Skip to content

v0.15.29

Choose a tag to compare

View all tags
@github-actions github-actions released this 27 Jun 08:04
· 6 commits to main since this release
v0.15.29
a4e97c0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

InnerWarden 0.15.29

Fixed

  • execve events never carried the parent PID in-kernel, leaving the fileless-systemd false-positive gate (0.15.28) inert in production. The 0.15.28 post-deploy re-audit found fileless:systemd still firing on Azure. Root cause: the eBPF execve handler hardcoded event.ppid = 0, so every execve ppid came from a userspace /proc/<pid>/status fallback. That works for long-lived processes (it is why connect events have a parent) but misses short-lived ones, notably systemd's sealed-executor fexecve of /proc/self/fd/N whose /proc entry is gone before the ring reader can read it (the audit measured ppid=0 on 4995/5000 execve events). Because the 0.15.28 fileless-systemd parent-lineage gate needs the parent, it almost never engaged in prod. The fix reads task_struct->real_parent->tgid in-kernel at execve, mirroring the Execution Gate's BPRM_OFFSETS pattern: a new TASK_OFFSETS map (real_parent + tgid byte offsets) is populated by the userspace loader from kernel BTF (member_offset), and the handler does two bounded bpf_probe_read_kernel hops. If BTF is unavailable the offsets stay 0, the handler returns 0, and the /proc fallback applies unchanged (it never reads a guessed offset). Validated live on a 6.x x86_64 kernel: the verifier accepts the program, the offsets resolve from BTF, and a comm=systemd fexecve of /proc/self/fd/N now reports ppid=1, so the gate resolves /proc/1/exe to systemd and suppresses the false positive. aarch64 offsets are BTF-resolved identically.

Install / upgrade (Linux, toolchain-free, signed binaries)

curl -fsSL https://innerwarden.com/install | sudo bash
# already installed:  sudo innerwarden upgrade --yes

Every binary below is signed (Ed25519 + Sigstore bundle). Docs: https://github.com/InnerWarden/innerwarden/wiki · Site: https://www.innerwarden.com

What's Changed

  • fix(sensor): capture execve parent PID in-kernel so the fileless-systemd gate works by @maiconburn in #1123
  • release: 0.15.29 (eBPF execve parent-PID capture) by @maiconburn in #1124

Full Changelog: v0.15.28...v0.15.29

Contributors

maiconburn
Assets 49
Loading