Introduce scope_field for process scope

Author: Gui774ume

pkg/security/probe/field_handlers_ebpf.go

@@ -68,6 +68,11 @@ func (fh *EBPFFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, newEntryC
 	return ev.ProcessCacheEntry, true
 }
 
+// ResolveProcessCacheEntryFromPID queries the ProcessResolver to retrieve the ProcessContext of the provided PID
+func (fh *EBPFFieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *model.ProcessCacheEntry {
+	return fh.resolvers.ProcessResolver.Resolve(pid, pid, 0, true, nil)
+}
+
 // ResolveFilePath resolves the inode to a full path
 func (fh *EBPFFieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) string {
 	if !f.IsPathnameStrResolved && len(f.PathnameStr) == 0 {

pkg/security/probe/field_handlers_ebpfless.go

@@ -57,6 +57,12 @@ func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, _ fun
 	return ev.ProcessCacheEntry, true
 }
 
+// ResolveProcessCacheEntryFromPID queries the ProcessResolver to retrieve the ProcessContext of the provided PID
+func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *model.ProcessCacheEntry {
+	// not supported yet, we're missing NSID
+	return nil
+}
+
 // ResolveFilePath resolves the inode to a full path
 func (fh *EBPFLessFieldHandlers) ResolveFilePath(_ *model.Event, f *model.FileEvent) string {
 	return f.PathnameStr

pkg/security/probe/field_handlers_windows.go

@@ -90,6 +90,11 @@ func (fh *FieldHandlers) ResolveProcessCacheEntry(ev *model.Event, _ func(*model
 	return ev.ProcessCacheEntry, true
 }
 
+// ResolveProcessCacheEntryFromPID queries the ProcessResolver to retrieve the ProcessContext of the provided PID
+func (fh *FieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry {
+	return fh.resolvers.ProcessResolver.Resolve(pid)
+}
+
 // ResolveProcessCmdLineScrubbed returns a scrubbed version of the cmdline
 func (fh *FieldHandlers) ResolveProcessCmdLineScrubbed(_ *model.Event, e *model.Process) string {
 	return fh.resolvers.ProcessResolver.GetProcessCmdLineScrubbed(e)

pkg/security/secl/compiler/eval/variables.go

@@ -47,13 +47,17 @@ type ScopedVariable interface {
 type MutableVariable interface {
 	Set(ctx *Context, value interface{}) error
 	Append(ctx *Context, value interface{}) error
-	GetVariableOpts() VariableOpts
-	SetVariableOpts(opts VariableOpts)
+}
+
+// MutableScopedVariable is the interface for scoped variables whose value can be changed
+type MutableScopedVariable interface {
+	Set(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error
+	Append(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error
 }
 
 // settableVariable describes a SECL variable
 type settableVariable struct {
-	setFnc func(ctx *Context, value interface{}) error
+	setFnc func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error
 	opts   VariableOpts
 }
 
@@ -62,16 +66,16 @@ type expirableVariable interface {
 }
 
 // Set the variable with the specified value
-func (v *settableVariable) Set(ctx *Context, value interface{}) error {
+func (v *settableVariable) Set(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error {
 	if v.setFnc == nil {
 		return errors.New("variable is not mutable")
 	}
 
-	return v.setFnc(ctx, value)
+	return v.setFnc(ctx, value, scopeFieldEvaluator)
 }
 
 // Append a value to the variable
-func (v *settableVariable) Append(_ *Context, _ interface{}) error {
+func (v *settableVariable) Append(_ *Context, _ interface{}, _ Evaluator) error {
 	return errAppendNotSupported
 }
 
@@ -112,7 +116,7 @@ func (i *ScopedIntVariable) GetValue(ctx *Context) (interface{}, bool) {
 }
 
 // NewScopedIntVariable returns a new integer variable
-func NewScopedIntVariable(intFnc func(ctx *Context) (int, bool), setFnc func(ctx *Context, value interface{}) error) *ScopedIntVariable {
+func NewScopedIntVariable(intFnc func(ctx *Context) (int, bool), setFnc func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error) *ScopedIntVariable {
 	return &ScopedIntVariable{
 		settableVariable: settableVariable{
 			setFnc: setFnc,
@@ -147,7 +151,7 @@ func (s *ScopedStringVariable) GetValue(ctx *Context) (interface{}, bool) {
 }
 
 // NewScopedStringVariable returns a new scoped string variable
-func NewScopedStringVariable(strFnc func(ctx *Context) (string, bool), setFnc func(ctx *Context, value interface{}) error) *ScopedStringVariable {
+func NewScopedStringVariable(strFnc func(ctx *Context) (string, bool), setFnc func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error) *ScopedStringVariable {
 	return &ScopedStringVariable{
 		strFnc: strFnc,
 		settableVariable: settableVariable{
@@ -181,7 +185,7 @@ func (b *ScopedBoolVariable) GetValue(ctx *Context) (interface{}, bool) {
 }
 
 // NewScopedBoolVariable returns a new boolean variable
-func NewScopedBoolVariable(boolFnc func(ctx *Context) (bool, bool), setFnc func(ctx *Context, value interface{}) error) *ScopedBoolVariable {
+func NewScopedBoolVariable(boolFnc func(ctx *Context) (bool, bool), setFnc func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error) *ScopedBoolVariable {
 	return &ScopedBoolVariable{
 		boolFnc: boolFnc,
 		settableVariable: settableVariable{
@@ -215,7 +219,7 @@ func (i *ScopedIPVariable) GetValue(ctx *Context) (interface{}, bool) {
 }
 
 // NewScopedIPVariable returns a new scoped IP variable
-func NewScopedIPVariable(ipFnc func(ctx *Context) (net.IPNet, bool), setFnc func(ctx *Context, value interface{}) error) *ScopedIPVariable {
+func NewScopedIPVariable(ipFnc func(ctx *Context) (net.IPNet, bool), setFnc func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error) *ScopedIPVariable {
 	return &ScopedIPVariable{
 		ipFnc: ipFnc,
 		settableVariable: settableVariable{
@@ -249,24 +253,24 @@ func (s *ScopedStringArrayVariable) GetValue(ctx *Context) (interface{}, bool) {
 }
 
 // Set the array values
-func (s *ScopedStringArrayVariable) Set(ctx *Context, value interface{}) error {
+func (s *ScopedStringArrayVariable) Set(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error {
 	if s, ok := value.(string); ok {
 		value = []string{s}
 	}
-	return s.settableVariable.Set(ctx, value)
+	return s.settableVariable.Set(ctx, value, scopeFieldEvaluator)
 }
 
 // Append a value to the array
-func (s *ScopedStringArrayVariable) Append(ctx *Context, value interface{}) error {
+func (s *ScopedStringArrayVariable) Append(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error {
 	if val, ok := value.(string); ok {
 		value = []string{val}
 	}
 	values, _ := s.strFnc(ctx)
-	return s.Set(ctx, append(values, value.([]string)...))
+	return s.Set(ctx, append(values, value.([]string)...), scopeFieldEvaluator)
 }
 
 // NewScopedStringArrayVariable returns a new scoped string array variable
-func NewScopedStringArrayVariable(strFnc func(ctx *Context) ([]string, bool), setFnc func(ctx *Context, value interface{}) error) *ScopedStringArrayVariable {
+func NewScopedStringArrayVariable(strFnc func(ctx *Context) ([]string, bool), setFnc func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error) *ScopedStringArrayVariable {
 	return &ScopedStringArrayVariable{
 		strFnc: strFnc,
 		settableVariable: settableVariable{
@@ -300,24 +304,24 @@ func (v *ScopedIntArrayVariable) GetValue(ctx *Context) (interface{}, bool) {
 }
 
 // Set the array values
-func (v *ScopedIntArrayVariable) Set(ctx *Context, value interface{}) error {
+func (v *ScopedIntArrayVariable) Set(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error {
 	if i, ok := value.(int); ok {
 		value = []int{i}
 	}
-	return v.settableVariable.Set(ctx, value)
+	return v.settableVariable.Set(ctx, value, scopeFieldEvaluator)
 }
 
 // Append a value to the array
-func (v *ScopedIntArrayVariable) Append(ctx *Context, value interface{}) error {
+func (v *ScopedIntArrayVariable) Append(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error {
 	if val, ok := value.(int); ok {
 		value = []int{val}
 	}
 	values, _ := v.intFnc(ctx)
-	return v.Set(ctx, append(values, value.([]int)...))
+	return v.Set(ctx, append(values, value.([]int)...), scopeFieldEvaluator)
 }
 
 // NewScopedIntArrayVariable returns a new integer array variable
-func NewScopedIntArrayVariable(intFnc func(ctx *Context) ([]int, bool), setFnc func(ctx *Context, value interface{}) error) *ScopedIntArrayVariable {
+func NewScopedIntArrayVariable(intFnc func(ctx *Context) ([]int, bool), setFnc func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error) *ScopedIntArrayVariable {
 	return &ScopedIntArrayVariable{
 		intFnc: intFnc,
 		settableVariable: settableVariable{
@@ -351,24 +355,24 @@ func (i *ScopedIPArrayVariable) GetValue(ctx *Context) (interface{}, bool) {
 }
 
 // Set the array values
-func (i *ScopedIPArrayVariable) Set(ctx *Context, value interface{}) error {
+func (i *ScopedIPArrayVariable) Set(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error {
 	if ip, ok := value.(net.IPNet); ok {
 		value = []net.IPNet{ip}
 	}
-	return i.settableVariable.Set(ctx, value)
+	return i.settableVariable.Set(ctx, value, scopeFieldEvaluator)
 }
 
 // Append a value to the array
-func (i *ScopedIPArrayVariable) Append(ctx *Context, value interface{}) error {
+func (i *ScopedIPArrayVariable) Append(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error {
 	if val, ok := value.(net.IPNet); ok {
 		value = []net.IPNet{val}
 	}
 	values, _ := i.ipFnc(ctx)
-	return i.Set(ctx, append(values, value.([]net.IPNet)...))
+	return i.Set(ctx, append(values, value.([]net.IPNet)...), scopeFieldEvaluator)
 }
 
 // NewScopedIPArrayVariable returns a new IP array variable
-func NewScopedIPArrayVariable(ipFnc func(ctx *Context) ([]net.IPNet, bool), setFnc func(ctx *Context, value interface{}) error) *ScopedIPArrayVariable {
+func NewScopedIPArrayVariable(ipFnc func(ctx *Context) ([]net.IPNet, bool), setFnc func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error) *ScopedIPArrayVariable {
 	return &ScopedIPArrayVariable{
 		ipFnc: ipFnc,
 		settableVariable: settableVariable{
@@ -952,7 +956,7 @@ type VariableScope interface {
 }
 
 // Scoper maps a variable to the entity its scoped to
-type Scoper func(ctx *Context) VariableScope
+type Scoper func(ctx *Context, scopeFieldEvaluator Evaluator) VariableScope
 
 // Variables holds a set of variables
 type Variables struct {
@@ -1042,7 +1046,7 @@ func (v *ScopedVariables) Len() int {
 // NewSECLVariable returns new variable of the type of the specified value
 func (v *ScopedVariables) NewSECLVariable(name string, value interface{}, opts VariableOpts) (SECLVariable, error) {
 	getVariable := func(ctx *Context) MutableSECLVariable {
-		scope := v.scoper(ctx)
+		scope := v.scoper(ctx, nil)
 		if scope == nil {
 			return nil
 		}
@@ -1060,8 +1064,8 @@ func (v *ScopedVariables) NewSECLVariable(name string, value interface{}, opts V
 		return vars[name]
 	}
 
-	setVariable := func(ctx *Context, value interface{}) error {
-		scope := v.scoper(ctx)
+	setVariable := func(ctx *Context, value interface{}, scopeFieldEvaluator Evaluator) error {
+		scope := v.scoper(ctx, scopeFieldEvaluator)
 		if scope == nil {
 			return fmt.Errorf("failed to scope variable '%s'", name)
 		}

pkg/security/secl/model/model.go

@@ -610,6 +610,7 @@ type AWSSecurityCredentials struct {
 // BaseExtraFieldHandlers handlers not hold by any field
 type BaseExtraFieldHandlers interface {
 	ResolveProcessCacheEntry(ev *Event, newEntryCb func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)
+	ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry
 	ResolveContainerContext(ev *Event) (*ContainerContext, bool)
 }
 
@@ -621,6 +622,11 @@ func (dfh *FakeFieldHandlers) ResolveProcessCacheEntry(ev *Event, _ func(*Proces
 	return nil, false
 }
 
+// ResolveProcessCacheEntryFromPID stub implementation
+func (fh *FakeFieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry {
+	return GetPlaceholderProcessCacheEntry(pid, pid, false)
+}
+
 // ResolveContainerContext stub implementation
 func (dfh *FakeFieldHandlers) ResolveContainerContext(_ *Event) (*ContainerContext, bool) {
 	return nil, false

pkg/security/secl/model/model_windows.go

@@ -37,6 +37,14 @@ func NewFakeEvent() *Event {
 	}
 }
 
+var processContextZero = ProcessCacheEntry{}
+
+// GetPlaceholderProcessCacheEntry returns an empty process cache entry for failed process resolutions
+func GetPlaceholderProcessCacheEntry(pid uint32) *ProcessCacheEntry {
+	processContextZero.Pid = pid
+	return &processContextZero
+}
+
 // ValidateField validates the value of a field
 func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error {
 	if m.ExtraValidateFieldFnc != nil {

pkg/security/secl/rules/actions.go

@@ -19,9 +19,10 @@ import (
 // Action represents the action to take when a rule is triggered
 // It can either come from policy a definition or be an internal callback
 type Action struct {
-	Def              *ActionDefinition
-	InternalCallback *InternalCallbackDefinition
-	FilterEvaluator  *eval.RuleEvaluator
+	Def                 *ActionDefinition
+	InternalCallback    *InternalCallbackDefinition
+	FilterEvaluator     *eval.RuleEvaluator
+	ScopeFieldEvaluator eval.Evaluator
 }
 
 // Check returns an error if the action in invalid
@@ -59,6 +60,10 @@ func (a *ActionDefinition) Check(opts PolicyLoaderOpts) error {
 		if a.Set.Inherited && a.Set.Scope != "process" {
 			return fmt.Errorf("only variables scoped to process can be marked as inherited")
 		}
+
+		if len(a.Set.ScopeField) > 0 && a.Set.Scope != "process" {
+			return fmt.Errorf("only variables scoped to process can have a custom scope_field")
+		}
 	} else if a.Kill != nil {
 		if opts.DisableEnforcement {
 			a.Kill = nil
@@ -103,6 +108,21 @@ func (a *Action) CompileFilter(parsingContext *ast.ParsingContext, model eval.Mo
 	return nil
 }
 
+// CompileScopeField compiles the scope field
+func (a *Action) CompileScopeField(model eval.Model) error {
+	if a.Def.Set == nil || len(a.Def.Set.ScopeField) == 0 {
+		return nil
+	}
+
+	evaluator, err := model.GetEvaluator(a.Def.Set.ScopeField, "", 0)
+	if err != nil {
+		return &ErrScopeField{Expression: a.Def.Set.ScopeField, Err: err}
+	}
+
+	a.ScopeFieldEvaluator = evaluator
+	return nil
+}
+
 // IsAccepted returns whether a filter is accepted and has to be executed
 func (a *Action) IsAccepted(ctx *eval.Context) bool {
 	return a.FilterEvaluator == nil || a.FilterEvaluator.Eval(ctx)

pkg/security/secl/rules/errors.go

@@ -176,6 +176,16 @@ func (e ErrActionFilter) Error() string {
 	return fmt.Sprintf("filter `%s` error: %s", e.Expression, e.Err)
 }
 
+// ErrScopeField is return on scope field definition error
+type ErrScopeField struct {
+	Expression string
+	Err        error
+}
+
+func (e ErrScopeField) Error() string {
+	return fmt.Sprintf("scope_field `%s` error: %s", e.Expression, e.Err)
+}
+
 // ErrFieldNotAvailable is returned when a field is not available
 type ErrFieldNotAvailable struct {
 	Field        eval.Field

pkg/security/secl/rules/model.go

@@ -146,6 +146,7 @@ type SetDefinition struct {
 	Expression   string                 `yaml:"expression" json:"expression,omitempty"`
 	Append       bool                   `yaml:"append" json:"append,omitempty"`
 	Scope        Scope                  `yaml:"scope" json:"scope,omitempty" jsonschema:"enum=process,enum=container,enum=cgroup"`
+	ScopeField   string                 `yaml:"scope_field" json:"scope_field,omitempty"`
 	Size         int                    `yaml:"size" json:"size,omitempty"`
 	TTL          *HumanReadableDuration `yaml:"ttl" json:"ttl,omitempty"`
 	Private      bool                   `yaml:"private" json:"private,omitempty"`