
Commit 216438b

committed
wip
1 parent e5f4c4d commit 216438b

2 files changed

Lines changed: 88 additions & 11 deletions


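--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -1518,6 +1518,9 @@ int sched_process_exec_event_submit_tail(struct bpf_raw_tracepoint_args *ctx)
 &p.event->args_buf, (void *) env_start, (void *) env_end, envc, 16);
 }
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 events_perf_submit(&p, 0);
 return 0;
 }
@@ -1998,6 +2001,9 @@ statfunc int send_bpf_attach(
 save_to_submit_buf(&(p->event->args_buf), &probe_addr, sizeof(u64), 5);
 save_to_submit_buf(&(p->event->args_buf), &perf_type, sizeof(int), 6);
 
+if (!evaluate_data_filters(p, 1))
+return 0;
+
 events_perf_submit(p, 0);
 
 // delete from map
@@ -2188,6 +2194,10 @@ int tracepoint__cgroup__cgroup_attach_task(struct bpf_raw_tracepoint_args *ctx)
 save_str_to_buf(&p.event->args_buf, path, 0);
 save_str_to_buf(&p.event->args_buf, comm, 1);
 save_to_submit_buf(&p.event->args_buf, (void *) &pid, sizeof(int), 2);
+
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 events_perf_submit(&p, 0);
 
 return 0;
@@ -2214,6 +2224,10 @@ int tracepoint__cgroup__cgroup_mkdir(struct bpf_raw_tracepoint_args *ctx)
 save_to_submit_buf(&p.event->args_buf, &cgroup_id, sizeof(u64), 0);
 save_str_to_buf(&p.event->args_buf, path, 1);
 save_to_submit_buf(&p.event->args_buf, &hierarchy_id, sizeof(u32), 2);
+
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 events_perf_submit(&p, 0);
 
 return 0;
@@ -2240,6 +2254,10 @@ int tracepoint__cgroup__cgroup_rmdir(struct bpf_raw_tracepoint_args *ctx)
 save_to_submit_buf(&p.event->args_buf, &cgroup_id, sizeof(u64), 0);
 save_str_to_buf(&p.event->args_buf, path, 1);
 save_to_submit_buf(&p.event->args_buf, &hierarchy_id, sizeof(u32), 2);
+
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 events_perf_submit(&p, 0);
 
 return 0;
@@ -2623,6 +2641,9 @@ int BPF_KPROBE(trace_proc_create)
 save_str_to_buf(&p.event->args_buf, name, 0);
 save_to_submit_buf(&p.event->args_buf, (void *) &proc_ops_addr, sizeof(u64), 1);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -2647,6 +2668,9 @@ int BPF_KPROBE(trace_debugfs_create_file)
 save_to_submit_buf(&p.event->args_buf, &mode, sizeof(umode_t), 2);
 save_to_submit_buf(&p.event->args_buf, (void *) &proc_ops_addr, sizeof(u64), 3);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -2667,6 +2691,9 @@ int BPF_KPROBE(trace_debugfs_create_dir)
 save_str_to_buf(&p.event->args_buf, name, 0);
 save_str_to_buf(&p.event->args_buf, dentry_path, 1);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -3193,6 +3220,9 @@ do_file_io_operation(struct pt_regs *ctx, u32 event_id, u32 tail_call_id, bool i
 save_to_submit_buf(&p.event->args_buf, &io_data.len, sizeof(unsigned long), 3);
 save_to_submit_buf(&p.event->args_buf, &start_pos, sizeof(off_t), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 // Submit io event
 events_perf_submit(&p, PT_REGS_RC(ctx));
 
@@ -3547,6 +3577,8 @@ int BPF_KPROBE(kernel_write_magic_return)
 save_to_submit_buf(event, &file_info.id.inode, sizeof(unsigned long), 7); \
 save_to_submit_buf(event, &file_info.id.ctime, sizeof(u64), 8); \
 } \
+if (!evaluate_data_filters(&p, 5)) \
+return 0; \
 events_perf_submit(&p, 0); \
 }
 
@@ -3950,6 +3982,9 @@ statfunc int arm_kprobe_handler(struct pt_regs *ctx)
 save_to_submit_buf(&p.event->args_buf, (void *) &pre_handler, sizeof(u64), 1);
 save_to_submit_buf(&p.event->args_buf, (void *) &post_handler, sizeof(u64), 2);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4292,6 +4327,9 @@ int BPF_KPROBE(trace_device_add)
 save_str_to_buf(&p.event->args_buf, (void *) name, 0);
 save_str_to_buf(&p.event->args_buf, (void *) parent_name, 1);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4331,6 +4369,9 @@ int BPF_KPROBE(trace_ret__register_chrdev)
 save_str_to_buf(&p.event->args_buf, char_device_name, 2);
 save_to_submit_buf(&p.event->args_buf, &char_device_fops, sizeof(void *), 3);
 
+if (!evaluate_data_filters(&p, 2))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4546,6 +4587,9 @@ int tracepoint__module__module_free(struct bpf_raw_tracepoint_args *ctx)
 save_str_to_buf(&p.event->args_buf, (void *) version, 1);
 save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4590,6 +4634,10 @@ int BPF_KPROBE(trace_ret_do_init_module)
 save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
 int ret_val = PT_REGS_RC(ctx);
+
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, ret_val);
 }
 
@@ -4713,6 +4761,9 @@ int tracepoint__task__task_rename(struct bpf_raw_tracepoint_args *ctx)
 save_str_to_buf(&p.event->args_buf, (void *) old_name, 0);
 save_str_to_buf(&p.event->args_buf, (void *) new_name, 1);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -5029,6 +5080,9 @@ statfunc int common_file_modification_ret(struct pt_regs *ctx)
 save_to_submit_buf(&p.event->args_buf, &old_ctime, sizeof(u64), 3);
 save_to_submit_buf(&p.event->args_buf, &file_info.id.ctime, sizeof(u64), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 events_perf_submit(&p, 0);
 
 return 0;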
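Review bot: The early `return 0;` added in send_bpf_attach, just before `events_perf_submit(p, 0);`, also skips the cleanup that follows it (`// delete from map`), so a bpf_attach event rejected by the data filter appears to leave its map entry behind; the rest of send_bpf_attach is outside the hunk, so confirm, but a rejected event should only skip the submit, e.g. `if (evaluate_data_filters(p, 1))` followed by `events_perf_submit(p, 0);` with no early return. Separately, the `evaluate_data_filters(&p, 5)` in the kernel_write_magic_return macro hunk passes index 5, whereas data.go in this same commit records pathname at index 0 for both MagicWrite and KernelWrite; verify which event that macro submits and that the index agrees. In every other hunk the index argument matches the field position saved a few lines above and the number recorded in data.go (1 for sched_process_exec, 2 for register_chrdev, 0 elsewhere), but nothing enforces that coupling, so a short comment at each call such as `// arg index must match allowedKernelField in pkg/filters/data.go` would make the contract visible to the next editor.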
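--- a/pkg/filters/data.go
+++ b/pkg/filters/data.go
@@ -75,7 +75,7 @@ func NewDataFilter() *DataFilter {
 // list of events and field names allowed to have in-kernel filter
 var allowedKernelField = map[events.ID]string{
 // LSM hooks
-events.SecurityBprmCheck: "pathname", // 0
+events.SecurityBprmCheck: "pathname", // index: 0
 events.SecurityFileOpen: "pathname", // 0
 events.SecurityInodeUnlink: "pathname", // 0
 events.SecuritySbMount: "path", // 1
@@ -90,19 +90,42 @@ var allowedKernelField = map[events.ID]string{
 events.SecurityBpfProg: "name", // 1
 events.SecurityPathNotify: "pathname", // 0
 events.SharedObjectLoaded: "pathname", // 0
+
+// Others
+events.SchedProcessExec: "pathname", // 1
+events.VfsWrite: "pathname", // 0
+events.VfsWritev: "pathname", // 0
+events.VfsRead: "pathname", // 0
+events.VfsReadv: "pathname", // 0
+events.MemProtAlert: "pathname", // 5
+events.MagicWrite: "pathname", // 0
+events.KernelWrite: "pathname", // 0
+events.CallUsermodeHelper: "pathname", // 0
+events.LoadElfPhdrs: "pathname", // 0
+events.DoMmap: "pathname", // 1
+events.VfsUtimes: "pathname", // 0
+events.DoTruncate: "pathname", // 0
+events.InotifyWatch: "pathname", // 0
+events.ModuleLoad: "pathname", // 3
+events.ChmodCommon: "pathname", // 0
+events.DeviceAdd: "name", // 0
+events.DoInitModule: "name", // 0
+events.ModuleFree: "name", // 0
+events.ProcCreate: "name", // 0
+events.RegisterChrdev: "char_device_name", // 2
+events.DebugfsCreateFile: "file_name", // 0
+events.DebugfsCreateDir: "name", // 0
+events.CgroupMkdir: "cgroup_path", // 1
+events.CgroupRmdir: "cgroup_path", // 1
+events.CgroupAttachTask: "cgroup_path", // 0
+events.BpfAttach: "prog_name", // 1
+events.KprobeAttach: "symbol_name", // 0
+events.TaskRename: "old_name", // 0
+events.FileModification: "file_path", // 0
+
 // Syscalls
 events.Execve: "pathname",
 events.Execveat: "pathname",
-// Others
-events.ModuleLoad: "pathname",
-events.InotifyWatch: "pathname",
-events.DoTruncate: "pathname",
-events.MagicWrite: "pathname",
-events.VfsUtimes: "pathname",
-events.LoadElfPhdrs: "pathname",
-events.CallUsermodeHelper: "pathname",
-events.ChmodCommon: "pathname",
-events.DoMmap: "pathname",
 }
 
 // checkAvailabilityKernelFilter check if event ID and field name are allowed to be an kernel filter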
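Review bot: The trailing `// 0`, `// 1`, `// 5` comments on the new `allowedKernelField` entries are the only record of the in-kernel argument index that the matching `evaluate_data_filters` calls in tracee.bpf.c are hard-coded with, yet the map's doc comment does not say what the number means, `events.Execve` and `events.Execveat` carry no index at all, and line 78 alone switches to the `// index: 0` spelling. Extend the comment above the map to `// list of events and field names allowed to have in-kernel filter; the trailing number is the argument index passed to evaluate_data_filters in tracee.bpf.c and must be kept in sync with it`, use one spelling for the index on every entry, and add the index to the two syscall entries so a reader can check the table against the C side without opening both files.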