cleanup

DataDog · Feb 7, 2025 · 09defad · 09defad
1 parent 1d7c79b
commit 09defad
Show file tree

Hide file tree

Showing 13 changed files with 236 additions and 437 deletions.
diff --git a/pkg/security/module/server_linux.go b/pkg/security/module/server_linux.go
@@ -84,7 +84,7 @@ func (a *APIServer) DumpActivity(_ context.Context, params *api.ActivityDumpPara
 		return nil, fmt.Errorf("not supported")
 	}
 
-	if manager := p.GetProfileManagers(); manager != nil {
+	if manager := p.GetProfileManager(); manager != nil {
 		msg, err := manager.DumpActivity(params)
 		if err != nil {
 			seclog.Errorf("%s", err.Error())
@@ -102,7 +102,7 @@ func (a *APIServer) ListActivityDumps(_ context.Context, params *api.ActivityDum
 		return nil, fmt.Errorf("not supported")
 	}
 
-	if manager := p.GetProfileManagers(); manager != nil {
+	if manager := p.GetProfileManager(); manager != nil {
 		msg, err := manager.ListActivityDumps(params)
 		if err != nil {
 			seclog.Errorf("%s", err.Error())
@@ -120,7 +120,7 @@ func (a *APIServer) StopActivityDump(_ context.Context, params *api.ActivityDump
 		return nil, fmt.Errorf("not supported")
 	}
 
-	if manager := p.GetProfileManagers(); manager != nil {
+	if manager := p.GetProfileManager(); manager != nil {
 		msg, err := manager.StopActivityDump(params)
 		if err != nil {
 			seclog.Errorf("%s", err.Error())
@@ -138,7 +138,7 @@ func (a *APIServer) TranscodingRequest(_ context.Context, params *api.Transcodin
 		return nil, fmt.Errorf("not supported")
 	}
 
-	if manager := p.GetProfileManagers(); manager != nil {
+	if manager := p.GetProfileManager(); manager != nil {
 		msg, err := manager.GenerateTranscoding(params)
 		if err != nil {
 			seclog.Errorf("%s", err.Error())
@@ -156,7 +156,7 @@ func (a *APIServer) ListSecurityProfiles(_ context.Context, params *api.Security
 		return nil, fmt.Errorf("not supported")
 	}
 
-	if manager := p.GetProfileManagers(); manager != nil {
+	if manager := p.GetProfileManager(); manager != nil {
 		msg, err := manager.ListSecurityProfiles(params)
 		if err != nil {
 			seclog.Errorf("%s", err.Error())
@@ -174,7 +174,7 @@ func (a *APIServer) SaveSecurityProfile(_ context.Context, params *api.SecurityP
 		return nil, fmt.Errorf("not supported")
 	}
 
-	if manager := p.GetProfileManagers(); manager != nil {
+	if manager := p.GetProfileManager(); manager != nil {
 		msg, err := manager.SaveSecurityProfile(params)
 		if err != nil {
 			seclog.Errorf("%s", err.Error())

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -112,12 +112,12 @@ type EBPFProbe struct {
 	kernelVersion  *kernel.Version
 
 	// internals
-	event           *model.Event
-	monitors        *EBPFMonitors
-	profileManagers securityprofile.ManagerInterface
-	fieldHandlers   *EBPFFieldHandlers
-	eventPool       *ddsync.TypedPool[model.Event]
-	numCPU          int
+	event          *model.Event
+	monitors       *EBPFMonitors
+	profileManager *securityprofile.Manager
+	fieldHandlers  *EBPFFieldHandlers
+	eventPool      *ddsync.TypedPool[model.Event]
+	numCPU         int
 
 	ctx       context.Context
 	cancelFnc context.CancelFunc
@@ -399,7 +399,7 @@ func (p *EBPFProbe) Init() error {
 		return err
 	}
 
-	p.profileManagers, err = securityprofile.NewManager(p.config, p.statsdClient, p.Manager, p.Resolvers, p.kernelVersion, p.NewEvent, p.activityDumpHandler)
+	p.profileManager, err = securityprofile.NewManager(p.config, p.statsdClient, p.Manager, p.Resolvers, p.kernelVersion, p.NewEvent, p.activityDumpHandler)
 	if err != nil {
 		return err
 	}
@@ -546,7 +546,7 @@ func (p *EBPFProbe) Setup() error {
 		p.wg.Add(1)
 		go func() {
 			defer p.wg.Done()
-			p.profileManagers.Start(p.ctx)
+			p.profileManager.Start(p.ctx)
 		}()
 	}
 
@@ -625,11 +625,11 @@ func (p *EBPFProbe) DispatchEvent(event *model.Event, notifyConsumers bool) {
 	logTraceEvent(event.GetEventType(), event)
 
 	// filter out event if already present on a profile
-	p.profileManagers.LookupEventInProfiles(event)
+	p.profileManager.LookupEventInProfiles(event)
 
 	// mark the events that have an associated activity dump
 	// this is needed for auto suppressions performed by the CWS rule engine
-	if p.profileManagers.HasActiveActivityDump(event) {
+	if p.profileManager.HasActiveActivityDump(event) {
 		event.AddToFlags(model.EventFlagsHasActiveActivityDump)
 	}
 
@@ -644,13 +644,13 @@ func (p *EBPFProbe) DispatchEvent(event *model.Event, notifyConsumers bool) {
 	// handle anomaly detections
 	if event.IsAnomalyDetectionEvent() {
 		imageTag := utils.GetTagValue("image_tag", event.ContainerContext.Tags)
-		p.profileManagers.FillProfileContextFromContainerID(event.FieldHandlers.ResolveContainerID(event, event.ContainerContext), &event.SecurityProfileContext, imageTag)
+		p.profileManager.FillProfileContextFromContainerID(event.FieldHandlers.ResolveContainerID(event, event.ContainerContext), &event.SecurityProfileContext, imageTag)
 		if p.config.RuntimeSecurity.AnomalyDetectionEnabled {
 			p.sendAnomalyDetection(event)
 		}
 	} else if event.Error == nil {
 		// Process event after evaluation because some monitors need the DentryResolver to have been called first.
-		p.profileManagers.ProcessEvent(event)
+		p.profileManager.ProcessEvent(event)
 	}
 	p.monitors.ProcessEvent(event)
 }
@@ -661,7 +661,7 @@ func (p *EBPFProbe) SendStats() error {
 
 	p.processKiller.SendStats(p.statsdClient)
 
-	if err := p.profileManagers.SendStats(); err != nil {
+	if err := p.profileManager.SendStats(); err != nil {
 		return err
 	}
 
@@ -728,7 +728,7 @@ func (p *EBPFProbe) unmarshalProcessCacheEntry(ev *model.Event, data []byte) (in
 func (p *EBPFProbe) onEventLost(_ string, perEvent map[string]uint64) {
 	// snapshot traced cgroups if a CgroupTracing event was lost
 	if p.probe.IsActivityDumpEnabled() && perEvent[model.CgroupTracingEventType.String()] > 0 {
-		p.profileManagers.SnapshotTracedCgroups()
+		p.profileManager.SnapshotTracedCgroups()
 	}
 }
 
@@ -875,7 +875,7 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 			seclog.Debugf("Failed to resolve cgroup: %s", err.Error())
 		} else {
 			event.CgroupTracing.CGroupContext = *cgroupContext
-			p.profileManagers.HandleCGroupTracingEvent(&event.CgroupTracing)
+			p.profileManager.HandleCGroupTracingEvent(&event.CgroupTracing)
 		}
 		return
 	case model.CgroupWriteEventType:
@@ -1436,7 +1436,7 @@ func (p *EBPFProbe) setApprovers(eventType eval.EventType, approvers rules.Appro
 
 func (p *EBPFProbe) isNeededForActivityDump(eventType eval.EventType) bool {
 	if p.config.RuntimeSecurity.ActivityDumpEnabled {
-		for _, e := range p.profileManagers.GetActivityDumpTracedEventTypes() {
+		for _, e := range p.config.RuntimeSecurity.ActivityDumpTracedEventTypes {
 			if e.String() == eventType {
 				return true
 			}
@@ -1522,7 +1522,7 @@ func (p *EBPFProbe) updateProbes(ruleEventTypes []eval.EventType, needRawSyscall
 	} else {
 		// ActivityDumps
 		if p.config.RuntimeSecurity.ActivityDumpEnabled {
-			for _, e := range p.profileManagers.GetActivityDumpTracedEventTypes() {
+			for _, e := range p.config.RuntimeSecurity.ActivityDumpTracedEventTypes {
 				if e == model.SyscallsEventType {
 					activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
 					break
@@ -1531,7 +1531,7 @@ func (p *EBPFProbe) updateProbes(ruleEventTypes []eval.EventType, needRawSyscall
 		}
 		// SecurityProfiles
 		if p.config.RuntimeSecurity.AnomalyDetectionEnabled {
-			for _, e := range p.profileManagers.GetAnomalyDetectionEventTypes() {
+			for _, e := range p.config.RuntimeSecurity.AnomalyDetectionEventTypes {
 				if e == model.SyscallsEventType {
 					activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
 					break
@@ -2333,9 +2333,9 @@ func getFuncArgCount(prog *lib.ProgramSpec) uint64 {
 	return uint64(argc)
 }
 
-// GetProfileManagers returns the security profile managers
-func (p *EBPFProbe) GetProfileManagers() securityprofile.ManagerInterface {
-	return p.profileManagers
+// GetProfileManager returns the security profile manager
+func (p *EBPFProbe) GetProfileManager() *securityprofile.Manager {
+	return p.profileManager
 }
 
 const (

diff --git a/pkg/security/security_profile/compression.go b/pkg/security/security_profile/compression.go
diff --git a/pkg/security/security_profile/directory.go b/pkg/security/security_profile/directory.go
@@ -10,11 +10,13 @@ package securityprofile
 
 import (
 	"bytes"
+	"compress/gzip"
 	"fmt"
 	"io/fs"
 	"os"
 	"path/filepath"
 	"slices"
+	"strings"
 	"sync"
 	"time"
 
@@ -307,3 +309,21 @@ func (d *Directory) SendTelemetry(sender statsd.ClientInterface) {
 		_ = sender.Count(metrics.MetricActivityDumpLocalStorageDeleted, int64(count), nil, 1.0)
 	}
 }
+
+func compressWithGZip(filename string, rawBuf []byte) (*bytes.Buffer, error) {
+	var buf bytes.Buffer
+
+	zw := gzip.NewWriter(&buf)
+	zw.Name = strings.TrimSuffix(filename, ".gz")
+	zw.ModTime = time.Now()
+
+	if _, err := zw.Write(rawBuf); err != nil {
+		return nil, fmt.Errorf("couldn't compress activity dump: %w", err)
+	}
+	// Closing the gzip stream also flushes it
+	if err := zw.Close(); err != nil {
+		return nil, fmt.Errorf("couldn't compress activity dump: %w", err)
+	}
+
+	return &buf, nil
+}
diff --git a/pkg/security/security_profile/dump/activity_dump.go b/pkg/security/security_profile/dump/activity_dump.go
@@ -76,38 +76,12 @@ func NewEmptyActivityDump(pathsReducer *activity_tree.PathsReducer, differentiat
 func NewActivityDump(pathsReducer *activity_tree.PathsReducer, differentiateArgs bool, dnsMatchMaxDepth int, eventTypes []model.EventType, onNeedNewTracedPid OnNeedNewTracedPid, loadConfig *model.ActivityDumpLoadConfig, options ...WithDumpOption) *ActivityDump {
 	ad := NewEmptyActivityDump(pathsReducer, differentiateArgs, dnsMatchMaxDepth, eventTypes, onNeedNewTracedPid)
 
-	/*now := time.Now()
-	ad.Metadata = mtdt.Metadata{
-		AgentVersion:      version.AgentVersion,
-		AgentCommit:       version.Commit,
-		KernelVersion:     adm.kernelVersion.Code.String(),
-		LinuxDistribution: adm.kernelVersion.OsRelease["PRETTY_NAME"],
-		Name:              fmt.Sprintf("activity-dump-%s", utils.RandString(10)),
-		ProtobufVersion:   ProtobufVersion,
-		Start:             now,
-		End:               now.Add(adm.config.RuntimeSecurity.ActivityDumpCgroupDumpTimeout),
-		Arch:              utils.RuntimeArch(),
-	}
-	ad.Host = adm.hostname
-	ad.Source = ActivityDumpSource
-	ad.adm = adm
-
-	// set load configuration to initial defaults
-	ad.LoadConfig = NewActivityDumpLoadConfig(
-		adm.config.RuntimeSecurity.ActivityDumpTracedEventTypes,
-		adm.config.RuntimeSecurity.ActivityDumpCgroupDumpTimeout,
-		adm.config.RuntimeSecurity.ActivityDumpCgroupWaitListTimeout,
-		adm.config.RuntimeSecurity.ActivityDumpRateLimiter,
-		now,
-		cgroupFlags,
-		adm.resolvers.TimeResolver,
-	)
-	ad.LoadConfigCookie = utils.NewCookie()*/
 	ad.LoadConfig.Store(loadConfig)
 
 	for _, option := range options {
 		option(ad)
 	}
+
 	return ad
 }