diff --git a/.github/actions/install-llvm/action.yaml b/.github/actions/install-llvm/action.yaml
new file mode 100644
index 0000000..eb39726
--- /dev/null
+++ b/.github/actions/install-llvm/action.yaml
@@ -0,0 +1,10 @@
+name: 'Install LLVM Dependencies'
+description: 'Install LLVM and Clang dependencies'
+runs:
+ using: composite
+ steps:
+ - name: Install llvm deps
+ shell: bash
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y clang cmake build-essential llvm-dev libclang-dev
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..213b04e
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,30 @@
+version: 2
+updates:
+
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ cooldown:
+ default-days: 7
+ groups:
+ actions-updates:
+ dependency-type: "production"
+ applies-to: "version-updates"
+ actions-dev-updates:
+ dependency-type: "development"
+ applies-to: "version-updates"
+
+- package-ecosystem: "cargo"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ cooldown:
+ default-days: 7
+ groups:
+ cargo-updates:
+ dependency-type: "production"
+ applies-to: "version-updates"
+ cargo-dev-updates:
+ dependency-type: "development"
+ applies-to: "version-updates"
diff --git a/.github/workflows/ci-actions.yaml b/.github/workflows/ci-actions.yaml
new file mode 100644
index 0000000..f6b3440
--- /dev/null
+++ b/.github/workflows/ci-actions.yaml
@@ -0,0 +1,43 @@
+name: GitHub Actions Security Analysis
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions:
+ contents: read # Default token to read
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Needed to write security events to github
+ contents: read # Needed to read clone repo
+ actions: read # Needed to read actions
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: Checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
+
+ - name: Run zizmor
+ run: uvx zizmor --pedantic --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+ with:
+ sarif_file: results.sarif
+ category: zizmor
diff --git a/.github/workflows/ci-code.yaml b/.github/workflows/ci-code.yaml
new file mode 100644
index 0000000..1df1ccb
--- /dev/null
+++ b/.github/workflows/ci-code.yaml
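Review bot: The `Upload SARIF file` step at the end of the `zizmor` job has no `if: always()`, so on any non-zero exit from `uvx zizmor --pedantic --format sarif . > results.sarif` — which, if zizmor's default exit-code policy still applies, is precisely the case where it found something — the job stops before the upload and the Security tab never receives the findings. Add `if: always()` to the upload step (the redirect has already written `results.sarif` on that path) or pass `--no-exit-codes` and let the uploaded SARIF be the signal. Separately, `uvx zizmor` resolves to whatever is newest on PyPI at run time, which is out of step with every action in this file being pinned to a commit SHA; `uvx zizmor@<version>` would put the analyzer itself under the same pinning discipline. The `GH_TOKEN` env is only needed for zizmor's online audits; if those are not wanted, `--offline` lets the token be dropped from the step.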
@@ -0,0 +1,91 @@
+name: Lint and Test Code
+
+on:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - src/**
+ - Cargo.*
+ - rust-toolchain.toml
+ - .github/workflows/ci-code.yaml
+
+permissions:
+ contents: read # Default token to read
+
+jobs:
+ rustfmt:
+ name: rustfmt
+ runs-on: ubuntu-latest
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ submodules: recursive
+ persist-credentials: false
+
+ - name: Install llvm deps
+ uses: ./.github/actions/install-llvm
+
+ - name: 'cargo fmt'
+ run: cargo fmt --all -- --check
+
+ full-build:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ arch:
+ - x86_64
+ env:
+ TARGET_ARCH: "${{ matrix.arch }}"
+ name: 'Full build linux-${{ matrix.arch }}'
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ submodules: recursive
+ persist-credentials: false
+
+ - name: Install llvm deps
+ uses: ./.github/actions/install-llvm
+
+ - name: cargo build
+ run: cargo build
+
+ clippy:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ arch:
+ - x86_64
+ env:
+ TARGET_ARCH: "${{ matrix.arch }}"
+ name: 'Full clippy linux-${{ matrix.arch }}'
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ submodules: recursive
+ persist-credentials: false
+
+ - name: Install llvm deps
+ uses: ./.github/actions/install-llvm
+
+ - name: 'cargo clippy'
+ run: cargo clippy
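Review bot: The `clippy` job ends with a bare `cargo clippy`, which reports lints as warnings and exits 0, so the job goes green no matter what clippy finds; it should be `run: cargo clippy -- -D warnings` so lints block merges the way `cargo fmt --all -- --check` already does for formatting. The workflow is named "Lint and Test Code" but no job runs `cargo test`, so either a test job is missing or the name is. Two smaller points: `TARGET_ARCH` is exported from the matrix in `full-build` and `clippy` but none of the visible commands read it, and the `rustfmt` job pulls in the whole LLVM/clang install for `cargo fmt`, which does not need it.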
diff --git a/src/base_plugin/mod.rs b/src/base_plugin/mod.rs
index 99f2c62..6b90e87 100644
--- a/src/base_plugin/mod.rs
+++ b/src/base_plugin/mod.rs
@@ -1,3 +1,7 @@
+use crate::proto::generated::protect::control::v1::{
+ ZoneKernelFdInfo, ZoneKernelSyscallEvent, ZoneKernelThreadInfo,
+ zone_kernel_fd_info_data::InfoType,
+};
 use anyhow::{Error, Result, anyhow};
 use dns_lookup::lookup_addr;
 use falco_event::events::Event;
@@ -14,10 +18,6 @@ use libscap_bindings::types::{
 };
 use log::info;
 use prost::Message;
-use crate::proto::generated::protect::control::v1::{
- ZoneKernelFdInfo, ZoneKernelSyscallEvent, ZoneKernelThreadInfo,
- zone_kernel_fd_info_data::InfoType,
-};
 use std::collections::{HashMap, HashSet};
 use std::ffi::{CStr, CString};
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
diff --git a/src/lib.rs b/src/lib.rs
index f4599ab..e086d8a 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -2,9 +2,9 @@ mod base_plugin;
 mod extract_plugin;
 mod parse_plugin;
 mod parsers;
+mod proto;
 mod source_plugin;
 mod threadstate;
-mod proto;
 use falco_plugin::{extract_plugin, parse_plugin, plugin, source_plugin};
diff --git a/src/parse_plugin/mod.rs b/src/parse_plugin/mod.rs
index 7f39460..be7dae4 100644
--- a/src/parse_plugin/mod.rs
+++ b/src/parse_plugin/mod.rs
@@ -1,10 +1,10 @@
+use crate::proto::generated::protect::control::v1::ZoneKernelSyscallEvent;
 use anyhow::Result;
 use falco_event::events::Event;
 use falco_plugin::parse::{EventInput as ParseEventInput, ParseInput, ParsePlugin};
 use falco_plugin::source::PluginEvent;
 use log::{debug, error, warn};
 use prost::Message;
-use crate::proto::generated::protect::control::v1::ZoneKernelSyscallEvent;
 use crate::{EderaPlugin, threadstate};
diff --git a/src/parsers.rs b/src/parsers.rs
index 7568176..935c457 100644
--- a/src/parsers.rs
+++ b/src/parsers.rs
@@ -1,13 +1,13 @@
+use crate::proto::generated::protect::control::v1::ZoneKernelFdInfo;
+use crate::proto::generated::protect::control::v1::{
+ ZoneKernelSyscallEvent, ZoneKernelThreadInfo, zone_kernel_fd_info_data::InfoType,
+};
 use anyhow::{Result, anyhow};
 use libscap_bindings::consts as ppm_consts;
 use libscap_bindings::types::{
 ppm_event_code as event_codes, ppm_event_flags as event_flags, scap_l4_proto as l4_types,
 };
 use log::error;
-use crate::proto::generated::protect::control::v1::ZoneKernelFdInfo;
-use crate::proto::generated::protect::control::v1::{
- ZoneKernelSyscallEvent, ZoneKernelThreadInfo, zone_kernel_fd_info_data::InfoType,
-};
 use std::ffi::CStr;
 use std::fs::File;
 use std::io::{BufRead, BufReader};
diff --git a/src/source_plugin/client/edera_client/client.rs b/src/source_plugin/client/edera_client/client.rs
index 04e6165..e6a01de 100644
--- a/src/source_plugin/client/edera_client/client.rs
+++ b/src/source_plugin/client/edera_client/client.rs
@@ -1,10 +1,10 @@
 use super::dial::ControlDialAddress;
 #[cfg(unix)]
 use super::unix::HyperUnixConnector;
-use anyhow::{Result, bail};
+use crate::proto::generated::protect::control::v1::control_service_client::ControlServiceClient;
 #[cfg(not(unix))]
 use anyhow::anyhow;
-use crate::proto::generated::protect::control::v1::control_service_client::ControlServiceClient;
+use anyhow::{Result, bail};
 use tonic::transport::{Channel, Endpoint};
 pub struct ControlClientProvider {}
diff --git a/src/source_plugin/client/edera_client/events.rs b/src/source_plugin/client/edera_client/events.rs
index ce9679b..9d646b4 100644
--- a/src/source_plugin/client/edera_client/events.rs
+++ b/src/source_plugin/client/edera_client/events.rs
@@ -1,11 +1,11 @@
 use std::{sync::Arc, time::Duration};
-use anyhow::Result;
-use log::{error, trace, warn};
 use crate::proto::generated::protect::control::v1::{
 WatchEventsReply, WatchEventsRequest, control_service_client::ControlServiceClient,
 watch_events_reply::Event,
 };
+use anyhow::Result;
+use log::{error, trace, warn};
 use tokio::{sync::broadcast, task::JoinHandle, time::sleep};
 use tokio_stream::StreamExt;
 use tonic::{Streaming, transport::Channel};
diff --git a/src/source_plugin/client/edera_client/zone_watcher.rs b/src/source_plugin/client/edera_client/zone_watcher.rs
index cfcf781..79a91bc 100644
--- a/src/source_plugin/client/edera_client/zone_watcher.rs
+++ b/src/source_plugin/client/edera_client/zone_watcher.rs
@@ -1,10 +1,10 @@
 use super::events::EventStream;
-use anyhow::Result;
-use log::warn;
 use crate::proto::generated::protect::control::v1::{
 ListZonesRequest, Zone, ZoneState, control_service_client::ControlServiceClient,
 watch_events_reply::Event,
 };
+use anyhow::Result;
+use log::warn;
 use std::{collections::HashMap, str::FromStr, time::Duration};
 use tokio::{select, sync::broadcast::Receiver, time::sleep};
 use tonic::transport::Channel;
@@ -90,5 +90,4 @@ impl ZoneWatcher {
 }
 Ok(())
 }
-
 }
diff --git a/src/source_plugin/client/mod.rs b/src/source_plugin/client/mod.rs
index 64f7d27..9580606 100644
--- a/src/source_plugin/client/mod.rs
+++ b/src/source_plugin/client/mod.rs
@@ -1,9 +1,6 @@
 use anyhow::Result;
 use async_stream::stream;
-use edera_client::{
- client::ControlClientProvider, dial::ControlDialAddress, events::EventStream,
-};
 use crate::proto::generated::protect::control::v1::{
 MonitorZoneKernelEventReply, MonitorZoneKernelEventRequest, ZoneKernelEventStreamStop,
 ZoneKernelEventStreamUpdate, ZoneState,
@@ -11,6 +8,7 @@ use crate::proto::generated::protect::control::v1::{
 monitor_zone_kernel_event_request::{self as zk_req},
 watch_events_reply::Event,
 };
+use edera_client::{client::ControlClientProvider, dial::ControlDialAddress, events::EventStream};
 mod zone_creation_watcher;
 use log::{debug, error, info, warn};
@@ -22,8 +20,8 @@ use tokio::{
 use tokio_stream::{Stream, StreamExt, wrappers::BroadcastStream};
 use tonic::{Streaming, transport::Channel};
-mod enabled_syscalls;
 mod edera_client;
+mod enabled_syscalls;
 const DAEMON_SOCKET: &str = "unix:///var/lib/edera/protect/daemon.socket";
diff --git a/src/source_plugin/client/zone_creation_watcher.rs b/src/source_plugin/client/zone_creation_watcher.rs
index eb935d4..cbfb0f4 100644
--- a/src/source_plugin/client/zone_creation_watcher.rs
+++ b/src/source_plugin/client/zone_creation_watcher.rs
@@ -1,10 +1,9 @@
-use anyhow::Result;
 use crate::proto::generated::protect::{
 control::v1::ZoneState, control::v1::control_service_client::ControlServiceClient,
 };
+use anyhow::Result;
 use tonic::transport::Channel;
-
 use super::edera_client::zone_watcher::ZoneWatcher as watcher;
 use log::{debug, error};
 use tokio::{sync::broadcast, task::JoinHandle};
diff --git a/src/source_plugin/mod.rs b/src/source_plugin/mod.rs
index 54b0cd0..f037d21 100644
--- a/src/source_plugin/mod.rs
+++ b/src/source_plugin/mod.rs
@@ -1,18 +1,18 @@
+use crate::proto::generated::protect::control::v1::{
+ MonitorZoneKernelEventReply, monitor_zone_kernel_event_reply::Reply,
+};
 use anyhow::{Error, Result, anyhow};
+use env_logger::Env;
 use falco_event::events::EventToBytes;
 use falco_plugin::FailureReason;
 use falco_plugin::source::{EventBatch, EventInput, SourcePlugin, SourcePluginInstance};
 use log::{debug, info, warn};
 use prost::Message;
-use crate::proto::generated::protect::control::v1::{
- MonitorZoneKernelEventReply, monitor_zone_kernel_event_reply::Reply,
-};
 use std::ffi::{CStr, CString};
 use std::io::BufWriter;
 use std::thread;
 use std::time::Duration;
 use tokio::{runtime, sync::mpsc, sync::oneshot};
-use env_logger::Env;
 use crate::EderaPlugin;
@@ -105,7 +105,6 @@ impl SourcePlugin for EderaPlugin {
 type Event<'a> = falco_event::events::RawEvent<'a>;
 fn open(&mut self, _params: Option<&str>) -> Result {
- env_logger::Builder::from_env(Env::default().default_filter_or("info")).init();
 log::set_max_level(log::LevelFilter::Trace);
diff --git a/src/threadstate.rs b/src/threadstate.rs
index 9d195a1..fbed5fa 100644
--- a/src/threadstate.rs
+++ b/src/threadstate.rs
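Review bot: The second hunk deletes the `env_logger::Builder::from_env(...).init()` call from `open()` but keeps the `log::set_max_level(log::LevelFilter::Trace)` that followed it, and nothing else in this patch installs a logger; the `log` macros are no-ops until one is set, so unless initialization moved to a place this diff does not show, the plugin's `debug!`/`info!`/`warn!` output silently disappears with this commit. If the move happened it should be visible here or named in the commit message; if it did not, the line should come back, ideally as `let _ = env_logger::Builder::from_env(Env::default().default_filter_or("info")).try_init();` so a second `open()` cannot panic on double initialization. The first hunk still carries `use env_logger::Env;` even though its only visible use was the deleted line, so expect an unused-import warning unless `Env` is referenced further down the file. `open()` continues past the end of the hunk.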
@@ -4,19 +4,20 @@ use libc::{
 SOCK_RAW, SOCK_STREAM,
 };
-use libscap_bindings::{consts as ppm_consts,
+use crate::proto::generated::protect::control::v1::{
+ ZoneKernelEventParam, ZoneKernelFdInfo, ZoneKernelFdInfoData, ZoneKernelIpv4SocketInfo,
+ ZoneKernelIpv6SocketInfo, ZoneKernelPidFd, ZoneKernelRegularFileInfo, ZoneKernelSyscallEvent,
+ ZoneKernelThreadInfo, ZoneKernelThreadSnapshotEvent, ZoneKernelUnixSocketInfo,
+ zone_kernel_fd_info_data::InfoType,
+};
+use libscap_bindings::{
+ consts as ppm_consts,
 types::{
 ppm_event_code as event_codes, ppm_param_type as param_type, scap_fd_type as fd_types,
 scap_l4_proto as l4_types,
- }
+},
 };
 use log::{debug, error, trace, warn};
-use crate::proto::generated::protect::control::v1::{
- ZoneKernelEventParam, ZoneKernelFdInfo, ZoneKernelFdInfoData, ZoneKernelIpv4SocketInfo,
- ZoneKernelIpv6SocketInfo, ZoneKernelPidFd, ZoneKernelRegularFileInfo,
- ZoneKernelThreadSnapshotEvent, ZoneKernelUnixSocketInfo,
- ZoneKernelSyscallEvent, ZoneKernelThreadInfo, zone_kernel_fd_info_data::InfoType,
-};
 use std::collections::HashMap;
 use std::ffi::CStr;
 use std::net::{Ipv4Addr, Ipv6Addr};