From 993bf7d271d004ce3e9241d17cc865ee342b1741 Mon Sep 17 00:00:00 2001
From: Ori Glassman
Date: Sun, 4 Aug 2024 13:59:33 +0300
Subject: [PATCH] feat(ebpf): make security_socket_setsockopt not rely on sys_enter/exit

---
 pkg/ebpf/c/tracee.bpf.c | 20 ++++++++------------
 pkg/events/core.go      |  4 ----
 2 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index d364de379872..5dc843d6fd17 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -2815,22 +2815,18 @@ int BPF_KPROBE(trace_security_socket_setsockopt)
     int level = (int) PT_REGS_PARM2(ctx);
     int optname = (int) PT_REGS_PARM3(ctx);
 
-    // Load the arguments given to the setsockopt syscall (which eventually invokes this function)
-    syscall_data_t *sys = &p.task_info->syscall_data;
-    if (sys == NULL) {
-        return -1;
-    }
-
-    if (!p.task_info->syscall_traced)
-        return 0;
-
-    switch (sys->id) {
+    struct pt_regs *task_regs = get_current_task_pt_regs();
+    int sockfd;
+    u32 sockfd_addr;
+    switch (p.event->context.syscall) {
         case SYSCALL_SETSOCKOPT:
-            save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[0], sizeof(u32), 0);
+            sockfd = get_syscall_arg1(p.event->task, task_regs, false);
+            save_to_submit_buf(&p.event->args_buf, (void *) &sockfd, sizeof(u32), 0);
             break;
 #if defined(bpf_target_x86) // armhf makes use of SYSCALL_SETSOCKOPT
         case SYSCALL_SOCKETCALL:
-            save_to_submit_buf(&p.event->args_buf, (void *) sys->args.args[1], sizeof(u32), 0);
+            sockfd_addr = get_syscall_arg2(p.event->task, task_regs, false);
+            save_to_submit_buf(&p.event->args_buf, (void *) sockfd_addr, sizeof(u32), 0);
             break;
 #endif
         default:
diff --git a/pkg/events/core.go b/pkg/events/core.go
index 5f1544137f49..54d71c2490f5 100644
--- a/pkg/events/core.go
+++ b/pkg/events/core.go
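Review bot: `u32 sockfd_addr;` now holds a user-space pointer (the socketcall argument block that `get_syscall_arg2` presumably returns at register width), so the value is narrowed before the `(void *) sockfd_addr` cast on the next line widens it again; the removed `sys->args.args[1]` carried the saved argument at full width, so this narrowing is new to the patch. Declare it at pointer width, e.g. `unsigned long sockfd_addr;`, so correctness does not hinge on socketcall only ever being entered by a 32-bit compat caller with 32-bit addresses. The SOCKETCALL branch also deserves a caveat comment: by the time this LSM hook runs the kernel has already copied that argument block out of user memory, so re-reading it here (as `save_to_submit_buf` appears to do from the user address) can be raced by another thread, and the fd logged may differ from the one the kernel actually acted on — `// NOTE: re-reads the socketcall args from user memory after the kernel's own copy; a racing thread can change the fd recorded here`. trace_security_socket_setsockopt starts and ends outside the hunk.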
@@ -11688,10 +11688,6 @@ var CoreEvents = map[ID]Definition{
 		dependencies: Dependencies{
 			probes: []Probe{
 				{handle: probes.SecuritySocketSetsockopt, required: true},
-				{handle: probes.SyscallEnter__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Setsockopt)}},
 			},
 		},
 		sets: []string{"lsm_hooks", "net", "net_sock"},