diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index d364de379872..e9aab60bdd16 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -5133,6 +5133,31 @@ int BPF_KPROBE(trace_security_task_setrlimit)
 return events_perf_submit(&p, 0);
 }
 
+SEC("kprobe/ptrace")
+int BPF_KPROBE(trace_ptrace)
+{
+ program_data_t p = {};
+ if (!init_program_data(&p, ctx, PTRACE_NO_SYS_ENTER))
+ return 0;
+
+ if (!evaluate_scope_filters(&p))
+ return 0;
+
+ // use this helper to avoid the unwrapping of struct pt_regs
+ struct pt_regs *task_context = get_task_pt_regs((struct task_struct *) bpf_get_current_task());
+ long request = PT_REGS_PARM1_CORE_SYSCALL(task_context);
+ pid_t pid = PT_REGS_PARM2_CORE_SYSCALL(task_context);
+ void *addr = (void *) PT_REGS_PARM3_CORE_SYSCALL(task_context);
+ void *data = (void *) PT_REGS_PARM4_CORE_SYSCALL(task_context);
+
+ save_to_submit_buf(&p.event->args_buf, &request, sizeof(long), 0);
+ save_to_submit_buf(&p.event->args_buf, &pid, sizeof(pid_t), 1);
+ save_to_submit_buf(&p.event->args_buf, &addr, sizeof(void *), 2);
+ save_to_submit_buf(&p.event->args_buf, &data, sizeof(void *), 3);
+
+ return events_perf_submit(&p, 0);
+}
+
 SEC("kprobe/security_settime64")
 int BPF_KPROBE(trace_security_settime64)
 {
diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h
index 89aac425d9f4..71cc517b0a75 100644
--- a/pkg/ebpf/c/types.h
+++ b/pkg/ebpf/c/types.h
@@ -131,6 +131,7 @@ enum event_id_e
 SECURITY_BPRM_CREDS_FOR_EXEC,
 SECURITY_TASK_SETRLIMIT,
 SECURITY_SETTIME64,
+ PTRACE_NO_SYS_ENTER,
 MAX_EVENT_ID,
 NO_EVENT_SUBMIT,
diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
index dbf17ebff4d9..9b520d823bee 100644
--- a/pkg/ebpf/probes/probe_group.go
+++ b/pkg/ebpf/probes/probe_group.go
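Review bot: The four `PT_REGS_PARMn_CORE_SYSCALL` reads in trace_ptrace assume the native syscall register layout, but the same program is also attached at `__ia32_compat_sys_ptrace` (probe_group.go hunk), where a 32-bit caller's arguments are in bx/cx/dx/si rather than di/si/dx/r10, so `request`, `pid`, `addr` and `data` would be taken from the wrong registers for compat callers on x86; the arm64 compat entry keeps its arguments in regs[0..3], so as far as I can tell only the x86 case is affected. The fix is to branch on the task's compat status — the compat-aware helpers the sys_enter path already uses look like the right thing to reuse, and the names below should be checked against them — and to truncate `request` and `pid` to 32 bits on that branch. Separately, because this is an entry-only kprobe the event carries no return value, so a denied PTRACE_ATTACH looks the same as a successful one; that limitation deserves a comment above `SEC("kprobe/ptrace")` such as `// entry-only: no return value is recorded, failed and successful requests are indistinguishable`.
```c
    // … unchanged: init_program_data / evaluate_scope_filters …
    struct task_struct *task = (struct task_struct *) bpf_get_current_task();
    struct pt_regs *task_context = get_task_pt_regs(task);
    long request;
    pid_t pid;
    void *addr;
    void *data;
    bool compat = false;
#if defined(bpf_target_x86)
    compat = is_x86_compat(task); // tree's existing compat check — confirm name against the sys_enter path
#endif
    if (compat) {
        // ia32 ABI: syscall args live in bx, cx, dx, si and are 32-bit wide
        request = (int) BPF_CORE_READ(task_context, bx);
        pid = (pid_t) BPF_CORE_READ(task_context, cx);
        addr = (void *) (unsigned long) (u32) BPF_CORE_READ(task_context, dx);
        data = (void *) (unsigned long) (u32) BPF_CORE_READ(task_context, si);
    } else {
        request = PT_REGS_PARM1_CORE_SYSCALL(task_context);
        pid = PT_REGS_PARM2_CORE_SYSCALL(task_context);
        addr = (void *) PT_REGS_PARM3_CORE_SYSCALL(task_context);
        data = (void *) PT_REGS_PARM4_CORE_SYSCALL(task_context);
    }
    // … unchanged: save_to_submit_buf calls and events_perf_submit …
```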
@@ -224,6 +224,10 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
 SecurityTaskSetrlimit: NewTraceProbe(KProbe, "security_task_setrlimit", "trace_security_task_setrlimit"),
 SecuritySettime64: NewTraceProbe(KProbe, "security_settime64", "trace_security_settime64"),
+ PtraceX86: NewTraceProbe(KProbe, "__x64_sys_ptrace", "trace_ptrace"),
+ PtraceCompatX86: NewTraceProbe(KProbe, "__ia32_compat_sys_ptrace", "trace_ptrace"),
+ PtraceARM: NewTraceProbe(KProbe, "__arm64_sys_ptrace", "trace_ptrace"),
+ PtraceCompatARM: NewTraceProbe(KProbe, "__arm64_compat_sys_ptrace", "trace_ptrace"),
 TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 ExecTest: NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),
diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
index 4117f863b6f6..c628aeb00702 100644
--- a/pkg/ebpf/probes/probes.go
+++ b/pkg/ebpf/probes/probes.go
@@ -150,6 +150,10 @@ const (
 ExecuteAtFinishedCompatARM
 SecurityTaskSetrlimit
 SecuritySettime64
+ PtraceX86
+ PtraceCompatX86
+ PtraceARM
+ PtraceCompatARM
 )
 // Test probe handles
diff --git a/pkg/events/core.go b/pkg/events/core.go
index 5f1544137f49..e722e9549bc9 100644
--- a/pkg/events/core.go
+++ b/pkg/events/core.go
@@ -113,6 +113,7 @@ const (
 SecurityBprmCredsForExec
 SecurityTaskSetrlimit
 SecuritySettime64
+ PtraceSyscallNoSysenter
 MaxCommonID
 )
@@ -2675,32 +2676,6 @@ var CoreEvents = map[ID]Definition{
 },
 },
 },
- Ptrace: {
- id: Ptrace,
- id32Bit: Sys32ptrace,
- name: "ptrace",
- version: NewVersion(1, 0, 0),
- syscall: true,
- sets: []string{"default", "syscalls", "proc"},
- params: []trace.ArgMeta{
- {Type: "long", Name: "request"},
- {Type: "pid_t", Name: "pid"},
- {Type: "void*", Name: "addr"},
- {Type: "void*", Name: "data"},
- },
- dependencies: Dependencies{
- probes: []Probe{
- {handle: probes.SyscallEnter__Internal, required: true},
- {handle: probes.SyscallExit__Internal, required: true},
- },
- tailCalls: []TailCall{
- {"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Ptrace)}},
- {"sys_enter_submit_tail", "sys_enter_submit", []uint32{uint32(Ptrace)}},
- {"sys_exit_init_tail", "sys_exit_init", []uint32{uint32(Ptrace)}},
- {"sys_exit_submit_tail", "sys_exit_submit", []uint32{uint32(Ptrace)}},
- },
- },
- },
 Getuid: {
 id: Getuid,
 id32Bit: Sys32getuid32,
@@ -13106,6 +13081,28 @@ var CoreEvents = map[ID]Definition{
 {Type: "int", Name: "tz_dsttime"},
 },
 },
+ PtraceSyscallNoSysenter: {
+ id: PtraceSyscallNoSysenter,
+ id32Bit: Sys32ptrace,
+ name: "ptrace",
+ version: NewVersion(1, 0, 0),
+ syscall: true,
+ sets: []string{"default", "syscalls", "proc"},
+ params: []trace.ArgMeta{
+ {Type: "long", Name: "request"},
+ {Type: "pid_t", Name: "pid"},
+ {Type: "void*", Name: "addr"},
+ {Type: "void*", Name: "data"},
+ },
+ dependencies: Dependencies{
+ probes: []Probe{
+ {handle: probes.PtraceX86, required: false},
+ {handle: probes.PtraceCompatX86, required: false},
+ {handle: probes.PtraceARM, required: false},
+ {handle: probes.PtraceCompatARM, required: false},
+ },
+ },
+ },
 //
 // Begin of Signal Events (Control Plane)
 //
diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go
index c646d211fd05..6f9ff0341b8e 100644
--- a/pkg/events/parse_args.go
+++ b/pkg/events/parse_args.go
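Review bot: All four probe dependencies in the new `PtraceSyscallNoSysenter` definition are `required: false`, so if none of them attaches (the arch wrapper symbols `__x64_sys_ptrace` / `__arm64_sys_ptrace` wired up in the probe_group.go hunk exist only on kernels that build syscall wrappers) the event loads without error and simply never fires for a user who selected it. Unless the dependency resolver already enforces an at-least-one rule for such probe groups — I cannot tell from this hunk — consider marking the native probe for the build architecture `required: true`, or at minimum documenting the silent-empty behaviour with a comment above the definition such as `// all probes optional: on kernels without syscall wrappers this event attaches nothing and emits nothing`. The removed `Ptrace` definition's ID presumably still exists as a syscall ID constant, so any reference to it outside the parse_args.go hunk would now resolve to an event without a definition; that is worth a repository-wide check.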
@@ -101,7 +101,7 @@ func ParseArgs(event *trace.Event) error {
 parseOrEmptyString(prevProtArg, mmapProtArgument, nil)
 }
 }
- case Ptrace:
+ case PtraceSyscallNoSysenter:
 if reqArg := GetArg(event, "request"); reqArg != nil {
 if req, isInt64 := reqArg.Value.(int64); isInt64 {
 ptraceRequestArgument, err := parsers.ParsePtraceRequestArgument(uint64(req))