add getdents(64) syscalls
yanivagman committed Oct 2, 2019
1 parent 50c939e commit af9abf3
Showing 2 changed files with 24 additions and 3 deletions.
6 changes: 6 additions & 0 deletions container_event_monitor_ebpf.c
Expand Up @@ -78,6 +78,8 @@ enum event_id {
SYS_DELETE_MODULE,
SYS_SYMLINK,
SYS_SYMLINKAT,
SYS_GETDENTS,
SYS_GETDENTS64,
DO_EXIT,
CAP_CAPABLE,
};
Expand Down Expand Up @@ -560,6 +562,10 @@ TRACE_ENT_FUNC(sys_symlink);
TRACE_RET_FUNC(sys_symlink, SYS_SYMLINK, ARG_TYPE0(STR_T)|ARG_TYPE1(STR_T));
TRACE_ENT_FUNC(sys_symlinkat);
TRACE_RET_FUNC(sys_symlinkat, SYS_SYMLINKAT, ARG_TYPE0(STR_T)|ARG_TYPE1(INT_T)|ARG_TYPE2(STR_T));
TRACE_ENT_FUNC(sys_getdents);
TRACE_RET_FUNC(sys_getdents, SYS_GETDENTS, ARG_TYPE0(INT_T));
TRACE_ENT_FUNC(sys_getdents64);
TRACE_RET_FUNC(sys_getdents64, SYS_GETDENTS64, ARG_TYPE0(INT_T));


// Note: race condition may occur if a malicious user changes the arguments concurrently
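Review bot: Inserting SYS_GETDENTS and SYS_GETDENTS64 before DO_EXIT in `enum event_id` shifts the numeric values of DO_EXIT and CAP_CAPABLE, and container_tracer.py mirrors those numbers by hand (its hunk renumbers DO_EXIT/CAP_CAPABLE from 38/39 to 40/41), so the two tables must be edited in lockstep or events get decoded with the wrong struct without any error. Appending the two new IDs after CAP_CAPABLE would have kept every existing value stable, and a comment on the enum such as `// Mirrored by EventId in container_tracer.py: append only, never renumber` would make that invariant explicit. The two new TRACE_RET_FUNC lines record only the fd, so an event says a directory was enumerated but not which one; that is a reasonable hook for spotting directory-listing activity, but it is worth a comment next to those lines, since a `find` or `ls -R` inside a container will presumably emit a very large number of these events into the same buffer as the rarer, higher-value ones. Both the enum and the trace-function table continue outside the shown hunks.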
21 changes: 18 additions & 3 deletions container_tracer.py
Expand Up @@ -143,7 +143,7 @@
"memfd_create", "socket", "close", "ioctl", "access", "faccessat", "kill", "listen",
"connect", "accept", "accept4", "bind", "getsockname", "prctl", "ptrace",
"process_vm_writev", "process_vm_readv", "init_module", "finit_module", "delete_module",
"symlink", "symlinkat"]
"symlink", "symlinkat", "getdents", "getdents64"]

class EventType(object):
EVENT_ARG = 0
Expand Down Expand Up @@ -189,8 +189,10 @@ class EventId(object):
SYS_DELETE_MODULE = 35
SYS_SYMLINK = 36
SYS_SYMLINKAT = 37
DO_EXIT = 38
CAP_CAPABLE = 39
SYS_GETDENTS = 38
SYS_GETDENTS64 = 39
DO_EXIT = 40
CAP_CAPABLE = 41

class context_t(ctypes.Structure): # match layout of eBPF C's context_t struct
_fields_ = [("ts", ctypes.c_uint64),
Expand Down Expand Up @@ -415,6 +417,11 @@ class symlinkat_info_t(ctypes.Structure):
("newdirfd", ctypes.c_int),
("linkpath_loc", ctypes.c_uint),]

class getdents_info_t(ctypes.Structure):
_pack_ = 1
_fields_ = [("context", context_t),
("fd", ctypes.c_uint),]

class cap_info_t(ctypes.Structure):
_fields_ = [("context", context_t),
("capability", ctypes.c_int),]
Expand Down Expand Up @@ -948,6 +955,14 @@ def print_event(self, cpu, data, size):
args.append(self.get_string_from_buf(cpu, int(event.target_loc)))
args.append(str(event.newdirfd))
args.append(self.get_string_from_buf(cpu, int(event.linkpath_loc)))
elif context.eventid == EventId.SYS_GETDENTS:
eventname = "getdents"
event = ctypes.cast(data, ctypes.POINTER(getdents_info_t)).contents
args.append(str(event.fd))
elif context.eventid == EventId.SYS_GETDENTS64:
eventname = "getdents64"
event = ctypes.cast(data, ctypes.POINTER(getdents_info_t)).contents
args.append(str(event.fd))
elif context.eventid == EventId.SYS_CLONE:
eventname = "clone"
elif context.eventid == EventId.SYS_FORK:
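Review bot: `getdents_info_t` sets `_pack_ = 1` while the neighbouring `cap_info_t` (and, as far as the hunk shows, `symlinkat_info_t`) does not, so the Python mirrors of the eBPF-side event structs follow two different layout rules; unless the C struct for getdents is declared packed and the others are not, one of the conventions is wrong and `fd` could be read from the wrong offset, which I cannot confirm without the C struct definitions, so please check against container_event_monitor_ebpf.c. A one-line comment on the class, `# mirrors the getdents event struct in container_event_monitor_ebpf.c; keep layout in sync`, would help the next person who touches either file. The two new branches in print_event are identical apart from the name and can be folded into a single `elif context.eventid in (EventId.SYS_GETDENTS, EventId.SYS_GETDENTS64):` branch that picks `eventname` with a conditional expression and shares the cast and `args.append`. The EventId class and print_event both start outside the shown hunks.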
