add argument 'type' to security_kernel_read_file event (#998)

add argument parser for kernel_read_file_id
aquasecurity · Sep 13, 2021 · 8fee4eb · 8fee4eb
1 parent 4904506
commit 8fee4eb
Show file tree

Hide file tree

Showing 5 changed files with 130 additions and 5 deletions.
diff --git a/tracee-ebpf/tracee/argprinters.go b/tracee-ebpf/tracee/argprinters.go
@@ -176,7 +176,71 @@ func (t *Tracee) prepareArgs(ctx *context, args map[string]interface{}) error {
 		if cmd, isInt32 := args["cmd"].(int32); isInt32 {
 			args["cmd"] = helpers.ParseBPFCmd(cmd)
 		}
+	case SecurityKernelReadFileEventID:
+		if readFileId, isUint32 := args["type"].(uint32); isUint32 {
+			typeIdStr, err := ParseKernelReadFileId(int32(readFileId))
+			if err == nil {
+				args["type"] = typeIdStr
+			}
+		}
 	}
 
 	return nil
 }
+
+// initializing kernelReadFileIdStrs once at init.
+var kernelReadFileIdStrs map[int32]string
+
+func init() {
+
+	osInfo, err := helpers.GetOSInfo()
+	if err != nil {
+		return
+	}
+
+	if osInfo.CompareOSBaseKernelRelease("5.9.3") != 1 {
+		// kernel version: >=5.9.3
+		kernelReadFileIdStrs = map[int32]string{
+			0: "unknown",
+			1: "firmware",
+			2: "kernel-module",
+			3: "kexec-image",
+			4: "kexec-initramfs",
+			5: "security-policy",
+			6: "x509-certificate",
+		}
+	} else if osInfo.CompareOSBaseKernelRelease("5.7.0") != 1 && osInfo.CompareOSBaseKernelRelease("5.9.2") != -1 && osInfo.CompareOSBaseKernelRelease("5.8.18") != 0 {
+		// kernel version: >=5.7 && <=5.9.2 && !=5.8.18
+		kernelReadFileIdStrs = map[int32]string{
+			0: "unknown",
+			1: "firmware",
+			2: "firmware",
+			3: "firmware",
+			4: "kernel-module",
+			5: "kexec-image",
+			6: "kexec-initramfs",
+			7: "security-policy",
+			8: "x509-certificate",
+		}
+	} else if osInfo.CompareOSBaseKernelRelease("5.8.18") == 0 || (osInfo.CompareOSBaseKernelRelease("4.18.0") != 1 && osInfo.CompareOSBaseKernelRelease("5.7.0") == 1) {
+		// kernel version: ==5.8.18 || (<5.7 && >=4.18)
+		kernelReadFileIdStrs = map[int32]string{
+			0: "unknown",
+			1: "firmware",
+			2: "firmware",
+			3: "kernel-module",
+			4: "kexec-image",
+			5: "kexec-initramfs",
+			6: "security-policy",
+			7: "x509-certificate",
+		}
+	}
+}
+
+func ParseKernelReadFileId(id int32) (string, error) {
+	kernelReadFileIdStr, idExists := kernelReadFileIdStrs[id]
+	if !idExists {
+		return "", fmt.Errorf("kernelReadFileId doesn't exist in kernelReadFileIdStrs map")
+	}
+	return kernelReadFileIdStr, nil
+}
diff --git a/tracee-ebpf/tracee/consts.go b/tracee-ebpf/tracee/consts.go
@@ -949,7 +949,7 @@ var EventsIDToParams = map[int32][]external.ArgMeta{
 	SecuritySbMountEventID:        {{Type: "const char*", Name: "dev_name"}, {Type: "const char*", Name: "path"}, {Type: "const char*", Name: "type"}, {Type: "unsigned long", Name: "flags"}},
 	SecurityBPFEventID:            {{Type: "int", Name: "cmd"}},
 	SecurityBPFMapEventID:         {{Type: "unsigned int", Name: "map_id"}, {Type: "const char*", Name: "map_name"}},
-	SecurityKernelReadFileEventID: {{Type: "const char*", Name: "pathname"}, {Type: "dev_t", Name: "dev"}, {Type: "unsigned long", Name: "inode"}},
+	SecurityKernelReadFileEventID: {{Type: "const char*", Name: "pathname"}, {Type: "dev_t", Name: "dev"}, {Type: "unsigned long", Name: "inode"}, {Type: "const char*", Name: "type"}},
 	SecurityInodeMknodEventID:     {{Type: "const char*", Name: "file_name"}, {Type: "mode_t", Name: "mode"}, {Type: "dev_t", Name: "dev"}},
 	InitNamespacesEventID:         {{Type: "u32", Name: "cgroup"}, {Type: "u32", Name: "ipc"}, {Type: "u32", Name: "mnt"}, {Type: "u32", Name: "net"}, {Type: "u32", Name: "pid"}, {Type: "u32", Name: "pid_for_children"}, {Type: "u32", Name: "time"}, {Type: "u32", Name: "time_for_children"}, {Type: "u32", Name: "user"}, {Type: "u32", Name: "uts"}},
 }
diff --git a/tracee-ebpf/tracee/tracee.bpf.c b/tracee-ebpf/tracee/tracee.bpf.c
@@ -4074,11 +4074,12 @@ int BPF_KPROBE(trace_security_kernel_read_file)
 
     set_buf_off(SUBMIT_BUF_IDX, sizeof(context_t));
 
-    context_t context = init_and_save_context(ctx, submit_p, SECURITY_KERNEL_READ_FILE, 3 /*argnum*/, 0 /*ret*/);
+    context_t context = init_and_save_context(ctx, submit_p, SECURITY_KERNEL_READ_FILE, 4 /*argnum*/, 0 /*ret*/);
 
     struct file* file = (struct file*)PT_REGS_PARM1(ctx);
     dev_t s_dev = get_dev_from_file(file);
     unsigned long inode_nr = get_inode_nr_from_file(file);
+    enum kernel_read_file_id type_id = (enum kernel_read_file_id)PT_REGS_PARM2(ctx);
 
     // Get per-cpu string buffer
     buf_t *string_p = get_buf(STRING_BUF_IDX);
@@ -4099,6 +4100,7 @@ int BPF_KPROBE(trace_security_kernel_read_file)
     save_str_to_buf(submit_p, (void *)&string_p->buf[*off], DEC_ARG(0, *tags));
     save_to_submit_buf(submit_p, &s_dev, sizeof(dev_t), DEV_T_T, DEC_ARG(1, *tags));
     save_to_submit_buf(submit_p, &inode_nr, sizeof(unsigned long), ULONG_T, DEC_ARG(2, *tags));
+    save_to_submit_buf(submit_p, &type_id, sizeof(int), UINT_T, DEC_ARG(3, *tags));
 
     events_perf_submit(ctx);
     return 0;

diff --git a/tracee-rules/signatures/rego/kernel_module_loading.rego b/tracee-rules/signatures/rego/kernel_module_loading.rego
@@ -1,5 +1,7 @@
 package tracee.TRC_6
 
+import data.tracee.helpers
+
 __rego_metadoc__ := {
     "id": "TRC-6",
     "version": "0.1.0",
@@ -19,7 +21,7 @@ eventSelectors := [
     },
     {
         "source": "tracee",
-        "name": "finit_module"
+        "name": "security_kernel_read_file"
     }
 ]
 
@@ -32,6 +34,14 @@ tracee_match {
     input.eventName == "init_module"
 }
 
-tracee_match {
-    input.eventName == "finit_module"
+tracee_match = res {
+    input.eventName == "security_kernel_read_file"
+
+    load_type = helpers.get_tracee_argument("type")
+
+    load_type == "kernel-module"
+
+    res := {
+        "pathname": helpers.get_tracee_argument("pathname"),
+    }
 }
diff --git a/tracee-rules/signatures/rego/kernel_module_loading_test.rego b/tracee-rules/signatures/rego/kernel_module_loading_test.rego
@@ -9,6 +9,31 @@ test_match_1 {
 
 test_match_2 {
     tracee_match with input as {
+        "eventName": "security_kernel_read_file",
+        "argsNum": 4,
+        "args": [
+            {
+                "name": "pathname",
+                "value": "/path/to/kernel/module.ko"
+            },
+            {
+                "name": "dev",
+                "value": 100
+            },
+            {
+                "name": "inode",
+                "value": 4026532486
+            },
+            {
+                "name": "type",
+                "value": "kernel-module"
+            },
+        ]
+    }
+}
+
+test_match_deprecated_event {
+    not tracee_match with input as {
         "eventName": "finit_module",
         "argsNum": 0
     }
@@ -27,3 +52,27 @@ test_match_wrong_event {
     }
 }
 
+test_match_wrong_type {
+    not tracee_match with input as {
+        "eventName": "security_kernel_read_file",
+        "argsNum": 4,
+        "args": [
+            {
+                "name": "pathname",
+                "value": "/path/to/kernel/module.ko"
+            },
+            {
+                "name": "dev",
+                "value": 100
+            },
+            {
+                "name": "inode",
+                "value": 4026532486
+            },
+            {
+                "name": "type",
+                "value": "security-policy"
+            },
+        ]
+    }
+}