diff --git a/GPL/Events/EbpfEventProto.h b/GPL/Events/EbpfEventProto.h
index 6dcf922d..bc5e1821 100644
--- a/GPL/Events/EbpfEventProto.h
+++ b/GPL/Events/EbpfEventProto.h
@@ -159,6 +159,9 @@ struct ebpf_process_exec_event {
 struct ebpf_pid_info pids;
 struct ebpf_cred_info creds;
 struct ebpf_tty_dev ctty;
+ bool is_memfd;
+ bool is_setuid;
+ bool is_setgid;
 
 // Variable length fields: cwd, argv, filename, pids_ss_cgroup_path
 struct ebpf_varlen_fields_start vl_fields;
diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
index e39a1fd1..e1c0d546 100644
--- a/GPL/Events/Process/Probe.bpf.c
+++ b/GPL/Events/Process/Probe.bpf.c
@@ -17,6 +17,9 @@
 #include "PathResolver.h"
 #include "Varlen.h"
 
+#define S_ISUID 0004000
+#define S_ISGID 0002000
+
 // Limits on large things we send up as variable length parameters.
 //
 // These should be kept _well_ under half the size of the event_buffer_map or
@@ -115,6 +118,15 @@ int BPF_PROG(sched_process_exec,
 size = read_kernel_str_or_empty_str(field->data, PATH_MAX, binprm->filename);
 ebpf_vl_field__set_size(&event->vl_fields, field, size);
 
+ // memfd exec
+ char buf [7];
+ bpf_probe_read_kernel_str(buf, 7, binprm->file->f_path.dentry->d_iname);
+ if (buf[0] == 'm' && buf[1] == 'e' && buf[2] == 'm' && buf[3] == 'f' && buf[4] == 'd' && buf[5] == ':' )
+ event->is_memfd = 1;
+
+ event->is_setuid = (binprm->file->f_inode->i_mode & S_ISUID) ? true : false;
+ event->is_setgid = (binprm->file->f_inode->i_mode & S_ISGID) ? true : false;
+
 bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 
 out:
diff --git a/non-GPL/Events/EventsTrace/EventsTrace.c b/non-GPL/Events/EventsTrace/EventsTrace.c
index f0f198cf..25b51369 100644
--- a/non-GPL/Events/EventsTrace/EventsTrace.c
+++ b/non-GPL/Events/EventsTrace/EventsTrace.c
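Review bot: `S_ISUID` and `S_ISGID` are defined unconditionally as bare octal literals in the Probe.bpf.c include hunk; the values agree with the UAPI `<linux/stat.h>` definitions (0004000 and 0002000), and redefining them is presumably needed because vmlinux.h carries no macros, but any later include that also defines them will produce a redefinition warning. Wrap them in `#ifndef S_ISUID` / `#endif` (and the same for `S_ISGID`) and add a one-line comment naming the origin, e.g. `// Mode bits from include/uapi/linux/stat.h; not provided by vmlinux.h`.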
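Review bot: In the sched_process_exec hunk `event->is_memfd` is only ever set, never cleared, while `is_setuid`/`is_setgid` are assigned unconditionally; if `event` is a reused per-CPU scratch buffer rather than zeroed per event (the allocation is outside this hunk), one memfd exec would leave the flag set for later non-memfd execs on that CPU. The return value of `bpf_probe_read_kernel_str` is discarded, and `d_iname` only holds the name when it fits the dentry's inline buffer, so for longer names `d_name.name` is the field that is always valid — a long memfd name would otherwise slip past the check. The `memfd:` prefix is added by memfd_create(), but an on-disk file can be given the same name, so the comment should call this an indicator rather than proof; likewise `is_setuid`/`is_setgid` report the file's mode bits, not whether privileges were actually gained (nosuid mounts and no_new_privs suppress that), which the field names could state. Consider assigning the flag from the comparison result as below; the enclosing BPF_PROG body starts and ends outside the hunk.
```c
    // memfd exec: memfd_create() names the inode "memfd:<name>". A regular file can
    // carry the same name, so this is an indicator, not proof of a memfd-backed exec.
    char buf[7] = {0};
    long n = bpf_probe_read_kernel_str(buf, sizeof(buf), binprm->file->f_path.dentry->d_name.name);
    event->is_memfd = n > 0 && buf[0] == 'm' && buf[1] == 'e' && buf[2] == 'm' && buf[3] == 'f' &&
                      buf[4] == 'd' && buf[5] == ':';
    // … unchanged: is_setuid / is_setgid assignments (file mode bits only) …
```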
@@ -174,6 +174,16 @@ static void out_newline()
 printf("\n");
 }
 
+static void out_bool_flag(const char *name, bool value)
+{
+ printf("\"%s\":%s", name, value ? "true" : "false");
+}
+
+static void out_named_object_start(const char *name)
+{
+ printf("\"%s\":{", name);
+}
+
 static void out_object_start()
 {
 printf("{");
@@ -446,6 +456,15 @@ static void out_process_exec(struct ebpf_process_exec_event *evt)
 out_cred_info("creds", &evt->creds);
 out_comma();
 
+ out_named_object_start("red_flags");
+ out_bool_flag("is_memfd", evt->is_memfd);
+ out_comma();
+ out_bool_flag("is_setuid", evt->is_setuid);
+ out_comma();
+ out_bool_flag("is_setgid", evt->is_setgid);
+ out_object_end();
+ out_comma();
+
 out_tty_dev("ctty", &evt->ctty);
 
 struct ebpf_varlen_field *field;
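Review bot: `out_bool_flag` and `out_named_object_start` print `name` straight into the JSON key with no escaping; that is fine for the literal keys passed in out_process_exec, but nothing in the signatures says so, and a one-line comment above each would prevent a later caller from passing untrusted text: `/* name is emitted unescaped: pass only literal, JSON-safe keys. */`. The existing out_* helpers presumably behave the same way, which this hunk does not show.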