fix #38 simplify clone probe

Signed-off-by: qjerome <qjerome@rawsec.lu>
kunai-project · Feb 5, 2024 · b0fd394 · b0fd394
1 parent 6a6ac8e
commit b0fd394
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 62 deletions.
diff --git a/kunai-ebpf/src/probes/clone.rs b/kunai-ebpf/src/probes/clone.rs
@@ -1,17 +1,9 @@
 use aya_bpf::programs::ProbeContext;
-use kunai_common::co_re::{kernel_clone_args, task_struct};
+use kunai_common::co_re::task_struct;
 
 use super::*;
 
-#[kprobe(name = "clone.enter.kernel_clone")]
-pub fn enter_kernel_clone(ctx: ProbeContext) -> u32 {
-    unsafe {
-        ignore_result!(ProbeFn::clone_kernel_clone.save_ctx(&ctx));
-    }
-    0
-}
-
-#[kprobe(name = "clone.enter.wake_up_new_task")]
+#[kprobe(name = "clone.enter.security_task_alloc")]
 pub fn enter_wake_up_new_task(ctx: ProbeContext) -> u32 {
     let rc = match unsafe { try_enter_wake_up_new_task(&ctx) } {
         Ok(_) => error::BPF_PROG_SUCCESS,
@@ -20,68 +12,60 @@ pub fn enter_wake_up_new_task(ctx: ProbeContext) -> u32 {
             error::BPF_PROG_FAILURE
         }
     };
-    // we cleanup saved context
-    ignore_result!(unsafe { ProbeFn::clone_kernel_clone.clean_ctx() });
     rc
 }
 
 unsafe fn try_enter_wake_up_new_task(ctx: &ProbeContext) -> ProbeResult<()> {
-    // makes sure we are inside kernel_clone
-    if let Ok(entry_ctx) = ProbeFn::clone_kernel_clone
-        .restore_ctx()
-        .map_err(ProbeError::from)
-        .and_then(|c| Ok(c.probe_context()))
-    {
-        let clone_args = kernel_clone_args::from_ptr(kprobe_arg!(&entry_ctx, 0)?);
-        let new_task = task_struct::from_ptr(kprobe_arg!(ctx, 0)?);
-        alloc::init()?;
+    let new_task = task_struct::from_ptr(kprobe_arg!(ctx, 0)?);
+    let clone_flags = kprobe_arg!(&ctx, 1)?;
 
-        let event = alloc::alloc_zero::<CloneEvent>()?;
+    alloc::init()?;
 
-        // initializing task
-        event.init_from_task(Type::Clone, new_task)?;
+    let event = alloc::alloc_zero::<CloneEvent>()?;
 
-        // setting clone flags
-        event.data.flags = core_read_kernel!(clone_args, flags)?;
+    // initializing task
+    event.init_from_task(Type::Clone, new_task)?;
 
-        let mm = core_read_kernel!(new_task, mm)?;
+    // setting clone flags
+    event.data.flags = clone_flags;
 
-        if mm.is_null() {
-            return Ok(());
-        }
+    let mm = core_read_kernel!(new_task, mm)?;
+
+    if mm.is_null() {
+        return Ok(());
+    }
+
+    let arg_start = core_read_kernel!(mm, arg_start)?;
+    let arg_len = core_read_kernel!(mm, arg_len)?;
 
-        let arg_start = core_read_kernel!(mm, arg_start)?;
-        let arg_len = core_read_kernel!(mm, arg_len)?;
+    // parsing executable
+    let exe_file = core_read_kernel!(mm, exe_file)?;
+    ignore_result!(inspect_err!(
+        event
+            .data
+            .executable
+            .core_resolve_file(&exe_file, MAX_PATH_DEPTH),
+        |e: &path::Error| warn!(ctx, "failed to resolve exe: {}", e.description())
+    ));
 
-        // parsing executable
-        let exe_file = core_read_kernel!(mm, exe_file)?;
+    // we check that arg_start is not a null pointer
+    if arg_start != 0 && arg_len != 0 {
         ignore_result!(inspect_err!(
             event
                 .data
-                .executable
-                .core_resolve_file(&exe_file, MAX_PATH_DEPTH),
-            |e: &path::Error| warn!(ctx, "failed to resolve exe: {}", e.description())
+                .argv
+                .read_user_at(arg_start as *const u8, arg_len as u32),
+            |_| warn!(ctx, "failed to read argv")
         ));
+    }
 
-        // we check that arg_start is not a null pointer
-        if arg_start != 0 && arg_len != 0 {
-            ignore_result!(inspect_err!(
-                event
-                    .data
-                    .argv
-                    .read_user_at(arg_start as *const u8, arg_len as u32),
-                |_| warn!(ctx, "failed to read argv")
-            ));
-        }
-
-        // cgroup parsing
-        let cgroup = core_read_kernel!(new_task, sched_task_group, css, cgroup)?;
-        if let Err(e) = event.data.cgroup.resolve(cgroup) {
-            warn!(ctx, "failed to resolve cgroup: {}", e.description());
-        }
-
-        pipe_event(ctx, event)
+    // cgroup parsing
+    let cgroup = core_read_kernel!(new_task, sched_task_group, css, cgroup)?;
+    if let Err(e) = event.data.cgroup.resolve(cgroup) {
+        warn!(ctx, "failed to resolve cgroup: {}", e.description());
     }
 
+    pipe_event(ctx, event);
+
     Ok(())
 }
diff --git a/kunai-ebpf/src/util.rs b/kunai-ebpf/src/util.rs
@@ -27,7 +27,6 @@ pub enum ProbeFn {
     fs_security_sb_mount,
     sk_sk_attach_prog,
     sk_reuseport_attach_prog,
-    clone_kernel_clone,
     security_path_unlink,
 }
 

diff --git a/kunai/src/lib.rs b/kunai/src/lib.rs
@@ -39,12 +39,6 @@ pub fn configure_probes(programs: &mut Programs, target: KernelVersion) {
     programs.expect_mut("fd.entry.__fdget").prio = 0;
     programs.expect_mut("fd.exit.__fdget").prio = 10;
 
-    // kernel function name changed above 5.9
-    // kernel_clone -> _do_fork
-    programs
-        .expect_mut("clone.enter.kernel_clone")
-        .rename_if(target < kernel!(5, 9), "clone.enter._do_fork");
-
     // path_mount -> do_mount
     programs
         .expect_mut("fs.exit.path_mount")