From 1a0dcb1f4cb32cb9e188d723a5c5f943b8bca762 Mon Sep 17 00:00:00 2001
From: Yoann Ghigoff
Date: Fri, 11 Oct 2024 12:07:10 +0200
Subject: [PATCH 1/2] [CWS] Reset rule disarmers only after a new ruleset is loaded (#30030)

(cherry picked from commit f4e705ef64e1001251d777600efea372dbd9af69)
---
 pkg/security/probe/probe.go | 8 +++++++-
 pkg/security/probe/probe_ebpf.go | 7 +++++--
 pkg/security/probe/probe_ebpfless.go | 8 ++++++--
 pkg/security/probe/probe_windows.go | 7 +++++--
 pkg/security/probe/process_killer.go | 4 ++--
 pkg/security/rules/engine.go | 3 +++
 6 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/pkg/security/probe/probe.go b/pkg/security/probe/probe.go
index 0f550b77dec2c..d22c41504a49a 100644
--- a/pkg/security/probe/probe.go
+++ b/pkg/security/probe/probe.go
@@ -47,6 +47,7 @@ type PlatformProbe interface {
 DumpDiscarders() (string, error)
 FlushDiscarders() error
 ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
+ OnNewRuleSetLoaded(_ *rules.RuleSet)
 OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)
 HandleActions(_ *eval.Context, _ *rules.Rule)
 NewEvent() *model.Event
@@ -229,10 +230,15 @@ func (p *Probe) FlushDiscarders() error {
 
 // ApplyRuleSet setup the probes for the provided set of rules and returns the policy report.
 func (p *Probe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
+ return p.PlatformProbe.ApplyRuleSet(rs)
+}
+
+// OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded
+func (p *Probe) OnNewRuleSetLoaded(rs *rules.RuleSet) {
 p.ruleActionStatsLock.Lock()
 clear(p.ruleActionStats)
 p.ruleActionStatsLock.Unlock()
- return p.PlatformProbe.ApplyRuleSet(rs)
+ p.PlatformProbe.OnNewRuleSetLoaded(rs)
 }
 
 // Snapshot runs the different snapshot functions of the resolvers that
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
index 6a23376e49248..26e83231c4293 100644
--- a/pkg/security/probe/probe_ebpf.go
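Review bot: The `OnNewRuleSetLoaded(_ *rules.RuleSet)` method added to the `PlatformProbe` interface has no doc comment, yet the ordering contract it introduces (it is invoked separately from, and after, `ApplyRuleSet`) is the whole point of this change, so implementers of new platforms have nothing here telling them what state belongs in it. A one-liner would do: `// OnNewRuleSetLoaded is called once a new rule set has been fully loaded; per-rule-set state (e.g. the process killer) is reset here rather than in ApplyRuleSet.` The neighbouring interface methods in this hunk are undocumented as well, so this would be the first commented one in the visible stretch, but the implicit ordering dependency justifies it. The `PlatformProbe` interface starts and ends outside this hunk.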
+++ b/pkg/security/probe/probe_ebpf.go
@@ -1601,8 +1601,6 @@ func (p *EBPFProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetRepor
 // activity dump & security profiles
 needRawSyscalls := p.isNeededForActivityDump(model.SyscallsEventType.String())
 
- p.processKiller.Apply(rs)
-
 // kill action
 if p.config.RuntimeSecurity.EnforcementEnabled && isKillActionPresent(rs) {
 if !p.config.RuntimeSecurity.EnforcementRawSyscallEnabled {
@@ -1640,6 +1638,11 @@ func (p *EBPFProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetRepor
 return ars, nil
 }
 
+// OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded
+func (p *EBPFProbe) OnNewRuleSetLoaded(rs *rules.RuleSet) {
+ p.processKiller.Reset(rs)
+}
+
 // NewEvent returns a new event
 func (p *EBPFProbe) NewEvent() *model.Event {
 return NewEBPFEvent(p.fieldHandlers)
diff --git a/pkg/security/probe/probe_ebpfless.go b/pkg/security/probe/probe_ebpfless.go
index 8cdd164cb3655..ec7a807e2360a 100644
--- a/pkg/security/probe/probe_ebpfless.go
+++ b/pkg/security/probe/probe_ebpfless.go
@@ -580,11 +580,15 @@ func (p *EBPFLessProbe) FlushDiscarders() error {
 }
 
 // ApplyRuleSet applies the new ruleset
-func (p *EBPFLessProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
- p.processKiller.Apply(rs)
+func (p *EBPFLessProbe) ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
 return &kfilters.ApplyRuleSetReport{}, nil
 }
 
+// OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded
+func (p *EBPFLessProbe) OnNewRuleSetLoaded(rs *rules.RuleSet) {
+ p.processKiller.Reset(rs)
+}
+
 // HandleActions handles the rule actions
 func (p *EBPFLessProbe) HandleActions(ctx *eval.Context, rule *rules.Rule) {
 ev := ctx.Event.(*model.Event)
diff --git a/pkg/security/probe/probe_windows.go b/pkg/security/probe/probe_windows.go
index 2f4ded01234e4..22b0ab6dd6a49 100644
--- a/pkg/security/probe/probe_windows.go
+++ b/pkg/security/probe/probe_windows.go
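Review bot: In the first `probe_ebpf.go` hunk, `ApplyRuleSet` still evaluates `isKillActionPresent(rs)` (which appears to feed the raw-syscall enforcement decision just below it), while the process killer's own kill/disarmer detection has moved out of this function into `ProcessKiller.Reset` and now runs later, from `OnNewRuleSetLoaded`; the two evaluations of the same rule set are therefore no longer adjacent and can drift if one is edited without the other. A comment at the `// kill action` check would make the coupling explicit: `// kill action; kept in sync with ProcessKiller.Reset, which re-derives the kill/disarmer state once the rule set is loaded`. The body of `ApplyRuleSet` begins and ends outside this hunk, so whether anything else in it still depends on the removed `Apply` call cannot be confirmed from here.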
@@ -1263,8 +1263,6 @@ func (p *WindowsProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetRe
 }
 }
 
- p.processKiller.Apply(rs)
-
 ars, err := kfilters.NewApplyRuleSetReport(p.config.Probe, rs)
 if err != nil {
 return nil, err
@@ -1289,6 +1287,11 @@ func (p *WindowsProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetRe
 return ars, nil
 }
 
+// OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded
+func (p *WindowsProbe) OnNewRuleSetLoaded(rs *rules.RuleSet) {
+ p.processKiller.Reset(rs)
+}
+
 // FlushDiscarders invalidates all the discarders
 func (p *WindowsProbe) FlushDiscarders() error {
 p.discardedPaths.Purge()
diff --git a/pkg/security/probe/process_killer.go b/pkg/security/probe/process_killer.go
index ab0c9c5333000..4e61f1d147418 100644
--- a/pkg/security/probe/process_killer.go
+++ b/pkg/security/probe/process_killer.go
@@ -267,8 +267,8 @@ func (p *ProcessKiller) KillAndReport(kill *rules.KillDefinition, rule *rules.Ru
 return true
 }
 
-// Apply applies to ruleset to the process killer
-func (p *ProcessKiller) Apply(rs *rules.RuleSet) {
+// Reset the state and statistics of the process killer
+func (p *ProcessKiller) Reset(rs *rules.RuleSet) {
 if p.cfg.RuntimeSecurity.EnforcementEnabled {
 var ruleSetHasKillAction bool
 var rulesetHasKillDisarmer bool
diff --git a/pkg/security/rules/engine.go b/pkg/security/rules/engine.go
index 6992f83dc23a6..16a0d00297974 100644
--- a/pkg/security/rules/engine.go
+++ b/pkg/security/rules/engine.go
@@ -333,6 +333,9 @@ func (e *RuleEngine) LoadPolicies(providers []rules.PolicyProvider, sendLoadedRe
 return fmt.Errorf("failed to flush discarders: %w", err)
 }
 
+ // reset the probe process killer state once the new ruleset is loaded
+ e.probe.OnNewRuleSetLoaded(rs)
+
 content, _ := json.Marshal(report)
 seclog.Debugf("Policy report: %s", content)
 

From b403c11e9f9ac1cec418bb2d046581d2a671c2c4 Mon Sep 17 00:00:00 2001
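Review bot: The replacement doc comment in the `process_killer.go` hunk, `// Reset the state and statistics of the process killer`, no longer starts with the function name as a sentence, which is what godoc expects and what the removed `// Apply applies ...` line did. `// Reset recomputes the process killer's state and statistics from the newly loaded rule set rs.` keeps the convention and says why `rs` is still a parameter. The rename is otherwise body-identical as far as the hunk shows (only the `EnforcementEnabled` guard and the two flag declarations are visible; the function continues outside the hunk), so the behavioural change of this commit lives entirely in the call site moving from `ApplyRuleSet` to `OnNewRuleSetLoaded`.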
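Review bot: In the `engine.go` hunk, `e.probe.OnNewRuleSetLoaded(rs)` sits after the `FlushDiscarders` error return, so when flushing fails `LoadPolicies` exits with the process killer still holding the state derived from the previous rule set; if `ApplyRuleSet` has already run earlier in this function (outside the hunk), the new kill rules are then active while the disarmer state belongs to the old rule set until the next successful load. If that is the intended semantics of "reset only after a new ruleset is loaded", the new comment should say so: `// reset the probe process killer state once the new ruleset is fully loaded; intentionally skipped on the error paths above, so a failed load keeps the previous killer state`. Otherwise the reset should also happen on the error path, or the call should move before the flush. The enclosing `LoadPolicies` starts and ends outside this hunk.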
From: YoannGh
Date: Fri, 11 Oct 2024 13:44:06 +0200
Subject: [PATCH 2/2] fix MacOS build

---
 pkg/security/probe/probe_others.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/security/probe/probe_others.go b/pkg/security/probe/probe_others.go
index 5e12a021aa871..6112ab5b188c5 100644
--- a/pkg/security/probe/probe_others.go
+++ b/pkg/security/probe/probe_others.go
@@ -67,6 +67,10 @@ func (p *Probe) ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, er
 return nil, nil
 }
 
+// OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded
+func (p *Probe) OnNewRuleSetLoaded(_ *rules.RuleSet) {
+}
+
 // OnNewDiscarder is called when a new discarder is found. We currently don't generate discarders on Windows.
 func (p *Probe) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType) {
 }
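Review bot: The comment `// OnNewRuleSetLoaded resets statistics and states once a new rule set is loaded` is copied from the platform implementations in the first patch, but here the body is empty, so the comment promises a reset that does not occur on this build and a reader of `probe_others.go` alone would assume disarmer state is being cleared. Document what the stub actually does: `// OnNewRuleSetLoaded is a no-op on this platform.` The surrounding `ApplyRuleSet` and `OnNewDiscarder` stubs are pre-existing and the former's body is not fully visible in the hunk.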