

[CWS] switch auid hooks to fentry (DataDog#28769)
paulcacheux authored Nov 29, 2024
1 parent 8c32e54 commit 98b799c
Showing 4 changed files with 29 additions and 14 deletions.
12 changes: 6 additions & 6 deletions pkg/security/ebpf/c/include/hooks/login_uid.h
Expand Up @@ -3,22 +3,22 @@

#include "helpers/syscalls.h"

SEC("kprobe/audit_set_loginuid")
int hook_audit_set_loginuid(struct pt_regs *ctx) {
HOOK_ENTRY("audit_set_loginuid")
int hook_audit_set_loginuid(ctx_t *ctx) {
struct syscall_cache_t syscall = {
.type = EVENT_LOGIN_UID_WRITE,
.login_uid = {
.auid = (u32)PT_REGS_PARM1(ctx),
.auid = (u32)CTX_PARM1(ctx),
},
};

cache_syscall(&syscall);
return 0;
}

SEC("kretprobe/audit_set_loginuid")
int rethook_audit_set_loginuid(struct pt_regs *ctx) {
int retval = PT_REGS_RC(ctx);
HOOK_EXIT("audit_set_loginuid")
int rethook_audit_set_loginuid(ctx_t *ctx) {
int retval = CTX_PARMRET(ctx, 1);
if (retval < 0) {
return 0;
}
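Review bot: The exit hook's `int retval = CTX_PARMRET(ctx, 1);` depends on the return value sitting in slot 1 because audit_set_loginuid takes a single argument (a by-value kuid_t), and nothing in the file records that; anyone copying this pattern to a function with a different arity would pick the wrong index. I would add above that line `// fexit places the return value after the function's arguments; audit_set_loginuid(kuid_t) has one, so it is slot 1`. The `(u32)CTX_PARM1(ctx)` read in the entry hook is precisely where the struct argument is consumed, which is why the loader needs a struct-argument capability check; a one-line comment there saying so would tie the two together for the next maintainer. rethook_audit_set_loginuid continues past the end of the hunk.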
15 changes: 12 additions & 3 deletions pkg/security/ebpf/kernel/kernel.go
Expand Up @@ -332,16 +332,15 @@ func (k *Version) HaveLegacyPipeInodeInfoStruct() bool {
return k.Code != 0 && k.Code < Kernel5_5
}

// HaveFentrySupport returns whether the kernel supports fentry probes
func (k *Version) HaveFentrySupport() bool {
func (k *Version) commonFentryCheck(funcName string) bool {
if features.HaveProgramType(ebpf.Tracing) != nil {
return false
}

spec := &ebpf.ProgramSpec{
Type: ebpf.Tracing,
AttachType: ebpf.AttachTraceFEntry,
AttachTo: "vfs_open",
AttachTo: funcName,
Instructions: asm.Instructions{
asm.LoadImm(asm.R0, 0, asm.DWord),
asm.Return(),
Expand All @@ -366,6 +365,16 @@ func (k *Version) HaveFentrySupport() bool {
return true
}

// HaveFentrySupport returns whether the kernel supports fentry probes
func (k *Version) HaveFentrySupport() bool {
return k.commonFentryCheck("vfs_open")
}

// HaveFentrySupportWithStructArgs returns whether the kernel supports fentry probes with struct arguments
func (k *Version) HaveFentrySupportWithStructArgs() bool {
return k.commonFentryCheck("audit_set_loginuid")
}

// SupportBPFSendSignal returns true if the eBPF function bpf_send_signal is available
func (k *Version) SupportBPFSendSignal() bool {
return k.Code != 0 && k.Code >= Kernel5_3
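Review bot: HaveFentrySupportWithStructArgs at `return k.commonFentryCheck("audit_set_loginuid")` cannot tell a kernel that lacks struct-argument support from one where that symbol is simply absent or not attachable (the function presumably depends on the kernel's audit configuration); both make the probe load fail and both return false, so the name over-promises what is being detected. The doc comment should say so, e.g. `// HaveFentrySupportWithStructArgs reports whether a fentry program targeting audit_set_loginuid (which takes a struct argument) can be loaded; it is also false when that symbol is unavailable.` The unexported commonFentryCheck has no comment and its body between the two hunks is not visible here; a line stating whether it only tests program load or also attachment would make the probe's meaning clear. Nothing in the hunk caches the result, so if this is ever called from more than the mode selection it loads a throwaway program each time.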
14 changes: 11 additions & 3 deletions pkg/security/probe/probe_ebpf.go
Expand Up @@ -194,11 +194,19 @@ func (p *EBPFProbe) selectFentryMode() {
return
}

supported := p.kernelVersion.HaveFentrySupport()
if !supported {
if !p.kernelVersion.HaveFentrySupport() {
p.useFentry = false
seclog.Errorf("fentry enabled but not supported, falling back to kprobe mode")
return
}
p.useFentry = supported

if !p.kernelVersion.HaveFentrySupportWithStructArgs() {
p.useFentry = false
seclog.Warnf("fentry enabled but not supported with struct args, falling back to kprobe mode")
return
}

p.useFentry = true
}

func (p *EBPFProbe) isNetworkNotSupported() bool {
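Review bot: The two fallbacks in selectFentryMode report the same outcome at different severities — `seclog.Errorf` for the generic check and `seclog.Warnf` for the struct-args check — although both silently override an operator-requested fentry mode; one level should be chosen so that alerting on the error log behaves consistently. The second message also does not name the function that was probed, so an operator on a kernel without that symbol cannot see why fentry was rejected; `seclog.Warnf("fentry enabled but struct-argument probe on audit_set_loginuid failed, falling back to kprobe mode")` would expose the cause. Because this check gates every hook rather than only the login_uid ones, it is worth documenting in a comment above the block that a single failing canary demotes the whole probe to kprobes. The beginning of selectFentryMode is outside the hunk.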
2 changes: 0 additions & 2 deletions pkg/security/tests/login_uid_test.go
Expand Up @@ -89,8 +89,6 @@ func TestLoginUID(t *testing.T) {
return err
}

t.Logf("test out: %s\n", string(out))

return nil
}, func(event *model.Event, rule *rules.Rule) {
assert.Equal(t, "exec", event.GetType(), "wrong event type")
