mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

on aarch64 send exec events directly to userspace

Browse source 
On 68c2c8ae1a we excluded failed execve*
calls from being delivered to userspace, in order to get the binary that
was executed and avoid errors/confusion.

But on aarch64, it seems that we fail to save the exec event to a map,
so the event is never delivered to userspace.

So for the time being, send the exec events as soon as they arrive on
aarch64, without checking if the call failed.
This commit is contained in:
Gustavo Iñiguez Goia 2024-01-26 20:58:07 +01:00
parent 27509d6fe0
commit c118058dd8
Failed to generate hash of commit
1 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
ebpf_prog/opensnitch-procs.c
View file

@ -123,6 +123,10 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
} }
#endif #endif
// FIXME: on aarch64 we fail to save the event to execMap, so send it to userspace here.
#if defined(__aarch64__)
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
#else
// in case of failure adding the item to the map, send it directly // in case of failure adding the item to the map, send it directly
u64 pid_tgid = bpf_get_current_pid_tgid(); u64 pid_tgid = bpf_get_current_pid_tgid();
if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) { if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) {
@ -132,6 +136,7 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
// Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors // Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data)); bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
} }
#endif
return 0; return 0;
}; };
@ -154,6 +159,9 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
const char *argp={0}; const char *argp={0};
data->args_count = 0; data->args_count = 0;
data->args_partial = INCOMPLETE_ARGS; data->args_partial = INCOMPLETE_ARGS;
// FIXME: on i386 arch, the following code fails with permission denied.
#if !defined(__arm__) && !defined(__i386__)
#pragma unroll #pragma unroll
for (int i = 0; i < MAX_ARGS; i++) { for (int i = 0; i < MAX_ARGS; i++) {
bpf_probe_read_user(&argp, sizeof(argp), &ctx->argv[i]); bpf_probe_read_user(&argp, sizeof(argp), &ctx->argv[i]);
@ -164,7 +172,12 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
} }
data->args_count++; data->args_count++;
} }
#endif
// FIXME: on aarch64 we fail to save the event to execMap, so send it to userspace here.
#if defined(__aarch64__)
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
#else
// in case of failure adding the item to the map, send it directly // in case of failure adding the item to the map, send it directly
u64 pid_tgid = bpf_get_current_pid_tgid(); u64 pid_tgid = bpf_get_current_pid_tgid();
if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) { if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) {
@ -174,6 +187,7 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
// Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors // Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data)); bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
} }
#endif
return 0; return 0;
}; };