wip

aquasecurity · Feb 6, 2025 · af7f3c3 · af7f3c3
1 parent e5f4c4d
commit af7f3c3
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 11 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1518,6 +1518,9 @@ int sched_process_exec_event_submit_tail(struct bpf_raw_tracepoint_args *ctx)
             &p.event->args_buf, (void *) env_start, (void *) env_end, envc, 16);
     }
 
+    if (!evaluate_data_filters(&p, 1))
+        return 0;
+
     events_perf_submit(&p, 0);
     return 0;
 }
@@ -2623,6 +2626,9 @@ int BPF_KPROBE(trace_proc_create)
     save_str_to_buf(&p.event->args_buf, name, 0);
     save_to_submit_buf(&p.event->args_buf, (void *) &proc_ops_addr, sizeof(u64), 1);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -3193,6 +3199,9 @@ do_file_io_operation(struct pt_regs *ctx, u32 event_id, u32 tail_call_id, bool i
     save_to_submit_buf(&p.event->args_buf, &io_data.len, sizeof(unsigned long), 3);
     save_to_submit_buf(&p.event->args_buf, &start_pos, sizeof(off_t), 4);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     // Submit io event
     events_perf_submit(&p, PT_REGS_RC(ctx));
 
@@ -3547,6 +3556,8 @@ int BPF_KPROBE(kernel_write_magic_return)
             save_to_submit_buf(event, &file_info.id.inode, sizeof(unsigned long), 7);              \
             save_to_submit_buf(event, &file_info.id.ctime, sizeof(u64), 8);                        \
         }                                                                                          \
+        if (!evaluate_data_filters(&p, 5))                                                         \
+            return 0;                                                                              \
         events_perf_submit(&p, 0);                                                                 \
     }
 
@@ -4292,6 +4303,9 @@ int BPF_KPROBE(trace_device_add)
     save_str_to_buf(&p.event->args_buf, (void *) name, 0);
     save_str_to_buf(&p.event->args_buf, (void *) parent_name, 1);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -4331,6 +4345,9 @@ int BPF_KPROBE(trace_ret__register_chrdev)
     save_str_to_buf(&p.event->args_buf, char_device_name, 2);
     save_to_submit_buf(&p.event->args_buf, &char_device_fops, sizeof(void *), 3);
 
+    if (!evaluate_data_filters(&p, 2))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -4546,6 +4563,9 @@ int tracepoint__module__module_free(struct bpf_raw_tracepoint_args *ctx)
     save_str_to_buf(&p.event->args_buf, (void *) version, 1);
     save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -4590,6 +4610,10 @@ int BPF_KPROBE(trace_ret_do_init_module)
     save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 
     int ret_val = PT_REGS_RC(ctx);
+
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, ret_val);
 }
 

diff --git a/pkg/filters/data.go b/pkg/filters/data.go
@@ -75,7 +75,7 @@ func NewDataFilter() *DataFilter {
 // list of events and field names allowed to have in-kernel filter
 var allowedKernelField = map[events.ID]string{
 	// LSM hooks
-	events.SecurityBprmCheck:           "pathname",  // 0
+	events.SecurityBprmCheck:           "pathname",  // index: 0
 	events.SecurityFileOpen:            "pathname",  // 0
 	events.SecurityInodeUnlink:         "pathname",  // 0
 	events.SecuritySbMount:             "path",      // 1
@@ -90,19 +90,34 @@ var allowedKernelField = map[events.ID]string{
 	events.SecurityBpfProg:             "name",      // 1
 	events.SecurityPathNotify:          "pathname",  // 0
 	events.SharedObjectLoaded:          "pathname",  // 0
+
+	// Others
+	events.SchedProcessExec:   "pathname", // 1
+	events.VfsWrite:           "pathname", // 0
+	events.VfsWritev:          "pathname", // 0
+	events.VfsRead:            "pathname", // 0
+	events.VfsReadv:           "pathname", // 0
+	events.MemProtAlert:       "pathname", // 5
+	events.MagicWrite:         "pathname", // 0
+	events.KernelWrite:        "pathname", // 0
+	events.CallUsermodeHelper: "pathname", // 0
+	events.LoadElfPhdrs:       "pathname", // 0
+	events.DoMmap:             "pathname", // 1
+	events.VfsUtimes:          "pathname", // 0
+	events.DoTruncate:         "pathname", // 0
+	events.InotifyWatch:       "pathname", // 0
+	// events.ProcessExecuteFailed: "pathname", // 2
+	events.ModuleLoad:     "pathname",         // 3
+	events.ChmodCommon:    "pathname",         // 0
+	events.DeviceAdd:      "name",             // 0
+	events.DoInitModule:   "name",             // 0
+	events.ModuleFree:     "name",             // 0
+	events.ProcCreate:     "name",             // 0
+	events.RegisterChrdev: "char_device_name", // 2
+
 	// Syscalls
 	events.Execve:   "pathname",
 	events.Execveat: "pathname",
-	// Others
-	events.ModuleLoad:         "pathname",
-	events.InotifyWatch:       "pathname",
-	events.DoTruncate:         "pathname",
-	events.MagicWrite:         "pathname",
-	events.VfsUtimes:          "pathname",
-	events.LoadElfPhdrs:       "pathname",
-	events.CallUsermodeHelper: "pathname",
-	events.ChmodCommon:        "pathname",
-	events.DoMmap:             "pathname",
 }
 
 // checkAvailabilityKernelFilter check if event ID and field name are allowed to be an kernel filter