wip

aquasecurity · Jul 31, 2023 · d04dde7 · d04dde7
1 parent da0db0d
commit d04dde7
Show file tree

Hide file tree

Showing 39 changed files with 1,192 additions and 220 deletions.
diff --git a/go.mod b/go.mod
@@ -172,3 +172,7 @@ require (
 )
 
 replace github.com/kubernetes/cri-api => k8s.io/cri-api v0.23.5-rc.0
+
+replace github.com/aquasecurity/tracee/types => ./types
+
+replace github.com/aquasecurity/libbpfgo => ../libbpfgo
diff --git a/go.sum b/go.sum
@@ -65,12 +65,8 @@ github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVb
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230321174746-8dcc6526cfb1 h1:X8MJ0fnN5FPdcGF5Ij2/OW+HgiJrRg3AfHAx1PJtIzM=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230321174746-8dcc6526cfb1/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
-github.com/aquasecurity/libbpfgo v0.4.8-libbpf-1.2.0.0.20230509162948-80f41e18e690 h1:iDvZaf9Xcw9JfzJyqG9L9cYDwSpaFRg5pLddu4IvId0=
-github.com/aquasecurity/libbpfgo v0.4.8-libbpf-1.2.0.0.20230509162948-80f41e18e690/go.mod h1:UD3Mfr+JZ/ASK2VMucI/zAdEhb35LtvYXvAUdrdqE9s=
 github.com/aquasecurity/libbpfgo/helpers v0.4.6-0.20230321190037-f591a2c5734f h1:l127H3NqJBmw+XMt+haBOeZIrBppuw7TJz26cWMI9kY=
 github.com/aquasecurity/libbpfgo/helpers v0.4.6-0.20230321190037-f591a2c5734f/go.mod h1:j/TQLmsZpOIdF3CnJODzYngG4yu1YoDCoRMELxkQSSA=
-github.com/aquasecurity/tracee/types v0.0.0-20230602152109-e48d0a548fbf h1:bSWqjqjFPGyn+thqof/rph4A5jSqd2d7xWJK5MGMb0I=
-github.com/aquasecurity/tracee/types v0.0.0-20230602152109-e48d0a548fbf/go.mod h1:kHvgUMXGq5QEqSLPgu4RwGSJEoCuMQJnEkGk8OAcSUc=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=

diff --git a/pkg/bufferdecoder/decoder.go b/pkg/bufferdecoder/decoder.go
@@ -73,11 +73,13 @@ func (decoder *EbpfDecoder) DecodeContext(ctx *Context) error {
 
 	ctx.EventID = events.ID(int32(binary.LittleEndian.Uint32(decoder.buffer[offset+96 : offset+100])))
 	ctx.Syscall = int32(binary.LittleEndian.Uint32(decoder.buffer[offset+100 : offset+104]))
-	ctx.MatchedPolicies = binary.LittleEndian.Uint64(decoder.buffer[offset+104 : offset+112])
-	ctx.Retval = int64(binary.LittleEndian.Uint64(decoder.buffer[offset+112 : offset+120]))
-	ctx.StackID = binary.LittleEndian.Uint32(decoder.buffer[offset+120 : offset+124])
-	ctx.ProcessorId = binary.LittleEndian.Uint16(decoder.buffer[offset+124 : offset+126])
-	// 2 byte padding
+	ctx.PoliciesVersion = binary.LittleEndian.Uint32(decoder.buffer[offset+104 : offset+108])
+	_ = decoder.buffer[offset+108 : offset+112] // 4 bytes padding
+	ctx.MatchedPolicies = binary.LittleEndian.Uint64(decoder.buffer[offset+112 : offset+120])
+	ctx.Retval = int64(binary.LittleEndian.Uint64(decoder.buffer[offset+120 : offset+128]))
+	ctx.StackID = binary.LittleEndian.Uint32(decoder.buffer[offset+128 : offset+132])
+	ctx.ProcessorId = binary.LittleEndian.Uint16(decoder.buffer[offset+132 : offset+134])
+	_ = decoder.buffer[offset+134 : offset+136] // 2 bytes padding
 	// event_context end
 
 	decoder.cursor += ctx.GetSizeBytes()

diff --git a/pkg/bufferdecoder/decoder_test.go b/pkg/bufferdecoder/decoder_test.go
@@ -13,23 +13,24 @@ import (
 func TestDecodeContext(t *testing.T) {
 	buf := new(bytes.Buffer)
 	ctxExpected := Context{
-		Ts:          11,
-		CgroupID:    22,
-		ProcessorId: 5,
-		Pid:         543,
-		Tid:         77,
-		Ppid:        4567,
-		HostPid:     5430,
-		HostTid:     124,
-		HostPpid:    555,
-		Uid:         9876,
-		MntID:       1357,
-		PidID:       3758,
-		Comm:        [16]byte{1, 3, 5, 3, 1, 5, 56, 6, 7, 32, 2, 4},
-		UtsName:     [16]byte{5, 6, 7, 8, 9, 4, 3, 2},
-		EventID:     0,
-		Retval:      0,
-		StackID:     0,
+		Ts:              11,
+		CgroupID:        22,
+		ProcessorId:     5,
+		Pid:             543,
+		Tid:             77,
+		Ppid:            4567,
+		HostPid:         5430,
+		HostTid:         124,
+		HostPpid:        555,
+		Uid:             9876,
+		MntID:           1357,
+		PidID:           3758,
+		Comm:            [16]byte{1, 3, 5, 3, 1, 5, 56, 6, 7, 32, 2, 4},
+		UtsName:         [16]byte{5, 6, 7, 8, 9, 4, 3, 2},
+		EventID:         0,
+		PoliciesVersion: 1,
+		Retval:          0,
+		StackID:         0,
 	}
 	err := binary.Write(buf, binary.LittleEndian, ctxExpected)
 	assert.Equal(t, nil, err)

diff --git a/pkg/bufferdecoder/protocol.go b/pkg/bufferdecoder/protocol.go
@@ -40,6 +40,8 @@ type Context struct {
 	Flags           uint32
 	EventID         events.ID // int32
 	Syscall         int32
+	PoliciesVersion uint32
+	_               [4]byte // padding
 	MatchedPolicies uint64
 	Retval          int64
 	StackID         uint32
@@ -48,7 +50,7 @@ type Context struct {
 }
 
 func (Context) GetSizeBytes() int {
-	return 128
+	return 136
 }
 
 type ChunkMeta struct {

diff --git a/pkg/cmd/cobra/cobra.go b/pkg/cmd/cobra/cobra.go
@@ -162,6 +162,9 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 	}
 
 	cfg.Policies = policies
+	if err := cfg.Policies.StoreSnapshot(); err != nil {
+		return runner, err
+	}
 
 	// Output command line flags
 	output, err := flags.PrepareOutput(viper.GetStringSlice("output"), true)

diff --git a/pkg/cmd/urfave/urfave.go b/pkg/cmd/urfave/urfave.go
@@ -116,8 +116,10 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
 	if err != nil {
 		return runner, err
 	}
-
 	cfg.Policies = policies
+	if err := cfg.Policies.StoreSnapshot(); err != nil {
+		return runner, err
+	}
 
 	broadcast, err := printer.NewBroadcast(output.PrinterConfigs, cmd.GetContainerMode(cfg))
 	if err != nil {

diff --git a/pkg/ebpf/c/common/buffer.h b/pkg/ebpf/c/common/buffer.h
@@ -351,6 +351,12 @@ statfunc int events_perf_submit(program_data_t *p, u32 id, long ret)
     u32 size = sizeof(event_context_t) + sizeof(u8) +
                p->event->args_buf.offset; // context + argnum + arg buffer size
 
+    // Check, at the last moment, if the policies version changed during the event processing.
+    // If so, skip the event submission as it is considered stale.
+    if (unlikely(p->config->policies_version != p->event->context.policies_version)) {
+        return -1;
+    }
+
     // inline bounds check to force compiler to use the register of size
     asm volatile("if %[size] < %[max_size] goto +1;\n"
                  "%[size] = %[max_size];\n"

diff --git a/pkg/ebpf/c/common/context.h b/pkg/ebpf/c/common/context.h
@@ -153,6 +153,7 @@ statfunc int init_program_data(program_data_t *p, void *ctx)
     // in some places we don't call should_trace() (e.g. sys_exit) which also initializes
     // matched_policies. Use previously found scopes then to initialize it.
     p->event->context.matched_policies = p->task_info->matched_scopes;
+    p->event->context.policies_version = p->config->policies_version;
 
     // check if we need to recompute scope due to context change
     if (context_changed(&p->task_info->context, &p->event->context.task))