feat(cel/parse): add 3-arg get_exec_path(args, comm, exepath) overload #843
Adds an exepath-aware overload of parse.get_exec_path to the CEL parse library. The existing 2-arg form resolves argv[0] -> comm; the new 3-arg form resolves the exec path symmetrically with the recording side's resolveExecPath in pkg/containerprofilemanager/v1/event_reporting.go:

1. exepath (kernel-authoritative, spoof-resistant)
2. argv[0] when non-empty AND exepath empty (fexecve / AT_EMPTY_PATH)
3. comm

This lets rules query the same identity the recorder stored, closing the fork-shell mismatch (`sh -c ...` records /bin/sh and the rule side now queries /bin/sh) while preserving argv[0]-spoofing protection. The 2-arg overload is unchanged, so existing rules keep working.

The overload is consumed by the OSS R0040 rule in kubescape/rulelibrary (the path-resolution half of the get_exec_path migration). It replaces the engine portion of node-agent#805; the rule YAML and component tests from that PR move to rulelibrary instead.

Adds TestGetExecPath_SymmetryWithRecordingSide covering exepath-wins, fexecve fallback, comm fallback, busybox symlink, and absolute-argv[0] spoof cases.

Signed-off-by: matthyx <matthias.bertschy@gmail.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Docs-exempt: additive CEL helper overload, no node-agent config/API/behavioral change; consumer rule R0040 is documented in kubescape/rulelibrary
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant CEL evaluator
    participant parseLibrary.Declarations
    participant getExecPathWithExePath
    participant getExecPath
    CEL evaluator->>parseLibrary.Declarations: invoke parse.get_exec_path(args, comm, exepath)
    parseLibrary.Declarations->>getExecPathWithExePath: dispatch 3-argument overload
    getExecPathWithExePath->>getExecPath: fallback when exepath is empty
    getExecPathWithExePath-->>CEL evaluator: resolved exec path string
```
…igrate rule tests to new mock API

Pins node-agent to the pseudo-version of kubescape/node-agent#843 (feat(cel/parse): add 3-arg get_exec_path overload) so the R0040 rule and its test can resolve parse.get_exec_path(args, comm, exepath). Also bumps storage v0.0.258 -> v0.0.278 (MatchExecArgs / CompareExecArgs) and aligns the replace block with node-agent main (inspektor-gadget fork, runtime-spec v1.2.1, syft, stereoscope) so the module graph builds.

The node-agent bump (Apr -> Jun main) drifted the test-facing mock API; migrates all rule tests accordingly:

* objCache.ApplicationProfileCache().GetApplicationProfile(id) -> objCache.GetApplicationProfile(id) (12 files)
* objCache.NetworkNeighborhoodCache().GetNetworkNeighborhood(id) -> objCache.GetNetworkNeighborhood(id) (4 files)
* RulePolicyValidator.Validate(ruleId, comm, &profile.Spec.Containers[0]) -> Validate(ruleId, comm, &objectcache.ProjectedContainerProfile{ PolicyByRuleId: profile.Spec.Containers[0].PolicyByRuleId}) (r1011, r1012, r1030 — Validate now takes a ProjectedContainerProfile)

Full suite, lint-projection, and the README check pass except one pre-existing R1001 subtest (different_container_name), whose premise (name-based profile isolation) the new RuleObjectCacheMock no longer models — left for an owner decision; it is already covered by the sibling "no application profile" case.

Signed-off-by: matthyx <matthias.bertschy@gmail.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary

Adds a 3-arg `parse.get_exec_path(args, comm, exepath)` overload to the CEL parse library. This is the engine replacement for node-agent#805 — just the path-resolution helper the OSS R0040 rule needs, branched cleanly from `main`. The rule YAML and component tests from #805 move to `kubescape/rulelibrary` instead.

Details

`main` already carries the rest of the #805 engine — `ap.was_executed_with_args`, the `ExecsByPath` projection (incl. mock population), and `storage v0.0.278`. The only missing piece for R0040 was the exepath-aware path resolver, which this PR adds.

The existing 2-arg form resolves `argv[0] → comm`. The new 3-arg form resolves symmetrically with the recording side (`pkg/containerprofilemanager/v1/event_reporting.go:resolveExecPath`):

- … `argv[0]` is user-controllable even when absolute, e.g. `exec -a /bin/sh sleep`).
- … `AT_EMPTY_PATH`).

This closes the fork-shell mismatch (`sh -c …` records `/bin/sh`, and the rule side now queries `/bin/sh` too) while preserving argv[0]-spoofing protection. The 2-arg overload is unchanged, so every existing rule keeps working — this is purely additive.

Why a new PR instead of #805

Per the issue discussion, #805 is being retired. Its engine already landed on `main` except this one overload; its rule content (R0040 + the `get_exec_path` migrations + binding) belongs in `kubescape/rulelibrary`, not bundled in node-agent. This PR is the minimal engine delta; the rule lives in rulelibrary#39, which will pin this commit via a `go.mod` pseudo-version.

Tests

`TestGetExecPath_SymmetryWithRecordingSide` pins exepath-wins, argv[0]-spoof, fexecve fallback, comm fallback, and busybox-symlink cases, mirroring `TestResolveExecPath` on the recording side.

Summary by CodeRabbit

New Features

`parse.get_exec_path` now supports an additional 3-argument form that can use an explicit executable path when available.

Bug Fixes
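The exepath -> argv[0] -> comm precedence described in this PR, as an added Go example that is not the node-agent or rulelibrary code: the 2-arg form is an assumed simplification (argv[0], then comm) used only for comparison, and the sample exec events are constructed to match the five scenarios the test description names. `argvOnlyDiverges` shows which of them a rule would mismatch on (fork-shell, busybox) or be spoofed on (absolute argv[0]) if it queried the old identity against what the recorder stored.

```go
package main

type execCase struct {
	name    string
	args    []string // argv; args[0] is user-controllable
	comm    string   // kernel task comm
	exePath string   // kernel-resolved exec path; empty for fexecve / AT_EMPTY_PATH
}

// getExecPath models the existing 2-arg overload (argv[0], then comm);
// an assumed simplification for comparison, not the library's code.
func getExecPath(args []string, comm string) string {
	if len(args) > 0 && args[0] != "" {
		return args[0]
	}
	return comm
}

// getExecPathWithExePath models the 3-arg overload described in the PR:
// exepath wins; argv[0] only when exepath is empty; comm as last resort.
func getExecPathWithExePath(args []string, comm, exePath string) string {
	if exePath != "" {
		return exePath
	}
	return getExecPath(args, comm)
}

// sampleCases are constructed events covering the five scenarios the PR's test names.
func sampleCases() []execCase {
	return []execCase{
		{"exepath-wins (fork-shell)", []string{"sh", "-c", "id"}, "sh", "/bin/sh"},
		{"absolute-argv0 spoof", []string{"/bin/sh"}, "sleep", "/usr/bin/sleep"},
		{"busybox symlink", []string{"sh"}, "sh", "/bin/busybox"},
		{"fexecve fallback", []string{"app"}, "app", ""},
		{"comm fallback", nil, "kworker", ""},
	}
}

// argvOnlyDiverges lists the cases where the 2-arg form queries a different identity
// than the recorder stored (recorder uses the same precedence as the 3-arg form).
func argvOnlyDiverges() []string {
	var out []string
	for _, c := range sampleCases() {
		recorded := getExecPathWithExePath(c.args, c.comm, c.exePath)
		if getExecPath(c.args, c.comm) != recorded {
			out = append(out, c.name)
		}
	}
	return out
}

func main() {} // empty so the file builds stand-alone; the functions above are the example
```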