[CWS] Resolve file path before performing a hash action (#46012)

### What does this PR do?

Force a file path resolution when performing a hash action.

### Motivation

Otherwise the path is empty for rules like the following and the hash computation just fails:

```yaml
id: hash_open
expression: open.flags&O_CREAT == O_CREAT
actions:
  - hash:
      field: open.file
```

### Describe how you validated your changes

### Additional Notes


Co-authored-by: yoann.ghigoff <yoann.ghigoff@datadoghq.com>

Author: YoannGh

pkg/security/probe/file_hasher.go

@@ -17,7 +17,6 @@ import (
 	"github.com/DataDog/datadog-agent/pkg/security/resolvers/hash"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
-	"github.com/DataDog/datadog-agent/pkg/security/seclog"
 	"github.com/DataDog/datadog-agent/pkg/security/utils"
 )
 
@@ -93,19 +92,11 @@ func (p *FileHasher) HandleProcessExited(event *model.Event) {
 }
 
 // HashAndReport hash and report, returns true if the hash computation is supported for the given event
-func (p *FileHasher) HashAndReport(rule *rules.Rule, action *rules.HashDefinition, ev *model.Event) bool {
-	eventType := ev.GetEventType()
-
+func (p *FileHasher) HashAndReport(rule *rules.Rule, action *rules.HashDefinition, ev *model.Event, fileEvent *model.FileEvent) bool {
 	if !p.cfg.RuntimeSecurity.HashResolverEnabled {
 		return false
 	}
 
-	fileEvent, err := ev.GetFileField(action.Field)
-	if err != nil {
-		seclog.Errorf("failed to get file field %s: %v", action.Field, err)
-		return false
-	}
-
 	if ev.ProcessContext.Pid == utils.Getpid() {
 		return false
 	}
@@ -124,7 +115,7 @@ func (p *FileHasher) HashAndReport(rule *rules.Rule, action *rules.HashDefinitio
 		maxFileSize: action.MaxFileSize,
 		seenAt:      ev.ResolveEventTime(),
 		fileEvent:   *fileEvent,
-		eventType:   eventType,
+		eventType:   ev.GetEventType(),
 	}
 	ev.ActionReports = append(ev.ActionReports, report)
 	p.pendingReports = append(p.pendingReports, report)

pkg/security/probe/probe_ebpf.go

@@ -3420,7 +3420,17 @@ func (p *EBPFProbe) HandleActions(ctx *eval.Context, rule *rules.Rule) {
 				p.probe.onRuleActionPerformed(rule, action.Def)
 			}
 		case action.Def.Hash != nil:
-			if p.fileHasher.HashAndReport(rule, action.Def.Hash, ev) {
+			fileEvent, err := ev.GetFileField(action.Def.Hash.Field)
+			if err != nil {
+				seclog.Errorf("failed to get file field %s: %v", action.Def.Hash.Field, err)
+				continue
+			}
+
+			if p.fieldHandlers.ResolveFilePath(ev, fileEvent) == "" {
+				continue
+			}
+
+			if p.fileHasher.HashAndReport(rule, action.Def.Hash, ev, fileEvent) {
 				p.probe.onRuleActionPerformed(rule, action.Def)
 			}
 		case action.Def.NetworkFilter != nil:

pkg/security/probe/probe_ebpfless.go

@@ -667,7 +667,17 @@ func (p *EBPFLessProbe) HandleActions(ctx *eval.Context, rule *rules.Rule) {
 				p.probe.onRuleActionPerformed(rule, action.Def)
 			}
 		case action.Def.Hash != nil:
-			if p.fileHasher.HashAndReport(rule, action.Def.Hash, ev) {
+			fileEvent, err := ev.GetFileField(action.Def.Hash.Field)
+			if err != nil {
+				seclog.Errorf("failed to get file field %s: %v", action.Def.Hash.Field, err)
+				continue
+			}
+
+			if p.fieldHandlers.ResolveFilePath(ev, fileEvent) == "" {
+				continue
+			}
+
+			if p.fileHasher.HashAndReport(rule, action.Def.Hash, ev, fileEvent) {
 				p.probe.onRuleActionPerformed(rule, action.Def)
 			}
 		}

pkg/security/tests/action_test.go

@@ -785,6 +785,79 @@ func TestActionHash(t *testing.T) {
 		}, retry.Delay(500*time.Millisecond), retry.Attempts(30), retry.DelayType(retry.FixedDelay))
 		assert.NoError(t, err)
 	})
+
+	t.Run("open-force-path", func(t *testing.T) {
+		// test that we correctly force a path resolution when we run the hash action
+		newRuleDefs := []*rules.RuleDefinition{
+			{
+				ID:         "hash_action_open_no_path",
+				Expression: `open.flags&O_CREAT == O_CREAT && process.file.name == "syscall_tester"`,
+				Actions: []*rules.ActionDefinition{
+					{
+						Hash: &rules.HashDefinition{
+							Field: "open.file",
+						},
+					},
+				},
+			},
+		}
+
+		// Set the new policy and reload (without closing/restarting the module)
+		// On reload, exec events are replayed for running processes, so the kill rule should trigger
+		if err := setTestPolicy(commonCfgDir, nil, newRuleDefs); err != nil {
+			t.Fatalf("failed to set new policy: %v", err)
+		}
+
+		err := test.reloadPolicies()
+		if err != nil {
+			t.Fatalf("failed to reload policies: %v", err)
+		}
+
+		test.msgSender.flush()
+		test.WaitSignalFromRule(t, func() error {
+			go func() {
+				timeoutCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+				defer cancel()
+
+				if err := runSyscallTesterFunc(
+					timeoutCtx, t, syscallTester,
+					"slow-write", "2", testFile, "aaa",
+				); err != nil {
+					t.Error(err)
+				}
+
+				done <- true
+			}()
+			return nil
+		}, func(_ *model.Event, rule *rules.Rule) {
+			assertTriggeredRule(t, rule, "hash_action_open_no_path")
+		}, "hash_action_open_no_path")
+
+		err = retry.Do(func() error {
+			msg := test.msgSender.getMsg("hash_action_open_no_path")
+			if msg == nil {
+				return errors.New("not found")
+			}
+			validateMessageSchema(t, string(msg.Data))
+
+			jsonPathValidation(test, msg.Data, func(_ *testModule, obj interface{}) {
+				if el, err := jsonpath.JsonPathLookup(obj, `$.agent.rule_actions[?(@.state == 'Done')]`); err != nil || el == nil || len(el.([]interface{})) == 0 {
+					t.Errorf("element not found %s => %v", string(msg.Data), err)
+				}
+				if el, err := jsonpath.JsonPathLookup(obj, `$.agent.rule_actions[?(@.trigger == 'process_exit')]`); err != nil || el == nil || len(el.([]interface{})) == 0 {
+					t.Errorf("element not found %s => %v", string(msg.Data), err)
+				}
+				if el, err := jsonpath.JsonPathLookup(obj, `$.file.hashes`); err != nil || el == nil || len(el.([]interface{})) == 0 {
+					t.Errorf("element not found %s => %v", string(msg.Data), err)
+				}
+			})
+
+			return nil
+		}, retry.Delay(500*time.Millisecond), retry.Attempts(30), retry.DelayType(retry.FixedDelay))
+		assert.NoError(t, err)
+
+		<-done
+	})
 }
 
 func TestActionKillWithSignature(t *testing.T) {