add symlink(at) syscalls

container_event_monitor_ebpf.c

@@ -76,6 +76,8 @@ enum event_id {
     SYS_INIT_MODULE,
     SYS_FINIT_MODULE,
     SYS_DELETE_MODULE,
+    SYS_SYMLINK,
+    SYS_SYMLINKAT,
     DO_EXIT,
     CAP_CAPABLE,
 };
@@ -554,6 +556,10 @@ TRACE_ENT_FUNC(sys_finit_module);
 TRACE_RET_FUNC(sys_finit_module, SYS_FINIT_MODULE, ARG_TYPE0(INT_T)|ARG_TYPE1(STR_T)|ARG_TYPE2(INT_T));
 TRACE_ENT_FUNC(sys_delete_module);
 TRACE_RET_FUNC(sys_delete_module, SYS_DELETE_MODULE, ARG_TYPE0(STR_T)|ARG_TYPE1(INT_T));
+TRACE_ENT_FUNC(sys_symlink);
+TRACE_RET_FUNC(sys_symlink, SYS_SYMLINK, ARG_TYPE0(STR_T)|ARG_TYPE1(STR_T));
+TRACE_ENT_FUNC(sys_symlinkat);
+TRACE_RET_FUNC(sys_symlinkat, SYS_SYMLINKAT, ARG_TYPE0(STR_T)|ARG_TYPE1(INT_T)|ARG_TYPE2(STR_T));
 
 
 // Note: race condition may occur if a malicious user changes the arguments concurrently

container_tracer.py

@@ -142,7 +142,8 @@
             "newfstat", "newlstat", "mknod", "mknodat", "dup", "dup2", "dup3",
             "memfd_create", "socket", "close", "ioctl", "access", "faccessat", "kill", "listen",
             "connect", "accept", "accept4", "bind", "getsockname", "prctl", "ptrace",
-            "process_vm_writev", "process_vm_readv", "init_module", "finit_module", "delete_module"]
+            "process_vm_writev", "process_vm_readv", "init_module", "finit_module", "delete_module",
+            "symlink", "symlinkat"]
 
 class EventType(object):
     EVENT_ARG = 0
@@ -186,8 +187,10 @@ class EventId(object):
     SYS_INIT_MODULE = 33
     SYS_FINIT_MODULE = 34
     SYS_DELETE_MODULE = 35
-    DO_EXIT = 36
-    CAP_CAPABLE = 37
+    SYS_SYMLINK = 36
+    SYS_SYMLINKAT = 37
+    DO_EXIT = 38
+    CAP_CAPABLE = 39
 
 class context_t(ctypes.Structure): # match layout of eBPF C's context_t struct
     _fields_ = [("ts", ctypes.c_uint64),
@@ -399,6 +402,19 @@ class delete_module_info_t(ctypes.Structure):
                 ("name_loc", ctypes.c_uint),
                 ("flags", ctypes.c_int),]
 
+class symlink_info_t(ctypes.Structure):
+    _pack_ = 1
+    _fields_ = [("context", context_t),
+                ("target_loc", ctypes.c_uint),
+                ("linkpath_loc", ctypes.c_uint),]
+
+class symlinkat_info_t(ctypes.Structure):
+    _pack_ = 1
+    _fields_ = [("context", context_t),
+                ("target_loc", ctypes.c_uint),
+                ("newdirfd", ctypes.c_int),
+                ("linkpath_loc", ctypes.c_uint),]
+
 class cap_info_t(ctypes.Structure):
     _fields_ = [("context", context_t),
                 ("capability", ctypes.c_int),]
@@ -921,6 +937,17 @@ def print_event(self, cpu, data, size):
             event = ctypes.cast(data, ctypes.POINTER(delete_module_info_t)).contents
             args.append(self.get_string_from_buf(cpu, int(event.name_loc)))
             args.append(str(event.flags))
+        elif context.eventid == EventId.SYS_SYMLINK:
+            eventname = "symlink"
+            event = ctypes.cast(data, ctypes.POINTER(symlink_info_t)).contents
+            args.append(self.get_string_from_buf(cpu, int(event.target_loc)))
+            args.append(self.get_string_from_buf(cpu, int(event.linkpath_loc)))
+        elif context.eventid == EventId.SYS_SYMLINKAT:
+            eventname = "symlinkat"
+            event = ctypes.cast(data, ctypes.POINTER(symlinkat_info_t)).contents
+            args.append(self.get_string_from_buf(cpu, int(event.target_loc)))
+            args.append(str(event.newdirfd))
+            args.append(self.get_string_from_buf(cpu, int(event.linkpath_loc)))
         elif context.eventid == EventId.SYS_CLONE:
             eventname = "clone"
         elif context.eventid == EventId.SYS_FORK: