[CWS] Enforce selftests by checking the recieved event file path (#41137)

spikat · web-flow · commit 9d08cd5cde9b · 2025-09-25T14:57:51.000Z
### What does this PR do?

### Motivation

### Describe how you validated your changes

### Additional Notes
diff --git a/pkg/security/probe/selftests/chmod.go b/pkg/security/probe/selftests/chmod.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+	"github.com/DataDog/datadog-agent/pkg/security/seclog"
 )
 
 // ChmodSelfTest defines a chmod self test
@@ -51,7 +52,20 @@ func (o *ChmodSelfTest) GenerateEvent(ctx context.Context) error {
 
 // HandleEvent handles self test events
 func (o *ChmodSelfTest) HandleEvent(event selfTestEvent) {
-	o.isSuccess = event.RuleID == o.ruleID
+	if event.Event == nil ||
+		event.Event.BaseEventSerializer == nil ||
+		event.Event.BaseEventSerializer.FileEventSerializer == nil {
+		seclog.Errorf("Chmod SelfTest event received with nil Event or File fields")
+		o.isSuccess = false
+		return
+	}
+
+	// debug logs
+	if event.RuleID == o.ruleID && o.filename != event.Event.BaseEventSerializer.FileEventSerializer.Path {
+		seclog.Errorf("Chmod SelfTest event received with different filepaths: %s VS %s", o.filename, event.Event.BaseEventSerializer.FileEventSerializer.Path)
+	}
+
+	o.isSuccess = event.RuleID == o.ruleID && o.filename == event.Event.BaseEventSerializer.FileEventSerializer.Path
 }
 
 // IsSuccess return the state of the test
diff --git a/pkg/security/probe/selftests/chown.go b/pkg/security/probe/selftests/chown.go
@@ -16,6 +16,7 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+	"github.com/DataDog/datadog-agent/pkg/security/seclog"
 )
 
 // ChownSelfTest defines a chown self test
@@ -57,7 +58,20 @@ func (o *ChownSelfTest) GenerateEvent(ctx context.Context) error {
 
 // HandleEvent handles self test events
 func (o *ChownSelfTest) HandleEvent(event selfTestEvent) {
-	o.isSuccess = event.RuleID == o.ruleID
+	if event.Event == nil ||
+		event.Event.BaseEventSerializer == nil ||
+		event.Event.BaseEventSerializer.FileEventSerializer == nil {
+		seclog.Errorf("Chown SelfTest event received with nil Event or File fields")
+		o.isSuccess = false
+		return
+	}
+
+	// debug logs
+	if event.RuleID == o.ruleID && o.filename != event.Event.BaseEventSerializer.FileEventSerializer.Path {
+		seclog.Errorf("Chown SelfTest event received with different filepaths: %s VS %s", o.filename, event.Event.BaseEventSerializer.FileEventSerializer.Path)
+	}
+
+	o.isSuccess = event.RuleID == o.ruleID && o.filename == event.Event.BaseEventSerializer.FileEventSerializer.Path
 }
 
 // IsSuccess return the state of the test
diff --git a/pkg/security/probe/selftests/open.go b/pkg/security/probe/selftests/open.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+	"github.com/DataDog/datadog-agent/pkg/security/seclog"
 )
 
 // OpenSelfTest defines an open self test
@@ -51,7 +52,20 @@ func (o *OpenSelfTest) GenerateEvent(ctx context.Context) error {
 
 // HandleEvent handles self test events
 func (o *OpenSelfTest) HandleEvent(event selfTestEvent) {
-	o.isSuccess = event.RuleID == o.ruleID
+	if event.Event == nil ||
+		event.Event.BaseEventSerializer == nil ||
+		event.Event.BaseEventSerializer.FileEventSerializer == nil {
+		seclog.Errorf("Open SelfTest event received with nil Event or File fields")
+		o.isSuccess = false
+		return
+	}
+
+	// debug logs
+	if event.RuleID == o.ruleID && o.filename != event.Event.BaseEventSerializer.FileEventSerializer.Path {
+		seclog.Errorf("Open SelfTest event received with different filepaths: %s VS %s", o.filename, event.Event.BaseEventSerializer.FileEventSerializer.Path)
+	}
+
+	o.isSuccess = event.RuleID == o.ruleID && o.filename == event.Event.BaseEventSerializer.FileEventSerializer.Path
 }
 
 // IsSuccess return the state of the test
diff --git a/pkg/security/probe/selftests/tester.go b/pkg/security/probe/selftests/tester.go
@@ -234,9 +234,8 @@ func (t *SelfTester) endSelfTests() {
 }
 
 type selfTestEvent struct {
-	RuleID   eval.RuleID
-	Filepath string
-	Event    *serializers.EventSerializer
+	RuleID eval.RuleID
+	Event  *serializers.EventSerializer
 }
 
 // IsExpectedEvent sends an event to the tester

Original file line number	Diff line number	Diff line change
`@@ -234,9 +234,8 @@ func (t *SelfTester) endSelfTests() {`
`234`	`234`	`}`
`235`	`235`
`236`	`236`	`type selfTestEvent struct {`
`237`		`- RuleID eval.RuleID`
`238`		`- Filepath string`
`239`		`- Event *serializers.EventSerializer`
	`237`	`+ RuleID eval.RuleID`
	`238`	`+ Event *serializers.EventSerializer`
`240`	`239`	`}`
`241`	`240`
`242`	`241`	`// IsExpectedEvent sends an event to the tester`