wip

aquasecurity · Feb 7, 2025 · 96d4912 · 96d4912
1 parent e5f4c4d
commit 96d4912
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 11 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1518,6 +1518,9 @@ int sched_process_exec_event_submit_tail(struct bpf_raw_tracepoint_args *ctx)
             &p.event->args_buf, (void *) env_start, (void *) env_end, envc, 16);
     }
 
+    if (!evaluate_data_filters(&p, 1))
+        return 0;
+
     events_perf_submit(&p, 0);
     return 0;
 }
@@ -2188,6 +2191,10 @@ int tracepoint__cgroup__cgroup_attach_task(struct bpf_raw_tracepoint_args *ctx)
     save_str_to_buf(&p.event->args_buf, path, 0);
     save_str_to_buf(&p.event->args_buf, comm, 1);
     save_to_submit_buf(&p.event->args_buf, (void *) &pid, sizeof(int), 2);
+
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     events_perf_submit(&p, 0);
 
     return 0;
@@ -2214,6 +2221,10 @@ int tracepoint__cgroup__cgroup_mkdir(struct bpf_raw_tracepoint_args *ctx)
     save_to_submit_buf(&p.event->args_buf, &cgroup_id, sizeof(u64), 0);
     save_str_to_buf(&p.event->args_buf, path, 1);
     save_to_submit_buf(&p.event->args_buf, &hierarchy_id, sizeof(u32), 2);
+
+    if (!evaluate_data_filters(&p, 1))
+        return 0;
+
     events_perf_submit(&p, 0);
 
     return 0;
@@ -2240,6 +2251,10 @@ int tracepoint__cgroup__cgroup_rmdir(struct bpf_raw_tracepoint_args *ctx)
     save_to_submit_buf(&p.event->args_buf, &cgroup_id, sizeof(u64), 0);
     save_str_to_buf(&p.event->args_buf, path, 1);
     save_to_submit_buf(&p.event->args_buf, &hierarchy_id, sizeof(u32), 2);
+
+    if (!evaluate_data_filters(&p, 1))
+        return 0;
+
     events_perf_submit(&p, 0);
 
     return 0;
@@ -2623,6 +2638,9 @@ int BPF_KPROBE(trace_proc_create)
     save_str_to_buf(&p.event->args_buf, name, 0);
     save_to_submit_buf(&p.event->args_buf, (void *) &proc_ops_addr, sizeof(u64), 1);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -2647,6 +2665,9 @@ int BPF_KPROBE(trace_debugfs_create_file)
     save_to_submit_buf(&p.event->args_buf, &mode, sizeof(umode_t), 2);
     save_to_submit_buf(&p.event->args_buf, (void *) &proc_ops_addr, sizeof(u64), 3);
 
+   if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -2662,11 +2683,15 @@ int BPF_KPROBE(trace_debugfs_create_dir)
 
     char *name = (char *) PT_REGS_PARM1(ctx);
     struct dentry *dentry = (struct dentry *) PT_REGS_PARM2(ctx);
+    bpf_printk("dentry:%p", dentry);
     void *dentry_path = get_dentry_path_str(dentry);
 
     save_str_to_buf(&p.event->args_buf, name, 0);
     save_str_to_buf(&p.event->args_buf, dentry_path, 1);
 
+   if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -3193,6 +3218,9 @@ do_file_io_operation(struct pt_regs *ctx, u32 event_id, u32 tail_call_id, bool i
     save_to_submit_buf(&p.event->args_buf, &io_data.len, sizeof(unsigned long), 3);
     save_to_submit_buf(&p.event->args_buf, &start_pos, sizeof(off_t), 4);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     // Submit io event
     events_perf_submit(&p, PT_REGS_RC(ctx));
 
@@ -3547,6 +3575,8 @@ int BPF_KPROBE(kernel_write_magic_return)
             save_to_submit_buf(event, &file_info.id.inode, sizeof(unsigned long), 7);              \
             save_to_submit_buf(event, &file_info.id.ctime, sizeof(u64), 8);                        \
         }                                                                                          \
+        if (!evaluate_data_filters(&p, 5))                                                         \
+            return 0;                                                                              \
         events_perf_submit(&p, 0);                                                                 \
     }
 
@@ -4292,6 +4322,9 @@ int BPF_KPROBE(trace_device_add)
     save_str_to_buf(&p.event->args_buf, (void *) name, 0);
     save_str_to_buf(&p.event->args_buf, (void *) parent_name, 1);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -4331,6 +4364,9 @@ int BPF_KPROBE(trace_ret__register_chrdev)
     save_str_to_buf(&p.event->args_buf, char_device_name, 2);
     save_to_submit_buf(&p.event->args_buf, &char_device_fops, sizeof(void *), 3);
 
+    if (!evaluate_data_filters(&p, 2))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -4546,6 +4582,9 @@ int tracepoint__module__module_free(struct bpf_raw_tracepoint_args *ctx)
     save_str_to_buf(&p.event->args_buf, (void *) version, 1);
     save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -4590,6 +4629,10 @@ int BPF_KPROBE(trace_ret_do_init_module)
     save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
     int ret_val = PT_REGS_RC(ctx);
+
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, ret_val);
 }
 

diff --git a/pkg/filters/data.go b/pkg/filters/data.go
@@ -75,7 +75,7 @@ func NewDataFilter() *DataFilter {
 // list of events and field names allowed to have in-kernel filter
 var allowedKernelField = map[events.ID]string{
 	// LSM hooks
-	events.SecurityBprmCheck:           "pathname",  // 0
+	events.SecurityBprmCheck:           "pathname",  // index: 0
 	events.SecurityFileOpen:            "pathname",  // 0
 	events.SecurityInodeUnlink:         "pathname",  // 0
 	events.SecuritySbMount:             "path",      // 1
@@ -90,19 +90,38 @@ var allowedKernelField = map[events.ID]string{
 	events.SecurityBpfProg:             "name",      // 1
 	events.SecurityPathNotify:          "pathname",  // 0
 	events.SharedObjectLoaded:          "pathname",  // 0
+
+	// Others
+	events.SchedProcessExec:   "pathname",         // 1
+	events.VfsWrite:           "pathname",         // 0
+	events.VfsWritev:          "pathname",         // 0
+	events.VfsRead:            "pathname",         // 0
+	events.VfsReadv:           "pathname",         // 0
+	events.MemProtAlert:       "pathname",         // 5
+	events.MagicWrite:         "pathname",         // 0
+	events.KernelWrite:        "pathname",         // 0
+	events.CallUsermodeHelper: "pathname",         // 0
+	events.LoadElfPhdrs:       "pathname",         // 0
+	events.DoMmap:             "pathname",         // 1
+	events.VfsUtimes:          "pathname",         // 0
+	events.DoTruncate:         "pathname",         // 0
+	events.InotifyWatch:       "pathname",         // 0
+	events.ModuleLoad:         "pathname",         // 3
+	events.ChmodCommon:        "pathname",         // 0
+	events.DeviceAdd:          "name",             // 0
+	events.DoInitModule:       "name",             // 0
+	events.ModuleFree:         "name",             // 0
+	events.ProcCreate:         "name",             // 0
+	events.RegisterChrdev:     "char_device_name", // 2
+	events.DebugfsCreateFile:  "file_name",        // 0
+	events.DebugfsCreateDir:   "name",             // 0
+	events.CgroupMkdir:        "cgroup_path",      // 1
+	events.CgroupRmdir:        "cgroup_path",      // 1
+	events.CgroupAttachTask:   "cgroup_path",      // 0
+
 	// Syscalls
 	events.Execve:   "pathname",
 	events.Execveat: "pathname",
-	// Others
-	events.ModuleLoad:         "pathname",
-	events.InotifyWatch:       "pathname",
-	events.DoTruncate:         "pathname",
-	events.MagicWrite:         "pathname",
-	events.VfsUtimes:          "pathname",
-	events.LoadElfPhdrs:       "pathname",
-	events.CallUsermodeHelper: "pathname",
-	events.ChmodCommon:        "pathname",
-	events.DoMmap:             "pathname",
 }
 
 // checkAvailabilityKernelFilter check if event ID and field name are allowed to be an kernel filter