a

aquasecurity · Jan 30, 2025 · 7784aa5 · 7784aa5
1 parent 40ff101
commit 7784aa5
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 2 deletions.
diff --git a/pkg/ebpf/c/common/context.h b/pkg/ebpf/c/common/context.h
@@ -259,6 +259,7 @@ statfunc bool reset_event(event_data_t *event, u32 event_id)
     event->config.field_types = event_config->field_types;
     event->config.submit_for_policies = event_config->submit_for_policies;
     event->context.matched_policies = event_config->submit_for_policies;
+    event->config.data_filter = event_config->data_filter;
 
     return true;
 }

diff --git a/pkg/ebpf/c/common/filtering.h b/pkg/ebpf/c/common/filtering.h
@@ -350,6 +350,10 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
     // TODO: Dynamically determine the filter and type based on policy configuration
     string_filter_config_t *str_filter = &p->event->config.data_filter.string;
 
+
+    bpf_printk("[ikf] event:%d index:%d (1)", p->event->context.eventid, index);
+    bpf_printk("[ikf] event. exac:%d pre:%d suf:%d", str_filter->exact_enabled, str_filter->prefix_enabled, str_filter->suffix_enabled);
+
     if (!(str_filter->exact_enabled || str_filter->prefix_enabled || str_filter->suffix_enabled))
         return policies_cfg->enabled_policies;
 
@@ -366,6 +370,9 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
     u32 eventid = p->event->context.eventid;
     u16 version = p->event->context.policies_version;
 
+    bpf_printk("[ikf] event:%d index:%d (2)", p->event->context.eventid, index);
+
+
     // Exact match
     if (str_filter->exact_enabled) {
         data_filter_key_t *key = get_string_data_filter_buf(DATA_FILTER_BUF1_IDX);

diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -43,7 +43,7 @@ char LICENSE[] SEC("license") = "GPL";
 
 // trace/events/syscalls.h: TP_PROTO(struct pt_regs *regs, long id)
 // initial entry for sys_enter syscall logic
-SEC("raw_tracepoint/sys_enter")
+SEC("raw_tracepoint/sys_enter") 
 int tracepoint__raw_syscalls__sys_enter(struct bpf_raw_tracepoint_args *ctx)
 {
     struct task_struct *task = (struct task_struct *) bpf_get_current_task();
@@ -374,9 +374,13 @@ int syscall__execve_enter(void *ctx)
     syscall_data_t *sys = &p.task_info->syscall_data;
     p.event->context.ts = sys->ts;
 
+    bpf_printk("syscall__execve_enter 1");
+
     if (!reset_event(p.event, SYSCALL_EXECVE))
         return 0;
 
+    bpf_printk("syscall__execve_enter 2");
+
     if (!evaluate_scope_filters(&p))
         return 0;
 
@@ -387,6 +391,11 @@ int syscall__execve_enter(void *ctx)
             &p.event->args_buf, (const char *const *) sys->args.args[2] /*envp*/, 2);
     }
 
+    bpf_printk("syscall__execve_enter 3");
+
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -404,9 +413,13 @@ int syscall__execve_exit(void *ctx)
 
     p.event->context.ts = sys->ts;
 
+    bpf_printk("syscall__execve_exit 1");
+
     if (!reset_event(p.event, SYSCALL_EXECVE))
         return 0;
 
+    bpf_printk("syscall__execve_exit 2");
+
     if (!evaluate_scope_filters(&p))
         return 0;
 
@@ -417,6 +430,11 @@ int syscall__execve_exit(void *ctx)
             &p.event->args_buf, (const char *const *) sys->args.args[2] /*envp*/, 2);
     }
 
+    bpf_printk("syscall__execve_exit 3");
+
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, sys->ret);
 }
 
@@ -447,6 +465,9 @@ int syscall__execveat_enter(void *ctx)
     }
     save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[4] /*flags*/, sizeof(int), 4);
 
+    if (!evaluate_data_filters(&p, 1))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -479,6 +500,9 @@ int syscall__execveat_exit(void *ctx)
     }
     save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[4] /*flags*/, sizeof(int), 4);
 
+    if (!evaluate_data_filters(&p, 1))
+        return 0;
+
     return events_perf_submit(&p, sys->ret);
 }
 

diff --git a/pkg/filters/data.go b/pkg/filters/data.go
@@ -167,14 +167,20 @@ func (f *DataFilter) Parse(id events.ID, fieldName string, operatorAndValues str
 	// before the filter is applied
 	valueHandler := func(val string) (string, error) {
 		switch id {
-		case events.SecurityFileOpen,
+		case
+			// LSM hooks
+			events.SecurityFileOpen,
 			events.SecurityMmapFile,
 			events.SecurityBprmCheck,
 			events.SecurityKernelReadFile,
 			events.SecurityPostReadFile,
 			events.SecurityFileMprotect,
 			events.SecurityPathNotify,
 			events.SecurityInodeUnlink,
+			// Syscalls
+			events.Execve,
+			events.Execveat,
+			// Others
 			events.ModuleLoad,
 			events.InotifyWatch,
 			events.DoTruncate,