From 4138fbb2973ee394ae2a0fb4a63017c99d0ff459 Mon Sep 17 00:00:00 2001
From: Ori Glassman
Date: Mon, 5 Aug 2024 22:39:57 +0300
Subject: [PATCH] wip dont send twice
---
 pkg/ebpf/c/tracee.bpf.c | 46 ++++++++++++++++++++++++++++-------------
 pkg/events/core.go | 12 +++++------
 2 files changed, 38 insertions(+), 20 deletions(-)
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index 5a3718105189..1463033e624f 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -4950,8 +4950,10 @@ statfunc int submit_process_execute_failed(struct pt_regs *ctx, program_data_t *
 return -1;
 }
-statfunc int execute_failed_tail1(struct pt_regs *ctx, u32 tail_call_id)
+SEC("kprobe/execute_failed_tail1")
+int execute_failed_tail1(struct pt_regs *ctx)
 {
+ bpf_printk("running execute_failed_tail1");
 program_data_t p = {};
 if (!init_tailcall_program_data(&p, ctx))
 return -1;
@@ -4968,12 +4970,15 @@ statfunc int execute_failed_tail1(struct pt_regs *ctx, u32 tail_call_id)
 int kernel_invoked = (get_task_parent_flags(task) & PF_KTHREAD) ? 1 : 0;
 save_to_submit_buf(&p.event->args_buf, &kernel_invoked, sizeof(int), 9);
- bpf_tail_call(ctx, &prog_array, tail_call_id);
+ bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED2);
 return -1;
 }
-statfunc int execute_failed_tail2(struct pt_regs *ctx)
+SEC("kprobe/execute_failed_tail2")
+int execute_failed_tail2(struct pt_regs *ctx)
 {
+ bpf_printk("running execute_failed_tail1");
+
 program_data_t p = {};
 if (!init_tailcall_program_data(&p, ctx))
 return -1;
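Review bot: The `bpf_printk("running execute_failed_tail1");` added at the top of execute_failed_tail1 is debug output that fires on every failed exec and writes into the shared kernel trace buffer; it should not survive past this WIP commit. It also costs a helper call on a path that is reached through a tail call from the exec hot path, so drop the line before merging, or guard it with the file's debug macro if one exists (not visible from here). Making the function a standalone `SEC("kprobe/execute_failed_tail1")` program is consistent with it now being a prog_array target rather than an inlined helper. execute_failed_tail1's body continues past the end of this hunk.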
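Review bot: The debug line added to execute_failed_tail2 reads `bpf_printk("running execute_failed_tail1");`, a copy-paste of the first stage's message, so trace output cannot distinguish the two tail-call stages. If the prints are kept for now it should be `bpf_printk("running execute_failed_tail2");`; the better fix is to remove both before merging. The hard-coded `bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED2);` in stage one is fine now that the tail_call_id parameter is gone, but note that a failed tail call falls through to `return -1;` without any indication, which is the same silent behaviour the old code had. Both functions continue past the end of this hunk.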
@@ -5021,17 +5026,19 @@ int BPF_KPROBE(trace_ret_exec_binprm)
 return submit_process_execute_failed(ctx, &p);
 }
-SEC("kretprobe/trace_execute_failed1")
-int BPF_KPROBE(trace_execute_failed1)
-{
- return execute_failed_tail1(ctx, TAIL_PROCESS_EXECUTE_FAILED2);
-}
+// SEC("kretprobe/trace_execute_failed1")
+// int BPF_KPROBE(trace_execute_failed1)
+// {
+// bpf_printk("execute_failed_tail1");
+// return execute_failed_tail1(ctx, TAIL_PROCESS_EXECUTE_FAILED2);
+// }
-SEC("kretprobe/trace_execute_failed2")
-int BPF_KPROBE(trace_execute_failed2)
-{
- return execute_failed_tail2(ctx);
-}
+// SEC("kretprobe/trace_execute_failed2")
+// int BPF_KPROBE(trace_execute_failed2)
+// {
+// bpf_printk("execute_failed_tail2");
+// return execute_failed_tail2(ctx);
+// }
 SEC("kprobe/security_bprm_creds_for_exec")
 int BPF_KPROBE(trace_security_bprm_creds_for_exec)
@@ -5054,7 +5061,18 @@ int BPF_KPROBE(trace_execute_finished)
 return 0;
 long exec_ret = PT_REGS_RC(ctx);
- return events_perf_submit(&p, exec_ret);
+ events_perf_submit(&p, exec_ret);
+
+ if (!reset_event(p.event, PROCESS_EXECUTION_FAILED))
+ return 0;
+
+ if (!evaluate_scope_filters(&p))
+ return 0;
+
+ if (exec_ret < 0)
+ bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED1);
+//TODO: save event (in bprm_creds_for_check and exec_binprm) and submit it only from here
+ return 0;
 }
 SEC("kprobe/security_path_notify")
diff --git a/pkg/events/core.go b/pkg/events/core.go
index beb101656200..d0321b955408 100644
--- a/pkg/events/core.go
+++ b/pkg/events/core.go
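Review bot: The trace_execute_failed1/2 kretprobe wrappers are commented out rather than deleted, and the commented copies gain `bpf_printk` lines that were never in the live code, so the block documents something that never existed. Git history preserves the old wrappers; delete the commented block. If the intent is to keep them as a reference until the TODO in trace_execute_finished is resolved, replace the block with one line such as `// trace_execute_failed1/2 kretprobes were replaced by the tail call issued from trace_execute_finished`.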
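Review bot: In trace_execute_finished the `exec_ret < 0` test is the last check, so every successful exec now pays reset_event and evaluate_scope_filters for PROCESS_EXECUTION_FAILED before discovering there is nothing to emit; test exec_ret first. Two smaller points: the result of `events_perf_submit(&p, exec_ret)` is now dropped, which is reasonable if a full ring buffer must not suppress the failed-exec event but deserves a comment, and a bpf_tail_call that returns (prog_array slot not populated, presumably because the failed-exec event was not selected) falls through to `return 0` silently, which should also be stated. Re-running evaluate_scope_filters after reset_event is the right order: the failed-exec event is then filtered by its own scope instead of inheriting execute_finished's decision. The function starts outside this hunk, and the `//TODO` should be indented with the code rather than sit at column 0.
```c
    long exec_ret = PT_REGS_RC(ctx);
    // A submit failure (e.g. full buffer) must not suppress the failed-exec path.
    events_perf_submit(&p, exec_ret);

    // Only failed execs continue; check this first so the common successful-exec
    // path does not pay for the reset and scope re-evaluation below.
    if (exec_ret >= 0)
        return 0;

    if (!reset_event(p.event, PROCESS_EXECUTION_FAILED))
        return 0;

    // Re-evaluate against the failed-exec event's own scope filters.
    if (!evaluate_scope_filters(&p))
        return 0;

    // On success the tail call never returns; reaching the return below means the
    // prog_array slot was not populated (event not selected), which is not an error.
    bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED1);
    // TODO: save event (in bprm_creds_for_check and exec_binprm) and submit it only from here
    return 0;
```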
@@ -12956,8 +12956,8 @@ var CoreEvents = map[ID]Definition{
 {handle: probes.SecurityBprmCredsForExec, required: false}, // TODO: Change to required once fallbacks are supported
 },
 tailCalls: []TailCall{
- {"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}},
- {"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}},
+ {"prog_array", "execute_failed_tail1", []uint32{TailProcessExecuteFailed1}},
+ {"prog_array", "execute_failed_tail2", []uint32{TailProcessExecuteFailed2}},
 },
 },
 params: []trace.ArgMeta{
@@ -12987,10 +12987,10 @@ var CoreEvents = map[ID]Definition{
 {handle: probes.ExecBinprm, required: false},
 {handle: probes.ExecBinprmRet, required: false},
 },
- tailCalls: []TailCall{
- {"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}},
- {"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}},
- },
+ //tailCalls: []TailCall{
+ // {"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}},
+ // {"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}},
+ //},
 },
 params: []trace.ArgMeta{
 {Type: "const char*", Name: "path"},
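Review bot: The tailCalls of the second event definition are commented out instead of removed, and the commented lines still name `trace_execute_failed1`/`trace_execute_failed2`, the programs this patch comments out on the C side, so the block is both dead and stale. If this event no longer drives the failed-exec tail calls, delete the block outright. If it still needs the prog_array slots populated when it is selected on its own, list the programs the first hunk uses, `{"prog_array", "execute_failed_tail1", []uint32{TailProcessExecuteFailed1}}` and the matching execute_failed_tail2 entry, because an unpopulated slot makes the bpf_tail_call in trace_execute_finished fall through and no failed-exec event is emitted. Which of the two is intended cannot be told from this hunk.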