feat(ebpf): make ptrace no rely on sys_enter/exit

aquasecurity · Aug 5, 2024 · 48e4b04 · 48e4b04
1 parent 0a32ea2
commit 48e4b04
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 27 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -5133,6 +5133,31 @@ int BPF_KPROBE(trace_security_task_setrlimit)
     return events_perf_submit(&p, 0);
 }
 
+SEC("kprobe/ptrace")
+int BPF_KPROBE(trace_ptrace)
+{
+    program_data_t p = {};
+    if (!init_program_data(&p, ctx, PTRACE_NO_SYS_ENTER))
+        return 0;
+
+    if (!evaluate_scope_filters(&p))
+        return 0;
+
+    // use this helper to avoid the unwrapping of struct pt_regs
+    struct pt_regs *task_context = get_task_pt_regs((struct task_struct *) bpf_get_current_task());
+    long request = PT_REGS_PARM1_CORE_SYSCALL(task_context);
+    pid_t pid = PT_REGS_PARM2_CORE_SYSCALL(task_context);
+    void *addr = (void *) PT_REGS_PARM3_CORE_SYSCALL(task_context);
+    void *data = (void *) PT_REGS_PARM4_CORE_SYSCALL(task_context);
+
+    save_to_submit_buf(&p.event->args_buf, &request, sizeof(long), 0);
+    save_to_submit_buf(&p.event->args_buf, &pid, sizeof(pid_t), 1);
+    save_to_submit_buf(&p.event->args_buf, &addr, sizeof(void *), 2);
+    save_to_submit_buf(&p.event->args_buf, &data, sizeof(void *), 3);
+
+    return events_perf_submit(&p, 0);
+}
+
 SEC("kprobe/security_settime64")
 int BPF_KPROBE(trace_security_settime64)
 {

diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h
@@ -131,6 +131,7 @@ enum event_id_e
     SECURITY_BPRM_CREDS_FOR_EXEC,
     SECURITY_TASK_SETRLIMIT,
     SECURITY_SETTIME64,
+    PTRACE_NO_SYS_ENTER,
     MAX_EVENT_ID,
     NO_EVENT_SUBMIT,
 

diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
@@ -224,6 +224,10 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 		ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
 		SecurityTaskSetrlimit:      NewTraceProbe(KProbe, "security_task_setrlimit", "trace_security_task_setrlimit"),
 		SecuritySettime64:          NewTraceProbe(KProbe, "security_settime64", "trace_security_settime64"),
+		PtraceX86:                  NewTraceProbe(KProbe, "__x64_sys_ptrace", "trace_ptrace"),
+		PtraceCompatX86:            NewTraceProbe(KProbe, "__ia32_compat_sys_ptrace", "trace_ptrace"),
+		PtraceARM:                  NewTraceProbe(KProbe, "__arm64_sys_ptrace", "trace_ptrace"),
+		PtraceCompatARM:            NewTraceProbe(KProbe, "__arm64_compat_sys_ptrace", "trace_ptrace"),
 
 		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 		ExecTest:            NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),

diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
@@ -150,6 +150,10 @@ const (
 	ExecuteAtFinishedCompatARM
 	SecurityTaskSetrlimit
 	SecuritySettime64
+	PtraceX86
+	PtraceCompatX86
+	PtraceARM
+	PtraceCompatARM
 )
 
 // Test probe handles

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -113,6 +113,7 @@ const (
 	SecurityBprmCredsForExec
 	SecurityTaskSetrlimit
 	SecuritySettime64
+	PtraceSyscallNoSysenter
 	MaxCommonID
 )
 
@@ -2675,32 +2676,6 @@ var CoreEvents = map[ID]Definition{
 			},
 		},
 	},
-	Ptrace: {
-		id:      Ptrace,
-		id32Bit: Sys32ptrace,
-		name:    "ptrace",
-		version: NewVersion(1, 0, 0),
-		syscall: true,
-		sets:    []string{"default", "syscalls", "proc"},
-		params: []trace.ArgMeta{
-			{Type: "long", Name: "request"},
-			{Type: "pid_t", Name: "pid"},
-			{Type: "void*", Name: "addr"},
-			{Type: "void*", Name: "data"},
-		},
-		dependencies: Dependencies{
-			probes: []Probe{
-				{handle: probes.SyscallEnter__Internal, required: true},
-				{handle: probes.SyscallExit__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Ptrace)}},
-				{"sys_enter_submit_tail", "sys_enter_submit", []uint32{uint32(Ptrace)}},
-				{"sys_exit_init_tail", "sys_exit_init", []uint32{uint32(Ptrace)}},
-				{"sys_exit_submit_tail", "sys_exit_submit", []uint32{uint32(Ptrace)}},
-			},
-		},
-	},
 	Getuid: {
 		id:      Getuid,
 		id32Bit: Sys32getuid32,
@@ -13106,6 +13081,28 @@ var CoreEvents = map[ID]Definition{
 			{Type: "int", Name: "tz_dsttime"},
 		},
 	},
+	PtraceSyscallNoSysenter: {
+		id:      PtraceSyscallNoSysenter,
+		id32Bit: Sys32ptrace,
+		name:    "ptrace",
+		version: NewVersion(1, 0, 0),
+		syscall: true,
+		sets:    []string{"default", "syscalls", "proc"},
+		params: []trace.ArgMeta{
+			{Type: "long", Name: "request"},
+			{Type: "pid_t", Name: "pid"},
+			{Type: "void*", Name: "addr"},
+			{Type: "void*", Name: "data"},
+		},
+		dependencies: Dependencies{
+			probes: []Probe{
+				{handle: probes.PtraceX86, required: false},
+				{handle: probes.PtraceCompatX86, required: false},
+				{handle: probes.PtraceARM, required: false},
+				{handle: probes.PtraceCompatARM, required: false},
+			},
+		},
+	},
 	//
 	// Begin of Signal Events (Control Plane)
 	//

diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go
@@ -101,7 +101,7 @@ func ParseArgs(event *trace.Event) error {
 				parseOrEmptyString(prevProtArg, mmapProtArgument, nil)
 			}
 		}
-	case Ptrace:
+	case PtraceSyscallNoSysenter:
 		if reqArg := GetArg(event, "request"); reqArg != nil {
 			if req, isInt64 := reqArg.Value.(int64); isInt64 {
 				ptraceRequestArgument, err := parsers.ParsePtraceRequestArgument(uint64(req))