ebpf: fix mem_prot_alert invalid args (#2324)

* ebpf: fix mem_prot_alert invalid args In cases where both security_file_mprotect and mem_prot_alert events were chosen by the user, mem_prot_alert could have failed to decode or have invalid arguments. This was caused by the fact we submitted those two events one after the other without reinitializing the submit buffer. Fix mem_prot_alert event by initializing the submit buffer as required. * ebpf: remove redundant submit buffer initialization Since we split the bpf code to separate phases, sys_enter/sys_exit don't contain more than one event to submit in one bpf program. Remove the redundant buffer initialization then. * ebpf: placed should_trace where missing In some cases, should_trace() wasn't called properly. Fix this,
aquasecurity · Nov 3, 2022 · 430c073 · 430c073
1 parent a37dcf6
commit 430c073
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -3007,8 +3007,6 @@ int sys_enter_submit(struct bpf_raw_tracepoint_args *ctx)
         }
     }
     if (sys->id != SYSCALL_RT_SIGRETURN && !data.task_info->syscall_traced) {
-        data.buf_off = sizeof(event_context_t);
-        data.context.argnum = 0;
         save_to_submit_buf(&data, (void *) &(sys->args.args[0]), sizeof(int), 0);
         events_perf_submit(&data, sys->id, 0);
     }
@@ -3117,8 +3115,6 @@ int sys_exit_submit(struct bpf_raw_tracepoint_args *ctx)
             return 0;
         }
         types = *saved_types;
-        data.buf_off = sizeof(event_context_t);
-        data.context.argnum = 0;
         save_args_to_submit_buf(&data, types, &sys->args);
         data.context.ts = sys->ts;
         events_perf_submit(&data, id, ret);
@@ -5561,6 +5557,9 @@ int BPF_KPROBE(trace_mmap_alert)
     if (!init_event_data(&data, ctx))
         return 0;
 
+    if (!should_trace(&data))
+        return 0;
+
     // Load the arguments given to the mmap syscall (which eventually invokes this function)
     syscall_data_t *sys = &data.task_info->syscall_data;
     if (!data.task_info->syscall_traced || sys->id != SYSCALL_MMAP)
@@ -5633,13 +5632,13 @@ int BPF_KPROBE(trace_security_file_mprotect)
     if (!init_event_data(&data, ctx))
         return 0;
 
+    if (!should_trace(&data))
+        return 0;
+
     struct vm_area_struct *vma = (struct vm_area_struct *) PT_REGS_PARM1(ctx);
     unsigned long reqprot = PT_REGS_PARM2(ctx);
 
     if (should_submit(SECURITY_FILE_MPROTECT, data.config)) {
-        if (!should_trace(&data))
-            return 0;
-
         struct file *file = (struct file *) READ_KERN(vma->vm_file);
         void *file_path = get_path_str(GET_FIELD_ADDR(file->f_path));
         u64 ctime = get_ctime_nanosec_from_file(file);
@@ -5668,6 +5667,9 @@ int BPF_KPROBE(trace_security_file_mprotect)
         if (len == 0)
             len = PAGE_SIZE;
 
+        data.buf_off = sizeof(event_context_t);
+        data.context.argnum = 0;
+
         if ((!(prev_prot & VM_EXEC)) && (reqprot & VM_EXEC)) {
             u32 alert = ALERT_MPROT_X_ADD;
             save_to_submit_buf(&data, &alert, sizeof(u32), 0);