[CWS] remove some vars from event types (#33910)

DataDog · Feb 12, 2025 · 5b40f43 · 5b40f43
1 parent 32d77d9
commit 5b40f43
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 14 deletions.
diff --git a/pkg/security/ebpf/probes/event_types.go b/pkg/security/ebpf/probes/event_types.go
@@ -75,8 +75,15 @@ func NetworkSelectors() []manager.ProbesSelector {
 }
 
 // SyscallMonitorSelectors is the list of probes that should be activated for the syscall monitor feature
-var SyscallMonitorSelectors = []manager.ProbesSelector{
-	&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFFuncName: "sys_enter"}},
+func SyscallMonitorSelectors() []manager.ProbesSelector {
+	return []manager.ProbesSelector{
+		&manager.ProbeSelector{
+			ProbeIdentificationPair: manager.ProbeIdentificationPair{
+				UID:          SecurityAgentUID,
+				EBPFFuncName: "sys_enter",
+			},
+		},
+	}
 }
 
 // SnapshotSelectors selectors required during the snapshot
@@ -92,15 +99,9 @@ func SnapshotSelectors(fentry bool) []manager.ProbesSelector {
 	}
 }
 
-var selectorsPerEventTypeStore map[eval.EventType][]manager.ProbesSelector
-
 // GetSelectorsPerEventType returns the list of probes that should be activated for each event
 func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSelector {
-	if selectorsPerEventTypeStore != nil {
-		return selectorsPerEventTypeStore
-	}
-
-	selectorsPerEventTypeStore = map[eval.EventType][]manager.ProbesSelector{
+	selectorsPerEventTypeStore := map[eval.EventType][]manager.ProbesSelector{
 		// The following probes will always be activated, regardless of the loaded rules
 		"*": {
 			// Exec probes

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -1537,13 +1537,13 @@ func (p *EBPFProbe) updateProbes(ruleEventTypes []eval.EventType, needRawSyscall
 	}
 
 	if needRawSyscalls {
-		activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
+		activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors()...)
 	} else {
 		// ActivityDumps
 		if p.config.RuntimeSecurity.ActivityDumpEnabled {
 			for _, e := range p.profileManagers.GetActivityDumpTracedEventTypes() {
 				if e == model.SyscallsEventType {
-					activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
+					activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors()...)
 					break
 				}
 			}
@@ -1552,7 +1552,7 @@ func (p *EBPFProbe) updateProbes(ruleEventTypes []eval.EventType, needRawSyscall
 		if p.config.RuntimeSecurity.AnomalyDetectionEnabled {
 			for _, e := range p.profileManagers.GetAnomalyDetectionEventTypes() {
 				if e == model.SyscallsEventType {
-					activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
+					activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors()...)
 					break
 				}
 			}
@@ -2178,7 +2178,7 @@ func (p *EBPFProbe) initManagerOptionsActivatedProbes(config *config.Config) {
 		for _, e := range config.RuntimeSecurity.ActivityDumpTracedEventTypes {
 			if e == model.SyscallsEventType {
 				// Add syscall monitor probes
-				p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors...)
+				p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors()...)
 				break
 			}
 		}
@@ -2187,7 +2187,7 @@ func (p *EBPFProbe) initManagerOptionsActivatedProbes(config *config.Config) {
 		for _, e := range config.RuntimeSecurity.AnomalyDetectionEventTypes {
 			if e == model.SyscallsEventType {
 				// Add syscall monitor probes
-				p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors...)
+				p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors()...)
 				break
 			}
 		}