Show syscall name in internal kprobes

aquasecurity · Dec 30, 2019 · 4fa4d54 · 4fa4d54
1 parent 85afe0b
commit 4fa4d54
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 6 deletions.
diff --git a/start.py b/start.py
@@ -45,6 +45,8 @@ def parse_args(input_args):
                         help="list events")
     parser.add_argument("-e", "--events-to-trace", default = syscalls + sysevents, action=EventsToTraceAction,
                         help="trace only the specified events and syscalls (default: trace all)")
+    parser.add_argument("--show-syscall", action="store_true",
+                        help="show syscall name in kprobes")
     return parser.parse_args(input_args)
 
 

diff --git a/tracee/event_monitor_ebpf.c b/tracee/event_monitor_ebpf.c
@@ -37,9 +37,11 @@
 #define SOCK_DOM_T  15UL
 #define SOCK_TYPE_T 16UL
 #define CAP_T       17UL
+#define SYSCALL_T   18UL
 #define TYPE_MAX    255UL
 
 #define CONFIG_CONT_MODE    0
+#define CONFIG_SHOW_SYSCALL 1
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
 #error Minimal required kernel version is 4.14
@@ -513,6 +515,14 @@ static __always_inline void get_syscall_args(struct pt_regs *ctx, args_t *args)
 #endif
 }
 
+static __always_inline struct pt_regs* get_task_pt_regs()
+{
+    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
+    void* task_stack_page = task->stack;
+    void* __ptr = task_stack_page + THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING;
+    return ((struct pt_regs *)__ptr) - 1;
+}
+
 /*============================== HELPER FUNCTIONS ==============================*/
 
 static __always_inline u32 lookup_pid()
@@ -591,15 +601,24 @@ static __always_inline void remove_pid_ns_if_needed()
     }
 }
 
-static __always_inline int container_mode()
+static __always_inline int get_config(u32 key)
 {
-    u32 key = CONFIG_CONT_MODE;
-    u32 *mode = config_map.lookup(&key);
+    u32 *config = config_map.lookup(&key);
 
-    if (mode == NULL)
+    if (config == NULL)
         return 0;
 
-    return *mode;
+    return *config;
+}
+
+static __always_inline int container_mode()
+{
+    return get_config(CONFIG_CONT_MODE);
+}
+
+static __always_inline int show_syscall()
+{
+    return get_config(CONFIG_SHOW_SYSCALL);
 }
 
 static __always_inline int init_context(context_t *context)
@@ -1248,7 +1267,10 @@ int trace_cap_capable(struct pt_regs *ctx, const struct cred *cred,
         return 0;
 
     context.eventid = CAP_CAPABLE;
-    context.argnum = 1;
+    if (show_syscall())
+        context.argnum = 2;
+    else
+        context.argnum = 1;
 
   #ifdef CAP_OPT_NONE
     audit = (cap_opt & 0b10) == 0;
@@ -1261,6 +1283,10 @@ int trace_cap_capable(struct pt_regs *ctx, const struct cred *cred,
 
     save_to_submit_buf((void*)&context, sizeof(context_t), NONE_T);
     save_to_submit_buf((void*)&cap, sizeof(int), CAP_T);
+    if (show_syscall()) {
+        struct pt_regs *real_ctx = get_task_pt_regs();
+        save_to_submit_buf((void*)&(real_ctx->orig_ax), sizeof(int), SYSCALL_T);
+    }
     events_perf_submit(ctx);
     return 0;
 };
diff --git a/tracee/tracer.py b/tracee/tracer.py
@@ -499,10 +499,12 @@ class ArgType(object):
     SOCK_DOM_T      = 15
     SOCK_TYPE_T     = 16
     CAP_T           = 17
+    SYSCALL_T       = 18
     TYPE_MAX        = 255
 
 class shared_config(object):
     CONFIG_CONT_MODE    = 0
+    CONFIG_SHOW_SYSCALL = 1
 
 class context_t(ctypes.Structure):  # match layout of eBPF C's context_t struct
     _fields_ = [("ts", ctypes.c_uint64),
@@ -759,6 +761,7 @@ def __init__(self, args):
         self.list_events = args.list
         self.events_to_trace = args.events_to_trace
         self.buf_pages = args.buf_pages
+        self.show_syscall = args.show_syscall
 
     def init_bpf(self):
         bpf_text = load_bpf_program()
@@ -782,6 +785,8 @@ def init_bpf(self):
         # set shared config
         key = ctypes.c_uint32(shared_config.CONFIG_CONT_MODE)
         self.bpf["config_map"][key] = ctypes.c_uint32(self.cont_mode)
+        key = ctypes.c_uint32(shared_config.CONFIG_SHOW_SYSCALL)
+        self.bpf["config_map"][key] = ctypes.c_uint32(self.show_syscall)
 
         # attaching kprobes
         sk, se = get_kprobes(self.events_to_trace)
@@ -963,6 +968,12 @@ def parse_event(self, event_buf):
                         args.append(capabilities[capability])
                     else:
                         args.append(str(capability))
+                elif argtype == ArgType.SYSCALL_T:
+                    syscall = self.get_int_from_buf(event_buf)
+                    if syscall in event_id:
+                        args.append('(%s)' % event_id[syscall])
+                    else:
+                        args.append('(%s)' % str(syscall))
         else:
             return