aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0
3.64k stars 420 forks source link

`symbols_loaded` and `symbols_collision` events work incorrectly with multiple policies #4352

Open oshaked1 opened 1 month ago

oshaked1 commented 1 month ago

Description

The derive logic for these events does not take into account cases where multiple policies select the event and specify different sets of symbols or whitelisted libraries.

The current behavior is that the filters for these events are overwritten by the last policy that specifies them:

symbolsLoadedFilters := map[string]filters.Filter[*filters.StringFilter]{}

for it := pManager.CreateAllIterator(); it.HasNext(); {
    p := it.Next()
    f := p.DataFilter.GetEventFilters(events.SymbolsLoaded)
    maps.Copy(symbolsLoadedFilters, f)
}

The copy operation overwrites filters from previous policies. This is easy to observe using 2 simple policies that specify different symbols for symbols_loaded:

policy1.yaml

apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
    name: policy1
spec:
    scope:
      - global
    rules:
      - event: symbols_loaded
        filters:
        - args.symbols=read

policy2.yaml

apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
    name: policy2
spec:
    scope:
      - global
    rules:
      - event: symbols_loaded
        filters:
        - args.symbols=fopen

Running with each policy by itself results in the expected behavior, but when using both:

$ sudo dist/tracee --policy policy1.yaml --policy policy2.yaml
TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS
09:59:19:734864  1000   sh               728898  728898  0                symbols_loaded            library_path: /usr/lib/x86_64-linux-gnu/libc.so.6, symbols: [fopen], sha256:

Only the fopen symbol from the second policy is shown.

Fixing this behavior is not as simple as combining the filters, because the whitelisted libraries of symbols_loaded must be taken into account such that an event from a library excluded by one policy will not be excluded completely.

This probably requires some sort of per-policy derive logic, where a separate event or set of events is derived for each policy and only sent to that policy's output (to avoid duplications in cases where the output filter accepts events that were created for a different policy).

Output of tracee version:

Tracee version: v0.21.0-rc-261-g30b33a4db
geyslan commented 1 month ago

All related policy logic should be handled by PolicyManager from now on, it would help on those edge cases.