bpf: add bpf_execve_bprm_check program

This program allows to run at security_bprm_check and checks the file and its inode attached to bprm. This allows to detect if we are running a program that was deleted or is not linked on the filesystem. Final event result is: { "process_exec": { "process": { "exec_id": "OjI1MTAxMDY5MDQ2NDMxOjIxNjIwMQ==", "pid": 216201, "uid": 1000, "cwd": "/home/tixxdz/work/station/code/src/github.com/tixxdz/tetragon", "binary": "/proc/self/fd/3", "flags": "execve", "start_time": "2022-10-20T16:46:57.085974850Z", "auid": 1000, "parent_exec_id": "OjI1MTAxMDY1OTI5MjE2OjIxNjIwMQ==" "info": { "inode": { "deleted": true } } }, "parent": { "exec_id": "OjI1MTAxMDY1OTI5MjE2OjIxNjIwMQ==", "pid": 216201, "uid": 1000, "cwd": "/home/tixxdz/work/station/code/src/github.com/tixxdz/tetragon", "binary": "/usr/bin/memfdloader", "arguments": "/bin/true", "flags": "execve clone", "start_time": "2022-10-20T16:46:57.082858558Z", "auid": 1000, "parent_exec_id": "Ojc3NzY4MDAwMDAwMDo2MTMx", "refcnt": 2 }, }, "time": "2022-10-20T16:46:57.085975420Z" } The "process_exec.info.inode.deleted" field allows to predict if we are executing a file from a referenced fd that is not linked on the filesystem. Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
cilium · Oct 21, 2022 · c955c10 · c955c10
1 parent 8ef571e
commit c955c10
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 3 deletions.
diff --git a/bpf/Makefile b/bpf/Makefile
@@ -11,7 +11,7 @@ ALIGNCHECKER = bpf_alignchecker.o
 PROCESS = bpf_execve_event.o bpf_execve_event_v53.o bpf_fork.o bpf_exit.o bpf_generic_kprobe.o \
 	  bpf_generic_kprobe_v53.o bpf_generic_retkprobe.o bpf_generic_retkprobe_v53.o \
 	  bpf_multi_kprobe_v53.o bpf_multi_retkprobe_v53.o \
-	  bpf_generic_tracepoint.o bpf_generic_tracepoint_v53.o
+	  bpf_generic_tracepoint.o bpf_generic_tracepoint_v53.o bpf_execve_bprm_check.o \
 BPFTEST = bpf_lseek.o bpf_globals.o
 
 IDIR = ./include/

diff --git a/bpf/process/bpf_execve_bprm_check.c b/bpf/process/bpf_execve_bprm_check.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright Authors of Cilium */
+
+#include "vmlinux.h"
+#include "api.h"
+#include "bpf_tracing.h"
+
+#include "bpf_events.h"
+
+char _license[] __attribute__((section("license"), used)) = "GPL";
+
+__attribute__((section("kprobe/security_bprm_check"), used)) int
+BPF_KPROBE(tg_kp_bprm_check, struct linux_binprm *bprm, int ret)
+{
+	__u32 pid, zero = 0;
+	unsigned int links;
+	struct execve_map_value *curr;
+	struct execve_heap *heap;
+	struct file *file;
+
+	pid = (get_current_pid_tgid() >> 32);
+
+	curr = execve_map_get(pid);
+	if (!curr)
+		return 0;
+
+	heap = map_lookup_elem(&execve_heap, &zero);
+	if (!heap)
+		return 0;
+
+	probe_read(&file, sizeof(file), _(&bprm->file));
+	links = BPF_CORE_READ(file, f_path.dentry, d_inode, __i_nlink);
+	heap->info.inode.i_nlink = links;
+	heap->info.inode.initialized = 1;
+
+	execve_info_map_set(pid, &heap->info);
+
+	return 0;
+}
diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
@@ -250,8 +250,12 @@ execve_send(struct sched_execve_args *ctx)
 			curr->caps.inheritable = event->caps.inheritable;
 		}
 #endif
+
+		execve_info_map_get(pid, &event->info, true);
 	}
 
+	execve_info_map_clear(pid);
+
 	event->common.flags = 0;
 	size = validate_msg_execve_size(
 		sizeof(struct msg_common) + sizeof(struct msg_k8s) +

diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
@@ -26,6 +26,14 @@ var (
 		"execve",
 	)
 
+	ExecveBprmCheck = program.Builder(
+		"bpf_execve_bprm_check.o",
+		"security_bprm_check",
+		"kprobe/security_bprm_check",
+		"tg_kp_bprm_check",
+		"kprobe",
+	)
+
 	Exit = program.Builder(
 		"bpf_exit.o",
 		"sched/sched_process_exit",
@@ -47,8 +55,10 @@ var (
 	TCPMonMapV53 = program.MapBuilder("tcpmon_map", ExecveV53)
 
 	/* Networking and Process Monitoring maps */
-	ExecveMap    = program.MapBuilder("execve_map", Execve)
-	ExecveMapV53 = program.MapBuilder("execve_map", ExecveV53)
+	ExecveMap        = program.MapBuilder("execve_map", Execve)
+	ExecveMapV53     = program.MapBuilder("execve_map", ExecveV53)
+	ExecveInfoMap    = program.MapBuilder("execve_info_map", Execve)
+	ExecveInfoMapV53 = program.MapBuilder("execve_info_map", ExecveV53)
 
 	ExecveTailCallsMap    = program.MapBuilderPin("execve_calls", "execve_calls", Execve)
 	ExecveTailCallsMapV53 = program.MapBuilderPin("execve_calls", "execve_calls", ExecveV53)
@@ -97,6 +107,9 @@ func GetDefaultPrograms() []*program.Program {
 	} else {
 		progs = append(progs, Execve)
 	}
+
+	progs = append(progs, ExecveBprmCheck)
+
 	return progs
 }
 
@@ -106,6 +119,7 @@ func GetDefaultMaps() []*program.Map {
 	if kernels.EnableLargeProgs() {
 		maps = append(maps,
 			ExecveMapV53,
+			ExecveInfoMapV53,
 			ExecveStatsV53,
 			ExecveTailCallsMapV53,
 			NamesMapV53,
@@ -115,6 +129,7 @@ func GetDefaultMaps() []*program.Map {
 	} else {
 		maps = append(maps,
 			ExecveMap,
+			ExecveInfoMap,
 			ExecveStats,
 			ExecveTailCallsMap,
 			NamesMap,