multiple updates, eBPF, container API quality is improved

Author: vsilent

Cargo.toml

@@ -55,6 +55,7 @@ zstd = "0.13"
 
 # Stream utilities
 futures-util = "0.3"
+lettre = { version = "0.11", default-features = false, features = ["tokio1", "tokio1-rustls-tls", "builder", "smtp-transport"] }
 
 # eBPF (Linux only)
 [target.'cfg(target_os = "linux")'.dependencies]

ebpf/.cargo/config

@@ -0,0 +1,3 @@
+[toolchain]
+channel = "nightly"
+components = ["rust-src"]

ebpf/rust-toolchain.toml

@@ -5,5 +5,10 @@
 #![no_main]
 #![no_std]
 
-#[no_mangle]
-pub fn main() {}
+mod maps;
+mod syscalls;
+
+#[panic_handler]
+fn panic(_info: &core::panic::PanicInfo<'_>) -> ! {
+    loop {}
+}

ebpf/src/main.rs

@@ -2,8 +2,123 @@
 //!
 //! Shared maps for eBPF programs
 
-// TODO: Implement eBPF maps in TASK-003
-// This will include:
-// - Event ring buffer for sending events to userspace
-// - Hash maps for tracking state
-// - Arrays for configuration
+use aya_ebpf::{macros::map, maps::RingBuf};
+
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub union EbpfEventData {
+    pub execve: ExecveData,
+    pub connect: ConnectData,
+    pub openat: OpenatData,
+    pub ptrace: PtraceData,
+    pub raw: [u8; 264],
+}
+
+impl EbpfEventData {
+    pub const fn empty() -> Self {
+        Self { raw: [0u8; 264] }
+    }
+}
+
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub struct EbpfSyscallEvent {
+    pub pid: u32,
+    pub uid: u32,
+    pub syscall_id: u32,
+    pub _pad: u32,
+    pub timestamp: u64,
+    pub comm: [u8; 16],
+    pub data: EbpfEventData,
+}
+
+impl EbpfSyscallEvent {
+    pub const fn empty() -> Self {
+        Self {
+            pid: 0,
+            uid: 0,
+            syscall_id: 0,
+            _pad: 0,
+            timestamp: 0,
+            comm: [0u8; 16],
+            data: EbpfEventData::empty(),
+        }
+    }
+}
+
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub struct ExecveData {
+    pub filename_len: u32,
+    pub filename: [u8; 128],
+    pub argc: u32,
+}
+
+impl ExecveData {
+    pub const fn empty() -> Self {
+        Self {
+            filename_len: 0,
+            filename: [0u8; 128],
+            argc: 0,
+        }
+    }
+}
+
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub struct ConnectData {
+    pub dst_ip: [u8; 16],
+    pub dst_port: u16,
+    pub family: u16,
+}
+
+impl ConnectData {
+    pub const fn empty() -> Self {
+        Self {
+            dst_ip: [0u8; 16],
+            dst_port: 0,
+            family: 0,
+        }
+    }
+}
+
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub struct OpenatData {
+    pub path_len: u32,
+    pub path: [u8; 256],
+    pub flags: u32,
+}
+
+impl OpenatData {
+    pub const fn empty() -> Self {
+        Self {
+            path_len: 0,
+            path: [0u8; 256],
+            flags: 0,
+        }
+    }
+}
+
+#[repr(C)]
+#[derive(Clone, Copy)]
+pub struct PtraceData {
+    pub target_pid: u32,
+    pub request: u32,
+    pub addr: u64,
+    pub data: u64,
+}
+
+impl PtraceData {
+    pub const fn empty() -> Self {
+        Self {
+            target_pid: 0,
+            request: 0,
+            addr: 0,
+            data: 0,
+        }
+    }
+}
+
+#[map(name = "EVENTS")]
+pub static EVENTS: RingBuf = RingBuf::with_byte_size(256 * 1024, 0);

ebpf/src/maps.rs

@@ -2,10 +2,160 @@
 //!
 //! Tracepoints for monitoring security-relevant syscalls
 
-// TODO: Implement eBPF syscall monitoring programs in TASK-003
-// This will include:
-// - execve/execveat monitoring
-// - connect/accept/bind monitoring
-// - open/openat monitoring
-// - ptrace monitoring
-// - mount/umount monitoring
+use aya_ebpf::{
+    helpers::{
+        bpf_get_current_comm, bpf_probe_read_user, bpf_probe_read_user_buf,
+        bpf_probe_read_user_str_bytes,
+    },
+    macros::tracepoint,
+    programs::TracePointContext,
+    EbpfContext,
+};
+
+use crate::maps::{
+    ConnectData, EbpfEventData, EbpfSyscallEvent, ExecveData, OpenatData, PtraceData, EVENTS,
+};
+
+const SYSCALL_ARG_START: usize = 16;
+const SYSCALL_ARG_SIZE: usize = 8;
+
+const SYS_EXECVE: u32 = 59;
+const SYS_CONNECT: u32 = 42;
+const SYS_OPENAT: u32 = 257;
+const SYS_PTRACE: u32 = 101;
+
+const AF_INET: u16 = 2;
+const AF_INET6: u16 = 10;
+const MAX_ARGC_SCAN: usize = 16;
+
+#[tracepoint(name = "sys_enter_execve", category = "syscalls")]
+pub fn trace_execve(ctx: TracePointContext) -> i32 {
+    let _ = unsafe { try_trace_execve(&ctx) };
+    0
+}
+
+#[tracepoint(name = "sys_enter_connect", category = "syscalls")]
+pub fn trace_connect(ctx: TracePointContext) -> i32 {
+    let _ = unsafe { try_trace_connect(&ctx) };
+    0
+}
+
+#[tracepoint(name = "sys_enter_openat", category = "syscalls")]
+pub fn trace_openat(ctx: TracePointContext) -> i32 {
+    let _ = unsafe { try_trace_openat(&ctx) };
+    0
+}
+
+#[tracepoint(name = "sys_enter_ptrace", category = "syscalls")]
+pub fn trace_ptrace(ctx: TracePointContext) -> i32 {
+    let _ = unsafe { try_trace_ptrace(&ctx) };
+    0
+}
+
+unsafe fn try_trace_execve(ctx: &TracePointContext) -> Result<(), i64> {
+    let filename_ptr = read_u64_arg(ctx, 0)? as *const u8;
+    let argv_ptr = read_u64_arg(ctx, 1)? as *const u64;
+    let mut event = base_event(ctx, SYS_EXECVE);
+    let mut data = ExecveData::empty();
+
+    if !filename_ptr.is_null() {
+        if let Ok(bytes) = bpf_probe_read_user_str_bytes(filename_ptr, &mut data.filename) {
+            data.filename_len = bytes.len() as u32;
+        }
+    }
+
+    data.argc = count_argv(argv_ptr).unwrap_or(0);
+    event.data = EbpfEventData { execve: data };
+    submit_event(&event)
+}
+
+unsafe fn try_trace_connect(ctx: &TracePointContext) -> Result<(), i64> {
+    let sockaddr_ptr = read_u64_arg(ctx, 1)? as *const u8;
+    if sockaddr_ptr.is_null() {
+        return Ok(());
+    }
+
+    let family = bpf_probe_read_user(sockaddr_ptr as *const u16)?;
+    let mut event = base_event(ctx, SYS_CONNECT);
+    let mut data = ConnectData::empty();
+    data.family = family;
+
+    if family == AF_INET {
+        data.dst_port = bpf_probe_read_user(sockaddr_ptr.add(2) as *const u16)?;
+        let mut addr = [0u8; 4];
+        bpf_probe_read_user_buf(sockaddr_ptr.add(4), &mut addr)?;
+        data.dst_ip[..4].copy_from_slice(&addr);
+    } else if family == AF_INET6 {
+        data.dst_port = bpf_probe_read_user(sockaddr_ptr.add(2) as *const u16)?;
+        bpf_probe_read_user_buf(sockaddr_ptr.add(8), &mut data.dst_ip)?;
+    }
+
+    event.data = EbpfEventData { connect: data };
+    submit_event(&event)
+}
+
+unsafe fn try_trace_openat(ctx: &TracePointContext) -> Result<(), i64> {
+    let pathname_ptr = read_u64_arg(ctx, 1)? as *const u8;
+    let flags = read_u64_arg(ctx, 2)? as u32;
+    let mut event = base_event(ctx, SYS_OPENAT);
+    let mut data = OpenatData::empty();
+    data.flags = flags;
+
+    if !pathname_ptr.is_null() {
+        if let Ok(bytes) = bpf_probe_read_user_str_bytes(pathname_ptr, &mut data.path) {
+            data.path_len = bytes.len() as u32;
+        }
+    }
+
+    event.data = EbpfEventData { openat: data };
+    submit_event(&event)
+}
+
+unsafe fn try_trace_ptrace(ctx: &TracePointContext) -> Result<(), i64> {
+    let mut event = base_event(ctx, SYS_PTRACE);
+    let data = PtraceData {
+        request: read_u64_arg(ctx, 0)? as u32,
+        target_pid: read_u64_arg(ctx, 1)? as u32,
+        addr: read_u64_arg(ctx, 2)?,
+        data: read_u64_arg(ctx, 3)?,
+    };
+    event.data = EbpfEventData { ptrace: data };
+    submit_event(&event)
+}
+
+fn base_event(ctx: &TracePointContext, syscall_id: u32) -> EbpfSyscallEvent {
+    let mut event = EbpfSyscallEvent::empty();
+    event.pid = ctx.tgid();
+    event.uid = ctx.uid();
+    event.syscall_id = syscall_id;
+    event.timestamp = 0;
+    if let Ok(comm) = bpf_get_current_comm() {
+        event.comm = comm;
+    }
+    event
+}
+
+fn submit_event(event: &EbpfSyscallEvent) -> Result<(), i64> {
+    EVENTS.output(event, 0)
+}
+
+fn read_u64_arg(ctx: &TracePointContext, index: usize) -> Result<u64, i64> {
+    unsafe { ctx.read_at::<u64>(SYSCALL_ARG_START + index * SYSCALL_ARG_SIZE) }
+}
+
+unsafe fn count_argv(argv_ptr: *const u64) -> Result<u32, i64> {
+    if argv_ptr.is_null() {
+        return Ok(0);
+    }
+
+    let mut argc = 0u32;
+    while argc < MAX_ARGC_SCAN as u32 {
+        let arg_ptr = bpf_probe_read_user(argv_ptr.add(argc as usize))?;
+        if arg_ptr == 0 {
+            break;
+        }
+        argc += 1;
+    }
+
+    Ok(argc)
+}

ebpf/src/syscalls.rs

@@ -14,3 +14,6 @@ CREATE TABLE IF NOT EXISTS alerts (
 CREATE INDEX IF NOT EXISTS idx_alerts_status ON alerts(status);
 CREATE INDEX IF NOT EXISTS idx_alerts_severity ON alerts(severity);
 CREATE INDEX IF NOT EXISTS idx_alerts_timestamp ON alerts(timestamp);
+CREATE INDEX IF NOT EXISTS idx_alerts_container_id
+    ON alerts(json_extract(metadata, '$.container_id'))
+    WHERE json_valid(metadata);