
Commit 890848a

feat: extend string data filtering for other events
1 parent 22fa7ba commit 890848a

2 files changed

Lines changed: 46 additions & 1 deletion


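--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -2209,6 +2209,9 @@ int BPF_KPROBE(trace_security_bprm_check)
 if (p.config->options & OPT_EXEC_ENV)
 save_str_arr_to_buf(&p.event->args_buf, envp, 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -2318,6 +2321,9 @@ int BPF_KPROBE(trace_security_inode_unlink)
 save_to_submit_buf(&p.event->args_buf, &unlinked_file_id.device, sizeof(dev_t), 2);
 save_to_submit_buf(&p.event->args_buf, &unlinked_file_id.ctime, sizeof(u64), 3);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -3547,6 +3553,9 @@ int BPF_KPROBE(trace_ret_do_mmap)
 save_to_submit_buf(&p.event->args_buf, &prot, sizeof(unsigned long), 8);
 save_to_submit_buf(&p.event->args_buf, &mmap_flags, sizeof(unsigned long), 9);
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -3648,6 +3657,9 @@ int BPF_KPROBE(trace_security_file_mprotect)
 save_to_submit_buf(&p.event->args_buf, &pkey, sizeof(int), 6);
 }
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 events_perf_submit(&p, 0);
 }
 
@@ -4086,6 +4098,9 @@ int BPF_KPROBE(trace_security_kernel_read_file)
 save_to_submit_buf(&p.event->args_buf, &type_id, sizeof(int), 3);
 save_to_submit_buf(&p.event->args_buf, &ctime, sizeof(u64), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4110,6 +4125,10 @@ int BPF_KPROBE(trace_security_kernel_post_read_file)
 save_str_to_buf(&p.event->args_buf, file_path, 0);
 save_to_submit_buf(&p.event->args_buf, &size, sizeof(loff_t), 1);
 save_to_submit_buf(&p.event->args_buf, &type_id, sizeof(int), 2);
+
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 events_perf_submit(&p, 0);
 }
 
@@ -4400,6 +4419,9 @@ int tracepoint__module__module_load(struct bpf_raw_tracepoint_args *ctx)
 save_str_to_buf(&p.event->args_buf, (void *) version, 1);
 save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
+if (!evaluate_data_filters(&p, 3))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4753,6 +4775,9 @@ statfunc int common_utimes(struct pt_regs *ctx)
 save_to_submit_buf(&p.event->args_buf, &atime, sizeof(u64), 3);
 save_to_submit_buf(&p.event->args_buf, &mtime, sizeof(u64), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4790,6 +4815,9 @@ int BPF_KPROBE(trace_do_truncate)
 save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 2);
 save_to_submit_buf(&p.event->args_buf, &length, sizeof(u64), 3);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4980,6 +5008,9 @@ int BPF_KPROBE(trace_ret_inotify_find_inode)
 save_to_submit_buf(&p.event->args_buf, &inode_nr, sizeof(unsigned long), 1);
 save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 2);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -5134,6 +5165,9 @@ int BPF_KPROBE(trace_security_path_notify)
 save_to_submit_buf(&p.event->args_buf, &mask, sizeof(u64), 3);
 save_to_submit_buf(&p.event->args_buf, &obj_type, sizeof(unsigned int), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 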
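Review bot: The second argument to `evaluate_data_filters()` is a bare index at every new call site — `0` in most probes, `1` in trace_ret_do_mmap and `3` in tracepoint__module__module_load — and nothing in the hunks says which saved argument it selects; in the module_load hunk the only string saves visible are indices 1 and 2, so index 3 names an argument saved outside the hunk. Since the index is presumably matched against the event's field layout on the Go side, a silent mismatch would compare the filter against the wrong field and drop or pass events with no error, which is a detection gap rather than a crash. I would document the selected field at each call site, e.g. `if (!evaluate_data_filters(&p, 1)) // kernel-side data filter on the string saved at arg index 1`, or better give each event a named constant for its filterable index so the C and Go sides cannot drift apart unnoticed. Every function touched here begins before its hunk, so the earlier save_str_to_buf calls that fix these indices are not visible in this view.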

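--- a/pkg/filters/data.go
+++ b/pkg/filters/data.go
@@ -167,8 +167,19 @@ func (f *DataFilter) Parse(id events.ID, fieldName string, operatorAndValues str
 valueHandler := func(val string) (string, error) {
 switch id {
 case events.SecurityFileOpen,
+events.SecurityMmapFile,
+events.SecurityBprmCheck,
+events.SecurityKernelReadFile,
+events.SecurityPostReadFile,
+events.SecurityFileMprotect,
+events.SecurityPathNotify,
+events.SecurityInodeUnlink,
+events.ModuleLoad,
+events.InotifyWatch,
+events.DoTruncate,
 events.MagicWrite,
-events.SecurityMmapFile:
+events.VfsUtimes,
+events.DoMmap:
 return f.processKernelFilter(val, fieldName)
 
 case events.SysEnter,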