feat(ebpf): add security_sb_umount event

docs/docs/events/builtin/extra/security_sb_umount.md

@@ -0,0 +1,55 @@
+# security_sb_umount
+
+## Intro
+
+security_sb_umount - An event capturing the details when a file system is unmounted.
+
+## Description
+
+The event gets triggered whenever a file system is unmounted in the system, which
+could be a significant action from both a system administration and security
+perspective.
+
+By hooking into the kernel's `security_sb_umount` function, this eBPF program
+captures details such as the device name, the path that is being umounted, the type of the file system,
+and the flags provided for the umount operation.
+
+Monitoring such umount events can provide a deep understanding of system
+operations and potential anomalies.
+
+## Arguments
+
+1. **dev_name** (`const char*`): The name of the device being mounted.
+2. **path** (`const char*`): The destination path in the file system where the device will be mounted.
+3. **type** (`const char*`): The type of the file system being mounted (e.g., `ext4`, `nfs`, etc.).
+4. **flags** (`unsigned long`): The flags that specify the mount options. 
+
+## Hooks
+
+### trace_security_sb_umount
+
+#### Type
+
+Kprobe (using `kprobe/security_sb_umount`).
+
+#### Purpose
+
+To observe and gather data whenever a file system is unmounted. The captured
+details include the device name, mounting path, file system type, and flags. All
+this information is saved into a buffer and is then submitted to user-space for
+further analysis or logging.
+
+## Example Use Case
+
+By tracking the `security_sb_umount` event, system administrators can gain
+insights about what devices or file systems are being unmounted, ensuring that
+only authorized actions are taken and detecting unexpected umounts, which could
+be a potential sign of malicious activity or system misconfiguration.
+
+## Related Events
+
+To get a more comprehensive view of system operations related to storage, it's
+beneficial to monitor this event in conjunction with others, like file system
+mounting or device initialization events.
+
+> Note: This document was generated by OpenAI with a human review process.

mkdocs.yml

@@ -97,6 +97,7 @@ nav:
                             - security_file_mprotect: docs/events/builtin/extra/security_file_mprotect.md
                             - security_inode_unlink: docs/events/builtin/extra/security_inode_unlink.md
                             - security_sb_mount: docs/events/builtin/extra/security_sb_mount.md
+                            - security_sb_umount: docs/events/builtin/extra/security_sb_umount.md
                             - security_task_setrlimit: docs/events/builtin/extra/security_task_setrlimit.md
                             - security_socket_accept: docs/events/builtin/extra/security_socket_accept.md
                             - security_socket_bind: docs/events/builtin/extra/security_socket_bind.md

pkg/ebpf/c/tracee.bpf.c

@@ -5458,6 +5458,32 @@ int BPF_KPROBE(syscall_checker)
     return 0;
 }
 
+SEC("kprobe/security_sb_umount")
+int BPF_KPROBE(trace_security_sb_umount)
+{
+    program_data_t p = {};
+    if (!init_program_data(&p, ctx, SECURITY_SB_UMOUNT))
+        return 0;
+
+    if (!evaluate_scope_filters(&p))
+        return 0;
+
+    struct vfsmount *vfsmnt = (struct vfsmount *) PT_REGS_PARM1(ctx);
+    int flags = PT_REGS_PARM2(ctx);
+
+    const char *type = BPF_CORE_READ(vfsmnt, mnt_sb, s_type, name);
+
+    struct mount *m = real_mount(vfsmnt);
+    struct dentry *mnt_mountpoint = BPF_CORE_READ(m, mnt_mountpoint);
+    void *path_str = get_dentry_path_str(mnt_mountpoint);
+
+    save_str_to_buf(&p.event->args_buf, path_str, 0);
+    save_str_to_buf(&p.event->args_buf, (void *) type, 1);
+    save_to_submit_buf(&p.event->args_buf, &flags, sizeof(int), 2);
+
+    return events_perf_submit(&p, 0);
+}
+
 // clang-format off
 
 // Network Packets (works from ~5.2 and beyond)

pkg/ebpf/c/types.h

@@ -134,6 +134,7 @@ enum event_id_e
     SECURITY_TASK_SETRLIMIT,
     SECURITY_SETTIME64,
     CHMOD_COMMON,
+    SECURITY_SB_UMOUNT,
     MAX_EVENT_ID,
     NO_EVENT_SUBMIT,
 

pkg/ebpf/c/vmlinux.h

@@ -687,9 +687,15 @@ struct inode {
     struct file_operations *i_fop;
 };
 
+struct file_system_type {
+    const char *name;
+};
+
 struct super_block {
     dev_t s_dev;
+    struct file_system_type *s_type;
     unsigned long s_magic;
+    char s_id[32];
 };
 
 struct rb_root {
@@ -712,6 +718,7 @@ struct mm_struct {
 
 struct vfsmount {
     struct dentry *mnt_root;
+    struct super_block *mnt_sb;
 };
 
 struct mount {

pkg/ebpf/probes/probe_group.go

@@ -257,6 +257,7 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 		Dup3:                       NewTraceProbe(SyscallEnter, "dup3", "trace_dup3"),
 		Dup3Ret:                    NewTraceProbe(SyscallExit, "dup3", "trace_ret_dup3"),
 		ChmodCommon:                NewTraceProbe(KProbe, "chmod_common", "trace_chmod_common"),
+		SecuritySbUmount:           NewTraceProbe(KProbe, "security_sb_umount", "trace_security_sb_umount"),
 
 		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 		ExecTest:            NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),

pkg/ebpf/probes/probes.go

@@ -162,6 +162,7 @@ const (
 	Dup3
 	Dup3Ret
 	ChmodCommon
+	SecuritySbUmount
 )
 
 // Test probe handles

pkg/events/core.go

@@ -116,6 +116,7 @@ const (
 	SecurityTaskSetrlimit
 	SecuritySettime64
 	ChmodCommon
+	SecuritySbUmount
 	MaxCommonID
 )
 
@@ -13104,6 +13105,22 @@ var CoreEvents = map[ID]Definition{
 			{Type: "unsigned long", Name: "vma_flags"},
 		},
 	},
+	SecuritySbUmount: {
+		id:      SecuritySbUmount,
+		id32Bit: Sys32Undefined,
+		name:    "security_sb_umount",
+		dependencies: Dependencies{
+			probes: []Probe{
+				{handle: probes.SecuritySbUmount, required: true},
+			},
+		},
+		sets: []string{"default", "lsm_hooks", "fs"},
+		fields: []trace.ArgMeta{
+			{Type: "const char*", Name: "mountpoint"},
+			{Type: "const char*", Name: "type"},
+			{Type: "int", Name: "flags"},
+		},
+	},
 	//
 	// Begin of Signal Events (Control Plane)
 	//