chore: fix: improve data parsers

- perf: improvements include reducing the size of the parser logic by using slices instead of maps whenever possible. This allows for direct access to values via index, and when direct access isn't feasible, iterating through slices is generally more efficient than fetching values from a map. - perf: return string only instead of the Argument type since it's the only value used. - fix ParseOpenFlagArgument that wasn't printing O_RDONLY flag alone. - fix ParseAccessMode that wasn't printing F_OK flag alone. - fix ParseExecFlag (now ParseExecveatFlag) to check only related flags. - fix Faccessat and Fchmodat to parse flags arg too. - feat: *at syscalls with dirfd arg now parse for special case AT_FDCWD when ParseArgumentsFDs is true. - chore: try as much as possible to use values defined in the C system, avoiding entering incorrect values. - chore: add to ParseCapability the missing flags: CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE. - chore: add to ParsePrctlOption the missing flags: PR_SET_IO_FLUSHER, PR_GET_IO_FLUSHER, PR_SET_SYSCALL_USER_DISPATCH, PR_PAC_SET_ENABLED_KEYS, PR_PAC_GET_ENABLED_KEYS, PR_SCHED_CORE, PR_SME_SET_VL, PR_SME_GET_VL, PR_SET_MDWE, PR_GET_MDWE, PR_SET_MEMORY_MERGE and PR_GET_MEMORY_MERGE. - chore: add to ParseBPF the missing flags: BPF_PROG_BIND_MAP, BPF_TOKEN_CREATE - chore ParsePtraceRequestArgument including missing flags PTRACE_GET_THREAD_AREA, PTRACE_SET_THREAD_AREA, PTRACE_ARCH_PRCTL, PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP, PTRACE_SINGLEBLOCK, PTRACE_GET_RSEQ_CONFIGURATION, PTRACE_SET_SYSCALL_USER_DISPATCH_CONFIG and PTRACE_GET_SYSCALL_USER_DISPATCH_CONFIG. - chore: add to ParseSocketDomainArgument the missing: AF_MCTP. This commit reduces the size of the final binary by ~56KB.
aquasecurity · Sep 16, 2024 · 58a8fb4 · 58a8fb4
1 parent d09d7fc
commit 58a8fb4
Show file tree

Hide file tree

Showing 6 changed files with 1,211 additions and 1,146 deletions.
diff --git a/pkg/bufferdecoder/eventsreader.go b/pkg/bufferdecoder/eventsreader.go
@@ -255,9 +255,9 @@ func readSockaddrFromBuff(ebpfMsgDecoder *EbpfDecoder) (map[string]string, error
 	}
 	socketDomainArg, err := parsers.ParseSocketDomainArgument(uint64(family))
 	if err != nil {
-		socketDomainArg = parsers.AF_UNSPEC
+		socketDomainArg = parsers.AF_UNSPEC.String()
 	}
-	res["sa_family"] = socketDomainArg.String()
+	res["sa_family"] = socketDomainArg
 	switch family {
 	case 1: // AF_UNIX
 		/*

diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go
@@ -23,7 +23,8 @@ func ParseArgs(event *trace.Event) error {
 		}
 	}
 
-	switch ID(event.EventID) {
+	evtID := ID(event.EventID)
+	switch evtID {
 	case MemProtAlert:
 		if alertArg := GetArg(event, "alert"); alertArg != nil {
 			if alert, isUint32 := alertArg.Value.(uint32); isUint32 {
@@ -83,8 +84,8 @@ func ParseArgs(event *trace.Event) error {
 		}
 	case Prctl:
 		if optArg := GetArg(event, "option"); optArg != nil {
-			if opt, isInt32 := optArg.Value.(int32); isInt32 {
-				parsePrctlOption(optArg, uint64(opt))
+			if option, isInt32 := optArg.Value.(int32); isInt32 {
+				parsePrctlOption(optArg, uint64(option))
 			}
 		}
 	case Socketcall:
@@ -115,16 +116,27 @@ func ParseArgs(event *trace.Event) error {
 				parseSocketType(typeArg, uint64(typ))
 			}
 		}
-	case Access, Faccessat:
+	case Access:
 		if modeArg := GetArg(event, "mode"); modeArg != nil {
 			if mode, isInt32 := modeArg.Value.(int32); isInt32 {
 				parseAccessMode(modeArg, uint64(mode))
 			}
 		}
+	case Faccessat:
+		if modeArg := GetArg(event, "mode"); modeArg != nil {
+			if mode, isInt32 := modeArg.Value.(int32); isInt32 {
+				parseAccessMode(modeArg, uint64(mode))
+			}
+		}
+		if flagsArg := GetArg(event, "flags"); flagsArg != nil {
+			if flags, isInt32 := flagsArg.Value.(int32); isInt32 {
+				parseFaccessatFlag(flagsArg, uint64(flags))
+			}
+		}
 	case Execveat:
 		if flagsArg := GetArg(event, "flags"); flagsArg != nil {
 			if flags, isInt32 := flagsArg.Value.(int32); isInt32 {
-				parseExecFlag(flagsArg, uint64(flags))
+				parseExecveatFlag(flagsArg, uint64(flags))
 			}
 		}
 	case Open, Openat, SecurityFileOpen:
@@ -139,6 +151,13 @@ func ParseArgs(event *trace.Event) error {
 				parseInodeMode(modeArg, uint64(mode))
 			}
 		}
+		if evtID == Fchmodat {
+			if flagsArg := GetArg(event, "flags"); flagsArg != nil {
+				if flags, isInt32 := flagsArg.Value.(int32); isInt32 {
+					parseFchmodatFlag(flagsArg, uint64(flags))
+				}
+			}
+		}
 	case SecurityInodeMknod:
 		if modeArg := GetArg(event, "mode"); modeArg != nil {
 			if mode, isUint16 := modeArg.Value.(uint16); isUint16 {
@@ -245,6 +264,12 @@ func ParseArgsFDs(event *trace.Event, origTimestamp uint64, fdArgPathMap *bpf.BP
 		}
 	}
 
+	if dirfdArg := GetArg(event, "dirfd"); dirfdArg != nil {
+		if dirfd, isInt32 := dirfdArg.Value.(int32); isInt32 {
+			parseDirfdAt(dirfdArg, uint64(dirfd))
+		}
+	}
+
 	return nil
 }
 

diff --git a/pkg/events/parse_args_helpers.go b/pkg/events/parse_args_helpers.go
@@ -1,6 +1,8 @@
 package events
 
 import (
+	"golang.org/x/sys/unix"
+
 	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -19,7 +21,7 @@ func parseSocketDomainArgument(arg *trace.Argument, domain uint64) {
 		arg.Value = ""
 		return
 	}
-	arg.Value = socketDomainArgument.String()
+	arg.Value = socketDomainArgument
 }
 
 func parseSocketType(arg *trace.Argument, typ uint64) {
@@ -59,7 +61,7 @@ func parseCapability(arg *trace.Argument, capability uint64) {
 		arg.Value = ""
 		return
 	}
-	arg.Value = capabilityFlagArgument.String()
+	arg.Value = capabilityFlagArgument
 }
 
 func parseMemProtAlert(arg *trace.Argument, alert uint32) {
@@ -90,17 +92,17 @@ func parsePtraceRequestArgument(arg *trace.Argument, req uint64) {
 		arg.Value = ""
 		return
 	}
-	arg.Value = ptraceRequestArgument.String()
+	arg.Value = ptraceRequestArgument
 }
 
-func parsePrctlOption(arg *trace.Argument, opt uint64) {
+func parsePrctlOption(arg *trace.Argument, option uint64) {
 	arg.Type = "string"
-	prctlOptionArgument, err := parsers.ParsePrctlOption(opt)
+	prctlOptionArgument, err := parsers.ParsePrctlOption(option)
 	if err != nil {
 		arg.Value = ""
 		return
 	}
-	arg.Value = prctlOptionArgument.String()
+	arg.Value = prctlOptionArgument
 }
 
 func parseSocketcallCall(arg *trace.Argument, call uint64) {
@@ -110,7 +112,7 @@ func parseSocketcallCall(arg *trace.Argument, call uint64) {
 		arg.Value = ""
 		return
 	}
-	arg.Value = socketcallArgument.String()
+	arg.Value = socketcallArgument
 }
 
 func parseAccessMode(arg *trace.Argument, mode uint64) {
@@ -120,17 +122,45 @@ func parseAccessMode(arg *trace.Argument, mode uint64) {
 		arg.Value = ""
 		return
 	}
-	arg.Value = accessModeArgument.String()
+	arg.Value = accessModeArgument
+}
+
+func parseDirfdAt(arg *trace.Argument, dirfd uint64) {
+	if int32(dirfd) == unix.AT_FDCWD {
+		arg.Type = "string"
+		arg.Value = "AT_FDCWD"
+		return
+	}
+}
+
+func parseFaccessatFlag(arg *trace.Argument, flags uint64) {
+	arg.Type = "string"
+	faccessatFlagArgument, err := parsers.ParseFaccessatFlag(flags)
+	if err != nil {
+		arg.Value = ""
+		return
+	}
+	arg.Value = faccessatFlagArgument
+}
+
+func parseFchmodatFlag(arg *trace.Argument, flags uint64) {
+	arg.Type = "string"
+	fchmodatFlagArgument, err := parsers.ParseFchmodatFlag(flags)
+	if err != nil {
+		arg.Value = ""
+		return
+	}
+	arg.Value = fchmodatFlagArgument
 }
 
-func parseExecFlag(arg *trace.Argument, flags uint64) {
+func parseExecveatFlag(arg *trace.Argument, flags uint64) {
 	arg.Type = "string"
-	execFlagArgument, err := parsers.ParseExecFlag(flags)
+	execFlagArgument, err := parsers.ParseExecveatFlag(flags)
 	if err != nil {
 		arg.Value = ""
 		return
 	}
-	arg.Value = execFlagArgument.String()
+	arg.Value = execFlagArgument
 }
 
 func parseOpenFlagArgument(arg *trace.Argument, flags uint64) {
@@ -140,7 +170,7 @@ func parseOpenFlagArgument(arg *trace.Argument, flags uint64) {
 		arg.Value = ""
 		return
 	}
-	arg.Value = openFlagArgument.String()
+	arg.Value = openFlagArgument
 }
 
 func parseCloneFlags(arg *trace.Argument, flags uint64) {
@@ -150,7 +180,7 @@ func parseCloneFlags(arg *trace.Argument, flags uint64) {
 		arg.Value = ""
 		return
 	}
-	arg.Value = cloneFlagArgument.String()
+	arg.Value = cloneFlagArgument
 }
 
 func parseBPFCmd(arg *trace.Argument, cmd uint64) {
@@ -160,7 +190,7 @@ func parseBPFCmd(arg *trace.Argument, cmd uint64) {
 		arg.Value = ""
 		return
 	}
-	arg.Value = bpfCommandArgument.String()
+	arg.Value = bpfCommandArgument
 }
 
 func parseSocketLevel(arg *trace.Argument, level uint64) {