From 1cb4d27f9615ca5aaf54686a745b84e14b34ca0e Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Wed, 4 Dec 2024 19:00:28 +0100
Subject: [PATCH] [CWS] always use HumanReadableDuration through a pointer so that unmarshalling works (#31760)
---
 pkg/security/probe/selftests/ebpfless.go | 2 +-
 pkg/security/secl/rules/model.go | 50 ++++++++++++------------
 pkg/security/secl/rules/policy_test.go | 2 +-
 pkg/security/secl/rules/ruleset.go | 5 ++-
 pkg/security/tests/action_test.go | 8 ++--
 pkg/security/tests/event_test.go | 4 +-
 6 files changed, 37 insertions(+), 34 deletions(-)
diff --git a/pkg/security/probe/selftests/ebpfless.go b/pkg/security/probe/selftests/ebpfless.go
index 49b3ca2c36d29..885e723b830e1 100644
--- a/pkg/security/probe/selftests/ebpfless.go
+++ b/pkg/security/probe/selftests/ebpfless.go
@@ -30,7 +30,7 @@ func (o *EBPFLessSelfTest) GetRuleDefinition() *rules.RuleDefinition {
 return &rules.RuleDefinition{
 ID: o.ruleID,
 Expression: `exec.file.path != "" && process.parent.pid == 0 && process.ppid == 0`,
- Every: rules.HumanReadableDuration{
+ Every: &rules.HumanReadableDuration{
 Duration: time.Duration(math.MaxInt64),
 },
 Silent: true,
diff --git a/pkg/security/secl/rules/model.go b/pkg/security/secl/rules/model.go
index e150e5251ca84..6cc1cf1d5179a 100644
--- a/pkg/security/secl/rules/model.go
+++ b/pkg/security/secl/rules/model.go
@@ -63,21 +63,21 @@ type RuleID = string
 // RuleDefinition holds the definition of a rule
 type RuleDefinition struct {
- ID RuleID `yaml:"id,omitempty" json:"id"`
- Version string `yaml:"version,omitempty" json:"version,omitempty"`
- Expression string `yaml:"expression" json:"expression,omitempty"`
- Description string `yaml:"description,omitempty" json:"description,omitempty"`
- Tags map[string]string `yaml:"tags,omitempty" json:"tags,omitempty"`
- AgentVersionConstraint string `yaml:"agent_version,omitempty" json:"agent_version,omitempty"`
- Filters []string `yaml:"filters,omitempty" json:"filters,omitempty"`
- Disabled bool `yaml:"disabled,omitempty" json:"disabled,omitempty"`
- Combine CombinePolicy `yaml:"combine,omitempty" json:"combine,omitempty" jsonschema:"enum=override"`
- OverrideOptions OverrideOptions `yaml:"override_options,omitempty" json:"override_options,omitempty"`
- Actions []*ActionDefinition `yaml:"actions,omitempty" json:"actions,omitempty"`
- Every HumanReadableDuration `yaml:"every,omitempty" json:"every,omitempty"`
- RateLimiterToken []string `yaml:"limiter_token,omitempty" json:"limiter_token,omitempty"`
- Silent bool `yaml:"silent,omitempty" json:"silent,omitempty"`
- GroupID string `yaml:"group_id,omitempty" json:"group_id,omitempty"`
+ ID RuleID `yaml:"id,omitempty" json:"id"`
+ Version string `yaml:"version,omitempty" json:"version,omitempty"`
+ Expression string `yaml:"expression" json:"expression,omitempty"`
+ Description string `yaml:"description,omitempty" json:"description,omitempty"`
+ Tags map[string]string `yaml:"tags,omitempty" json:"tags,omitempty"`
+ AgentVersionConstraint string `yaml:"agent_version,omitempty" json:"agent_version,omitempty"`
+ Filters []string `yaml:"filters,omitempty" json:"filters,omitempty"`
+ Disabled bool `yaml:"disabled,omitempty" json:"disabled,omitempty"`
+ Combine CombinePolicy `yaml:"combine,omitempty" json:"combine,omitempty" jsonschema:"enum=override"`
+ OverrideOptions OverrideOptions `yaml:"override_options,omitempty" json:"override_options,omitempty"`
+ Actions []*ActionDefinition `yaml:"actions,omitempty" json:"actions,omitempty"`
+ Every *HumanReadableDuration `yaml:"every,omitempty" json:"every,omitempty"`
+ RateLimiterToken []string `yaml:"limiter_token,omitempty" json:"limiter_token,omitempty"`
+ Silent bool `yaml:"silent,omitempty" json:"silent,omitempty"`
+ GroupID string `yaml:"group_id,omitempty" json:"group_id,omitempty"`
 }
 // GetTag returns the tag value associated with a tag key
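Review bot: Turning `Every` into a `*HumanReadableDuration` keeps every existing `def.Every.Duration` read compiling, because Go auto-dereferences the pointer, but a rule whose policy omits `every` (the tag is `omitempty`) now carries nil there and such a read panics at runtime instead of seeing a zero duration as before. This patch adds a nil guard only for `Set.TTL` in ruleset.go; the readers of `Every` and of `KillDisarmerParamsDefinition.Period` (next hunk) are not in the diff, so their nil handling could not be checked here and should be confirmed before merging, since a minimal policy file would otherwise crash rule loading or evaluation. A small accessor preserves the old zero-value semantics for callers: `func (rd *RuleDefinition) EveryDuration() time.Duration { if rd.Every == nil { return 0 }; return rd.Every.Duration }`. The field itself deserves a line stating the contract, e.g. `// Every is nil when the policy does not set it; callers must nil-check before reading Duration.`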
@@ -133,19 +133,19 @@ type Scope string
 // SetDefinition describes the 'set' section of a rule action
 type SetDefinition struct {
- Name string `yaml:"name" json:"name"`
- Value interface{} `yaml:"value" json:"value,omitempty" jsonschema:"oneof_required=SetWithValue,oneof_type=string;integer;boolean;array"`
- Field string `yaml:"field" json:"field,omitempty" jsonschema:"oneof_required=SetWithField"`
- Append bool `yaml:"append" json:"append,omitempty"`
- Scope Scope `yaml:"scope" json:"scope,omitempty" jsonschema:"enum=process,enum=container"`
- Size int `yaml:"size" json:"size,omitempty"`
- TTL HumanReadableDuration `yaml:"ttl" json:"ttl,omitempty"`
+ Name string `yaml:"name" json:"name"`
+ Value interface{} `yaml:"value" json:"value,omitempty" jsonschema:"oneof_required=SetWithValue,oneof_type=string;integer;boolean;array"`
+ Field string `yaml:"field" json:"field,omitempty" jsonschema:"oneof_required=SetWithField"`
+ Append bool `yaml:"append" json:"append,omitempty"`
+ Scope Scope `yaml:"scope" json:"scope,omitempty" jsonschema:"enum=process,enum=container"`
+ Size int `yaml:"size" json:"size,omitempty"`
+ TTL *HumanReadableDuration `yaml:"ttl" json:"ttl,omitempty"`
 }
 // KillDisarmerParamsDefinition describes the parameters of a kill action disarmer
 type KillDisarmerParamsDefinition struct {
- MaxAllowed int `yaml:"max_allowed" json:"max_allowed,omitempty" jsonschema:"description=The maximum number of allowed kill actions within the period,example=5"`
- Period HumanReadableDuration `yaml:"period" json:"period,omitempty" jsonschema:"description=The period of time during which the maximum number of allowed kill actions is calculated,example=1m"`
+ MaxAllowed int `yaml:"max_allowed" json:"max_allowed,omitempty" jsonschema:"description=The maximum number of allowed kill actions within the period,example=5"`
+ Period *HumanReadableDuration `yaml:"period" json:"period,omitempty" jsonschema:"description=The period of time during which the maximum number of allowed kill actions is calculated,example=1m"`
 }
 // KillDisarmerDefinition describes the 'disarmer' section of a kill action
@@ -200,7 +200,7 @@ type HumanReadableDuration struct {
 }
 // MarshalYAML marshals a duration to a human readable format
-func (d HumanReadableDuration) MarshalYAML() (interface{}, error) {
+func (d *HumanReadableDuration) MarshalYAML() (interface{}, error) {
 return d.String(), nil
 }
diff --git a/pkg/security/secl/rules/policy_test.go b/pkg/security/secl/rules/policy_test.go
index e9c3cfefd203d..e6252c10593f1 100644
--- a/pkg/security/secl/rules/policy_test.go
+++ b/pkg/security/secl/rules/policy_test.go
@@ -340,7 +340,7 @@ func TestActionSetVariableTTL(t *testing.T) {
 Name: "var1",
 Append: true,
 Value: []string{"foo"},
- TTL: HumanReadableDuration{
+ TTL: &HumanReadableDuration{
 Duration: 1 * time.Second,
 },
 },
diff --git a/pkg/security/secl/rules/ruleset.go b/pkg/security/secl/rules/ruleset.go
index 297de1fd557d5..24b99ecf123c0 100644
--- a/pkg/security/secl/rules/ruleset.go
+++ b/pkg/security/secl/rules/ruleset.go
@@ -241,7 +241,10 @@ func (rs *RuleSet) PopulateFieldsWithRuleActionsData(policyRules []*PolicyRule,
 variableProvider = &rs.globalVariables
 }
- opts := eval.VariableOpts{TTL: actionDef.Set.TTL.Duration, Size: actionDef.Set.Size}
+ opts := eval.VariableOpts{Size: actionDef.Set.Size}
+ if actionDef.Set.TTL != nil {
+ opts.TTL = actionDef.Set.TTL.Duration
+ }
 variable, err := variableProvider.GetVariable(actionDef.Set.Name, variableValue, opts)
 if err != nil {
diff --git a/pkg/security/tests/action_test.go b/pkg/security/tests/action_test.go
index e759d1a94d824..c1a47869f1ef7 100644
--- a/pkg/security/tests/action_test.go
+++ b/pkg/security/tests/action_test.go
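Review bot: `MarshalYAML` now has a pointer receiver but no nil guard, so a nil `*HumanReadableDuration` reaching it panics inside `d.String()` if `String` reads `d.Duration` (its receiver is outside the hunk and could not be checked). The fields changed in this patch all carry `omitempty`, and yaml encoders normally skip a nil pointer for such fields, so this is only reachable through a field without `omitempty` or a direct call; a one-line guard makes the method safe regardless: `if d == nil { return nil, nil }`. Any `MarshalJSON`/`UnmarshalYAML` on the type are also outside the hunk, so whether their receivers now agree with this one is not visible here.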
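Review bot: The commit title says the pointer change is what makes unmarshalling work, but the only test touched here adjusts a Go struct literal in `TestActionSetVariableTTL`; no hunk adds a test that decodes a policy containing `every`, `ttl` or `period` from YAML text and checks the resulting `Duration`. Such a test may exist elsewhere in the package, but if it does not, a small round-trip test on a YAML snippet with each of the three keys is the regression guard this fix needs, and it would also cover the omitted-key case where the pointer must come back nil.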
@@ -619,13 +619,13 @@ func TestActionKillDisarmFromRule(t *testing.T) {
 Disarmer: &rules.KillDisarmerDefinition{
 Executable: &rules.KillDisarmerParamsDefinition{
 MaxAllowed: 1,
- Period: rules.HumanReadableDuration{
+ Period: &rules.HumanReadableDuration{
 Duration: enforcementDisarmerExecutablePeriod,
 },
 },
 Container: &rules.KillDisarmerParamsDefinition{
 MaxAllowed: 1,
- Period: rules.HumanReadableDuration{
+ Period: &rules.HumanReadableDuration{
 Duration: enforcementDisarmerContainerPeriod,
 },
 },
@@ -644,13 +644,13 @@ func TestActionKillDisarmFromRule(t *testing.T) {
 Disarmer: &rules.KillDisarmerDefinition{
 Executable: &rules.KillDisarmerParamsDefinition{
 MaxAllowed: 1,
- Period: rules.HumanReadableDuration{
+ Period: &rules.HumanReadableDuration{
 Duration: enforcementDisarmerExecutablePeriod,
 },
 },
 Container: &rules.KillDisarmerParamsDefinition{
 MaxAllowed: 1,
- Period: rules.HumanReadableDuration{
+ Period: &rules.HumanReadableDuration{
 Duration: enforcementDisarmerContainerPeriod,
 },
 },
diff --git a/pkg/security/tests/event_test.go b/pkg/security/tests/event_test.go
index e28217fece6ce..7a52b7eef269c 100644
--- a/pkg/security/tests/event_test.go
+++ b/pkg/security/tests/event_test.go
@@ -106,7 +106,7 @@ func TestEventRaleLimiters(t *testing.T) {
 {
 ID: "test_unique_id",
 Expression: `open.file.path == "{{.Root}}/test-unique-id"`,
- Every: rules.HumanReadableDuration{
+ Every: &rules.HumanReadableDuration{
 Duration: 5 * time.Second,
 },
 RateLimiterToken: []string{"process.file.name"},
@@ -114,7 +114,7 @@ func TestEventRaleLimiters(t *testing.T) {
 {
 ID: "test_std",
 Expression: `open.file.path == "{{.Root}}/test-std"`,
- Every: rules.HumanReadableDuration{
+ Every: &rules.HumanReadableDuration{
 Duration: 5 * time.Second,
 },
 },