
wip
rscampos committed Feb 5, 2025
1 parent 41b8fa0 commit a964fc9
Showing 2 changed files with 38 additions and 11 deletions.
15 changes: 15 additions & 0 deletions pkg/ebpf/c/tracee.bpf.c
Expand Up @@ -1521,6 +1521,9 @@ int sched_process_exec_event_submit_tail(struct bpf_raw_tracepoint_args *ctx)
&p.event->args_buf, (void *) env_start, (void *) env_end, envc, 16);
}

if (!evaluate_data_filters(&p, 1))
return 0;

events_perf_submit(&p, 0);
return 0;
}
Expand Down Expand Up @@ -3196,6 +3199,9 @@ do_file_io_operation(struct pt_regs *ctx, u32 event_id, u32 tail_call_id, bool i
save_to_submit_buf(&p.event->args_buf, &io_data.len, sizeof(unsigned long), 3);
save_to_submit_buf(&p.event->args_buf, &start_pos, sizeof(off_t), 4);

if (!evaluate_data_filters(&p, 0))
return 0;

// Submit io event
events_perf_submit(&p, PT_REGS_RC(ctx));

Expand Down Expand Up @@ -3550,6 +3556,8 @@ int BPF_KPROBE(kernel_write_magic_return)
save_to_submit_buf(event, &file_info.id.inode, sizeof(unsigned long), 7); \
save_to_submit_buf(event, &file_info.id.ctime, sizeof(u64), 8); \
} \
if (!evaluate_data_filters(&p, 5)) \
return 0; \
events_perf_submit(&p, 0); \
}

Expand Down Expand Up @@ -4295,6 +4303,9 @@ int BPF_KPROBE(trace_device_add)
save_str_to_buf(&p.event->args_buf, (void *) name, 0);
save_str_to_buf(&p.event->args_buf, (void *) parent_name, 1);

if (!evaluate_data_filters(&p, 0))
return 0;

return events_perf_submit(&p, 0);
}

Expand Down Expand Up @@ -4593,6 +4604,10 @@ int BPF_KPROBE(trace_ret_do_init_module)
save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);

int ret_val = PT_REGS_RC(ctx);

if (!evaluate_data_filters(&p, 0))
return 0;

return events_perf_submit(&p, ret_val);
}

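Review bot: In the do_file_io_operation hunk the new `if (!evaluate_data_filters(&p, 0)) return 0;` leaves the function before anything that follows the submit, and that function's body continues outside the hunk (its signature carries a tail_call_id), so any post-submit work that is meant to run whether or not the event is emitted would now be skipped for filtered-out events; confirm that is intended, or guard only the submit with `if (evaluate_data_filters(&p, 0)) events_perf_submit(&p, PT_REGS_RC(ctx));`. The same shape appears in sched_process_exec_event_submit_tail, the kernel_write_magic_return macro body, trace_device_add and trace_ret_do_init_module. The second operand (1, 0, 5, 0, 0) is a bare argument index that has to agree with the `// index` comments in pkg/filters/data.go, and nothing in either file enforces the pairing — a mismatch makes the in-kernel filter test the wrong argument and drop events silently, so a call-site comment such as `// arg index 0 == pathname; keep in sync with allowedKernelField (pkg/filters/data.go)` is worth adding at each site. In the kernel_write_magic_return hunk the check sits inside a backslash-continued macro whose definition starts outside the hunk, so its `return 0` exits whichever probe expands the macro; a one-line comment on that too.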
34 changes: 23 additions & 11 deletions pkg/filters/data.go
Expand Up @@ -75,7 +75,7 @@ func NewDataFilter() *DataFilter {
// list of events and field names allowed to have in-kernel filter
var allowedKernelField = map[events.ID]string{
// LSM hooks
events.SecurityBprmCheck: "pathname", // 0
events.SecurityBprmCheck: "pathname", // index: 0
events.SecurityFileOpen: "pathname", // 0
events.SecurityInodeUnlink: "pathname", // 0
events.SecuritySbMount: "path", // 1
Expand All @@ -90,19 +90,31 @@ var allowedKernelField = map[events.ID]string{
events.SecurityBpfProg: "name", // 1
events.SecurityPathNotify: "pathname", // 0
events.SharedObjectLoaded: "pathname", // 0

// Others
events.SchedProcessExec: "pathname", // 1
events.VfsWrite: "pathname", // 0
events.VfsWritev: "pathname", // 0
events.VfsRead: "pathname", // 0
events.VfsReadv: "pathname", // 0
events.MemProtAlert: "pathname", // 5
events.MagicWrite: "pathname", // 0
events.KernelWrite: "pathname", // 0
events.CallUsermodeHelper: "pathname", // 0
events.LoadElfPhdrs: "pathname", // 0
events.DoMmap: "pathname", // 1
events.VfsUtimes: "pathname", // 0
events.DoTruncate: "pathname", // 0
events.InotifyWatch: "pathname", // 0
// events.ProcessExecuteFailed: "pathname", // 2
events.ModuleLoad: "pathname", // 3
events.ChmodCommon: "pathname", // 0
events.DeviceAdd: "name", // 0
events.DoInitModule: "name", // 0

// Syscalls
events.Execve: "pathname",
events.Execveat: "pathname",
// Others
events.ModuleLoad: "pathname",
events.InotifyWatch: "pathname",
events.DoTruncate: "pathname",
events.MagicWrite: "pathname",
events.VfsUtimes: "pathname",
events.LoadElfPhdrs: "pathname",
events.CallUsermodeHelper: "pathname",
events.ChmodCommon: "pathname",
events.DoMmap: "pathname",
}

// checkAvailabilityKernelFilter check if event ID and field name are allowed to be an kernel filter
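Review bot: The argument index that the eBPF side hard-codes in `evaluate_data_filters(&p, N)` is recorded here only as a trailing comment (`// index: 0`, `// 1`, `// 5`), so the map cannot be used to verify the pairing and a drift in either file would go unnoticed until events are silently mis-filtered; a cleaner shape is a small struct value carrying both the field and its index, e.g. `events.SchedProcessExec: {Field: "pathname", Index: 1},`, so the code that programs the BPF filter can read the index from one place — that would touch checkAvailabilityKernelFilter, which is declared after the hunk. Short of that, the Execve and Execveat entries under `// Syscalls` are the only ones without an index comment, and the format differs between `// index: 0` and `// 0`; pick one and explain it once in the map's doc comment, e.g. `// allowedKernelField maps events to the argument the kernel filter may test; the trailing number is the argument index passed to evaluate_data_filters in pkg/ebpf/c/tracee.bpf.c.`. The commented-out `// events.ProcessExecuteFailed: "pathname", // 2` line gives no reason for being disabled; either drop it or state why it is excluded.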
