Add set_fs_pwd event #3919
Merged
6 commits
500b558 Added set_fs_pwd event (oshaked1)
a666258 Added test for set_fs_pwd (oshaked1)
ffc2b3e Run make fix-fmt (oshaked1)
f564c86 Added doc for set_fs_pwd event (oshaked1)
abb3e85 Added test to PR workflow (oshaked1)
4b503dc Fix test for systems without bpf_probe_read_user_str (oshaked1)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
# set_fs_pwd | ||
|
||
## Intro | ||
|
||
set_fs_pwd - An event capturing changes to the current working directory. | ||
|
||
## Description | ||
|
||
This event captures any changes to the current working directory (typically by using the `chdir` and `fchdir` syscalls). | ||
|
||
## Arguments | ||
|
||
* `unresolved_pathname`:`const char*`[K,TOCTOU,OPT] - unresolved, user-supplied path which the current working directory is being changed to (only relevant to directory changes using the `chdir` syscall). | ||
* `resolved_pathname`:`const char*`[K] - the fully resolved filesystem path which the current working directory is being changed to. | ||
|
||
## Hooks | ||
|
||
### set_fs_pwd | ||
|
||
#### Type | ||
|
||
kprobe | ||
|
||
#### Purpose | ||
|
||
Catch changes to the current working directory. | ||
|
||
## Example Use Case | ||
|
||
## Issues | ||
|
||
## Related Events | ||
|
||
`chdir`, `fchdir` |
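Review bot: the argument names documented here, `unresolved_pathname` and `resolved_pathname`, do not match the names the e2e signature in this PR reads (`unresolved_path` and `resolved_path`); whichever is the real field name, the two files must agree or the test will never see the arguments. The `## Example Use Case` and `## Issues` sections are left empty; either fill them or drop the headings. The `## Issues` section is the natural place to record the two limitations the rest of the PR already works around: `unresolved_pathname` is absent for `fchdir`, and it is also empty on kernels without `bpf_probe_read_user_str`, so detections should key on `resolved_pathname` (the `[TOCTOU]` tag on the user-supplied path points the same way and deserves one sentence saying so).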
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
"strings" | ||
|
||
libbfgo "github.com/aquasecurity/libbpfgo/helpers" | ||
|
||
"github.com/aquasecurity/tracee/signatures/helpers" | ||
"github.com/aquasecurity/tracee/types/detect" | ||
"github.com/aquasecurity/tracee/types/protocol" | ||
"github.com/aquasecurity/tracee/types/trace" | ||
) | ||
|
||
type e2eSetFsPwd struct { | ||
cb detect.SignatureHandler | ||
hasReadUser bool | ||
} | ||
|
||
func (sig *e2eSetFsPwd) Init(ctx detect.SignatureContext) error { | ||
sig.cb = ctx.Callback | ||
|
||
// Find if this system has the bpf_probe_read_user_str helper. | ||
// If it doesn't we won't expect the unresolved path to contain anything | ||
ksyms, err := libbfgo.NewKernelSymbolTable() | ||
if err != nil { | ||
return err | ||
} | ||
_, err = ksyms.GetSymbolByName("bpf_probe_read_user_str") | ||
if err != nil { | ||
sig.hasReadUser = false | ||
} else { | ||
sig.hasReadUser = true | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func (sig *e2eSetFsPwd) GetMetadata() (detect.SignatureMetadata, error) { | ||
return detect.SignatureMetadata{ | ||
ID: "SET_FS_PWD", | ||
EventName: "SET_FS_PWD", | ||
Version: "0.1.0", | ||
Name: "set_fs_pwd Test", | ||
Description: "Instrumentation events E2E Tests: set_fs_pwd", | ||
Tags: []string{"e2e", "instrumentation"}, | ||
}, nil | ||
} | ||
|
||
func (sig *e2eSetFsPwd) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { | ||
return []detect.SignatureEventSelector{ | ||
{Source: "tracee", Name: "set_fs_pwd"}, | ||
}, nil | ||
} | ||
|
||
func (sig *e2eSetFsPwd) OnEvent(event protocol.Event) error { | ||
eventObj, ok := event.Payload.(trace.Event) | ||
if !ok { | ||
return fmt.Errorf("failed to cast event's payload") | ||
} | ||
|
||
switch eventObj.EventName { | ||
case "set_fs_pwd": | ||
unresolvedPath, err := helpers.GetTraceeStringArgumentByName(eventObj, "unresolved_path") | ||
if sig.hasReadUser && err != nil { | ||
return err | ||
} | ||
|
||
resolvedPath, err := helpers.GetTraceeStringArgumentByName(eventObj, "resolved_path") | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// check expected values from test for detection | ||
|
||
if (sig.hasReadUser && !strings.HasSuffix(unresolvedPath, "/test_link")) || !strings.HasSuffix(resolvedPath, "/test_dir") { | ||
return nil | ||
} | ||
|
||
m, _ := sig.GetMetadata() | ||
|
||
sig.cb(&detect.Finding{ | ||
SigMetadata: m, | ||
Event: event, | ||
Data: map[string]interface{}{}, | ||
}) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func (sig *e2eSetFsPwd) OnSignal(s detect.Signal) error { | ||
return nil | ||
} | ||
|
||
func (sig *e2eSetFsPwd) Close() {} |
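Review bot: the field names read via `helpers.GetTraceeStringArgumentByName(eventObj, "unresolved_path")` and `"resolved_path"` differ from the event doc in this PR (`unresolved_pathname`, `resolved_pathname`); if the doc is right, the `resolved_path` lookup fails, `OnEvent` returns the error and the finding is never emitted, so both files should use the same names. Smaller points: the `switch eventObj.EventName` with a single `case "set_fs_pwd"` is redundant because `GetSelectedEvents` already restricts the signature to that event; the import alias `libbfgo` misspells the package (`libbpfgo`); and the `hasReadUser` probe only checks that the symbol `bpf_probe_read_user_str` exists in the kernel symbol table, which is a reasonable proxy for an e2e test but deserves a comment saying it does not prove the helper is available to the program type in use.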
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
#!/bin/bash | ||
|
||
exit_err() { | ||
echo -n "ERROR: " | ||
echo "$@" | ||
exit 1 | ||
} | ||
|
||
mkdir test_dir || exit_err "failed creating dir" | ||
ln -s test_dir test_link || exit_err "failed creating link" | ||
cd test_link || exit_err "failed changing directory" | ||
cd .. || exit_err "failed changing directory back" | ||
rm test_link || exit_err "failed removing link" | ||
rm -r test_dir || exit_err "failed removing dir" |
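Review bot: `mkdir test_dir` and `ln -s test_dir test_link` run in whatever directory the script is started from, so a leftover `test_dir` or `test_link` from an earlier failed run makes the script fail at the first step, and `exit_err` performs no cleanup, so one failure leaves exactly that state behind. Suggest creating a scratch directory with `mktemp -d`, changing into it, and installing a `trap 'rm -rf "$tmp"' EXIT` so the tree is removed on both success and failure. A one-line comment that `cd test_link` is the step the signature keys on (unresolved path ending in `/test_link`, resolved path ending in `/test_dir`, with the `cd ..` producing an event the signature deliberately ignores) would make the test's intent clear to the next reader.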
why do we need to put the script name in the comm filter?
The `cd` command which is used to trigger the event is a built-in bash command and not a new executable, so it runs from the script's process.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but we can't get the script name `set_fs_pwd.sh` in the `comm` field, right? In the comm field you will only see the executable name (e.g. `bash`), not the script name.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Assuming the script is run directly (which it is), the script name will be in the comm field:
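The point argued in this thread, what the kernel puts in a task's `comm` field when a script is executed directly versus through its interpreter, can be checked with the following added example. It is not part of the PR or of the tracee project. It assumes Linux with `/proc` mounted and `bash` at `/bin/bash`; the probe file name `set_fs_pwd.sh` is chosen only to mirror the test script under discussion.

```shell
#!/bin/bash
# Added example, not part of the PR or of tracee: what does a process's comm
# field contain when a shell script is executed directly (via its #! line)
# versus when the interpreter is invoked with the script as an argument?
# Assumes Linux (/proc mounted) and bash at /bin/bash.

# Write an executable probe script that prints its own comm. "$$" is left
# unexpanded here so the probe reads the comm of *its own* bash process.
# The file name mirrors the test script discussed in the PR (an assumption).
make_probe() {
    dir=$(mktemp -d) || return 1
    probe="$dir/set_fs_pwd.sh"
    printf '#!/bin/bash\ncat /proc/$$/comm\n' > "$probe"
    chmod +x "$probe"
    printf '%s' "$probe"
}

# Direct execution: the execve() target is the script, so the kernel sets
# comm to the script's basename (at most 15 characters).
comm_direct() {
    "$1"
}

# Interpreter invocation: the execve() target is bash itself, so comm is
# "bash" and the script name only appears in argv.
comm_via_interp() {
    bash "$1"
}

# Demo: print both values, then remove the temporary directory.
probe=$(make_probe)
echo "run directly:        $(comm_direct "$probe")"
echo "run via interpreter: $(comm_via_interp "$probe")"
rm -rf "$(dirname "$probe")"
```

Two caveats for anyone building a `comm`-based filter on this: `comm` holds at most 15 characters (TASK_COMM_LEN is 16 including the terminator), so a longer script name must be matched in its truncated form, and running the same script as `bash set_fs_pwd.sh` yields `comm` = `bash`, which the filter would miss.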