implement show-exec-env in go

aquasecurity · Mar 3, 2020 · fd8a89b · fd8a89b
1 parent 7278173
commit fd8a89b
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/main.go b/main.go
@@ -23,6 +23,7 @@ func main() {
 				c.StringSlice("events-to-trace"),
 				c.Bool("container"),
 				c.Bool("detect-original-syscall"),
+				c.Bool("show-exec-env"),
 				c.String("output"),
 			)
 			if err != nil {
@@ -65,6 +66,11 @@ func main() {
 				Value: false,
 				Usage: "when tracing kernel functions which are not syscalls (such as cap_capable), detect and show the original syscall that called that function",
 			},
+			&cli.BoolFlag{
+				Name:  "show-exec-env",
+				Value: false,
+				Usage: "when tracing execve/execveat, show environment variables",
+			},
 		},
 	}
 

diff --git a/tracee/consts.go b/tracee/consts.go
@@ -411,4 +411,5 @@ type bpfConfig uint32
 const (
 	CONFIG_CONT_MODE           bpfConfig = 0
 	CONFIG_DETECT_ORIG_SYSCALL bpfConfig = 1
+	CONFIG_EXEC_ENV            bpfConfig = 2
 )
diff --git a/tracee/tracee.go b/tracee/tracee.go
@@ -56,6 +56,7 @@ type TraceeConfig struct {
 	EventsToTrace         []int32
 	ContainerMode         bool
 	DetectOriginalSyscall bool
+	ShowExecEnv           bool
 	OutputFormat          string
 }
 
@@ -79,7 +80,7 @@ func (tc TraceeConfig) Validate() error {
 // default values:
 //   eventsToTrace: all events
 //   outputFormat: table
-func NewConfig(eventsToTrace []string, containerMode bool, detectOriginalSyscall bool, outputFormat string) (*TraceeConfig, error) {
+func NewConfig(eventsToTrace []string, containerMode bool, detectOriginalSyscall bool, showExecEnv bool, outputFormat string) (*TraceeConfig, error) {
 	var eventsToTraceInternal []int32
 	if eventsToTrace == nil {
 		eventsToTraceInternal = make([]int32, 0, len(EventsIDToName))
@@ -103,6 +104,7 @@ func NewConfig(eventsToTrace []string, containerMode bool, detectOriginalSyscall
 		EventsToTrace:         eventsToTraceInternal,
 		ContainerMode:         containerMode,
 		DetectOriginalSyscall: detectOriginalSyscall,
+		ShowExecEnv:           showExecEnv,
 		OutputFormat:          outputFormat,
 	}
 
@@ -233,6 +235,9 @@ func (t *Tracee) initBPF() error {
 	binary.LittleEndian.PutUint32(key, uint32(CONFIG_DETECT_ORIG_SYSCALL))
 	binary.LittleEndian.PutUint32(leaf, boolToUInt32(t.config.DetectOriginalSyscall))
 	bpfConfig.Set(key, leaf)
+	binary.LittleEndian.PutUint32(key, uint32(CONFIG_EXEC_ENV))
+	binary.LittleEndian.PutUint32(leaf, boolToUInt32(t.config.ShowExecEnv))
+	bpfConfig.Set(key, leaf)
 
 	eventsBPFTable := bpf.NewTable(t.bpfModule.TableId("events"), t.bpfModule)
 	t.eventsChannel = make(chan []byte, 1000)