[CWS] remove gopacket dependency from cws-instrumentation (DataDog#32802

)

pkg/dynamicinstrumentation/proctracker/proctracker.go

@@ -26,7 +26,7 @@ import (
 	"github.com/DataDog/datadog-agent/pkg/network/go/bininspect"
 	"github.com/DataDog/datadog-agent/pkg/network/go/binversion"
 	"github.com/DataDog/datadog-agent/pkg/process/monitor"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 	"github.com/DataDog/datadog-agent/pkg/util/kernel"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
@@ -186,7 +186,7 @@ func (pt *ProcessTracker) registerProcess(binID binaryID, pid pid, mTime syscall
 }
 
 func getServiceName(pid uint32) string {
-	envVars, _, err := utils.EnvVars([]string{"DD"}, pid, model.MaxArgsEnvsSize)
+	envVars, _, err := utils.EnvVars([]string{"DD"}, pid, sharedconsts.MaxArgsEnvsSize)
 	if err != nil {
 		return ""
 	}

pkg/security/proto/ebpfless/msg.go

@@ -10,7 +10,7 @@ import (
 	"encoding/json"
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/containerutils"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 	"modernc.org/mathutil"
 )
 
@@ -137,7 +137,7 @@ type ForkSyscallMsg struct {
 // ExitSyscallMsg defines an exit message
 type ExitSyscallMsg struct {
 	Code  uint32
-	Cause model.ExitCause
+	Cause sharedconsts.ExitCause
 }
 
 // FileSyscallMsg defines a file message

pkg/security/ptracer/hooks.go

@@ -16,7 +16,7 @@ import (
 	"time"
 
 	"github.com/DataDog/datadog-agent/pkg/security/proto/ebpfless"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 	"golang.org/x/sys/unix"
 )
 
@@ -169,13 +169,13 @@ func (ctx *CWSPtracerCtx) handleExit(process *Process, waitStatus *syscall.WaitS
 	if process.Pid == process.Tgid && waitStatus != nil {
 		exitCtx := &ebpfless.ExitSyscallMsg{}
 		if waitStatus.Exited() {
-			exitCtx.Cause = model.ExitExited
+			exitCtx.Cause = sharedconsts.ExitExited
 			exitCtx.Code = uint32(waitStatus.ExitStatus())
 		} else if waitStatus.CoreDump() {
-			exitCtx.Cause = model.ExitCoreDumped
+			exitCtx.Cause = sharedconsts.ExitCoreDumped
 			exitCtx.Code = uint32(waitStatus.Signal())
 		} else if waitStatus.Signaled() {
-			exitCtx.Cause = model.ExitSignaled
+			exitCtx.Cause = sharedconsts.ExitSignaled
 			exitCtx.Code = uint32(waitStatus.Signal())
 		} else {
 			exitCtx.Code = uint32(waitStatus.Signal())

pkg/security/ptracer/utils.go

@@ -27,7 +27,7 @@ import (
 	usergrouputils "github.com/DataDog/datadog-agent/pkg/security/common/usergrouputils"
 	"github.com/DataDog/datadog-agent/pkg/security/proto/ebpfless"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/containerutils"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 	"github.com/DataDog/datadog-agent/pkg/util/safeelf"
 )
 
@@ -280,13 +280,13 @@ func getPidTTY(pid int) string {
 
 func truncateArgs(list []string) ([]string, bool) {
 	truncated := false
-	if len(list) > model.MaxArgsEnvsSize {
-		list = list[:model.MaxArgsEnvsSize]
+	if len(list) > sharedconsts.MaxArgsEnvsSize {
+		list = list[:sharedconsts.MaxArgsEnvsSize]
 		truncated = true
 	}
 	for i, l := range list {
-		if len(l) > model.MaxArgEnvSize {
-			list[i] = l[:model.MaxArgEnvSize-4] + "..."
+		if len(l) > sharedconsts.MaxArgEnvSize {
+			list[i] = l[:sharedconsts.MaxArgEnvSize-4] + "..."
 			truncated = true
 		}
 	}
@@ -350,8 +350,8 @@ func truncateEnvs(it StringIterator) ([]string, bool) {
 		if len(text) > 0 {
 			envCounter++
 			if matchesOnePrefix(text, priorityEnvsPrefixes) {
-				if len(text) > model.MaxArgEnvSize {
-					text = text[:model.MaxArgEnvSize-4] + "..."
+				if len(text) > sharedconsts.MaxArgEnvSize {
+					text = text[:sharedconsts.MaxArgEnvSize-4] + "..."
 					truncated = true
 				}
 				priorityEnvs = append(priorityEnvs, text)
@@ -361,25 +361,25 @@ func truncateEnvs(it StringIterator) ([]string, bool) {
 
 	it.Reset()
 
-	if envCounter > model.MaxArgsEnvsSize {
-		envCounter = model.MaxArgsEnvsSize
+	if envCounter > sharedconsts.MaxArgsEnvsSize {
+		envCounter = sharedconsts.MaxArgsEnvsSize
 	}
 
 	// second pass collecting
 	envs := make([]string, 0, envCounter)
 	envs = append(envs, priorityEnvs...)
 
 	for it.Next() {
-		if len(envs) >= model.MaxArgsEnvsSize {
+		if len(envs) >= sharedconsts.MaxArgsEnvsSize {
 			return envs, true
 		}
 
 		text := it.Text()
 		if len(text) > 0 {
 			// if it matches one prefix, it's already in the envs through priority envs
 			if !matchesOnePrefix(text, priorityEnvsPrefixes) {
-				if len(text) > model.MaxArgEnvSize {
-					text = text[:model.MaxArgEnvSize-4] + "..."
+				if len(text) > sharedconsts.MaxArgEnvSize {
+					text = text[:sharedconsts.MaxArgEnvSize-4] + "..."
 					truncated = true
 				}
 				envs = append(envs, text)

pkg/security/resolvers/envvars/resolver.go

@@ -10,7 +10,7 @@ package envvars
 
 import (
 	"github.com/DataDog/datadog-agent/pkg/security/probe/config"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 )
 
@@ -42,5 +42,5 @@ func (r *Resolver) ResolveEnvVars(pid uint32) ([]string, bool, error) {
 		// communicate the fact that it was truncated
 		return nil, true, nil
 	}
-	return utils.EnvVars(r.priorityEnvs, pid, model.MaxArgsEnvsSize)
+	return utils.EnvVars(r.priorityEnvs, pid, sharedconsts.MaxArgsEnvsSize)
 }

pkg/security/resolvers/process/resolver_ebpf.go

@@ -40,6 +40,7 @@ import (
 	spath "github.com/DataDog/datadog-agent/pkg/security/resolvers/path"
 	"github.com/DataDog/datadog-agent/pkg/security/resolvers/usergroup"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 	"github.com/DataDog/datadog-agent/pkg/security/seclog"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 	stime "github.com/DataDog/datadog-agent/pkg/util/ktime"
@@ -253,7 +254,7 @@ var argsEnvsInterner = utils.NewLRUStringInterner(argsEnvsValueCacheSize)
 func parseStringArray(data []byte) ([]string, bool) {
 	truncated := false
 	values, err := model.UnmarshalStringArray(data)
-	if err != nil || len(data) == model.MaxArgEnvSize {
+	if err != nil || len(data) == sharedconsts.MaxArgEnvSize {
 		if len(values) > 0 {
 			values[len(values)-1] += "..."
 		}

pkg/security/secl/model/args_envs.go

@@ -9,20 +9,15 @@ package model
 import (
 	"slices"
 	"strings"
-)
 
-const (
-	// MaxArgEnvSize maximum size of one argument or environment variable
-	MaxArgEnvSize = 256
-	// MaxArgsEnvsSize maximum number of args and/or envs
-	MaxArgsEnvsSize = 256
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 )
 
 // ArgsEnvs raw value for args and envs
 type ArgsEnvs struct {
 	ID        uint64
 	Size      uint32
-	ValuesRaw [MaxArgEnvSize]byte
+	ValuesRaw [sharedconsts.MaxArgEnvSize]byte
 }
 
 // ArgsEntry defines a args cache entry

pkg/security/secl/model/consts_common.go

@@ -13,6 +13,7 @@ import (
 	"syscall"
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/model/usersession"
 )
 
@@ -320,10 +321,10 @@ var (
 	}
 
 	// exitCauseConstants is the list of supported Exit causes
-	exitCauseConstants = map[string]ExitCause{
-		"EXITED":     ExitExited,
-		"COREDUMPED": ExitCoreDumped,
-		"SIGNALED":   ExitSignaled,
+	exitCauseConstants = map[string]sharedconsts.ExitCause{
+		"EXITED":     sharedconsts.ExitExited,
+		"COREDUMPED": sharedconsts.ExitCoreDumped,
+		"SIGNALED":   sharedconsts.ExitSignaled,
 	}
 
 	tlsVersionContants = map[string]uint16{
@@ -342,7 +343,6 @@ var (
 	l3ProtocolStrings    = map[L3Protocol]string{}
 	l4ProtocolStrings    = map[L4Protocol]string{}
 	addressFamilyStrings = map[uint16]string{}
-	exitCauseStrings     = map[ExitCause]string{}
 	tlsVersionStrings    = map[uint16]string{}
 )
 
@@ -423,7 +423,6 @@ func initAddressFamilyConstants() {
 func initExitCauseConstants() {
 	for k, v := range exitCauseConstants {
 		seclConstants[k] = &eval.IntEvaluator{Value: int(v)}
-		exitCauseStrings[v] = k
 	}
 }
 
@@ -780,19 +779,3 @@ const (
 	// IPProtoRAW Raw IP packets
 	IPProtoRAW L4Protocol = 255
 )
-
-// ExitCause represents the cause of a process termination
-type ExitCause uint32
-
-func (cause ExitCause) String() string {
-	return exitCauseStrings[cause]
-}
-
-const (
-	// ExitExited Process exited normally
-	ExitExited ExitCause = iota
-	// ExitCoreDumped Process was terminated with a coredump signal
-	ExitCoreDumped
-	// ExitSignaled Process was terminated with a signal other than a coredump
-	ExitSignaled
-)

pkg/security/secl/model/sharedconsts/argsenvs.go

@@ -0,0 +1,14 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package sharedconsts holds model related shared constants
+package sharedconsts
+
+const (
+	// MaxArgEnvSize maximum size of one argument or environment variable
+	MaxArgEnvSize = 256
+	// MaxArgsEnvsSize maximum number of args and/or envs
+	MaxArgsEnvsSize = 256
+)

pkg/security/secl/model/sharedconsts/exitcode.go

@@ -0,0 +1,32 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package sharedconsts holds model related shared constants
+package sharedconsts
+
+// ExitCause represents the cause of a process termination
+type ExitCause uint32
+
+func (cause ExitCause) String() string {
+	switch cause {
+	case ExitExited:
+		return "EXITED"
+	case ExitCoreDumped:
+		return "COREDUMPED"
+	case ExitSignaled:
+		return "SIGNALED"
+	default:
+		return "UNKNOWN"
+	}
+}
+
+const (
+	// ExitExited Process exited normally
+	ExitExited ExitCause = iota
+	// ExitCoreDumped Process was terminated with a coredump signal
+	ExitCoreDumped
+	// ExitSignaled Process was terminated with a signal other than a coredump
+	ExitSignaled
+)

pkg/security/secl/model/unmarshallers_linux.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/containerutils"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model/sharedconsts"
 )
 
 func validateReadSize(size, read int) (int, error) {
@@ -316,14 +317,14 @@ func (e *ExitEvent) UnmarshalBinary(data []byte) (int, error) {
 
 	exitStatus := binary.NativeEndian.Uint32(data[0:4])
 	if exitStatus&0x7F == 0x00 { // process terminated normally
-		e.Cause = uint32(ExitExited)
+		e.Cause = uint32(sharedconsts.ExitExited)
 		e.Code = (exitStatus >> 8) & 0xFF
 	} else if exitStatus&0x7F != 0x7F { // process terminated because of a signal
 		if exitStatus&0x80 == 0x80 { // coredump signal
-			e.Cause = uint32(ExitCoreDumped)
+			e.Cause = uint32(sharedconsts.ExitCoreDumped)
 			e.Code = exitStatus & 0x7F
 		} else { // other signals
-			e.Cause = uint32(ExitSignaled)
+			e.Cause = uint32(sharedconsts.ExitSignaled)
 			e.Code = exitStatus & 0x7F
 		}
 	}
@@ -352,8 +353,8 @@ func (e *ArgsEnvsEvent) UnmarshalBinary(data []byte) (int, error) {
 
 	e.ID = binary.NativeEndian.Uint64(data[0:8])
 	e.Size = binary.NativeEndian.Uint32(data[8:12])
-	if e.Size > MaxArgEnvSize {
-		e.Size = MaxArgEnvSize
+	if e.Size > sharedconsts.MaxArgEnvSize {
+		e.Size = sharedconsts.MaxArgEnvSize
 	}
 
 	argsEnvSize := int(e.Size)