feat: add argv to security_bprm_check

To allow deeper analysis of the executed program before the execution, a new field for the argv given is added.
aquasecurity · Sep 5, 2023 · a40cb3b · a40cb3b
1 parent 1a47a4e
commit a40cb3b
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 0 deletions.
diff --git a/docs/docs/events/builtin/extra/security_bprm_check.md b/docs/docs/events/builtin/extra/security_bprm_check.md
@@ -0,0 +1,30 @@
+# security_bprm_check
+
+## Intro
+security_bprm_check - verify permissions prior to initiating the binary handler search in the execution flow.
+
+## Description
+This event signifies an attempt to execute a binary via execve or execveat, occurring just before the kernel starts searching for the specific binary handler. During this stage, numerous new process attributes are set, and although the context remains that of the pre-execution process, the event is valuable when that context holds significance. It's a preferred choice over syscall events due to its resolved path and binary details. However, if you need more extensive information and the process context is less crucial, you might find the sched_process_exec event to be a better fit.
+
+## Arguments
+* `pathname`:`const char*`[K] - the resolved path of the file executed.
+* `dev`:`dev_t`[K] - the device of the executed file.
+* `inode`:`unsigned long`[K] - the inode number of the executed file.
+* `argv`:`const char*`[U,TOCTOU] - the arguments given by the user during execution.
+* `envp`:`const char*`[U,TOCTOU,OPT] - the environment variable passed by the user during execution. Will be filled only if requested by the configuration.
+
+## Hooks
+### security_bprm_check
+#### Type
+LSM hook
+#### Purpose
+The LSM hook for the execution phase before context changing.
+
+### sys_enter
+#### Type
+Tracepoint
+#### Purpose
+Used to save the argv of the execution from the syscall arguments.
+
+## Related Events
+`sched_process_exec`,`execve`,`execveat`
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1946,9 +1946,28 @@ int BPF_KPROBE(trace_security_bprm_check)
     unsigned long inode_nr = get_inode_nr_from_file(file);
     void *file_path = get_path_str(__builtin_preserve_access_index(&file->f_path));
 
+    syscall_data_t *sys = &p.task_info->syscall_data;
+    const char *const *argv = NULL;
+    const char *const *envp = NULL;
+    switch(sys->id) {
+    case SYSCALL_EXECVE:
+        argv = (const char *const *) sys->args.args[1];
+        envp = (const char *const *) sys->args.args[2];
+        break;
+    case SYSCALL_EXECVEAT:
+        argv = (const char *const *) sys->args.args[2];
+        envp = (const char *const *) sys->args.args[3];
+        break;
+    default:
+        break;
+    }
+
     save_str_to_buf(&p.event->args_buf, file_path, 0);
     save_to_submit_buf(&p.event->args_buf, &s_dev, sizeof(dev_t), 1);
     save_to_submit_buf(&p.event->args_buf, &inode_nr, sizeof(unsigned long), 2);
+    save_str_arr_to_buf(&p.event->args_buf, argv, 3);
+    if (p.config->options & OPT_EXEC_ENV)
+        save_str_arr_to_buf(&p.event->args_buf, envp, 4);
 
     return events_perf_submit(&p, SECURITY_BPRM_CHECK, 0);
 }

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -9189,13 +9189,25 @@ var CoreEvents = map[ID]Definition{
 		dependencies: Dependencies{
 			probes: []Probe{
 				{handle: probes.SecurityBPRMCheck, required: true},
+				{handle: probes.SyscallEnter__Internal, required: true},
+			},
+			tailCalls: []TailCall{
+				{
+					"sys_enter_init_tail",
+					"sys_enter_init",
+					[]uint32{
+						uint32(Execve), uint32(Execveat),
+					},
+				},
 			},
 		},
 		sets: []string{"lsm_hooks", "proc", "proc_life"},
 		params: []trace.ArgMeta{
 			{Type: "const char*", Name: "pathname"},
 			{Type: "dev_t", Name: "dev"},
 			{Type: "unsigned long", Name: "inode"},
+			{Type: "const char*const*", Name: "argv"},
+			{Type: "const char*const*", Name: "envp"},
 		},
 	},
 	SecurityFileOpen: {