From 2700d03e19d23764f48b4cea4f74548691c1aa81 Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Sat, 16 Nov 2024 11:19:16 +0100 Subject: [PATCH] pipe tag resolver to windows probe --- pkg/security/probe/opts_windows.go | 4 ++ pkg/security/probe/probe_windows.go | 6 +- pkg/security/resolvers/cgroup/model/model.go | 51 ---------------- pkg/security/resolvers/cgroup/model/types.go | 63 ++++++++++++++++++++ pkg/security/resolvers/opts_windows.go | 14 +++++ pkg/security/resolvers/resolvers_windows.go | 4 +- pkg/security/tests/fake_tags_resolver.go | 2 +- pkg/security/tests/module_tester_windows.go | 6 ++ 8 files changed, 95 insertions(+), 55 deletions(-) create mode 100644 pkg/security/resolvers/cgroup/model/types.go create mode 100644 pkg/security/resolvers/opts_windows.go diff --git a/pkg/security/probe/opts_windows.go b/pkg/security/probe/opts_windows.go index da287cf997c59..ec3bad2ca7a80 100644 --- a/pkg/security/probe/opts_windows.go +++ b/pkg/security/probe/opts_windows.go @@ -9,6 +9,7 @@ package probe import ( + "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" "github.com/DataDog/datadog-go/v5/statsd" ) @@ -23,6 +24,9 @@ type Opts struct { // EnvsVarResolutionEnabled defines if environment variables resolution is enabled EnvsVarResolutionEnabled bool + // Tagger will override the default one. Mainly here for tests. + Tagger tags.Tagger + // this option for test purposes only; should never be true in main code disableProcmon bool } diff --git a/pkg/security/probe/probe_windows.go b/pkg/security/probe/probe_windows.go index 8d4019daaf1ed..02761f8d95fd0 100644 --- a/pkg/security/probe/probe_windows.go +++ b/pkg/security/probe/probe_windows.go 
@@ -1296,7 +1296,11 @@ func NewWindowsProbe(probe *Probe, config *config.Config, opts Opts, telemetry t return nil, err } p.probe = probe - p.Resolvers, err = resolvers.NewResolvers(config, p.statsdClient, probe.scrubber, telemetry) + + resolversOpts := resolvers.Opts{ + Tagger: probe.Opts.Tagger, + } + p.Resolvers, err = resolvers.NewResolvers(config, p.statsdClient, probe.scrubber, telemetry, resolversOpts) if err != nil { return nil, err } diff --git a/pkg/security/resolvers/cgroup/model/model.go b/pkg/security/resolvers/cgroup/model/model.go index 15a9046510363..8abaf74cd47bb 100644 --- a/pkg/security/resolvers/cgroup/model/model.go +++ b/pkg/security/resolvers/cgroup/model/model.go @@ -9,8 +9,6 @@ package model import ( - "errors" - "fmt" "sync" "go.uber.org/atomic" 
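Review bot: In pkg/security/probe/probe_windows.go the new `resolversOpts` reads `probe.Opts.Tagger`, although `NewWindowsProbe` also receives an `opts Opts` parameter, as the hunk header shows. If the two values can ever differ, a tagger supplied through `opts` would be dropped without any error. Either read `opts.Tagger` here, or add a short comment such as `// probe.Opts carries the same options as opts` once that is confirmed. The function starts and ends outside the hunk, so how `probe.Opts` is populated is not visible from here.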
@@ -20,55 +18,6 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/utils" ) -var ( - ErrNoImageProvided = errors.New("no image name provided") // ErrNoImageProvided is returned when no image name is provided -) - -// WorkloadSelector is a selector used to uniquely indentify the image of a workload -type WorkloadSelector struct { - Image string - Tag string -} - -// NewWorkloadSelector returns an initialized instance of a WorkloadSelector -func NewWorkloadSelector(image string, tag string) (WorkloadSelector, error) { - if image == "" { - return WorkloadSelector{}, ErrNoImageProvided - } else if tag == "" { - tag = "latest" - } - return WorkloadSelector{ - Image: image, - Tag: tag, - }, nil -} - -// IsReady returns true if the selector is ready -func (ws *WorkloadSelector) IsReady() bool { - return len(ws.Image) != 0 -} - -// Match returns true if the input selector matches the current selector -func (ws *WorkloadSelector) Match(selector WorkloadSelector) bool { - if ws.Tag == "*" || selector.Tag == "*" { - return ws.Image == selector.Image - } - return ws.Image == selector.Image && ws.Tag == selector.Tag -} - -// String returns a string representation of a workload selector -func (ws WorkloadSelector) String() string { - return fmt.Sprintf("[image_name:%s image_tag:%s]", ws.Image, ws.Tag) -} - -// ToTags returns a string array representation of a workload selector -func (ws WorkloadSelector) ToTags() []string { - return []string{ - "image_name:" + ws.Image, - "image_tag:" + ws.Tag, - } -} - // CacheEntry cgroup resolver cache entry type CacheEntry struct { model.CGroupContext diff --git a/pkg/security/resolvers/cgroup/model/types.go b/pkg/security/resolvers/cgroup/model/types.go new file mode 100644 index 0000000000000..d07f94be04121 --- /dev/null +++ b/pkg/security/resolvers/cgroup/model/types.go 
@@ -0,0 +1,63 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux || windows
+
+// Package model holds model related files
+package model
+
+import (
+ "errors"
+ "fmt"
+)
+
+var (
+ ErrNoImageProvided = errors.New("no image name provided") // ErrNoImageProvided is returned when no image name is provided
+)
+
+// WorkloadSelector is a selector used to uniquely indentify the image of a workload
+type WorkloadSelector struct {
+ Image string
+ Tag string
+}
+
+// NewWorkloadSelector returns an initialized instance of a WorkloadSelector
+func NewWorkloadSelector(image string, tag string) (WorkloadSelector, error) {
+ if image == "" {
+ return WorkloadSelector{}, ErrNoImageProvided
+ } else if tag == "" {
+ tag = "latest"
+ }
+ return WorkloadSelector{
+ Image: image,
+ Tag: tag,
+ }, nil
+}
+
+// IsReady returns true if the selector is ready
+func (ws *WorkloadSelector) IsReady() bool {
+ return len(ws.Image) != 0
+}
+
+// Match returns true if the input selector matches the current selector
+func (ws *WorkloadSelector) Match(selector WorkloadSelector) bool {
+ if ws.Tag == "*" || selector.Tag == "*" {
+ return ws.Image == selector.Image
+ }
+ return ws.Image == selector.Image && ws.Tag == selector.Tag
+}
+
+// String returns a string representation of a workload selector
+func (ws WorkloadSelector) String() string {
+ return fmt.Sprintf("[image_name:%s image_tag:%s]", ws.Image, ws.Tag)
+}
+
+// ToTags returns a string array representation of a workload selector
+func (ws WorkloadSelector) ToTags() []string {
+ return []string{
+ "image_name:" + ws.Image,
+ "image_tag:" + ws.Tag,
+ }
+}
diff --git a/pkg/security/resolvers/opts_windows.go b/pkg/security/resolvers/opts_windows.go
new file mode 100644
index 0000000000000..017c9dcdc2848
--- /dev/null
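Review bot: The doc comment on `Match` in the new pkg/security/resolvers/cgroup/model/types.go does not mention that a `*` tag on either selector makes the comparison ignore tags, and `NewWorkloadSelector` accepts `*` as a tag like any other value. The code is moved unchanged from model.go, but it now also builds on Windows, so this is a good moment to state the rule, for example `// Match reports whether both selectors name the same image and tag; a "*" tag on either side matches any tag.` The same pass could fix the `indentify` typo in the `WorkloadSelector` comment and move the `ErrNoImageProvided` comment above the declaration.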
+++ b/pkg/security/resolvers/opts_windows.go @@ -0,0 +1,14 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +// Package resolvers holds resolvers related files +package resolvers + +import "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags" + +// Opts defines common options +type Opts struct { + Tagger tags.Tagger +} diff --git a/pkg/security/resolvers/resolvers_windows.go b/pkg/security/resolvers/resolvers_windows.go index 2df2a38813070..1ff1d0354bb94 100644 --- a/pkg/security/resolvers/resolvers_windows.go +++ b/pkg/security/resolvers/resolvers_windows.go @@ -29,13 +29,13 @@ type Resolvers struct { } // NewResolvers creates a new instance of Resolvers -func NewResolvers(config *config.Config, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, telemetry telemetry.Component) (*Resolvers, error) { +func NewResolvers(config *config.Config, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, telemetry telemetry.Component, opts Opts) (*Resolvers, error) { processResolver, err := process.NewResolver(config, statsdClient, scrubber, process.NewResolverOpts()) if err != nil { return nil, err } - tagsResolver := tags.NewResolver(telemetry, nil) + tagsResolver := tags.NewResolver(telemetry, opts.Tagger) userSessionsResolver, err := usersessions.NewResolver(config.RuntimeSecurity) if err != nil { diff --git a/pkg/security/tests/fake_tags_resolver.go b/pkg/security/tests/fake_tags_resolver.go index a26859a29ad76..02bd896865298 100644 --- a/pkg/security/tests/fake_tags_resolver.go +++ b/pkg/security/tests/fake_tags_resolver.go 
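Review bot: The `Tagger` field of the new `Opts` in pkg/security/resolvers/opts_windows.go has no comment, while the matching field added to the probe `Opts` has one. The resolvers_windows.go hunk passes `opts.Tagger` where `nil` was passed before, so a zero-value `Opts` keeps the earlier behaviour. That is worth writing down, e.g. `// Tagger overrides the tagger handed to the tags resolver; nil keeps the previous default. Mainly here for tests.` Separately, `NewResolvers` gains a required parameter and only the probe_windows.go call site is updated in this patch, so any other Windows caller would need the same change.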
@@ -3,7 +3,7 @@ // This product includes software developed at Datadog (https://www.datadoghq.com/). // Copyright 2016-present Datadog, Inc. -//go:build linux +//go:build linux || windows // Package tests holds tests related files package tests diff --git a/pkg/security/tests/module_tester_windows.go b/pkg/security/tests/module_tester_windows.go index e25537626a9cf..a52bf144c7db6 100644 --- a/pkg/security/tests/module_tester_windows.go +++ b/pkg/security/tests/module_tester_windows.go @@ -157,6 +157,12 @@ func newTestModule(t testing.TB, macroDefs []*rules.MacroDefinition, ruleDefs [] DontDiscardRuntime: true, }, } + if opts.staticOpts.tagger != nil { + emopts.ProbeOpts.Tagger = opts.staticOpts.tagger + } else { + emopts.ProbeOpts.Tagger = NewFakeTaggerDifferentImageNames() + } + testMod.eventMonitor, err = eventmonitor.NewEventMonitor(emconfig, secconfig, emopts, nil) if err != nil { return nil, err
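Review bot: The `else` branch added to `newTestModule` in pkg/security/tests/module_tester_windows.go installs `NewFakeTaggerDifferentImageNames()` whenever no tagger is configured. After this change no Windows test reaches the tags resolver with a nil tagger, which is what resolvers_windows.go passed before this patch. If that is intended, a comment above the branch would help, e.g. `// always inject a tagger so tests do not depend on the default one`; if some tests should still cover the default path, drop the `else`. `newTestModule` starts and ends outside the hunk.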