[CWS] replace tracepoint hook with kprobes for mmap event (#26015)

DataDog · May 29, 2024 · 38fc5b1 · 38fc5b1
1 parent 553bb7f
commit 38fc5b1
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 68 deletions.
diff --git a/pkg/security/ebpf/c/include/constants/fentry_macro.h b/pkg/security/ebpf/c/include/constants/fentry_macro.h
@@ -29,6 +29,7 @@ typedef unsigned long long ctx_t;
 #define CTX_PARM2(ctx) (u64)(ctx[1])
 #define CTX_PARM3(ctx) (u64)(ctx[2])
 #define CTX_PARM4(ctx) (u64)(ctx[3])
+#define CTX_PARM5(ctx) (u64)(ctx[4])
 
 #define CTX_PARMRET(ctx, argc) (u64)(ctx[argc])
 #define SYSCALL_PARMRET(ctx) CTX_PARMRET(ctx, 1)
@@ -61,6 +62,7 @@ typedef struct pt_regs ctx_t;
 #define CTX_PARM2(ctx) PT_REGS_PARM2(ctx)
 #define CTX_PARM3(ctx) PT_REGS_PARM3(ctx)
 #define CTX_PARM4(ctx) PT_REGS_PARM4(ctx)
+#define CTX_PARM5(ctx) PT_REGS_PARM5(ctx)
 
 #define CTX_PARMRET(ctx, _argc) PT_REGS_RC(ctx)
 #define SYSCALL_PARMRET(ctx) CTX_PARMRET(ctx, _)

diff --git a/pkg/security/ebpf/c/include/hooks/mmap.h b/pkg/security/ebpf/c/include/hooks/mmap.h
@@ -7,8 +7,12 @@
 #include "helpers/filesystem.h"
 #include "helpers/syscalls.h"
 
-SEC("tracepoint/syscalls/sys_enter_mmap")
-int tracepoint_syscalls_sys_enter_mmap(void *args) {
+HOOK_ENTRY("vm_mmap_pgoff")
+int hook_vm_mmap_pgoff(ctx_t *ctx) {
+    u64 len = CTX_PARM3(ctx);
+    u64 prot = CTX_PARM4(ctx);
+    u64 flags = CTX_PARM5(ctx);
+
     struct policy_t policy = fetch_policy(EVENT_MMAP);
     if (is_discarded_by_process(policy.mode, EVENT_MMAP)) {
         return 0;
@@ -17,23 +21,27 @@ int tracepoint_syscalls_sys_enter_mmap(void *args) {
     struct syscall_cache_t syscall = {
         .type = EVENT_MMAP,
         .policy = policy,
+        .mmap.len = len,
+        .mmap.protection = prot,
+        .mmap.flags = flags,
     };
 
-    u64 sys_enter_mmap_off_offset;
-    LOAD_CONSTANT("sys_enter_mmap_off_offset", sys_enter_mmap_off_offset);
-    u64 sys_enter_mmap_len_offset;
-    LOAD_CONSTANT("sys_enter_mmap_len_offset", sys_enter_mmap_len_offset);
-    u64 sys_enter_mmap_prot_offset;
-    LOAD_CONSTANT("sys_enter_mmap_prot_offset", sys_enter_mmap_prot_offset);
-    u64 sys_enter_mmap_flags_offset;
-    LOAD_CONSTANT("sys_enter_mmap_flags_offset", sys_enter_mmap_flags_offset);
+    cache_syscall(&syscall);
+    return 0;
+}
+
+// we need this hook because it passes the `pgoff` argument in one of the first parameters
+// and not in position 5 or 6 where we cannot read it
+HOOK_ENTRY("get_unmapped_area")
+int hook_get_unmapped_area(ctx_t *ctx) {
+    struct syscall_cache_t *syscall = peek_syscall(EVENT_MMAP);
+    if (!syscall) {
+        return 0;
+    }
 
-    bpf_probe_read(&syscall.mmap.offset, sizeof(u64), args + sys_enter_mmap_off_offset);
-    bpf_probe_read(&syscall.mmap.len, sizeof(u64), args + sys_enter_mmap_len_offset);
-    bpf_probe_read(&syscall.mmap.protection, sizeof(u64), args + sys_enter_mmap_prot_offset);
-    bpf_probe_read(&syscall.mmap.flags, sizeof(u64), args + sys_enter_mmap_flags_offset);
+    u64 offset = CTX_PARM4(ctx);
+    syscall->mmap.offset = offset;
 
-    cache_syscall(&syscall);
     return 0;
 }
 
@@ -77,9 +85,10 @@ int __attribute__((always_inline)) sys_mmap_ret(void *ctx, int retval, u64 addr)
     return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_mmap")
-int tracepoint_syscalls_sys_exit_mmap(struct tracepoint_syscalls_sys_exit_mmap_t *args) {
-    return sys_mmap_ret(args, (int)args->ret, (u64)args->ret);
+HOOK_EXIT("vm_mmap_pgoff")
+int rethook_vm_mmap_pgoff(ctx_t *ctx) {
+    u64 ret = CTX_PARMRET(ctx, 6);
+    return sys_mmap_ret(ctx, (int)ret, ret);
 }
 
 HOOK_ENTRY("security_mmap_file")

diff --git a/pkg/security/ebpf/probes/event_types.go b/pkg/security/ebpf/probes/event_types.go
@@ -374,10 +374,14 @@ func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSe
 		// List of probes required to capture mmap events
 		"mmap": {
 			&manager.AllOf{Selectors: []manager.ProbesSelector{
-				&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFFuncName: "tracepoint_syscalls_sys_enter_mmap"}},
-				&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFFuncName: "tracepoint_syscalls_sys_exit_mmap"}},
+				kprobeOrFentry("vm_mmap_pgoff"),
+				kretprobeOrFexit("vm_mmap_pgoff"),
 				kprobeOrFentry("security_mmap_file"),
-			}}},
+			}},
+			&manager.BestEffort{Selectors: []manager.ProbesSelector{
+				kprobeOrFentry("get_unmapped_area"),
+			}},
+		},
 
 		// List of probes required to capture mprotect events
 		"mprotect": {

diff --git a/pkg/security/ebpf/probes/mmap.go b/pkg/security/ebpf/probes/mmap.go
@@ -21,13 +21,19 @@ func getMMapProbes() []*manager.Probe {
 		{
 			ProbeIdentificationPair: manager.ProbeIdentificationPair{
 				UID:          SecurityAgentUID,
-				EBPFFuncName: "tracepoint_syscalls_sys_enter_mmap",
+				EBPFFuncName: "hook_vm_mmap_pgoff",
 			},
 		},
 		{
 			ProbeIdentificationPair: manager.ProbeIdentificationPair{
 				UID:          SecurityAgentUID,
-				EBPFFuncName: "tracepoint_syscalls_sys_exit_mmap",
+				EBPFFuncName: "rethook_vm_mmap_pgoff",
+			},
+		},
+		{
+			ProbeIdentificationPair: manager.ProbeIdentificationPair{
+				UID:          SecurityAgentUID,
+				EBPFFuncName: "hook_get_unmapped_area",
 			},
 		},
 	}

diff --git a/pkg/security/probe/constantfetch/constant_names.go b/pkg/security/probe/constantfetch/constant_names.go
@@ -33,10 +33,6 @@ const (
 	// tracepoints
 	OffsetNameSchedProcessForkParentPid = "sched_process_fork_parent_pid_offset"
 	OffsetNameSchedProcessForkChildPid  = "sched_process_fork_child_pid_offset"
-	OffsetNameSysMmapOff                = "sys_enter_mmap_off_offset"
-	OffsetNameSysMmapLen                = "sys_enter_mmap_len_offset"
-	OffsetNameSysMmapProt               = "sys_enter_mmap_prot_offset"
-	OffsetNameSysMmapFlags              = "sys_enter_mmap_flags_offset"
 
 	// bpf offsets
 	OffsetNameBPFMapStructID                  = "bpf_map_id_offset"

diff --git a/pkg/security/probe/constantfetch/quirks.go b/pkg/security/probe/constantfetch/quirks.go
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -1636,22 +1636,6 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts, wmeta optional
 			Name:  constantfetch.OffsetNameSchedProcessForkParentPid,
 			Value: constantfetch.ReadTracepointFieldOffsetWithFallback("sched/sched_process_fork", "parent_pid", 24),
 		},
-		manager.ConstantEditor{
-			Name:  constantfetch.OffsetNameSysMmapOff,
-			Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "off", 56) + constantfetch.GetRHEL93MMapDelta(p.kernelVersion),
-		},
-		manager.ConstantEditor{
-			Name:  constantfetch.OffsetNameSysMmapLen,
-			Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "len", 24) + constantfetch.GetRHEL93MMapDelta(p.kernelVersion),
-		},
-		manager.ConstantEditor{
-			Name:  constantfetch.OffsetNameSysMmapProt,
-			Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "prot", 32) + constantfetch.GetRHEL93MMapDelta(p.kernelVersion),
-		},
-		manager.ConstantEditor{
-			Name:  constantfetch.OffsetNameSysMmapFlags,
-			Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "flags", 40) + constantfetch.GetRHEL93MMapDelta(p.kernelVersion),
-		},
 	)
 
 	areCGroupADsEnabled := config.RuntimeSecurity.ActivityDumpTracedCgroupsCount > 0