chore: move argtype and reduce type variance
NDStrahilevitz committed Oct 16, 2024
1 parent 47451f5 commit 8a30a56
Showing 13 changed files with 929 additions and 966 deletions.
2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -179,3 +179,5 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
kernel.org/pub/linux/libs/security/libcap/psx v1.2.70 // indirect
)

replace github.com/aquasecurity/tracee/types => ./types
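Review bot: The `replace github.com/aquasecurity/tracee/types => ./types` directive only takes effect when tracee is the main module; Go ignores replace directives found in dependencies, so anyone importing this repository as a library, or vendoring a pinned tag, resolves the types module to the published version, where the `trace.DecodeAs` constants the decoder now switches on may not yet exist. If the override is meant as a permanent in-tree development arrangement, say so next to it, e.g. `// types is developed in-tree; tag and bump the require line before release`, so a release is not cut with an unpublished types API. If it is only for local work, a `go.work` file keeps the override out of the published `go.mod`.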
134 changes: 46 additions & 88 deletions pkg/bufferdecoder/eventsreader.go
Expand Up @@ -13,40 +13,6 @@ import (
"github.com/aquasecurity/tracee/types/trace"
)

// argType is an enum that encodes the argument types that the BPF program may write to the shared buffer
// argument types should match defined values in ebpf code
type ArgType uint8

const (
noneT ArgType = iota
intT
uintT
longT
ulongT
offT
modeT
devT
sizeT
pointerT
strT
strArrT
sockAddrT
bytesT
u16T
credT
intArr2T
uint64ArrT
u8T
timespecT
)

// These types don't match the ones defined in the ebpf code since they are not being used by syscalls arguments.
// They have their own set of value to avoid collision in the future.
const (
argsArrT ArgType = iota + 0x80
boolT
)

// readArgFromBuff read the next argument from the buffer.
// Return the index of the argument and the parsed argument.
func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.ArgMeta,
Expand All @@ -69,47 +35,47 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
argType := GetParamType(arg.Type)

switch argType {
case u8T:
case trace.U8_T:
var data uint8
err = ebpfMsgDecoder.DecodeUint8(&data)
res = data
case u16T:
case trace.U16_T:
var data uint16
err = ebpfMsgDecoder.DecodeUint16(&data)
res = data
case intT:
case trace.INT_T:
var data int32
err = ebpfMsgDecoder.DecodeInt32(&data)
res = data
case uintT, devT, modeT:
case trace.UINT_T:
var data uint32
err = ebpfMsgDecoder.DecodeUint32(&data)
res = data
case longT:
case trace.LONG_T:
var data int64
err = ebpfMsgDecoder.DecodeInt64(&data)
res = data
case ulongT, offT, sizeT:
case trace.ULONG_T:
var data uint64
err = ebpfMsgDecoder.DecodeUint64(&data)
res = data
case boolT:
case trace.BOOL_T:
var data bool
err = ebpfMsgDecoder.DecodeBool(&data)
res = data
case pointerT:
case trace.POINTER_T:
var data uint64
err = ebpfMsgDecoder.DecodeUint64(&data)
res = uintptr(data)
case sockAddrT:
case trace.SOCK_ADDR_T:
res, err = readSockaddrFromBuff(ebpfMsgDecoder)
case credT:
case trace.CRED_T:
var data SlimCred
err = ebpfMsgDecoder.DecodeSlimCred(&data)
res = trace.SlimCred(data) // here we cast to trace.SlimCred to ensure we send the public interface and not bufferdecoder.SlimCred
case strT:
case trace.STR_T:
res, err = readStringFromBuff(ebpfMsgDecoder)
case strArrT:
case trace.STR_ARR_T:
// TODO optimization: create slice after getting arrLen
var ss []string
var arrLen uint8
Expand All @@ -125,7 +91,7 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
ss = append(ss, s)
}
res = ss
case argsArrT:
case trace.ARGS_ARR_T:
var ss []string
var arrLen uint32
var argNum uint32
Expand All @@ -150,7 +116,7 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
ss = append(ss, "?")
}
res = ss
case bytesT:
case trace.BYTES_T:
var size uint32
err = ebpfMsgDecoder.DecodeUint32(&size)
if err != nil {
Expand All @@ -161,21 +127,21 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
return uint(argIdx), arg, errfmt.Errorf("byte array size too big: %d", size)
}
res, err = ReadByteSliceFromBuff(ebpfMsgDecoder, int(size))
case intArr2T:
case trace.INT_ARR_2_T:
var intArray [2]int32
err = ebpfMsgDecoder.DecodeIntArray(intArray[:], 2)
if err != nil {
return uint(argIdx), arg, errfmt.Errorf("error reading int elements: %v", err)
}
res = intArray
case uint64ArrT:
case trace.UINT64_ARR_T:
ulongArray := make([]uint64, 0)
err := ebpfMsgDecoder.DecodeUint64Array(&ulongArray)
if err != nil {
return uint(argIdx), arg, errfmt.Errorf("error reading ulong elements: %v", err)
}
res = ulongArray
case timespecT:
case trace.TIMESPEC_T:
var sec int64
var nsec int64
err = ebpfMsgDecoder.DecodeInt64(&sec)
Expand All @@ -196,53 +162,45 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
return uint(argIdx), arg, nil
}

func GetParamType(paramType string) ArgType {
func GetParamType(paramType string) trace.DecodeAs {
switch paramType {
case "int", "pid_t", "uid_t", "gid_t", "mqd_t", "clockid_t", "const clockid_t", "key_t", "key_serial_t", "timer_t":
return intT
case "unsigned int", "u32":
return uintT
case "int":
return trace.INT_T
case "unsigned int":
return trace.UINT_T
case "long":
return longT
case "unsigned long", "u64":
return ulongT
return trace.LONG_T
case "unsigned long":
return trace.ULONG_T
case "u16":
return trace.U16_T
case "u8":
return trace.U8_T
case "bool":
return boolT
case "off_t", "loff_t":
return offT
case "mode_t":
return modeT
case "dev_t":
return devT
case "size_t":
return sizeT
case "void*", "const void*":
return pointerT
case "char*", "const char*":
return strT
return trace.BOOL_T
case "void*":
return trace.POINTER_T
case "char*":
return trace.STR_T
case "const char*const*": // used by execve(at) argv and env
return strArrT
case "const char**": // used by sched_process_exec argv and envp
return argsArrT
case "const struct sockaddr*", "struct sockaddr*":
return sockAddrT
return trace.STR_ARR_T
case "const char**": // used by sched_process_exec argv and env
return trace.ARGS_ARR_T
case "struct sockaddr*":
return trace.SOCK_ADDR_T
case "bytes":
return bytesT
return trace.BYTES_T
case "int[2]":
return intArr2T
return trace.INT_ARR_2_T
case "slim_cred_t":
return credT
case "umode_t":
return u16T
case "u8":
return u8T
return trace.CRED_T
case "unsigned long[]", "[]trace.HookedSymbolData":
return uint64ArrT
case "struct timespec*", "const struct timespec*":
return timespecT
return trace.UINT64_ARR_T
case "struct timespec*":
return trace.TIMESPEC_T
default:
// Default to pointer (printed as hex) for unsupported types
return pointerT
return trace.POINTER_T
}
}

6 changes: 3 additions & 3 deletions pkg/bufferdecoder/eventsreader_test.go
Expand Up @@ -64,15 +64,15 @@ func TestReadArgFromBuff(t *testing.T) {
input: []byte{0,
0xFF, 0xFF, 0xFF, 0xFF, // 4294967295
},
params: []trace.ArgMeta{{Type: "dev_t", Name: "devT0"}},
params: []trace.ArgMeta{{Type: "unsigned int", Name: "devT0"}},
expectedArg: uint32(4294967295),
},
{
name: "offT",
input: []byte{0,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 18446744073709551615
},
params: []trace.ArgMeta{{Type: "off_t", Name: "offT0"}},
params: []trace.ArgMeta{{Type: "long", Name: "offT0"}},
expectedArg: uint64(18446744073709551615),
},
{
Expand Down Expand Up @@ -161,7 +161,7 @@ func TestReadArgFromBuff(t *testing.T) {
input: []byte{1,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 18446744073709551615
},
params: []trace.ArgMeta{{Type: "const char*", Name: "str0"}, {Type: "off_t", Name: "offT1"}},
params: []trace.ArgMeta{{Type: "const char*", Name: "str0"}, {Type: "long", Name: "offT1"}},
expectedArg: uint64(18446744073709551615),
},
}
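Review bot: The `offT0` and `offT1` cases were switched from `"off_t"` to `"long"` but still expect `uint64(18446744073709551615)`; in the new decoder `"long"` maps to `trace.LONG_T`, which is read with `DecodeInt64`, so the decoded value is `int64(-1)` and the expectation cannot match under a type-strict comparison. `"unsigned long"` (→ `ULONG_T`, `DecodeUint64`) preserves the original unsigned semantics: `params: []trace.ArgMeta{{Type: "unsigned long", Name: "offT0"}},` and likewise for `offT1`. The `"const char*"` type on `str0` no longer matches any case and falls to the pointer default; it is not the argument decoded in that case, but changing it to `"char*"` keeps the fixture on supported type names.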
3 changes: 2 additions & 1 deletion pkg/ebpf/c/types.h
Expand Up @@ -154,7 +154,8 @@ typedef struct args {
} args_t;

// NOTE: If any fields are added to argument_type_e, the array type_size_table
// (and related defines) must be updated accordingly.
// (and related defines) must be updated accordingly. Corresponds to the ArgType enum in
// pkg/bufferdecoder/eventsreader.go.
enum argument_type_e
{
NONE_T = 0UL,
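Review bot: The new comment text points readers to "the ArgType enum in pkg/bufferdecoder/eventsreader.go", but this same commit deletes that enum from eventsreader.go and the decoder now switches on `trace.DecodeAs` constants from the types module, so the cross-reference is stale on arrival. Suggest `// Corresponds to the DecodeAs constants in the types/trace package (Go side).`, with the path adjusted to wherever `DecodeAs` is actually declared (that file is not among the shown changes). Since the BPF values and the Go constants are matched by number, it is worth adding that any insertion must be mirrored in both places, as the existing NOTE already does for `type_size_table`.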
18 changes: 9 additions & 9 deletions pkg/ebpf/tracee.go
Expand Up @@ -66,11 +66,11 @@ type Tracee struct {
stats metrics.Stats
sigEngine *engine.Engine
// Events
eventsSorter *sorting.EventsChronologicalSorter
eventsPool *sync.Pool
eventsParamTypes map[events.ID][]bufferdecoder.ArgType
eventProcessor map[events.ID][]func(evt *trace.Event) error
eventDerivations derive.Table
eventsSorter *sorting.EventsChronologicalSorter
eventsPool *sync.Pool
eventArgumentTypes map[events.ID][]trace.DecodeAs
eventProcessor map[events.ID][]func(evt *trace.Event) error
eventDerivations derive.Table
// Artifacts
fileHashes *filehash.Cache
capturedFiles map[string]int64
Expand Down Expand Up @@ -417,12 +417,12 @@ func (t *Tracee) Init(ctx gocontext.Context) error {

// Initialize events parameter types map

t.eventsParamTypes = make(map[events.ID][]bufferdecoder.ArgType)
t.eventArgumentTypes = make(map[events.ID][]trace.DecodeAs)
for _, eventDefinition := range events.Core.GetDefinitions() {
id := eventDefinition.GetID()
params := eventDefinition.GetParams()
for _, param := range params {
t.eventsParamTypes[id] = append(t.eventsParamTypes[id], bufferdecoder.GetParamType(param.Type))
t.eventArgumentTypes[id] = append(t.eventArgumentTypes[id], bufferdecoder.GetDecodeType(param.Type))
}
}

Expand Down Expand Up @@ -1115,7 +1115,7 @@ func (t *Tracee) populateFilterMaps(updateProcTree bool) error {
polCfg, err := t.policyManager.UpdateBPF(
t.bpfModule,
t.containers,
t.eventsParamTypes,
t.eventArgumentTypes,
true,
updateProcTree,
)
Expand Down Expand Up @@ -1277,7 +1277,7 @@ func (t *Tracee) initBPF() error {
}

// returned PoliciesConfig is not used here, therefore it's discarded
_, err = t.policyManager.UpdateBPF(t.bpfModule, t.containers, t.eventsParamTypes, false, true)
_, err = t.policyManager.UpdateBPF(t.bpfModule, t.containers, t.eventArgumentTypes, false, true)
if err != nil {
return errfmt.WrapError(err)
}
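Review bot: `Init` now calls `bufferdecoder.GetDecodeType(param.Type)`, while the eventsreader.go hunk in this commit still defines the mapping function as `GetParamType`; unless a `GetDecodeType` wrapper exists in the unshown part of that file, this does not compile, and if both exist they should be collapsed into one name so the two mappings cannot diverge. The renamed `eventArgumentTypes` table is passed to `policyManager.UpdateBPF` as `map[events.ID][]trace.DecodeAs`, so that signature must have changed in one of the files not shown; because this table drives in-kernel argument filtering, a wrong entry affects what is filtered, not just how events print. The enclosing `initBPF` body continues outside the hunk.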
