prevent macro from using FIM event field
paulcacheux committed Dec 19, 2024
1 parent 66e576d commit b8da290
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions pkg/security/secl/rules/ruleset.go
@@ -11,6 +11,7 @@ import (
"fmt"
"reflect"
"slices"
"strings"
"sync"

"github.com/spf13/cast"
@@ -121,6 +122,10 @@ func (rs *RuleSet) AddMacro(parsingContext *ast.ParsingContext, pMacro *PolicyMa
case pMacro.Def.Expression != "" && len(pMacro.Def.Values) > 0:
return nil, &ErrMacroLoad{Macro: pMacro, Err: errors.New("only one of 'expression' and 'values' can be defined")}
case pMacro.Def.Expression != "":
if strings.Contains(pMacro.Def.Expression, "fim.write.file.") {
return nil, &ErrMacroLoad{Macro: pMacro, Err: errors.New("macro expression cannot contain 'fim.write.file.' event types")}
}

if macro, err = eval.NewMacro(pMacro.Def.ID, pMacro.Def.Expression, rs.model, parsingContext, rs.evalOpts); err != nil {
return nil, &ErrMacroLoad{Macro: pMacro, Err: err}
}
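Review bot: The new guard in the `pMacro.Def.Expression != ""` case matches the raw expression text with `strings.Contains`, so it also rejects a macro whose string literal merely contains `fim.write.file.` (a path pattern, for instance), and it covers only that one prefix. Checking the fields the parsed macro references once `eval.NewMacro` has succeeded would avoid that false positive. If the text check stays, a named constant for the prefix plus a short why-comment would help the next reader, e.g. `// FIM fields are only handled for rules, so reject them in macros` (reason inferred from the commit title, please confirm). The error text says 'event types' although the string is a field prefix, and no test for the rejection path is visible in this commit. AddMacro starts and ends outside the hunk.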
