From 6bdafe36bf5747bb5cfdc73ea8e01aa78b92e540 Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Mon, 25 Nov 2024 16:01:30 +0100
Subject: [PATCH 1/2] binary: add uid/gid owners of the binary

Signed-off-by: Djalal Harouni
---
 bpf/lib/process.h | 6 +++++-
 pkg/api/processapi/processapi.go | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/bpf/lib/process.h b/bpf/lib/process.h
index 09157fd471f..6fd40cf7878 100644
--- a/bpf/lib/process.h
+++ b/bpf/lib/process.h
@@ -302,7 +302,7 @@ struct msg_execve_event {
 typedef __u64 mbset_t;
-// This structure stores the binary path that was recorded on execve.
+// This structure stores the binary parameters that were recorded on execve.
 // Technically PATH_MAX is 4096 but we limit the length we store since we have
 // limits on the length of the string to compare:
 // - Artificial limits for full string comparison.
@@ -323,6 +323,10 @@ struct binary {
 char end_r[STRING_POSTFIX_MAX_LENGTH];
 // matchBinary bitset for binary
 mbset_t mb_bitset;
+ // Binary uid owner
+ __u32 uid;
+ // Binary gid owner
+ __u32 gid;
 }; // All fields aligned so no 'packed' attribute
 // The execve_map_value is tracked by the TGID of the thread group
diff --git a/pkg/api/processapi/processapi.go b/pkg/api/processapi/processapi.go
index ce2b117e4e8..de19a12a62c 100644
--- a/pkg/api/processapi/processapi.go
+++ b/pkg/api/processapi/processapi.go
@@ -157,6 +157,8 @@ type Binary struct {
 End [STRING_POSTFIX_MAX_LENGTH]byte
 End_r [STRING_POSTFIX_MAX_LENGTH]byte
 MBSet uint64
+ Uid uint32
+ Gid uint32
 }
 type MsgNamespaces struct {

From 85778d5508c6414be350561118da18935158b2b4 Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Mon, 25 Nov 2024 16:46:37 +0100
Subject: [PATCH 2/2] bpf:execve: record binary file uid/gid

Signed-off-by: Djalal Harouni
---
 bpf/lib/process.h | 2 ++
 bpf/process/bpf_execve_event.c | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/bpf/lib/process.h b/bpf/lib/process.h
index 6fd40cf7878..1397532e9d4 100644
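Review bot: The new `uid`/`gid` fields added to `struct binary` say only "Binary uid owner"/"Binary gid owner", with no statement of which namespace the ids belong to or which value means "unknown", and the mirrored `Uid`/`Gid` fields in the pkg/api/processapi/processapi.go hunk inherit the same gap. Patch 2 of this series fills them from the inode's `i_uid.val`/`i_gid.val`, which is the raw kuid/kgid value (the mapping in the initial user namespace, not the id the executing task would see in its own namespace), and presets them to `-1` before the read. I would replace the two one-word comments with `// Owner uid/gid of the binary's inode as raw kuid/kgid (initial user namespace); 0xFFFFFFFF when the read failed` and put the same sentence on the Go `Binary` struct, so a consumer does not compare these against namespace-relative ids or treat a failed read as a root-owned file. The enclosing `struct binary` begins before this hunk.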
--- a/bpf/lib/process.h
+++ b/bpf/lib/process.h
@@ -276,6 +276,8 @@ struct heap_exe {
 char end[STRING_POSTFIX_MAX_LENGTH];
 __u32 len;
 __u32 error;
+ __u32 uid_owner;
+ __u32 gid_owner;
 }; // All fields aligned so no 'packed' attribute.
 struct msg_execve_event {
diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index ca82921c2d3..e11530eb3fe 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -196,6 +196,13 @@ read_exe(struct task_struct *task, struct heap_exe *exe)
 // matching on the prefix operators, even if we only keep a subset of that
 char *buffer;
+ // Initialiaze to invalid uid
+ exe->uid_owner = -1;
+ exe->gid_owner = -1;
+
+ BPF_CORE_READ_INTO(&exe->uid_owner, file, f_inode, i_uid.val);
+ BPF_CORE_READ_INTO(&exe->gid_owner, file, f_inode, i_gid.val);
+
 buffer = d_path_local(path, (int *)&exe->len, (int *)&exe->error);
 if (!buffer)
 return 0;
@@ -389,6 +396,8 @@ execve_send(void *ctx __arg_ctx)
 // path is longer than current, we can have leftovers at the end.
 memset(&curr->bin, 0, sizeof(curr->bin));
 #ifdef __LARGE_BPF_PROG
+ curr->bin.uid = event->exe.uid_owner;
+ curr->bin.gid = event->exe.gid_owner;
 // read from proc exe stored at execve time
 if (event->exe.len <= BINARY_PATH_MAX_LEN) {
 curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.buf);
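Review bot: In the read_exe hunk, `exe->uid_owner = -1;` and `exe->gid_owner = -1;` store a negative constant into `__u32` fields under a misspelled comment ("Initialiaze") that does not say why `-1` is the sentinel, and the result of both `BPF_CORE_READ_INTO` calls is discarded, so a failed read is recognisable only by that sentinel surviving. I would make the intent explicit: `// Preset to (__u32)-1, the kernel's INVALID_UID/INVALID_GID value; it is left in place if the CO-RE reads below fail`, `exe->uid_owner = (__u32)-1;`, `exe->gid_owner = (__u32)-1;`. `file` and `path` are obtained earlier in read_exe, outside this hunk, so whether `file` can be NULL at this point cannot be checked here; if it can, the two reads should be guarded by that check rather than relying on the macro's error return being harmless.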
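Review bot: In the execve_send hunk the two new lines `curr->bin.uid = event->exe.uid_owner;` and `curr->bin.gid = event->exe.gid_owner;` are placed inside `#ifdef __LARGE_BPF_PROG`, so on a build without that macro both fields keep the 0 written by the `memset` just above and reach userspace as owner uid/gid 0, indistinguishable from a genuinely root-owned binary. Whether read_exe (which fills `event->exe.uid_owner`) is itself compiled only under the same macro cannot be seen from this hunk; if it is compiled unconditionally, move the two assignments above the `#ifdef`, and if it is not, the non-large path should set both fields to the `(__u32)-1` sentinel so a consumer can tell "unknown" from "root-owned". execve_send continues beyond the end of the hunk.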