
Multiple Alerts Getting Generated For A Single Deny Action When Using DASH

Rudraksh Pareek edited this page Aug 24, 2023 · 1 revision

About DASH

DASH is an alternative shell commonly found in Debian-based distributions; in some environments sh itself is a symlink to dash.

DASH has internal retry logic for command execution failures: when executing a command fails, it re-executes the command through any other entries under $PATH that are symlinks to the original binary. In addition, in some environments the directories listed in $PATH are themselves symlinks.

Scenario

In Debian 12, /bin is a symlink to /usr/bin. When KubeArmor blocks apt based on a process rule for /usr/bin/apt, DASH re-executes the command via /bin/apt, which is blocked again.

These are therefore two distinct executions, and each one produces its own alert.

Enforcer Parity

The AppArmor enforcer sees only the symlinked path, not the actual binary path. The processName in the syscall event therefore does not match the path specified in the policy, and the extra alert is raised with policyName: DefaultPosture.

The BPF-LSM enforcer, however, is aware of the actual binary path, so processName in the syscall event matches the policy and the extra alert carries the correct policyName.
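The following is an added example, not KubeArmor's own code, showing how an alert consumer can recognise the two alerts from the Scenario and Enforcer Parity sections above as one logical deny: it canonicalises processName through a symlink table and groups alerts that share the canonical path within a short time window, preferring a named policy over DefaultPosture when both appear (the AppArmor case). The symlink table, the `timestamp` field and the alert records are constructed for the example; the field names processName and policyName are the ones used on this page.

```python
"""Group KubeArmor deny alerts that stem from one command re-executed by
DASH through several symlinked paths. Added example; not KubeArmor code."""
import posixpath

# Constructed directory-symlink table standing in for Debian 12's merged-/usr
# layout, where /bin -> /usr/bin. On a live host the mapping would be read
# with os.path.realpath(); it is a fixed table here so the example runs offline.
SYMLINK_DIRS = {"/bin": "/usr/bin", "/sbin": "/usr/sbin", "/lib": "/usr/lib"}


def canonical_path(path, symlink_dirs=SYMLINK_DIRS):
    """Rewrite a path whose leading directory is a known symlink to its target.

    Only whole path components match, so /binary/x is not rewritten by /bin.
    """
    path = posixpath.normpath(path)
    for link, target in symlink_dirs.items():
        if path == link or path.startswith(link + "/"):
            return target + path[len(link):]
    return path


def group_alerts(alerts, window_ms=500):
    """Collapse alerts that describe one logical deny.

    Alerts are grouped when they share the canonical process path and fall
    within `window_ms` of the first alert of the group. Each group records
    the distinct raw paths seen, the policy names seen, and an effective
    policy: a named policy beats the DefaultPosture fallback, which is what
    the AppArmor enforcer reports for the symlinked retry.
    """
    groups = []
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        key = canonical_path(alert["processName"])
        for g in groups:
            if g["canonical"] == key and alert["timestamp"] - g["first_ts"] <= window_ms:
                target = g
                break
        else:
            target = {"canonical": key, "first_ts": alert["timestamp"],
                      "raw_paths": [], "policies": [], "count": 0}
            groups.append(target)
        target["count"] += 1
        if alert["processName"] not in target["raw_paths"]:
            target["raw_paths"].append(alert["processName"])
        if alert["policyName"] not in target["policies"]:
            target["policies"].append(alert["policyName"])
    for g in groups:
        named = [p for p in g["policies"] if p != "DefaultPosture"]
        g["effectivePolicy"] = named[0] if named else "DefaultPosture"
        # More than one raw path for the same binary is the DASH retry signature.
        g["symlinkRetry"] = len(g["raw_paths"]) > 1
    return groups


# Constructed alerts (timestamps in ms; "block-apt"/"block-curl" are made-up
# policy names). First set mimics the AppArmor enforcer: the retry via /bin/apt
# is attributed to DefaultPosture. The apt alert at 9000 ms is outside the window.
APPARMOR_ALERTS = [
    {"timestamp": 1000, "processName": "/usr/bin/apt", "policyName": "block-apt"},
    {"timestamp": 1003, "processName": "/bin/apt", "policyName": "DefaultPosture"},
    {"timestamp": 5000, "processName": "/usr/bin/curl", "policyName": "block-curl"},
    {"timestamp": 9000, "processName": "/bin/apt", "policyName": "DefaultPosture"},
]

# Second set mimics the BPF-LSM enforcer: both alerts carry the real policy name.
BPF_LSM_ALERTS = [
    {"timestamp": 1000, "processName": "/usr/bin/apt", "policyName": "block-apt"},
    {"timestamp": 1004, "processName": "/bin/apt", "policyName": "block-apt"},
]

if __name__ == "__main__":
    for label, alerts in (("AppArmor", APPARMOR_ALERTS), ("BPF-LSM", BPF_LSM_ALERTS)):
        print(label)
        for g in group_alerts(alerts):
            print(f"  {g['canonical']}: {g['count']} alert(s), raw={g['raw_paths']}, "
                  f"policy={g['effectivePolicy']}, symlinkRetry={g['symlinkRetry']}")
```

On a real node the symlink table should be derived from the host rather than hard-coded; `readlink -f /bin` and `readlink -f /bin/sh` show whether the merged-/usr layout and the dash symlink described above are in place. The window is a heuristic: a genuinely separate second invocation of the same blocked binary inside the window would be folded into the same group, so the `count` is kept so that the raw alert volume is not lost.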
