Execution: store the binary uid and gid owners #3165

wants to merge 2 commits into
base: main
8 changes: 7 additions & 1 deletion bpf/lib/process.h
Expand Up @@ -276,6 +276,8 @@ struct heap_exe {
char end[STRING_POSTFIX_MAX_LENGTH];
__u32 len;
__u32 error;
__u32 uid_owner;
__u32 gid_owner;
}; // All fields aligned so no 'packed' attribute.

struct msg_execve_event {
Expand All @@ -302,7 +304,7 @@ struct msg_execve_event {

typedef __u64 mbset_t;

// This structure stores the binary path that was recorded on execve.
// This structure stores the binary parameters that were recorded on execve.
// Technically PATH_MAX is 4096 but we limit the length we store since we have
// limits on the length of the string to compare:
// - Artificial limits for full string comparison.
Expand All @@ -323,6 +325,10 @@ struct binary {
char end_r[STRING_POSTFIX_MAX_LENGTH];
// matchBinary bitset for binary
mbset_t mb_bitset;
// Binary uid owner
__u32 uid;
// Binary gid owner
__u32 gid;
}; // All fields aligned so no 'packed' attribute

// The execve_map_value is tracked by the TGID of the thread group
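Review bot: The new `uid`/`gid` members of struct binary (and `uid_owner`/`gid_owner` in struct heap_exe) are documented only as "Binary uid owner", which hides the two facts a policy author needs: they hold the kernel-internal ids read from `i_uid.val`/`i_gid.val`, so they are not mapped into the task's user namespace (a container's uid 1000 will not match them), and the BPF side apparently uses `(__u32)-1` as its "could not read" sentinel. I would replace the two comments in struct binary with `// Owner of the binary's inode as raw kernel ids (i_uid.val / i_gid.val), not translated into any user namespace; (__u32)-1 if the execve-time read failed` and the same on `gid`, and mirror that on the heap_exe fields. The "All fields aligned" notes still hold: two `__u32` after the 8-byte `mbset_t` (a `__u64`) add exactly 8 bytes with no new padding. struct binary is presumably also the value type of the execve map, so the size change needs the userspace-side definition kept in step; that is outside this hunk.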
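--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -196,6 +196,13 @@ read_exe(struct task_struct *task, struct heap_exe *exe)
 // matching on the prefix operators, even if we only keep a subset of that
 char *buffer;
 
+// Initialiaze to invalid uid
+exe->uid_owner = -1;
+exe->gid_owner = -1;
+
+BPF_CORE_READ_INTO(&exe->uid_owner, file, f_inode, i_uid.val);
+BPF_CORE_READ_INTO(&exe->gid_owner, file, f_inode, i_gid.val);
+
 buffer = d_path_local(path, (int *)&exe->len, (int *)&exe->error);
 if (!buffer)
 return 0;
@@ -389,6 +396,8 @@ execve_send(void *ctx __arg_ctx)
 // path is longer than current, we can have leftovers at the end.
 memset(&curr->bin, 0, sizeof(curr->bin));
 #ifdef __LARGE_BPF_PROG
+curr->bin.uid = event->exe.uid_owner;
+curr->bin.gid = event->exe.gid_owner;
 // read from proc exe stored at execve time
 if (event->exe.len <= BINARY_PATH_MAX_LEN) {
 curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.buf);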
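Review bot: The `-1` sentinel written before the two `BPF_CORE_READ_INTO` calls in read_exe does not survive a failed read: the bpf_probe_read_kernel helper those macros expand to zeroes its destination on error, so an unreadable (or NULL) inode is reported as uid 0 / gid 0 — root-owned — which is the one value an owner-based policy is most likely to key on. Check the macro's return instead, `if (BPF_CORE_READ_INTO(&exe->uid_owner, file, f_inode, i_uid.val) < 0) exe->uid_owner = -1;`, and the same for gid (`Initialiaze` in the comment above is a typo). The execve_send hunk has the same gap from the other side: `curr->bin.uid`/`gid` are assigned only under `#ifdef __LARGE_BPF_PROG`, so after `memset(&curr->bin, 0, sizeof(curr->bin))` a non-large build also reports 0/0; move the two assignments above the `#ifdef`, or store the `-1` sentinel there. Both read_exe and execve_send start outside the hunk, so I could not confirm whether `file` is known non-NULL at this point.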
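--- a/pkg/api/processapi/processapi.go
+++ b/pkg/api/processapi/processapi.go
@@ -157,6 +157,8 @@ type Binary struct {
 End [STRING_POSTFIX_MAX_LENGTH]byte
 End_r [STRING_POSTFIX_MAX_LENGTH]byte
 MBSet uint64
+Uid uint32
+Gid uint32
 }
 
 type MsgNamespaces struct {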
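Review bot: The added `Uid`/`Gid` fields mirror `uid`/`gid` in the BPF-side `struct binary` and are presumably decoded straight from the event buffer, so their position after `MBSet` and their `uint32` width must track bpf/lib/process.h exactly; a comment tying the two definitions together would keep the next edit on either side honest. I would write `// Uid/Gid: raw kernel owner ids of the binary's inode, mirroring struct binary in bpf/lib/process.h; ^uint32(0) is the BPF side's "could not read" sentinel and must not be shown as a real owner, while 0 genuinely means root.` Because this type is a wire-layout mirror, keeping `Uid`/`Gid` rather than the Go-idiomatic `UID`/`GID` is consistent with the existing `End_r`.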