diff --git a/tracee-ebpf/go.mod b/tracee-ebpf/go.mod
index 4ae6401652b6..907e4a0ba981 100644
--- a/tracee-ebpf/go.mod
+++ b/tracee-ebpf/go.mod
@@ -3,10 +3,7 @@ module github.com/aquasecurity/tracee/tracee-ebpf
 go 1.16
 require (
- github.com/aquasecurity/tracee/libbpfgo v0.0.0-20210115081842-487d1e44fcda
- github.com/kelseyhightower/envconfig v1.4.0 // indirect
- github.com/mitchellh/go-ps v1.0.0 // indirect
- github.com/onsi/gomega v1.11.0 // indirect
+ github.com/aquasecurity/tracee/libbpfgo v0.0.0-20210318031738-f66f7bedda26
 github.com/stretchr/testify v1.5.1
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
 github.com/urfave/cli/v2 v2.1.1
diff --git a/tracee-ebpf/go.sum b/tracee-ebpf/go.sum
index b56c71e279cc..534da363d214 100644
--- a/tracee-ebpf/go.sum
+++ b/tracee-ebpf/go.sum
@@ -1,32 +1,10 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/aquasecurity/tracee/libbpfgo v0.0.0-20210115081842-487d1e44fcda h1:ghWH8XcpEasEd4dfAvhLBDD+ib/DK9uJTQ2rWWHHNRI= -github.com/aquasecurity/tracee/libbpfgo v0.0.0-20210115081842-487d1e44fcda/go.mod h1:Ldem7RTRbX6bdTDxU2eYYvo7pPWYQbbc6rdGv0Ilyts= +github.com/aquasecurity/tracee/libbpfgo v0.0.0-20210318031738-f66f7bedda26 h1:zYdDoWECtiUcSauPlzmMnG6gl60bw0UBO+6SMr5NP9I= +github.com/aquasecurity/tracee/libbpfgo v0.0.0-20210318031738-f66f7bedda26/go.mod h1:QOC4P8cpqRHX0E3kniWORQCYv1/2n92LdEI5I6yX2no= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod 
h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= -github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= -github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= -github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.11.0 h1:+CqWgvj0OZycCaqclBD1pxKHAU+tOkHmQIWvDHq2aug= -github.com/onsi/gomega v1.11.0/go.mod h1:azGKhqFUon9Vuj0YmTfLSmx0FUwqXYSTl5re8lQLTUg= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= 
@@ -40,35 +18,8 @@ github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/urfave/cli/v2 v2.1.1 h1:Qt8FeAtxE/vfdrLmR3rxR6JRE0RoVmbXu8+6kZtYU4k= github.com/urfave/cli/v2 v2.1.1/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb h1:eBmm0M9fYhWpKZLjQUUKka/LtIxf46G4fxeEz5KJr9U= -golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= -golang.org/x/text v0.3.3/go.mod 
h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= diff --git a/tracee-ebpf/tracee/argprinters.go b/tracee-ebpf/tracee/argprinters.go index e7ec069920fe..376a420d4ae4 100644 --- a/tracee-ebpf/tracee/argprinters.go +++ b/tracee-ebpf/tracee/argprinters.go 
@@ -4,376 +4,8 @@ import (
 "encoding/binary"
 "net"
 "strconv"
- "strings"
 )
-// PrintInodeMode prints the `mode` bitmask argument of the `mknod` syscall
-// http://man7.org/linux/man-pages/man7/inode.7.html
-func PrintInodeMode(mode uint32) string {
- var f []string
-
- // File Type
- switch {
- case mode&0140000 == 0140000:
- f = append(f, "S_IFSOCK")
- case mode&0120000 == 0120000:
- f = append(f, "S_IFLNK")
- case mode&0100000 == 0100000:
- f = append(f, "S_IFREG")
- case mode&060000 == 060000:
- f = append(f, "S_IFBLK")
- case mode&040000 == 040000:
- f = append(f, "S_IFDIR")
- case mode&020000 == 020000:
- f = append(f, "S_IFCHR")
- case mode&010000 == 010000:
- f = append(f, "S_IFIFO")
- }
-
- // File Mode
- // Owner
- if mode&00700 == 00700 {
- f = append(f, "S_IRWXU")
- } else {
- if mode&00400 == 00400 {
- f = append(f, "S_IRUSR")
- }
- if mode&00200 == 00200 {
- f = append(f, "S_IWUSR")
- }
- if mode&00100 == 00100 {
- f = append(f, "S_IXUSR")
- }
- }
- // Group
- if mode&00070 == 00070 {
- f = append(f, "S_IRWXG")
- } else {
- if mode&00040 == 00040 {
- f = append(f, "S_IRGRP")
- }
- if mode&00020 == 00020 {
- f = append(f, "S_IWGRP")
- }
- if mode&00010 == 00010 {
- f = append(f, "S_IXGRP")
- }
- }
- // Others
- if mode&00007 == 00007 {
- f = append(f, "S_IRWXO")
- } else {
- if mode&00004 == 00004 {
- f = append(f, "S_IROTH")
- }
- if mode&00002 == 00002 {
- f = append(f, "S_IWOTH")
- }
- if mode&00001 == 00001 {
- f = append(f, "S_IXOTH")
- }
- }
-
- return strings.Join(f, "|")
-}
-
-// PrintMemProt prints the `prot` bitmask argument of the `mmap` syscall
-// http://man7.org/linux/man-pages/man2/mmap.2.html
-// https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/mman-common.h#L10
-func PrintMemProt(prot uint32) string {
- var f []string
- if prot == 0x0 {
- f = append(f, "PROT_NONE")
- } else {
- if prot&0x01 == 0x01 {
- f = append(f, "PROT_READ")
- }
- if prot&0x02 == 0x02 {
- f = append(f, "PROT_WRITE")
- }
- if prot&0x04 == 0x04 {
- f = append(f, "PROT_EXEC")
- }
- }
- return strings.Join(f, "|")
-}
-
-// PrintOpenFlags prints the `flags` bitmask argument of the `open` syscall
-// http://man7.org/linux/man-pages/man2/open.2.html
-// https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/fcntl.h
-func PrintOpenFlags(flags uint32) string {
- var f []string
-
- //access mode
- switch {
- case flags&01 == 01:
- f = append(f, "O_WRONLY")
- case flags&02 == 02:
- f = append(f, "O_RDWR")
- default:
- f = append(f, "O_RDONLY")
- }
-
- // file creation and status flags
- if flags&0100 == 0100 {
- f = append(f, "O_CREAT")
- }
- if flags&0200 == 0200 {
- f = append(f, "O_EXCL")
- }
- if flags&0400 == 0400 {
- f = append(f, "O_NOCTTY")
- }
- if flags&01000 == 01000 {
- f = append(f, "O_TRUNC")
- }
- if flags&02000 == 02000 {
- f = append(f, "O_APPEND")
- }
- if flags&04000 == 04000 {
- f = append(f, "O_NONBLOCK")
- }
- if flags&04010000 == 04010000 {
- f = append(f, "O_SYNC")
- }
- if flags&020000 == 020000 {
- f = append(f, "O_ASYNC")
- }
- if flags&0100000 == 0100000 {
- f = append(f, "O_LARGEFILE")
- }
- if flags&0200000 == 0200000 {
- f = append(f, "O_DIRECTORY")
- }
- if flags&0400000 == 0400000 {
- f = append(f, "O_NOFOLLOW")
- }
- if flags&02000000 == 02000000 {
- f = append(f, "O_CLOEXEC")
- }
- if flags&040000 == 040000 {
- f = append(f, "O_DIRECT")
- }
- if flags&01000000 == 01000000 {
- f = append(f, "O_NOATIME")
- }
- if flags&010000000 == 010000000 {
- f = append(f, "O_PATH")
- }
- if flags&020000000 == 020000000 {
- f = append(f, "O_TMPFILE")
- }
-
- return strings.Join(f, "|")
-}
-
-// http://man7.org/linux/man-pages/man2/access.2.html
-// https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/unistd.h.html#tag_13_77_03_04
-func PrintAccessMode(mode uint32) string {
- var f []string
- if mode == 0x0 {
- f = append(f, "F_OK")
- } else {
- if mode&0x04 == 0x04 {
- f = append(f, "R_OK")
- }
- if mode&0x02 == 0x02 {
- f = append(f, "W_OK")
- }
- if mode&0x01 == 0x01 {
- f = append(f, "X_OK")
- }
- }
- return strings.Join(f, "|")
-}
-
-// PrintExecFlags prints the `flags` bitmask argument of the `execve` syscall
-// http://man7.org/linux/man-pages/man2/axecveat.2.html
-// https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/fcntl.h#L94
-func PrintExecFlags(flags uint32) string {
- var f []string
- if flags&0x100 == 0x100 {
- f = append(f, "AT_EMPTY_PATH")
- }
- if flags&0x1000 == 0x1000 {
- f = append(f, "AT_SYMLINK_NOFOLLOW")
- }
- if len(f) == 0 {
- f = append(f, "0")
- }
- return strings.Join(f, "|")
-}
-
-// PrintCloneFlags prints the `flags` bitmask argument of the `clone` syscall
-// https://man7.org/linux/man-pages/man2/clone.2.html
-// https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/sched.h
-func PrintCloneFlags(flags uint64) string {
- var f []string
- if flags&0x00000100 == 0x00000100 {
- f = append(f, "CLONE_VM")
- }
- if flags&0x00000200 == 0x00000200 {
- f = append(f, "CLONE_FS")
- }
- if flags&0x00000400 == 0x00000400 {
- f = append(f, "CLONE_FILES")
- }
- if flags&0x00000800 == 0x00000800 {
- f = append(f, "CLONE_SIGHAND")
- }
- if flags&0x00001000 == 0x00001000 {
- f = append(f, "CLONE_PIDFD")
- }
- if flags&0x00002000 == 0x00002000 {
- f = append(f, "CLONE_PTRACE")
- }
- if flags&0x00004000 == 0x00004000 {
- f = append(f, "CLONE_VFORK")
- }
- if flags&0x00008000 == 0x00008000 {
- f = append(f, "CLONE_PARENT")
- }
- if flags&0x00010000 == 0x00010000 {
- f = append(f, "CLONE_THREAD")
- }
- if flags&0x00020000 == 0x00020000 {
- f = append(f, "CLONE_NEWNS")
- }
- if flags&0x00040000 == 0x00040000 {
- f = append(f, "CLONE_SYSVSEM")
- }
- if flags&0x00080000 == 0x00080000 {
- f = append(f, "CLONE_SETTLS")
- }
- if flags&0x00100000 == 0x00100000 {
- f = append(f, "CLONE_PARENT_SETTID")
- }
- if flags&0x00200000 == 0x00200000 {
- f = append(f, "CLONE_CHILD_CLEARTID")
- }
- if flags&0x00400000 == 0x00400000 {
- f = append(f, "CLONE_DETACHED")
- }
- if flags&0x00800000 == 0x00800000 {
- f = append(f, "CLONE_UNTRACED")
- }
- if flags&0x01000000 == 0x01000000 {
- f = append(f, "CLONE_CHILD_SETTID")
- }
- if flags&0x02000000 == 0x02000000 {
- f = append(f, "CLONE_NEWCGROUP")
- }
- if flags&0x04000000 == 0x04000000 {
- f = append(f, "CLONE_NEWUTS")
- }
- if flags&0x08000000 == 0x08000000 {
- f = append(f, "CLONE_NEWIPC")
- }
- if flags&0x10000000 == 0x10000000 {
- f = append(f, "CLONE_NEWUSER")
- }
- if flags&0x20000000 == 0x20000000 {
- f = append(f, "CLONE_NEWPID")
- }
- if flags&0x40000000 == 0x40000000 {
- f = append(f, "CLONE_NEWNET")
- }
- if flags&0x80000000 == 0x80000000 {
- f = append(f, "CLONE_IO")
- }
- if len(f) == 0 {
- f = append(f, "0")
- }
- return strings.Join(f, "|")
-}
-
-// PrintSocketType prints the `type` bitmask argument of the `socket` syscall
-// http://man7.org/linux/man-pages/man2/socket.2.html
-// https://elixir.bootlin.com/linux/v5.5.3/source/arch/mips/include/asm/socket.h
-func PrintSocketType(st uint32) string {
- var socketTypes = map[uint32]string{
- 1: "SOCK_STREAM",
- 2: "SOCK_DGRAM",
- 3: "SOCK_RAW",
- 4: "SOCK_RDM",
- 5: "SOCK_SEQPACKET",
- 6: "SOCK_DCCP",
- 10: "SOCK_PACKET",
- }
- var f []string
- if stName, ok := socketTypes[st&0xf]; ok {
- f = append(f, stName)
- } else {
- f = append(f, strconv.Itoa(int(st)))
- }
- if st&000004000 == 000004000 {
- f = append(f, "SOCK_NONBLOCK")
- }
- if st&002000000 == 002000000 {
- f = append(f, "SOCK_CLOEXEC")
- }
- return strings.Join(f, "|")
-}
-
-// PrintSocketDomain prints the `domain` bitmask argument of the `socket` syscall
-// http://man7.org/linux/man-pages/man2/socket.2.html
-func PrintSocketDomain(sd uint32) string {
- var socketDomains = map[uint32]string{
- 0: "AF_UNSPEC",
- 1: "AF_UNIX",
- 2: "AF_INET",
- 3: "AF_AX25",
- 4: "AF_IPX",
- 5: "AF_APPLETALK",
- 6: "AF_NETROM",
- 7: "AF_BRIDGE",
- 8: "AF_ATMPVC",
- 9: "AF_X25",
- 10: "AF_INET6",
- 11: "AF_ROSE",
- 12: "AF_DECnet",
- 13: "AF_NETBEUI",
- 14: "AF_SECURITY",
- 15: "AF_KEY",
- 16: "AF_NETLINK",
- 17: "AF_PACKET",
- 18: "AF_ASH",
- 19: "AF_ECONET",
- 20: "AF_ATMSVC",
- 21: "AF_RDS",
- 22: "AF_SNA",
- 23: "AF_IRDA",
- 24: "AF_PPPOX",
- 25: "AF_WANPIPE",
- 26: "AF_LLC",
- 27: "AF_IB",
- 28: "AF_MPLS",
- 29: "AF_CAN",
- 30: "AF_TIPC",
- 31: "AF_BLUETOOTH",
- 32: "AF_IUCV",
- 33: "AF_RXRPC",
- 34: "AF_ISDN",
- 35: "AF_PHONET",
- 36: "AF_IEEE802154",
- 37: "AF_CAIF",
- 38: "AF_ALG",
- 39: "AF_NFC",
- 40: "AF_VSOCK",
- 41: "AF_KCM",
- 42: "AF_QIPCRTR",
- 43: "AF_SMC",
- 44: "AF_XDP",
- }
- var res string
- if sdName, ok := socketDomains[sd]; ok {
- res = sdName
- } else {
- res = strconv.Itoa(int(sd))
- }
- return res
-}
-
 // PrintUint32IP prints the IP address encoded as a uint32
 func PrintUint32IP(in uint32) string {
 ip := make(net.IP, net.IPv4len)
@@ -388,226 +20,6 @@ func Print16BytesSliceIP(in []byte) string {
 return ip.String()
 }
-// PrintCapability prints the `capability` bitmask argument of the `cap_capable` function
-// include/uapi/linux/capability.h
-func PrintCapability(cap int32) string {
- var capabilities = map[int32]string{
- 0: "CAP_CHOWN",
- 1: "CAP_DAC_OVERRIDE",
- 2: "CAP_DAC_READ_SEARCH",
- 3: "CAP_FOWNER",
- 4: "CAP_FSETID",
- 5: "CAP_KILL",
- 6: "CAP_SETGID",
- 7: "CAP_SETUID",
- 8: "CAP_SETPCAP",
- 9: "CAP_LINUX_IMMUTABLE",
- 10: "CAP_NET_BIND_SERVICE",
- 11: "CAP_NET_BROADCAST",
- 12: "CAP_NET_ADMIN",
- 13: "CAP_NET_RAW",
- 14: "CAP_IPC_LOCK",
- 15: "CAP_IPC_OWNER",
- 16: "CAP_SYS_MODULE",
- 17: "CAP_SYS_RAWIO",
- 18: "CAP_SYS_CHROOT",
- 19: "CAP_SYS_PTRACE",
- 20: "CAP_SYS_PACCT",
- 21: "CAP_SYS_ADMIN",
- 22: "CAP_SYS_BOOT",
- 23: "CAP_SYS_NICE",
- 24: "CAP_SYS_RESOURCE",
- 25: "CAP_SYS_TIME",
- 26: "CAP_SYS_TTY_CONFIG",
- 27: "CAP_MKNOD",
- 28: "CAP_LEASE",
- 29: "CAP_AUDIT_WRITE",
- 30: "CAP_AUDIT_CONTROL",
- 31: "CAP_SETFCAP",
- 32: "CAP_MAC_OVERRIDE",
- 33: "CAP_MAC_ADMIN",
- 34: "CAP_SYSLOG",
- 35: "CAP_WAKE_ALARM",
- 36: "CAP_BLOCK_SUSPEND",
- 37: "CAP_AUDIT_READ",
- }
- var res string
- if capName, ok := capabilities[cap]; ok {
- res = capName
- } else {
- res = strconv.Itoa(int(cap))
- }
- return res
-}
-
-// PrintPrctlOption prints the `option` argument of the `prctl` syscall
-// http://man7.org/linux/man-pages/man2/prctl.2.html
-// https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/prctl.h
-func PrintPrctlOption(op int32) string {
- var prctlOptions = map[int32]string{
- 1: "PR_SET_PDEATHSIG",
- 2: "PR_GET_PDEATHSIG",
- 3: "PR_GET_DUMPABLE",
- 4: "PR_SET_DUMPABLE",
- 5: "PR_GET_UNALIGN",
- 6: "PR_SET_UNALIGN",
- 7: "PR_GET_KEEPCAPS",
- 8: "PR_SET_KEEPCAPS",
- 9: "PR_GET_FPEMU",
- 10: "PR_SET_FPEMU",
- 11: "PR_GET_FPEXC",
- 12: "PR_SET_FPEXC",
- 13: "PR_GET_TIMING",
- 14: "PR_SET_TIMING",
- 15: "PR_SET_NAME",
- 16: "PR_GET_NAME",
- 19: "PR_GET_ENDIAN",
- 20: "PR_SET_ENDIAN",
- 21: "PR_GET_SECCOMP",
- 22: "PR_SET_SECCOMP",
- 23: "PR_CAPBSET_READ",
- 24: "PR_CAPBSET_DROP",
- 25: "PR_GET_TSC",
- 26: "PR_SET_TSC",
- 27: "PR_GET_SECUREBITS",
- 28: "PR_SET_SECUREBITS",
- 29: "PR_SET_TIMERSLACK",
- 30: "PR_GET_TIMERSLACK",
- 31: "PR_TASK_PERF_EVENTS_DISABLE",
- 32: "PR_TASK_PERF_EVENTS_ENABLE",
- 33: "PR_MCE_KILL",
- 34: "PR_MCE_KILL_GET",
- 35: "PR_SET_MM",
- 36: "PR_SET_CHILD_SUBREAPER",
- 37: "PR_GET_CHILD_SUBREAPER",
- 38: "PR_SET_NO_NEW_PRIVS",
- 39: "PR_GET_NO_NEW_PRIVS",
- 40: "PR_GET_TID_ADDRESS",
- 41: "PR_SET_THP_DISABLE",
- 42: "PR_GET_THP_DISABLE",
- 43: "PR_MPX_ENABLE_MANAGEMENT",
- 44: "PR_MPX_DISABLE_MANAGEMENT",
- 45: "PR_SET_FP_MODE",
- 46: "PR_GET_FP_MODE",
- 47: "PR_CAP_AMBIENT",
- 50: "PR_SVE_SET_VL",
- 51: "PR_SVE_GET_VL",
- 52: "PR_GET_SPECULATION_CTRL",
- 53: "PR_SET_SPECULATION_CTRL",
- 54: "PR_PAC_RESET_KEYS",
- 55: "PR_SET_TAGGED_ADDR_CTRL",
- 56: "PR_GET_TAGGED_ADDR_CTRL",
- }
-
- var res string
- if opName, ok := prctlOptions[op]; ok {
- res = opName
- } else {
- res = strconv.Itoa(int(op))
- }
- return res
-}
-
-// PrintPtraceRequest prints the `request` argument of the `ptrace` syscall
-// http://man7.org/linux/man-pages/man2/ptrace.2.html
-// https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/ptrace.h
-func PrintPtraceRequest(req int64) string {
- var ptraceRequest = map[int64]string{
- 0: "PTRACE_TRACEME",
- 1: "PTRACE_PEEKTEXT",
- 2: "PTRACE_PEEKDATA",
- 3: "PTRACE_PEEKUSER",
- 4: "PTRACE_POKETEXT",
- 5: "PTRACE_POKEDATA",
- 6: "PTRACE_POKEUSER",
- 7: "PTRACE_CONT",
- 8: "PTRACE_KILL",
- 9: "PTRACE_SINGLESTEP",
- 12: "PTRACE_GETREGS",
- 13: "PTRACE_SETREGS",
- 14: "PTRACE_GETFPREGS",
- 15: "PTRACE_SETFPREGS",
- 16: "PTRACE_ATTACH",
- 17: "PTRACE_DETACH",
- 18: "PTRACE_GETFPXREGS",
- 19: "PTRACE_SETFPXREGS",
- 24: "PTRACE_SYSCALL",
- 0x4200: "PTRACE_SETOPTIONS",
- 0x4201: "PTRACE_GETEVENTMSG",
- 0x4202: "PTRACE_GETSIGINFO",
- 0x4203: "PTRACE_SETSIGINFO",
- 0x4204: "PTRACE_GETREGSET",
- 0x4205: "PTRACE_SETREGSET",
- 0x4206: "PTRACE_SEIZE",
- 0x4207: "PTRACE_INTERRUPT",
- 0x4208: "PTRACE_LISTEN",
- 0x4209: "PTRACE_PEEKSIGINFO",
- 0x420a: "PTRACE_GETSIGMASK",
- 0x420b: "PTRACE_SETSIGMASK",
- 0x420c: "PTRACE_SECCOMP_GET_FILTER",
- 0x420d: "PTRACE_SECCOMP_GET_METADATA",
- }
-
- var res string
- if reqName, ok := ptraceRequest[req]; ok {
- res = reqName
- } else {
- res = strconv.Itoa(int(req))
- }
- return res
-}
-
-// PrintBPFCmd prints the `cmd` argument of the `bpf` syscall
-// https://man7.org/linux/man-pages/man2/bpf.2.html
-// https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf.h
-func PrintBPFCmd(cmd int32) string {
- var bpfCmd = map[int32]string{
- 0: "BPF_MAP_CREATE",
- 1: "BPF_MAP_LOOKUP_ELEM",
- 2: "BPF_MAP_UPDATE_ELEM",
- 3: "BPF_MAP_DELETE_ELEM",
- 4: "BPF_MAP_GET_NEXT_KEY",
- 5: "BPF_PROG_LOAD",
- 6: "BPF_OBJ_PIN",
- 7: "BPF_OBJ_GET",
- 8: "BPF_PROG_ATTACH",
- 9: "BPF_PROG_DETACH",
- 10: "BPF_PROG_TEST_RUN",
- 11: "BPF_PROG_GET_NEXT_ID",
- 12: "BPF_MAP_GET_NEXT_ID",
- 13: "BPF_PROG_GET_FD_BY_ID",
- 14: "BPF_MAP_GET_FD_BY_ID",
- 15: "BPF_OBJ_GET_INFO_BY_FD",
- 16: "BPF_PROG_QUERY",
- 17: "BPF_RAW_TRACEPOINT_OPEN",
- 18: "BPF_BTF_LOAD",
- 19: "BPF_BTF_GET_FD_BY_ID",
- 20: "BPF_TASK_FD_QUERY",
- 21: "BPF_MAP_LOOKUP_AND_DELETE_ELEM",
- 22: "BPF_MAP_FREEZE",
- 23: "BPF_BTF_GET_NEXT_ID",
- 24: "BPF_MAP_LOOKUP_BATCH",
- 25: "BPF_MAP_LOOKUP_AND_DELETE_BATCH",
- 26: "BPF_MAP_UPDATE_BATCH",
- 27: "BPF_MAP_DELETE_BATCH",
- 28: "BPF_LINK_CREATE",
- 29: "BPF_LINK_UPDATE",
- 30: "BPF_LINK_GET_FD_BY_ID",
- 31: "BPF_LINK_GET_NEXT_ID",
- 32: "BPF_ENABLE_STATS",
- 33: "BPF_ITER_CREATE",
- 34: "BPF_LINK_DETACH",
- }
-
- var res string
- if cmdName, ok := bpfCmd[cmd]; ok {
- res = cmdName
- } else {
- res = strconv.Itoa(int(cmd))
- }
- return res
-}
-
 // PrintAlert prints the encoded alert message and output file path if required
 func PrintAlert(alert alert) string {
 var res string
diff --git a/tracee-ebpf/tracee/tracee.go b/tracee-ebpf/tracee/tracee.go
index 56dc253348d8..a2c629c70344 100644
--- a/tracee-ebpf/tracee/tracee.go
+++ b/tracee-ebpf/tracee/tracee.go
@@ -16,6 +16,7 @@ import (
 "syscall"
 bpf "github.com/aquasecurity/tracee/libbpfgo"
+ "github.com/aquasecurity/tracee/libbpfgo/helpers"
 "github.com/aquasecurity/tracee/tracee-ebpf/tracee/external"
 )
@@ -1126,27 +1127,27 @@ func (t *Tracee) prepareArgsForPrint(ctx *context, args map[argTag]interface{})
 }
 if ctx.EventID == CapCapableEventID {
 if capability, isInt32 := args[t.EncParamName[ctx.EventID%2]["cap"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["cap"]] = PrintCapability(capability)
+ args[t.EncParamName[ctx.EventID%2]["cap"]] = helpers.ParseCapability(capability)
 }
 }
 case MmapEventID, MprotectEventID, PkeyMprotectEventID:
 if prot, isInt32 := args[t.EncParamName[ctx.EventID%2]["prot"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["prot"]] = PrintMemProt(uint32(prot))
+ args[t.EncParamName[ctx.EventID%2]["prot"]] = helpers.ParseMemProt(uint32(prot))
 }
 case PtraceEventID:
 if req, isInt64 := args[t.EncParamName[ctx.EventID%2]["request"]].(int64); isInt64 {
- args[t.EncParamName[ctx.EventID%2]["request"]] = PrintPtraceRequest(req)
+ args[t.EncParamName[ctx.EventID%2]["request"]] = helpers.ParsePtraceRequest(req)
 }
 case PrctlEventID:
 if opt, isInt32 := args[t.EncParamName[ctx.EventID%2]["option"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["option"]] = PrintPrctlOption(opt)
+ args[t.EncParamName[ctx.EventID%2]["option"]] = helpers.ParsePrctlOption(opt)
 }
 case SocketEventID:
 if dom, isInt32 := args[t.EncParamName[ctx.EventID%2]["domain"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["domain"]] = PrintSocketDomain(uint32(dom))
+ args[t.EncParamName[ctx.EventID%2]["domain"]] = helpers.ParseSocketDomain(uint32(dom))
 }
 if typ, isInt32 := args[t.EncParamName[ctx.EventID%2]["type"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["type"]] = PrintSocketType(uint32(typ))
+ args[t.EncParamName[ctx.EventID%2]["type"]] = helpers.ParseSocketType(uint32(typ))
 }
 case ConnectEventID, AcceptEventID, Accept4EventID, BindEventID, GetsocknameEventID:
 if sockAddr, isStrMap := args[t.EncParamName[ctx.EventID%2]["addr"]].(map[string]string); isStrMap {
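Review bot: The replacement of every package-local Print* formatter with helpers.Parse* from the bumped libbpfgo pin moves the definition of each printed argument string out of this module, yet the commit adds no test pinning that the helpers preserve the old output. The deleted implementations had edge-case behaviour consumers may rely on: PrintExecFlags and PrintCloneFlags returned "0" when no bit was set, PrintMemProt returned "PROT_NONE" for 0, PrintAccessMode returned "F_OK" for 0, and PrintOpenFlags always led with an access-mode token; if the helper formatting differs in any of these cases, anything matching on the printed text (rules, signatures, log parsers) would silently diverge. A short table test in this module over those edge values would lock the contract down, e.g. `if got := helpers.ParseExecFlags(0); got != "0" { t.Fatalf("ParseExecFlags(0) = %q", got) }`. The same point applies to the hunks at -1160, -1180, -1198 and -1426 (readSockaddrFromBuff); prepareArgsForPrint begins and ends outside this hunk.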
@@ -1160,19 +1161,19 @@ func (t *Tracee) prepareArgsForPrint(ctx *context, args map[argTag]interface{})
 }
 case AccessEventID, FaccessatEventID:
 if mode, isInt32 := args[t.EncParamName[ctx.EventID%2]["mode"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["mode"]] = PrintAccessMode(uint32(mode))
+ args[t.EncParamName[ctx.EventID%2]["mode"]] = helpers.ParseAccessMode(uint32(mode))
 }
 case ExecveatEventID:
 if flags, isInt32 := args[t.EncParamName[ctx.EventID%2]["flags"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["flags"]] = PrintExecFlags(uint32(flags))
+ args[t.EncParamName[ctx.EventID%2]["flags"]] = helpers.ParseExecFlags(uint32(flags))
 }
 case OpenEventID, OpenatEventID, SecurityFileOpenEventID:
 if flags, isInt32 := args[t.EncParamName[ctx.EventID%2]["flags"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["flags"]] = PrintOpenFlags(uint32(flags))
+ args[t.EncParamName[ctx.EventID%2]["flags"]] = helpers.ParseOpenFlags(uint32(flags))
 }
 case MknodEventID, MknodatEventID, ChmodEventID, FchmodEventID, FchmodatEventID:
 if mode, isUint32 := args[t.EncParamName[ctx.EventID%2]["mode"]].(uint32); isUint32 {
- args[t.EncParamName[ctx.EventID%2]["mode"]] = PrintInodeMode(mode)
+ args[t.EncParamName[ctx.EventID%2]["mode"]] = helpers.ParseInodeMode(mode)
 }
 case MemProtAlertEventID:
 if alert, isAlert := args[t.EncParamName[ctx.EventID%2]["alert"]].(alert); isAlert {
@@ -1180,7 +1181,7 @@ func (t *Tracee) prepareArgsForPrint(ctx *context, args map[argTag]interface{})
 }
 case CloneEventID:
 if flags, isUint64 := args[t.EncParamName[ctx.EventID%2]["flags"]].(uint64); isUint64 {
- args[t.EncParamName[ctx.EventID%2]["flags"]] = PrintCloneFlags(flags)
+ args[t.EncParamName[ctx.EventID%2]["flags"]] = helpers.ParseCloneFlags(flags)
 }
 case SendtoEventID, RecvfromEventID:
 addrTag := t.EncParamName[ctx.EventID%2]["dest_addr"]
@@ -1198,7 +1199,7 @@ func (t *Tracee) prepareArgsForPrint(ctx *context, args map[argTag]interface{})
 }
 case BpfEventID:
 if cmd, isInt32 := args[t.EncParamName[ctx.EventID%2]["cmd"]].(int32); isInt32 {
- args[t.EncParamName[ctx.EventID%2]["cmd"]] = PrintBPFCmd(cmd)
+ args[t.EncParamName[ctx.EventID%2]["cmd"]] = helpers.ParseBPFCmd(cmd)
 }
 }
@@ -1426,7 +1427,7 @@ func readSockaddrFromBuff(buff io.Reader) (map[string]string, error) {
 if err != nil {
 return nil, err
 }
- res["sa_family"] = PrintSocketDomain(uint32(family))
+ res["sa_family"] = helpers.ParseSocketDomain(uint32(family))
 switch family {
 case 1: // AF_UNIX
 /*