diff --git a/pkg/ebpf/c/common/context.h b/pkg/ebpf/c/common/context.h index 5732173c198d..60c42042260a 100644 --- a/pkg/ebpf/c/common/context.h +++ b/pkg/ebpf/c/common/context.h @@ -259,6 +259,7 @@ statfunc bool reset_event(event_data_t *event, u32 event_id) event->config.field_types = event_config->field_types; event->config.submit_for_policies = event_config->submit_for_policies; event->context.matched_policies = event_config->submit_for_policies; + event->config.data_filter = event_config->data_filter; return true; } diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c index f53272fc5bea..e9f837c26353 100644 --- a/pkg/ebpf/c/tracee.bpf.c +++ b/pkg/ebpf/c/tracee.bpf.c @@ -387,6 +387,9 @@ int syscall__execve_enter(void *ctx) &p.event->args_buf, (const char *const *) sys->args.args[2] /*envp*/, 2); } + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -417,6 +420,9 @@ int syscall__execve_exit(void *ctx) &p.event->args_buf, (const char *const *) sys->args.args[2] /*envp*/, 2); } + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, sys->ret); } @@ -447,6 +453,9 @@ int syscall__execveat_enter(void *ctx) } save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[4] /*flags*/, sizeof(int), 4); + if (!evaluate_data_filters(&p, 1)) + return 0; + return events_perf_submit(&p, 0); } @@ -479,6 +488,9 @@ int syscall__execveat_exit(void *ctx) } save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[4] /*flags*/, sizeof(int), 4); + if (!evaluate_data_filters(&p, 1)) + return 0; + return events_perf_submit(&p, sys->ret); } @@ -1714,6 +1726,9 @@ int BPF_KPROBE(trace_call_usermodehelper) save_str_arr_to_buf(&p.event->args_buf, (const char *const *) envp, 2); save_to_submit_buf(&p.event->args_buf, (void *) &wait, sizeof(int), 3); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -2272,6 +2287,9 @@ int BPF_KPROBE(trace_security_bprm_check) if (p.config->options & OPT_EXEC_ENV) save_str_arr_to_buf(&p.event->args_buf, envp, 4); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -2347,6 +2365,9 @@ int BPF_KPROBE(trace_security_sb_mount) save_str_to_buf(&p.event->args_buf, (void *) type, 2); save_to_submit_buf(&p.event->args_buf, &flags, sizeof(unsigned long), 3); + if (!evaluate_data_filters(&p, 1)) + return 0; + return events_perf_submit(&p, 0); } @@ -2381,6 +2402,9 @@ int BPF_KPROBE(trace_security_inode_unlink) save_to_submit_buf(&p.event->args_buf, &unlinked_file_id.device, sizeof(dev_t), 2); save_to_submit_buf(&p.event->args_buf, &unlinked_file_id.ctime, sizeof(u64), 3); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -2580,6 +2604,9 @@ int BPF_KPROBE(trace_security_inode_symlink) save_str_to_buf(&p.event->args_buf, dentry_path, 0); save_str_to_buf(&p.event->args_buf, (void *) old_name, 1); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -3610,6 +3637,9 @@ int BPF_KPROBE(trace_ret_do_mmap) save_to_submit_buf(&p.event->args_buf, &prot, sizeof(unsigned long), 8); save_to_submit_buf(&p.event->args_buf, &mmap_flags, sizeof(unsigned long), 9); + if (!evaluate_data_filters(&p, 1)) + return 0; + return events_perf_submit(&p, 0); } @@ -3643,6 +3673,9 @@ int BPF_KPROBE(trace_security_mmap_file) save_to_submit_buf(&p.event->args_buf, &inode_nr, sizeof(unsigned long), 3); save_to_submit_buf(&p.event->args_buf, &ctime, sizeof(u64), 4); + if (!evaluate_data_filters(&p, 0)) + return 0; + events_perf_submit(&p, 0); } @@ -3711,6 +3744,9 @@ int BPF_KPROBE(trace_security_file_mprotect) save_to_submit_buf(&p.event->args_buf, &pkey, sizeof(int), 6); } + if (!evaluate_data_filters(&p, 0)) + return 0; + events_perf_submit(&p, 0); } @@ -3953,6 +3989,9 @@ int BPF_KPROBE(trace_security_bpf_map) // 2nd argument == map_name (const char *) save_str_to_buf(&p.event->args_buf, (void *) __builtin_preserve_access_index(&map->name), 1); + if (!evaluate_data_filters(&p, 1)) + return 0; + return events_perf_submit(&p, 0); } @@ -4008,6 +4047,9 @@ int BPF_KPROBE(trace_security_bpf_prog) save_to_submit_buf(&p.event->args_buf, &prog_id, sizeof(u32), 3); save_to_submit_buf(&p.event->args_buf, &is_load, sizeof(bool), 4); + if (!evaluate_data_filters(&p, 1)) + return 0; + events_perf_submit(&p, 0); return 0; @@ -4149,6 +4191,9 @@ int BPF_KPROBE(trace_security_kernel_read_file) save_to_submit_buf(&p.event->args_buf, &type_id, sizeof(int), 3); save_to_submit_buf(&p.event->args_buf, &ctime, sizeof(u64), 4); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -4173,6 +4218,10 @@ int BPF_KPROBE(trace_security_kernel_post_read_file) save_str_to_buf(&p.event->args_buf, file_path, 0); save_to_submit_buf(&p.event->args_buf, &size, sizeof(loff_t), 1); save_to_submit_buf(&p.event->args_buf, &type_id, sizeof(int), 2); + + if (!evaluate_data_filters(&p, 0)) + return 0; + events_perf_submit(&p, 0); } @@ -4221,6 +4270,9 @@ int BPF_KPROBE(trace_security_inode_mknod) save_to_submit_buf(&p.event->args_buf, &mode, sizeof(unsigned short), 1); save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 2); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -4463,6 +4515,9 @@ int tracepoint__module__module_load(struct bpf_raw_tracepoint_args *ctx) save_str_to_buf(&p.event->args_buf, (void *) version, 1); save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2); + if (!evaluate_data_filters(&p, 3)) + return 0; + return events_perf_submit(&p, 0); } @@ -4571,6 +4626,10 @@ int BPF_KPROBE(trace_load_elf_phdrs) save_str_to_buf(&p.event->args_buf, (void *) elf_pathname, 0); save_to_submit_buf(&p.event->args_buf, &proc_info->interpreter.id.device, sizeof(dev_t), 1); save_to_submit_buf(&p.event->args_buf, &proc_info->interpreter.id.inode, sizeof(unsigned long), 2); + + if (!evaluate_data_filters(&p, 0)) + return 0; + events_perf_submit(&p, 0); return 0; @@ -4678,6 +4737,9 @@ int BPF_KPROBE(trace_security_inode_rename) void *new_dentry_path = get_dentry_path_str(new_dentry); save_str_to_buf(&p.event->args_buf, new_dentry_path, 1); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -4816,6 +4878,9 @@ statfunc int common_utimes(struct pt_regs *ctx) save_to_submit_buf(&p.event->args_buf, &atime, sizeof(u64), 3); save_to_submit_buf(&p.event->args_buf, &mtime, sizeof(u64), 4); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -4853,6 +4918,9 @@ int BPF_KPROBE(trace_do_truncate) save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 2); save_to_submit_buf(&p.event->args_buf, &length, sizeof(u64), 3); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -5043,6 +5111,9 @@ int BPF_KPROBE(trace_ret_inotify_find_inode) save_to_submit_buf(&p.event->args_buf, &inode_nr, sizeof(unsigned long), 1); save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 2); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -5197,6 +5268,9 @@ int BPF_KPROBE(trace_security_path_notify) save_to_submit_buf(&p.event->args_buf, &mask, sizeof(u64), 3); save_to_submit_buf(&p.event->args_buf, &obj_type, sizeof(unsigned int), 4); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); } @@ -5300,6 +5374,9 @@ int BPF_KPROBE(trace_chmod_common) save_str_to_buf(&p.event->args_buf, file_path, 0); save_to_submit_buf(&p.event->args_buf, &mode, sizeof(umode_t), 1); + if (!evaluate_data_filters(&p, 0)) + return 0; + return events_perf_submit(&p, 0); }