changed ui/client/configuration tests
In order to test ebpf<->proc changes we'll need to have access to a valid ebpf module.
parent
bde5d34deb
commit
7d08b2b4a0
5 changed files with 40 additions and 20 deletions
|
@ -81,7 +81,7 @@ func GetPIDFromINode(inode int, inodeKey string) int {
|
||||||
return aPid
|
return aPid
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if found == -1 || methodIsProc() {
|
if found == -1 || MethodIsProc() {
|
||||||
found = lookupPidInProc("/proc/", expect, inodeKey, inode)
|
found = lookupPidInProc("/proc/", expect, inodeKey, inode)
|
||||||
}
|
}
|
||||||
log.Debug("new pid lookup took (%d): %v", found, time.Since(start))
|
log.Debug("new pid lookup took (%d): %v", found, time.Since(start))
|
||||||
|
|
|
@ -256,7 +256,7 @@ func MethodIsAudit() bool {
|
||||||
return monitorMethod == MethodAudit
|
return monitorMethod == MethodAudit
|
||||||
}
|
}
|
||||||
|
|
||||||
func methodIsProc() bool {
|
func MethodIsProc() bool {
|
||||||
lock.RLock()
|
lock.RLock()
|
||||||
defer lock.RUnlock()
|
defer lock.RUnlock()
|
||||||
|
|
||||||
|
|
|
@ -17,13 +17,12 @@ import (
|
||||||
|
|
||||||
var (
|
var (
|
||||||
defaultConfig = &config.Config{
|
defaultConfig = &config.Config{
|
||||||
ProcMonitorMethod: procmon.MethodEbpf,
|
ProcMonitorMethod: procmon.MethodProc,
|
||||||
DefaultAction: "allow",
|
DefaultAction: "allow",
|
||||||
DefaultDuration: "once",
|
DefaultDuration: "once",
|
||||||
InterceptUnknown: false,
|
InterceptUnknown: false,
|
||||||
Firewall: "nftables",
|
Firewall: "nftables",
|
||||||
}
|
}
|
||||||
reloadConfig = *defaultConfig
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func restoreConfigFile(t *testing.T) {
|
func restoreConfigFile(t *testing.T) {
|
||||||
|
@ -39,8 +38,8 @@ func restoreConfigFile(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func validateConfig(t *testing.T, uiClient *Client, cfg *config.Config) {
|
func validateConfig(t *testing.T, uiClient *Client, cfg *config.Config) {
|
||||||
if uiClient.ProcMonitorMethod() != cfg.ProcMonitorMethod {
|
if uiClient.ProcMonitorMethod() != cfg.ProcMonitorMethod || procmon.GetMonitorMethod() != uiClient.ProcMonitorMethod() {
|
||||||
t.Errorf("not expected ProcMonitorMethod value: %s, expected: %s", uiClient.ProcMonitorMethod(), cfg.ProcMonitorMethod)
|
t.Errorf("not expected ProcMonitorMethod value: %s, expected: %s, procmon.MonitorMethod: %s", uiClient.ProcMonitorMethod(), cfg.ProcMonitorMethod, procmon.GetMonitorMethod())
|
||||||
}
|
}
|
||||||
if uiClient.GetFirewallType() != cfg.Firewall {
|
if uiClient.GetFirewallType() != cfg.Firewall {
|
||||||
t.Errorf("not expected FirewallType value: %s, expected: %s", uiClient.GetFirewallType(), cfg.Firewall)
|
t.Errorf("not expected FirewallType value: %s, expected: %s", uiClient.GetFirewallType(), cfg.Firewall)
|
||||||
|
@ -53,7 +52,7 @@ func validateConfig(t *testing.T, uiClient *Client, cfg *config.Config) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestClientConfig(t *testing.T) {
|
func TestClientConfigReloading(t *testing.T) {
|
||||||
restoreConfigFile(t)
|
restoreConfigFile(t)
|
||||||
cfgFile := "./testdata/default-config.json"
|
cfgFile := "./testdata/default-config.json"
|
||||||
|
|
||||||
|
@ -71,7 +70,8 @@ func TestClientConfig(t *testing.T) {
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("validate-reload-config", func(t *testing.T) {
|
t.Run("validate-reload-config", func(t *testing.T) {
|
||||||
reloadConfig.ProcMonitorMethod = procmon.MethodProc
|
reloadConfig := *defaultConfig
|
||||||
|
//reloadConfig.ProcMonitorMethod = procmon.MethodProc
|
||||||
reloadConfig.DefaultAction = string(rule.Deny)
|
reloadConfig.DefaultAction = string(rule.Deny)
|
||||||
reloadConfig.InterceptUnknown = true
|
reloadConfig.InterceptUnknown = true
|
||||||
reloadConfig.Firewall = iptables.Name
|
reloadConfig.Firewall = iptables.Name
|
||||||
|
|
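Review bot: The commented-out `//reloadConfig.ProcMonitorMethod = procmon.MethodProc` in the `validate-reload-config` subtest should be deleted or replaced by an explanatory comment rather than left as dead code. With `defaultConfig` now set to `procmon.MethodProc`, the reloaded config keeps the same monitor method, so the new `procmon.GetMonitorMethod()` comparison in `validateConfig` is never exercised across an actual method switch. The commit message gives the reason (no valid eBPF module is available to the tests); a comment such as `// ProcMonitorMethod is left unchanged: switching methods needs a loadable eBPF module` would keep that reason next to the code. The subtest body continues outside the hunk.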
|
@ -121,7 +121,7 @@ func (c *Client) reloadConfiguration(reload bool, newConfig config.Config) *moni
|
||||||
}
|
}
|
||||||
|
|
||||||
if reconnect {
|
if reconnect {
|
||||||
log.Debug("[config] config.server.address.* changed, reconnecting")
|
log.Debug("[config] config.server.address.* changed, reconnecting to %s", c.socketPath)
|
||||||
c.disconnect()
|
c.disconnect()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -189,14 +189,8 @@ func (c *Client) reloadConfiguration(reload bool, newConfig config.Config) *moni
|
||||||
log.Debug("[config] config.Ebpf.ModulesPath not changed")
|
log.Debug("[config] config.Ebpf.ModulesPath not changed")
|
||||||
}
|
}
|
||||||
if reloadProc {
|
if reloadProc {
|
||||||
monitor.End()
|
err := monitor.ReconfigureMonitorMethod(newConfig.ProcMonitorMethod, newConfig.Ebpf.ModulesPath)
|
||||||
procmon.SetMonitorMethod(newConfig.ProcMonitorMethod)
|
if err != nil && err.What > monitor.NoError {
|
||||||
clientConfig.ProcMonitorMethod = newConfig.ProcMonitorMethod
|
|
||||||
err := monitor.Init(newConfig.Ebpf.ModulesPath)
|
|
||||||
if err.What > monitor.NoError {
|
|
||||||
log.Error("[config] config.procmon error: %s", err.Msg)
|
|
||||||
procmon.SetMonitorMethod(clientConfig.ProcMonitorMethod)
|
|
||||||
monitor.Init(clientConfig.Ebpf.ModulesPath)
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
|
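Review bot: In the `if reloadProc` branch the failure path now returns `err` silently: the old `log.Error("[config] config.procmon error: %s", err.Msg)` is gone, along with the visible rollback to the previous method and the `clientConfig.ProcMonitorMethod = newConfig.ProcMonitorMethod` assignment. If `monitor.ReconfigureMonitorMethod` does not itself log, restore the previous monitor and keep the stored config consistent (its body is not shown here), a failed switch could leave the daemon without a working process monitor and `ProcMonitorMethod()` reporting a stale value. I would keep the log line before `return err` and, once confirmed, add a comment such as `// ReconfigureMonitorMethod restores the previous method on failure`. The body of reloadConfiguration starts and ends outside the hunk.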
32
daemon/ui/testdata/default-config.json.orig
vendored
32
daemon/ui/testdata/default-config.json.orig
vendored
|
@ -2,16 +2,42 @@
|
||||||
"Server":
|
"Server":
|
||||||
{
|
{
|
||||||
"Address":"unix:///tmp/osui.sock",
|
"Address":"unix:///tmp/osui.sock",
|
||||||
"LogFile":"/var/log/opensnitchd.log"
|
"LogFile":"/dev/stdout",
|
||||||
|
"Authentication": {
|
||||||
|
"Type": "tls-mutual",
|
||||||
|
"TLSOptions": {
|
||||||
|
"CACert": "/tmp/opensnitch/certs/unix-socket/ca-cert.pem",
|
||||||
|
"ServerCert": "/tmp/opensnitch/certs/unix-socket/server-cert.pem",
|
||||||
|
"ClientCert": "/tmp/opensnitch/certs/unix-socket/client-abstract-cert.pem",
|
||||||
|
"ClientKey": "/tmp/opensnitch/certs/unix-socket/client-key.pem",
|
||||||
|
"SkipVerify": false,
|
||||||
|
"ClientAuthType": "req-and-verify-cert"
|
||||||
|
}
|
||||||
|
}
|
||||||
},
|
},
|
||||||
"DefaultAction": "allow",
|
"DefaultAction": "allow",
|
||||||
"DefaultDuration": "once",
|
"DefaultDuration": "once",
|
||||||
"InterceptUnknown": false,
|
"InterceptUnknown": false,
|
||||||
"ProcMonitorMethod": "ebpf",
|
"ProcMonitorMethod": "proc",
|
||||||
"LogLevel": 2,
|
"LogLevel": 0,
|
||||||
"LogUTC": true,
|
"LogUTC": true,
|
||||||
"LogMicro": false,
|
"LogMicro": false,
|
||||||
"Firewall": "nftables",
|
"Firewall": "nftables",
|
||||||
|
"FwOptions": {
|
||||||
|
"ConfigPath": "/etc/opensnitchd/system-fw.json",
|
||||||
|
"MonitorInterval": "25s",
|
||||||
|
"ActionOnOverflow": "drop"
|
||||||
|
},
|
||||||
|
"Rules": {
|
||||||
|
"Path": "",
|
||||||
|
"EnableChecksums": true
|
||||||
|
},
|
||||||
|
"Ebpf": {
|
||||||
|
"ModulesPath": "/usr/lib/opensnitchd/ebpf"
|
||||||
|
},
|
||||||
|
"Internal": {
|
||||||
|
"GCPercent": 75
|
||||||
|
},
|
||||||
"Stats": {
|
"Stats": {
|
||||||
"MaxEvents": 150,
|
"MaxEvents": 150,
|
||||||
"MaxStats": 25,
|
"MaxStats": 25,
|
||||||
|
|