new(drivers): add a new pgid field
Signed-off-by: Andrea Terzolo <[email protected]>
Andreagit97 authored and poiana committed Oct 7, 2024
1 parent 37d4383 commit 752f70d
Showing 9 changed files with 95 additions and 24 deletions.
24 changes: 22 additions & 2 deletions driver/bpf/fillers.h
Expand Up @@ -2818,8 +2818,18 @@ FILLER(execve_extra_tail_2, true) {
} else {
res = bpf_push_empty_param(data);
}
CHECK_RES(res);

return res;
/* Parameter 29: pgid (type: PT_UID) */
pid_t pgid = 0;
struct signal_struct *signal = (struct signal_struct *)_READ(task->signal);
if(signal) {
struct pid *pid_struct = _READ(signal->pids[PIDTYPE_PGID]);
if(pid_struct) {
pgid = _READ(pid_struct->numbers[0].nr);
}
}
return bpf_push_s64_to_ring(data, (int64_t)pgid);
}

FILLER(sys_accept4_e, true) {
Expand Down Expand Up @@ -6595,8 +6605,18 @@ FILLER(sched_prog_exec_5, false) {
} else {
res = bpf_push_empty_param(data);
}
CHECK_RES(res);

return res;
/* Parameter 29: pgid (type: PT_UID) */
pid_t pgid = 0;
struct signal_struct *signal = (struct signal_struct *)_READ(task->signal);
if(signal) {
struct pid *pid_struct = _READ(signal->pids[PIDTYPE_PGID]);
if(pid_struct) {
pgid = _READ(pid_struct->numbers[0].nr);
}
}
return bpf_push_s64_to_ring(data, (int64_t)pgid);
}

#endif
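Review bot: The comment `/* Parameter 29: pgid (type: PT_UID) */` added above the new read contradicts the type the event table declares for this parameter (`PT_PID`) and the type the test suite asserts; it should read `/* Parameter 29: pgid (type: PT_PID) */`. The same comment is pasted into the second fillers.h hunk (sched_prog_exec_5), the three modern-bpf programs and both ppm_fillers.c hunks, so all of them need the same one-word fix. The ten-line signal→pids[PIDTYPE_PGID]→numbers[0].nr lookup is also duplicated verbatim between execve_extra_tail_2 and sched_prog_exec_5; a small static helper taking `task` and returning the pgid would keep the two tail programs from drifting. Both FILLER bodies begin above their hunks.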
14 changes: 8 additions & 6 deletions driver/event_table.c
Expand Up @@ -1644,7 +1644,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SYSCALL_EXECVE_19_X] = {"execve",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
28,
29,
{{"res", PT_ERRNO, PF_DEC},
{"exe", PT_CHARBUF, PF_NA},
{"args", PT_BYTEBUF, PF_NA},
Expand All @@ -1662,7 +1662,7 @@ const struct ppm_event_info g_event_info[] = {
{"cgroups", PT_BYTEBUF, PF_NA},
{"env", PT_BYTEBUF, PF_NA},
{"tty", PT_UINT32, PF_DEC},
{"pgid", PT_PID, PF_DEC},
{"vpgid", PT_PID, PF_DEC},
{"loginuid", PT_UID, PF_DEC},
{"flags", PT_FLAGS32, PF_HEX, execve_flags},
{"cap_inheritable", PT_UINT64, PF_HEX},
Expand All @@ -1672,7 +1672,8 @@ const struct ppm_event_info g_event_info[] = {
{"exe_ino_ctime", PT_ABSTIME, PF_DEC},
{"exe_ino_mtime", PT_ABSTIME, PF_DEC},
{"uid", PT_UID, PF_DEC},
{"trusted_exepath", PT_FSPATH, PF_NA}}},
{"trusted_exepath", PT_FSPATH, PF_NA},
{"pgid", PT_PID, PF_NA}}},
[PPME_SYSCALL_SETPGID_E] = {"setpgid",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
Expand Down Expand Up @@ -1863,7 +1864,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SYSCALL_EXECVEAT_X] = {"execveat",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
28,
29,
{{"res", PT_ERRNO, PF_DEC},
{"exe", PT_CHARBUF, PF_NA},
{"args", PT_BYTEBUF, PF_NA},
Expand All @@ -1881,7 +1882,7 @@ const struct ppm_event_info g_event_info[] = {
{"cgroups", PT_BYTEBUF, PF_NA},
{"env", PT_BYTEBUF, PF_NA},
{"tty", PT_UINT32, PF_DEC},
{"pgid", PT_PID, PF_DEC},
{"vpgid", PT_PID, PF_DEC},
{"loginuid", PT_UID, PF_DEC},
{"flags", PT_FLAGS32, PF_HEX, execve_flags},
{"cap_inheritable", PT_UINT64, PF_HEX},
Expand All @@ -1891,7 +1892,8 @@ const struct ppm_event_info g_event_info[] = {
{"exe_ino_ctime", PT_ABSTIME, PF_DEC},
{"exe_ino_mtime", PT_ABSTIME, PF_DEC},
{"uid", PT_UID, PF_DEC},
{"trusted_exepath", PT_FSPATH, PF_NA}}},
{"trusted_exepath", PT_FSPATH, PF_NA},
{"pgid", PT_PID, PF_NA}}},
[PPME_SYSCALL_COPY_FILE_RANGE_E] = {"copy_file_range",
EC_FILE | EC_SYSCALL,
EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD,
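Review bot: The new entry `{"pgid", PT_PID, PF_NA}}},` uses `PF_NA` while the adjacent `vpgid` entry of the same `PT_PID` type is declared `PF_DEC`; it should be `{"pgid", PT_PID, PF_DEC}}},` in both the execve and the execveat table. Renaming the existing parameter from `pgid` to `vpgid` changes a name that downstream consumers may resolve by string, so the rename is worth stating in the commit description as a user-visible change alongside the new field. Appending the new parameter as index 29 keeps the existing 28 positions stable, which is the right place for it.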
Expand Up @@ -257,6 +257,13 @@ int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
auxmap__store_empty_param(auxmap);
}

/* Parameter 29: pgid (type: PT_UID) */
pid_t pgid = 0;
struct pid *pid_struct = NULL;
READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]);
BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);
auxmap__store_s64_param(auxmap, (int64_t)pgid);

/*=============================== COLLECT PARAMETERS ===========================*/

auxmap__finalize_event_header(auxmap);
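Review bot: The same seven lines are added to t2_sched_p_exec here and to t2_execve_x and t2_execveat_x in the next two sections; a single extractor helper taking `task` and returning the pgid would remove the triplication and give one place to document the namespace choice. That choice deserves a comment in any case: `numbers[0]` is the init-pid-namespace entry of the kernel's `struct pid`, so this reads the host view, which is presumably what distinguishes the new `pgid` from the renamed `vpgid` — something like `/* numbers[0] is the init-namespace upid: the host-visible pgid, unlike vpgid */` would make that intentional. If either read fails, `pgid` silently stays 0 and consumers cannot tell that apart from a real value; that matches the legacy bpf filler but is worth stating in the same comment. The BPF_PROG bodies begin above the hunks.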
Expand Up @@ -307,6 +307,13 @@ int BPF_PROG(t2_execve_x, struct pt_regs *regs, long ret) {
auxmap__store_empty_param(auxmap);
}

/* Parameter 29: pgid (type: PT_UID) */
pid_t pgid = 0;
struct pid *pid_struct = NULL;
READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]);
BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);
auxmap__store_s64_param(auxmap, (int64_t)pgid);

/*=============================== COLLECT PARAMETERS ===========================*/

auxmap__finalize_event_header(auxmap);
Expand Up @@ -319,6 +319,13 @@ int BPF_PROG(t2_execveat_x, struct pt_regs *regs, long ret) {
auxmap__store_empty_param(auxmap);
}

/* Parameter 29: pgid (type: PT_UID) */
pid_t pgid = 0;
struct pid *pid_struct = NULL;
READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]);
BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);
auxmap__store_s64_param(auxmap, (int64_t)pgid);

/*=============================== COLLECT PARAMETERS ===========================*/

auxmap__finalize_event_header(auxmap);
22 changes: 22 additions & 0 deletions driver/ppm_fillers.c
Expand Up @@ -1547,6 +1547,17 @@ int f_proc_startupdate(struct event_filler_arguments *args) {
/* Parameter 28: trusted_exepath (type: PT_FSPATH) */
res = val_to_ring(args, (unsigned long)trusted_exepath, 0, false, 0);
CHECK_RES(res);

/* Parameter 29: pgid (type: PT_UID) */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
// task_pgrp_nr_ns has been introduced in 2.6.24
// https://elixir.bootlin.com/linux/v2.6.24/source/kernel/pid.c#L458
res = val_to_ring(args, task_pgrp_nr_ns(current, task_active_pid_ns(current)), 0, false, 0);
#else
// https://elixir.bootlin.com/linux/v2.6.23/source/kernel/sys.c#L1543
res = val_to_ring(args, process_group(current), 0, false, 0);
#endif
CHECK_RES(res);
}
return add_sentinel(args);
}
Expand Down Expand Up @@ -7432,6 +7443,17 @@ int f_sched_prog_exec(struct event_filler_arguments *args) {
res = val_to_ring(args, (unsigned long)trusted_exepath, 0, false, 0);
CHECK_RES(res);

/* Parameter 29: pgid (type: PT_UID) */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
// task_pgrp_nr_ns has been introduced in 2.6.24
// https://elixir.bootlin.com/linux/v2.6.24/source/kernel/pid.c#L458
res = val_to_ring(args, task_pgrp_nr_ns(current, task_active_pid_ns(current)), 0, false, 0);
#else
// https://elixir.bootlin.com/linux/v2.6.23/source/kernel/sys.c#L1543
res = val_to_ring(args, process_group(current), 0, false, 0);
#endif
CHECK_RES(res);

return add_sentinel(args);
}
#endif
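Review bot: The kernel-module path reads the pgid through `task_pgrp_nr_ns(current, task_active_pid_ns(current))`, i.e. the number as seen from the task's own pid namespace, while both bpf drivers populate the same parameter from `numbers[0].nr`, the init-namespace entry of `struct pid`; for a process inside a pid namespace (a container) the kmod will therefore report a different value for parameter 29 than the bpf drivers, and a consumer that keys detection logic on this field would behave differently depending on the loaded driver. If the new field is meant to be the host pgid — which renaming the old field to `vpgid` suggests — the kmod should use `res = val_to_ring(args, (int64_t)task_pgrp_nr_ns(current, &init_pid_ns), 0, false, 0);` in both f_proc_startupdate and f_sched_prog_exec; if the namespaced value is intended instead, the bpf readers are the ones to change. The `#else` branch for pre-2.6.24 kernels cannot express a namespace at all, which is acceptable only if such kernels are genuinely still supported and documented as returning the global value. Both functions begin above their hunks.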
Expand Up @@ -139,7 +139,7 @@ TEST(GenericTracepoints, sched_proc_exec) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

#if defined(__NR_memfd_create) && defined(__NR_openat) && defined(__NR_read) && defined(__NR_write)
Expand Down Expand Up @@ -253,7 +253,7 @@ TEST(GenericTracepoints, sched_proc_exec_success_memfd) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}
#endif
#endif
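Review bot: Both tests in this suite only raise the pushed-parameter count to 29; nothing asserts the value of the new parameter, so a driver that pushed an empty or wrong value in that position would still pass. The harness already offers `assert_numeric_param`, which the execve suite uses for this same field, and the exec'd process inherits the test's process group unless the harness re-groups it, so `evt_test->assert_numeric_param(29, (int64_t)getpgid(0));` (or `getpgid` of the child's pid, if it is re-grouped) would pin the value. The TEST bodies begin above their hunks.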
21 changes: 12 additions & 9 deletions test/drivers/test_suites/syscall_exit_suite/execve_x.cpp
Expand Up @@ -302,9 +302,12 @@ TEST(SyscallExit, execveX_failure) {
* executable */
evt_test->assert_charbuf_param(28, info.exepath);

/* Parameter 29: pgid (type: PT_PID) */
evt_test->assert_numeric_param(29, (int64_t)info.pgid);

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

TEST(SyscallExit, execveX_failure_args_env_NULL) {
Expand Down Expand Up @@ -349,7 +352,7 @@ TEST(SyscallExit, execveX_failure_args_env_NULL) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

TEST(SyscallExit, execveX_failure_path_NULL_but_not_args) {
Expand Down Expand Up @@ -397,7 +400,7 @@ TEST(SyscallExit, execveX_failure_path_NULL_but_not_args) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

TEST(SyscallExit, execveX_success) {
Expand Down Expand Up @@ -552,7 +555,7 @@ TEST(SyscallExit, execveX_success) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

TEST(SyscallExit, execveX_not_upperlayer) {
Expand Down Expand Up @@ -680,7 +683,7 @@ TEST(SyscallExit, execveX_not_upperlayer) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

TEST(SyscallExit, execveX_upperlayer_success) {
Expand Down Expand Up @@ -807,7 +810,7 @@ TEST(SyscallExit, execveX_upperlayer_success) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

#if defined(__NR_memfd_create) && defined(__NR_openat) && defined(__NR_read) && defined(__NR_write)
Expand Down Expand Up @@ -921,7 +924,7 @@ TEST(SyscallExit, execveX_success_memfd) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}
#endif

Expand Down Expand Up @@ -1014,7 +1017,7 @@ TEST(SyscallExit, execveX_symlink) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}
#endif

Expand Down Expand Up @@ -1180,7 +1183,7 @@ TEST(SyscallExit, execveX_failure_empty_arg) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

#endif
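Review bot: The value of the new parameter is asserted only in execveX_failure (`evt_test->assert_numeric_param(29, (int64_t)info.pgid);`), where the event belongs to the test process itself; every success-path test, where a freshly exec'd child is the subject and the sched_prog_exec / tail-program paths actually run, only bumps the count to 29. At least one of execveX_success or execveX_success_memfd should assert the value too; with a forked child the process group is inherited, so `(int64_t)getpgid(0)` evaluated in the parent is the expected value unless the harness re-groups the child, which is not visible here. How `info.pgid` is populated is also not visible; if it comes from `getpgid`, it is the caller's-namespace view, which only diverges from the host value if the tests run inside a pid namespace. The same asymmetry applies to execveat_x.cpp in the next section. The TEST bodies begin above their hunks.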
13 changes: 8 additions & 5 deletions test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp
Expand Up @@ -206,9 +206,12 @@ TEST(SyscallExit, execveatX_failure) {
* executable */
evt_test->assert_charbuf_param(28, info.exepath);

/* Parameter 29: pgid (type: PT_PID) */
evt_test->assert_numeric_param(29, (int64_t)info.pgid);

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
}

/* All architectures return an `EXECVEAT_X` event when the syscall fails, but only
Expand Down Expand Up @@ -374,7 +377,7 @@ TEST(SyscallExit, execveatX_correct_exit) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
#else
/* We search for a child event. */
evt_test->assert_event_absence(ret_pid);
Expand Down Expand Up @@ -504,7 +507,7 @@ TEST(SyscallExit, execveatX_execve_exit) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
#endif
}

Expand Down Expand Up @@ -600,7 +603,7 @@ TEST(SyscallExit, execveatX_execve_exit_comm_equal_to_fd) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
#endif
}

Expand Down Expand Up @@ -716,7 +719,7 @@ TEST(SyscallExit, execveatX_success_memfd) {

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(28);
evt_test->assert_num_params_pushed(29);
#else
/* We search for a child event. */
evt_test->assert_event_absence(ret_pid);