dbg

mhils · Jan 21, 2025 · 9608d62 · 9608d62
1 parent 9d32627
commit 9608d62
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 6 deletions.
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
@@ -59,8 +59,8 @@ char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #endif
 
 // toggle this for additional debug output
-#define trace_hook(...)
-// #define trace_hook(...) bpf_printk(__VA_ARGS__)
+// #define trace_hook(...)
+#define trace_hook(...) bpf_printk(__VA_ARGS__)
 
 // Keep track of all mount namespaces that should be (temporarily) excluded from
 // recording. When running in Kubernetes, we generally ignore the host mntns.
@@ -262,7 +262,8 @@ static __always_inline int register_fs_event(struct path * filename,
                      pid == _file_event_pid;
     bool flags_are_subset = (flags | _file_event_flags) == _file_event_flags;
     if (same_file && flags_are_subset) {
-        trace_hook("register_file_event skipped");
+        // very noisy
+        // trace_hook("register_file_event skipped");
         return 0;
     }
 
@@ -334,7 +335,8 @@ static __always_inline int register_file_event(struct file * file, u64 flags)
 SEC("lsm/file_open")
 int BPF_PROG(file_open, struct file * file)
 {
-    trace_hook("file_open");
+    // very noisy
+    // trace_hook("file_open");
     u64 flags = 0;
     if (file->f_mode & FMODE_READ) {
         flags |= FLAG_READ;
@@ -351,7 +353,8 @@ int BPF_PROG(file_open, struct file * file)
 SEC("lsm/file_lock")
 int BPF_PROG(file_lock, struct file * file)
 {
-    trace_hook("file_lock");
+    // very noisy
+    // trace_hook("file_lock");
     return register_file_event(file, FLAG_WRITE);
 }
 
@@ -410,7 +413,9 @@ SEC("lsm/path_unlink")
 int BPF_PROG(path_unlink, struct path * dir, struct dentry * dentry)
 {
     trace_hook("path_unlink");
+    debug_path_d(dir, true);
     struct path path = make_path(dentry, dir);
+    debug_path_d(&path, true);
     return register_fs_event(&path, 0, FLAG_READ | FLAG_WRITE, true);
 }
 
@@ -506,6 +511,27 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
     return 0;
 }
 
+SEC("tracepoint/syscalls/sys_enter_unlink")
+int sys_enter_unlink(struct trace_event_raw_sys_enter * ctx)
+{
+    u32 mntns = get_mntns();
+    if (!mntns)
+        return 0;
+    trace_hook("sys_enter_unlink %s", ctx->args[0]);
+    return 0;
+}
+
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int sys_enter_unlinkat(struct trace_event_raw_sys_enter * ctx)
+{
+    u32 mntns = get_mntns();
+    if (!mntns)
+        return 0;
+    trace_hook("sys_enter_unlinkat %s", ctx->args[1]);
+    return 0;
+}
+
 SEC("tracepoint/sched/sched_process_exec")
 int sched_process_exec(struct trace_event_raw_sched_process_exec * ctx)
 {

diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64
diff --git a/internal/pkg/daemon/bpfrecorder/bpf_program_collection.go b/internal/pkg/daemon/bpfrecorder/bpf_program_collection.go
@@ -67,7 +67,11 @@ func newProgramCollection(
 func (b *bpfProgramCollection) attachAll(r *BpfRecorder) error {
 	var err error
 	for i := range b.programs {
-		b.programs[i].link, err = r.AttachGeneric(b.programs[i].prog)
+		if b.programs[i].name == "path_unlink" {
+			b.programs[i].link, err = b.programs[i].prog.AttachLSM()
+		} else {
+			b.programs[i].link, err = r.AttachGeneric(b.programs[i].prog)
+		}
 		if err != nil {
 			return fmt.Errorf("attach bpf program %s: %w", b.programs[i].name, err)
 		}

diff --git a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
@@ -51,6 +51,8 @@ var appArmorHooks = []string{
 	"path_mknod",
 	"path_unlink",
 	"bprm_check_security",
+	"sys_enter_unlink",
+	"sys_enter_unlinkat",
 	"sys_enter_socket",
 	"cap_capable",
 }