dbg

internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c

@@ -59,8 +59,8 @@ char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #endif
 
 // toggle this for additional debug output
-#define trace_hook(...)
-// #define trace_hook(...) bpf_printk(__VA_ARGS__)
+// #define trace_hook(...)
+#define trace_hook(...) bpf_printk(__VA_ARGS__)
 
 // Keep track of all mount namespaces that should be (temporarily) excluded from
 // recording. When running in Kubernetes, we generally ignore the host mntns.
@@ -262,7 +262,8 @@ static __always_inline int register_fs_event(struct path * filename,
                      pid == _file_event_pid;
     bool flags_are_subset = (flags | _file_event_flags) == _file_event_flags;
     if (same_file && flags_are_subset) {
-        trace_hook("register_file_event skipped");
+        // very noisy
+        // trace_hook("register_file_event skipped");
         return 0;
     }
 
@@ -334,7 +335,8 @@ static __always_inline int register_file_event(struct file * file, u64 flags)
 SEC("lsm/file_open")
 int BPF_PROG(file_open, struct file * file)
 {
-    trace_hook("file_open");
+    // very noisy
+    // trace_hook("file_open");
     u64 flags = 0;
     if (file->f_mode & FMODE_READ) {
         flags |= FLAG_READ;
@@ -351,7 +353,8 @@ int BPF_PROG(file_open, struct file * file)
 SEC("lsm/file_lock")
 int BPF_PROG(file_lock, struct file * file)
 {
-    trace_hook("file_lock");
+    // very noisy
+    // trace_hook("file_lock");
     return register_file_event(file, FLAG_WRITE);
 }
 
@@ -406,10 +409,11 @@ int BPF_PROG(path_mknod, struct path * dir, struct dentry * dentry,
     return register_fs_event(&path, 0, file_flags, true);
 }
 
-SEC("lsm/path_unlink")
+SEC("lsm.s/path_unlink")
 int BPF_PROG(path_unlink, struct path * dir, struct dentry * dentry)
 {
     trace_hook("path_unlink");
+    debug_path_d(dir, true);
     struct path path = make_path(dentry, dir);
     return register_fs_event(&path, 0, FLAG_READ | FLAG_WRITE, true);
 }
@@ -485,7 +489,8 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
     u32 mntns = get_mntns();
     if (!mntns)
         return 0;
-    trace_hook("sys_enter_prctl");
+    // noisy
+    // trace_hook("sys_enter_prctl");
 
     // Handle runc init.
     //
@@ -506,6 +511,27 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
     return 0;
 }
 
+SEC("tracepoint/syscalls/sys_enter_unlink")
+int sys_enter_unlink(struct trace_event_raw_sys_enter * ctx)
+{
+    u32 mntns = get_mntns();
+    if (!mntns)
+        return 0;
+    trace_hook("sys_enter_unlink %s", ctx->args[0]);
+    return 0;
+}
+
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int sys_enter_unlinkat(struct trace_event_raw_sys_enter * ctx)
+{
+    u32 mntns = get_mntns();
+    if (!mntns)
+        return 0;
+    trace_hook("sys_enter_unlinkat %s", ctx->args[1]);
+    return 0;
+}
+
 SEC("tracepoint/sched/sched_process_exec")
 int sched_process_exec(struct trace_event_raw_sched_process_exec * ctx)
 {

internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go

@@ -51,6 +51,8 @@ var appArmorHooks = []string{
 	"path_mknod",
 	"path_unlink",
 	"bprm_check_security",
+	"sys_enter_unlink",
+	"sys_enter_unlinkat",
 	"sys_enter_socket",
 	"cap_capable",
 }