[CWS] Add 'cgroup' variable scope

cmd/security-agent/subcommands/runtime/command.go

@@ -551,8 +551,13 @@ func eventDataFromJSON(file string) (eval.Event, error) {
 		return nil, errors.New("unknown event type")
 	}
 
-	m := &model.Model{}
-	event := m.NewDefaultEventWithType(kind)
+	event := &model.Event{
+		BaseEvent: model.BaseEvent{
+			Type:             uint32(kind),
+			FieldHandlers:    &model.FakeFieldHandlers{},
+			ContainerContext: &model.ContainerContext{},
+		},
+	}
 	event.Init()
 
 	for k, v := range eventData.Values {

cmd/system-probe/subcommands/runtime/command.go

@@ -533,8 +533,13 @@ func eventDataFromJSON(file string) (eval.Event, error) {
 		return nil, errors.New("unknown event type")
 	}
 
-	m := &model.Model{}
-	event := m.NewDefaultEventWithType(kind)
+	event := &model.Event{
+		BaseEvent: model.BaseEvent{
+			Type:             uint32(kind),
+			FieldHandlers:    &model.FakeFieldHandlers{},
+			ContainerContext: &model.ContainerContext{},
+		},
+	}
 	event.Init()
 
 	for k, v := range eventData.Values {

pkg/network/events/monitor_test.go

@@ -45,7 +45,7 @@ func TestEventConsumerWrapperCopy(t *testing.T) {
 				},
 				FieldHandlers: &model.FakeFieldHandlers{},
 			},
-			CGroupContext: model.CGroupContext{
+			CGroupContext: &model.CGroupContext{
 				CGroupID: "cid_exec",
 			},
 		}
@@ -87,7 +87,7 @@ func TestEventConsumerWrapperCopy(t *testing.T) {
 				},
 				FieldHandlers: &model.FakeFieldHandlers{},
 			},
-			CGroupContext: model.CGroupContext{
+			CGroupContext: &model.CGroupContext{
 				CGroupID: "cid_fork",
 			},
 		}

pkg/security/probe/field_handlers_ebpf.go

@@ -516,8 +516,8 @@ func (fh *EBPFFieldHandlers) ResolveCGroupID(ev *model.Event, e *model.CGroupCon
 				return string(entry.CGroup.CGroupID)
 			}
 
-			if cgroupContext, err := fh.resolvers.ResolveCGroupContext(e.CGroupFile, e.CGroupFlags); err == nil {
-				*e = *cgroupContext
+			if cgroupContext, _, err := fh.resolvers.ResolveCGroupContext(e.CGroupFile, e.CGroupFlags); err == nil {
+				ev.CGroupContext = cgroupContext
 			}
 		}
 	}

pkg/security/probe/probe_ebpf.go

@@ -714,7 +714,7 @@ func (p *EBPFProbe) EventMarshallerCtor(event *model.Event) func() events.EventM
 }
 
 func (p *EBPFProbe) unmarshalContexts(data []byte, event *model.Event) (int, error) {
-	read, err := model.UnmarshalBinary(data, &event.PIDContext, &event.SpanContext, event.ContainerContext, &event.CGroupContext)
+	read, err := model.UnmarshalBinary(data, &event.PIDContext, &event.SpanContext, event.ContainerContext, event.CGroupContext)
 	if err != nil {
 		return 0, err
 	}
@@ -750,8 +750,8 @@ func (p *EBPFProbe) unmarshalProcessCacheEntry(ev *model.Event, data []byte) (in
 	entry.Process.ContainerID = ev.ContainerContext.ContainerID
 	entry.ContainerID = ev.ContainerContext.ContainerID
 
-	entry.Process.CGroup.Merge(&ev.CGroupContext)
-	entry.CGroup.Merge(&ev.CGroupContext)
+	entry.Process.CGroup.Merge(ev.CGroupContext)
+	entry.CGroup.Merge(ev.CGroupContext)
 
 	entry.Source = model.ProcessCacheEntryFromEvent
 
@@ -780,7 +780,7 @@ func (p *EBPFProbe) setProcessContext(eventType model.EventType, event *model.Ev
 	}
 
 	// do the same with cgroup context
-	event.CGroupContext = event.ProcessCacheEntry.CGroup
+	event.CGroupContext = &event.ProcessCacheEntry.CGroup
 
 	if process.IsKThread(event.ProcessContext.PPid, event.ProcessContext.Pid) {
 		return false
@@ -809,9 +809,9 @@ func (p *EBPFProbe) zeroEvent() *model.Event {
 }
 
 func (p *EBPFProbe) resolveCGroup(pid uint32, cgroupPathKey model.PathKey, cgroupFlags containerutils.CGroupFlags, newEntryCb func(entry *model.ProcessCacheEntry, err error)) (*model.CGroupContext, error) {
-	cgroupContext, err := p.Resolvers.ResolveCGroupContext(cgroupPathKey, cgroupFlags)
+	cgroupContext, _, err := p.Resolvers.ResolveCGroupContext(cgroupPathKey, cgroupFlags)
 	if err != nil {
-		return nil, fmt.Errorf("failed to resorve cgroup for pid %d: %w", pid, err)
+		return nil, fmt.Errorf("failed to resolve cgroup for pid %d: %w", pid, err)
 	}
 	updated := p.Resolvers.ProcessResolver.UpdateProcessCGroupContext(pid, cgroupContext, newEntryCb)
 	if !updated {
@@ -908,6 +908,12 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 			seclog.Debugf("Failed to resolve cgroup: %s", err.Error())
 		} else {
 			event.CgroupTracing.CGroupContext = *cgroupContext
+			if cgroupContext.CGroupFlags.IsContainer() {
+				containerID, _ := containerutils.FindContainerID(cgroupContext.CGroupID)
+				event.CgroupTracing.ContainerContext.ContainerID = containerID
+			}
+
+			event.CGroupContext = cgroupContext
 			p.profileManagers.activityDumpManager.HandleCGroupTracingEvent(&event.CgroupTracing)
 		}
 		return

pkg/security/resolvers/cgroup/resolver.go

@@ -69,7 +69,10 @@ func NewResolver(statsdClient statsd.ClientInterface) (*Resolver, error) {
 	}
 
 	cleanup := func(value *cgroupModel.CacheEntry) {
-		value.CallReleaseCallback()
+		if value.CGroupContext.IsContainer() {
+			value.ContainerContext.CallReleaseCallback()
+		}
+		value.CGroupContext.CallReleaseCallback()
 		value.Deleted.Store(true)
 
 		cr.NotifyListeners(CGroupDeleted, value)

pkg/security/resolvers/resolvers_ebpf.go

@@ -218,14 +218,14 @@ func (r *EBPFResolvers) Start(ctx context.Context) error {
 }
 
 // ResolveCGroupContext resolves the cgroup context from a cgroup path key
-func (r *EBPFResolvers) ResolveCGroupContext(pathKey model.PathKey, cgroupFlags containerutils.CGroupFlags) (*model.CGroupContext, error) {
+func (r *EBPFResolvers) ResolveCGroupContext(pathKey model.PathKey, cgroupFlags containerutils.CGroupFlags) (*model.CGroupContext, bool, error) {
 	if cgroupContext, found := r.CGroupResolver.GetCGroupContext(pathKey); found {
-		return cgroupContext, nil
+		return cgroupContext, true, nil
 	}
 
 	cgroup, err := r.DentryResolver.Resolve(pathKey, true)
 	if err != nil {
-		return nil, fmt.Errorf("failed to resolve cgroup file %v: %w", pathKey, err)
+		return nil, false, fmt.Errorf("failed to resolve cgroup file %v: %w", pathKey, err)
 	}
 
 	cgroupContext := &model.CGroupContext{
@@ -235,7 +235,7 @@ func (r *EBPFResolvers) ResolveCGroupContext(pathKey model.PathKey, cgroupFlags
 		CGroupManager: containerutils.CGroupManager(cgroupFlags & containerutils.CGroupManagerMask).String(),
 	}
 
-	return cgroupContext, nil
+	return cgroupContext, false, nil
 }
 
 // Snapshot collects data on the current state of the system to populate user space and kernel space caches.

pkg/security/rules/engine_linux.go

@@ -49,6 +49,34 @@ func (e *RuleEngine) GetSECLVariables() map[string]*api.SECLVariableState {
 					continue
 				}
 
+				scopedValue := fmt.Sprintf("%v", value)
+				seclVariables[scopedName] = &api.SECLVariableState{
+					Name:  scopedName,
+					Value: scopedValue,
+				}
+			}
+		} else if strings.HasPrefix(name, "cgroup.") {
+			scopedVariable := value.(eval.ScopedVariable)
+
+			cgr := e.probe.PlatformProbe.(*probe.EBPFProbe).Resolvers.CGroupResolver
+			containerWorkloads := cgr.GetContainerWorkloads()
+			if containerWorkloads == nil {
+				continue
+			}
+
+			for _, cgce := range containerWorkloads.Values() {
+				cgce.RLock()
+				defer cgce.RUnlock()
+
+				event := e.probe.PlatformProbe.NewEvent()
+				event.CGroupContext = &cgce.CGroupContext
+				ctx := eval.NewContext(event)
+				scopedName := fmt.Sprintf("%s.%s", name, cgce.CGroupID)
+				value, found := scopedVariable.GetValue(ctx)
+				if !found {
+					continue
+				}
+
 				scopedValue := fmt.Sprintf("%v", value)
 				seclVariables[scopedName] = &api.SECLVariableState{
 					Name:  scopedName,

pkg/security/secl/compiler/eval/variables.go

@@ -512,6 +512,7 @@ func NewIntArrayVariable(size int, ttl time.Duration) *IntArrayVariable {
 // VariableScope is the interface to be implemented by scoped variable in order to be released
 type VariableScope interface {
 	AppendReleaseCallback(callback func())
+	Hash() string
 }
 
 // Scoper maps a variable to the entity its scoped to
@@ -566,7 +567,7 @@ type MutableSECLVariable interface {
 // ScopedVariables holds a set of scoped variables
 type ScopedVariables struct {
 	scoper Scoper
-	vars   map[VariableScope]map[string]MutableSECLVariable
+	vars   map[string]map[string]MutableSECLVariable
 }
 
 // Len returns the length of the variable map
@@ -577,19 +578,22 @@ func (v *ScopedVariables) Len() int {
 // NewSECLVariable returns new variable of the type of the specified value
 func (v *ScopedVariables) NewSECLVariable(name string, value interface{}, opts VariableOpts) (SECLVariable, error) {
 	getVariable := func(ctx *Context) MutableSECLVariable {
-		v := v.vars[v.scoper(ctx)]
+		scope := v.scoper(ctx)
+		key := scope.Hash()
+		v := v.vars[key]
 		return v[name]
 	}
 
 	setVariable := func(ctx *Context, value interface{}) error {
-		key := v.scoper(ctx)
-		if key == nil {
+		scope := v.scoper(ctx)
+		if scope == nil {
 			return fmt.Errorf("failed to scope variable '%s'", name)
 		}
 
+		key := scope.Hash()
 		vars := v.vars[key]
 		if vars == nil {
-			key.AppendReleaseCallback(func() {
+			scope.AppendReleaseCallback(func() {
 				v.ReleaseVariable(key)
 			})
 
@@ -655,14 +659,14 @@ func (v *ScopedVariables) NewSECLVariable(name string, value interface{}, opts V
 }
 
 // ReleaseVariable releases a scoped variable
-func (v *ScopedVariables) ReleaseVariable(key VariableScope) {
+func (v *ScopedVariables) ReleaseVariable(key string) {
 	delete(v.vars, key)
 }
 
 // NewScopedVariables returns a new set of scope variables
 func NewScopedVariables(scoper Scoper) *ScopedVariables {
 	return &ScopedVariables{
 		scoper: scoper,
-		vars:   make(map[VariableScope]map[string]MutableSECLVariable),
+		vars:   make(map[string]map[string]MutableSECLVariable),
 	}
 }