Detects, classifies, and penalizes

Co-authored-by: Ona <[email protected]>

Author: kylos101

components/ee/agent-smith/pkg/agent/agent.go

@@ -149,22 +149,15 @@ func NewAgentSmith(cfg config.Config) (*Smith, error) {
 			WorkingArea:  cfg.FilesystemScanning.WorkingArea,
 		}
 
-		filesystemDetec, err = detector.NewFilesystemDetector(fsConfig)
-		if err != nil {
-			log.WithError(err).Warn("failed to create filesystem detector")
-		}
-
-		// Use the same signature classifier for filesystem signatures
-		if sigClassifier, ok := class.(*classifier.SignatureMatchClassifier); ok {
-			filesystemClass = sigClassifier
-		} else if composite, ok := class.(classifier.CompositeClassifier); ok {
-			// Look for SignatureMatchClassifier in composite
-			for _, c := range composite {
-				if sigClassifier, ok := c.(*classifier.SignatureMatchClassifier); ok {
-					filesystemClass = sigClassifier
-					break
-				}
+		// Check if the main classifier supports filesystem detection
+		if fsc, ok := class.(classifier.FilesystemClassifier); ok {
+			filesystemClass = fsc
+			filesystemDetec, err = detector.NewFilesystemDetector(fsConfig, filesystemClass)
+			if err != nil {
+				log.WithError(err).Warn("failed to create filesystem detector")
 			}
+		} else {
+			log.Warn("classifier does not support filesystem detection, filesystem scanning disabled")
 		}
 	}
 
@@ -327,11 +320,14 @@ func (agent *Smith) Start(ctx context.Context, callback func(InfringingWorkspace
 			go func() {
 				defer wg.Done()
 				for file := range fli {
-					class, err := agent.filesystemClassifier.MatchesFilesystemFile(file.Path)
+					log.Infof("Classifying filesystem file: %s", file.Path)
+					class, err := agent.filesystemClassifier.MatchesFile(file.Path)
 					// Early out for no matches
 					if err == nil && class.Level == classifier.LevelNoMatch {
+						log.Infof("File classification: no match - %s", file.Path)
 						continue
 					}
+					log.Infof("File classification result: %s (level: %s, err: %v)", file.Path, class.Level, err)
 					flo <- classifiedFilesystemFile{F: file, C: class, Err: err}
 				}
 			}()
@@ -399,15 +395,18 @@ func (agent *Smith) Start(ctx context.Context, callback func(InfringingWorkspace
 				},
 			})
 		case fileClass := <-flo:
+			log.Infof("Received classified file from flo channel")
 			file, cl, err := fileClass.F, fileClass.C, fileClass.Err
 			if err != nil {
 				log.WithError(err).WithFields(log.OWI(file.Workspace.OwnerID, file.Workspace.WorkspaceID, file.Workspace.InstanceID)).WithField("path", file.Path).Error("cannot classify filesystem file")
 				continue
 			}
 			if cl == nil || cl.Level == classifier.LevelNoMatch {
+				log.Warn("filesystem signature not detected", "path", file.Path, "workspace", file.Workspace.WorkspaceID)
 				continue
 			}
 
+			log.Info("filesystem signature detected", "path", file.Path, "workspace", file.Workspace.WorkspaceID, "severity", cl.Level, "message", cl.Message)
 			_, _ = agent.Penalize(InfringingWorkspace{
 				SupervisorPID: file.Workspace.PID,
 				Owner:         file.Workspace.OwnerID,

components/ee/agent-smith/pkg/classifier/classifier.go

@@ -10,7 +10,6 @@ import (
 	"io"
 	"io/fs"
 	"os"
-	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -53,7 +52,8 @@ type ProcessClassifier interface {
 type FilesystemClassifier interface {
 	prometheus.Collector
 
-	MatchesFilesystemFile(filePath string) (*Classification, error)
+	MatchesFile(filePath string) (*Classification, error)
+	GetFileSignatures() []*Signature
 }
 
 func NewCommandlineClassifier(name string, level Level, allowList []string, blockList []string) (*CommandlineClassifier, error) {
@@ -252,8 +252,8 @@ func (sigcl *SignatureMatchClassifier) Matches(executable string, cmdline []stri
 	return sigNoMatch, nil
 }
 
-// MatchesFilesystemFile checks if a filesystem file matches any filesystem signatures
-func (sigcl *SignatureMatchClassifier) MatchesFilesystemFile(filePath string) (c *Classification, err error) {
+// MatchesFile checks if a filesystem file matches any filesystem signatures
+func (sigcl *SignatureMatchClassifier) MatchesFile(filePath string) (c *Classification, err error) {
 	// Only check signatures with DomainFileSystem
 	filesystemSignatures := make([]*Signature, 0)
 	for _, sig := range sigcl.Signatures {
@@ -266,28 +266,10 @@ func (sigcl *SignatureMatchClassifier) MatchesFilesystemFile(filePath string) (c
 		return sigNoMatch, nil
 	}
 
-	// Check filename matching first (cheapest check)
-	filename := filepath.Base(filePath)
-	matchingSignatures := make([]*Signature, 0)
-
-	for _, sig := range filesystemSignatures {
-		if len(sig.Filename) == 0 {
-			// No filename restriction, include all signatures
-			matchingSignatures = append(matchingSignatures, sig)
-		} else {
-			// Check if filename matches any of the signature filenames
-			for _, sigFilename := range sig.Filename {
-				if matched, _ := filepath.Match(sigFilename, filename); matched {
-					matchingSignatures = append(matchingSignatures, sig)
-					break
-				}
-			}
-		}
-	}
-
-	if len(matchingSignatures) == 0 {
-		return sigNoMatch, nil
-	}
+	// Skip filename matching - the filesystem detector already filtered files
+	// based on signature filename patterns, so any file that reaches here
+	// should be checked for content matching against all filesystem signatures
+	matchingSignatures := filesystemSignatures
 
 	// Open file for signature matching
 	r, err := os.Open(filePath)
@@ -356,6 +338,17 @@ func (sigcl *SignatureMatchClassifier) Collect(m chan<- prometheus.Metric) {
 	sigcl.filesystemMissTotal.Collect(m)
 }
 
+// GetFileSignatures returns signatures that are configured for filesystem domain
+func (sigcl *SignatureMatchClassifier) GetFileSignatures() []*Signature {
+	var filesystemSignatures []*Signature
+	for _, sig := range sigcl.Signatures {
+		if sig.Domain == DomainFileSystem {
+			filesystemSignatures = append(filesystemSignatures, sig)
+		}
+	}
+	return filesystemSignatures
+}
+
 // CompositeClassifier combines multiple classifiers into one. The first match wins.
 type CompositeClassifier []ProcessClassifier
 
@@ -514,6 +507,14 @@ func (cl *CountingMetricsClassifier) Matches(executable string, cmdline []string
 	return cl.D.Matches(executable, cmdline)
 }
 
+func (cl *CountingMetricsClassifier) MatchesFile(filePath string) (*Classification, error) {
+	cl.callCount.Inc()
+	if fsc, ok := cl.D.(FilesystemClassifier); ok {
+		return fsc.MatchesFile(filePath)
+	}
+	return sigNoMatch, nil
+}
+
 func (cl *CountingMetricsClassifier) Describe(d chan<- *prometheus.Desc) {
 	cl.callCount.Describe(d)
 	cl.D.Describe(d)
@@ -523,3 +524,99 @@ func (cl *CountingMetricsClassifier) Collect(m chan<- prometheus.Metric) {
 	cl.callCount.Collect(m)
 	cl.D.Collect(m)
 }
+
+func (cl *CountingMetricsClassifier) GetFileSignatures() []*Signature {
+	if fsc, ok := cl.D.(FilesystemClassifier); ok {
+		return fsc.GetFileSignatures()
+	}
+	return nil
+}
+
+func (cl GradedClassifier) MatchesFile(filePath string) (*Classification, error) {
+	order := []Level{LevelVery, LevelBarely, LevelAudit}
+
+	var (
+		c   *Classification
+		err error
+	)
+	for _, level := range order {
+		classifier, exists := cl[level]
+		if !exists {
+			continue
+		}
+
+		if fsc, ok := classifier.(FilesystemClassifier); ok {
+			c, err = fsc.MatchesFile(filePath)
+			if err != nil {
+				return nil, err
+			}
+			if c.Level != LevelNoMatch {
+				break
+			}
+		}
+	}
+
+	if c == nil || c.Level == LevelNoMatch {
+		return sigNoMatch, nil
+	}
+
+	res := *c
+	res.Classifier = ClassifierGraded + "." + res.Classifier
+	return &res, nil
+}
+
+func (cl GradedClassifier) GetFileSignatures() []*Signature {
+	var allSignatures []*Signature
+
+	for _, classifier := range cl {
+		if fsc, ok := classifier.(FilesystemClassifier); ok {
+			signatures := fsc.GetFileSignatures()
+			allSignatures = append(allSignatures, signatures...)
+		}
+	}
+
+	return allSignatures
+}
+
+func (cl CompositeClassifier) MatchesFile(filePath string) (*Classification, error) {
+	var (
+		c   *Classification
+		err error
+	)
+	for _, classifier := range cl {
+		if fsc, ok := classifier.(FilesystemClassifier); ok {
+			c, err = fsc.MatchesFile(filePath)
+			if err != nil {
+				return nil, err
+			}
+			if c.Level != LevelNoMatch {
+				break
+			}
+		}
+	}
+
+	if c == nil || len(cl) == 0 {
+		// empty composite classifier
+		return sigNoMatch, nil
+	}
+	if c.Level == LevelNoMatch {
+		return sigNoMatch, nil
+	}
+
+	res := *c
+	res.Classifier = ClassifierComposite + "." + res.Classifier
+	return &res, nil
+}
+
+func (cl CompositeClassifier) GetFileSignatures() []*Signature {
+	var allSignatures []*Signature
+
+	for _, classifier := range cl {
+		if fsc, ok := classifier.(FilesystemClassifier); ok {
+			signatures := fsc.GetFileSignatures()
+			allSignatures = append(allSignatures, signatures...)
+		}
+	}
+
+	return allSignatures
+}

components/ee/agent-smith/pkg/classifier/classifier_test.go

@@ -91,3 +91,38 @@ func TestCommandlineClassifier(t *testing.T) {
 		})
 	}
 }
+
+func TestCountingMetricsClassifierFilesystemInterface(t *testing.T) {
+	// Create a signature classifier with filesystem signatures
+	signatures := []*classifier.Signature{
+		{
+			Name:     "test-filesystem",
+			Domain:   classifier.DomainFileSystem,
+			Pattern:  []byte("malware"),
+			Filename: []string{"malware.exe"},
+		},
+	}
+
+	sigClassifier := classifier.NewSignatureMatchClassifier("test", classifier.LevelAudit, signatures)
+	countingClassifier := classifier.NewCountingMetricsClassifier("counting", sigClassifier)
+
+	// Test that CountingMetricsClassifier implements FilesystemClassifier
+	var fsc classifier.FilesystemClassifier = countingClassifier
+
+	// Test filesystem file matching (file doesn't exist, should return no match without error)
+	result, err := fsc.MatchesFile("/nonexistent/path/malware.exe")
+	if err != nil {
+		t.Fatalf("MatchesFile failed: %v", err)
+	}
+
+	// Should return no match since file doesn't exist, but no error
+	if result.Level != classifier.LevelNoMatch {
+		t.Errorf("Expected LevelNoMatch for nonexistent file, got %v", result.Level)
+	}
+
+	// Test that the interface delegation works by checking that it doesn't panic
+	// and returns a valid Classification
+	if result == nil {
+		t.Error("Expected non-nil Classification result")
+	}
+}