From b0922be2d2d0101429ab93922596df595b8b8cc6 Mon Sep 17 00:00:00 2001
From: Sean Valeo
Date: Tue, 27 Jun 2023 18:44:11 -0400
Subject: [PATCH 1/2] match arg on remove proc from rules

---
 cli/cmd/rules.go | 2 +-
 cli/rules/rules.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cli/cmd/rules.go b/cli/cmd/rules.go
index 53dfad55b..0647010bb 100644
--- a/cli/cmd/rules.go
+++ b/cli/cmd/rules.go
@@ -133,7 +133,7 @@ var rulesCmd = &cobra.Command{
 		if addProc != "" {
 			return rules.Add(rulesFile, addProc, procArg, sourceid, rc.Rootdir, rc)
 		} else if remProc != "" {
-			return rules.Remove(rulesFile, remProc, sourceid, rc.Rootdir, rc)
+			return rules.Remove(rulesFile, remProc, procArg, sourceid, rc.Rootdir, rc)
 		}
 
 		return nil
diff --git a/cli/rules/rules.go b/cli/rules/rules.go
index 5615db230..93f3995eb 100644
--- a/cli/rules/rules.go
+++ b/cli/rules/rules.go
@@ -186,7 +186,7 @@ func Add(rulesFile libscope.Rules, addProc, procArg, sourceid, rootdir string, r
 
 // Remove a process from the scope rules
 // Note: No matching of the 'arg' field intended for removal.
-func Remove(rulesFile libscope.Rules, remProc, sourceid, rootdir string, rc *run.Config) error {
+func Remove(rulesFile libscope.Rules, remProc, procArg, sourceid, rootdir string, rc *run.Config) error {
 	// Create a history directory for logs
 	rc.CreateWorkDirBasic("rules")
 
@@ -204,7 +204,7 @@ func Remove(rulesFile libscope.Rules, remProc, sourceid, rootdir string, rc *run
 	if allowList, ok := rulesFile["allow"]; ok {
 		remove := -1
 		for i, entry := range allowList {
-			if entry.ProcName == remProc && entry.SourceId == sourceid {
+			if entry.ProcName == remProc && entry.SourceId == sourceid && entry.ProcArg == procArg {
 				remove = i
 			}
 		}

From 411f38ad11c148154678a92110c3f17cf5cbdbbd Mon Sep 17 00:00:00 2001
From: Sean Valeo
Date: Mon, 10 Jul 2023 15:04:41 -0400
Subject: [PATCH 2/2] deny a process if the argument does not match

---
 src/cfgutils.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

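Review bot: The comment directly above the new signature, `// Note: No matching of the 'arg' field intended for removal.`, is contradicted by this change, since Remove now takes a procArg parameter and the matching loop later in the same function compares entry.ProcArg against it. Replace it with `// Note: an entry is removed only when its ProcName, SourceId and ProcArg all match the given values.` and mention the new parameter in the doc comment so the removal semantics stay discoverable from the code. The body of Remove continues outside the hunk.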
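Review bot: With `entry.ProcArg == procArg` added to the match, a call that leaves procArg empty now only removes entries whose ProcArg is also empty, so a rule that was added with an argument can no longer be removed by process name and source alone; if omitting the argument is meant to keep the old behaviour, the condition should read `if entry.ProcName == remProc && entry.SourceId == sourceid && (procArg == "" || entry.ProcArg == procArg) {`. Whether the CLI ever passes an empty procArg on remove is not visible in this hunk. Note also that the loop keeps overwriting `remove`, so when several entries match only the last one is removed; that predates this change but is worth a comment on the loop. Remove's body continues outside the hunk.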
diff --git a/src/cfgutils.c b/src/cfgutils.c
index c74c4de08..e1cae6da8 100644
--- a/src/cfgutils.c
+++ b/src/cfgutils.c
@@ -3202,11 +3202,14 @@ processAllowProcCmdLineScalar(yaml_document_t *doc, yaml_node_t *node, void *ext
     rules_cfg_t *fCfg = (rules_cfg_t *)extData;
     const char *cmdline = (const char *)node->data.scalar.value;
 
-    if ((scope_strlen(cmdline) > 0) &&
-        (scope_strstr(fCfg->procCmdLine, cmdline)
-        || !scope_strcmp(MATCH_ALL_VAL, cmdline))) {
-        fCfg->status = PROC_ALLOWED;
-        fCfg->rulesMatch = TRUE;
+    if (scope_strlen(cmdline) > 0) { // an arg is specified in the rules file
+        if (scope_strstr(fCfg->procCmdLine, cmdline) || !scope_strcmp(MATCH_ALL_VAL, cmdline)) {
+            fCfg->status = PROC_ALLOWED;
+            fCfg->rulesMatch = TRUE;
+        } else {
+            fCfg->status = PROC_DENIED;
+            fCfg->rulesMatch = FALSE;
+        }
     }
 }
 
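Review bot: The new else branch unconditionally writes PROC_DENIED and clears rulesMatch, so if this scalar callback runs once per allow entry for the same process (as its name suggests; the surrounding traversal is outside the hunk), a later entry whose arg does not match overwrites an allow already granted by an earlier entry, and the final decision depends on the order of entries in the rules file. If that is not intended, only deny when nothing has matched yet, e.g. `} else if (!fCfg->rulesMatch) {`, or have the caller settle the status after all entries have been evaluated. The unchanged `scope_strstr` substring test also means an arg rule matches anywhere inside the command line, so a short arg value allows more command lines than the rule author may expect; that is pre-existing but deserves a comment on the condition. processAllowProcCmdLineScalar begins outside the hunk.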