
[CWS] Use containerutils.ContainerID in user and group resolver (Data…
lebauce authored Nov 28, 2024
1 parent 57b1ae5 commit b5f2511
Showing 5 changed files with 34 additions and 32 deletions.
20 changes: 10 additions & 10 deletions pkg/security/probe/field_handlers_ebpf.go
Expand Up @@ -234,15 +234,15 @@ func (fh *EBPFFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields)
// ResolveChownUID resolves the ResolveProcessCacheEntry id of a chown event to a username
func (fh *EBPFFieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) string {
if len(e.User) == 0 {
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), string(ev.ContainerContext.ContainerID))
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), ev.ContainerContext.ContainerID)
}
return e.User
}

// ResolveChownGID resolves the group id of a chown event to a group name
func (fh *EBPFFieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) string {
if len(e.Group) == 0 {
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveGroup(int(e.GID), string(ev.ContainerContext.ContainerID))
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveGroup(int(e.GID), ev.ContainerContext.ContainerID)
}
return e.Group
}
Expand Down Expand Up @@ -313,47 +313,47 @@ func (fh *EBPFFieldHandlers) ResolveProcessIsThread(_ *model.Event, process *mod
// ResolveSetuidUser resolves the user of the Setuid event
func (fh *EBPFFieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent) string {
if len(e.User) == 0 {
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), string(ev.ContainerContext.ContainerID))
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), ev.ContainerContext.ContainerID)
}
return e.User
}

// ResolveSetuidEUser resolves the effective user of the Setuid event
func (fh *EBPFFieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEvent) string {
if len(e.EUser) == 0 {
e.EUser, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.EUID), string(ev.ContainerContext.ContainerID))
e.EUser, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.EUID), ev.ContainerContext.ContainerID)
}
return e.EUser
}

// ResolveSetuidFSUser resolves the file-system user of the Setuid event
func (fh *EBPFFieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEvent) string {
if len(e.FSUser) == 0 {
e.FSUser, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.FSUID), string(ev.ContainerContext.ContainerID))
e.FSUser, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.FSUID), ev.ContainerContext.ContainerID)
}
return e.FSUser
}

// ResolveSetgidGroup resolves the group of the Setgid event
func (fh *EBPFFieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEvent) string {
if len(e.Group) == 0 {
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.GID), string(ev.ContainerContext.ContainerID))
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.GID), ev.ContainerContext.ContainerID)
}
return e.Group
}

// ResolveSetgidEGroup resolves the effective group of the Setgid event
func (fh *EBPFFieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEvent) string {
if len(e.EGroup) == 0 {
e.EGroup, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.EGID), string(ev.ContainerContext.ContainerID))
e.EGroup, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.EGID), ev.ContainerContext.ContainerID)
}
return e.EGroup
}

// ResolveSetgidFSGroup resolves the file-system group of the Setgid event
func (fh *EBPFFieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEvent) string {
if len(e.FSGroup) == 0 {
e.FSGroup, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.FSGID), string(ev.ContainerContext.ContainerID))
e.FSGroup, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.FSGID), ev.ContainerContext.ContainerID)
}
return e.FSGroup
}
Expand Down Expand Up @@ -383,7 +383,7 @@ func (fh *EBPFFieldHandlers) GetProcessCacheEntry(ev *model.Event, newEntryCb fu
// ResolveFileFieldsGroup resolves the group id of the file to a group name
func (fh *EBPFFieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFields) string {
if len(e.Group) == 0 {
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveGroup(int(e.GID), string(ev.ContainerContext.ContainerID))
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveGroup(int(e.GID), ev.ContainerContext.ContainerID)
}
return e.Group
}
Expand All @@ -403,7 +403,7 @@ func (fh *EBPFFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, device *
// ResolveFileFieldsUser resolves the user id of the file to a username
func (fh *EBPFFieldHandlers) ResolveFileFieldsUser(ev *model.Event, e *model.FileFields) string {
if len(e.User) == 0 {
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), string(ev.ContainerContext.ContainerID))
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), ev.ContainerContext.ContainerID)
}
return e.User
}
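Review bot: The new lines in ResolveSetgidGroup, ResolveSetgidEGroup and ResolveSetgidFSGroup still resolve a group id through `ResolveUser`, so the reported group name is whatever passwd entry happens to share that numeric id, whereas ResolveChownGID and ResolveFileFieldsGroup in the same file go through `ResolveGroup`. Any rule or detection that matches on the Setgid group name would therefore compare against the wrong name; the three calls should read `e.Group, _ = fh.resolvers.UserGroupResolver.ResolveGroup(int(e.GID), ev.ContainerContext.ContainerID)` with the same substitution for the `EGID` and `FSGID` variants. The commit only changes the type of the container-id argument and leaves this mismatch in place.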
4 changes: 2 additions & 2 deletions pkg/security/probe/probe_ebpf.go
Expand Up @@ -1632,7 +1632,7 @@ func (p *EBPFProbe) FlushDiscarders() error {
}

// RefreshUserCache refreshes the user cache
func (p *EBPFProbe) RefreshUserCache(containerID string) error {
func (p *EBPFProbe) RefreshUserCache(containerID containerutils.ContainerID) error {
return p.Resolvers.UserGroupResolver.RefreshCache(containerID)
}

Expand Down Expand Up @@ -2508,7 +2508,7 @@ func (p *EBPFProbe) HandleActions(ctx *eval.Context, rule *rules.Rule) {

switch {
case action.InternalCallback != nil && rule.ID == bundled.RefreshUserCacheRuleID:
_ = p.RefreshUserCache(string(ev.ContainerContext.ContainerID))
_ = p.RefreshUserCache(ev.ContainerContext.ContainerID)

case action.InternalCallback != nil && rule.ID == bundled.RefreshSBOMRuleID && p.Resolvers.SBOMResolver != nil && len(ev.ContainerContext.ContainerID) > 0:
if err := p.Resolvers.SBOMResolver.RefreshSBOM(string(ev.ContainerContext.ContainerID)); err != nil {
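Review bot: The result of `p.RefreshUserCache(ev.ContainerContext.ContainerID)` is still discarded with `_ =`, while the RefreshSBOM branch two lines below checks its error, so a refresh that fails (for example when the resolver cannot map the container to a filesystem) leaves stale user and group names with nothing in the logs. Consider `if err := p.RefreshUserCache(ev.ContainerContext.ContainerID); err != nil { seclog.Debugf("refreshing user cache for container %q: %v", ev.ContainerContext.ContainerID, err) }`, assuming this file already imports the seclog package used elsewhere in pkg/security. HandleActions continues outside the hunk, so I cannot see whether a later branch handles this.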
3 changes: 2 additions & 1 deletion pkg/security/probe/probe_others.go
Expand Up @@ -14,6 +14,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/security/events"
"github.com/DataDog/datadog-agent/pkg/security/probe/kfilters"
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/containerutils"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
)
Expand Down Expand Up @@ -97,7 +98,7 @@ func (p *Probe) FlushDiscarders() error {
}

// RefreshUserCache refreshes the user cache
func (p *Probe) RefreshUserCache(_ string) error {
func (p *Probe) RefreshUserCache(_ containerutils.ContainerID) error {
return nil
}

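Review bot: The doc comment `// RefreshUserCache refreshes the user cache` is misleading for this build, since the body is `return nil` and nothing is refreshed; this file appears to be the non-eBPF fallback, so the comment should say so, for example `// RefreshUserCache is a no-op in this build: there is no user/group resolver to refresh, and it always returns nil.` Keeping the stub's contract explicit matters because callers such as HandleActions ignore the returned error and would otherwise assume the cache was updated.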
12 changes: 6 additions & 6 deletions pkg/security/resolvers/process/resolver_ebpf.go
Expand Up @@ -1039,13 +1039,13 @@ func (p *EBPFResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string {

// SetProcessUsersGroups resolves and set users and groups
func (p *EBPFResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry) {
pce.User, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.UID), string(pce.ContainerID))
pce.EUser, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.EUID), string(pce.ContainerID))
pce.FSUser, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.FSUID), string(pce.ContainerID))
pce.User, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.UID), pce.ContainerID)
pce.EUser, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.EUID), pce.ContainerID)
pce.FSUser, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.FSUID), pce.ContainerID)

pce.Group, _ = p.userGroupResolver.ResolveGroup(int(pce.Credentials.GID), string(pce.ContainerID))
pce.EGroup, _ = p.userGroupResolver.ResolveGroup(int(pce.Credentials.EGID), string(pce.ContainerID))
pce.FSGroup, _ = p.userGroupResolver.ResolveGroup(int(pce.Credentials.FSGID), string(pce.ContainerID))
pce.Group, _ = p.userGroupResolver.ResolveGroup(int(pce.Credentials.GID), pce.ContainerID)
pce.EGroup, _ = p.userGroupResolver.ResolveGroup(int(pce.Credentials.EGID), pce.ContainerID)
pce.FSGroup, _ = p.userGroupResolver.ResolveGroup(int(pce.Credentials.FSGID), pce.ContainerID)
}

// Get returns the cache entry for a specified pid
27 changes: 14 additions & 13 deletions pkg/security/resolvers/usergroup/resolver_linux.go
Expand Up @@ -16,6 +16,7 @@ import (
usergrouputils "github.com/DataDog/datadog-agent/pkg/security/common/usergrouputils"
"github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup"
cgroupModel "github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/containerutils"
"github.com/DataDog/datadog-agent/pkg/security/seclog"
"github.com/DataDog/datadog-agent/pkg/security/utils"
"golang.org/x/time/rate"
Expand All @@ -38,8 +39,8 @@ type EntryCache struct {
// Resolver resolves user and group ids to names
type Resolver struct {
cgroupResolver *cgroup.Resolver
nsUserCache *lru.Cache[string, *EntryCache]
nsGroupCache *lru.Cache[string, *EntryCache]
nsUserCache *lru.Cache[containerutils.ContainerID, *EntryCache]
nsGroupCache *lru.Cache[containerutils.ContainerID, *EntryCache]
}

type containerFS struct {
Expand Down Expand Up @@ -75,11 +76,11 @@ func (fs *hostFS) Open(path string) (fs.File, error) {
return os.Open(path)
}

func (r *Resolver) getFilesystem(containerID string) (fs.FS, error) {
func (r *Resolver) getFilesystem(containerID containerutils.ContainerID) (fs.FS, error) {
var fsys fs.FS

if containerID != "" {
cgroupEntry, found := r.cgroupResolver.GetWorkload(containerID)
cgroupEntry, found := r.cgroupResolver.GetWorkload(string(containerID))
if !found {
return nil, fmt.Errorf("failed to resolve container %s", containerID)
}
Expand All @@ -92,7 +93,7 @@ func (r *Resolver) getFilesystem(containerID string) (fs.FS, error) {
}

// RefreshCache refresh the user and group caches with data from files
func (r *Resolver) RefreshCache(containerID string) error {
func (r *Resolver) RefreshCache(containerID containerutils.ContainerID) error {
fsys, err := r.getFilesystem(containerID)
if err != nil {
return err
Expand All @@ -109,7 +110,7 @@ func (r *Resolver) RefreshCache(containerID string) error {
return nil
}

func (r *Resolver) refreshUserCache(containerID string, fsys fs.FS) (map[int]string, error) {
func (r *Resolver) refreshUserCache(containerID containerutils.ContainerID, fsys fs.FS) (map[int]string, error) {
entryCache, found := r.nsUserCache.Get(containerID)
if !found {
// add the entry cache before we parse the fill so that we also
Expand All @@ -131,7 +132,7 @@ func (r *Resolver) refreshUserCache(containerID string, fsys fs.FS) (map[int]str
return entries, nil
}

func (r *Resolver) refreshGroupCache(containerID string, fsys fs.FS) (map[int]string, error) {
func (r *Resolver) refreshGroupCache(containerID containerutils.ContainerID, fsys fs.FS) (map[int]string, error) {
entryCache, found := r.nsGroupCache.Get(containerID)
if !found {
entryCache = &EntryCache{rateLimiter: rate.NewLimiter(rate.Limit(refreshCacheRateLimit), refreshCacheRateBurst)}
Expand All @@ -152,7 +153,7 @@ func (r *Resolver) refreshGroupCache(containerID string, fsys fs.FS) (map[int]st
}

// ResolveUser resolves a user id to a username
func (r *Resolver) ResolveUser(uid int, containerID string) (string, error) {
func (r *Resolver) ResolveUser(uid int, containerID containerutils.ContainerID) (string, error) {
userCache, found := r.nsUserCache.Get(containerID)
if found {
cachedEntry, found := userCache.entries[uid]
Expand Down Expand Up @@ -181,7 +182,7 @@ func (r *Resolver) ResolveUser(uid int, containerID string) (string, error) {
}

// ResolveGroup resolves a group id to a group name
func (r *Resolver) ResolveGroup(gid int, containerID string) (string, error) {
func (r *Resolver) ResolveGroup(gid int, containerID containerutils.ContainerID) (string, error) {
groupCache, found := r.nsGroupCache.Get(containerID)
if found {
cachedEntry, found := groupCache.entries[gid]
Expand Down Expand Up @@ -211,18 +212,18 @@ func (r *Resolver) ResolveGroup(gid int, containerID string) (string, error) {

// OnCGroupDeletedEvent is used to handle a CGroupDeleted event
func (r *Resolver) OnCGroupDeletedEvent(sbom *cgroupModel.CacheEntry) {
r.nsGroupCache.Remove(string(sbom.CGroupID))
r.nsUserCache.Remove(string(sbom.CGroupID))
r.nsGroupCache.Remove(sbom.ContainerID)
r.nsUserCache.Remove(sbom.ContainerID)
}

// NewResolver instantiates a new user and group resolver
func NewResolver(cgroupResolver *cgroup.Resolver) (*Resolver, error) {
nsUserCache, err := lru.New[string, *EntryCache](64)
nsUserCache, err := lru.New[containerutils.ContainerID, *EntryCache](64)
if err != nil {
return nil, err
}

nsGroupCache, err := lru.New[string, *EntryCache](64)
nsGroupCache, err := lru.New[containerutils.ContainerID, *EntryCache](64)
if err != nil {
return nil, err
}
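Review bot: OnCGroupDeletedEvent now evicts by `sbom.ContainerID` instead of `string(sbom.CGroupID)`, which matches the key refreshUserCache and refreshGroupCache populate, but the same caches also hold the host entry under the empty container id (getFilesystem treats `""` as the host filesystem). If a cgroup-deleted event can carry an empty ContainerID, say for a non-container cgroup, `Remove("")` would drop the host entry together with its rate limiter, and the next lookup would presumably re-parse the host passwd and group files; a guard such as `if sbom.ContainerID == "" { return }` at the top of the function avoids that, though I cannot see from this page whether the cgroup resolver ever emits such entries, so please confirm. The parameter name `sbom` for a `*cgroupModel.CacheEntry` is also misleading and would read better as `entry`.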
