[Backport 7.63.x] [CWS] use iterator name as cache key (#33460)
Co-authored-by: Sylvain Afchain <[email protected]>
agent-platform-auto-pr[bot] and safchain authored Jan 28, 2025
1 parent d8e9761 commit 01fe91d
Showing 8 changed files with 372 additions and 307 deletions.
2 changes: 1 addition & 1 deletion pkg/security/generators/accessors/accessors.tmpl
Expand Up @@ -138,7 +138,7 @@ func (_ *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
{{if $Field.GetArrayPrefix}}
{{$AncestorFunc = "newAncestorsIteratorArray"}}
{{end}}
results := {{$AncestorFunc}}(iterator, field, ctx, {{$Event}}, func(ev *Event, current *{{$Field.Iterator.OrigType}}) {{$Field.GetArrayPrefix}}{{$Field.ReturnType}} {
results := {{$AncestorFunc}}(iterator, "{{$Field.Iterator.Name}}", ctx, {{$Event}}, func(ev *Event, current *{{$Field.Iterator.OrigType}}) {{$Field.GetArrayPrefix}}{{$Field.ReturnType}} {
{{range $Check := $Checks}}
{{if $Field.Iterator.Name | HasPrefix $Check}}
{{$SubName := $Field.Iterator.Name | TrimPrefix $Check}}
20 changes: 10 additions & 10 deletions pkg/security/secl/compiler/eval/context.go
Expand Up @@ -36,7 +36,7 @@ type Context struct {

now time.Time

AncestorsCounters map[string]int
IteratorCountCache map[string]int

resolvedFields []string

Expand Down Expand Up @@ -68,7 +68,7 @@ func (c *Context) Reset() {
clear(c.BoolCache)
clear(c.Registers)
clear(c.RegisterCache)
clear(c.AncestorsCounters)
clear(c.IteratorCountCache)
c.resolvedFields = nil
}

Expand All @@ -80,14 +80,14 @@ func (c *Context) GetResolvedFields() []string {
// NewContext return a new Context
func NewContext(evt Event) *Context {
return &Context{
Event: evt,
StringCache: make(map[string][]string),
IPNetCache: make(map[string][]net.IPNet),
IntCache: make(map[string][]int),
BoolCache: make(map[string][]bool),
Registers: make(map[RegisterID]int),
RegisterCache: make(map[RegisterID]*RegisterCacheEntry),
AncestorsCounters: make(map[string]int),
Event: evt,
StringCache: make(map[string][]string),
IPNetCache: make(map[string][]net.IPNet),
IntCache: make(map[string][]int),
BoolCache: make(map[string][]bool),
Registers: make(map[RegisterID]int),
RegisterCache: make(map[RegisterID]*RegisterCacheEntry),
IteratorCountCache: make(map[string]int),
}
}

516 changes: 258 additions & 258 deletions pkg/security/secl/model/accessors_unix.go


26 changes: 13 additions & 13 deletions pkg/security/secl/model/accessors_windows.go


12 changes: 6 additions & 6 deletions pkg/security/secl/model/string_array_iter.go
Expand Up @@ -23,23 +23,23 @@ func isNil[V comparable](v V) bool {
}

func newAncestorsIterator[T any, V comparable](iter AncestorsIterator[V], field eval.Field, ctx *eval.Context, ev *Event, perIter func(ev *Event, current V) T) []T {
results := make([]T, 0, ctx.AncestorsCounters[field])
results := make([]T, 0, ctx.IteratorCountCache[field])
for entry := iter.Front(ctx); !isNil(entry); entry = iter.Next(ctx) {
results = append(results, perIter(ev, entry))
}
ctx.AncestorsCounters[field] = len(results)
ctx.IteratorCountCache[field] = len(results)

return results
}

func newAncestorsIteratorArray[T any, V comparable](iter AncestorsIterator[V], field eval.Field, ctx *eval.Context, ev *Event, perIter func(ev *Event, current V) []T) []T {
results := make([]T, 0, ctx.AncestorsCounters[field])
ancestorsCount := 0
results := make([]T, 0, ctx.IteratorCountCache[field])
count := 0
for entry := iter.Front(ctx); !isNil(entry); entry = iter.Next(ctx) {
results = append(results, perIter(ev, entry)...)
ancestorsCount++
count++
}
ctx.AncestorsCounters[field] = ancestorsCount
ctx.IteratorCountCache[field] = count

return results
}
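Review bot: Both helpers still name their second parameter `field eval.Field`, but after this commit the generated accessors pass the iterator name instead (accessors.tmpl now emits `"{{$Field.Iterator.Name}}"`), so the cache key is per iterator and shared by every field that walks it — the parameter name and the absent doc comments hide that contract. I would rename it to `iterName` (keeping the `eval.Field` type unless it is a plain string alias, which I cannot confirm from here) and add a comment above each helper along the lines of `// newAncestorsIterator walks iter and records the number of entries under iterName in ctx.IteratorCountCache; the key is shared by all fields on the same iterator, so both helpers must store the same quantity (entries, not flattened results).` That is also why `newAncestorsIteratorArray` deliberately stores `count` rather than `len(results)` — the cached value has to stay interchangeable with the scalar helper's — and a one-line comment on `ctx.IteratorCountCache[field] = count` saying so would stop a later "fix" to `len(results)` from silently desynchronising the two.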
65 changes: 65 additions & 0 deletions pkg/security/secl/rules/eval_test.go
@@ -0,0 +1,65 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.

//go:build linux

// Package rules holds rules related files
package rules

import (
"testing"

"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/ast"
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)

func TestIteratorCache(t *testing.T) {
event := model.NewFakeEvent()

event.Exec = model.ExecEvent{
Process: &model.Process{
FileEvent: model.FileEvent{
FileFields: model.FileFields{
UID: 22,
},
},
},
}
event.ProcessContext = &model.ProcessContext{
Ancestor: &model.ProcessCacheEntry{
ProcessContext: model.ProcessContext{
Process: model.Process{
PIDContext: model.PIDContext{
Pid: 111,
},
PPid: 111,
},
},
},
}

evalRule, err := eval.NewRule("test", `exec.file.uid == 22 && process.ancestors.pid == 111 && process.ancestors.ppid == 111`, ast.NewParsingContext(false), &eval.Opts{})
if err != nil {
t.Error(err)
}

rule := &Rule{
Rule: evalRule,
}

err = rule.GenEvaluator(&model.Model{})
if err != nil {
t.Error(err)
}

ctx := eval.NewContext(event)

rule.Eval(ctx)

if len(ctx.IteratorCountCache) != 1 || ctx.IteratorCountCache["BaseEvent.ProcessContext.Ancestor"] != 1 {
t.Errorf("wrong iterator cache entries: %+v", ctx.IteratorCountCache)
}
}
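Review bot: `t.Error(err)` after `eval.NewRule` and again after `rule.GenEvaluator` lets the test keep running with a nil `evalRule` or an un-generated evaluator, so a rule compilation failure would surface as a nil-pointer panic rather than the error message; both should be `t.Fatal(err)` (or `t.Fatalf("compiling rule: %v", err)`). The return value of `rule.Eval(ctx)` is also discarded, so the test still passes if the rule fails to match for an unrelated reason — presumably it returns a bool, in which case `if !rule.Eval(ctx) { t.Fatal("rule should match") }` pins that both `process.ancestors.*` fields were actually evaluated through the shared iterator. The final assertion hard-codes `"BaseEvent.ProcessContext.Ancestor"`; a short comment noting that this is the iterator name shared by `process.ancestors.pid` and `process.ancestors.ppid`, which is why exactly one cache entry is expected, would make the intent of the check clear to the next reader.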
26 changes: 13 additions & 13 deletions pkg/security/seclwin/model/accessors_win.go


