[CWS] export SECL related code to own package (#9628)

* [CWS] move SECL related files into own folder * [CWS] packagify the SECL package * [CWS] re-run go mod tidy * [CWS] fix dependency in tidy-all task * [CWS] run go generate * [CWS] improve go generate and add task * [CWS] run lints * [CWS] `secl_compiler` -> `compiler` * [CWS] run go generate * [CWS] revert wrong dependency upgrades * [CWS] add dependabot entry for new secl package * [CWS] fix dependabot file formatting
DataDog · Oct 25, 2021 · 6552cea · 6552cea
1 parent 336d77e
commit 6552cea
Show file tree

Hide file tree

Showing 112 changed files with 247 additions and 138 deletions.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -39,7 +39,7 @@ updates:
       - team/agent-platform
       - changelog/no-changelog
     milestone: 22
-    ignore: 
+    ignore:
       # Ignore internal modules
       - dependency-name: github.com/DataDog/datadog-agent/*
     schedule:
@@ -51,7 +51,7 @@ updates:
       - team/metrics-aggregation
       - changelog/no-changelog
     milestone: 22
-    ignore: 
+    ignore:
       # Ignore internal modules
       - dependency-name: github.com/DataDog/datadog-agent/*
     schedule:
@@ -63,7 +63,7 @@ updates:
       - team/agent-platform
       - changelog/no-changelog
     milestone: 22
-    ignore: 
+    ignore:
       - dependency-name: github.com/cihub/seelog
       # Ignore internal modules
       - dependency-name: github.com/DataDog/datadog-agent/*
@@ -76,7 +76,19 @@ updates:
       - team/agent-platform
       - changelog/no-changelog
     milestone: 22
-    ignore: 
+    ignore:
+      # Ignore internal modules
+      - dependency-name: github.com/DataDog/datadog-agent/*
+    schedule:
+      interval: weekly
+  - package-ecosystem: gomod
+    directory: /pkg/security/secl
+    labels:
+      - dependencies
+      - team/agent-security
+      - changelog/no-changelog
+    milestone: 22
+    ignore:
       # Ignore internal modules
       - dependency-name: github.com/DataDog/datadog-agent/*
     schedule:

diff --git a/LICENSE-3rdparty.csv b/LICENSE-3rdparty.csv
@@ -318,7 +318,6 @@ core,github.com/emicklei/go-restful-swagger12,MIT,Ernest Micklei
 core,github.com/emicklei/go-restful/log,MIT,Ernest Micklei
 core,github.com/evanphx/json-patch,BSD-3-Clause,Evan Phoenix
 core,github.com/fatih/color,MIT,Fatih Arslan
-core,github.com/fatih/structtag,BSD-3-Clause,Fatih Arslan | The Go Authors
 core,github.com/felixge/httpsnoop,MIT,Felix Geisendörfer (felix@debuggable.com)
 core,github.com/florianl/go-conntrack,MIT,Florian Lehner <dev@der-flo.net>
 core,github.com/florianl/go-conntrack/internal/unix,MIT,Florian Lehner <dev@der-flo.net>

diff --git a/cmd/security-agent/app/runtime.go b/cmd/security-agent/app/runtime.go
@@ -25,10 +25,10 @@ import (
 	secagent "github.com/DataDog/datadog-agent/pkg/security/agent"
 	secconfig "github.com/DataDog/datadog-agent/pkg/security/config"
 	securityLogger "github.com/DataDog/datadog-agent/pkg/security/log"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
 	sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/status/health"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 	ddgostatsd "github.com/DataDog/datadog-go/statsd"

diff --git a/go.mod b/go.mod
@@ -36,6 +36,7 @@ replace (
 replace (
 	github.com/DataDog/datadog-agent/pkg/otlp/model => ./pkg/otlp/model
 	github.com/DataDog/datadog-agent/pkg/quantile => ./pkg/quantile
+	github.com/DataDog/datadog-agent/pkg/security/secl => ./pkg/security/secl
 	github.com/DataDog/datadog-agent/pkg/util/log => ./pkg/util/log
 	github.com/DataDog/datadog-agent/pkg/util/winutil => ./pkg/util/winutil
 )
@@ -58,6 +59,7 @@ require (
 	github.com/DataDog/agent-payload v4.87.0+incompatible
 	github.com/DataDog/datadog-agent/pkg/otlp/model v0.32.0-rc.6
 	github.com/DataDog/datadog-agent/pkg/quantile v0.32.0-rc.6
+	github.com/DataDog/datadog-agent/pkg/security/secl v0.0.0-00010101000000-000000000000
 	github.com/DataDog/datadog-agent/pkg/util/log v0.32.0-rc.6
 	github.com/DataDog/datadog-agent/pkg/util/winutil v0.32.0-rc.6
 	github.com/DataDog/datadog-go v4.8.2+incompatible
@@ -107,7 +109,6 @@ require (
 	github.com/dustin/go-humanize v1.0.0
 	github.com/elastic/go-libaudit v0.4.0
 	github.com/fatih/color v1.13.0
-	github.com/fatih/structtag v1.2.0
 	github.com/florianl/go-conntrack v0.2.0
 	github.com/freddierice/go-losetup v0.0.0-20170407175016-fc9adea44124
 	github.com/go-ini/ini v1.62.0

diff --git a/go.sum b/go.sum
diff --git a/pkg/security/ebpf/map.go b/pkg/security/ebpf/map.go
@@ -11,7 +11,7 @@ import (
 	"bytes"
 	"encoding/binary"
 
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 )
 
 // BytesMapItem describes a raw table key or value

diff --git a/pkg/security/ebpf/probes/event_types.go b/pkg/security/ebpf/probes/event_types.go
@@ -10,7 +10,7 @@ package probes
 import (
 	manager "github.com/DataDog/ebpf-manager"
 
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
 )
 
 // SyscallMonitorSelectors is the list of probes that should be activated for the syscall monitor feature

diff --git a/pkg/security/ebpf/probes/raw_sys_exit.go b/pkg/security/ebpf/probes/raw_sys_exit.go
@@ -8,7 +8,7 @@
 package probes
 
 import (
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	manager "github.com/DataDog/ebpf-manager"
 )
 

diff --git a/pkg/security/module/module.go b/pkg/security/module/module.go
@@ -33,10 +33,10 @@ import (
 	skernel "github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
 	seclog "github.com/DataDog/datadog-agent/pkg/security/log"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
 	sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/util/kernel"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 	"github.com/DataDog/datadog-agent/pkg/version"

diff --git a/pkg/security/module/rate_limiter.go b/pkg/security/module/rate_limiter.go
@@ -15,7 +15,7 @@ import (
 	"golang.org/x/time/rate"
 
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 )
 
 const (

diff --git a/pkg/security/module/self_tester.go b/pkg/security/module/self_tester.go
@@ -17,8 +17,8 @@ import (
 	"time"
 
 	"github.com/DataDog/datadog-agent/pkg/security/probe"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 	"github.com/pkg/errors"
 )

diff --git a/pkg/security/module/server.go b/pkg/security/module/server.go
@@ -24,7 +24,7 @@ import (
 	seclog "github.com/DataDog/datadog-agent/pkg/security/log"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
 	sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 	"github.com/DataDog/datadog-agent/pkg/version"
 )

diff --git a/pkg/security/probe/accessors.go b/pkg/security/probe/accessors.go
diff --git a/pkg/security/probe/applier.go b/pkg/security/probe/applier.go
@@ -11,8 +11,8 @@ import (
 	"math"
 
 	"github.com/DataDog/datadog-agent/pkg/security/config"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 	"github.com/pkg/errors"
 )

diff --git a/pkg/security/probe/approvers.go b/pkg/security/probe/approvers.go
@@ -11,9 +11,9 @@ import (
 	"path"
 
 	"github.com/DataDog/datadog-agent/pkg/security/ebpf"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 )
 
 type onApproverHandler func(probe *Probe, approvers rules.Approvers) (activeApprovers, error)

diff --git a/pkg/security/probe/capabilities.go b/pkg/security/probe/capabilities.go
@@ -11,8 +11,8 @@ import (
 	"path"
 	"strings"
 
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 )
 
 // allCapabilities hold all the supported filtering capabilities

diff --git a/pkg/security/probe/custom_events.go b/pkg/security/probe/custom_events.go
@@ -13,9 +13,9 @@ import (
 	"encoding/json"
 	"time"
 
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/hashicorp/go-multierror"
 )
 

diff --git a/pkg/security/probe/dentry_resolver.go b/pkg/security/probe/dentry_resolver.go
@@ -24,7 +24,7 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/security/ebpf"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 )
 

diff --git a/pkg/security/probe/discarders.go b/pkg/security/probe/discarders.go
@@ -24,9 +24,9 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/security/ebpf"
 	seclog "github.com/DataDog/datadog-agent/pkg/security/log"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 

diff --git a/pkg/security/probe/kfilters_test.go b/pkg/security/probe/kfilters_test.go
@@ -13,9 +13,9 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/security/log"
 
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/hashicorp/golang-lru/simplelru"
 )
 

diff --git a/pkg/security/probe/load_controller.go b/pkg/security/probe/load_controller.go
@@ -19,7 +19,7 @@ import (
 
 	seclog "github.com/DataDog/datadog-agent/pkg/security/log"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 

diff --git a/pkg/security/probe/model.go b/pkg/security/probe/model.go
@@ -16,8 +16,8 @@ import (
 	"time"
 
 	pconfig "github.com/DataDog/datadog-agent/pkg/process/config"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 )
 
 const (

diff --git a/pkg/security/probe/model_test.go b/pkg/security/probe/model_test.go
@@ -12,8 +12,8 @@ import (
 	"sort"
 	"testing"
 
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 )
 
 func TestPathValidation(t *testing.T) {

diff --git a/pkg/security/probe/mount_resolver.go b/pkg/security/probe/mount_resolver.go
@@ -22,7 +22,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	skernel "github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	"github.com/DataDog/datadog-agent/pkg/util/kernel"
 )
 

diff --git a/pkg/security/probe/mount_resolver_test.go b/pkg/security/probe/mount_resolver_test.go
@@ -14,7 +14,7 @@ import (
 
 	"gotest.tools/assert"
 
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 )
 
 func TestMountResolver(t *testing.T) {

diff --git a/pkg/security/probe/open.go b/pkg/security/probe/open.go
@@ -10,9 +10,9 @@ package probe
 import (
 	"fmt"
 
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 )
 
 var openCapabilities = Capabilities{

diff --git a/pkg/security/probe/perf_buffer_monitor.go b/pkg/security/probe/perf_buffer_monitor.go
@@ -18,7 +18,7 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/security/ebpf/probes"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )

diff --git a/pkg/security/probe/probe.go b/pkg/security/probe/probe.go
@@ -31,9 +31,9 @@ import (
 	"github.com/DataDog/datadog-agent/pkg/security/ebpf/probes"
 	seclog "github.com/DataDog/datadog-agent/pkg/security/log"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )

diff --git a/pkg/security/probe/probe_monitor.go b/pkg/security/probe/probe_monitor.go
@@ -18,7 +18,7 @@ import (
 
 	seclog "github.com/DataDog/datadog-agent/pkg/security/log"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 

diff --git a/pkg/security/probe/process_resolver.go b/pkg/security/probe/process_resolver.go
@@ -29,7 +29,7 @@ import (
 	"github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
 	seclog "github.com/DataDog/datadog-agent/pkg/security/log"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 )
 

diff --git a/pkg/security/probe/report.go b/pkg/security/probe/report.go
@@ -8,8 +8,8 @@
 package probe
 
 import (
-	"github.com/DataDog/datadog-agent/pkg/security/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 )
 
 // PolicyReport describes the result of the kernel policy and the approvers for an event type

diff --git a/pkg/security/probe/resolvers.go b/pkg/security/probe/resolvers.go
@@ -18,7 +18,7 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/DataDog/datadog-agent/pkg/security/config"
-	"github.com/DataDog/datadog-agent/pkg/security/model"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )

diff --git a/pkg/security/probe/serializers.go b/pkg/security/probe/serializers.go
@@ -15,8 +15,8 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/DataDog/datadog-agent/pkg/security/model"
-	"github.com/DataDog/datadog-agent/pkg/security/secl/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 )
 
 // Event categories for JSON serialization