feat(events): add chmod_common event

aquasecurity · Oct 9, 2024 · 280d9e9 · 280d9e9
1 parent 7ed9e12
commit 280d9e9
Show file tree

Hide file tree

Showing 8 changed files with 77 additions and 1 deletion.
diff --git a/docs/docs/events/builtin/extra/chmod_common.md b/docs/docs/events/builtin/extra/chmod_common.md
@@ -0,0 +1,34 @@
+# chmod_common
+
+## Intro
+
+chmod_common - An event capturing changes to access permissions of files and directories.
+
+## Description
+
+This event captures any changes to the current working directory (typically by using the `chmod` and similar syscalls).
+
+## Arguments
+
+* `pathname`:`const char*`[K] - path of the file or directory
+* `mode`:`mode_t`[K] - the mode to apply to the file or directory
+
+## Hooks
+
+### chmod_common
+
+#### Type
+
+kprobe
+
+#### Purpose
+
+Catch access permissions changes of files and directories.
+
+## Example Use Case
+
+## Issues
+
+## Related Events
+
+`chmod`, `fchmod`, `fchmodat`
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -110,6 +110,7 @@ nav:
                             - security_path_notify: docs/events/builtin/extra/security_path_notify.md
                             - set_fs_pwd: docs/events/builtin/extra/set_fs_pwd.md
                             - tracee_info: docs/events/builtin/extra/tracee_info.md
+                            - chmod_common: docs/events/builtin/extra/chmod_common.md
                       - Syscalls:
                             - Overview: docs/events/builtin/syscalls/index.md
                             - syscalls:

diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -5161,6 +5161,26 @@ int BPF_KPROBE(trace_security_settime64)
     return events_perf_submit(&p, 0);
 }
 
+SEC("kprobe/chmod_common")
+int BPF_KPROBE(trace_chmod_common)
+{
+    program_data_t p = {};
+    if (!init_program_data(&p, ctx, CHMOD_COMMON))
+        return 0;
+
+    if (!evaluate_scope_filters(&p))
+        return 0;
+
+    struct path *path = (struct path *) PT_REGS_PARM1(ctx);
+    umode_t mode = PT_REGS_PARM2(ctx);
+    void *file_path = get_path_str(path);
+
+    save_str_to_buf(&p.event->args_buf, file_path, 0);
+    save_to_submit_buf(&p.event->args_buf, &mode, sizeof(umode_t), 1);
+
+    return events_perf_submit(&p, 0);
+}
+
 // clang-format off
 
 // Network Packets (works from ~5.2 and beyond)

diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h
@@ -131,6 +131,7 @@ enum event_id_e
     PROCESS_EXECUTE_FAILED_INTERNAL,
     SECURITY_TASK_SETRLIMIT,
     SECURITY_SETTIME64,
+    CHMOD_COMMON,
     MAX_EVENT_ID,
     NO_EVENT_SUBMIT,
 

diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
@@ -235,6 +235,7 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 		Dup2Ret:                    NewTraceProbe(SyscallExit, "dup2", "trace_ret_dup2"),
 		Dup3:                       NewTraceProbe(SyscallEnter, "dup3", "trace_dup3"),
 		Dup3Ret:                    NewTraceProbe(SyscallExit, "dup3", "trace_ret_dup3"),
+		ChmodCommon:                NewTraceProbe(KProbe, "chmod_common", "trace_chmod_common"),
 
 		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 		ExecTest:            NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),

diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
@@ -161,6 +161,7 @@ const (
 	Dup2Ret
 	Dup3
 	Dup3Ret
+	ChmodCommon
 )
 
 // Test probe handles

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -113,6 +113,7 @@ const (
 	ProcessExecuteFailedInternal
 	SecurityTaskSetrlimit
 	SecuritySettime64
+	ChmodCommon
 	MaxCommonID
 )
 
@@ -13042,6 +13043,23 @@ var CoreEvents = map[ID]Definition{
 			{Type: "int", Name: "tz_dsttime"},
 		},
 	},
+	ChmodCommon: {
+		id:      ChmodCommon,
+		id32Bit: Sys32Undefined,
+		name:    "chmod_common",
+		version: NewVersion(1, 0, 0),
+		syscall: true,
+		sets:    []string{},
+		params: []trace.ArgMeta{
+			{Type: "const char*", Name: "pathname"},
+			{Type: "mode_t", Name: "mode"},
+		},
+		dependencies: Dependencies{
+			probes: []Probe{
+				{handle: probes.ChmodCommon, required: true},
+			},
+		},
+	},
 	//
 	// Begin of Signal Events (Control Plane)
 	//

diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go
@@ -133,7 +133,7 @@ func ParseArgs(event *trace.Event) error {
 				parseOpenFlagArgument(flagsArg, uint64(flags))
 			}
 		}
-	case Mknod, Mknodat, Chmod, Fchmod, Fchmodat:
+	case Mknod, Mknodat, Chmod, Fchmod, Fchmodat, ChmodCommon:
 		if modeArg := GetArg(event, "mode"); modeArg != nil {
 			if mode, isUint32 := modeArg.Value.(uint32); isUint32 {
 				parseInodeMode(modeArg, uint64(mode))