
symbols_loaded and symbols_collision events work incorrectly with multiple policies #4352

Open
oshaked1 opened this issue Oct 14, 2024 · 1 comment

@oshaked1
Contributor

Description

The derive logic for these events does not take into account cases where multiple policies select the event and specify different sets of symbols or whitelisted libraries.

The current behavior is that the filters for these events are overwritten by the last policy that specifies them:

```go
// Shared filter map for symbols_loaded, keyed by argument name (e.g. "symbols").
symbolsLoadedFilters := map[string]filters.Filter[*filters.StringFilter]{}

// Each policy's filters are copied into the same map, so a later policy
// replaces the "symbols" entry written by an earlier one.
for it := pManager.CreateAllIterator(); it.HasNext(); {
	p := it.Next()
	f := p.DataFilter.GetEventFilters(events.SymbolsLoaded)
	maps.Copy(symbolsLoadedFilters, f)
}
```

The copy operation overwrites filters from previous policies. This is easy to observe using 2 simple policies that specify different symbols for symbols_loaded:

policy1.yaml

```yaml
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
    name: policy1
spec:
    scope:
      - global
    rules:
      - event: symbols_loaded
        filters:
        - args.symbols=read
```

policy2.yaml

```yaml
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
    name: policy2
spec:
    scope:
      - global
    rules:
      - event: symbols_loaded
        filters:
        - args.symbols=fopen
```

Running with each policy by itself results in the expected behavior, but when using both:

```console
$ sudo dist/tracee --policy policy1.yaml --policy policy2.yaml
TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS
09:59:19:734864  1000   sh               728898  728898  0                symbols_loaded            library_path: /usr/lib/x86_64-linux-gnu/libc.so.6, symbols: [fopen], sha256:
```

Only the fopen symbol from the second policy is shown.

Fixing this behavior is not as simple as combining the filters, because the whitelisted libraries of symbols_loaded must be taken into account such that an event from a library excluded by one policy will not be excluded completely.

This probably requires some sort of per-policy derive logic, where a separate event or set of events is derived for each policy and only sent to that policy's output (to avoid duplications in cases where the output filter accepts events that were created for a different policy).
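The following is an added illustration, not code from Tracee or from the issue author: a small Go model of the two derive strategies discussed above. `mergeLastWins` mirrors the quoted `maps.Copy` loop (a shared map keyed by argument name, so the last policy's `symbols` entry wins), and `derivePerPolicy` sketches the per-policy alternative, where each policy is evaluated with its own symbol set and library whitelist and every derived event is tagged with the policy it belongs to. The `Policy`, `LoadedLibrary` and `DerivedEvent` types are constructed stand-ins for Tracee's own structures; the policies reuse policy1/policy2 from the issue, with a library whitelist added to policy2 as a constructed assumption so the library case can be exercised, and the libc path is the one from the issue's sample output.

```go
package main

import (
	"fmt"
	"maps"
	"slices"
)

// LibcPath is the library path taken from the issue's sample output.
const LibcPath = "/usr/lib/x86_64-linux-gnu/libc.so.6"

// Policy is a constructed stand-in for the parts of a Tracee policy that
// matter here: the symbols it selects for symbols_loaded (args.symbols=...)
// and the libraries it whitelists, i.e. whose loads it does not want reported.
type Policy struct {
	Name           string
	Symbols        map[string]bool // values of the "args.symbols" filter
	WhitelistedLib map[string]bool // loads from these paths are suppressed
}

// LoadedLibrary is a constructed stand-in for the derive input: a library
// that was mapped into a process and the symbols it exports.
type LoadedLibrary struct {
	Path    string
	Symbols []string
}

// DerivedEvent is one symbols_loaded event produced for one policy.
type DerivedEvent struct {
	Policy  string
	Library string
	Symbols []string
}

// mergeLastWins mirrors the copy loop quoted in the issue: each policy's
// filter map is copied into one shared map keyed by argument name, so the
// "symbols" entry from the last policy replaces every earlier one.
func mergeLastWins(policies []Policy) map[string]map[string]bool {
	shared := map[string]map[string]bool{}
	for _, p := range policies {
		perPolicy := map[string]map[string]bool{"symbols": p.Symbols}
		maps.Copy(shared, perPolicy) // overwrites the key, does not union
	}
	return shared
}

// deriveShared applies the single shared filter set to a loaded library,
// which is what one global derive step does. It cannot tell which policy a
// matched symbol was requested by, and it has no per-policy whitelist.
func deriveShared(shared map[string]map[string]bool, lib LoadedLibrary) []string {
	var hit []string
	for _, s := range lib.Symbols {
		if shared["symbols"][s] {
			hit = append(hit, s)
		}
	}
	slices.Sort(hit)
	return hit
}

// derivePerPolicy is the approach the issue proposes: evaluate every policy
// separately with its own symbol set and whitelist, and tag each derived
// event with the policy it was produced for so the output stage can route it
// to that policy only, instead of duplicating it into other policies' streams.
func derivePerPolicy(policies []Policy, lib LoadedLibrary) []DerivedEvent {
	var out []DerivedEvent
	for _, p := range policies {
		if p.WhitelistedLib[lib.Path] {
			continue // this policy does not report loads from this library
		}
		var hit []string
		for _, s := range lib.Symbols {
			if p.Symbols[s] {
				hit = append(hit, s)
			}
		}
		if len(hit) == 0 {
			continue
		}
		slices.Sort(hit)
		out = append(out, DerivedEvent{Policy: p.Name, Library: lib.Path, Symbols: hit})
	}
	return out
}

// SamplePolicies mirrors policy1.yaml and policy2.yaml from the issue; the
// whitelist on policy2 is a constructed addition to exercise the library case.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "policy1", Symbols: map[string]bool{"read": true}},
		{Name: "policy2", Symbols: map[string]bool{"fopen": true},
			WhitelistedLib: map[string]bool{LibcPath: true}},
	}
}

func main() {
	// Constructed sample load: libc exporting three symbols of interest.
	libc := LoadedLibrary{Path: LibcPath, Symbols: []string{"fopen", "read", "write"}}
	fmt.Println("shared (last policy wins):", deriveShared(mergeLastWins(SamplePolicies()), libc))
	for _, ev := range derivePerPolicy(SamplePolicies(), libc) {
		fmt.Printf("%s <- %s %v\n", ev.Policy, ev.Library, ev.Symbols)
	}
}
```

With the shared map, libc yields only `[fopen]`, matching the output in the issue; with per-policy derivation, policy1 gets its `read` event from libc while policy2 gets nothing from libc (its whitelist), and a library that neither policy whitelists produces one event per policy, each carrying only that policy's symbols.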

Output of `tracee version`:

```
Tracee version: v0.21.0-rc-261-g30b33a4db
```
@geyslan
Member

geyslan commented Oct 14, 2024

All related policy logic should be handled by PolicyManager from now on; it would help with those edge cases.
