
tracee-ebpf: add security_bpf{,_map} events (#617) #739

Merged (1 commit) on Jun 2, 2021

Conversation

rafaeldtinoco (Contributor)

Add the following events to tracee-ebpf:

  • security_bpf: allows bpf() syscall command to be traced.
  • security_bpf_map: called from bpf() BPF_MAP_GET_FD_BY_ID command.

The first is important for generic bpf syscall tracing, while the latter
is triggered whenever some process tries to get an eBPF MAP fd in order
to read or update MAP contents: an important feature for tampering
prevention.

Signed-off-by: Rafael David Tinoco <rafaeldtinoco@gmail.com>
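One shape the tamper-detection rule could take once these two events exist, as an added example that is not part of this PR or of tracee's own code: the event struct, its field names, the tracer pid and the sample event stream are all constructed for this example, and 14 is the kernel's enum bpf_cmd value for BPF_MAP_GET_FD_BY_ID.

```go
package main

// Constructed event shape for this example only (not tracee's own type): a
// security_bpf event carries the bpf() command, a security_bpf_map the map.
type BpfEvent struct {
	Name    string // "security_bpf" or "security_bpf_map"
	PID     int
	Comm    string
	Cmd     int    // bpf() command (security_bpf only)
	MapID   uint32 // kernel map id (security_bpf_map only)
	MapName string // map name (security_bpf_map only)
}

// BPF_MAP_GET_FD_BY_ID from the kernel's enum bpf_cmd.
const bpfMapGetFdByID = 14

// Alert records a foreign process that obtained an fd to one of the tracer's maps.
type Alert struct{ PID int; Comm string; MapName string }

// DetectMapTamper correlates the two events: a security_bpf with
// cmd == BPF_MAP_GET_FD_BY_ID marks the pid as looking a map up by id, and the
// security_bpf_map that follows from the same pid names the map. A hit on a
// map the tracer owns, from any pid but the tracer's own, is an alert.
func DetectMapTamper(events []BpfEvent, selfPID int, ownedMaps map[uint32]bool) []Alert {
	var alerts []Alert
	lastCmd := map[int]int{} // most recent bpf() command seen per pid
	for _, ev := range events {
		switch ev.Name {
		case "security_bpf":
			lastCmd[ev.PID] = ev.Cmd
		case "security_bpf_map":
			if ev.PID == selfPID || lastCmd[ev.PID] != bpfMapGetFdByID || !ownedMaps[ev.MapID] {
				continue
			}
			alerts = append(alerts, Alert{PID: ev.PID, Comm: ev.Comm, MapName: ev.MapName})
		}
	}
	return alerts
}

// SampleEvents is a constructed stream: the tracer (pid 100) reading its own
// map, then a stranger grabbing that same map by id.
func SampleEvents() []BpfEvent {
	return []BpfEvent{
		{Name: "security_bpf", PID: 100, Comm: "tracee-ebpf", Cmd: bpfMapGetFdByID},
		{Name: "security_bpf_map", PID: 100, Comm: "tracee-ebpf", MapID: 7, MapName: "events"},
		{Name: "security_bpf", PID: 4242, Comm: "bpftool", Cmd: bpfMapGetFdByID},
		{Name: "security_bpf_map", PID: 4242, Comm: "bpftool", MapID: 7, MapName: "events"},
	}
}
```

Running `DetectMapTamper(SampleEvents(), 100, map[uint32]bool{7: true})` yields a single alert for pid 4242 on map "events"; the tracer's own lookup is filtered out by pid.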

@yanivagman (Collaborator) left a comment:

Thanks @rafaeldtinoco
After this is merged we can think about how we are going to implement the rule that checks if there was a tamper attempt

@yanivagman (Collaborator):

Thanks @rafaeldtinoco!
