From 0b164b1a1f6028c9956ca6174c2f8ebf71dec408 Mon Sep 17 00:00:00 2001 From: Raphael Campos Date: Thu, 19 Sep 2024 15:14:13 -0500 Subject: [PATCH] fix: clone sig metadata properties --- go.mod | 2 ++ go.sum | 2 -- signatures/golang/anti_debugging_ptraceme.go | 1 + signatures/golang/aslr_inspection.go | 1 + .../golang/cgroup_notify_on_release_modification.go | 1 + signatures/golang/cgroup_release_agent_modification.go | 1 + signatures/golang/core_pattern_modification.go | 1 + signatures/golang/default_loader_modification.go | 1 + signatures/golang/disk_mount.go | 1 + signatures/golang/docker_abuse.go | 1 + signatures/golang/dropped_executable.go | 1 + signatures/golang/dynamic_code_loading.go | 1 + signatures/golang/fileless_execution.go | 1 + signatures/golang/hidden_file_created.go | 1 + signatures/golang/illegitimate_shell.go | 1 + signatures/golang/k8s_service_account_token.go | 1 + signatures/golang/kernel_module_loading.go | 1 + signatures/golang/kubernetes_api_connection.go | 1 + signatures/golang/kubernetes_certificate_theft_attempt.go | 1 + signatures/golang/ld_preload.go | 1 + signatures/golang/proc_fops_hooking.go | 1 + signatures/golang/proc_kcore_read.go | 1 + signatures/golang/proc_mem_access.go | 1 + signatures/golang/proc_mem_code_injection.go | 1 + signatures/golang/process_vm_write_code_injection.go | 1 + signatures/golang/ptrace_code_injection.go | 1 + signatures/golang/rcd_modification.go | 1 + signatures/golang/sched_debug_recon.go | 1 + signatures/golang/scheduled_task_modification.go | 1 + signatures/golang/stdio_over_socket.go | 1 + signatures/golang/sudoers_modification.go | 1 + signatures/golang/syscall_table_hooking.go | 2 ++ .../golang/system_request_key_config_modification.go | 1 + signatures/helpers/helpers.go | 8 ++++++++ 34 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index 264cf7a91973..405f52a6b7e4 100644
--- a/go.mod
+++ b/go.mod
@@ -43,6 +43,8 @@ require (
 sigs.k8s.io/controller-runtime v0.18.2
 )
+replace github.com/aquasecurity/tracee/signatures/helpers => ./signatures/helpers
+
 require (
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
diff --git a/go.sum b/go.sum
index e5150abb189e..1584c24b05c6 100644
--- a/go.sum
+++ b/go.sum
@@ -408,8 +408,6 @@ github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca/go.mod h1:UpO6kTehEgAGGKR2twztBxvzjTiLiV/cb2xmlYb+TfE= github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f h1:O4UmMQViaaP1wKL1eXe7C6VylwrUmUB5mYM+roqnUZg= github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f/go.mod h1:Gn6xVkaBkVe1pOQ0++uuHl+lMMClv0TPY8mCQ6j88aA= -github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240607205742-90c301111aee h1:1KJy6Z2bSpmKQVPShU7hhbXgGVOgMwvzf9rjoWMTYEg= -github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240607205742-90c301111aee/go.mod h1:SX08YRCsPFh8CvCvzkV8FSn1sqWAarNVEJq9RSZoF/8= github.com/aquasecurity/tracee/types v0.0.0-20240607205742-90c301111aee h1:PDQn0NcQnF/O8wX2zDak0TteAR89IMUTcCm1IwVmo0M= github.com/aquasecurity/tracee/types v0.0.0-20240607205742-90c301111aee/go.mod h1:Jwh9OOuiMHXDoGQY12N9ls5YB+j1FlRcXvFMvh1CmIU= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go
index 46f07129dd05..075cf66783a1 100644
--- a/signatures/golang/anti_debugging_ptraceme.go
+++ b/signatures/golang/anti_debugging_ptraceme.go
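Review bot: The `replace` directive added to the root go.mod only applies when this module is the main module of the build; Go ignores `replace` directives in dependencies, so anything importing this module from outside would still resolve `signatures/helpers` at the version pinned by the `require` line, which is outside this hunk. If that pinned version predates `CloneProperties`, such builds would fail, and in-tree and downstream builds would compile different helper code. Consider bumping the required helpers version in the same series, or at least documenting the intent above the directive, e.g. `// local replace: signatures call helpers.CloneProperties, which is not in a published helpers version yet`.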
@@ -37,6 +37,7 @@ func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error {
 }
 func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&antiDebuggingPtracemeMetada)
 return antiDebuggingPtracemeMetada, nil
 }
diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go
index 09339d5ae416..2c39bb9e2028 100644
--- a/signatures/golang/aslr_inspection.go
+++ b/signatures/golang/aslr_inspection.go
@@ -37,6 +37,7 @@ func (sig *AslrInspection) Init(ctx detect.SignatureContext) error {
 }
 func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&aslrInspectionMetadata)
 return aslrInspectionMetadata, nil
 }
diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go
index ad209b44b0f3..189bd1527837 100644
--- a/signatures/golang/cgroup_notify_on_release_modification.go
+++ b/signatures/golang/cgroup_notify_on_release_modification.go
@@ -38,6 +38,7 @@ func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext)
 }
 func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&cgroupNotifyOnReleaseModificationMetadata)
 return cgroupNotifyOnReleaseModificationMetadata, nil
 }
diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go
index 655ab30ceed4..0526a372c4ba 100644
--- a/signatures/golang/cgroup_release_agent_modification.go
+++ b/signatures/golang/cgroup_release_agent_modification.go
@@ -38,6 +38,7 @@ func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) err
 }
 func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&cgroupReleaseAgentModificationMetadata)
 return cgroupReleaseAgentModificationMetadata, nil
 }
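Review bot: `helpers.CloneProperties(&antiDebuggingPtracemeMetada)` overwrites the `Properties` field of the package-level metadata variable on every call, and the struct returned on the next line is a copy of that same variable, so the caller's map is still the one the global now holds. A caller that edits the returned map therefore changes what the next `GetMetadata` call clones and hands out, and if `GetMetadata` can be reached from more than one goroutine (not shown on this page) the unsynchronized write to the global is a data race. Cloning into a local copy leaves the global untouched: `md := antiDebuggingPtracemeMetada`, `md.Properties = maps.Clone(md.Properties)`, `return md, nil`. The same pattern is repeated in every other GetMetadata hunk of this patch, from aslr_inspection.go through system_request_key_config_modification.go.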
diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go
index a4d4e40908bc..21bcae23f7da 100644
--- a/signatures/golang/core_pattern_modification.go
+++ b/signatures/golang/core_pattern_modification.go
@@ -38,6 +38,7 @@ func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error {
 }
 func (sig *CorePatternModification) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&corePatternModificationMetadata)
 return corePatternModificationMetadata, nil
 }
diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go
index dd1d054b006c..9475a0046093 100644
--- a/signatures/golang/default_loader_modification.go
+++ b/signatures/golang/default_loader_modification.go
@@ -41,6 +41,7 @@ func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error {
 }
 func (sig *DefaultLoaderModification) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&defaultLoaderModificationMetadata)
 return defaultLoaderModificationMetadata, nil
 }
diff --git a/signatures/golang/disk_mount.go b/signatures/golang/disk_mount.go
index f5ddf9f29ac9..37f10716f13e 100644
--- a/signatures/golang/disk_mount.go
+++ b/signatures/golang/disk_mount.go
@@ -38,6 +38,7 @@ func (sig *DiskMount) Init(ctx detect.SignatureContext) error {
 }
 func (sig *DiskMount) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&diskMountMetadata)
 return diskMountMetadata, nil
 }
diff --git a/signatures/golang/docker_abuse.go b/signatures/golang/docker_abuse.go
index d1e82d0d78f8..c0e90ec75d82 100644
--- a/signatures/golang/docker_abuse.go
+++ b/signatures/golang/docker_abuse.go
@@ -38,6 +38,7 @@ func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error {
 }
 func (sig *DockerAbuse) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&dockerAbuseMetadata)
 return dockerAbuseMetadata, nil
 }
diff --git a/signatures/golang/dropped_executable.go b/signatures/golang/dropped_executable.go
index dfe2756a9866..e7c2c3c4f3b8 100644
--- a/signatures/golang/dropped_executable.go
+++ b/signatures/golang/dropped_executable.go
@@ -35,6 +35,7 @@ func (sig *DroppedExecutable) Init(ctx detect.SignatureContext) error {
 }
 func (sig *DroppedExecutable) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&droppedExecutableMetadata)
 return droppedExecutableMetadata, nil
 }
diff --git a/signatures/golang/dynamic_code_loading.go b/signatures/golang/dynamic_code_loading.go
index 81c7728161e4..299623474e6e 100644
--- a/signatures/golang/dynamic_code_loading.go
+++ b/signatures/golang/dynamic_code_loading.go
@@ -37,6 +37,7 @@ func (sig *DynamicCodeLoading) Init(ctx detect.SignatureContext) error {
 }
 func (sig *DynamicCodeLoading) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&dynamicCodeLoadingMetadata)
 return dynamicCodeLoadingMetadata, nil
 }
diff --git a/signatures/golang/fileless_execution.go b/signatures/golang/fileless_execution.go
index 1728476b192a..c05e8efb5fae 100644
--- a/signatures/golang/fileless_execution.go
+++ b/signatures/golang/fileless_execution.go
@@ -35,6 +35,7 @@ func (sig *FilelessExecution) Init(ctx detect.SignatureContext) error {
 }
 func (sig *FilelessExecution) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&filelessExecutionMetadata)
 return filelessExecutionMetadata, nil
 }
diff --git a/signatures/golang/hidden_file_created.go b/signatures/golang/hidden_file_created.go
index 69a5a68ec9fa..960516c19062 100644
--- a/signatures/golang/hidden_file_created.go
+++ b/signatures/golang/hidden_file_created.go
@@ -38,6 +38,7 @@ func (sig *HiddenFileCreated) Init(ctx detect.SignatureContext) error {
 }
 func (sig *HiddenFileCreated) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&hiddenFileCreatedMetadata)
 return hiddenFileCreatedMetadata, nil
 }
diff --git a/signatures/golang/illegitimate_shell.go b/signatures/golang/illegitimate_shell.go
index d9234df0f285..5874f5d6e59b 100644
--- a/signatures/golang/illegitimate_shell.go
+++ b/signatures/golang/illegitimate_shell.go
@@ -40,6 +40,7 @@ func (sig *IllegitimateShell) Init(ctx detect.SignatureContext) error {
 }
 func (sig *IllegitimateShell) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&illegitimateShellMetadata)
 return illegitimateShellMetadata, nil
 }
diff --git a/signatures/golang/k8s_service_account_token.go b/signatures/golang/k8s_service_account_token.go
index 4f9bc02a087d..4691d97e2b5f 100644
--- a/signatures/golang/k8s_service_account_token.go
+++ b/signatures/golang/k8s_service_account_token.go
@@ -43,6 +43,7 @@ func (sig *K8SServiceAccountToken) Init(ctx detect.SignatureContext) error {
 }
 func (sig *K8SServiceAccountToken) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&k8SServiceAccountTokenMetadata)
 return k8SServiceAccountTokenMetadata, nil
 }
diff --git a/signatures/golang/kernel_module_loading.go b/signatures/golang/kernel_module_loading.go
index 22b207ab793e..d11b64c42d5c 100644
--- a/signatures/golang/kernel_module_loading.go
+++ b/signatures/golang/kernel_module_loading.go
@@ -35,6 +35,7 @@ func (sig *KernelModuleLoading) Init(ctx detect.SignatureContext) error {
 }
 func (sig *KernelModuleLoading) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&kernelModuleLoadingMetadata)
 return kernelModuleLoadingMetadata, nil
 }
diff --git a/signatures/golang/kubernetes_api_connection.go b/signatures/golang/kubernetes_api_connection.go
index e26f79b053ce..eb3ec203fafc 100644
--- a/signatures/golang/kubernetes_api_connection.go
+++ b/signatures/golang/kubernetes_api_connection.go
@@ -36,6 +36,7 @@ func (sig *K8sApiConnection) Init(ctx detect.SignatureContext) error {
 }
 func (sig *K8sApiConnection) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&k8sApiConnectionMetadata)
 return k8sApiConnectionMetadata, nil
 }
diff --git a/signatures/golang/kubernetes_certificate_theft_attempt.go b/signatures/golang/kubernetes_certificate_theft_attempt.go
index 62032dc6e7ad..6aa5d4533145 100644
--- a/signatures/golang/kubernetes_certificate_theft_attempt.go
+++ b/signatures/golang/kubernetes_certificate_theft_attempt.go
@@ -40,6 +40,7 @@ func (sig *KubernetesCertificateTheftAttempt) Init(ctx detect.SignatureContext)
 }
 func (sig *KubernetesCertificateTheftAttempt) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&kubernetesCertificateTheftAttemptMetadata)
 return kubernetesCertificateTheftAttemptMetadata, nil
 }
diff --git a/signatures/golang/ld_preload.go b/signatures/golang/ld_preload.go
index fc508f652773..ccd4c8461643 100644
--- a/signatures/golang/ld_preload.go
+++ b/signatures/golang/ld_preload.go
@@ -40,6 +40,7 @@ func (sig *LdPreload) Init(ctx detect.SignatureContext) error {
 }
 func (sig *LdPreload) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&ldPreloadMetadata)
 return ldPreloadMetadata, nil
 }
diff --git a/signatures/golang/proc_fops_hooking.go b/signatures/golang/proc_fops_hooking.go
index 5af0ecf686ae..bd7d40ab3726 100644
--- a/signatures/golang/proc_fops_hooking.go
+++ b/signatures/golang/proc_fops_hooking.go
@@ -35,6 +35,7 @@ func (sig *ProcFopsHooking) Init(ctx detect.SignatureContext) error {
 }
 func (sig *ProcFopsHooking) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&procFopsHookingMetadata)
 return procFopsHookingMetadata, nil
 }
diff --git a/signatures/golang/proc_kcore_read.go b/signatures/golang/proc_kcore_read.go
index e505f0dfd90c..589153504f95 100644
--- a/signatures/golang/proc_kcore_read.go
+++ b/signatures/golang/proc_kcore_read.go
@@ -38,6 +38,7 @@ func (sig *ProcKcoreRead) Init(ctx detect.SignatureContext) error {
 }
 func (sig *ProcKcoreRead) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&procKcoreReadMetadata)
 return procKcoreReadMetadata, nil
 }
diff --git a/signatures/golang/proc_mem_access.go b/signatures/golang/proc_mem_access.go
index 7d171b253949..d5bb467cb889 100644
--- a/signatures/golang/proc_mem_access.go
+++ b/signatures/golang/proc_mem_access.go
@@ -41,6 +41,7 @@ func (sig *ProcMemAccess) Init(ctx detect.SignatureContext) error {
 }
 func (sig *ProcMemAccess) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&procMemAccessMetadata)
 return procMemAccessMetadata, nil
 }
diff --git a/signatures/golang/proc_mem_code_injection.go b/signatures/golang/proc_mem_code_injection.go
index f5ae29b21676..fc098befe115 100644
--- a/signatures/golang/proc_mem_code_injection.go
+++ b/signatures/golang/proc_mem_code_injection.go
@@ -41,6 +41,7 @@ func (sig *ProcMemCodeInjection) Init(ctx detect.SignatureContext) error {
 }
 func (sig *ProcMemCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&procMemCodeInjectionMetadata)
 return procMemCodeInjectionMetadata, nil
 }
diff --git a/signatures/golang/process_vm_write_code_injection.go b/signatures/golang/process_vm_write_code_injection.go
index d742260b5aa1..f1f073a3a4e3 100644
--- a/signatures/golang/process_vm_write_code_injection.go
+++ b/signatures/golang/process_vm_write_code_injection.go
@@ -36,6 +36,7 @@ func (sig *ProcessVmWriteCodeInjection) Init(ctx detect.SignatureContext) error
 }
 func (sig *ProcessVmWriteCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&processVmWriteCodeInjectionMetadata)
 return processVmWriteCodeInjectionMetadata, nil
 }
diff --git a/signatures/golang/ptrace_code_injection.go b/signatures/golang/ptrace_code_injection.go
index 233060e5b54b..2eab531e5287 100644
--- a/signatures/golang/ptrace_code_injection.go
+++ b/signatures/golang/ptrace_code_injection.go
@@ -39,6 +39,7 @@ func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error {
 }
 func (sig *PtraceCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&ptraceCodeInjectionMetadata)
 return ptraceCodeInjectionMetadata, nil
 }
diff --git a/signatures/golang/rcd_modification.go b/signatures/golang/rcd_modification.go
index 3a01b2857a87..0d764b55aad9 100644
--- a/signatures/golang/rcd_modification.go
+++ b/signatures/golang/rcd_modification.go
@@ -43,6 +43,7 @@ func (sig *RcdModification) Init(ctx detect.SignatureContext) error {
 }
 func (sig *RcdModification) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&rcdModificationMetadata)
 return rcdModificationMetadata, nil
 }
diff --git a/signatures/golang/sched_debug_recon.go b/signatures/golang/sched_debug_recon.go
index 02ea12f067ec..d71b7cd743aa 100644
--- a/signatures/golang/sched_debug_recon.go
+++ b/signatures/golang/sched_debug_recon.go
@@ -37,6 +37,7 @@ func (sig *SchedDebugRecon) Init(ctx detect.SignatureContext) error {
 }
 func (sig *SchedDebugRecon) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&schedDebugReconMetadata)
 return schedDebugReconMetadata, nil
 }
diff --git a/signatures/golang/scheduled_task_modification.go b/signatures/golang/scheduled_task_modification.go
index 2586ef7482a9..1d2e51dc9c89 100644
--- a/signatures/golang/scheduled_task_modification.go
+++ b/signatures/golang/scheduled_task_modification.go
@@ -43,6 +43,7 @@ func (sig *ScheduledTaskModification) Init(ctx detect.SignatureContext) error {
 }
 func (sig *ScheduledTaskModification) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&scheduledTaskModificationMetadata)
 return scheduledTaskModificationMetadata, nil
 }
diff --git a/signatures/golang/stdio_over_socket.go b/signatures/golang/stdio_over_socket.go
index d2e89f4d57d6..4c8966b9c0d7 100644
--- a/signatures/golang/stdio_over_socket.go
+++ b/signatures/golang/stdio_over_socket.go
@@ -37,6 +37,7 @@ func (sig *StdioOverSocket) Init(ctx detect.SignatureContext) error {
 }
 func (sig *StdioOverSocket) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&stdioOverSocketMetadata)
 return stdioOverSocketMetadata, nil
 }
diff --git a/signatures/golang/sudoers_modification.go b/signatures/golang/sudoers_modification.go
index 8c2645b510a2..999feed344a5 100644
--- a/signatures/golang/sudoers_modification.go
+++ b/signatures/golang/sudoers_modification.go
@@ -40,6 +40,7 @@ func (sig *SudoersModification) Init(ctx detect.SignatureContext) error {
 }
 func (sig *SudoersModification) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&sudoersModificationMetadata)
 return sudoersModificationMetadata, nil
 }
diff --git a/signatures/golang/syscall_table_hooking.go b/signatures/golang/syscall_table_hooking.go
index 9749c67ad90c..d8b6f9757152 100644
--- a/signatures/golang/syscall_table_hooking.go
+++ b/signatures/golang/syscall_table_hooking.go
@@ -3,6 +3,7 @@ package main
 import (
 "fmt"
+ "github.com/aquasecurity/tracee/signatures/helpers"
 "github.com/aquasecurity/tracee/types/detect"
 "github.com/aquasecurity/tracee/types/protocol"
 "github.com/aquasecurity/tracee/types/trace"
@@ -34,6 +35,7 @@ func (sig *SyscallTableHooking) Init(ctx detect.SignatureContext) error {
 }
 func (sig *SyscallTableHooking) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&syscallTableHookingMetadata)
 return syscallTableHookingMetadata, nil
 }
diff --git a/signatures/golang/system_request_key_config_modification.go b/signatures/golang/system_request_key_config_modification.go
index bb80aa12832a..6fa64e18e15b 100644
--- a/signatures/golang/system_request_key_config_modification.go
+++ b/signatures/golang/system_request_key_config_modification.go
@@ -37,6 +37,7 @@ func (sig *SystemRequestKeyConfigModification) Init(ctx detect.SignatureContext)
 }
 func (sig *SystemRequestKeyConfigModification) GetMetadata() (detect.SignatureMetadata, error) {
+ helpers.CloneProperties(&systemRequestKeyConfigModificationMetadata)
 return systemRequestKeyConfigModificationMetadata, nil
 }
diff --git a/signatures/helpers/helpers.go b/signatures/helpers/helpers.go
index f137ec29bc9e..dd513907b348 100644
--- a/signatures/helpers/helpers.go
+++ b/signatures/helpers/helpers.go
@@ -2,8 +2,10 @@ package helpers
 import (
 "fmt"
+ "maps"
 "strings"
+ "github.com/aquasecurity/tracee/types/detect"
 "github.com/aquasecurity/tracee/types/trace"
 )
@@ -435,3 +437,9 @@ func GetProtoHTTPByName(
 return trace.ProtoHTTP{}, fmt.Errorf("protocol HTTP: type error (should be trace.ProtoHTTP, is %T)", arg.Value)
 }
+
+func CloneProperties(m *detect.SignatureMetadata) {
+ // do a shallow clone of Properties map getting a new reference
+ // avoiding leaking the original pointer
+ m.Properties = maps.Clone(m.Properties)
+}
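Review bot: `CloneProperties` in the last hunk of helpers.go modifies the struct it is handed rather than returning a detached copy, which is why each call site has to pass the address of its package-level metadata variable; it is also exported without a doc comment. A value-in, value-out helper (named `CloneMetadata` below as a suggestion) would let `GetMetadata` return an isolated copy without writing to shared state. The clone is shallow, so any map or slice stored as a property value stays shared with the original, and so would any other reference-typed field of `detect.SignatureMetadata`, whose definition is not on this page; the doc comment should state that limit.

```go
// CloneMetadata returns a copy of m whose Properties map is a new map
// holding the same keys and values (shallow clone). m is passed by value,
// so the caller's variable is never modified. Values that are themselves
// maps or slices remain shared with the original.
func CloneMetadata(m detect.SignatureMetadata) detect.SignatureMetadata {
	m.Properties = maps.Clone(m.Properties)
	return m
}
```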