From b8da290123a98b477f787765738ebfeaf62b08b3 Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Thu, 19 Dec 2024 12:11:19 +0100
Subject: [PATCH] prevent macro from using FIM event field

---
 pkg/security/secl/rules/ruleset.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/security/secl/rules/ruleset.go b/pkg/security/secl/rules/ruleset.go
index 62834bbdc28a5f..4bdd54a0442391 100644
--- a/pkg/security/secl/rules/ruleset.go
+++ b/pkg/security/secl/rules/ruleset.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"reflect"
 	"slices"
+	"strings"
 	"sync"
 
 	"github.com/spf13/cast"
@@ -121,6 +122,10 @@ func (rs *RuleSet) AddMacro(parsingContext *ast.ParsingContext, pMacro *PolicyMa
 	case pMacro.Def.Expression != "" && len(pMacro.Def.Values) > 0:
 		return nil, &ErrMacroLoad{Macro: pMacro, Err: errors.New("only one of 'expression' and 'values' can be defined")}
 	case pMacro.Def.Expression != "":
+		if strings.Contains(pMacro.Def.Expression, "fim.write.file.") {
+			return nil, &ErrMacroLoad{Macro: pMacro, Err: errors.New("macro expression cannot contain 'fim.write.file.' event types")}
+		}
+
 		if macro, err = eval.NewMacro(pMacro.Def.ID, pMacro.Def.Expression, rs.model, parsingContext, rs.evalOpts); err != nil {
 			return nil, &ErrMacroLoad{Macro: pMacro, Err: err}
 		}
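Review bot: The new guard in AddMacro is a raw-text substring match, so it rejects any expression whose source happens to contain `fim.write.file.` (including inside a string literal being compared against a path) while saying nothing about how the parser actually resolved the fields; a more precise check would inspect the fields the compiled macro references after `eval.NewMacro` succeeds, if the macro type exposes them, and reject when one carries that prefix. The literal also deserves a named constant with a why-comment, e.g. `// fimWriteFieldPrefix names the field family macros must not reference. const fimWriteFieldPrefix = "fim.write.file."`, so the rule and its error message cannot drift apart. The error text calls the prefix "event types", but it is a field prefix; `errors.New("macro expression cannot reference 'fim.write.file.' fields")` reads more accurately. AddMacro's switch starts and ends outside this hunk, so it is not visible whether the `Values` branch can reach the same field family.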