

[CWS] bundled rules per origin (#21621)
[CWS] bundled rules per origin
safchain authored Dec 20, 2023
1 parent a339ad5 commit 3966088
Showing 5 changed files with 36 additions and 13 deletions.
14 changes: 13 additions & 1 deletion pkg/security/rules/bundled_policy_provider.go
Expand Up @@ -9,15 +9,27 @@ package rules
import (
"github.com/hashicorp/go-multierror"

"github.com/DataDog/datadog-agent/pkg/security/config"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
"github.com/DataDog/datadog-agent/pkg/version"
)

// BundledPolicyProvider specify the policy provider for bundled policies
type BundledPolicyProvider struct{}
type BundledPolicyProvider struct {
cfg *config.RuntimeSecurityConfig
}

// NewBundledPolicyProvider returns a new bundled policy provider
func NewBundledPolicyProvider(cfg *config.RuntimeSecurityConfig) *BundledPolicyProvider {
return &BundledPolicyProvider{
cfg: cfg,
}
}

// LoadPolicies implements the PolicyProvider interface
func (p *BundledPolicyProvider) LoadPolicies([]rules.MacroFilter, []rules.RuleFilter) ([]*rules.Policy, *multierror.Error) {
bundledPolicyRules := newBundledPolicyRules(p.cfg)

policy := &rules.Policy{}

policy.Name = "bundled_policy"
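Review bot: The doc comment on BundledPolicyProvider still reads as if the type were usable as a bare literal, but after this change the zero value carries a nil cfg that NewBundledPolicyProvider never checks and that LoadPolicies hands to newBundledPolicyRules, which on Linux reads a field from it. This commit rewrites the two `&BundledPolicyProvider{}` sites it knows about (engine.go, module_tester.go); whether any other construction site exists cannot be told from this page. I would extend the comment to `// BundledPolicyProvider specify the policy provider for bundled policies. The zero value is not usable; build it with NewBundledPolicyProvider.` so the constraint is visible at the type rather than discovered at policy-load time. The LoadPolicies body continues outside the hunk.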
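--- a/pkg/security/rules/bundled_policy_provider_linux.go
+++ b/pkg/security/rules/bundled_policy_provider_linux.go
@@ -7,15 +7,21 @@
 package rules
 
 import (
+"github.com/DataDog/datadog-agent/pkg/security/config"
 "github.com/DataDog/datadog-agent/pkg/security/events"
 "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 )
 
-var bundledPolicyRules = []*rules.RuleDefinition{{
-ID: events.RefreshUserCacheRuleID,
-Expression: `rename.file.destination.path in [ "/etc/passwd", "/etc/group" ]`,
-Actions: []rules.ActionDefinition{{
-InternalCallbackDefinition: &rules.InternalCallbackDefinition{},
-}},
-Silent: true,
-}}
+func newBundledPolicyRules(cfg *config.RuntimeSecurityConfig) []*rules.RuleDefinition {
+if cfg.EBPFLessEnabled {
+return []*rules.RuleDefinition{}
+}
+return []*rules.RuleDefinition{{
+ID: events.RefreshUserCacheRuleID,
+Expression: `rename.file.destination.path in [ "/etc/passwd", "/etc/group" ]`,
+Actions: []rules.ActionDefinition{{
+InternalCallbackDefinition: &rules.InternalCallbackDefinition{},
+}},
+Silent: true,
+}}
+}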
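Review bot: The early return on `cfg.EBPFLessEnabled` silently drops the only bundled rule, the one that refreshes the user cache when `/etc/passwd` or `/etc/group` is renamed, and nothing says why that rule must not be loaded in eBPF-less mode or whether the cache is kept current some other way there; a reader deciding later whether the rule can be re-enabled has no record of the reason. I would put a one-line why-comment above the check, e.g. `// ebpfless mode: <reason the rename-based refresh rule is not loaded>`, with the actual reason filled in by the author. The same line also dereferences cfg with no nil check, so a caller that passes a nil config now panics inside LoadPolicies rather than getting the previous default rule set; if nil is meant to be impossible, a comment on the parameter saying so, or a guard such as `if cfg == nil || cfg.EBPFLessEnabled {`, would make that explicit. This function is new in the commit and is complete within the hunk.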
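--- a/pkg/security/rules/bundled_policy_provider_other.go
+++ b/pkg/security/rules/bundled_policy_provider_other.go
@@ -8,6 +8,11 @@
 // Package rules holds rules related files
 package rules
 
-import "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+import (
+"github.com/DataDog/datadog-agent/pkg/security/config"
+"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+)
 
-var bundledPolicyRules = []*rules.RuleDefinition{}
+func newBundledPolicyRules(_ *config.RuntimeSecurityConfig) []*rules.RuleDefinition {
+return []*rules.RuleDefinition{}
+}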
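--- a/pkg/security/rules/engine.go
+++ b/pkg/security/rules/engine.go
@@ -346,7 +346,7 @@ func (e *RuleEngine) notifyAPIServer(ruleIDs []rules.RuleID, policies []*monitor
 func (e *RuleEngine) gatherDefaultPolicyProviders() []rules.PolicyProvider {
 var policyProviders []rules.PolicyProvider
 
-policyProviders = append(policyProviders, &BundledPolicyProvider{})
+policyProviders = append(policyProviders, NewBundledPolicyProvider(e.config))
 
 // add remote config as config provider if enabled.
 if e.config.RemoteConfigurationEnabled {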
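--- a/pkg/security/tests/module_tester.go
+++ b/pkg/security/tests/module_tester.go
@@ -1122,7 +1122,7 @@ func (tm *testModule) Run(t *testing.T, name string, fnc func(t *testing.T, kind
 func (tm *testModule) reloadPolicies() error {
 log.Debugf("reload policies with cfgDir: %s", commonCfgDir)
 
-bundledPolicyProvider := &rulesmodule.BundledPolicyProvider{}
+bundledPolicyProvider := rulesmodule.NewBundledPolicyProvider(tm.eventMonitor.Probe.Config.RuntimeSecurity)
 policyDirProvider, err := rules.NewPoliciesDirProvider(commonCfgDir, false)
 if err != nil {
 return err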
