diff --git a/cmd/security-agent/subcommands/runtime/command.go b/cmd/security-agent/subcommands/runtime/command.go index 08bbdcea4c787a..c0b5e2c0775ff4 100644 --- a/cmd/security-agent/subcommands/runtime/command.go +++ b/cmd/security-agent/subcommands/runtime/command.go @@ -41,6 +41,7 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/probe/kfilters" "github.com/DataDog/datadog-agent/pkg/security/proto/api" "github.com/DataDog/datadog-agent/pkg/security/reporter" + "github.com/DataDog/datadog-agent/pkg/security/rules/filtermodel" "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval" "github.com/DataDog/datadog-agent/pkg/security/secl/model" "github.com/DataDog/datadog-agent/pkg/security/secl/rules" @@ -463,12 +464,22 @@ func checkPoliciesLocal(args *checkPoliciesCliParams, writer io.Writer) error { return fmt.Errorf("failed to create agent version filter: %w", err) } + os := runtime.GOOS + if args.windowsModel { + os = "windows" + } + + ruleFilterModel := filtermodel.NewOSOnlyFilterModel(os) + seclRuleFilter := rules.NewSECLRuleFilter(ruleFilterModel) + loaderOpts := rules.PolicyLoaderOpts{ MacroFilters: []rules.MacroFilter{ agentVersionFilter, + seclRuleFilter, }, RuleFilters: []rules.RuleFilter{ agentVersionFilter, + seclRuleFilter, }, } diff --git a/pkg/security/rules/filtermodel/os_only_filter.go b/pkg/security/rules/filtermodel/os_only_filter.go new file mode 100644 index 00000000000000..515203c44b6f9a --- /dev/null +++ b/pkg/security/rules/filtermodel/os_only_filter.go @@ -0,0 +1,103 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +// Package filtermodel holds rules related files +package filtermodel + +import ( + "reflect" + + "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval" +) + +// OSOnlyFilterEvent defines an os-only rule filter event +type OSOnlyFilterEvent struct { + os string +} + +// OSOnlyFilterModel defines a filter model +type OSOnlyFilterModel struct { + os string +} + +// NewOSOnlyFilterModel returns a new rule filter model +func NewOSOnlyFilterModel(os string) *OSOnlyFilterModel { + return &OSOnlyFilterModel{ + os: os, + } +} + +// NewEvent returns a new event +func (m *OSOnlyFilterModel) NewEvent() eval.Event { + return &OSOnlyFilterEvent{ + os: m.os, + } +} + +// GetEvaluator gets the evaluator +func (m *OSOnlyFilterModel) GetEvaluator(field eval.Field, _ eval.RegisterID) (eval.Evaluator, error) { + switch field { + case "os": + return &eval.StringEvaluator{ + EvalFnc: func(_ *eval.Context) string { return m.os }, + Field: field, + }, nil + } + + return nil, &eval.ErrFieldNotFound{Field: field} +} + +// GetFieldValue gets a field value +func (e *OSOnlyFilterEvent) GetFieldValue(field eval.Field) (interface{}, error) { + switch field { + case "os": + return e.os, nil + } + + return nil, &eval.ErrFieldNotFound{Field: field} +} + +// Init inits the rule filter event +func (e *OSOnlyFilterEvent) Init() {} + +// GetFieldEventType returns the event type for the given field +func (e *OSOnlyFilterEvent) GetFieldEventType(_ eval.Field) (string, error) { + return "*", nil +} + +// SetFieldValue sets the value for the given field +func (e *OSOnlyFilterEvent) SetFieldValue(field eval.Field, _ interface{}) error { + return &eval.ErrFieldNotFound{Field: field} +} + +// GetFieldType get the type of the field +func (e *OSOnlyFilterEvent) GetFieldType(field eval.Field) (reflect.Kind, error) { + switch field { + case "os": + return reflect.String, nil + } + + return reflect.Invalid, &eval.ErrFieldNotFound{Field: field} +} + +// GetType returns the type for this event +func (e *OSOnlyFilterEvent) GetType() string { + return "*" +} + +// GetTags returns the tags for this event +func (e *OSOnlyFilterEvent) GetTags() []string { + return []string{} +} + +// ValidateField returns whether the value use against the field is valid +func (m *OSOnlyFilterModel) ValidateField(_ string, _ eval.FieldValue) error { + return nil +} + +// GetFieldRestrictions returns the field event type restrictions +func (m *OSOnlyFilterModel) GetFieldRestrictions(_ eval.Field) []eval.EventType { + return nil +}