Merge branch 'aquasecurity:main' into traceectl

aquasecurity · Feb 2, 2025 · a824494 · a824494
2 parents 8a507ef + a13d497
commit a824494
Show file tree

Hide file tree

Showing 14 changed files with 70 additions and 35 deletions.
diff --git a/pkg/ebpf/c/common/task.h b/pkg/ebpf/c/common/task.h
@@ -28,7 +28,7 @@ statfunc u64 get_task_start_time(struct task_struct *task);
 statfunc u32 get_task_host_pid(struct task_struct *task);
 statfunc u32 get_task_host_tgid(struct task_struct *task);
 statfunc struct task_struct *get_parent_task(struct task_struct *task);
-statfunc u32 get_task_exit_code(struct task_struct *task);
+statfunc int get_task_exit_code(struct task_struct *task);
 statfunc int get_task_parent_flags(struct task_struct *task);
 statfunc const struct cred *get_task_real_cred(struct task_struct *task);
 
@@ -195,7 +195,7 @@ statfunc struct task_struct *get_leader_task(struct task_struct *task)
     return BPF_CORE_READ(task, group_leader);
 }
 
-statfunc u32 get_task_exit_code(struct task_struct *task)
+statfunc int get_task_exit_code(struct task_struct *task)
 {
     return BPF_CORE_READ(task, exit_code);
 }

diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1547,7 +1547,6 @@ int tracepoint__sched__sched_process_exit(struct bpf_raw_tracepoint_args *ctx)
     if (!policies_matched(p.event))
         return 0;
 
-    long exit_code = get_task_exit_code(p.event->task);
     bool group_dead = false;
     struct task_struct *task = p.event->task;
     struct signal_struct *signal = BPF_CORE_READ(task, signal);
@@ -1559,8 +1558,16 @@ int tracepoint__sched__sched_process_exit(struct bpf_raw_tracepoint_args *ctx)
         group_dead = true;
     }
 
-    save_to_submit_buf(&p.event->args_buf, (void *) &exit_code, sizeof(long), 0);
-    save_to_submit_buf(&p.event->args_buf, (void *) &group_dead, sizeof(bool), 1);
+    // extract exit code and signal values
+    int exit_code = get_task_exit_code(p.event->task);
+    int exit_code_real = exit_code >> 8;
+
+    save_to_submit_buf(&p.event->args_buf, (void *) &exit_code_real, sizeof(int), 0);
+    if (task_flags & PF_SIGNALED) {
+        int signal_code = exit_code & 0xFF;
+        save_to_submit_buf(&p.event->args_buf, (void *) &signal_code, sizeof(int), 1);
+    }
+    save_to_submit_buf(&p.event->args_buf, (void *) &group_dead, sizeof(bool), 2);
 
     events_perf_submit(&p, 0);
 
@@ -7155,10 +7162,17 @@ int sched_process_exit_signal(struct bpf_raw_tracepoint_args *ctx)
     if (live.counter == 0)
         group_dead = true;
 
-    long exit_code = get_task_exit_code(task);
+    // extract exit code and signal values
+    int task_flags = get_task_flags(task);
+    int exit_code = get_task_exit_code(task);
+    int exit_code_real = exit_code >> 8;
 
-    save_to_submit_buf(&signal->args_buf, (void *) &exit_code, sizeof(long), 4);
-    save_to_submit_buf(&signal->args_buf, (void *) &group_dead, sizeof(bool), 5);
+    save_to_submit_buf(&signal->args_buf, (void *) &exit_code_real, sizeof(int), 4);
+    if (task_flags & PF_SIGNALED) {
+        int signal_code = exit_code & 0xFF;
+        save_to_submit_buf(&signal->args_buf, (void *) &signal_code, sizeof(int), 5);
+    }
+    save_to_submit_buf(&signal->args_buf, (void *) &group_dead, sizeof(bool), 6);
 
     signal_perf_submit(ctx, signal);
 

diff --git a/pkg/ebpf/controlplane/processes.go b/pkg/ebpf/controlplane/processes.go
@@ -219,7 +219,11 @@ func (ctrl *Controller) procTreeExitProcessor(args []trace.Argument) error {
 	// }
 
 	// // Exit logic arguments
-	// exitFeed.ExitCode, err = parse.ArgVal[int64](args, "exit_code")
+	// exitFeed.ExitCode, err = parse.ArgVal[int32](args, "exit_code")
+	// if err != nil {
+	// 	return err
+	// }
+	// exitFeed.SignalCode, err = parse.ArgVal[int32](args, "signal_code")
 	// if err != nil {
 	// 	return err
 	// }

diff --git a/pkg/ebpf/controlplane/processes_bench_test.go b/pkg/ebpf/controlplane/processes_bench_test.go
@@ -98,7 +98,8 @@ func Benchmark_procTreeExitProcessor(b *testing.B) {
 		{ArgMeta: trace.ArgMeta{Name: "task_hash"}, Value: uint32(1)},
 		{ArgMeta: trace.ArgMeta{Name: "parent_hash"}, Value: uint32(1)},
 		{ArgMeta: trace.ArgMeta{Name: "leader_hash"}, Value: uint32(1)},
-		{ArgMeta: trace.ArgMeta{Name: "exit_code"}, Value: int64(1)},
+		{ArgMeta: trace.ArgMeta{Name: "exit_code"}, Value: int32(1)},
+		{ArgMeta: trace.ArgMeta{Name: "signal_code"}, Value: int32(1)},
 		{ArgMeta: trace.ArgMeta{Name: "process_group_exit"}, Value: true},
 	}
 

diff --git a/pkg/ebpf/processor.go b/pkg/ebpf/processor.go
@@ -131,6 +131,8 @@ func (t *Tracee) registerEventProcessors() {
 	t.RegisterEventProcessor(events.PrintMemDump, t.processTriggeredEvent)
 	t.RegisterEventProcessor(events.PrintMemDump, t.processPrintMemDump)
 	t.RegisterEventProcessor(events.SharedObjectLoaded, t.processSharedObjectLoaded)
+	t.RegisterEventProcessor(events.SuspiciousSyscallSource, t.convertSyscallIDToName)
+	t.RegisterEventProcessor(events.StackPivot, t.convertSyscallIDToName)
 
 	//
 	// Uprobe based events processors

diff --git a/pkg/ebpf/processor_funcs.go b/pkg/ebpf/processor_funcs.go
@@ -487,3 +487,25 @@ func (t *Tracee) removeIrrelevantContext(event *trace.Event) error {
 
 	return nil
 }
+
+func (t *Tracee) convertSyscallIDToName(event *trace.Event) error {
+	syscallArg := events.GetArg(event, "syscall")
+	if syscallArg == nil {
+		return errfmt.Errorf("cannot find syscall argument")
+	}
+
+	syscallID, ok := syscallArg.Value.(int32)
+	if !ok {
+		return errfmt.Errorf("cannot convert syscall arg to ID")
+	}
+	syscallDef := events.Core.GetDefinitionByID(events.ID(syscallID))
+	// no need to check for NotValid() since it is syscall only if it's a valid event
+	if !syscallDef.IsSyscall() {
+		return errfmt.Errorf("invalid syscall ID %d", syscallID)
+	}
+
+	syscallArg.Type = "string"
+	syscallArg.Value = syscallDef.GetName()
+
+	return nil
+}
diff --git a/pkg/ebpf/processor_proctree.go b/pkg/ebpf/processor_proctree.go
@@ -197,7 +197,7 @@ func (t *Tracee) procTreeExitProcessor(event *trace.Event) error {
 	defer t.processTree.PutExitFeedInPool(exitFeed)
 
 	// // Exit logic arguments
-	// exitFeed.ExitCode, err = parse.ArgVal[int64](event.Args, "exit_code")
+	// exitFeed.ExitCode, err = parse.ArgVal[int32](event.Args, "exit_code")
 	// if err != nil {
 	// 	return err
 	// }

diff --git a/pkg/ebpf/processor_proctree_bench_test.go b/pkg/ebpf/processor_proctree_bench_test.go
@@ -94,7 +94,8 @@ func Benchmark_procTreeExitProcessor(b *testing.B) {
 
 	event := &trace.Event{
 		Args: []trace.Argument{
-			{ArgMeta: trace.ArgMeta{Name: "exit_code"}, Value: int64(1)},
+			{ArgMeta: trace.ArgMeta{Name: "exit_code"}, Value: int32(1)},
+			{ArgMeta: trace.ArgMeta{Name: "signal_code"}, Value: int32(1)},
 			{ArgMeta: trace.ArgMeta{Name: "process_group_exit"}, Value: true},
 		},
 	}

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -11213,7 +11213,8 @@ var CoreEvents = map[ID]Definition{
 		},
 		sets: []string{"proc", "proc_life"},
 		fields: []trace.ArgMeta{
-			{Type: "long", Name: "exit_code"},
+			{Type: "int", Name: "exit_code"},
+			{Type: "int", Name: "signal_code"},
 			// The field value represents that all threads exited at the event time.
 			// Multiple exits of threads of the same process group at the same time could result that all threads exit
 			// events would have 'true' value in this field altogether.
@@ -13075,7 +13076,7 @@ var CoreEvents = map[ID]Definition{
 		},
 		sets: []string{},
 		fields: []trace.ArgMeta{
-			{Type: "int", Name: "syscall"},
+			{Type: "int", Name: "syscall"}, // converted to syscall name (string) at processing stage
 			{Type: "void*", Name: "ip"},
 			{Type: "char*", Name: "vma_type"},
 			{Type: "void*", Name: "vma_start"},
@@ -13095,7 +13096,7 @@ var CoreEvents = map[ID]Definition{
 		},
 		sets: []string{},
 		fields: []trace.ArgMeta{
-			{Type: "int", Name: "syscall"},
+			{Type: "int", Name: "syscall"}, // converted to syscall name (string) at processing stage
 			{Type: "void*", Name: "sp"},
 			{Type: "char*", Name: "vma_type"},
 			{Type: "void*", Name: "vma_start"},
@@ -13234,7 +13235,8 @@ var CoreEvents = map[ID]Definition{
 			{Type: "u32", Name: "task_hash"},
 			{Type: "u32", Name: "parent_hash"},
 			{Type: "u32", Name: "leader_hash"},
-			{Type: "long", Name: "exit_code"},
+			{Type: "int", Name: "exit_code"},
+			{Type: "int", Name: "signal_code"},
 			{Type: "bool", Name: "process_group_exit"},
 		},
 	},

diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go
@@ -240,16 +240,6 @@ func ParseArgs(event *trace.Event) error {
 			}
 		}
 	case SuspiciousSyscallSource, StackPivot:
-		if syscallArg := GetArg(event, "syscall"); syscallArg != nil {
-			if id, isInt32 := syscallArg.Value.(int32); isInt32 {
-				eventDefinition := Core.GetDefinitionByID(ID(id))
-				// no need to check for NotValid() since it is syscall only if it's a valid event
-				if eventDefinition.IsSyscall() {
-					syscallArg.Value = eventDefinition.GetName()
-					syscallArg.Type = "string"
-				}
-			}
-		}
 		if vmaFlagsArg := GetArg(event, "vma_flags"); vmaFlagsArg != nil {
 			if flags, isUint64 := vmaFlagsArg.Value.(uint64); isUint64 {
 				vmaFlagsArg.Type = "string"

diff --git a/pkg/proctree/proctree_feed.go b/pkg/proctree/proctree_feed.go
@@ -281,7 +281,8 @@ type ExitFeed struct {
 	TaskHash   uint32
 	ParentHash uint32
 	LeaderHash uint32
-	ExitCode   int64
+	ExitCode   int32
+	SignalCode int32
 	Group      bool
 }
 

diff --git a/pkg/server/grpc/event_data_test.go b/pkg/server/grpc/event_data_test.go
@@ -87,15 +87,15 @@ func Test_getEventData(t *testing.T) {
 			args: []trace.Argument{
 				{
 					ArgMeta: trace.ArgMeta{
-						Name: "exit_code",
+						Name: "newmask",
 						Type: "long",
 					},
 					Value: int64(1000),
 				},
 			},
 			expected: []*pb.EventValue{
 				{
-					Name: "exit_code",
+					Name: "newmask",
 					Value: &pb.EventValue_Int64{
 						Int64: 1000,
 					},

diff --git a/tests/e2e-inst-signatures/e2e-stack_pivot.go b/tests/e2e-inst-signatures/e2e-stack_pivot.go
@@ -3,7 +3,6 @@ package main
 import (
 	"fmt"
 
-	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/signatures/helpers"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
@@ -46,7 +45,7 @@ func (sig *e2eStackPivot) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "stack_pivot":
-		syscall, err := helpers.ArgVal[int32](eventObj.Args, "syscall")
+		syscall, err := helpers.ArgVal[string](eventObj.Args, "syscall")
 		if err != nil {
 			return err
 		}
@@ -56,7 +55,7 @@ func (sig *e2eStackPivot) OnEvent(event protocol.Event) error {
 		}
 
 		// Make sure this is the exact event we're looking for
-		if eventObj.ProcessName == "stack_pivot" && syscall == int32(events.ExitGroup) && vmaType == "heap" {
+		if eventObj.ProcessName == "stack_pivot" && syscall == "exit_group" && vmaType == "heap" {
 			// Make sure there was no false positive
 			if !sig.falsePositive {
 				m, _ := sig.GetMetadata()

diff --git a/tests/e2e-inst-signatures/e2e-suspicious_syscall_source.go b/tests/e2e-inst-signatures/e2e-suspicious_syscall_source.go
@@ -3,7 +3,6 @@ package main
 import (
 	"fmt"
 
-	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/signatures/helpers"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
@@ -49,7 +48,7 @@ func (sig *e2eSuspiciousSyscallSource) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "suspicious_syscall_source":
-		syscall, err := helpers.ArgVal[int32](eventObj.Args, "syscall")
+		syscall, err := helpers.ArgVal[string](eventObj.Args, "syscall")
 		if err != nil {
 			return err
 		}
@@ -60,7 +59,7 @@ func (sig *e2eSuspiciousSyscallSource) OnEvent(event protocol.Event) error {
 
 		// check expected values from test for detection
 
-		if syscall != int32(events.Exit) {
+		if syscall != "exit" {
 			return nil
 		}