From 396608846527548ed10afecfaa6dc0e11d45becb Mon Sep 17 00:00:00 2001
From: Sylvain Afchain
Date: Wed, 20 Dec 2023 14:11:40 +0100
Subject: [PATCH] [CWS] bundled rules per origin (#21621)

[CWS] bundled rules per origin
---
 pkg/security/rules/bundled_policy_provider.go | 14 +++++++++++-
 .../rules/bundled_policy_provider_linux.go | 22 ++++++++++++-------
 .../rules/bundled_policy_provider_other.go | 9 ++++++--
 pkg/security/rules/engine.go | 2 +-
 pkg/security/tests/module_tester.go | 2 +-
 5 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/pkg/security/rules/bundled_policy_provider.go b/pkg/security/rules/bundled_policy_provider.go
index b82931965c3fc..df2f8302d3417 100644
--- a/pkg/security/rules/bundled_policy_provider.go
+++ b/pkg/security/rules/bundled_policy_provider.go
@@ -9,15 +9,27 @@ package rules
 import (
 "github.com/hashicorp/go-multierror"
+ "github.com/DataDog/datadog-agent/pkg/security/config"
 "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 "github.com/DataDog/datadog-agent/pkg/version"
 )
 // BundledPolicyProvider specify the policy provider for bundled policies
-type BundledPolicyProvider struct{}
+type BundledPolicyProvider struct {
+ cfg *config.RuntimeSecurityConfig
+}
+
+// NewBundledPolicyProvider returns a new bundled policy provider
+func NewBundledPolicyProvider(cfg *config.RuntimeSecurityConfig) *BundledPolicyProvider {
+ return &BundledPolicyProvider{
+ cfg: cfg,
+ }
+}
 // LoadPolicies implements the PolicyProvider interface
 func (p *BundledPolicyProvider) LoadPolicies([]rules.MacroFilter, []rules.RuleFilter) ([]*rules.Policy, *multierror.Error) {
+ bundledPolicyRules := newBundledPolicyRules(p.cfg)
+
 policy := &rules.Policy{}
 policy.Name = "bundled_policy"
diff --git a/pkg/security/rules/bundled_policy_provider_linux.go b/pkg/security/rules/bundled_policy_provider_linux.go
index 042d46983516c..e8d0ab5b5bc4d 100644
--- a/pkg/security/rules/bundled_policy_provider_linux.go
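Review bot: The doc comments on `NewBundledPolicyProvider` and on the `BundledPolicyProvider` type should state that `cfg` must be non-nil and that the zero value is no longer usable: `LoadPolicies` now forwards `p.cfg` to `newBundledPolicyRules`, and the Linux implementation of that helper later in this patch reads `cfg.EBPFLessEnabled` with no nil check, so a `&BundledPolicyProvider{}` — still expressible because the type stays exported — would become a nil-pointer panic at policy-load time in the security module rather than loading the bundled rules as before. I would change the constructor comment to `// NewBundledPolicyProvider returns a new bundled policy provider. cfg must be non-nil: LoadPolicies consults it to decide which bundled rules apply, so the zero value of BundledPolicyProvider is not usable.` The body of LoadPolicies continues past the end of the hunk.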
+++ b/pkg/security/rules/bundled_policy_provider_linux.go
@@ -7,15 +7,21 @@ package rules
 import (
+ "github.com/DataDog/datadog-agent/pkg/security/config"
 "github.com/DataDog/datadog-agent/pkg/security/events"
 "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 )
-var bundledPolicyRules = []*rules.RuleDefinition{{
- ID: events.RefreshUserCacheRuleID,
- Expression: `rename.file.destination.path in [ "/etc/passwd", "/etc/group" ]`,
- Actions: []rules.ActionDefinition{{
- InternalCallbackDefinition: &rules.InternalCallbackDefinition{},
- }},
- Silent: true,
-}}
+func newBundledPolicyRules(cfg *config.RuntimeSecurityConfig) []*rules.RuleDefinition {
+ if cfg.EBPFLessEnabled {
+ return []*rules.RuleDefinition{}
+ }
+ return []*rules.RuleDefinition{{
+ ID: events.RefreshUserCacheRuleID,
+ Expression: `rename.file.destination.path in [ "/etc/passwd", "/etc/group" ]`,
+ Actions: []rules.ActionDefinition{{
+ InternalCallbackDefinition: &rules.InternalCallbackDefinition{},
+ }},
+ Silent: true,
+ }}
+}
diff --git a/pkg/security/rules/bundled_policy_provider_other.go b/pkg/security/rules/bundled_policy_provider_other.go
index 57718ba0c72ff..996356885dccf 100644
--- a/pkg/security/rules/bundled_policy_provider_other.go
+++ b/pkg/security/rules/bundled_policy_provider_other.go
@@ -8,6 +8,11 @@
 // Package rules holds rules related files
 package rules
-import "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+import (
+ "github.com/DataDog/datadog-agent/pkg/security/config"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+)
-var bundledPolicyRules = []*rules.RuleDefinition{}
+func newBundledPolicyRules(_ *config.RuntimeSecurityConfig) []*rules.RuleDefinition {
+ return []*rules.RuleDefinition{}
+}
diff --git a/pkg/security/rules/engine.go b/pkg/security/rules/engine.go
index 6ba33397f6453..068f9a82afe3c 100644
--- a/pkg/security/rules/engine.go
+++ b/pkg/security/rules/engine.go
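Review bot: `newBundledPolicyRules` dereferences `cfg` on its first statement (`if cfg.EBPFLessEnabled`) with no nil guard, and nothing visible in this patch prevents the exported provider from being built without a config, so a nil config would panic the rule engine during policy loading instead of falling back to the behaviour the agent had before this change. Treating a missing config like the default probe keeps that earlier behaviour and costs one line: `if cfg != nil && cfg.EBPFLessEnabled {`. As a matter of style the early return could be `return nil` rather than an allocated empty slice, which is the idiomatic empty result in Go. The reason the user-cache refresh rule is dropped on the eBPF-less probe is also not recorded; I would add above the check `// The refresh-user-cache rule is not loaded on the eBPF-less probe — presumably because the rename event and internal callback it depends on are not served there; confirm before relying on user-name resolution staying fresh in that mode.`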
@@ -346,7 +346,7 @@ func (e *RuleEngine) notifyAPIServer(ruleIDs []rules.RuleID, policies []*monitor
 func (e *RuleEngine) gatherDefaultPolicyProviders() []rules.PolicyProvider {
 var policyProviders []rules.PolicyProvider
- policyProviders = append(policyProviders, &BundledPolicyProvider{})
+ policyProviders = append(policyProviders, NewBundledPolicyProvider(e.config))
 // add remote config as config provider if enabled.
 if e.config.RemoteConfigurationEnabled {
diff --git a/pkg/security/tests/module_tester.go b/pkg/security/tests/module_tester.go
index b68e6116532c3..eaa5f5fac7830 100644
--- a/pkg/security/tests/module_tester.go
+++ b/pkg/security/tests/module_tester.go
@@ -1122,7 +1122,7 @@ func (tm *testModule) Run(t *testing.T, name string, fnc func(t *testing.T, kind
 func (tm *testModule) reloadPolicies() error {
 log.Debugf("reload policies with cfgDir: %s", commonCfgDir)
- bundledPolicyProvider := &rulesmodule.BundledPolicyProvider{}
+ bundledPolicyProvider := rulesmodule.NewBundledPolicyProvider(tm.eventMonitor.Probe.Config.RuntimeSecurity)
 policyDirProvider, err := rules.NewPoliciesDirProvider(commonCfgDir, false)
 if err != nil {
 return err