tests for overriding rules/macros/lists

New tests that test every possible override:

 - Overriding a rule with one that doesn't match
 - Overriding a macro to one that doesn't match
 - Overriding a top level list to a binary that doesn't match
 - Overriding an embedded list to one that doesn't match

In each case, the override results in no longer matching an open by the
program "cat".

test/falco_tests.yaml.in

@@ -95,6 +95,34 @@ trace_files: !mux
       - rules/double_rule.yaml
     trace_file: trace_files/cat_write.scap
 
+  multiple_rules_overriding:
+    detect: False
+    rules_file:
+      - rules/single_rule.yaml
+      - rules/override_rule.yaml
+    trace_file: trace_files/cat_write.scap
+
+  macro_overriding:
+    detect: False
+    rules_file:
+      - rules/single_rule.yaml
+      - rules/override_macro.yaml
+    trace_file: trace_files/cat_write.scap
+
+  list_overriding:
+    detect: False
+    rules_file:
+      - rules/single_rule.yaml
+      - rules/override_list.yaml
+    trace_file: trace_files/cat_write.scap
+
+  nested_list_overriding:
+    detect: False
+    rules_file:
+      - rules/single_rule.yaml
+      - rules/override_nested_list.yaml
+    trace_file: trace_files/cat_write.scap
+
   invalid_rule_output:
     exit_status: 1
     stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."

test/rules/override_list.yaml

@@ -0,0 +1,2 @@
+- list: cat_capable_binaries
+  items: [not-cat]

test/rules/override_macro.yaml

@@ -0,0 +1,2 @@
+- macro: is_cat
+  condition: proc.name in (not-cat)

test/rules/override_nested_list.yaml

@@ -0,0 +1,2 @@
+- list: cat_binaries
+  items: [not-cat]

test/rules/override_rule.yaml

@@ -0,0 +1,5 @@
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=not-cat
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING

test/rules/single_rule.yaml

@@ -1,5 +1,11 @@
+- list: cat_binaries
+  items: [cat]
+
+- list: cat_capable_binaries
+  items: [cat_binaries]
+
 - macro: is_cat
-  condition: proc.name=cat
+  condition: proc.name in (cat_capable_binaries)
 
 - rule: open_from_cat
   desc: A process named cat does an open