// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
//go:build linux
// +build linux
package probe
import (
"fmt"
"github.com/StackVista/stackstate-agent/pkg/security/secl/compiler/eval"
"github.com/StackVista/stackstate-agent/pkg/security/secl/model"
"github.com/StackVista/stackstate-agent/pkg/security/secl/rules"
)
// openCapabilities lists the open-event fields that may be used as approvers,
// together with the policy flag and the value kinds accepted for each one.
//
// NOTE(review): only "open.file.path" carries a ValidateFnc. Confirm that
// "open.file.name" (scalar values only) needs no equivalent validation before
// its values are turned into kernel-side filters.
var openCapabilities = Capabilities{
	// Path approvers: scalar or pattern values, checked by validateBasenameFilter.
	"open.file.path": {
		PolicyFlags:     PolicyFlagBasename,
		FieldValueTypes: eval.ScalarValueType | eval.PatternValueType,
		ValidateFnc:     validateBasenameFilter,
	},
	// Name approvers: scalar values only, no validation callback.
	"open.file.name": {
		PolicyFlags:     PolicyFlagBasename,
		FieldValueTypes: eval.ScalarValueType,
	},
	// Flag approvers: a single scalar flag value or a bitmask.
	"open.flags": {
		PolicyFlags:     PolicyFlagFlags,
		FieldValueTypes: eval.ScalarValueType | eval.BitmaskValueType,
	},
}
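// openOnNewApprovers builds the active filters for open events from the
// approvers supplied for the loaded rules.
//
// Approvers on "open.file.name" and "open.file.path" are delegated to
// onNewBasenameApprovers. Values for "open.flags" are passed to approveFlags
// under the "open_flags_approvers" name. Any other field is rejected with an
// error instead of being skipped, so an approver set this function does not
// understand yields no filters at all.
//
// It returns an error when a helper fails, when a field is unknown, or when an
// "open.flags" value does not hold an int.
func openOnNewApprovers(probe *Probe, approvers rules.Approvers) (activeApprovers, error) {
	openApprovers, err := onNewBasenameApprovers(probe, model.FileOpenEventType, "file", approvers)
	if err != nil {
		return nil, err
	}

	for field, values := range approvers {
		switch field {
		case "open.file.name", "open.file.path":
			// Already handled by onNewBasenameApprovers.
		case "open.flags":
			// Check the dynamic type rather than asserting it blindly: an
			// unexpected filter value must surface as a rule-loading error,
			// not as a panic that takes the security probe down.
			var flags []int
			for _, v := range values {
				flag, ok := v.Value.(int)
				if !ok {
					return nil, fmt.Errorf("unexpected value type %T for field '%s'", v.Value, field)
				}
				flags = append(flags, flag)
			}

			activeApprover, err := approveFlags("open_flags_approvers", flags...)
			if err != nil {
				return nil, err
			}
			openApprovers = append(openApprovers, activeApprover)
		default:
			// Fail closed on fields with no approver implementation here.
			return nil, fmt.Errorf("unknown field '%s'", field)
		}
	}

	return newActiveKFilters(openApprovers...), nil
}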