
Commit 41b8fa0

committed
feat: extend string data filtering for other events
1 parent f8f0af6 commit 41b8fa0

2 files changed

Lines changed: 78 additions & 0 deletions


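--- a/pkg/ebpf/c/common/context.h
+++ b/pkg/ebpf/c/common/context.h
@@ -259,6 +259,7 @@ statfunc bool reset_event(event_data_t *event, u32 event_id)
 event->config.field_types = event_config->field_types;
 event->config.submit_for_policies = event_config->submit_for_policies;
 event->context.matched_policies = event_config->submit_for_policies;
+event->config.data_filter = event_config->data_filter;
 
 return true;
 }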

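--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -387,6 +387,9 @@ int syscall__execve_enter(void *ctx)
 &p.event->args_buf, (const char *const *) sys->args.args[2] /*envp*/, 2);
 }
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -417,6 +420,9 @@ int syscall__execve_exit(void *ctx)
 &p.event->args_buf, (const char *const *) sys->args.args[2] /*envp*/, 2);
 }
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, sys->ret);
 }
 
@@ -447,6 +453,9 @@ int syscall__execveat_enter(void *ctx)
 }
 save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[4] /*flags*/, sizeof(int), 4);
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -479,6 +488,9 @@ int syscall__execveat_exit(void *ctx)
 }
 save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[4] /*flags*/, sizeof(int), 4);
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 return events_perf_submit(&p, sys->ret);
 }
 
@@ -1714,6 +1726,9 @@ int BPF_KPROBE(trace_call_usermodehelper)
 save_str_arr_to_buf(&p.event->args_buf, (const char *const *) envp, 2);
 save_to_submit_buf(&p.event->args_buf, (void *) &wait, sizeof(int), 3);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -2272,6 +2287,9 @@ int BPF_KPROBE(trace_security_bprm_check)
 if (p.config->options & OPT_EXEC_ENV)
 save_str_arr_to_buf(&p.event->args_buf, envp, 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -2347,6 +2365,9 @@ int BPF_KPROBE(trace_security_sb_mount)
 save_str_to_buf(&p.event->args_buf, (void *) type, 2);
 save_to_submit_buf(&p.event->args_buf, &flags, sizeof(unsigned long), 3);
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -2381,6 +2402,9 @@ int BPF_KPROBE(trace_security_inode_unlink)
 save_to_submit_buf(&p.event->args_buf, &unlinked_file_id.device, sizeof(dev_t), 2);
 save_to_submit_buf(&p.event->args_buf, &unlinked_file_id.ctime, sizeof(u64), 3);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -2580,6 +2604,9 @@ int BPF_KPROBE(trace_security_inode_symlink)
 save_str_to_buf(&p.event->args_buf, dentry_path, 0);
 save_str_to_buf(&p.event->args_buf, (void *) old_name, 1);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -3610,6 +3637,9 @@ int BPF_KPROBE(trace_ret_do_mmap)
 save_to_submit_buf(&p.event->args_buf, &prot, sizeof(unsigned long), 8);
 save_to_submit_buf(&p.event->args_buf, &mmap_flags, sizeof(unsigned long), 9);
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -3643,6 +3673,9 @@ int BPF_KPROBE(trace_security_mmap_file)
 save_to_submit_buf(&p.event->args_buf, &inode_nr, sizeof(unsigned long), 3);
 save_to_submit_buf(&p.event->args_buf, &ctime, sizeof(u64), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 events_perf_submit(&p, 0);
 }
 
@@ -3711,6 +3744,9 @@ int BPF_KPROBE(trace_security_file_mprotect)
 save_to_submit_buf(&p.event->args_buf, &pkey, sizeof(int), 6);
 }
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 events_perf_submit(&p, 0);
 }
 
@@ -3953,6 +3989,9 @@ int BPF_KPROBE(trace_security_bpf_map)
 // 2nd argument == map_name (const char *)
 save_str_to_buf(&p.event->args_buf, (void *) __builtin_preserve_access_index(&map->name), 1);
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4008,6 +4047,9 @@ int BPF_KPROBE(trace_security_bpf_prog)
 save_to_submit_buf(&p.event->args_buf, &prog_id, sizeof(u32), 3);
 save_to_submit_buf(&p.event->args_buf, &is_load, sizeof(bool), 4);
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 events_perf_submit(&p, 0);
 
 return 0;
@@ -4149,6 +4191,9 @@ int BPF_KPROBE(trace_security_kernel_read_file)
 save_to_submit_buf(&p.event->args_buf, &type_id, sizeof(int), 3);
 save_to_submit_buf(&p.event->args_buf, &ctime, sizeof(u64), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4173,6 +4218,10 @@ int BPF_KPROBE(trace_security_kernel_post_read_file)
 save_str_to_buf(&p.event->args_buf, file_path, 0);
 save_to_submit_buf(&p.event->args_buf, &size, sizeof(loff_t), 1);
 save_to_submit_buf(&p.event->args_buf, &type_id, sizeof(int), 2);
+
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 events_perf_submit(&p, 0);
 }
 
@@ -4221,6 +4270,9 @@ int BPF_KPROBE(trace_security_inode_mknod)
 save_to_submit_buf(&p.event->args_buf, &mode, sizeof(unsigned short), 1);
 save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 2);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4463,6 +4515,9 @@ int tracepoint__module__module_load(struct bpf_raw_tracepoint_args *ctx)
 save_str_to_buf(&p.event->args_buf, (void *) version, 1);
 save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
+if (!evaluate_data_filters(&p, 3))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4571,6 +4626,10 @@ int BPF_KPROBE(trace_load_elf_phdrs)
 save_str_to_buf(&p.event->args_buf, (void *) elf_pathname, 0);
 save_to_submit_buf(&p.event->args_buf, &proc_info->interpreter.id.device, sizeof(dev_t), 1);
 save_to_submit_buf(&p.event->args_buf, &proc_info->interpreter.id.inode, sizeof(unsigned long), 2);
+
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 events_perf_submit(&p, 0);
 
 return 0;
@@ -4678,6 +4737,9 @@ int BPF_KPROBE(trace_security_inode_rename)
 void *new_dentry_path = get_dentry_path_str(new_dentry);
 save_str_to_buf(&p.event->args_buf, new_dentry_path, 1);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4816,6 +4878,9 @@ statfunc int common_utimes(struct pt_regs *ctx)
 save_to_submit_buf(&p.event->args_buf, &atime, sizeof(u64), 3);
 save_to_submit_buf(&p.event->args_buf, &mtime, sizeof(u64), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4853,6 +4918,9 @@ int BPF_KPROBE(trace_do_truncate)
 save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 2);
 save_to_submit_buf(&p.event->args_buf, &length, sizeof(u64), 3);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -5043,6 +5111,9 @@ int BPF_KPROBE(trace_ret_inotify_find_inode)
 save_to_submit_buf(&p.event->args_buf, &inode_nr, sizeof(unsigned long), 1);
 save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 2);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -5197,6 +5268,9 @@ int BPF_KPROBE(trace_security_path_notify)
 save_to_submit_buf(&p.event->args_buf, &mask, sizeof(u64), 3);
 save_to_submit_buf(&p.event->args_buf, &obj_type, sizeof(unsigned int), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -5300,6 +5374,9 @@ int BPF_KPROBE(trace_chmod_common)
 save_str_to_buf(&p.event->args_buf, file_path, 0);
 save_to_submit_buf(&p.event->args_buf, &mode, sizeof(umode_t), 1);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 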
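Review bot: The second argument to `evaluate_data_filters` is a bare literal (0, 1 or 3) at all 25 new call sites in this file, and nothing in the hunks says which saved argument it selects; in `tracepoint__module__module_load` the index 3 names an argument that is not saved inside the hunk, so the mapping cannot be checked from here. Following the file's existing `/*envp*/` and `/*flags*/` style, annotate each literal with the argument it selects, e.g. `if (!evaluate_data_filters(&p, 0 /* <argument name> */))`, or hoist the per-event indices into named constants beside the event definitions so the filter field and the `save_str_to_buf` index cannot drift apart. Separately, the `save_str_to_buf` return values directly above the new checks (for example in `trace_security_inode_symlink`, `trace_security_kernel_post_read_file` and `trace_chmod_common`) are not examined, so a failed or truncated string copy presumably reaches the filter as an empty or shortened value; it is worth confirming how `evaluate_data_filters` treats that case, since silently dropping such events would let an unusually long path escape a string filter. Every function touched here begins outside its hunk.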