-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update: add monitoring of mprotect parameters #174
Conversation
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Hi @loresuso. Thanks for your PR. I'm waiting for a falcosecurity member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great! Thank you!
@FedeDP: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is great!! |
/ok-to-test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
LGTM label has been added. Git tree hash: 3d6af6c5775505216a7a2d7bcb8282e0f61c1e9a
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: leogr, loresuso The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area driver-kmod
/area driver-ebpf
What this PR does / why we need it:
I noticed that we were missing monitoring parameters of the
mprotect
syscall. I think that the latter can be used for malicious purposes, for instance:In general, it may be interesting monitoring pages permissions transitions: every time a page passes from writable permissions to executable ones and vice versa, it may be a clue of something malicious going on. These transitions may be monitored by inspecting
/proc/<pid>/maps
on process startup and using the parameters of everymprotect
andmmap
syscalls to check if a valid transition occurred or not. Let me know what do you think about this, maybe we can use this PR to share more ideas!You can test this system call with this simple C program.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: