[CWS] bundled rules per origin

DataDog · Dec 18, 2023 · 56fd7dd · 56fd7dd
1 parent a87ec42
commit 56fd7dd
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 15 deletions.
diff --git a/pkg/security/rules/bundled_policy_provider.go b/pkg/security/rules/bundled_policy_provider.go
@@ -7,24 +7,37 @@
 package rules
 
 import (
+	"github.com/hashicorp/go-multierror"
+
+	"github.com/DataDog/datadog-agent/pkg/security/config"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/version"
-	"github.com/hashicorp/go-multierror"
 )
 
 // BundledPolicyProvider specify the policy provider for bundled policies
-type BundledPolicyProvider struct{}
+type BundledPolicyProvider struct {
+	cfg *config.RuntimeSecurityConfig
+}
+
+// NewBundledPolicyProvider returns a new bundled policy provider
+func NewBundledPolicyProvider(cfg *config.RuntimeSecurityConfig) *BundledPolicyProvider {
+	return &BundledPolicyProvider{
+		cfg: cfg,
+	}
+}
 
 // LoadPolicies implements the PolicyProvider interface
 func (p *BundledPolicyProvider) LoadPolicies([]rules.MacroFilter, []rules.RuleFilter) ([]*rules.Policy, *multierror.Error) {
+	bundledRules := newBundledPolicyRules(p.cfg)
+
 	policy := &rules.Policy{}
 
 	policy.Name = "bundled_policy"
 	policy.Source = "bundled"
 	policy.Version = version.AgentVersion
-	policy.Rules = bundledPolicyRules
+	policy.Rules = bundledRules
 
-	for _, rule := range bundledPolicyRules {
+	for _, rule := range bundledRules {
 		rule.Policy = policy
 	}
 

diff --git a/pkg/security/rules/bundled_policy_provider_linux.go b/pkg/security/rules/bundled_policy_provider_linux.go
@@ -7,15 +7,21 @@
 package rules
 
 import (
+	"github.com/DataDog/datadog-agent/pkg/security/config"
 	"github.com/DataDog/datadog-agent/pkg/security/events"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 )
 
-var bundledPolicyRules = []*rules.RuleDefinition{{
-	ID:         events.RefreshUserCacheRuleID,
-	Expression: `rename.file.destination.path in [ "/etc/passwd", "/etc/group" ]`,
-	Actions: []rules.ActionDefinition{{
-		InternalCallbackDefinition: &rules.InternalCallbackDefinition{},
-	}},
-	Silent: true,
-}}
+func newBundledPolicyRules(cfg *config.RuntimeSecurityConfig) []*rules.RuleDefinition {
+	if cfg.EBPFLessEnabled {
+		return []*rules.RuleDefinition{}
+	}
+	return []*rules.RuleDefinition{{
+		ID:         events.RefreshUserCacheRuleID,
+		Expression: `rename.file.destination.path in [ "/etc/passwd", "/etc/group" ]`,
+		Actions: []rules.ActionDefinition{{
+			InternalCallbackDefinition: &rules.InternalCallbackDefinition{},
+		}},
+		Silent: true,
+	}}
+}
diff --git a/pkg/security/rules/bundled_policy_provider_other.go b/pkg/security/rules/bundled_policy_provider_other.go
@@ -8,6 +8,11 @@
 // Package rules holds rules related files
 package rules
 
-import "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+import (
+	"github.com/DataDog/datadog-agent/pkg/security/config"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+)
 
-var bundledPolicyRules = []*rules.RuleDefinition{}
+func newBundledPolicyRules(_ *config.RuntimeSecurityConfig) []*rules.RuleDefinition {
+	return []*rules.RuleDefinition{}
+}
diff --git a/pkg/security/rules/engine.go b/pkg/security/rules/engine.go
@@ -335,7 +335,7 @@ func (e *RuleEngine) notifyAPIServer(ruleIDs []rules.RuleID, policies []*monitor
 func (e *RuleEngine) gatherDefaultPolicyProviders() []rules.PolicyProvider {
 	var policyProviders []rules.PolicyProvider
 
-	policyProviders = append(policyProviders, &BundledPolicyProvider{})
+	policyProviders = append(policyProviders, NewBundledPolicyProvider(e.config))
 
 	// add remote config as config provider if enabled.
 	if e.config.RemoteConfigurationEnabled {