
Commit a964fc9

committed
wip
1 parent 41b8fa0 commit a964fc9

2 files changed

Lines changed: 38 additions & 11 deletions


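--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -1521,6 +1521,9 @@ int sched_process_exec_event_submit_tail(struct bpf_raw_tracepoint_args *ctx)
 &p.event->args_buf, (void *) env_start, (void *) env_end, envc, 16);
 }
 
+if (!evaluate_data_filters(&p, 1))
+return 0;
+
 events_perf_submit(&p, 0);
 return 0;
 }
@@ -3196,6 +3199,9 @@ do_file_io_operation(struct pt_regs *ctx, u32 event_id, u32 tail_call_id, bool i
 save_to_submit_buf(&p.event->args_buf, &io_data.len, sizeof(unsigned long), 3);
 save_to_submit_buf(&p.event->args_buf, &start_pos, sizeof(off_t), 4);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 // Submit io event
 events_perf_submit(&p, PT_REGS_RC(ctx));
 
@@ -3550,6 +3556,8 @@ int BPF_KPROBE(kernel_write_magic_return)
 save_to_submit_buf(event, &file_info.id.inode, sizeof(unsigned long), 7); \
 save_to_submit_buf(event, &file_info.id.ctime, sizeof(u64), 8); \
 } \
+if (!evaluate_data_filters(&p, 5)) \
+return 0; \
 events_perf_submit(&p, 0); \
 }
 
@@ -4295,6 +4303,9 @@ int BPF_KPROBE(trace_device_add)
 save_str_to_buf(&p.event->args_buf, (void *) name, 0);
 save_str_to_buf(&p.event->args_buf, (void *) parent_name, 1);
 
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, 0);
 }
 
@@ -4593,6 +4604,10 @@ int BPF_KPROBE(trace_ret_do_init_module)
 save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
 int ret_val = PT_REGS_RC(ctx);
+
+if (!evaluate_data_filters(&p, 0))
+return 0;
+
 return events_perf_submit(&p, ret_val);
 }
 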
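--- a/pkg/filters/data.go
+++ b/pkg/filters/data.go
@@ -75,7 +75,7 @@ func NewDataFilter() *DataFilter {
 // list of events and field names allowed to have in-kernel filter
 var allowedKernelField = map[events.ID]string{
 // LSM hooks
-events.SecurityBprmCheck: "pathname", // 0
+events.SecurityBprmCheck: "pathname", // index: 0
 events.SecurityFileOpen: "pathname", // 0
 events.SecurityInodeUnlink: "pathname", // 0
 events.SecuritySbMount: "path", // 1
@@ -90,19 +90,31 @@ var allowedKernelField = map[events.ID]string{
 events.SecurityBpfProg: "name", // 1
 events.SecurityPathNotify: "pathname", // 0
 events.SharedObjectLoaded: "pathname", // 0
+
+// Others
+events.SchedProcessExec: "pathname", // 1
+events.VfsWrite: "pathname", // 0
+events.VfsWritev: "pathname", // 0
+events.VfsRead: "pathname", // 0
+events.VfsReadv: "pathname", // 0
+events.MemProtAlert: "pathname", // 5
+events.MagicWrite: "pathname", // 0
+events.KernelWrite: "pathname", // 0
+events.CallUsermodeHelper: "pathname", // 0
+events.LoadElfPhdrs: "pathname", // 0
+events.DoMmap: "pathname", // 1
+events.VfsUtimes: "pathname", // 0
+events.DoTruncate: "pathname", // 0
+events.InotifyWatch: "pathname", // 0
+// events.ProcessExecuteFailed: "pathname", // 2
+events.ModuleLoad: "pathname", // 3
+events.ChmodCommon: "pathname", // 0
+events.DeviceAdd: "name", // 0
+events.DoInitModule: "name", // 0
+
 // Syscalls
 events.Execve: "pathname",
 events.Execveat: "pathname",
-// Others
-events.ModuleLoad: "pathname",
-events.InotifyWatch: "pathname",
-events.DoTruncate: "pathname",
-events.MagicWrite: "pathname",
-events.VfsUtimes: "pathname",
-events.LoadElfPhdrs: "pathname",
-events.CallUsermodeHelper: "pathname",
-events.ChmodCommon: "pathname",
-events.DoMmap: "pathname",
 }
 
 // checkAvailabilityKernelFilter check if event ID and field name are allowed to be an kernel filter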
