From 5f8a098f2526bb66a90522a12cb84edaa600047b Mon Sep 17 00:00:00 2001
From: Afek Berger
Date: Thu, 19 Dec 2024 10:13:33 +0200
Subject: [PATCH] Added rule extras (#442)

Signed-off-by: Afek Berger
---
 .../v1/r0006_unexpected_service_account_token_access.go | 1 +
 pkg/ruleengine/v1/r1005_fileless_execution.go | 1 +
 pkg/ruleengine/v1/r1011_ld_preload_hook.go | 6 ++++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
index 115bcb58..9bb741bf 100644
--- a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
+++ b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
@@ -168,6 +168,7 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti
 PodLabels: openEvent.K8s.PodLabels,
 },
 RuleID: rule.ID(),
+ Extra: convertedEvent.GetExtra(),
 }
 }
diff --git a/pkg/ruleengine/v1/r1005_fileless_execution.go b/pkg/ruleengine/v1/r1005_fileless_execution.go
index a8db0506..ad1cf7d9 100644
--- a/pkg/ruleengine/v1/r1005_fileless_execution.go
+++ b/pkg/ruleengine/v1/r1005_fileless_execution.go
@@ -107,6 +107,7 @@ func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *events.ExecEven
 PodLabels: execEvent.K8s.PodLabels,
 },
 RuleID: rule.ID(),
+ Extra: execEvent.GetExtra(),
 }
 return &ruleFailure
diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go
index cc5f143e..dad3769a 100644
--- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go
+++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go
@@ -90,7 +90,7 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut
 return nil
 }
- return rule.ruleFailureOpenEvent(&openEvent.Event)
+ return rule.ruleFailureOpenEvent(&openEvent.Event, openEvent.GetExtra())
 }
 return nil
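Review bot: `Extra: convertedEvent.GetExtra()` copies an opaque, untyped value straight into the emitted `GenericRuleFailure` with no nil or size check, and nothing in the hunk shows what that payload holds or whether the alert is serialized to an external sink. If it is exported, the rule now attaches tracer-derived data (presumably shaped by activity inside the monitored pod) to every alert, so the field deserves a comment stating what it carries and who consumes it, e.g. `// Extra: tracer-side enrichment forwarded verbatim to the alert; contents are opaque to this rule — keep it bounded if alerts are exported.`, and a dedicated typed field rather than `interface{}` once the contents stabilise. The same observation applies to the identical additions in the r1005 and r1011 hunks. `ProcessEvent` starts before and ends after this hunk.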
@@ -165,12 +165,13 @@ func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *events.ExecEvent
 PodLabels: execEvent.K8s.PodLabels,
 },
 RuleID: rule.ID(),
+ Extra: execEvent.GetExtra(),
 }
 return &ruleFailure
 }
-func (rule *R1011LdPreloadHook) ruleFailureOpenEvent(openEvent *traceropentype.Event) ruleengine.RuleFailure {
+func (rule *R1011LdPreloadHook) ruleFailureOpenEvent(openEvent *traceropentype.Event, extra interface{}) ruleengine.RuleFailure {
 ruleFailure := GenericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
 AlertName: rule.Name(),
@@ -199,6 +200,7 @@ func (rule *R1011LdPreloadHook) ruleFailureOpenEvent(openEvent *traceropentype.E
 PodLabels: openEvent.K8s.PodLabels,
 },
 RuleID: rule.ID(),
+ Extra: extra,
 }
 return &ruleFailure
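Review bot: The new `extra interface{}` parameter on `ruleFailureOpenEvent` makes the two helpers asymmetric: `ruleFailureExecEvent` receives the enriched `*events.ExecEvent` and calls `execEvent.GetExtra()` itself, while the open-path helper takes the bare `*traceropentype.Event` plus a separately threaded, untyped value that the call site in `ProcessEvent` must keep in step with the event it came from. Passing the enriched open-event type the caller already holds (the one exposing `.Event` and `GetExtra()` in the earlier hunk) would let the helper read both internally, e.g. `func (rule *R1011LdPreloadHook) ruleFailureOpenEvent(openEvent *events.OpenEvent) ruleengine.RuleFailure {` if that is its name — I cannot see the type from this hunk. If the extra parameter stays, add a doc comment on the function stating what `extra` is and that it is stored verbatim in `GenericRuleFailure.Extra`, and spell it `any` if the module's Go version allows. The body of `ruleFailureOpenEvent` continues past the end of both hunks.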