// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
//go:build linux
// +build linux
package probe
import (
	"fmt"
	"path"

	"github.com/StackVista/stackstate-agent/pkg/security/ebpf"
	"github.com/StackVista/stackstate-agent/pkg/security/secl/compiler/eval"
	"github.com/StackVista/stackstate-agent/pkg/security/secl/model"
	"github.com/StackVista/stackstate-agent/pkg/security/secl/rules"
)
// onApproverHandler turns the approvers that the rule engine computed for one
// event type into the set of filters to install for that event type.
type onApproverHandler func(probe *Probe, approvers rules.Approvers) (activeApprovers, error)

// activeApprover is one installable filter and activeApprovers the collection
// type handlers return; both are aliases of the kfilter types declared
// elsewhere in the package (the concrete values built in this file wrap ebpf
// map items, so these are presumably the in-kernel eBPF filters — confirm).
type activeApprover = activeKFilter
type activeApprovers = activeKFilters

// allApproversHandlers maps an event type name to the handler that builds its
// approvers; it is filled in by this file's init.
var allApproversHandlers = make(map[eval.EventType]onApproverHandler)
// approveBasename builds a single basename approver: an entry in tableName
// keyed by basename (stored as a fixed-size string map item of
// BasenameFilterSize) whose mask has the bit for eventType set.
//
// The mask uses bit index eventType-1, so eventType is assumed to be >= 1;
// TODO confirm callers never pass the zero (unknown) event type.
// The error result is always nil and exists for interface symmetry with the
// other approver constructors.
func approveBasename(tableName string, eventType model.EventType, basename string) (activeApprover, error) {
	mask := uint64(1 << (eventType - 1))
	entry := &mapEventMask{
		tableName: tableName,
		key:       basename,
		tableKey:  ebpf.NewStringMapItem(basename, BasenameFilterSize),
		eventMask: mask,
	}
	return entry, nil
}
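// approveBasenames builds one basename approver per entry of basenames (see
// approveBasename) for eventType in tableName and returns them in input
// order. It stops at the first constructor error and returns nil, err.
//
// The result slice is pre-sized to len(basenames) so the loop never
// reallocates; with no basenames the result is nil, as before.
func approveBasenames(tableName string, eventType model.EventType, basenames ...string) ([]activeApprover, error) {
	if len(basenames) == 0 {
		return nil, nil
	}
	approvers := make([]activeApprover, 0, len(basenames))
	for _, basename := range basenames {
		approver, err := approveBasename(tableName, eventType, basename)
		if err != nil {
			return nil, err
		}
		approvers = append(approvers, approver)
	}
	return approvers, nil
}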
// setFlagsFilter ORs every value in flags into one uint32 mask and returns an
// arrayEntry approver that stores that mask at index 0 of tableName.
//
// When the combined mask is zero (no flags given, or only zero values) there
// is nothing to install and it returns a nil approver with a nil error, so
// callers must nil-check the approver. Each flag is converted with
// ebpf.Uint32MapItem(flag), so a negative int wraps to a large unsigned
// value; flags are assumed to be non-negative bit values — TODO confirm.
func setFlagsFilter(tableName string, flags ...int) (activeApprover, error) {
	var mask ebpf.Uint32MapItem
	for _, f := range flags {
		mask |= ebpf.Uint32MapItem(f)
	}
	if mask == 0 {
		// nothing to install for an empty mask
		return nil, nil
	}
	entry := &arrayEntry{
		tableName: tableName,
		index:     uint32(0),
		value:     mask,
		zeroValue: ebpf.ZeroUint32MapItem,
	}
	return entry, nil
}
// approveFlags is the approver-side name for setFlagsFilter: it installs the
// OR of flags at index 0 of tableName, and returns a nil approver (and nil
// error) when the combined mask is zero.
func approveFlags(tableName string, flags ...int) (activeApprover, error) {
	approver, err := setFlagsFilter(tableName, flags...)
	if err != nil {
		return nil, err
	}
	return approver, nil
}
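// onNewBasenameApprovers builds the basename approvers for eventType out of
// the rule approvers keyed "<eventType>[.<field>].name" (values used as-is)
// and "<eventType>[.<field>].path" (each value reduced to path.Base). Keys
// that match neither are ignored. All entries go to the "basename_approvers"
// table and are returned in map iteration order, so the order is not stable.
// probe is accepted for handler-signature symmetry and is not used here.
//
// Reducing a path approver to its basename makes the filter accept every
// file with that basename; presumably the full-path comparison is then done
// by rule evaluation, so this is a superset filter — confirm against the
// caller before relying on it for anything stricter.
//
// A filter value that is not a string now yields nil and an error instead of
// the previous unchecked type assertion, which panicked on such input.
func onNewBasenameApprovers(probe *Probe, eventType model.EventType, field string, approvers rules.Approvers) ([]activeApprover, error) {
	// stringValues extracts the string payload of each filter value under key,
	// rejecting non-string values with an error rather than a panic.
	stringValues := func(key string, fvs rules.FilterValues) ([]string, error) {
		values := make([]string, 0, len(fvs))
		for _, fv := range fvs {
			s, ok := fv.Value.(string)
			if !ok {
				return nil, fmt.Errorf("approver %q: expected string value, got %T", key, fv.Value)
			}
			values = append(values, s)
		}
		return values, nil
	}

	prefix := eventType.String()
	if field != "" {
		prefix += "." + field
	}
	nameKey := prefix + ".name"
	pathKey := prefix + ".path"

	var basenameApprovers []activeApprover
	// key is deliberately not named field: the parameter is already folded
	// into prefix and must not be shadowed here.
	for key, values := range approvers {
		switch key {
		case nameKey:
			basenames, err := stringValues(key, values)
			if err != nil {
				return nil, err
			}
			built, err := approveBasenames("basename_approvers", eventType, basenames...)
			if err != nil {
				return nil, err
			}
			basenameApprovers = append(basenameApprovers, built...)
		case pathKey:
			paths, err := stringValues(key, values)
			if err != nil {
				return nil, err
			}
			// only the last path element is filterable in the basename table
			basenames := make([]string, len(paths))
			for i, p := range paths {
				basenames[i] = path.Base(p)
			}
			built, err := approveBasenames("basename_approvers", eventType, basenames...)
			if err != nil {
				return nil, err
			}
			basenameApprovers = append(basenameApprovers, built...)
		}
	}
	return basenameApprovers, nil
}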
// onNewBasenameApproversWrapper returns the handler used for event types whose
// only file operand lives under the "file" field: it collects the basename
// approvers for event from that field and wraps them as activeApprovers.
// Errors from onNewBasenameApprovers are returned unchanged.
func onNewBasenameApproversWrapper(event model.EventType) onApproverHandler {
	const field = "file"
	return func(probe *Probe, approvers rules.Approvers) (activeApprovers, error) {
		built, err := onNewBasenameApprovers(probe, event, field, approvers)
		if err != nil {
			return nil, err
		}
		return newActiveKFilters(built...), nil
	}
}
// onNewTwoBasenamesApproversWrapper returns the handler for event types with
// two file operands (e.g. source and destination): it collects the basename
// approvers for event under field1, then under field2, and wraps the
// concatenation (field1 entries first) as activeApprovers. The first error
// from either lookup is returned and nothing is built.
func onNewTwoBasenamesApproversWrapper(event model.EventType, field1, field2 string) onApproverHandler {
	fields := [2]string{field1, field2}
	return func(probe *Probe, approvers rules.Approvers) (activeApprovers, error) {
		var collected []activeApprover
		for _, f := range fields {
			built, err := onNewBasenameApprovers(probe, event, f, approvers)
			if err != nil {
				return nil, err
			}
			collected = append(collected, built...)
		}
		return newActiveKFilters(collected...), nil
	}
}
// init registers one approver handler per supported file event type. Every
// event type except "open" uses the basename handlers from this file; "open"
// is routed to openOnNewApprovers, which is defined elsewhere in the package.
func init() {
	// event types with a single file operand under "file"
	singleFile := map[eval.EventType]model.EventType{
		"chmod":  model.FileChmodEventType,
		"chown":  model.FileChownEventType,
		"mkdir":  model.FileMkdirEventType,
		"rmdir":  model.FileRmdirEventType,
		"unlink": model.FileUnlinkEventType,
		"utimes": model.FileUtimesEventType,
	}
	for name, eventType := range singleFile {
		allApproversHandlers[name] = onNewBasenameApproversWrapper(eventType)
	}

	// event types with a source ("file") and a destination operand
	twoFiles := map[eval.EventType]model.EventType{
		"link":   model.FileLinkEventType,
		"rename": model.FileRenameEventType,
	}
	for name, eventType := range twoFiles {
		allApproversHandlers[name] = onNewTwoBasenamesApproversWrapper(eventType, "file", "file.destination")
	}

	allApproversHandlers["open"] = openOnNewApprovers
}