[CWS] Add the protocol field to BindNode (DataDog#31428)
mftoure authored Nov 26, 2024
1 parent d03c3af commit e75539a
Showing 8 changed files with 26 additions and 13 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -642,7 +642,7 @@ require (

require (
github.com/DATA-DOG/go-sqlmock v1.5.2
github.com/DataDog/agent-payload/v5 v5.0.135
github.com/DataDog/agent-payload/v5 v5.0.137
github.com/DataDog/datadog-agent/comp/api/api/def v0.56.0-rc.3
github.com/DataDog/datadog-agent/comp/core/config v0.59.0
github.com/DataDog/datadog-agent/comp/core/flare/types v0.59.0
4 changes: 2 additions & 2 deletions go.sum


6 changes: 5 additions & 1 deletion pkg/security/secl/schemas/activity_dump.schema.json
Expand Up @@ -291,11 +291,15 @@
},
"ip": {
"type": "string"
},
"protocol": {
"type": "integer"
}
},
"required": [
"port",
"ip"
"ip",
"protocol"
]
}
}
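Review bot: The new `protocol` property is typed only as `integer`, so a dump carrying a negative or very large value still validates, while the Go side narrows it to `Protocol uint16` in BindNode and the snapshot path only ever stores IPPROTO_* constants. Add bounds so a malformed dump is rejected at validation instead of being silently narrowed when loaded: `"protocol": { "type": "integer", "minimum": 0, "maximum": 65535 }`. IP protocol numbers are 8-bit, so `"maximum": 255` would be tighter if the field is only ever an IPPROTO_* value — confirm against what the kernel-originated bind event puts in `evt.Protocol`, which is not visible in this commit.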
6 changes: 5 additions & 1 deletion pkg/security/secl/schemas/activity_dump_proto.schema.json
Expand Up @@ -275,11 +275,15 @@
},
"ip": {
"type": "string"
},
"protocol": {
"type": "integer"
}
},
"required": [
"port",
"ip"
"ip",
"protocol"
]
}
}
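Review bot: Adding `"protocol"` to the `required` list makes any serialized dump produced before this change (no protocol key) fail validation against this schema; that is fine if the schema only checks freshly generated dumps in tests, but if it is applied to dumps loaded from disk or emitted by older agents the key needs to stay optional or the schema version needs a bump. The proto path in this same commit is more lenient: a message without the field presumably decodes with `Protocol` equal to 0 (proto3 scalar default) and would then validate as protocol 0 rather than be rejected, so strict here and lenient there is inconsistent. A `"$comment"` on the property stating which behavior is intended, e.g. `"$comment": "required since protocol was added to BindNode; older dumps without it are not accepted"`, would make the choice explicit.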
Expand Up @@ -331,6 +331,7 @@ func protoDecodeProtoSocket(sn *adproto.SocketNode) *SocketNode {
MatchedRules: make([]*model.MatchedRule, 0, len(bindNode.MatchedRules)),
Port: uint16(bindNode.Port),
IP: bindNode.Ip,
Protocol: uint16(bindNode.Protocol),
ImageTags: bindNode.ImageTags,
}

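Review bot: `Protocol: uint16(bindNode.Protocol)` narrows a uint32 read from the serialized message without a range check, so a hand-edited or corrupted dump with a value above 65535 silently wraps to a different protocol number instead of being rejected; the same pattern already exists for `Port` on the line above, so it is consistent, but worth a guard if dumps loaded from disk are treated as untrusted input. At minimum document the assumption on the new line: `Protocol: uint16(bindNode.Protocol), // proto field is uint32; IPPROTO_* values fit in 8 bits, larger values are truncated`, or reject the entry when `bindNode.Protocol > math.MaxUint16` before building the node. protoDecodeProtoSocket begins before this hunk and continues after it, so where a rejected entry would be skipped or surfaced is not visible here.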
Expand Up @@ -303,6 +303,7 @@ func socketNodeToProto(sn *SocketNode) *adproto.SocketNode {
MatchedRules: make([]*adproto.MatchedRule, 0, len(bn.MatchedRules)),
Port: uint32(bn.Port),
Ip: bn.IP,
Protocol: uint32(bn.Protocol),
ImageTags: bn.ImageTags,
}

Expand Up @@ -287,39 +287,40 @@ func (pn *ProcessNode) snapshotBoundSockets(p *process.Process, stats *Stats, ne
for _, s := range sockets {
for _, sock := range TCP {
if sock.Inode == s {
pn.insertSnapshottedSocket(unix.AF_INET, sock.LocalAddr, uint16(sock.LocalPort), stats, newEvent)
pn.insertSnapshottedSocket(unix.AF_INET, sock.LocalAddr, unix.IPPROTO_TCP, uint16(sock.LocalPort), stats, newEvent)
break
}
}
for _, sock := range UDP {
if sock.Inode == s {
pn.insertSnapshottedSocket(unix.AF_INET, sock.LocalAddr, uint16(sock.LocalPort), stats, newEvent)
pn.insertSnapshottedSocket(unix.AF_INET, sock.LocalAddr, unix.IPPROTO_UDP, uint16(sock.LocalPort), stats, newEvent)
break
}
}
for _, sock := range TCP6 {
if sock.Inode == s {
pn.insertSnapshottedSocket(unix.AF_INET6, sock.LocalAddr, uint16(sock.LocalPort), stats, newEvent)
pn.insertSnapshottedSocket(unix.AF_INET6, sock.LocalAddr, unix.IPPROTO_TCP, uint16(sock.LocalPort), stats, newEvent)
break
}
}
for _, sock := range UDP6 {
if sock.Inode == s {
pn.insertSnapshottedSocket(unix.AF_INET6, sock.LocalAddr, uint16(sock.LocalPort), stats, newEvent)
pn.insertSnapshottedSocket(unix.AF_INET6, sock.LocalAddr, unix.IPPROTO_UDP, uint16(sock.LocalPort), stats, newEvent)
break
}
}
// not necessary found here, can be also another kind of socket (AF_UNIX, AF_NETLINK, etc)
}
}

func (pn *ProcessNode) insertSnapshottedSocket(family uint16, ip net.IP, port uint16, stats *Stats, newEvent func() *model.Event) {
func (pn *ProcessNode) insertSnapshottedSocket(family uint16, ip net.IP, protocol uint16, port uint16, stats *Stats, newEvent func() *model.Event) {
evt := newEvent()
evt.Type = uint32(model.BindEventType)

evt.Bind.SyscallEvent.Retval = 0
evt.Bind.AddrFamily = family
evt.Bind.Addr.IPNet.IP = ip
evt.Bind.Protocol = protocol
if family == unix.AF_INET {
evt.Bind.Addr.IPNet.Mask = net.CIDRMask(32, 32)
} else {
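Review bot: The new `protocol uint16` parameter of insertSnapshottedSocket sits directly before `port uint16`, so a call site that swaps the two compiles silently and would record, say, protocol 80 on port 6; the four updated call sites here pass them in the right order, but two adjacent same-typed integers are fragile. Consider giving protocol a distinct named type or moving it to the end of the parameter list, and add a doc comment since the function now has five positional arguments: `// insertSnapshottedSocket records a synthetic bind event (Retval 0) for a socket that was already bound when the process was snapshotted; protocol is the IPPROTO_* value matching the /proc table the socket was found in, port is the local port.` The four near-identical loops over TCP/UDP/TCP6/UDP6 could also be folded into a single loop over a small table of (entries, family, protocol) triples so the family/protocol pairing is visible in one place rather than four. snapshotBoundSockets starts before this hunk and insertSnapshottedSocket continues after it.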
8 changes: 5 additions & 3 deletions pkg/security/security_profile/activity_tree/socket_node.go
Expand Up @@ -21,6 +21,7 @@ type BindNode struct {
GenerationType NodeGenerationType
Port uint16
IP string
Protocol uint16
}

// SocketNode is used to store a Socket node and associated events
Expand All @@ -32,10 +33,10 @@ type SocketNode struct {

// Matches returns true if BindNodes matches
func (bn *BindNode) Matches(toMatch *BindNode) bool {
return bn.Port == toMatch.Port && bn.IP == toMatch.IP
return bn.Port == toMatch.Port && bn.IP == toMatch.IP && bn.Protocol == toMatch.Protocol
}

// Matches returns true if BindNodes matches
// Matches returns true if SocketNodes matches
func (sn *SocketNode) Matches(toMatch *SocketNode) bool {
return sn.Family == toMatch.Family
}
Expand Down Expand Up @@ -81,7 +82,7 @@ func (sn *SocketNode) InsertBindEvent(evt *model.BindEvent, imageTag string, gen
evtIP := evt.Addr.IPNet.IP.String()

for _, n := range sn.Bind {
if evt.Addr.Port == n.Port && evtIP == n.IP {
if evt.Addr.Port == n.Port && evtIP == n.IP && evt.Protocol == n.Protocol {
if !dryRun {
n.MatchedRules = model.AppendMatchedRule(n.MatchedRules, rules)
}
Expand All @@ -100,6 +101,7 @@ func (sn *SocketNode) InsertBindEvent(evt *model.BindEvent, imageTag string, gen
GenerationType: generationType,
Port: evt.Addr.Port,
IP: evtIP,
Protocol: evt.Protocol,
}
if imageTag != "" {
node.ImageTags = []string{imageTag}
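Review bot: InsertBindEvent now repeats the full match predicate inline (`evt.Addr.Port == n.Port && evtIP == n.IP && evt.Protocol == n.Protocol`) while `BindNode.Matches` encodes the same triple two hunks earlier; this commit had to update both in lockstep, and the next field added to BindNode needs the same care or the two notions of "same bind" drift apart. If `sn.Bind` holds `*BindNode` (the in-place `n.MatchedRules` update suggests it does), the loop can reuse the method: `if n.Matches(&BindNode{Port: evt.Addr.Port, IP: evtIP, Protocol: evt.Protocol}) {`. The new `Protocol uint16` field in the struct would also benefit from a line comment, e.g. `// Protocol is the IP protocol of the bound socket (IPPROTO_* value)` — presumably, since the snapshot path feeds it IPPROTO_TCP/UDP; confirm what the kernel-originated bind event sets before committing to that wording. InsertBindEvent continues past the last hunk.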
