feat(ebpf): add path&ctime to module_load event

aquasecurity · Aug 7, 2024 · 010e577 · 010e577
1 parent 0a32ea2
commit 010e577
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -4324,6 +4324,19 @@ int tracepoint__module__module_load(struct bpf_raw_tracepoint_args *ctx)
     if (!evaluate_scope_filters(&p))
         return 0;
 
+    if (p.event->context.syscall == SYSCALL_FINIT_MODULE) {
+        struct pt_regs *task_context =
+            get_task_pt_regs((struct task_struct *) bpf_get_current_task());
+        int fd = PT_REGS_PARM1_CORE_SYSCALL(task_context);
+        struct file *file = get_struct_file_from_fd(fd);
+        void *file_path = get_path_str(__builtin_preserve_access_index(&file->f_path));
+        u64 ctime = get_ctime_nanosec_from_file(file);
+
+        // add path and ctime if module is loaded from a file
+        save_str_to_buf(&p.event->args_buf, &file_path, 3);
+        save_to_submit_buf(&p.event->args_buf, &ctime, sizeof(u64), 4);
+    }
+
     const char *version = BPF_CORE_READ(mod, version);
     const char *srcversion = BPF_CORE_READ(mod, srcversion);
     save_str_to_buf(&p.event->args_buf, &mod->name, 0);

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -11367,7 +11367,7 @@ var CoreEvents = map[ID]Definition{
 			{Type: "const char*", Name: "pathname"},
 			{Type: "dev_t", Name: "dev"},
 			{Type: "unsigned long", Name: "inode"},
-			{Type: "u64", Name: "ctime"},
+			{Type: "unsigned long", Name: "ctime"},
 		},
 	},
 	CommitCreds: {
@@ -12503,6 +12503,8 @@ var CoreEvents = map[ID]Definition{
 			{Type: "const char*", Name: "name"},
 			{Type: "const char*", Name: "version"},
 			{Type: "const char*", Name: "src_version"},
+			{Type: "const char*", Name: "pathname"},
+			{Type: "u64", Name: "ctime"},
 		},
 	},
 	ModuleFree: {