fix: clone sig metadata properties

aquasecurity · Sep 20, 2024 · 0b164b1 · 0b164b1
1 parent 66e1ae5
commit 0b164b1
Show file tree

Hide file tree

Showing 34 changed files with 42 additions and 2 deletions.
diff --git a/go.mod b/go.mod
@@ -43,6 +43,8 @@ require (
 	sigs.k8s.io/controller-runtime v0.18.2
 )
 
+replace github.com/aquasecurity/tracee/signatures/helpers => ./signatures/helpers
+
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect

diff --git a/go.sum b/go.sum
@@ -408,8 +408,6 @@ github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca/go.mod h1:UpO6kTehEgAGGKR2twztBxvzjTiLiV/cb2xmlYb+TfE=
 github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f h1:O4UmMQViaaP1wKL1eXe7C6VylwrUmUB5mYM+roqnUZg=
 github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f/go.mod h1:Gn6xVkaBkVe1pOQ0++uuHl+lMMClv0TPY8mCQ6j88aA=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240607205742-90c301111aee h1:1KJy6Z2bSpmKQVPShU7hhbXgGVOgMwvzf9rjoWMTYEg=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240607205742-90c301111aee/go.mod h1:SX08YRCsPFh8CvCvzkV8FSn1sqWAarNVEJq9RSZoF/8=
 github.com/aquasecurity/tracee/types v0.0.0-20240607205742-90c301111aee h1:PDQn0NcQnF/O8wX2zDak0TteAR89IMUTcCm1IwVmo0M=
 github.com/aquasecurity/tracee/types v0.0.0-20240607205742-90c301111aee/go.mod h1:Jwh9OOuiMHXDoGQY12N9ls5YB+j1FlRcXvFMvh1CmIU=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=

diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go
@@ -37,6 +37,7 @@ func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&antiDebuggingPtracemeMetada)
 	return antiDebuggingPtracemeMetada, nil
 }
 

diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go
@@ -37,6 +37,7 @@ func (sig *AslrInspection) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&aslrInspectionMetadata)
 	return aslrInspectionMetadata, nil
 }
 

diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go
@@ -38,6 +38,7 @@ func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext)
 }
 
 func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&cgroupNotifyOnReleaseModificationMetadata)
 	return cgroupNotifyOnReleaseModificationMetadata, nil
 }
 

diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go
@@ -38,6 +38,7 @@ func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) err
 }
 
 func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&cgroupReleaseAgentModificationMetadata)
 	return cgroupReleaseAgentModificationMetadata, nil
 }
 

diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go
@@ -38,6 +38,7 @@ func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *CorePatternModification) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&corePatternModificationMetadata)
 	return corePatternModificationMetadata, nil
 }
 

diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go
@@ -41,6 +41,7 @@ func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DefaultLoaderModification) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&defaultLoaderModificationMetadata)
 	return defaultLoaderModificationMetadata, nil
 }
 

diff --git a/signatures/golang/disk_mount.go b/signatures/golang/disk_mount.go
@@ -38,6 +38,7 @@ func (sig *DiskMount) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DiskMount) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&diskMountMetadata)
 	return diskMountMetadata, nil
 }
 

diff --git a/signatures/golang/docker_abuse.go b/signatures/golang/docker_abuse.go
@@ -38,6 +38,7 @@ func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DockerAbuse) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&dockerAbuseMetadata)
 	return dockerAbuseMetadata, nil
 }
 

diff --git a/signatures/golang/dropped_executable.go b/signatures/golang/dropped_executable.go
@@ -35,6 +35,7 @@ func (sig *DroppedExecutable) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DroppedExecutable) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&droppedExecutableMetadata)
 	return droppedExecutableMetadata, nil
 }
 

diff --git a/signatures/golang/dynamic_code_loading.go b/signatures/golang/dynamic_code_loading.go
@@ -37,6 +37,7 @@ func (sig *DynamicCodeLoading) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DynamicCodeLoading) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&dynamicCodeLoadingMetadata)
 	return dynamicCodeLoadingMetadata, nil
 }
 

diff --git a/signatures/golang/fileless_execution.go b/signatures/golang/fileless_execution.go
@@ -35,6 +35,7 @@ func (sig *FilelessExecution) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *FilelessExecution) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&filelessExecutionMetadata)
 	return filelessExecutionMetadata, nil
 }
 

diff --git a/signatures/golang/hidden_file_created.go b/signatures/golang/hidden_file_created.go
@@ -38,6 +38,7 @@ func (sig *HiddenFileCreated) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *HiddenFileCreated) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&hiddenFileCreatedMetadata)
 	return hiddenFileCreatedMetadata, nil
 }
 

diff --git a/signatures/golang/illegitimate_shell.go b/signatures/golang/illegitimate_shell.go
@@ -40,6 +40,7 @@ func (sig *IllegitimateShell) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *IllegitimateShell) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&illegitimateShellMetadata)
 	return illegitimateShellMetadata, nil
 }
 

diff --git a/signatures/golang/k8s_service_account_token.go b/signatures/golang/k8s_service_account_token.go
@@ -43,6 +43,7 @@ func (sig *K8SServiceAccountToken) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *K8SServiceAccountToken) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&k8SServiceAccountTokenMetadata)
 	return k8SServiceAccountTokenMetadata, nil
 }
 

diff --git a/signatures/golang/kernel_module_loading.go b/signatures/golang/kernel_module_loading.go
@@ -35,6 +35,7 @@ func (sig *KernelModuleLoading) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *KernelModuleLoading) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&kernelModuleLoadingMetadata)
 	return kernelModuleLoadingMetadata, nil
 }
 

diff --git a/signatures/golang/kubernetes_api_connection.go b/signatures/golang/kubernetes_api_connection.go
@@ -36,6 +36,7 @@ func (sig *K8sApiConnection) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *K8sApiConnection) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&k8sApiConnectionMetadata)
 	return k8sApiConnectionMetadata, nil
 }
 

diff --git a/signatures/golang/kubernetes_certificate_theft_attempt.go b/signatures/golang/kubernetes_certificate_theft_attempt.go
@@ -40,6 +40,7 @@ func (sig *KubernetesCertificateTheftAttempt) Init(ctx detect.SignatureContext)
 }
 
 func (sig *KubernetesCertificateTheftAttempt) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&kubernetesCertificateTheftAttemptMetadata)
 	return kubernetesCertificateTheftAttemptMetadata, nil
 }
 

diff --git a/signatures/golang/ld_preload.go b/signatures/golang/ld_preload.go
@@ -40,6 +40,7 @@ func (sig *LdPreload) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *LdPreload) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&ldPreloadMetadata)
 	return ldPreloadMetadata, nil
 }
 

diff --git a/signatures/golang/proc_fops_hooking.go b/signatures/golang/proc_fops_hooking.go
@@ -35,6 +35,7 @@ func (sig *ProcFopsHooking) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ProcFopsHooking) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&procFopsHookingMetadata)
 	return procFopsHookingMetadata, nil
 }
 

diff --git a/signatures/golang/proc_kcore_read.go b/signatures/golang/proc_kcore_read.go
@@ -38,6 +38,7 @@ func (sig *ProcKcoreRead) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ProcKcoreRead) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&procKcoreReadMetadata)
 	return procKcoreReadMetadata, nil
 }
 

diff --git a/signatures/golang/proc_mem_access.go b/signatures/golang/proc_mem_access.go
@@ -41,6 +41,7 @@ func (sig *ProcMemAccess) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ProcMemAccess) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&procMemAccessMetadata)
 	return procMemAccessMetadata, nil
 }
 

diff --git a/signatures/golang/proc_mem_code_injection.go b/signatures/golang/proc_mem_code_injection.go
@@ -41,6 +41,7 @@ func (sig *ProcMemCodeInjection) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ProcMemCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&procMemCodeInjectionMetadata)
 	return procMemCodeInjectionMetadata, nil
 }
 

diff --git a/signatures/golang/process_vm_write_code_injection.go b/signatures/golang/process_vm_write_code_injection.go
@@ -36,6 +36,7 @@ func (sig *ProcessVmWriteCodeInjection) Init(ctx detect.SignatureContext) error
 }
 
 func (sig *ProcessVmWriteCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&processVmWriteCodeInjectionMetadata)
 	return processVmWriteCodeInjectionMetadata, nil
 }
 

diff --git a/signatures/golang/ptrace_code_injection.go b/signatures/golang/ptrace_code_injection.go
@@ -39,6 +39,7 @@ func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *PtraceCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&ptraceCodeInjectionMetadata)
 	return ptraceCodeInjectionMetadata, nil
 }
 

diff --git a/signatures/golang/rcd_modification.go b/signatures/golang/rcd_modification.go
@@ -43,6 +43,7 @@ func (sig *RcdModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *RcdModification) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&rcdModificationMetadata)
 	return rcdModificationMetadata, nil
 }
 

diff --git a/signatures/golang/sched_debug_recon.go b/signatures/golang/sched_debug_recon.go
@@ -37,6 +37,7 @@ func (sig *SchedDebugRecon) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *SchedDebugRecon) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&schedDebugReconMetadata)
 	return schedDebugReconMetadata, nil
 }
 

diff --git a/signatures/golang/scheduled_task_modification.go b/signatures/golang/scheduled_task_modification.go
@@ -43,6 +43,7 @@ func (sig *ScheduledTaskModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ScheduledTaskModification) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&scheduledTaskModificationMetadata)
 	return scheduledTaskModificationMetadata, nil
 }
 

diff --git a/signatures/golang/stdio_over_socket.go b/signatures/golang/stdio_over_socket.go
@@ -37,6 +37,7 @@ func (sig *StdioOverSocket) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *StdioOverSocket) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&stdioOverSocketMetadata)
 	return stdioOverSocketMetadata, nil
 }
 

diff --git a/signatures/golang/sudoers_modification.go b/signatures/golang/sudoers_modification.go
@@ -40,6 +40,7 @@ func (sig *SudoersModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *SudoersModification) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&sudoersModificationMetadata)
 	return sudoersModificationMetadata, nil
 }
 

diff --git a/signatures/golang/syscall_table_hooking.go b/signatures/golang/syscall_table_hooking.go
@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 
+	"github.com/aquasecurity/tracee/signatures/helpers"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -34,6 +35,7 @@ func (sig *SyscallTableHooking) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *SyscallTableHooking) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&syscallTableHookingMetadata)
 	return syscallTableHookingMetadata, nil
 }
 

diff --git a/signatures/golang/system_request_key_config_modification.go b/signatures/golang/system_request_key_config_modification.go
@@ -37,6 +37,7 @@ func (sig *SystemRequestKeyConfigModification) Init(ctx detect.SignatureContext)
 }
 
 func (sig *SystemRequestKeyConfigModification) GetMetadata() (detect.SignatureMetadata, error) {
+	helpers.CloneProperties(&systemRequestKeyConfigModificationMetadata)
 	return systemRequestKeyConfigModificationMetadata, nil
 }
 

diff --git a/signatures/helpers/helpers.go b/signatures/helpers/helpers.go
@@ -2,8 +2,10 @@ package helpers
 
 import (
 	"fmt"
+	"maps"
 	"strings"
 
+	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
 )
 
@@ -435,3 +437,9 @@ func GetProtoHTTPByName(
 
 	return trace.ProtoHTTP{}, fmt.Errorf("protocol HTTP: type error (should be trace.ProtoHTTP, is %T)", arg.Value)
 }
+
+func CloneProperties(m *detect.SignatureMetadata) {
+	// do a shallow clone of Properties map getting a new reference
+	// avoiding leaking the original pointer
+	m.Properties = maps.Clone(m.Properties)
+}