.FromSource {
+ if slices.Contains(globalbinaries, binary.Path) {
+ pol.Spec.File.MatchDirectories[i].FromSource = []types.KnoxFromSource{}
+ break
+ }
+ }
+ }
+
 result = append(result, pol)
 }
 }
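Review bot: Clearing the whole FromSource list on the first global-binary hit (the `pol.Spec.File.MatchPaths[i].FromSource = []types.KnoxFromSource{}` line and its MatchDirectories twin) widens the file rule beyond that binary: a rule scoped to a global binary plus some other source becomes unscoped for every process, and the non-global entries are dropped silently rather than kept. If that is the intended semantics, the one-line comment should state the consequence, e.g. `// A file rule whose FromSource names a binary that already has an unrestricted process rule is made global: the entire FromSource list is dropped, including any other sources listed with it.`; if it is not, only the matching entry should be removed. The global set is built from Process.MatchPaths only, so if the Process rule type also carries MatchDirectories like File does, binaries allowed through those would not count as global — worth confirming against the Spec.Process type. The repeated `slices.Contains` scans would read better as a `map[string]struct{}` built once (`globalBinaries[binary.Path] = struct{}{}`), which also makes the de-duplication check in the first loop unnecessary and fixes the `globalbinaries` naming to MixedCaps. extractK8SSystemPolicies starts outside the hunk and appears to continue past it.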