start of darwin support in event monitor

DataDog · Feb 29, 2024 · a1a287b · a1a287b
1 parent 06321a2
commit a1a287b
Show file tree

Hide file tree

Showing 40 changed files with 5,696 additions and 107 deletions.
diff --git a/cmd/system-probe/modules/all_darwin.go b/cmd/system-probe/modules/all_darwin.go
@@ -0,0 +1,18 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build darwin
+
+//nolint:revive // TODO(EBPF) Fix revive linter
+package modules
+
+import (
+	"github.com/DataDog/datadog-agent/cmd/system-probe/api/module"
+)
+
+// All System Probe modules should register their factories here
+var All = []module.Factory{
+	EventMonitor,
+}
diff --git a/cmd/system-probe/modules/all_unsupported.go b/cmd/system-probe/modules/all_unsupported.go
@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build !linux && !windows
+//go:build !(linux || windows || darwin)
 
 // Package modules is all the module definitions for system-probe
 package modules

diff --git a/cmd/system-probe/modules/eventmonitor.go b/cmd/system-probe/modules/eventmonitor.go
@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build linux || windows
+//go:build linux || windows || darwin
 
 package modules
 

diff --git a/...tem-probe/modules/eventmonitor_windows.go → ...stem-probe/modules/eventmonitor_others.go b/...tem-probe/modules/eventmonitor_windows.go → ...stem-probe/modules/eventmonitor_others.go
@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build windows
+//go:build windows || darwin
 
 package modules
 

diff --git a/pkg/eventmonitor/eventmonitor.go b/pkg/eventmonitor/eventmonitor.go
@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build linux || windows
+//go:build linux || windows || darwin
 
 // Package eventmonitor holds eventmonitor related files
 package eventmonitor

diff --git a/pkg/eventmonitor/eventmonitor_darwin.go b/pkg/eventmonitor/eventmonitor_darwin.go
@@ -0,0 +1,35 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build darwin
+
+package eventmonitor
+
+import (
+	"net"
+	"os"
+)
+
+func (m *EventMonitor) getListener() (net.Listener, error) {
+	ln, err := net.Listen("unix", m.Config.SocketPath)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = os.Chmod(m.Config.SocketPath, 0700); err != nil {
+		return nil, err
+	}
+	return ln, nil
+}
+
+func (m *EventMonitor) init() error {
+	// force socket cleanup of previous socket not cleanup
+	os.Remove(m.Config.SocketPath)
+	return nil
+}
+
+func (m *EventMonitor) cleanup() {
+	os.Remove(m.Config.SocketPath)
+}
diff --git a/pkg/eventmonitor/eventmonitor_other.go b/pkg/eventmonitor/eventmonitor_other.go
@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build !linux && !windows
+//go:build !(linux || windows || darwin)
 
 // Package eventmonitor holds eventmonitor related files
 package eventmonitor

diff --git a/pkg/network/events/monitor_windows.go → pkg/network/events/monitor_others.go b/pkg/network/events/monitor_windows.go → pkg/network/events/monitor_others.go
@@ -3,6 +3,8 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
+//go:build !linux
+
 // Package events handles process events
 package events
 

diff --git a/...etwork/events/network_consumer_windows.go → ...network/events/network_consumer_others.go b/...etwork/events/network_consumer_windows.go → ...network/events/network_consumer_others.go
@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build windows
+//go:build !linux
 
 // Package events handles process events
 package events

diff --git a/pkg/process/events/consumer/events_consumer_darwin.go b/pkg/process/events/consumer/events_consumer_darwin.go
@@ -0,0 +1,33 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build darwin
+
+package consumer
+
+import (
+	"github.com/DataDog/datadog-agent/pkg/process/events/model"
+	smodel "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+)
+
+// Copy copies the necessary fields from the event received from the event monitor
+func (p *ProcessConsumer) Copy(event *smodel.Event) any {
+	return &model.ProcessEvent{
+		EventType:      model.NewEventType(event.GetEventType().String()),
+		CollectionTime: event.GetTimestamp(),
+		Pid:            event.GetProcessPid(),
+		ContainerID:    event.GetContainerId(),
+		Ppid:           event.GetProcessPpid(),
+		UID:            event.GetProcessUid(),
+		GID:            event.GetProcessGid(),
+		Username:       event.GetProcessUser(),
+		Group:          event.GetProcessGroup(),
+		Exe:            event.GetExecFilePath(),
+		Cmdline:        event.GetProcessArgv(),
+		ExecTime:       event.GetProcessExecTime(),
+		ExitTime:       event.GetProcessExitTime(),
+		ExitCode:       event.GetExitCode(),
+	}
+}
diff --git a/...s/events/consumer/events_consumer_unix.go → .../events/consumer/events_consumer_linux.go b/...s/events/consumer/events_consumer_unix.go → .../events/consumer/events_consumer_linux.go
@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build unix
+//go:build linux
 
 package consumer
 

diff --git a/pkg/security/probe/field_handlers_darwin.go b/pkg/security/probe/field_handlers_darwin.go
@@ -0,0 +1,18 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package probe holds probe related files
+package probe
+
+import (
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+)
+
+// FieldHandlers defines a field handlers
+type FieldHandlers struct {
+	// TODO(safchain) remove this when support for multiple platform with the same build tags is available
+	// keeping it can be dangerous as it can hide non implemented handlers
+	model.FakeFieldHandlers
+}
diff --git a/pkg/security/probe/model_darwin.go b/pkg/security/probe/model_darwin.go
@@ -0,0 +1,37 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package probe holds probe related files
+package probe
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+)
+
+// NewDarwinModel returns a new model with some extra field validation
+func NewDarwinModel() *model.Model {
+	return &model.Model{
+		ExtraValidateFieldFnc: func(field eval.Field, fieldValue eval.FieldValue) error {
+			// TODO(safchain) remove this check when multiple model per platform will be supported in the SECL package
+			if !strings.HasPrefix(field, "exec.") &&
+				!strings.HasPrefix(field, "exit.") &&
+				!strings.HasPrefix(field, "process.") {
+				return fmt.Errorf("%s is not available with the Windows version", field)
+			}
+			return nil
+		},
+	}
+}
+
+// NewDarwinEvent returns a new event
+func NewDarwinEvent(fh *FieldHandlers) *model.Event {
+	event := model.NewFakeEvent()
+	event.FieldHandlers = fh
+	return event
+}
diff --git a/pkg/security/probe/opts_darwin.go b/pkg/security/probe/opts_darwin.go
@@ -0,0 +1,25 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build darwin
+
+// Package probe holds probe related files
+package probe
+
+import (
+	"github.com/DataDog/datadog-go/v5/statsd"
+)
+
+// Opts defines some probe options
+type Opts struct {
+	// StatsdClient to be used for probe stats
+	StatsdClient statsd.ClientInterface
+}
+
+func (o *Opts) normalize() {
+	if o.StatsdClient == nil {
+		o.StatsdClient = &statsd.NoOpClient{}
+	}
+}
diff --git a/pkg/security/probe/probe.go b/pkg/security/probe/probe.go
@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build linux || windows
+//go:build linux || windows || darwin
 
 // Package probe holds probe related files
 package probe