support security_file_open lsm hook

aquasecurity · Mar 18, 2020 · 6bc4686 · 6bc4686
1 parent dff978e
commit 6bc4686
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/tracee/consts.go b/tracee/consts.go
@@ -378,6 +378,7 @@ var EventsIDToName = map[int32]string{
 	335: "do_exit",
 	336: "cap_capable",
 	337: "security_bprm_check",
+	338: "security_file_open",
 }
 
 // EventIDMax marks the highest event ID in the EventsIDToName map

diff --git a/tracee/event_monitor_ebpf.c b/tracee/event_monitor_ebpf.c
@@ -397,6 +397,7 @@ enum event_id {
     DO_EXIT,
     CAP_CAPABLE,
     SECURITY_BPRM_CHECK,
+    SECURITY_FILE_OPEN,
 };
 
 /*=============================== INTERNAL STRUCTS ===========================*/
@@ -1406,6 +1407,34 @@ int trace_security_bprm_check(struct pt_regs *ctx, struct linux_binprm *bprm)
     return 0;
 }
 
+int trace_security_file_open(struct pt_regs *ctx, struct file *file)
+{
+    context_t context = {};
+
+    if (init_context(&context) || init_submit_buf())
+        return 0;
+
+    submit_buf_t *submit_p = get_submit_buf();
+    if (submit_p == NULL)
+        return 0;
+
+    context.eventid = SECURITY_FILE_OPEN;
+    context.argnum = 2;
+    context.retval = 0;
+
+    struct pt_regs *real_ctx = get_task_pt_regs();
+    int syscall_nr = real_ctx->orig_ax;
+    if (syscall_nr != 2 && syscall_nr != 257) // only monitor open and openat syscalls
+        return 0;
+
+    save_to_submit_buf(submit_p, (void*)&context, sizeof(context_t), NONE_T);
+    save_path_to_buf(submit_p, &file->f_path);
+    save_to_submit_buf(submit_p, (void*)&file->f_flags, sizeof(int), OPEN_FLAGS_T);
+
+    events_perf_submit(ctx);
+    return 0;
+}
+
 int trace_cap_capable(struct pt_regs *ctx, const struct cred *cred,
     struct user_namespace *targ_ns, int cap, int cap_opt)
 {

diff --git a/tracee/tracer.py b/tracee/tracer.py
@@ -226,7 +226,7 @@ class SupportedAF(object):
             "symlink", "symlinkat", "getdents", "getdents64", "creat", "open", "openat",
             "mount", "umount", "unlink", "unlinkat", "setuid", "setgid", "setreuid", "setregid",
             "setresuid", "setresgid", "setfsuid", "setfsgid"]
-sysevents = ["cap_capable", "do_exit", "security_bprm_check"]
+sysevents = ["cap_capable", "do_exit", "security_bprm_check", "security_file_open"]
 
 # We always need kprobes for execve[at] so that we capture the new PID namespace, 
 # and do_exit so we clean up  
@@ -573,7 +573,8 @@ class SupportedAF(object):
     # Non syscall events start here
     335: "do_exit",
     336: "cap_capable",
-    337: "security_bprm_check"
+    337: "security_bprm_check",
+    338: "security_file_open"
 }
 
 # argument types should match defined values in ebpf file code