diff --git a/go.mod b/go.mod index 6b3b497855d60..c4d8fc7351599 100644 --- a/go.mod +++ b/go.mod @@ -642,7 +642,7 @@ require ( require ( github.com/DATA-DOG/go-sqlmock v1.5.2 - github.com/DataDog/agent-payload/v5 v5.0.135 + github.com/DataDog/agent-payload/v5 v5.0.137 github.com/DataDog/datadog-agent/comp/api/api/def v0.56.0-rc.3 github.com/DataDog/datadog-agent/comp/core/config v0.59.0 github.com/DataDog/datadog-agent/comp/core/flare/types v0.59.0 diff --git a/go.sum b/go.sum index f09de46eaf02d..d2c1ce25b4480 100644 --- a/go.sum +++ b/go.sum @@ -115,8 +115,8 @@ github.com/CycloneDX/cyclonedx-go v0.9.1 h1:yffaWOZsv77oTJa/SdVZYdgAgFioCeycBUKk github.com/CycloneDX/cyclonedx-go v0.9.1/go.mod h1:NE/EWvzELOFlG6+ljX/QeMlVt9VKcTwu8u0ccsACEsw= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= -github.com/DataDog/agent-payload/v5 v5.0.135 h1:EZXSnOILBD/q4xWKtaOsDsIVWPteY1G79It8a5x8jJw= -github.com/DataDog/agent-payload/v5 v5.0.135/go.mod h1:lxh9lb5xYrBXjblpIWYUi4deJqVbkIfkjwesi5nskDc= +github.com/DataDog/agent-payload/v5 v5.0.137 h1:nV02RrYj6AwlQBGIEv6yG23CuxGtG0YWoFZAVE6vwxY= +github.com/DataDog/agent-payload/v5 v5.0.137/go.mod h1:lxh9lb5xYrBXjblpIWYUi4deJqVbkIfkjwesi5nskDc= github.com/DataDog/appsec-internal-go v1.9.0 h1:cGOneFsg0JTRzWl5U2+og5dbtyW3N8XaYwc5nXe39Vw= github.com/DataDog/appsec-internal-go v1.9.0/go.mod h1:wW0cRfWBo4C044jHGwYiyh5moQV2x0AhnwqMuiX7O/g= github.com/DataDog/aptly v1.5.3 h1:oLsRvjuXSVM4ia0N83dU3KiQeiJ6BaszYbTZOkSfDlw= diff --git a/pkg/security/secl/schemas/activity_dump.schema.json b/pkg/security/secl/schemas/activity_dump.schema.json index e41eacabd6fbe..a4196f2db7c37 100644 --- a/pkg/security/secl/schemas/activity_dump.schema.json +++ b/pkg/security/secl/schemas/activity_dump.schema.json 
@@ -291,11 +291,15 @@
 },
 "ip": {
 "type": "string"
+ },
+ "protocol": {
+ "type": "integer"
 }
 },
 "required": [
 "port",
- "ip"
+ "ip",
+ "protocol"
 ]
 }
 }
diff --git a/pkg/security/secl/schemas/activity_dump_proto.schema.json b/pkg/security/secl/schemas/activity_dump_proto.schema.json
index ebcd5311bdf33..01c52431d8131 100644
--- a/pkg/security/secl/schemas/activity_dump_proto.schema.json
+++ b/pkg/security/secl/schemas/activity_dump_proto.schema.json
@@ -275,11 +275,15 @@
 },
 "ip": {
 "type": "string"
+ },
+ "protocol": {
+ "type": "integer"
 }
 },
 "required": [
 "port",
- "ip"
+ "ip",
+ "protocol"
 ]
 }
 }
diff --git a/pkg/security/security_profile/activity_tree/activity_tree_proto_dec_v1.go b/pkg/security/security_profile/activity_tree/activity_tree_proto_dec_v1.go
index 09ad5a25a4c9a..efa5b301b31fc 100644
--- a/pkg/security/security_profile/activity_tree/activity_tree_proto_dec_v1.go
+++ b/pkg/security/security_profile/activity_tree/activity_tree_proto_dec_v1.go
@@ -331,6 +331,7 @@ func protoDecodeProtoSocket(sn *adproto.SocketNode) *SocketNode {
 MatchedRules: make([]*model.MatchedRule, 0, len(bindNode.MatchedRules)),
 Port: uint16(bindNode.Port),
 IP: bindNode.Ip,
+ Protocol: uint16(bindNode.Protocol),
 ImageTags: bindNode.ImageTags,
 }
 
diff --git a/pkg/security/security_profile/activity_tree/activity_tree_proto_enc_v1.go b/pkg/security/security_profile/activity_tree/activity_tree_proto_enc_v1.go
index 30b0b46e29382..3897b5a160fe9 100644
--- a/pkg/security/security_profile/activity_tree/activity_tree_proto_enc_v1.go
+++ b/pkg/security/security_profile/activity_tree/activity_tree_proto_enc_v1.go
@@ -303,6 +303,7 @@ func socketNodeToProto(sn *SocketNode) *adproto.SocketNode {
 MatchedRules: make([]*adproto.MatchedRule, 0, len(bn.MatchedRules)),
 Port: uint32(bn.Port),
 Ip: bn.IP,
+ Protocol: uint32(bn.Protocol),
 ImageTags: bn.ImageTags,
 }
 
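Review bot: Listing `protocol` under `required` makes any dump written before this field existed, which presumably has no `protocol` key on its bind nodes, fail validation against this schema; the same change is made in activity_dump_proto.schema.json. If older dumps must remain loadable, keep the property optional and let the decoder default it, otherwise the dump format version should move together with the schema. The property is also declared as a bare `integer` while the Go side holds it in a `uint16` fed with `IPPROTO_TCP`/`IPPROTO_UDP`, so adding `"minimum": 0, "maximum": 255` (or 65535 to match the field width) would let the schema reject malformed values up front.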
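Review bot: A profile serialized before this field existed presumably decodes here with `Protocol` at its proto default of 0, and with the new comparisons in `BindNode.Matches` and `SocketNode.InsertBindEvent` (socket_node.go) such a node only matches a live bind whose `Protocol` is also 0, whereas `snapshotBoundSockets` now supplies `IPPROTO_TCP`/`IPPROTO_UDP`. Unless old profiles are discarded on upgrade, every previously learned bind would be re-inserted as a fresh node by `InsertBindEvent`, which for a security profile likely shows up as anomaly noise right after deployment. Either treat a stored 0 as unknown at the comparison sites, e.g. `protoMatch := n.Protocol == 0 || evt.Protocol == n.Protocol`, or bump the profile format version so that old profiles are regenerated. Separately, `uint16(bindNode.Protocol)` narrows a uint32 read from storage without a range check, mirroring the existing `Port` conversion; a guard like `if bindNode.Protocol > math.MaxUint16 { /* skip or reject the node */ }` would reject malformed input instead of wrapping it. protoDecodeProtoSocket starts before the hunk and continues past it.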
diff --git a/pkg/security/security_profile/activity_tree/process_node_snapshot.go b/pkg/security/security_profile/activity_tree/process_node_snapshot.go
index 7233b9738d078..aea6151f018e2 100644
--- a/pkg/security/security_profile/activity_tree/process_node_snapshot.go
+++ b/pkg/security/security_profile/activity_tree/process_node_snapshot.go
@@ -287,25 +287,25 @@ func (pn *ProcessNode) snapshotBoundSockets(p *process.Process, stats *Stats, ne
 for _, s := range sockets {
 for _, sock := range TCP {
 if sock.Inode == s {
- pn.insertSnapshottedSocket(unix.AF_INET, sock.LocalAddr, uint16(sock.LocalPort), stats, newEvent)
+ pn.insertSnapshottedSocket(unix.AF_INET, sock.LocalAddr, unix.IPPROTO_TCP, uint16(sock.LocalPort), stats, newEvent)
 break
 }
 }
 for _, sock := range UDP {
 if sock.Inode == s {
- pn.insertSnapshottedSocket(unix.AF_INET, sock.LocalAddr, uint16(sock.LocalPort), stats, newEvent)
+ pn.insertSnapshottedSocket(unix.AF_INET, sock.LocalAddr, unix.IPPROTO_UDP, uint16(sock.LocalPort), stats, newEvent)
 break
 }
 }
 for _, sock := range TCP6 {
 if sock.Inode == s {
- pn.insertSnapshottedSocket(unix.AF_INET6, sock.LocalAddr, uint16(sock.LocalPort), stats, newEvent)
+ pn.insertSnapshottedSocket(unix.AF_INET6, sock.LocalAddr, unix.IPPROTO_TCP, uint16(sock.LocalPort), stats, newEvent)
 break
 }
 }
 for _, sock := range UDP6 {
 if sock.Inode == s {
- pn.insertSnapshottedSocket(unix.AF_INET6, sock.LocalAddr, uint16(sock.LocalPort), stats, newEvent)
+ pn.insertSnapshottedSocket(unix.AF_INET6, sock.LocalAddr, unix.IPPROTO_UDP, uint16(sock.LocalPort), stats, newEvent)
 break
 }
 }
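Review bot: The protocol passed here is decided by which of the four socket lists the inode was found in, so an entry from `TCP`/`TCP6` is tagged `IPPROTO_TCP` and one from `UDP`/`UDP6` is tagged `IPPROTO_UDP`, while the `Protocol` of a live bind event is filled elsewhere; if that producer writes anything other than the IPPROTO number (a socket type, or 0 when unset), the snapshotted node and the live node for the same listener never coincide in `InsertBindEvent` and the tree accumulates duplicates, so the value convention is worth confirming against the producer of `BindEvent.Protocol`. The four loops now differ only in the family/protocol pair, and a small table of (socket list, family, protocol) triples iterated in one loop would remove the copy-paste and make the pairing visible at a glance. snapshotBoundSockets starts before the hunk and ends after it.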
@@ -313,13 +313,14 @@ func (pn *ProcessNode) snapshotBoundSockets(p *process.Process, stats *Stats, ne } } -func (pn *ProcessNode) insertSnapshottedSocket(family uint16, ip net.IP, port uint16, stats *Stats, newEvent func() *model.Event) { +func (pn *ProcessNode) insertSnapshottedSocket(family uint16, ip net.IP, protocol uint16, port uint16, stats *Stats, newEvent func() *model.Event) { evt := newEvent() evt.Type = uint32(model.BindEventType) evt.Bind.SyscallEvent.Retval = 0 evt.Bind.AddrFamily = family evt.Bind.Addr.IPNet.IP = ip + evt.Bind.Protocol = protocol if family == unix.AF_INET { evt.Bind.Addr.IPNet.Mask = net.CIDRMask(32, 32) } else { diff --git a/pkg/security/security_profile/activity_tree/socket_node.go b/pkg/security/security_profile/activity_tree/socket_node.go index a2f38607181d2..73e4e0c3c174a 100644 --- a/pkg/security/security_profile/activity_tree/socket_node.go +++ b/pkg/security/security_profile/activity_tree/socket_node.go @@ -21,6 +21,7 @@ type BindNode struct { GenerationType NodeGenerationType Port uint16 IP string + Protocol uint16 } // SocketNode is used to store a Socket node and associated events @@ -32,10 +33,10 @@ type SocketNode struct { // Matches returns true if BindNodes matches func (bn *BindNode) Matches(toMatch *BindNode) bool { - return bn.Port == toMatch.Port && bn.IP == toMatch.IP + return bn.Port == toMatch.Port && bn.IP == toMatch.IP && bn.Protocol == toMatch.Protocol } -// Matches returns true if BindNodes matches +// Matches returns true if SocketNodes matches func (sn *SocketNode) Matches(toMatch *SocketNode) bool { return sn.Family == toMatch.Family } @@ -81,7 +82,7 @@ func (sn *SocketNode) InsertBindEvent(evt *model.BindEvent, imageTag string, gen evtIP := evt.Addr.IPNet.IP.String() for _, n := range sn.Bind { - if evt.Addr.Port == n.Port && evtIP == n.IP { + if evt.Addr.Port == n.Port && evtIP == n.IP && evt.Protocol == n.Protocol { if !dryRun { n.MatchedRules = model.AppendMatchedRule(n.MatchedRules, rules) } 
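Review bot: The new signature places `protocol uint16` directly before `port uint16`, so a caller that transposes the two compiles cleanly and records a node whose port is 6 or 17 and whose protocol is the port number; the four call sites in this commit are in the right order, but the shape invites the mistake. A named type for the protocol argument, or one struct carrying the bind identity, would let the compiler catch it; at minimum a doc comment on the function such as `// protocol is the IPPROTO_* number of the socket being recorded` pins the expected value. insertSnapshottedSocket continues past the end of the hunk.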
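Review bot: `Protocol uint16` is added to `BindNode` without a comment although the field now takes part in equality in `Matches` and `InsertBindEvent`, so a reader has to trace back to `snapshotBoundSockets` to learn it holds an IPPROTO_* number; a comment such as `// Protocol is the IP protocol number (IPPROTO_TCP, IPPROTO_UDP, ...) the socket was bound with` would state the contract where the field is declared. The neighbouring `Port` and `IP` fields are undocumented too, so this matches the file's current style rather than breaking it, but the comparison semantics make this one worth the line.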
@@ -100,6 +101,7 @@ func (sn *SocketNode) InsertBindEvent(evt *model.BindEvent, imageTag string, gen
 GenerationType: generationType,
 Port: evt.Addr.Port,
 IP: evtIP,
+ Protocol: evt.Protocol,
 }
 if imageTag != "" {
 node.ImageTags = []string{imageTag}