bpf: add path_unlink hook

kubernetes-sigs · Jan 16, 2025 · 833df79 · 833df79
1 parent 103776a
commit 833df79
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 1 deletion.
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
@@ -373,6 +373,14 @@ int BPF_PROG(path_mkdir, struct path * dir, struct dentry * dentry,
                              true);
 }
 
+SEC("lsm/path_unlink")
+int BPF_PROG(path_unlink, struct path * dir, struct dentry * dentry)
+{
+    // trace_hook("path_unlink");
+    struct path path = make_path(dentry, dir);
+    return register_fs_event(&path, 0, FLAG_READ | FLAG_WRITE, true);
+}
+
 SEC("tracepoint/syscalls/sys_enter_socket")
 int sys_enter_socket(struct trace_event_raw_sys_enter * ctx)
 {

diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64
diff --git a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
@@ -48,6 +48,7 @@ var appArmorHooks = []string{
 	"file_lock",
 	"mmap_file",
 	"path_mkdir",
+	"path_unlink",
 	"bprm_check_security",
 	"sys_enter_socket",
 	"cap_capable",

diff --git a/test/spoc/demobinary.go b/test/spoc/demobinary.go
@@ -50,6 +50,7 @@ func main() {
 	fileRead := flag.String("file-read", "", "read file (e.g. /dev/null). Multiple files may be separated by comma.")
 	fileSymlink := flag.String("file-symlink", "", "Create symlink using the following syntax: OLD:NEW")
 	dirRead := flag.String("dir-read", "", "read directory (e.g. /dev/). Multiple directories may be separated by comma.")
+	fileRemove := flag.String("file-remove", "", "delete file (e.g. /tmp/test)")
 	dirCreate := flag.String("dir-create", "", "create directory (e.g. /tmp/dir)")
 	netTCP := flag.Bool("net-tcp", false, "spawn a tcp server")
 	netUDP := flag.Bool("net-udp", false, "spawn a udp server")
@@ -121,6 +122,13 @@ func main() {
 			log.Println("✅ Directory read successful:", dir)
 		}
 	}
+	if *fileRemove != "" {
+		err := os.Remove(*fileRemove)
+		if err != nil {
+			log.Fatal("❌ Error deleting file:", err)
+		}
+		log.Println("✅ File deletion successful:", *fileRemove)
+	}
 	if *netTCP {
 		listener, err := net.Listen("tcp", ":0")
 		if err != nil {

diff --git a/test/spoc/e2e_spoc_test.go b/test/spoc/e2e_spoc_test.go
@@ -67,15 +67,26 @@ func recordAppArmorTest(t *testing.T) {
 		if !bpfrecorder.BPFLSMEnabled() {
 			t.Skip("BPF LSM disabled")
 		}
+		fileToRemove, err := os.CreateTemp("/tmp", "spoc-test")
+		require.NoError(t, err)
+		err = fileToRemove.Close()
+		require.NoError(t, err)
 		fileRead := fmt.Sprintf("../../README.md,/proc/1/limits,/proc/%d/limits", os.Getpid())
-		profile := recordAppArmor(t, "./demobinary", "--file-read", fileRead, "--file-write", "/dev/null")
+		profile := recordAppArmor(t,
+			"./demobinary",
+			"--file-read", fileRead,
+			"--file-write", "/dev/null",
+			"--file-remove", fileToRemove.Name(),
+		)
 		readme, err := filepath.Abs("../../README.md")
 		require.NoError(t, err)
 		require.NotNil(t, profile.Filesystem)
 		require.NotNil(t, profile.Filesystem.ReadOnlyPaths)
 		require.NotNil(t, profile.Filesystem.WriteOnlyPaths)
+		require.NotNil(t, profile.Filesystem.ReadWritePaths)
 		require.Contains(t, *profile.Filesystem.ReadOnlyPaths, readme)
 		require.Contains(t, *profile.Filesystem.WriteOnlyPaths, "/dev/null")
+		require.Contains(t, *profile.Filesystem.ReadWritePaths, fileToRemove.Name())
 
 		count := 0
 		for _, s := range *profile.Filesystem.ReadOnlyPaths {