// Source: github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/model/oo_symlink_unix.go

// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.

//go:build unix

// Package model holds model related files
package model

import (
	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
)

var (
	// symlinkPathnameEvaluators holds one evaluator factory per symlink slot.
	// Each produced evaluator yields ProcessContext.SymlinkPathnameStr[slot]
	// when that entry is non-empty and otherwise falls back to
	// ProcessContext.FileEvent.PathnameStr.
	//
	// NOTE(review): only slots 0 and 1 are filled in here and the overrides
	// below index them directly; if MaxSymlinks is larger than 2 the remaining
	// entries stay nil — confirm against the MaxSymlinks definition.
	// The single-value assertion ctx.Event.(*Event) panics if the context
	// carries any other event type.
	symlinkPathnameEvaluators = [MaxSymlinks]func(field eval.Field) *eval.StringEvaluator{
		func(field eval.Field) *eval.StringEvaluator {
			return &eval.StringEvaluator{
				Field: field,
				EvalFnc: func(ctx *eval.Context) string {
					ev := ctx.Event.(*Event)
					symlink := ev.ProcessContext.SymlinkPathnameStr[0]
					if symlink == "" {
						return ev.ProcessContext.FileEvent.PathnameStr
					}
					return symlink
				},
			}
		},
		func(field eval.Field) *eval.StringEvaluator {
			return &eval.StringEvaluator{
				Field: field,
				EvalFnc: func(ctx *eval.Context) string {
					ev := ctx.Event.(*Event)
					symlink := ev.ProcessContext.SymlinkPathnameStr[1]
					if symlink == "" {
						return ev.ProcessContext.FileEvent.PathnameStr
					}
					return symlink
				},
			}
		},
	}

	// symlinkBasenameEvaluator builds an evaluator that yields
	// ProcessContext.SymlinkBasenameStr when it is non-empty and otherwise
	// falls back to ProcessContext.FileEvent.BasenameStr.
	symlinkBasenameEvaluator = func(field eval.Field) *eval.StringEvaluator {
		return &eval.StringEvaluator{
			Field: field,
			EvalFnc: func(ctx *eval.Context) string {
				ev := ctx.Event.(*Event)
				symlink := ev.ProcessContext.SymlinkBasenameStr
				if symlink == "" {
					return ev.ProcessContext.FileEvent.BasenameStr
				}
				return symlink
			},
		}
	}

	// ProcessSymlinkPathname handles symlinks for process entries.
	//
	// Every comparison first runs the regular eval.GlobCmp operator. When the
	// compared field is exactly "exec.file.path" or "process.file.path", the
	// same operator is also run against both symlink pathname evaluators and
	// the three results are OR-ed, so a rule on the file path also matches when
	// one of the recorded symlink paths matches.
	//
	// Limits visible in this file, worth keeping in mind when writing rules:
	//   - only those two field names are widened; the symlink evaluators always
	//     read ctx.Event.(*Event).ProcessContext;
	//   - StringValuesContains and StringArrayContains look at a.Field only;
	//   - StringArrayMatches is delegated unchanged, without symlink widening.
	//
	// NOTE(review): where SymlinkPathnameStr is populated is not shown here —
	// confirm against the code that resolves the process event.
	ProcessSymlinkPathname = &eval.OpOverrides{
		StringEquals: func(a *eval.StringEvaluator, b *eval.StringEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			direct, err := eval.GlobCmp.StringEquals(a, b, state)
			if err != nil {
				return nil, err
			}

			// currently only override exec events
			switch {
			case a.Field == "exec.file.path" || a.Field == "process.file.path":
				first, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[0](a.Field), b, state)
				if err != nil {
					return nil, err
				}

				second, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[1](a.Field), b, state)
				if err != nil {
					return nil, err
				}

				viaSymlink, err := eval.Or(first, second, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(direct, viaSymlink, state)

			case b.Field == "exec.file.path" || b.Field == "process.file.path":
				// Mirror case: the process path is the right-hand operand, so the
				// symlink evaluator is passed first and a second.
				first, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[0](b.Field), a, state)
				if err != nil {
					return nil, err
				}

				second, err := eval.GlobCmp.StringEquals(symlinkPathnameEvaluators[1](b.Field), a, state)
				if err != nil {
					return nil, err
				}

				viaSymlink, err := eval.Or(first, second, state)
				if err != nil {
					return nil, err
				}

				return eval.Or(direct, viaSymlink, state)
			}

			return direct, nil
		},
		StringValuesContains: func(a *eval.StringEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			direct, err := eval.GlobCmp.StringValuesContains(a, b, state)
			if err != nil {
				return nil, err
			}

			// currently only override exec events
			if a.Field != "exec.file.path" && a.Field != "process.file.path" {
				return direct, nil
			}

			first, err := eval.GlobCmp.StringValuesContains(symlinkPathnameEvaluators[0](a.Field), b, state)
			if err != nil {
				return nil, err
			}
			second, err := eval.GlobCmp.StringValuesContains(symlinkPathnameEvaluators[1](a.Field), b, state)
			if err != nil {
				return nil, err
			}
			viaSymlink, err := eval.Or(first, second, state)
			if err != nil {
				return nil, err
			}

			return eval.Or(direct, viaSymlink, state)
		},
		StringArrayContains: func(a *eval.StringEvaluator, b *eval.StringArrayEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			direct, err := eval.GlobCmp.StringArrayContains(a, b, state)
			if err != nil {
				return nil, err
			}

			// currently only override exec events
			if a.Field != "exec.file.path" && a.Field != "process.file.path" {
				return direct, nil
			}

			first, err := eval.GlobCmp.StringArrayContains(symlinkPathnameEvaluators[0](a.Field), b, state)
			if err != nil {
				return nil, err
			}
			second, err := eval.GlobCmp.StringArrayContains(symlinkPathnameEvaluators[1](a.Field), b, state)
			if err != nil {
				return nil, err
			}
			viaSymlink, err := eval.Or(first, second, state)
			if err != nil {
				return nil, err
			}

			return eval.Or(direct, viaSymlink, state)
		},
		// No symlink widening here: the glob comparison is used as is.
		StringArrayMatches: func(a *eval.StringArrayEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			return eval.GlobCmp.StringArrayMatches(a, b, state)
		},
	}

	// ProcessSymlinkBasename handles symlinks for process entries.
	//
	// Every comparison first runs the plain eval operator. When the compared
	// field is exactly "exec.file.name" or "process.file.name", the same
	// operator is also run against the symlink basename evaluator and the two
	// results are OR-ed. StringValuesContains and StringArrayContains look at
	// a.Field only, and StringArrayMatches is delegated unchanged.
	ProcessSymlinkBasename = &eval.OpOverrides{
		StringEquals: func(a *eval.StringEvaluator, b *eval.StringEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			direct, err := eval.StringEquals(a, b, state)
			if err != nil {
				return nil, err
			}

			// currently only override exec events
			switch {
			case a.Field == "exec.file.name" || a.Field == "process.file.name":
				viaSymlink, err := eval.StringEquals(symlinkBasenameEvaluator(a.Field), b, state)
				if err != nil {
					return nil, err
				}
				return eval.Or(direct, viaSymlink, state)

			case b.Field == "exec.file.name" || b.Field == "process.file.name":
				// Mirror case: operand order is kept, only b is swapped for the
				// symlink evaluator.
				viaSymlink, err := eval.StringEquals(a, symlinkBasenameEvaluator(b.Field), state)
				if err != nil {
					return nil, err
				}
				return eval.Or(direct, viaSymlink, state)
			}

			return direct, nil
		},
		StringValuesContains: func(a *eval.StringEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			direct, err := eval.StringValuesContains(a, b, state)
			if err != nil {
				return nil, err
			}

			// currently only override exec events
			if a.Field != "exec.file.name" && a.Field != "process.file.name" {
				return direct, nil
			}

			viaSymlink, err := eval.StringValuesContains(symlinkBasenameEvaluator(a.Field), b, state)
			if err != nil {
				return nil, err
			}
			return eval.Or(direct, viaSymlink, state)
		},
		StringArrayContains: func(a *eval.StringEvaluator, b *eval.StringArrayEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			direct, err := eval.StringArrayContains(a, b, state)
			if err != nil {
				return nil, err
			}

			// currently only override exec events
			if a.Field != "exec.file.name" && a.Field != "process.file.name" {
				return direct, nil
			}

			viaSymlink, err := eval.StringArrayContains(symlinkBasenameEvaluator(a.Field), b, state)
			if err != nil {
				return nil, err
			}
			return eval.Or(direct, viaSymlink, state)
		},
		// No symlink widening here: the plain comparison is used as is.
		StringArrayMatches: func(a *eval.StringArrayEvaluator, b *eval.StringValuesEvaluator, state *eval.State) (*eval.BoolEvaluator, error) {
			return eval.StringArrayMatches(a, b, state)
		},
	}
)