[CWS] Introduce scope_field for process scope

pkg/security/probe/field_handlers_ebpf.go

@@ -68,6 +68,11 @@ func (fh *EBPFFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, newEntryC
 	return ev.ProcessCacheEntry, true
 }
 
+// ResolveProcessCacheEntryFromPID queries the ProcessResolver to retrieve the ProcessContext of the provided PID
+func (fh *EBPFFieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *model.ProcessCacheEntry {
+	return fh.resolvers.ProcessResolver.Resolve(pid, pid, 0, true, nil)
+}
+
 // ResolveFilePath resolves the inode to a full path
 func (fh *EBPFFieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) string {
 	if !f.IsPathnameStrResolved && len(f.PathnameStr) == 0 {

pkg/security/probe/field_handlers_ebpfless.go

@@ -57,6 +57,12 @@ func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntry(ev *model.Event, _ fun
 	return ev.ProcessCacheEntry, true
 }
 
+// ResolveProcessCacheEntryFromPID queries the ProcessResolver to retrieve the ProcessContext of the provided PID
+func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *model.ProcessCacheEntry {
+	// not supported yet, we're missing NSID
+	return nil
+}
+
 // ResolveFilePath resolves the inode to a full path
 func (fh *EBPFLessFieldHandlers) ResolveFilePath(_ *model.Event, f *model.FileEvent) string {
 	return f.PathnameStr

pkg/security/probe/field_handlers_windows.go

@@ -90,6 +90,11 @@ func (fh *FieldHandlers) ResolveProcessCacheEntry(ev *model.Event, _ func(*model
 	return ev.ProcessCacheEntry, true
 }
 
+// ResolveProcessCacheEntryFromPID queries the ProcessResolver to retrieve the ProcessContext of the provided PID
+func (fh *FieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry {
+	return fh.resolvers.ProcessResolver.Resolve(pid)
+}
+
 // ResolveProcessCmdLineScrubbed returns a scrubbed version of the cmdline
 func (fh *FieldHandlers) ResolveProcessCmdLineScrubbed(_ *model.Event, e *model.Process) string {
 	return fh.resolvers.ProcessResolver.GetProcessCmdLineScrubbed(e)

pkg/security/secl/compiler/eval/context.go

@@ -55,6 +55,9 @@ type Context struct {
 	// iterator register cache. used to cache entry within a single rule evaluation
 	RegisterCache map[RegisterID]*RegisterCacheEntry
 
+	// Action context, used to cache data within the evaluation of a single action
+	scopeFieldEvaluator Evaluator
+
 	// rule register
 	Registers map[RegisterID]int
 
@@ -96,6 +99,24 @@ func (c *Context) Reset() {
 
 	// per eval
 	c.PerEvalReset()
+
+	// per action
+	c.PerActionReset()
+}
+
+// SetScopeFieldEvaluator sets the scope field evaluator during the evaluation of an action
+func (c *Context) SetScopeFieldEvaluator(evaluator Evaluator) {
+	c.scopeFieldEvaluator = evaluator
+}
+
+// GetScopeFieldEvaluator returns the current scope field evaluator in context
+func (c *Context) GetScopeFieldEvaluator() Evaluator {
+	return c.scopeFieldEvaluator
+}
+
+// PerActionReset the context
+func (c *Context) PerActionReset() {
+	c.scopeFieldEvaluator = nil
 }
 
 // PerEvalReset the context

pkg/security/secl/model/model.go

@@ -610,6 +610,7 @@ type AWSSecurityCredentials struct {
 // BaseExtraFieldHandlers handlers not hold by any field
 type BaseExtraFieldHandlers interface {
 	ResolveProcessCacheEntry(ev *Event, newEntryCb func(*ProcessCacheEntry, error)) (*ProcessCacheEntry, bool)
+	ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry
 	ResolveContainerContext(ev *Event) (*ContainerContext, bool)
 }
 
@@ -621,6 +622,11 @@ func (dfh *FakeFieldHandlers) ResolveProcessCacheEntry(ev *Event, _ func(*Proces
 	return nil, false
 }
 
+// ResolveProcessCacheEntryFromPID stub implementation
+func (fh *FakeFieldHandlers) ResolveProcessCacheEntryFromPID(pid uint32) *ProcessCacheEntry {
+	return GetPlaceholderProcessCacheEntry(pid, pid, false)
+}
+
 // ResolveContainerContext stub implementation
 func (dfh *FakeFieldHandlers) ResolveContainerContext(_ *Event) (*ContainerContext, bool) {
 	return nil, false

pkg/security/secl/model/model_windows.go

@@ -37,6 +37,14 @@ func NewFakeEvent() *Event {
 	}
 }
 
+var processContextZero = ProcessCacheEntry{}
+
+// GetPlaceholderProcessCacheEntry returns an empty process cache entry for failed process resolutions
+func GetPlaceholderProcessCacheEntry(pid uint32) *ProcessCacheEntry {
+	processContextZero.Pid = pid
+	return &processContextZero
+}
+
 // ValidateField validates the value of a field
 func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error {
 	if m.ExtraValidateFieldFnc != nil {

pkg/security/secl/rules/actions.go

@@ -19,9 +19,10 @@ import (
 // Action represents the action to take when a rule is triggered
 // It can either come from policy a definition or be an internal callback
 type Action struct {
-	Def              *ActionDefinition
-	InternalCallback *InternalCallbackDefinition
-	FilterEvaluator  *eval.RuleEvaluator
+	Def                 *ActionDefinition
+	InternalCallback    *InternalCallbackDefinition
+	FilterEvaluator     *eval.RuleEvaluator
+	ScopeFieldEvaluator eval.Evaluator
 }
 
 // Check returns an error if the action in invalid
@@ -59,6 +60,10 @@ func (a *ActionDefinition) Check(opts PolicyLoaderOpts) error {
 		if a.Set.Inherited && a.Set.Scope != "process" {
 			return fmt.Errorf("only variables scoped to process can be marked as inherited")
 		}
+
+		if len(a.Set.ScopeField) > 0 && a.Set.Scope != "process" {
+			return fmt.Errorf("only variables scoped to process can have a custom scope_field")
+		}
 	} else if a.Kill != nil {
 		if opts.DisableEnforcement {
 			a.Kill = nil
@@ -103,6 +108,21 @@ func (a *Action) CompileFilter(parsingContext *ast.ParsingContext, model eval.Mo
 	return nil
 }
 
+// CompileScopeField compiles the scope field
+func (a *Action) CompileScopeField(model eval.Model) error {
+	if a.Def.Set == nil || len(a.Def.Set.ScopeField) == 0 {
+		return nil
+	}
+
+	evaluator, err := model.GetEvaluator(a.Def.Set.ScopeField, "", 0)
+	if err != nil {
+		return &ErrScopeField{Expression: a.Def.Set.ScopeField, Err: err}
+	}
+
+	a.ScopeFieldEvaluator = evaluator
+	return nil
+}
+
 // IsAccepted returns whether a filter is accepted and has to be executed
 func (a *Action) IsAccepted(ctx *eval.Context) bool {
 	return a.FilterEvaluator == nil || a.FilterEvaluator.Eval(ctx)

pkg/security/secl/rules/errors.go

@@ -176,6 +176,16 @@ func (e ErrActionFilter) Error() string {
 	return fmt.Sprintf("filter `%s` error: %s", e.Expression, e.Err)
 }
 
+// ErrScopeField is return on scope field definition error
+type ErrScopeField struct {
+	Expression string
+	Err        error
+}
+
+func (e ErrScopeField) Error() string {
+	return fmt.Sprintf("scope_field `%s` error: %s", e.Expression, e.Err)
+}
+
 // ErrFieldNotAvailable is returned when a field is not available
 type ErrFieldNotAvailable struct {
 	Field        eval.Field

pkg/security/secl/rules/model.go

@@ -146,6 +146,7 @@ type SetDefinition struct {
 	Expression   string                 `yaml:"expression" json:"expression,omitempty"`
 	Append       bool                   `yaml:"append" json:"append,omitempty"`
 	Scope        Scope                  `yaml:"scope" json:"scope,omitempty" jsonschema:"enum=process,enum=container,enum=cgroup"`
+	ScopeField   string                 `yaml:"scope_field" json:"scope_field,omitempty"`
 	Size         int                    `yaml:"size" json:"size,omitempty"`
 	TTL          *HumanReadableDuration `yaml:"ttl" json:"ttl,omitempty"`
 	Private      bool                   `yaml:"private" json:"private,omitempty"`