diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index 72c7452763ad..e0daf783d96b 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -1518,6 +1518,9 @@ int sched_process_exec_event_submit_tail(struct bpf_raw_tracepoint_args *ctx)
 &p.event->args_buf, (void *) env_start, (void *) env_end, envc, 16);
 }
+ if (!evaluate_data_filters(&p, 1))
+ return 0;
+
 events_perf_submit(&p, 0);
 return 0;
 }
@@ -1998,6 +2001,9 @@ statfunc int send_bpf_attach(
 save_to_submit_buf(&(p->event->args_buf), &probe_addr, sizeof(u64), 5);
 save_to_submit_buf(&(p->event->args_buf), &perf_type, sizeof(int), 6);
+ if (!evaluate_data_filters(p, 1))
+ return 0;
+
 events_perf_submit(p, 0);
 // delete from map
@@ -2188,6 +2194,10 @@ int tracepoint__cgroup__cgroup_attach_task(struct bpf_raw_tracepoint_args *ctx)
 save_str_to_buf(&p.event->args_buf, path, 0);
 save_str_to_buf(&p.event->args_buf, comm, 1);
 save_to_submit_buf(&p.event->args_buf, (void *) &pid, sizeof(int), 2);
+
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 events_perf_submit(&p, 0);
 return 0;
@@ -2214,6 +2224,10 @@ int tracepoint__cgroup__cgroup_mkdir(struct bpf_raw_tracepoint_args *ctx)
 save_to_submit_buf(&p.event->args_buf, &cgroup_id, sizeof(u64), 0);
 save_str_to_buf(&p.event->args_buf, path, 1);
 save_to_submit_buf(&p.event->args_buf, &hierarchy_id, sizeof(u32), 2);
+
+ if (!evaluate_data_filters(&p, 1))
+ return 0;
+
 events_perf_submit(&p, 0);
 return 0;
@@ -2240,6 +2254,10 @@ int tracepoint__cgroup__cgroup_rmdir(struct bpf_raw_tracepoint_args *ctx)
 save_to_submit_buf(&p.event->args_buf, &cgroup_id, sizeof(u64), 0);
 save_str_to_buf(&p.event->args_buf, path, 1);
 save_to_submit_buf(&p.event->args_buf, &hierarchy_id, sizeof(u32), 2);
+
+ if (!evaluate_data_filters(&p, 1))
+ return 0;
+
 events_perf_submit(&p, 0);
 return 0;
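Review bot: The argument index passed to `evaluate_data_filters(&p, 1)` in sched_process_exec_event_submit_tail is a bare literal whose meaning — which args_buf slot the in-kernel filter compares — can only be recovered by opening pkg/filters/data.go, and the same undocumented literal is repeated in every other hunk of this file (send_bpf_attach, the three cgroup tracepoints, trace_proc_create, both debugfs probes, do_file_io_operation, the macro after kernel_write_magic_return, arm_kprobe_handler, trace_device_add, trace_ret__register_chrdev, module_free, trace_ret_do_init_module, task_rename, common_file_modification_ret). A one-line comment at each call naming the field lets a reader check the literal against the preceding save_*_to_buf() index without leaving the file, e.g. `// in-kernel data filter on pathname (arg 1); must match allowedKernelField in pkg/filters/data.go`. The check also runs only after every argument has been serialized into args_buf, so a dropped event still pays the full copy cost; that is presumably required because the filter reads the slot it is given, and is worth one sentence in the same comment. The body of sched_process_exec_event_submit_tail starts outside the hunk.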
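Review bot: The added `return 0;` in send_bpf_attach exits before the `// delete from map` step that follows events_perf_submit(), so when the data filter drops the event whatever entry that step removes is left behind; the rest of the function is outside the hunk, so I cannot confirm the map or key, but the placement reads as an unconditional cleanup rather than part of the submit path. If the deletion must run regardless of filtering, guard only the submit and let control fall through: `if (evaluate_data_filters(p, 1))` / `    events_perf_submit(p, 0);`. The same return-before-the-rest question applies to do_file_io_operation in a later hunk, which takes a tail_call_id parameter and continues past its submit outside the hunk, so the early return there may also skip a tail call that is expected to happen whether or not the event is emitted.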
@@ -2623,6 +2641,9 @@ int BPF_KPROBE(trace_proc_create)
 save_str_to_buf(&p.event->args_buf, name, 0);
 save_to_submit_buf(&p.event->args_buf, (void *) &proc_ops_addr, sizeof(u64), 1);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 return events_perf_submit(&p, 0);
 }
@@ -2647,6 +2668,9 @@ int BPF_KPROBE(trace_debugfs_create_file)
 save_to_submit_buf(&p.event->args_buf, &mode, sizeof(umode_t), 2);
 save_to_submit_buf(&p.event->args_buf, (void *) &proc_ops_addr, sizeof(u64), 3);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 return events_perf_submit(&p, 0);
 }
@@ -2667,6 +2691,9 @@ int BPF_KPROBE(trace_debugfs_create_dir)
 save_str_to_buf(&p.event->args_buf, name, 0);
 save_str_to_buf(&p.event->args_buf, dentry_path, 1);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 return events_perf_submit(&p, 0);
 }
@@ -3193,6 +3220,9 @@ do_file_io_operation(struct pt_regs *ctx, u32 event_id, u32 tail_call_id, bool i
 save_to_submit_buf(&p.event->args_buf, &io_data.len, sizeof(unsigned long), 3);
 save_to_submit_buf(&p.event->args_buf, &start_pos, sizeof(off_t), 4);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 // Submit io event
 events_perf_submit(&p, PT_REGS_RC(ctx));
@@ -3547,6 +3577,8 @@ int BPF_KPROBE(kernel_write_magic_return)
 save_to_submit_buf(event, &file_info.id.inode, sizeof(unsigned long), 7); \
 save_to_submit_buf(event, &file_info.id.ctime, sizeof(u64), 8); \
 } \
+ if (!evaluate_data_filters(&p, 5)) \
+ return 0; \
 events_perf_submit(&p, 0); \
 }
@@ -3950,6 +3982,9 @@ statfunc int arm_kprobe_handler(struct pt_regs *ctx)
 save_to_submit_buf(&p.event->args_buf, (void *) &pre_handler, sizeof(u64), 1);
 save_to_submit_buf(&p.event->args_buf, (void *) &post_handler, sizeof(u64), 2);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 return events_perf_submit(&p, 0);
 }
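Review bot: The hunk headed `int BPF_KPROBE(kernel_write_magic_return)` is inside a multi-line macro (every line ends in `\`), and its `evaluate_data_filters(&p, 5)` is the one call in this change whose index does not correspond to a save call visible in the same hunk — the macro's name and the slot-5 save are outside it, so a reviewer has to take the 5 on trust. Among the new data.go entries only MemProtAlert is annotated `// 5`, which is presumably the event this macro submits; a comment on the new line would pin that down, e.g. `if (!evaluate_data_filters(&p, 5)) /* pathname slot of the submitted event, see allowedKernelField */ \`. A `return 0;` inside a macro body is also a hidden exit from whichever function expands the macro, which deserves a sentence in the macro's own header comment so callers know the expansion can return early.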
@@ -4292,6 +4327,9 @@ int BPF_KPROBE(trace_device_add)
 save_str_to_buf(&p.event->args_buf, (void *) name, 0);
 save_str_to_buf(&p.event->args_buf, (void *) parent_name, 1);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 return events_perf_submit(&p, 0);
 }
@@ -4331,6 +4369,9 @@ int BPF_KPROBE(trace_ret__register_chrdev)
 save_str_to_buf(&p.event->args_buf, char_device_name, 2);
 save_to_submit_buf(&p.event->args_buf, &char_device_fops, sizeof(void *), 3);
+ if (!evaluate_data_filters(&p, 2))
+ return 0;
+
 return events_perf_submit(&p, 0);
 }
@@ -4546,6 +4587,9 @@ int tracepoint__module__module_free(struct bpf_raw_tracepoint_args *ctx)
 save_str_to_buf(&p.event->args_buf, (void *) version, 1);
 save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 return events_perf_submit(&p, 0);
 }
@@ -4590,6 +4634,10 @@ int BPF_KPROBE(trace_ret_do_init_module)
 save_str_to_buf(&p.event->args_buf, (void *) srcversion, 2);
 int ret_val = PT_REGS_RC(ctx);
+
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 return events_perf_submit(&p, ret_val);
 }
@@ -4713,6 +4761,9 @@ int tracepoint__task__task_rename(struct bpf_raw_tracepoint_args *ctx)
 save_str_to_buf(&p.event->args_buf, (void *) old_name, 0);
 save_str_to_buf(&p.event->args_buf, (void *) new_name, 1);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 return events_perf_submit(&p, 0);
 }
@@ -5029,6 +5080,9 @@ statfunc int common_file_modification_ret(struct pt_regs *ctx)
 save_to_submit_buf(&p.event->args_buf, &old_ctime, sizeof(u64), 3);
 save_to_submit_buf(&p.event->args_buf, &file_info.id.ctime, sizeof(u64), 4);
+ if (!evaluate_data_filters(&p, 0))
+ return 0;
+
 events_perf_submit(&p, 0);
 return 0;
diff --git a/pkg/filters/data.go b/pkg/filters/data.go
index cb7b1b49c9f0..357ed26fb038 100644
--- a/pkg/filters/data.go
+++ b/pkg/filters/data.go
@@ -75,7 +75,7 @@ func NewDataFilter() *DataFilter {
 // list of events and field names allowed to have in-kernel filter
 var allowedKernelField = map[events.ID]string{
 // LSM hooks
- events.SecurityBprmCheck: "pathname", // 0
+ events.SecurityBprmCheck: "pathname", // index: 0
 events.SecurityFileOpen: "pathname", // 0
 events.SecurityInodeUnlink: "pathname", // 0
 events.SecuritySbMount: "path", // 1
@@ -90,19 +90,42 @@ var allowedKernelField = map[events.ID]string{
 events.SecurityBpfProg: "name", // 1
 events.SecurityPathNotify: "pathname", // 0
 events.SharedObjectLoaded: "pathname", // 0
+
+ // Others
+ events.SchedProcessExec: "pathname", // 1
+ events.VfsWrite: "pathname", // 0
+ events.VfsWritev: "pathname", // 0
+ events.VfsRead: "pathname", // 0
+ events.VfsReadv: "pathname", // 0
+ events.MemProtAlert: "pathname", // 5
+ events.MagicWrite: "pathname", // 0
+ events.KernelWrite: "pathname", // 0
+ events.CallUsermodeHelper: "pathname", // 0
+ events.LoadElfPhdrs: "pathname", // 0
+ events.DoMmap: "pathname", // 1
+ events.VfsUtimes: "pathname", // 0
+ events.DoTruncate: "pathname", // 0
+ events.InotifyWatch: "pathname", // 0
+ events.ModuleLoad: "pathname", // 3
+ events.ChmodCommon: "pathname", // 0
+ events.DeviceAdd: "name", // 0
+ events.DoInitModule: "name", // 0
+ events.ModuleFree: "name", // 0
+ events.ProcCreate: "name", // 0
+ events.RegisterChrdev: "char_device_name", // 2
+ events.DebugfsCreateFile: "file_name", // 0
+ events.DebugfsCreateDir: "name", // 0
+ events.CgroupMkdir: "cgroup_path", // 1
+ events.CgroupRmdir: "cgroup_path", // 1
+ events.CgroupAttachTask: "cgroup_path", // 0
+ events.BpfAttach: "prog_name", // 1
+ events.KprobeAttach: "symbol_name", // 0
+ events.TaskRename: "old_name", // 0
+ events.FileModification: "file_path", // 0
+
 // Syscalls
 events.Execve: "pathname",
 events.Execveat: "pathname",
- // Others
- events.ModuleLoad: "pathname",
- events.InotifyWatch: "pathname",
- events.DoTruncate: "pathname",
- events.MagicWrite: "pathname",
- events.VfsUtimes: "pathname",
- events.LoadElfPhdrs: "pathname",
- events.CallUsermodeHelper: "pathname",
- events.ChmodCommon: "pathname",
- events.DoMmap: "pathname",
 }
 // checkAvailabilityKernelFilter check if event ID and field name are allowed to be an kernel filter
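Review bot: The trailing `// N` comments on the new allowedKernelField entries are the only record of which args_buf slot the eBPF side filters on, and nothing ties them to the literal passed to evaluate_data_filters() in pkg/ebpf/c/tracee.bpf.c; the map value is the field name, the index lives only in a comment, so a drift between the two files is caught neither by the compiler nor by this map's lookup. A doc comment on the map would at least make the contract explicit, e.g. `// The trailing index comment is the argument index passed to evaluate_data_filters() in tracee.bpf.c; keep both in sync whenever an event's argument order changes.` The comment form is also inconsistent within this change: the previous hunk rewrote one entry to `// index: 0` while all thirty new entries use bare `// 0`/`// 1`, so pick one. The Execve and Execveat entries carry no index comment at all, unlike every other entry in the map.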