The derive logic for these events does not take into account cases where multiple policies select the event and specify different sets of symbols or whitelisted libraries.
The current behavior is that the filters for these events are overwritten by the last policy that specifies them:
    symbolsLoadedFilters := map[string]filters.Filter[*filters.StringFilter]{}
    for it := pManager.CreateAllIterator(); it.HasNext(); {
        p := it.Next()
        // this policy's filters for symbols_loaded, keyed by filter name
        f := p.DataFilter.GetEventFilters(events.SymbolsLoaded)
        // copies f into the shared map: an existing key is replaced, not merged
        maps.Copy(symbolsLoadedFilters, f)
    }
The copy operation overwrites filters from previous policies. This is easy to observe using two simple policies (policy1.yaml and policy2.yaml) that specify different symbols for symbols_loaded:
Running with each policy by itself results in the expected behavior, but when using both:
$ sudo dist/tracee --policy policy1.yaml --policy policy2.yaml
TIME UID COMM PID TID RET EVENT ARGS
09:59:19:734864 1000 sh 728898 728898 0 symbols_loaded library_path: /usr/lib/x86_64-linux-gnu/libc.so.6, symbols: [fopen], sha256:
Only the fopen symbol from the second policy is shown.
Fixing this behavior is not as simple as combining the filters, because the whitelisted libraries of symbols_loaded must be taken into account so that an event from a library whitelisted by one policy is not suppressed for every policy.
This probably requires some sort of per-policy derive logic, where a separate event or set of events is derived for each policy and only sent to that policy's output (to avoid duplicates in cases where the output filter accepts events that were created for a different policy).
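The following is an added illustration and not Tracee's code: it models the three behaviours discussed above with a hypothetical SymbolsLoadedFilter type (symbols to report plus whitelisted library paths, standing in for filters.Filter), two constructed policies in the spirit of policy1.yaml and policy2.yaml, a constructed whitelisted library path and a constructed list of symbols found in the loaded library. mergedByOverwrite reproduces the maps.Copy overwrite, mergedByUnion shows why simply combining the filters lets one policy's whitelist suppress another policy's event, and derivePerPolicy is one shape the proposed per-policy derive logic could take, tagging each derived event with the policy it belongs to.

```go
package main

import (
	"fmt"
	"maps"
	"sort"
)

// Hypothetical stand-in for a policy's symbols_loaded filter (not Tracee's
// filters.Filter): symbols to report, and library paths the policy whitelists.
type SymbolsLoadedFilter struct {
	Symbols     map[string]bool
	Whitelisted map[string]bool
}

type Policy struct {
	Name   string
	Filter SymbolsLoadedFilter
}

// DerivedEvent is tagged with the policy it was derived for, so it can be
// routed to that policy's output only.
type DerivedEvent struct {
	Policy, Library string
	Symbols         []string
}

func set(items ...string) map[string]bool {
	m := map[string]bool{}
	for _, it := range items {
		m[it] = true
	}
	return m
}

// Two constructed policies in the spirit of policy1.yaml and policy2.yaml:
// different symbols, and policy1 also whitelists one constructed library path.
func examplePolicies() []Policy {
	return []Policy{
		{"policy1", SymbolsLoadedFilter{set("system"), set("/usr/lib/x86_64-linux-gnu/libexample.so")}},
		{"policy2", SymbolsLoadedFilter{set("fopen"), set()}},
	}
}

// Current behaviour: every policy writes under the same event key, so
// maps.Copy keeps only the last policy's filter.
func mergedByOverwrite(policies []Policy) SymbolsLoadedFilter {
	merged := map[string]SymbolsLoadedFilter{}
	for _, p := range policies {
		maps.Copy(merged, map[string]SymbolsLoadedFilter{"symbols_loaded": p.Filter})
	}
	return merged["symbols_loaded"]
}

// Naive fix the issue warns against: unioning symbols and whitelists means a
// library excluded by one policy is excluded for all of them.
func mergedByUnion(policies []Policy) SymbolsLoadedFilter {
	u := SymbolsLoadedFilter{set(), set()}
	for _, p := range policies {
		maps.Copy(u.Symbols, p.Filter.Symbols)
		maps.Copy(u.Whitelisted, p.Filter.Whitelisted)
	}
	return u
}

// derive applies one filter to one library load; nil if the library is
// whitelisted or no watched symbol was found.
func derive(f SymbolsLoadedFilter, library string, loaded []string) []string {
	if f.Whitelisted[library] {
		return nil
	}
	var hits []string
	for _, s := range loaded {
		if f.Symbols[s] {
			hits = append(hits, s)
		}
	}
	sort.Strings(hits)
	return hits
}

// Per-policy derive logic: each policy keeps its own filter and gets its own
// tagged event, so one policy's whitelist cannot suppress another's event.
func derivePerPolicy(policies []Policy, library string, loaded []string) []DerivedEvent {
	var out []DerivedEvent
	for _, p := range policies {
		if hits := derive(p.Filter, library, loaded); len(hits) > 0 {
			out = append(out, DerivedEvent{p.Name, library, hits})
		}
	}
	return out
}

func main() {
	policies := examplePolicies()
	loaded := []string{"fopen", "system"} // constructed symbol list for the loaded library
	for _, lib := range []string{"/usr/lib/x86_64-linux-gnu/libc.so.6", "/usr/lib/x86_64-linux-gnu/libexample.so"} {
		fmt.Println(lib)
		fmt.Println("  overwrite (current):", derive(mergedByOverwrite(policies), lib, loaded))
		fmt.Println("  union (naive fix):  ", derive(mergedByUnion(policies), lib, loaded))
		fmt.Printf("  per-policy:          %+v\n", derivePerPolicy(policies, lib, loaded))
	}
}
```

Running it shows the three outcomes side by side: with the overwrite only policy2's fopen survives for libc.so.6 (the symptom in the issue), with the union policy2 never hears about the library that only policy1 whitelisted, and with per-policy derivation each policy receives exactly the events its own filter selects.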
Output of tracee version: