From d9d232d728a50beff0d52b27ac16fb50ba55a97a Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Tue, 30 Apr 2024 17:31:43 +0200
Subject: [PATCH] [CWS] fix event type issue in multi-discarders (#25240)
---
 pkg/security/probe/discarders_windows.go | 25 +++++++++++++-----------
 pkg/security/secl/rules/opts.go | 4 ++--
 pkg/security/secl/rules/ruleset.go | 11 ++++++-----
 3 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/pkg/security/probe/discarders_windows.go b/pkg/security/probe/discarders_windows.go
index b62e53a61f5918..0bfe9eae23afb6 100644
--- a/pkg/security/probe/discarders_windows.go
+++ b/pkg/security/probe/discarders_windows.go
@@ -5,7 +5,10 @@
 package probe
-import "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+import (
+ "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+)
 func init() {
 SupportedMultiDiscarder = []*rules.MultiDiscarder{
@@ -13,45 +16,45 @@ func init() {
 Entries: []rules.MultiDiscarderEntry{
 {
 Field: "create.file.path",
- EventType: "create",
+ EventType: model.CreateNewFileEventType,
 },
 {
 Field: "rename.file.path",
- EventType: "rename",
+ EventType: model.FileRenameEventType,
 },
 {
 Field: "delete.file.path",
- EventType: "delete",
+ EventType: model.DeleteFileEventType,
 },
 {
 Field: "write.file.path",
- EventType: "write",
+ EventType: model.WriteFileEventType,
 },
 },
 FinalField: "create.file.path",
- FinalEventType: "create",
+ FinalEventType: model.CreateNewFileEventType,
 },
 {
 Entries: []rules.MultiDiscarderEntry{
 {
 Field: "create.file.name",
- EventType: "create",
+ EventType: model.CreateNewFileEventType,
 },
 {
 Field: "rename.file.name",
- EventType: "rename",
+ EventType: model.FileRenameEventType,
 },
 {
 Field: "delete.file.name",
- EventType: "delete",
+ EventType: model.DeleteFileEventType,
 },
 {
 Field: "write.file.name",
- EventType: "write",
+ EventType: model.WriteFileEventType,
 },
 },
 FinalField: "create.file.name",
- FinalEventType: "create",
+ FinalEventType: model.CreateNewFileEventType,
 },
 }
 }
diff --git a/pkg/security/secl/rules/opts.go b/pkg/security/secl/rules/opts.go
index e5eca0513d2592..4b18328ccce1e4 100644
--- a/pkg/security/secl/rules/opts.go
+++ b/pkg/security/secl/rules/opts.go
@@ -108,11 +108,11 @@ func NewEvalOpts(eventTypeEnabled map[eval.EventType]bool) (*Opts, *eval.Opts) {
 type MultiDiscarder struct {
 Entries []MultiDiscarderEntry
 FinalField string
- FinalEventType string
+ FinalEventType model.EventType
 }
 // MultiDiscarderEntry represents a multi discarder entry (a field, and associated event type)
 type MultiDiscarderEntry struct {
 Field string
- EventType string
+ EventType model.EventType
 }
diff --git a/pkg/security/secl/rules/ruleset.go b/pkg/security/secl/rules/ruleset.go
index 274cf74ebc8b98..93b8b2ca449158 100644
--- a/pkg/security/secl/rules/ruleset.go
+++ b/pkg/security/secl/rules/ruleset.go
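Review bot: The two `SupportedMultiDiscarder` elements differ only in the field suffix (`.path` versus `.name`); the four event-type pairings and the `create` final field are repeated verbatim, so the next file event type has to be added in two places and the two lists can silently drift apart. A small constructor keyed by the suffix keeps them in lockstep and makes the set of covered event types visible in one place. The enclosing `init()` starts in the previous hunk, outside this one.
```go
func init() {
	SupportedMultiDiscarder = []*rules.MultiDiscarder{
		fileMultiDiscarder("path"),
		fileMultiDiscarder("name"),
	}
}

// fileMultiDiscarder builds the multi-discarder shared by the file event
// types for the given file field suffix ("path" or "name").
func fileMultiDiscarder(suffix string) *rules.MultiDiscarder {
	return &rules.MultiDiscarder{
		Entries: []rules.MultiDiscarderEntry{
			{Field: "create.file." + suffix, EventType: model.CreateNewFileEventType},
			{Field: "rename.file." + suffix, EventType: model.FileRenameEventType},
			{Field: "delete.file." + suffix, EventType: model.DeleteFileEventType},
			{Field: "write.file." + suffix, EventType: model.WriteFileEventType},
		},
		FinalField:     "create.file." + suffix,
		FinalEventType: model.CreateNewFileEventType,
	}
}
```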
@@ -765,12 +765,12 @@ func (rs *RuleSet) EvaluateDiscarders(event eval.Event) {
 for _, check := range mdiscsToCheck {
 isMultiDiscarder := true
 for _, entry := range check.mdisc.Entries {
- bucket := rs.eventRuleBuckets[entry.EventType]
- if bucket == nil {
+ bucket := rs.eventRuleBuckets[entry.EventType.String()]
+ if bucket == nil || len(bucket.rules) == 0 {
 continue
 }
- dctx, err := buildDiscarderCtx(entry.Field, check.value)
+ dctx, err := buildDiscarderCtx(entry.EventType, entry.Field, check.value)
 if err != nil {
 rs.logger.Errorf("failed to build discarder context: %v", err)
 isMultiDiscarder = false
@@ -784,7 +784,7 @@ func (rs *RuleSet) EvaluateDiscarders(event eval.Event) {
 }
 if isMultiDiscarder {
- rs.NotifyDiscarderFound(event, check.mdisc.FinalField, check.mdisc.FinalEventType)
+ rs.NotifyDiscarderFound(event, check.mdisc.FinalField, check.mdisc.FinalEventType.String())
 }
 }
 }
@@ -808,8 +808,9 @@ type multiDiscarderCheck struct {
 value string
 }
-func buildDiscarderCtx(field string, value interface{}) (*eval.Context, error) {
+func buildDiscarderCtx(eventType model.EventType, field string, value interface{}) (*eval.Context, error) {
 ev := model.NewFakeEvent()
+ ev.BaseEvent.Type = uint32(eventType)
 if err := ev.SetFieldValue(field, value); err != nil {
 return nil, err
 }
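Review bot: The new `bucket == nil || len(bucket.rules) == 0` guard skips the entry with `continue` while `isMultiDiscarder` stays true, so an event type with no loaded rules no longer counts against the multi-discarder and the final discarder can be reported from the remaining entries alone. That is probably the intent (nothing can reject the value for a type with no rules), but the silent skip widens what gets discarded and deserves a why-comment on the guard, e.g. `// no rule evaluates this event type, so no rule can reject the value for it; skip the entry rather than fail the multi-discarder`. The loop body and `EvaluateDiscarders` continue past the hunk, so I cannot see whether a skipped entry is otherwise distinguished from one whose rules actually rejected nothing.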
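Review bot: `buildDiscarderCtx` gained an `eventType` parameter and the `ev.BaseEvent.Type = uint32(eventType)` assignment, but still has no doc comment, and that assignment is the line a reader needs explained. Suggest adding above the signature `// buildDiscarderCtx returns an evaluation context over a fake event whose type is set to eventType and whose field is set to value, so discarder evaluation sees the event type the rule bucket was selected for.`, and on the assignment `// the fake event must carry the entry's type, not the zero type`. The function body continues outside the hunk.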