diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 4149f24ad6a0..131a91979a2c 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -65,6 +65,7 @@ env:
 BPF_ATTACH
 CONTAINERS_DATA_SOURCE
 PROCTREE_DATA_SOURCE
+ ACCESS_REMOTE_VM
 jobs:
 #
 # CODE VERIFICATION
diff --git a/tests/e2e-inst-signatures/e2e-access_remote_vm.go b/tests/e2e-inst-signatures/e2e-access_remote_vm.go
new file mode 100644
index 000000000000..a8b38b0335c4
--- /dev/null
+++ b/tests/e2e-inst-signatures/e2e-access_remote_vm.go
@@ -0,0 +1,78 @@
+package main
+
+import (
+ "fmt"
+
+ "github.com/aquasecurity/tracee/signatures/helpers"
+ "github.com/aquasecurity/tracee/types/detect"
+ "github.com/aquasecurity/tracee/types/protocol"
+ "github.com/aquasecurity/tracee/types/trace"
+)
+
+type e2eAccessRemoteVm struct {
+ cb detect.SignatureHandler
+}
+
+func (sig *e2eAccessRemoteVm) Init(ctx detect.SignatureContext) error {
+ sig.cb = ctx.Callback
+ return nil
+}
+
+func (sig *e2eAccessRemoteVm) GetMetadata() (detect.SignatureMetadata, error) {
+ return detect.SignatureMetadata{
+ ID: "ACCESS_REMOTE_VM",
+ EventName: "ACCESS_REMOTE_VM",
+ Version: "0.1.0",
+ Name: "Access Remote VM Test",
+ Description: "Instrumentation events E2E Tests: Access Remote VM",
+ Tags: []string{"e2e", "instrumentation"},
+ }, nil
+}
+
+func (sig *e2eAccessRemoteVm) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+ return []detect.SignatureEventSelector{
+ {Source: "tracee", Name: "access_remote_vm"},
+ }, nil
+}
+
+func (sig *e2eAccessRemoteVm) OnEvent(event protocol.Event) error {
+ eventObj, ok := event.Payload.(trace.Event)
+ if !ok {
+ return fmt.Errorf("failed to cast event's payload")
+ }
+
+ switch eventObj.EventName {
+ case "access_remote_vm":
+ remotePid, err := helpers.GetTraceeIntArgumentByName(eventObj, "remote_pid")
+ if err != nil {
+ return err
+ }
+
+ vmName, err := helpers.GetTraceeStringArgumentByName(eventObj, "mapped.path")
+ if err != nil {
+ return err
+ }
+
+ // check expected values from test for detection
+
+ if remotePid != eventObj.HostParentProcessID || vmName != "[stack]" {
+ return nil
+ }
+
+ m, _ := sig.GetMetadata()
+
+ sig.cb(detect.Finding{
+ SigMetadata: m,
+ Event: event,
+ Data: map[string]interface{}{},
+ })
+ }
+
+ return nil
+}
+
+func (sig *e2eAccessRemoteVm) OnSignal(s detect.Signal) error {
+ return nil
+}
+
+func (sig *e2eAccessRemoteVm) Close() {}
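Review bot: The pass condition in OnEvent — `remotePid == eventObj.HostParentProcessID` together with `vmName == "[stack]"` — is the contract between this signature and scripts/access_remote_vm.sh (which has a child `tail` read the parent shell's `/proc/$$/mem` at the `[stack]` address), but nothing in the file says so, and a reader cannot tell why a parent-pid match on a stack mapping is what counts as success while every other access_remote_vm event is dropped silently with `return nil`. Add a doc comment on the type, e.g. `// e2eAccessRemoteVm fires only when a process reads the [stack] mapping of its own parent through /proc/<pid>/mem, which is the scenario scripts/access_remote_vm.sh produces; all other access_remote_vm events are ignored.`, and replace the placeholder `// check expected values from test for detection` with one that names those two values. `m, _ := sig.GetMetadata()` discards an error that is always nil in this file; a short `// GetMetadata never errors` keeps that from reading as an oversight. On naming, Go's initialism convention would make the type `e2eAccessRemoteVM`, though the sibling signatures registered in export.go presumably set the package precedent, so follow whichever they use.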
diff --git a/tests/e2e-inst-signatures/export.go b/tests/e2e-inst-signatures/export.go
index 406634198b35..36c6611040d3 100644
--- a/tests/e2e-inst-signatures/export.go
+++ b/tests/e2e-inst-signatures/export.go
@@ -10,4 +10,5 @@ var ExportedSignatures = []detect.Signature{
 &e2eContainersDataSource{},
 &e2eBpfAttach{},
 &e2eProcessTreeDataSource{},
+ &e2eAccessRemoteVm{},
 }
diff --git a/tests/e2e-inst-signatures/scripts/access_remote_vm.sh b/tests/e2e-inst-signatures/scripts/access_remote_vm.sh
new file mode 100755
index 000000000000..397315932702
--- /dev/null
+++ b/tests/e2e-inst-signatures/scripts/access_remote_vm.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+info_exit() {
+ echo -n "INFO: "
+ echo $@
+ exit 0
+}
+
+info() {
+ echo -n "INFO: "
+ echo "$@"
+}
+
+error_exit() {
+ echo -n "ERROR: "
+ echo "$@"
+ exit 1
+}
+
+# Get the stack address from /proc/self/maps
+stack_address="0x"$(grep 'stack' /proc/$$/maps | awk '{split($1, range, "-"); print range[1]}')
+
+if [ -z "$stack_address" ]; then
+ error_exit "Failed to find the stack address in /proc/self/maps"
+fi
+
+info "Stack address: $stack_address"
+
+# Read from /proc/self/mem in given address
+read_mem_file() {
+ tail /proc/$$/mem -c +$1 > /dev/null
+}
+
+# Call the function to read from the stack
+read_mem_file $((stack_address))
diff --git a/tests/e2e-inst-test.sh b/tests/e2e-inst-test.sh
index 081fc047018d..580477fa1554 100755
--- a/tests/e2e-inst-test.sh
+++ b/tests/e2e-inst-test.sh
@@ -94,7 +94,7 @@ for TEST in $TESTS; do
 --output option:parse-arguments \
 --log file:$SCRIPT_TMP_DIR/tracee-log-$$ \
 --signatures-dir "$SIG_DIR" \
- --scope comm=echo,mv,ls,tracee,proctreetester \
+ --scope comm=echo,mv,ls,tracee,proctreetester,tail \
 --events "$TEST" &
 
 # wait tracee-ebpf to be started (30 sec most)
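Review bot: In scripts/access_remote_vm.sh the `[ -z "$stack_address" ]` guard can never fire, because the literal `"0x"` prefix is concatenated before the test — when grep finds nothing the variable is `0x`, not empty, and the script goes on to call `read_mem_file 0` instead of failing with the intended error. Capture the bare range first, test that, and prepend the prefix afterwards; while there, anchor the pattern to `'\[stack\]'` so a mapped path that merely contains the word "stack" cannot be picked up instead of the stack itself. `info_exit` is also unused and, unlike `info`/`error_exit`, uses an unquoted `echo $@`, which word-splits and glob-expands its message; make it `echo "$@"` or drop the helper. The added `tail` comm in e2e-inst-test.sh's `--scope` line is what lets tracee see the reader process, so any rename of the reader in the script has to be mirrored there.
```shell
# … unchanged: info/error_exit helpers …
# Get the stack address from /proc/self/maps (match only the [stack] mapping)
stack_range=$(grep '\[stack\]' /proc/$$/maps | awk '{split($1, range, "-"); print range[1]}')

if [ -z "$stack_range" ]; then
    error_exit "Failed to find the stack address in /proc/self/maps"
fi

stack_address="0x$stack_range"
# … unchanged: info message, read_mem_file and its call …
```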