Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] feat: extend string data filtering for other events #4470

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

[WIP] feat: extend string data filtering for other events #4470

wants to merge 2 commits into from
+137 −11

Conversation

rscampos
Copy link
Collaborator

@rscampos rscampos commented Jan 7, 2025
edited
Loading

1. Explain what the PR does

41b8fa0 feat: extend string data filtering for other events
f8f0af6 feat: allow different field names

f8f0af6 feat: allow different field names

- Allow any field name in the in-kernel string filter.
- Currently, only one string-type field name is supported.
- Future support for multiple field names is planned.

2. Explain how to test it

3. Other comments

fix: #4432

Enable in-kernel filter (string filter) for the following events:

Event String Name Type Manually Trigger
✅ security_bprm_check pathname lsm Yes
✅ security_file_open pathname lsm Yes
✅ security_inode_unlink pathname lsm Yes
✅ security_sb_mount path lsm Yes
✅ security_bpf_map map_name lsm Yes
✅ security_kernel_read_file pathname lsm Yes
✅ security_inode_mknod file_name lsm Yes
✅ security_kernel_post_read_file pathname lsm Yes
✅ security_inode_symlink pathname lsm Yes
✅ security_mmap_file pathname lsm Yes
✅ security_file_mprotect pathname lsm Yes
✅ security_inode_rename old_path lsm Yes
✅ security_bpf_prog name lsm Yes
✅ security_path_notify pathname lsm Yes
✅ shared_object_loaded pathname lsm Yes
✅ do_mmap pathname other Yes
✅ module_load pathname other Yes
✅ inotify_watch pathname other Yes
✅ do_truncate pathname other Yes
✅ vfs_utimes pathname other Yes
✅ load_elf_phdrs pathname other Yes
✅ call_usermodehelper pathname other Yes
✅ chmod_common pathname other Yes
✅ vfs_write pathname other Yes
✅ vfs_writev pathname other Yes
✅ vfs_read pathname other Yes
✅ vfs_readv pathname other Yes
✅ __kernel_write pathname other Yes
⬜ mem_prot_alert pathname other No
⬜ sched_process_exec pathname other No

@rscampos rscampos self-assigned this Jan 7, 2025
@rscampos rscampos force-pushed the data_filter_in_kernel_phase2 branch 3 times, most recently from 890848a to d939aa8 Compare January 8, 2025 22:14
@rscampos rscampos force-pushed the data_filter_in_kernel_phase2 branch 3 times, most recently from fcc9950 to 447f887 Compare January 31, 2025 20:43
@rscampos
feat: allow different field names
f8f0af6 
- Allow any field name in the in-kernel string filter.
- Currently, only one string-type field name is supported.
- Future support for multiple field names is planned.
@rscampos
feat: extend string data filtering for other events
41b8fa0
@rscampos rscampos force-pushed the data_filter_in_kernel_phase2 branch from 447f887 to 41b8fa0 Compare January 31, 2025 20:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@rscampos rscampos

Labels
area/ebpf area/filtering
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Extend In-Kernel Data Filtering for other events
1 participant
@rscampos