Merge #34297: Re-apply "[CWS] Change rules override policy #34048"

cmd/security-agent/subcommands/runtime/activity_dump.go

@@ -779,7 +779,7 @@ func activityDumpToWorkloadPolicy(_ log.Component, _ config.Component, _ secrets
 	} else {
 		policyName = "workload_policy"
 	}
-	policy, err := rules.LoadPolicyFromDefinition(policyName, "workload", &policyDef, nil, nil)
+	policy, err := rules.LoadPolicyFromDefinition(policyName, "workload", rules.InternalPolicyType, &policyDef, nil, nil)
 
 	if err != nil {
 		return fmt.Errorf("error in generated ruleset's syntax: '%s'", err)

pkg/security/probe/selftests/tester.go

@@ -182,7 +182,7 @@ func (t *SelfTester) LoadPolicies(_ []rules.MacroFilter, _ []rules.RuleFilter) (
 		policyDef.Rules[i] = selfTest.GetRuleDefinition()
 	}
 
-	policy, err := rules.LoadPolicyFromDefinition(policyName, policySource, policyDef, nil, nil)
+	policy, err := rules.LoadPolicyFromDefinition(policyName, policySource, rules.SelftestPolicy, policyDef, nil, nil)
 	if err != nil {
 		return nil, multierror.Append(nil, err)
 	}

pkg/security/rconfig/policies.go

@@ -159,7 +159,7 @@ func (r *RCPolicyProvider) LoadPolicies(macroFilters []rules.MacroFilter, ruleFi
 	r.RLock()
 	defer r.RUnlock()
 
-	load := func(id string, cfg []byte) error {
+	load := func(policyType rules.PolicyType, id string, cfg []byte) error {
 		if r.dumpPolicies {
 			name, err := writePolicy(id, cfg)
 			if err != nil {
@@ -170,7 +170,7 @@ func (r *RCPolicyProvider) LoadPolicies(macroFilters []rules.MacroFilter, ruleFi
 		}
 
 		reader := bytes.NewReader(cfg)
-		policy, err := rules.LoadPolicy(id, rules.PolicyProviderTypeRC, reader, macroFilters, ruleFilters)
+		policy, err := rules.LoadPolicy(id, rules.PolicyProviderTypeRC, policyType, reader, macroFilters, ruleFilters)
 		normalize(policy)
 		policies = append(policies, policy)
 		return err
@@ -179,7 +179,7 @@ func (r *RCPolicyProvider) LoadPolicies(macroFilters []rules.MacroFilter, ruleFi
 	for _, cfgPath := range slices.Sorted(maps.Keys(r.lastDefaults)) {
 		rawConfig := r.lastDefaults[cfgPath]
 
-		if err := load(rawConfig.Metadata.ID, rawConfig.Config); err != nil {
+		if err := load(rules.DefaultPolicyType, rawConfig.Metadata.ID, rawConfig.Config); err != nil {
 			r.client.UpdateApplyStatus(cfgPath, state.ApplyStatus{State: state.ApplyStateError, Error: err.Error()})
 			errs = multierror.Append(errs, err)
 		} else {
@@ -190,7 +190,7 @@ func (r *RCPolicyProvider) LoadPolicies(macroFilters []rules.MacroFilter, ruleFi
 	for _, cfgPath := range slices.Sorted(maps.Keys(r.lastCustoms)) {
 		rawConfig := r.lastCustoms[cfgPath]
 
-		if err := load(rawConfig.Metadata.ID, rawConfig.Config); err != nil {
+		if err := load(rules.CustomPolicyType, rawConfig.Metadata.ID, rawConfig.Config); err != nil {
 			r.client.UpdateApplyStatus(cfgPath, state.ApplyStatus{State: state.ApplyStateError, Error: err.Error()})
 			errs = multierror.Append(errs, err)
 		} else {

pkg/security/rules/bundled/bundled_policy_provider.go

@@ -33,7 +33,7 @@ func (p *PolicyProvider) LoadPolicies([]rules.MacroFilter, []rules.RuleFilter) (
 		Rules:   newBundledPolicyRules(p.cfg),
 	}
 
-	policy, err := rules.LoadPolicyFromDefinition("bundled_policy", "bundled", policyDef, nil, nil)
+	policy, err := rules.LoadPolicyFromDefinition("bundled_policy", "bundled", rules.InternalPolicyType, policyDef, nil, nil)
 	if err != nil {
 		return nil, multierror.Append(nil, err)
 	}

pkg/security/secl/rules/model.go

@@ -32,8 +32,6 @@ type OverrideField = string
 const (
 	// OverrideAllFields used to override all the fields
 	OverrideAllFields OverrideField = "all"
-	// OverrideExpressionField used to override the expression
-	OverrideExpressionField OverrideField = "expression"
 	// OverrideActionFields used to override the actions
 	OverrideActionFields OverrideField = "actions"
 	// OverrideEveryField used to override the every field

pkg/security/secl/rules/policy.go

@@ -9,6 +9,7 @@ package rules
 import (
 	"fmt"
 	"io"
+	"reflect"
 	"slices"
 
 	"github.com/hashicorp/go-multierror"
@@ -63,50 +64,110 @@ func applyOverride(rd1, rd2 *PolicyRule) {
 	// keep track of the combine
 	rd1.Def.Combine = rd2.Def.Combine
 
+	wasOverridden := false
 	// for backward compatibility, by default only the expression is copied if no options
-	if len(rd2.Def.OverrideOptions.Fields) == 0 {
-		rd1.Def.Expression = rd2.Def.Expression
-	} else if slices.Contains(rd2.Def.OverrideOptions.Fields, OverrideAllFields) {
+	if slices.Contains(rd2.Def.OverrideOptions.Fields, OverrideAllFields) && rd1.Policy.Type == DefaultPolicyType {
+		tmpExpression := rd1.Def.Expression
 		*rd1.Def = *rd2.Def
+		rd1.Def.Expression = tmpExpression
+		wasOverridden = true
 	} else {
-		if slices.Contains(rd2.Def.OverrideOptions.Fields, OverrideExpressionField) {
-			rd1.Def.Expression = rd2.Def.Expression
-		}
 		if slices.Contains(rd2.Def.OverrideOptions.Fields, OverrideActionFields) {
-			rd1.Def.Actions = rd2.Def.Actions
+			var toAdd []*ActionDefinition
+			for _, action := range rd2.Def.Actions {
+				duplicated := false
+				for _, a := range rd1.Def.Actions {
+					if reflect.DeepEqual(action, a) {
+						duplicated = true
+						break
+					}
+				}
+				if !duplicated {
+					toAdd = append(toAdd, action)
+				}
+			}
+
+			if len(toAdd) > 0 {
+				wasOverridden = true
+				rd1.Def.Actions = append(rd1.Def.Actions, toAdd...)
+			}
 		}
 		if slices.Contains(rd2.Def.OverrideOptions.Fields, OverrideEveryField) {
 			rd1.Def.Every = rd2.Def.Every
+			wasOverridden = true
 		}
 		if slices.Contains(rd2.Def.OverrideOptions.Fields, OverrideTagsField) {
-			rd1.Def.Tags = rd2.Def.Tags
+			for k, tag := range rd2.Def.Tags {
+				rd1.Def.Tags[k] = tag
+				wasOverridden = true
+			}
 		}
 		if slices.Contains(rd2.Def.OverrideOptions.Fields, OverrideProductTagsField) {
 			rd1.Def.ProductTags = rd2.Def.ProductTags
 		}
 	}
+
+	if wasOverridden {
+		rd1.Policy.Name = rd2.Policy.Name
+		rd1.Policy.Source = rd2.Policy.Source
+		rd1.Policy.Type = rd2.Policy.Type
+
+	}
 }
 
 // MergeWith merges rule r2 into r
 func (r *PolicyRule) MergeWith(r2 *PolicyRule) error {
 	switch r2.Def.Combine {
 	case OverridePolicy:
-		applyOverride(r, r2)
+		if !r2.Def.Disabled {
+			applyOverride(r, r2)
+		}
 	default:
 		if r.Def.Disabled == r2.Def.Disabled {
 			return &ErrRuleLoad{Rule: r2, Err: ErrDefinitionIDConflict}
 		}
 	}
-	r.Def.Disabled = r2.Def.Disabled
+
+	if r.Def.Disabled {
+		r.Def.Disabled = r2.Def.Disabled
+		r.Policy.Name = r2.Policy.Name
+		r.Policy.Source = r2.Policy.Source
+		r.Policy.Type = r2.Policy.Type
+
+	} else {
+		if r.Policy.Type == DefaultPolicyType && r2.Policy.Type == CustomPolicyType {
+			r.Def.Disabled = r2.Def.Disabled
+			r.Policy.Name = r2.Policy.Name
+			r.Policy.Source = r2.Policy.Source
+			r.Policy.Type = r2.Policy.Type
+		}
+	}
+
 	r.ModifiedBy = append(r.ModifiedBy, r2)
+
 	return nil
 }
 
+// PolicyType represents the type of a policy
+type PolicyType string
+
+const (
+	// DefaultPolicyType is the default policy type
+	DefaultPolicyType PolicyType = "default"
+	// CustomPolicyType is the custom policy type
+	CustomPolicyType PolicyType = "custom"
+	// InternalPolicyType is the policy for internal use (bundled_policy_provider)
+	InternalPolicyType PolicyType = "internal"
+	// SelftestPolicy is the policy for self tests
+	SelftestPolicy PolicyType = "selftest"
+)
+
 // Policy represents a policy which is composed of a list of rules, macros and on-demand hook points
 type Policy struct {
 	Def        *PolicyDef
 	Name       string
 	Source     string
+	Type       PolicyType
 	IsInternal bool
 	// multiple macros can have the same ID but different filters (e.g. agent version)
 	macros map[MacroID][]*PolicyMacro
@@ -240,11 +301,12 @@ RULES:
 }
 
 // LoadPolicyFromDefinition load a policy from a definition
-func LoadPolicyFromDefinition(name string, source string, def *PolicyDef, macroFilters []MacroFilter, ruleFilters []RuleFilter) (*Policy, error) {
+func LoadPolicyFromDefinition(name string, source string, policyType PolicyType, def *PolicyDef, macroFilters []MacroFilter, ruleFilters []RuleFilter) (*Policy, error) {
 	p := &Policy{
 		Def:    def,
 		Name:   name,
 		Source: source,
+		Type:   policyType,
 		macros: make(map[MacroID][]*PolicyMacro, len(def.Macros)),
 		rules:  make(map[RuleID][]*PolicyRule, len(def.Rules)),
 	}
@@ -253,12 +315,12 @@ func LoadPolicyFromDefinition(name string, source string, def *PolicyDef, macroF
 }
 
 // LoadPolicy load a policy
-func LoadPolicy(name string, source string, reader io.Reader, macroFilters []MacroFilter, ruleFilters []RuleFilter) (*Policy, error) {
+func LoadPolicy(name string, source string, policyType PolicyType, reader io.Reader, macroFilters []MacroFilter, ruleFilters []RuleFilter) (*Policy, error) {
 	def := PolicyDef{}
 	decoder := yaml.NewDecoder(reader)
 	if err := decoder.Decode(&def); err != nil {
 		return nil, &ErrPolicyLoad{Name: name, Err: err}
 	}
 
-	return LoadPolicyFromDefinition(name, source, &def, macroFilters, ruleFilters)
+	return LoadPolicyFromDefinition(name, source, policyType, &def, macroFilters, ruleFilters)
 }

pkg/security/secl/rules/policy_dir.go

@@ -40,8 +40,14 @@ func (p *PoliciesDirProvider) loadPolicy(filename string, macroFilters []MacroFi
 	defer f.Close()
 
 	name := filepath.Base(filename)
+	var policyType PolicyType
+	if name == DefaultPolicyName {
+		policyType = DefaultPolicyType
+	} else {
+		policyType = CustomPolicyType
+	}
 
-	return LoadPolicy(name, PolicyProviderTypeDir, f, macroFilters, ruleFilters)
+	return LoadPolicy(name, PolicyProviderTypeDir, policyType, f, macroFilters, ruleFilters)
 }
 
 func (p *PoliciesDirProvider) getPolicyFiles() ([]string, error) {