-
Notifications
You must be signed in to change notification settings - Fork 412
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(events): add e2e for ftrace_hook
- Loading branch information
1 parent
66c5baf
commit c31aaa2
Showing
9 changed files
with
190 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
|
||
"github.com/aquasecurity/tracee/signatures/helpers" | ||
"github.com/aquasecurity/tracee/types/detect" | ||
"github.com/aquasecurity/tracee/types/protocol" | ||
"github.com/aquasecurity/tracee/types/trace" | ||
) | ||
|
||
type e2eFtraceHook struct { | ||
cb detect.SignatureHandler | ||
} | ||
|
||
func (sig *e2eFtraceHook) Init(ctx detect.SignatureContext) error { | ||
sig.cb = ctx.Callback | ||
return nil | ||
} | ||
|
||
func (sig *e2eFtraceHook) GetMetadata() (detect.SignatureMetadata, error) { | ||
return detect.SignatureMetadata{ | ||
ID: "FTRACE_HOOK", | ||
EventName: "FTRACE_HOOK", | ||
Version: "0.1.0", | ||
Name: "ftrace_hook Test", | ||
Description: "Instrumentation events E2E Tests: ftrace_hook", | ||
Tags: []string{"e2e", "instrumentation"}, | ||
}, nil | ||
} | ||
|
||
func (sig *e2eFtraceHook) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { | ||
return []detect.SignatureEventSelector{ | ||
{Source: "tracee", Name: "ftrace_hook"}, | ||
}, nil | ||
} | ||
|
||
func (sig *e2eFtraceHook) OnEvent(event protocol.Event) error { | ||
eventObj, ok := event.Payload.(trace.Event) | ||
if !ok { | ||
return fmt.Errorf("failed to cast event's payload") | ||
} | ||
|
||
switch eventObj.EventName { | ||
case "ftrace_hook": | ||
symbolName, err := helpers.GetTraceeStringArgumentByName(eventObj, "symbol") | ||
if err != nil { | ||
return err | ||
} | ||
|
||
if symbolName != "commit_creds" { | ||
return nil | ||
} | ||
|
||
m, _ := sig.GetMetadata() | ||
sig.cb(&detect.Finding{ | ||
SigMetadata: m, | ||
Event: event, | ||
Data: map[string]interface{}{}, | ||
}) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func (sig *e2eFtraceHook) OnSignal(s detect.Signal) error { | ||
return nil | ||
} | ||
|
||
func (sig *e2eFtraceHook) Close() {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
#!/usr/bin/bash -e | ||
|
||
KERNEL_VERSION=$(uname -r) | ||
|
||
exit_err() { | ||
echo -n "ERROR: " | ||
echo "$@" | ||
exit 1 | ||
} | ||
|
||
. /etc/os-release | ||
|
||
# Build and load module | ||
dir="tests/e2e-inst-signatures/scripts/hooker" | ||
cd $dir || exit_err "could not cd to $dir" | ||
make && ./load.sh || exit_err "could not load module" | ||
|
||
# Sleep a bit to allow module to load | ||
sleep 5 | ||
lsmod | grep hooker || exit_err "module not loaded" | ||
|
||
# Unload module after 30 seconds | ||
nohup sleep 30 > /dev/null 2>&1 && ./unload.sh & |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
obj-m += hooker.o | ||
|
||
PWD := $(shell pwd) | ||
|
||
KBUILD_CFLAGS += -g -Wall | ||
KERNELDIR ?= /lib/modules/$(shell uname -r)/build | ||
|
||
hooker.o: | ||
make -C $(KERNELDIR) M=$(PWD) modules | ||
|
||
clean: | ||
rm -f hooker.mod hooker.o hooker.mod.c hooker.mod.o hooker.ko | ||
rm -f modules.order Module.symvers |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
#include <linux/init.h> | ||
#include <linux/module.h> | ||
#include <linux/kprobes.h> | ||
|
||
|
||
MODULE_LICENSE("GPL"); | ||
|
||
static char *symbol = "commit_creds"; | ||
module_param(symbol, charp, 0000); | ||
MODULE_PARM_DESC(symbol, "The symbol to hook"); | ||
|
||
static struct kprobe kp; | ||
|
||
/* Handler for pre-kprobe (executed just before the probed instruction) */ | ||
static int handler_pre(struct kprobe *p, struct pt_regs *regs) | ||
{ | ||
return 0; | ||
} | ||
|
||
static int __init hooker_init(void) | ||
{ | ||
int ret; | ||
|
||
kp.symbol_name = symbol; | ||
kp.pre_handler = handler_pre; | ||
|
||
ret = register_kprobe(&kp); | ||
if (ret < 0) { | ||
pr_err("register_kprobe failed, returned %d\n", ret); | ||
return ret; | ||
} | ||
pr_info("Planted kprobe at %p\n", kp.addr); | ||
return 0; | ||
} | ||
|
||
static void __exit hooker_exit(void) | ||
{ | ||
unregister_kprobe(&kp); | ||
pr_info("kprobe at %p unregistered\n", kp.addr); | ||
} | ||
|
||
module_init(hooker_init); | ||
module_exit(hooker_exit); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
#!/bin/bash | ||
|
||
if [[ $UID -ne 0 ]]; then | ||
echo must be root | ||
exit 1 | ||
fi | ||
|
||
sudo lsmod | grep -q hooker && { | ||
echo module already loaded | ||
exit 0 | ||
} | ||
|
||
insmod ./hooker.ko "commit_creds" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
#!/bin/bash | ||
|
||
if [[ $UID -ne 0 ]]; then | ||
echo must be root | ||
exit 1 | ||
fi | ||
|
||
rmmod hooker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters