[CWS] fix event type issue in multi-discarders (#25240)

DataDog · Apr 30, 2024 · d9d232d · d9d232d
1 parent 9a03fcd
commit d9d232d
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 18 deletions.
diff --git a/pkg/security/probe/discarders_windows.go b/pkg/security/probe/discarders_windows.go
@@ -5,53 +5,56 @@
 
 package probe
 
-import "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+import (
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+)
 
 func init() {
 	SupportedMultiDiscarder = []*rules.MultiDiscarder{
 		{
 			Entries: []rules.MultiDiscarderEntry{
 				{
 					Field:     "create.file.path",
-					EventType: "create",
+					EventType: model.CreateNewFileEventType,
 				},
 				{
 					Field:     "rename.file.path",
-					EventType: "rename",
+					EventType: model.FileRenameEventType,
 				},
 				{
 					Field:     "delete.file.path",
-					EventType: "delete",
+					EventType: model.DeleteFileEventType,
 				},
 				{
 					Field:     "write.file.path",
-					EventType: "write",
+					EventType: model.WriteFileEventType,
 				},
 			},
 			FinalField:     "create.file.path",
-			FinalEventType: "create",
+			FinalEventType: model.CreateNewFileEventType,
 		},
 		{
 			Entries: []rules.MultiDiscarderEntry{
 				{
 					Field:     "create.file.name",
-					EventType: "create",
+					EventType: model.CreateNewFileEventType,
 				},
 				{
 					Field:     "rename.file.name",
-					EventType: "rename",
+					EventType: model.FileRenameEventType,
 				},
 				{
 					Field:     "delete.file.name",
-					EventType: "delete",
+					EventType: model.DeleteFileEventType,
 				},
 				{
 					Field:     "write.file.name",
-					EventType: "write",
+					EventType: model.WriteFileEventType,
 				},
 			},
 			FinalField:     "create.file.name",
-			FinalEventType: "create",
+			FinalEventType: model.CreateNewFileEventType,
 		},
 	}
 }
diff --git a/pkg/security/secl/rules/opts.go b/pkg/security/secl/rules/opts.go
@@ -108,11 +108,11 @@ func NewEvalOpts(eventTypeEnabled map[eval.EventType]bool) (*Opts, *eval.Opts) {
 type MultiDiscarder struct {
 	Entries        []MultiDiscarderEntry
 	FinalField     string
-	FinalEventType string
+	FinalEventType model.EventType
 }
 
 // MultiDiscarderEntry represents a multi discarder entry (a field, and associated event type)
 type MultiDiscarderEntry struct {
 	Field     string
-	EventType string
+	EventType model.EventType
 }
diff --git a/pkg/security/secl/rules/ruleset.go b/pkg/security/secl/rules/ruleset.go
@@ -765,12 +765,12 @@ func (rs *RuleSet) EvaluateDiscarders(event eval.Event) {
 	for _, check := range mdiscsToCheck {
 		isMultiDiscarder := true
 		for _, entry := range check.mdisc.Entries {
-			bucket := rs.eventRuleBuckets[entry.EventType]
-			if bucket == nil {
+			bucket := rs.eventRuleBuckets[entry.EventType.String()]
+			if bucket == nil || len(bucket.rules) == 0 {
 				continue
 			}
 
-			dctx, err := buildDiscarderCtx(entry.Field, check.value)
+			dctx, err := buildDiscarderCtx(entry.EventType, entry.Field, check.value)
 			if err != nil {
 				rs.logger.Errorf("failed to build discarder context: %v", err)
 				isMultiDiscarder = false
@@ -784,7 +784,7 @@ func (rs *RuleSet) EvaluateDiscarders(event eval.Event) {
 		}
 
 		if isMultiDiscarder {
-			rs.NotifyDiscarderFound(event, check.mdisc.FinalField, check.mdisc.FinalEventType)
+			rs.NotifyDiscarderFound(event, check.mdisc.FinalField, check.mdisc.FinalEventType.String())
 		}
 	}
 }
@@ -808,8 +808,9 @@ type multiDiscarderCheck struct {
 	value string
 }
 
-func buildDiscarderCtx(field string, value interface{}) (*eval.Context, error) {
+func buildDiscarderCtx(eventType model.EventType, field string, value interface{}) (*eval.Context, error) {
 	ev := model.NewFakeEvent()
+	ev.BaseEvent.Type = uint32(eventType)
 	if err := ev.SetFieldValue(field, value); err != nil {
 		return nil, err
 	}