From 752f70ddf0998a472479bad1f0797f129532dec7 Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Fri, 20 Sep 2024 12:46:41 +0200 Subject: [PATCH] new(drivers): add a new `pgid` field Signed-off-by: Andrea Terzolo --- driver/bpf/fillers.h | 24 +++++++++++++++++-- driver/event_table.c | 14 ++++++----- .../attached/events/sched_process_exec.bpf.c | 7 ++++++ .../syscall_dispatched_events/execve.bpf.c | 7 ++++++ .../syscall_dispatched_events/execveat.bpf.c | 7 ++++++ driver/ppm_fillers.c | 22 +++++++++++++++++ .../sched_process_exec.cpp | 4 ++-- .../syscall_exit_suite/execve_x.cpp | 21 +++++++++------- .../syscall_exit_suite/execveat_x.cpp | 13 ++++++---- 9 files changed, 95 insertions(+), 24 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 623c834940..9d65572cc6 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -2818,8 +2818,18 @@ FILLER(execve_extra_tail_2, true) { } else { res = bpf_push_empty_param(data); } + CHECK_RES(res); - return res; + /* Parameter 29: pgid (type: PT_UID) */ + pid_t pgid = 0; + struct signal_struct *signal = (struct signal_struct *)_READ(task->signal); + if(signal) { + struct pid *pid_struct = _READ(signal->pids[PIDTYPE_PGID]); + if(pid_struct) { + pgid = _READ(pid_struct->numbers[0].nr); + } + } + return bpf_push_s64_to_ring(data, (int64_t)pgid); } FILLER(sys_accept4_e, true) { @@ -6595,8 +6605,18 @@ FILLER(sched_prog_exec_5, false) { } else { res = bpf_push_empty_param(data); } + CHECK_RES(res); - return res; + /* Parameter 29: pgid (type: PT_UID) */ + pid_t pgid = 0; + struct signal_struct *signal = (struct signal_struct *)_READ(task->signal); + if(signal) { + struct pid *pid_struct = _READ(signal->pids[PIDTYPE_PGID]); + if(pid_struct) { + pgid = _READ(pid_struct->numbers[0].nr); + } + } + return bpf_push_s64_to_ring(data, (int64_t)pgid); } #endif diff --git a/driver/event_table.c b/driver/event_table.c index 0c2a12066f..66d7b3bb5c 100644 --- a/driver/event_table.c +++ b/driver/event_table.c 
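Review bot: The comment added in both FILLER bodies, `/* Parameter 29: pgid (type: PT_UID) */`, disagrees with the event table in this same patch, which registers parameter 29 as `{"pgid", PT_PID, PF_NA}`; it should read `/* Parameter 29: pgid (type: PT_PID) */`. The same wrong type is copied into the added comment of sched_process_exec.bpf.c, execve.bpf.c, execveat.bpf.c and both ppm_fillers.c hunks, while the driver tests correctly say PT_PID. A second thing worth a line of comment: `pgid` stays 0 when `task->signal` or `pids[PIDTYPE_PGID]` reads back NULL, so 0 is pushed rather than an empty param as the visible `else` branch does for the previous parameter; noting that 0 is the deliberate fallback would save the next reader the question. Both `execve_extra_tail_2` and `sched_prog_exec_5` start outside their hunks.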
@@ -1644,7 +1644,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_EXECVE_19_X] = {"execve",
 EC_PROCESS | EC_SYSCALL,
 EF_MODIFIES_STATE,
- 28,
+ 29,
 {{"res", PT_ERRNO, PF_DEC},
 {"exe", PT_CHARBUF, PF_NA},
 {"args", PT_BYTEBUF, PF_NA},
@@ -1662,7 +1662,7 @@ const struct ppm_event_info g_event_info[] = {
 {"cgroups", PT_BYTEBUF, PF_NA},
 {"env", PT_BYTEBUF, PF_NA},
 {"tty", PT_UINT32, PF_DEC},
- {"pgid", PT_PID, PF_DEC},
+ {"vpgid", PT_PID, PF_DEC},
 {"loginuid", PT_UID, PF_DEC},
 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
 {"cap_inheritable", PT_UINT64, PF_HEX},
@@ -1672,7 +1672,8 @@ const struct ppm_event_info g_event_info[] = {
 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
 {"uid", PT_UID, PF_DEC},
- {"trusted_exepath", PT_FSPATH, PF_NA}}},
+ {"trusted_exepath", PT_FSPATH, PF_NA},
+ {"pgid", PT_PID, PF_NA}}},
 [PPME_SYSCALL_SETPGID_E] = {"setpgid",
 EC_PROCESS | EC_SYSCALL,
 EF_MODIFIES_STATE,
@@ -1863,7 +1864,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_EXECVEAT_X] = {"execveat",
 EC_PROCESS | EC_SYSCALL,
 EF_MODIFIES_STATE,
- 28,
+ 29,
 {{"res", PT_ERRNO, PF_DEC},
 {"exe", PT_CHARBUF, PF_NA},
 {"args", PT_BYTEBUF, PF_NA},
@@ -1881,7 +1882,7 @@ const struct ppm_event_info g_event_info[] = {
 {"cgroups", PT_BYTEBUF, PF_NA},
 {"env", PT_BYTEBUF, PF_NA},
 {"tty", PT_UINT32, PF_DEC},
- {"pgid", PT_PID, PF_DEC},
+ {"vpgid", PT_PID, PF_DEC},
 {"loginuid", PT_UID, PF_DEC},
 {"flags", PT_FLAGS32, PF_HEX, execve_flags},
 {"cap_inheritable", PT_UINT64, PF_HEX},
@@ -1891,7 +1892,8 @@ const struct ppm_event_info g_event_info[] = {
 {"exe_ino_ctime", PT_ABSTIME, PF_DEC},
 {"exe_ino_mtime", PT_ABSTIME, PF_DEC},
 {"uid", PT_UID, PF_DEC},
- {"trusted_exepath", PT_FSPATH, PF_NA}}},
+ {"trusted_exepath", PT_FSPATH, PF_NA},
+ {"pgid", PT_PID, PF_NA}}},
 [PPME_SYSCALL_COPY_FILE_RANGE_E] = {"copy_file_range",
 EC_FILE | EC_SYSCALL,
 EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD,
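Review bot: The new entries `{"pgid", PT_PID, PF_NA}` in both the execve and execveat tables use PF_NA, while every other PT_PID parameter visible in these hunks, including the renamed `{"vpgid", PT_PID, PF_DEC}`, prints with PF_DEC; `{"pgid", PT_PID, PF_DEC}}},` keeps the print format consistent. Renaming parameter 17 from `pgid` to `vpgid` and reusing the name `pgid` for parameter 29 also means any consumer that resolves event fields by name will silently switch from the namespace-local value to the new one; if that is intended, it deserves a sentence in the commit description. The `g_event_info` initializer starts and ends outside these hunks.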
diff --git a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c index a8ce62ca52..98573fb070 100644 --- a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c +++ b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c @@ -257,6 +257,13 @@ int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) { auxmap__store_empty_param(auxmap); } + /* Parameter 29: pgid (type: PT_UID) */ + pid_t pgid = 0; + struct pid *pid_struct = NULL; + READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]); + BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr); + auxmap__store_s64_param(auxmap, (int64_t)pgid); + /*=============================== COLLECT PARAMETERS ===========================*/ auxmap__finalize_event_header(auxmap); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c index dbbd9390b8..1a7937962f 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c @@ -307,6 +307,13 @@ int BPF_PROG(t2_execve_x, struct pt_regs *regs, long ret) { auxmap__store_empty_param(auxmap); } + /* Parameter 29: pgid (type: PT_UID) */ + pid_t pgid = 0; + struct pid *pid_struct = NULL; + READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]); + BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr); + auxmap__store_s64_param(auxmap, (int64_t)pgid); + /*=============================== COLLECT PARAMETERS ===========================*/ auxmap__finalize_event_header(auxmap); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c index 38174f9628..c2f1dd4269 100644 
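Review bot: `BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);` is still executed when the preceding `READ_TASK_FIELD_INTO` leaves `pid_struct` NULL, and its return code is discarded, so the pushed value is whatever `pgid` holds after the failed read (presumably its 0 initializer); the legacy bpf filler in this same patch guards that read with an explicit `if(pid_struct)`, and a one-line comment here saying that 0 is the intended fallback would make the two drivers read as deliberately equivalent. It is also worth stating in the comment that `numbers[0]` is the pid-namespace level 0 entry, i.e. the root-namespace view, since that is what distinguishes this field from the existing `vpgid` parameter, e.g. `/* numbers[0] is the root pid-namespace view, unlike vpgid */`. The same lines appear in execve.bpf.c on this line and in execveat.bpf.c below. `t2_sched_p_exec` and `t2_execve_x` start outside their hunks.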
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c @@ -319,6 +319,13 @@ int BPF_PROG(t2_execveat_x, struct pt_regs *regs, long ret) { auxmap__store_empty_param(auxmap); } + /* Parameter 29: pgid (type: PT_UID) */ + pid_t pgid = 0; + struct pid *pid_struct = NULL; + READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]); + BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr); + auxmap__store_s64_param(auxmap, (int64_t)pgid); + /*=============================== COLLECT PARAMETERS ===========================*/ auxmap__finalize_event_header(auxmap); diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index bb83eb05a0..50bf290ec3 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -1547,6 +1547,17 @@ int f_proc_startupdate(struct event_filler_arguments *args) { /* Parameter 28: trusted_exepath (type: PT_FSPATH) */ res = val_to_ring(args, (unsigned long)trusted_exepath, 0, false, 0); CHECK_RES(res); + + /* Parameter 29: pgid (type: PT_UID) */ +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) + // task_pgrp_nr_ns has been introduced in 2.6.24 + // https://elixir.bootlin.com/linux/v2.6.24/source/kernel/pid.c#L458 + res = val_to_ring(args, task_pgrp_nr_ns(current, task_active_pid_ns(current)), 0, false, 0); +#else + // https://elixir.bootlin.com/linux/v2.6.23/source/kernel/sys.c#L1543 + res = val_to_ring(args, process_group(current), 0, false, 0); +#endif + CHECK_RES(res); } return add_sentinel(args); } 
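Review bot: The kernel module computes the new field in a different pid namespace than the bpf drivers do: `task_pgrp_nr_ns(current, task_active_pid_ns(current))` resolves the process group in the task's own namespace, whereas the bpf fillers in this patch read `numbers[0].nr`, the root-namespace entry, so for a task inside a pid namespace the drivers would disagree and the module's value would, as far as I can tell, duplicate the existing `vpgid` parameter. If the host view is the intent, `res = val_to_ring(args, task_pgrp_nr_ns(current, &init_pid_ns), 0, false, 0);` (or the `task_pgrp_nr(current)` wrapper) matches the bpf side. The same lines appear in the `f_sched_prog_exec` hunk below. `f_proc_startupdate`, including the block that encloses this push, starts outside the hunk.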
@@ -7432,6 +7443,17 @@ int f_sched_prog_exec(struct event_filler_arguments *args) { res = val_to_ring(args, (unsigned long)trusted_exepath, 0, false, 0); CHECK_RES(res); + /* Parameter 29: pgid (type: PT_UID) */ +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) + // task_pgrp_nr_ns has been introduced in 2.6.24 + // https://elixir.bootlin.com/linux/v2.6.24/source/kernel/pid.c#L458 + res = val_to_ring(args, task_pgrp_nr_ns(current, task_active_pid_ns(current)), 0, false, 0); +#else + // https://elixir.bootlin.com/linux/v2.6.23/source/kernel/sys.c#L1543 + res = val_to_ring(args, process_group(current), 0, false, 0); +#endif + CHECK_RES(res); + return add_sentinel(args); } #endif diff --git a/test/drivers/test_suites/generic_tracepoints_suite/sched_process_exec.cpp b/test/drivers/test_suites/generic_tracepoints_suite/sched_process_exec.cpp index 8f86e50de7..f85ebcc95d 100644 --- a/test/drivers/test_suites/generic_tracepoints_suite/sched_process_exec.cpp +++ b/test/drivers/test_suites/generic_tracepoints_suite/sched_process_exec.cpp @@ -139,7 +139,7 @@ TEST(GenericTracepoints, sched_proc_exec) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } #if defined(__NR_memfd_create) && defined(__NR_openat) && defined(__NR_read) && defined(__NR_write) @@ -253,7 +253,7 @@ TEST(GenericTracepoints, sched_proc_exec_success_memfd) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } #endif #endif diff --git a/test/drivers/test_suites/syscall_exit_suite/execve_x.cpp b/test/drivers/test_suites/syscall_exit_suite/execve_x.cpp index 49ef28a5c4..6ad4408c89 100644 --- a/test/drivers/test_suites/syscall_exit_suite/execve_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/execve_x.cpp 
@@ -302,9 +302,12 @@ TEST(SyscallExit, execveX_failure) { * executable */ evt_test->assert_charbuf_param(28, info.exepath); + /* Parameter 29: pgid (type: PT_PID) */ + evt_test->assert_numeric_param(29, (int64_t)info.pgid); + /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } TEST(SyscallExit, execveX_failure_args_env_NULL) { @@ -349,7 +352,7 @@ TEST(SyscallExit, execveX_failure_args_env_NULL) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } TEST(SyscallExit, execveX_failure_path_NULL_but_not_args) { @@ -397,7 +400,7 @@ TEST(SyscallExit, execveX_failure_path_NULL_but_not_args) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } TEST(SyscallExit, execveX_success) { @@ -552,7 +555,7 @@ TEST(SyscallExit, execveX_success) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } TEST(SyscallExit, execveX_not_upperlayer) { @@ -680,7 +683,7 @@ TEST(SyscallExit, execveX_not_upperlayer) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } TEST(SyscallExit, execveX_upperlayer_success) { @@ -807,7 +810,7 @@ TEST(SyscallExit, execveX_upperlayer_success) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } #if defined(__NR_memfd_create) && defined(__NR_openat) && defined(__NR_read) && defined(__NR_write) 
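Review bot: Only `execveX_failure` asserts the value of the new parameter, `evt_test->assert_numeric_param(29, (int64_t)info.pgid);`; the success tests (`execveX_success`, `execveX_not_upperlayer`, `execveX_upperlayer_success` and the rest) just raise the expected count to 29, so a driver pushing the wrong process group on the success path would still pass. If `info.pgid` or the test's own process group is obtainable in those tests, the same assertion belongs there too. The same gap exists between `execveatX_failure` and the other execveat_x.cpp tests.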
@@ -921,7 +924,7 @@ TEST(SyscallExit, execveX_success_memfd) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } #endif @@ -1014,7 +1017,7 @@ TEST(SyscallExit, execveX_symlink) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } #endif @@ -1180,7 +1183,7 @@ TEST(SyscallExit, execveX_failure_empty_arg) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } #endif diff --git a/test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp index 296a3ce65e..5f88a3b468 100644 --- a/test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp @@ -206,9 +206,12 @@ TEST(SyscallExit, execveatX_failure) { * executable */ evt_test->assert_charbuf_param(28, info.exepath); + /* Parameter 29: pgid (type: PT_PID) */ + evt_test->assert_numeric_param(29, (int64_t)info.pgid); + /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); } /* All architectures return an `EXECVEAT_X` event when the syscall fails, but only @@ -374,7 +377,7 @@ TEST(SyscallExit, execveatX_correct_exit) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); #else /* We search for a child event. */ evt_test->assert_event_absence(ret_pid); 
@@ -504,7 +507,7 @@ TEST(SyscallExit, execveatX_execve_exit) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); #endif } @@ -600,7 +603,7 @@ TEST(SyscallExit, execveatX_execve_exit_comm_equal_to_fd) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); #endif } @@ -716,7 +719,7 @@ TEST(SyscallExit, execveatX_success_memfd) { /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(28); + evt_test->assert_num_params_pushed(29); #else /* We search for a child event. */ evt_test->assert_event_absence(ret_pid);