diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
index 10fefca4c3..755fa7bec8 100644
--- a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
+++ b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
@@ -59,8 +59,8 @@ char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #endif
 // toggle this for additional debug output
-#define trace_hook(...)
-// #define trace_hook(...) bpf_printk(__VA_ARGS__)
+// #define trace_hook(...)
+#define trace_hook(...) bpf_printk(__VA_ARGS__)
 // Keep track of all mount namespaces that should be (temporarily) excluded from
 // recording. When running in Kubernetes, we generally ignore the host mntns.
@@ -262,7 +262,8 @@ static __always_inline int register_fs_event(struct path * filename,
 pid == _file_event_pid;
 bool flags_are_subset = (flags | _file_event_flags) == _file_event_flags;
 if (same_file && flags_are_subset) {
- trace_hook("register_file_event skipped");
+ // very noisy
+ // trace_hook("register_file_event skipped");
 return 0;
 }
@@ -334,7 +335,8 @@ static __always_inline int register_file_event(struct file * file, u64 flags)
 SEC("lsm/file_open")
 int BPF_PROG(file_open, struct file * file)
 {
- trace_hook("file_open");
+ // very noisy
+ // trace_hook("file_open");
 u64 flags = 0;
 if (file->f_mode & FMODE_READ) {
 flags |= FLAG_READ;
@@ -351,7 +353,8 @@ int BPF_PROG(file_open, struct file * file)
 SEC("lsm/file_lock")
 int BPF_PROG(file_lock, struct file * file)
 {
- trace_hook("file_lock");
+ // very noisy
+ // trace_hook("file_lock");
 return register_file_event(file, FLAG_WRITE);
 }
@@ -410,7 +413,9 @@ SEC("lsm/path_unlink")
 int BPF_PROG(path_unlink, struct path * dir, struct dentry * dentry)
 {
 trace_hook("path_unlink");
+ debug_path_d(dir, true);
 struct path path = make_path(dentry, dir);
+ debug_path_d(&path, true);
 return register_fs_event(&path, 0, FLAG_READ | FLAG_WRITE, true);
 }
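Review bot: The `trace_hook` default in the -59 hunk is flipped so every hook now expands to `bpf_printk`, and the rebuilt recorder.bpf.o.amd64 and recorder.bpf.o.arm64 objects committed alongside carry that default, so a deployed recorder will write hook names and file paths for every traced process into the node-global kernel trace buffer and pay the formatting cost on every event. If this is a local debugging build, keep `#define trace_hook(...)` as the live line and select the `bpf_printk` variant through a compile-time switch supplied by the build rather than by editing the source, e.g. `#ifdef TRACE_HOOK_DEBUG` (name constructed; use the project's convention). The "toggle this" comment above the macro should then say how to set that switch instead of which line to comment out.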
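Review bot: The `trace_hook` calls in `register_fs_event`, `file_open` and `file_lock` are left behind as commented-out lines with a `// very noisy` note (the -262, -334 and -351 hunks), which is dead code that will drift from the live hooks. Either delete the three lines or keep them callable behind a second, separately gated macro such as `trace_hook_verbose(...)` (name constructed) that expands to nothing unless explicitly enabled, so the noisy hooks stay one switch away rather than requiring source edits. register_fs_event's body starts before its hunk and file_open's continues after its hunk.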
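Review bot: The two `debug_path_d(...)` calls added to `path_unlink` in the -410 hunk run unconditionally on every unlink, including when `trace_hook` is compiled to nothing, so they read as debugging leftovers rather than part of the recording path. Unless `debug_path_d` is itself a no-op in that configuration (it is defined outside this diff, so I cannot confirm), they add work to a hot LSM hook for no recorded output. If they are meant to stay, gate them the same way as `trace_hook` and add a one-line comment stating what `debug_path_d(dir, true)` reports that `trace_hook("path_unlink")` does not.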
@@ -506,6 +511,27 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
 return 0;
 }
+SEC("tracepoint/syscalls/sys_enter_unlink")
+int sys_enter_unlink(struct trace_event_raw_sys_enter * ctx)
+{
+ u32 mntns = get_mntns();
+ if (!mntns)
+ return 0;
+ trace_hook("sys_enter_unlink %s", ctx->args[0]);
+ return 0;
+}
+
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int sys_enter_unlinkat(struct trace_event_raw_sys_enter * ctx)
+{
+ u32 mntns = get_mntns();
+ if (!mntns)
+ return 0;
+ trace_hook("sys_enter_unlinkat %s", ctx->args[1]);
+ return 0;
+}
+
 SEC("tracepoint/sched/sched_process_exec")
 int sched_process_exec(struct trace_event_raw_sched_process_exec * ctx)
 {
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64
index 0d7796bf30..9e4b8a32b1 100644
Binary files a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 and b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 differ
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64
index 32bae870ab..72eaa3fb65 100644
Binary files a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 and b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 differ
diff --git a/internal/pkg/daemon/bpfrecorder/bpf_program_collection.go b/internal/pkg/daemon/bpfrecorder/bpf_program_collection.go
index 0ed8265d85..caed7acae3 100644
--- a/internal/pkg/daemon/bpfrecorder/bpf_program_collection.go
+++ b/internal/pkg/daemon/bpfrecorder/bpf_program_collection.go
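Review bot: `trace_hook("sys_enter_unlink %s", ctx->args[0])` hands the raw syscall pathname argument, a user-space pointer, to `bpf_printk`'s `%s`, which on current kernels reads kernel memory and will not print the user string; the same applies to `ctx->args[1]` in `sys_enter_unlinkat`. Copy it first with `bpf_probe_read_user_str` into a bounded stack buffer, e.g. `char name[64] = {}; bpf_probe_read_user_str(name, sizeof(name), (const void *)ctx->args[0]); trace_hook("sys_enter_unlink %s", name);` (buffer size constructed; real paths can be longer, so truncation has to be acceptable for a debug trace). Both programs only log and `return 0`, yet they are also added to `appArmorHooks` in bpfrecorder_apparmor.go, so the AppArmor recorder will attach them to every unlink/unlinkat on the node while they contribute nothing to the profile; if they exist for debugging, keep them out of that list. If they are to stay, factor the shared mntns gate and trace into one `static __always_inline` helper and drop the doubled blank line between the two definitions.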
@@ -67,7 +67,11 @@ func newProgramCollection(
 func (b *bpfProgramCollection) attachAll(r *BpfRecorder) error {
 var err error
 for i := range b.programs {
- b.programs[i].link, err = r.AttachGeneric(b.programs[i].prog)
+ if b.programs[i].name == "path_unlink" {
+ b.programs[i].link, err = b.programs[i].prog.AttachLSM()
+ } else {
+ b.programs[i].link, err = r.AttachGeneric(b.programs[i].prog)
+ }
 if err != nil {
 return fmt.Errorf("attach bpf program %s: %w", b.programs[i].name, err)
 }
diff --git a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
index b4fae269ad..a6f5bff1ce 100644
--- a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
+++ b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
@@ -51,6 +51,8 @@ var appArmorHooks = []string{
 "path_mknod",
 "path_unlink",
 "bprm_check_security",
+ "sys_enter_unlink",
+ "sys_enter_unlinkat",
 "sys_enter_socket",
 "cap_capable",
 }
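Review bot: The `if b.programs[i].name == "path_unlink"` branch hard-codes one program name inside the generic attach loop, with no comment on why this hook needs `AttachLSM()` when the other `lsm/` programs in the same collection still go through `r.AttachGeneric`. If AttachGeneric cannot pick the LSM attach type for this program, that is the defect to fix or document in AttachGeneric itself; otherwise carry the attach method on the program descriptor where the list is built (an attach function or kind field, name per the struct's convention) so the loop stays uniform. At minimum add a comment such as `// path_unlink must be attached as an LSM hook explicitly: <reason>` above the branch. The loop body's error handling continues past the hunk.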