[mq] working branch - merge ca70de4 on top of main at 8ef9f6a

{"baseBranch":"main","baseCommit":"8ef9f6af6039cd5eea449a1308b1afd72ea2315d","createdAt":"2024-11-14T17:06:41.926822Z","headSha":"ca70de4d45106089f71763ca80357615c3330c25","id":"82cd6efd-f820-4660-b5b3-c2b1160eab8d","priority":"200","pullRequestNumber":"31047","queuedAt":"2024-11-14T17:06:41.924602Z","status":"STATUS_QUEUED"}
DataDog · Nov 14, 2024 · 2810b4b · 2810b4b
2 parents cf7ff3c + ca70de4
commit 2810b4b
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 41 deletions.
diff --git a/pkg/security/probe/probe_kernel_file_windows_test.go b/pkg/security/probe/probe_kernel_file_windows_test.go
@@ -18,10 +18,12 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/ebpf/ebpftest"
 
-	"github.com/DataDog/datadog-agent/pkg/security/config"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/DataDog/datadog-agent/pkg/security/config"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+
 	"golang.org/x/sys/windows"
 )
 
@@ -40,9 +42,10 @@ func createTestProbe() (*WindowsProbe, error) {
 	if err != nil {
 		return nil, err
 	}
-	wp.isRenameEnabled = true
-	wp.isDeleteEnabled = true
-	wp.isWriteEnabled = true
+
+	wp.enabledEventTypes[model.FileRenameEventType.String()] = true
+	wp.enabledEventTypes[model.DeleteFileEventType.String()] = true
+	wp.enabledEventTypes[model.WriteFileEventType.String()] = true
 
 	err = wp.Init()
 

diff --git a/pkg/security/probe/probe_windows.go b/pkg/security/probe/probe_windows.go
@@ -11,7 +11,6 @@ import (
 	"errors"
 	"fmt"
 	"path/filepath"
-	"slices"
 	"sync"
 	"time"
 
@@ -102,19 +101,16 @@ type WindowsProbe struct {
 	// actions
 	processKiller *ProcessKiller
 
-	// enabled probes
-	isRenameEnabled           bool
-	isWriteEnabled            bool
-	isDeleteEnabled           bool
-	isChangePermissionEnabled bool
+	enabledEventTypesLock sync.RWMutex
+	enabledEventTypes     map[string]bool
+
 	// channel handling.  Currently configurable, but should probably be set
 	// to false with a configurable size value
 	blockonchannelsend bool
 
 	// approvers
-	currentEventTypes []string
-	approvers         map[eval.Field][]approver
-	approverLock      sync.RWMutex
+	approvers    map[eval.Field][]approver
+	approverLock sync.RWMutex
 }
 
 type approver interface {
@@ -309,16 +305,17 @@ func (p *WindowsProbe) reconfigureProvider() error {
 			idClose,
 		}
 
-		if p.isWriteEnabled {
+		// reconfigureProvider should be called with the enabledEventTypesLock held for reading
+		if p.enabledEventTypes[model.WriteFileEventType.String()] {
 			fileIDs = append(fileIDs, idWrite)
 		}
-		if p.isRenameEnabled {
+		if p.enabledEventTypes[model.FileRenameEventType.String()] {
 			fileIDs = append(fileIDs, idRename, idRenamePath, idRename29)
 		}
-		if p.isDeleteEnabled {
+		if p.enabledEventTypes[model.DeleteFileEventType.String()] {
 			fileIDs = append(fileIDs, idSetDelete, idDeletePath)
 		}
-		if p.isChangePermissionEnabled {
+		if p.enabledEventTypes[model.ChangePermissionEventType.String()] {
 			fileIDs = append(fileIDs, idObjectPermsChange)
 		}
 
@@ -352,6 +349,23 @@ func (p *WindowsProbe) reconfigureProvider() error {
 		// try masking on create & create_new_file
 		// given the current requirements, I think we can _probably_ just do create_new_file
 		cfg.MatchAnyKeyword = 0xF7E3
+
+		regIDs := []uint16{}
+		// reconfigureProvider should be called with the enabledEventTypesLock held for reading
+		if p.enabledEventTypes[model.CreateRegistryKeyEventType.String()] {
+			regIDs = append(regIDs, idRegCreateKey)
+		}
+		if p.enabledEventTypes[model.OpenRegistryKeyEventType.String()] {
+			regIDs = append(regIDs, idRegOpenKey)
+		}
+		if p.enabledEventTypes[model.DeleteRegistryKeyEventType.String()] {
+			regIDs = append(regIDs, idRegDeleteKey)
+		}
+		if p.enabledEventTypes[model.SetRegistryKeyValueEventType.String()] {
+			regIDs = append(regIDs, idRegSetValueKey)
+		}
+
+		cfg.EnabledIDs = regIDs
 	})
 
 	if p.auditSession != nil {
@@ -423,8 +437,10 @@ func (p *WindowsProbe) approve(field eval.Field, eventType string, value string)
 
 	approvers, exists := p.approvers[field]
 	if !exists {
+		p.enabledEventTypesLock.RLock()
+		defer p.enabledEventTypesLock.RUnlock()
 		// no approvers, so no filtering for this field, except if no rule for this event type
-		return slices.Contains(p.currentEventTypes, eventType)
+		return p.enabledEventTypes[eventType]
 	}
 
 	for _, approver := range approvers {
@@ -444,11 +460,9 @@ func (p *WindowsProbe) auditEtw(ecb etwCallback) error {
 		case etw.DDGUID(p.auditguid):
 			switch e.EventHeader.EventDescriptor.ID {
 			case idObjectPermsChange:
-				if p.isChangePermissionEnabled {
-					if pc, err := p.parseObjectPermsChange(e); err == nil {
-						log.Infof("Received objectPermsChange event %d %s\n", e.EventHeader.EventDescriptor.ID, pc)
-						ecb(pc, e.EventHeader.ProcessID)
-					}
+				if pc, err := p.parseObjectPermsChange(e); err == nil {
+					log.Tracef("Received objectPermsChange event %d %s\n", e.EventHeader.EventDescriptor.ID, pc)
+					ecb(pc, e.EventHeader.ProcessID)
 				}
 			}
 		}
@@ -1233,6 +1247,8 @@ func initializeWindowsProbe(config *config.Config, opts Opts) (*WindowsProbe, er
 
 		discardedFileHandles: dfh,
 
+		enabledEventTypes: make(map[string]bool),
+
 		approvers: make(map[eval.Field][]approver),
 
 		volumeMap: make(map[string]string),
@@ -1284,24 +1300,12 @@ func NewWindowsProbe(probe *Probe, config *config.Config, opts Opts, telemetry t
 
 // ApplyRuleSet setup the probes for the provided set of rules and returns the policy report.
 func (p *WindowsProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
-	p.isWriteEnabled = false
-	p.isRenameEnabled = false
-	p.isDeleteEnabled = false
-	p.isChangePermissionEnabled = false
-	p.currentEventTypes = rs.GetEventTypes()
-
-	for _, eventType := range p.currentEventTypes {
-		switch eventType {
-		case model.FileRenameEventType.String():
-			p.isRenameEnabled = true
-		case model.WriteFileEventType.String():
-			p.isWriteEnabled = true
-		case model.DeleteFileEventType.String():
-			p.isDeleteEnabled = true
-		case model.ChangePermissionEventType.String():
-			p.isChangePermissionEnabled = true
-		}
+	p.enabledEventTypesLock.Lock()
+	clear(p.enabledEventTypes)
+	for _, eventType := range rs.GetEventTypes() {
+		p.enabledEventTypes[eventType] = true
 	}
+	p.enabledEventTypesLock.Unlock()
 
 	ars, err := kfilters.NewApplyRuleSetReport(p.config.Probe, rs)
 	if err != nil {
@@ -1311,7 +1315,6 @@ func (p *WindowsProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetRe
 	// remove old approvers
 	p.approverLock.Lock()
 	defer p.approverLock.Unlock()
-
 	clear(p.approvers)
 
 	for eventType, report := range ars.Policies {
@@ -1320,6 +1323,8 @@ func (p *WindowsProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetRe
 		}
 	}
 
+	p.enabledEventTypesLock.RLock()
+	defer p.enabledEventTypesLock.RLock()
 	if err := p.reconfigureProvider(); err != nil {
 		return nil, err
 	}