Merge pull request #1566 from criblio/feat/remove-proc-arg

Support cmd line args when removing a proc from rules (#1158)
criblio · Jul 10, 2023 · 0d957a9 · 0d957a9
2 parents 9ac9162 + 411f38a
commit 0d957a9
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/cli/cmd/rules.go b/cli/cmd/rules.go
@@ -135,7 +135,7 @@ var rulesCmd = &cobra.Command{
 				util.ErrAndExit("Rules failure: %v", err)
 			}
 		} else if remProc != "" {
-			if err = rules.Remove(rulesFile, remProc, sourceid, rc.Rootdir, rc); err != nil {
+			if err = rules.Remove(rulesFile, remProc, procArg, sourceid, rc.Rootdir, rc); err != nil {
 				util.ErrAndExit("Rules failure: %v", err)
 			}
 		}

diff --git a/cli/rules/rules.go b/cli/rules/rules.go
@@ -189,7 +189,7 @@ func Add(rulesFile libscope.Rules, addProc, procArg, sourceid, rootdir string, r
 
 // Remove a process from the scope rules
 // Note: No matching of the 'arg' field intended for removal.
-func Remove(rulesFile libscope.Rules, remProc, sourceid, rootdir string, rc *run.Config) error {
+func Remove(rulesFile libscope.Rules, remProc, procArg, sourceid, rootdir string, rc *run.Config) error {
 
 	// Create a history directory for logs
 	rc.CreateWorkDirBasic("rules")
@@ -206,7 +206,7 @@ func Remove(rulesFile libscope.Rules, remProc, sourceid, rootdir string, rc *run
 	// (only if there are changes)
 	remove := -1
 	for i, entry := range rulesFile.Allow {
-		if entry.ProcName == remProc && entry.SourceId == sourceid {
+		if entry.ProcName == remProc && entry.SourceId == sourceid && entry.ProcArg == procArg {
 			remove = i
 		}
 	}

diff --git a/src/cfgutils.c b/src/cfgutils.c
@@ -3202,11 +3202,14 @@ processAllowProcCmdLineScalar(yaml_document_t *doc, yaml_node_t *node, void *ext
 
     rules_cfg_t *fCfg = (rules_cfg_t *)extData;
     const char *cmdline = (const char *)node->data.scalar.value;
-    if ((scope_strlen(cmdline) > 0) &&
-        (scope_strstr(fCfg->procCmdLine, cmdline)
-         || !scope_strcmp(MATCH_ALL_VAL, cmdline))) {
-        fCfg->status = PROC_ALLOWED;
-        fCfg->rulesMatch = TRUE;
+    if (scope_strlen(cmdline) > 0) { // an arg is specified in the rules file
+        if (scope_strstr(fCfg->procCmdLine, cmdline) || !scope_strcmp(MATCH_ALL_VAL, cmdline)) {
+            fCfg->status = PROC_ALLOWED;
+            fCfg->rulesMatch = TRUE;
+        } else {
+            fCfg->status = PROC_DENIED;
+            fCfg->rulesMatch = FALSE;
+        }
     }
 }