[CWS] expose service

DataDog · Dec 18, 2023 · a83d0f9 · a83d0f9
1 parent a87ec42
commit a83d0f9
Show file tree

Hide file tree

Showing 17 changed files with 624 additions and 539 deletions.
diff --git a/docs/cloud-workload-security/secl.json b/docs/cloud-workload-security/secl.json
@@ -27,6 +27,11 @@
           "definition": "True if the syscall was asynchronous",
           "property_doc_link": "event-async-doc"
         },
+        {
+          "name": "event.service",
+          "definition": "Service associated with the event",
+          "property_doc_link": "event-service-doc"
+        },
         {
           "name": "event.timestamp",
           "definition": "Timestamp of the event",
@@ -8716,6 +8721,18 @@
       "constants_link": "",
       "examples": []
     },
+    {
+      "name": "event.service",
+      "link": "event-service-doc",
+      "type": "string",
+      "definition": "Service associated with the event",
+      "prefixes": [
+        ""
+      ],
+      "constants": "",
+      "constants_link": "",
+      "examples": []
+    },
     {
       "name": "event.timestamp",
       "link": "event-timestamp-doc",

diff --git a/pkg/security/probe/field_handlers.go b/pkg/security/probe/field_handlers.go
@@ -12,6 +12,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/DataDog/datadog-agent/pkg/security/config"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 )
 
@@ -41,7 +42,7 @@ func bestGuessServiceTag(serviceValues []string) string {
 }
 
 // getProcessService returns the service tag based on the process context
-func getProcessService(entry *model.ProcessCacheEntry) string {
+func getProcessService(config *config.Config, entry *model.ProcessCacheEntry) string {
 	var serviceValues []string
 
 	// first search in the process context itself
@@ -66,5 +67,9 @@ func getProcessService(entry *model.ProcessCacheEntry) string {
 		}
 	}
 
-	return bestGuessServiceTag(serviceValues)
+	if service := bestGuessServiceTag(serviceValues); service != "" {
+		return service
+	}
+
+	return config.RuntimeSecurity.HostServiceName
 }
diff --git a/pkg/security/probe/field_handlers_ebpf.go b/pkg/security/probe/field_handlers_ebpf.go
@@ -14,6 +14,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/DataDog/datadog-agent/pkg/security/config"
 	"github.com/DataDog/datadog-agent/pkg/security/resolvers"
 	sprocess "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
 
@@ -23,6 +24,7 @@ import (
 
 // EBPFFieldHandlers defines a field handlers
 type EBPFFieldHandlers struct {
+	config    *config.Config
 	resolvers *resolvers.EBPFResolvers
 }
 
@@ -350,13 +352,13 @@ func (fh *EBPFFieldHandlers) ResolveEventTimestamp(ev *model.Event, e *model.Bas
 	return int(fh.ResolveEventTime(ev, e).UnixNano())
 }
 
-// GetProcessService returns the service tag based on the process context
-func (fh *EBPFFieldHandlers) GetProcessService(ev *model.Event) string {
+// ResolveService returns the service tag based on the process context
+func (fh *EBPFFieldHandlers) ResolveService(ev *model.Event, e *model.BaseEvent) string {
 	entry, _ := fh.ResolveProcessCacheEntry(ev)
 	if entry == nil {
 		return ""
 	}
-	return getProcessService(entry)
+	return getProcessService(fh.config, entry)
 }
 
 // ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time

diff --git a/pkg/security/probe/field_handlers_ebpfless.go b/pkg/security/probe/field_handlers_ebpfless.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/DataDog/datadog-agent/pkg/security/config"
 	"github.com/DataDog/datadog-agent/pkg/security/resolvers"
 	sprocess "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
 
@@ -25,16 +26,17 @@ type EBPFLessFieldHandlers struct {
 	// keeping it can be dangerous as it can hide non implemented handlers
 	model.DefaultFieldHandlers
 
+	config    *config.Config
 	resolvers *resolvers.EBPFLessResolvers
 }
 
-// GetProcessService returns the service tag based on the process context
-func (fh *EBPFLessFieldHandlers) GetProcessService(ev *model.Event) string {
+// ResolveService returns the service tag based on the process context
+func (fh *EBPFLessFieldHandlers) ResolveService(ev *model.Event, e *model.BaseEvent) string {
 	entry, _ := fh.ResolveProcessCacheEntry(ev)
 	if entry == nil {
 		return ""
 	}
-	return getProcessService(entry)
+	return getProcessService(fh.config, entry)
 }
 
 // ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

diff --git a/pkg/security/probe/field_handlers_windows.go b/pkg/security/probe/field_handlers_windows.go
@@ -9,6 +9,7 @@ package probe
 import (
 	"time"
 
+	"github.com/DataDog/datadog-agent/pkg/security/config"
 	"github.com/DataDog/datadog-agent/pkg/security/resolvers"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 )
@@ -19,6 +20,7 @@ type FieldHandlers struct {
 	// keeping it can be dangerous as it can hide non implemented handlers
 	model.DefaultFieldHandlers
 
+	config    *config.Config
 	resolvers *resolvers.Resolvers
 }
 

diff --git a/pkg/security/probe/probe.go b/pkg/security/probe/probe.go
@@ -254,7 +254,7 @@ func (p *Probe) GetEventTags(containerID string) []string {
 
 // GetService returns the service name from the process tree
 func (p *Probe) GetService(ev *model.Event) string {
-	if service := ev.FieldHandlers.GetProcessService(ev); service != "" {
+	if service := ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent); service != "" {
 		return service
 	}
 	return p.Config.RuntimeSecurity.HostServiceName

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -1684,7 +1684,7 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFProbe, e
 	}
 
 	// TODO safchain change the fields handlers
-	p.fieldHandlers = &EBPFFieldHandlers{resolvers: p.Resolvers}
+	p.fieldHandlers = &EBPFFieldHandlers{config: config, resolvers: p.Resolvers}
 
 	if useRingBuffers {
 		p.eventStream = ringbuffer.New(p.handleEvent)

diff --git a/pkg/security/probe/probe_epbfless.go b/pkg/security/probe/probe_epbfless.go
@@ -376,7 +376,7 @@ func NewEBPFLessProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFLess
 		return nil, err
 	}
 
-	p.fieldHandlers = &EBPFLessFieldHandlers{resolvers: p.Resolvers}
+	p.fieldHandlers = &EBPFLessFieldHandlers{config: config, resolvers: p.Resolvers}
 
 	p.event = p.NewEvent()
 

diff --git a/pkg/security/probe/probe_windows.go b/pkg/security/probe/probe_windows.go
@@ -199,7 +199,7 @@ func NewWindowsProbe(probe *Probe, config *config.Config, opts Opts) (*WindowsPr
 		return nil, err
 	}
 
-	p.fieldHandlers = &FieldHandlers{resolvers: p.Resolvers}
+	p.fieldHandlers = &FieldHandlers{config: config, resolvers: p.Resolvers}
 
 	p.event = p.NewEvent()
 

diff --git a/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl b/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl
@@ -97,7 +97,7 @@ func (ev *Event) Get{{$pascalCaseName}}() {{ $accessorReturnType }} {
         {{range $Check := $Checks}}
         {{$Check = $Check | printf "ev.%s"}}
         if !{{$Check}}() {
-            return {{ GetDefaultValueOfType $accessorReturnType}}
+            return {{ GetDefaultValueOfType $accessorReturnType}} // ici
         }
         {{end}}
 

diff --git a/pkg/security/secl/model/accessors_unix.go b/pkg/security/secl/model/accessors_unix.go
diff --git a/pkg/security/secl/model/accessors_windows.go b/pkg/security/secl/model/accessors_windows.go