diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
index 10fefca4c3..1a45af0d7c 100644
--- a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
+++ b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
@@ -59,8 +59,8 @@ char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #endif
 // toggle this for additional debug output
-#define trace_hook(...)
-// #define trace_hook(...) bpf_printk(__VA_ARGS__)
+// #define trace_hook(...)
+#define trace_hook(...) bpf_printk(__VA_ARGS__)
 // Keep track of all mount namespaces that should be (temporarily) excluded from
 // recording. When running in Kubernetes, we generally ignore the host mntns.
@@ -262,7 +262,8 @@ static __always_inline int register_fs_event(struct path * filename,
 pid == _file_event_pid;
 bool flags_are_subset = (flags | _file_event_flags) == _file_event_flags;
 if (same_file && flags_are_subset) {
-trace_hook("register_file_event skipped");
+// very noisy
+// trace_hook("register_file_event skipped");
 return 0;
 }
@@ -334,7 +335,8 @@ static __always_inline int register_file_event(struct file * file, u64 flags)
 SEC("lsm/file_open")
 int BPF_PROG(file_open, struct file * file)
 {
-trace_hook("file_open");
+// very noisy
+// trace_hook("file_open");
 u64 flags = 0;
 if (file->f_mode & FMODE_READ) {
 flags |= FLAG_READ;
@@ -351,7 +353,8 @@ int BPF_PROG(file_open, struct file * file)
 SEC("lsm/file_lock")
 int BPF_PROG(file_lock, struct file * file)
 {
-trace_hook("file_lock");
+// very noisy
+// trace_hook("file_lock");
 return register_file_event(file, FLAG_WRITE);
 }
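Review bot: Flipping the default to `#define trace_hook(...) bpf_printk(__VA_ARGS__)` ships debug tracing enabled in the production object: every hook that still calls `trace_hook` now writes to the shared tracefs `trace_pipe` on each invocation, exposing recorded paths and pids to anyone who can read that channel, and the rebuilt `.o.amd64`/`.o.arm64` in this commit carry that default. The surrounding comment `// toggle this for additional debug output` reads as a local-only switch, so this looks like a debugging leftover rather than an intended change. Restore the disabled default `#define trace_hook(...)` (with the `bpf_printk` variant left commented out) before merge, or make the selection explicit with `#ifdef BPF_RECORDER_DEBUG` around the two definitions so a shipped object cannot pick up the verbose variant by accident.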
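Review bot: Silencing the chatty call sites by commenting out the call and adding `// very noisy` (here in `register_fs_event`, and again in the `file_open` and `file_lock` hunks below) leaves dead code in several places and forces anyone debugging to re-enable them by hand one at a time. A second macro next to `trace_hook`, e.g. `#define trace_hook_verbose(...)` disabled by default, would keep the call sites live and let the verbosity be chosen in one place: `trace_hook_verbose("register_file_event skipped");`. The body of `register_fs_event` begins before and continues after this hunk.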
@@ -406,10 +409,11 @@ int BPF_PROG(path_mknod, struct path * dir, struct dentry * dentry,
 return register_fs_event(&path, 0, file_flags, true);
 }
-SEC("lsm/path_unlink")
+SEC("lsm.s/path_unlink")
 int BPF_PROG(path_unlink, struct path * dir, struct dentry * dentry)
 {
 trace_hook("path_unlink");
+debug_path_d(dir, true);
 struct path path = make_path(dentry, dir);
 return register_fs_event(&path, 0, FLAG_READ | FLAG_WRITE, true);
 }
@@ -485,7 +489,8 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
 u32 mntns = get_mntns();
 if (!mntns)
 return 0;
-trace_hook("sys_enter_prctl");
+// noisy
+// trace_hook("sys_enter_prctl");
 // Handle runc init.
 //
@@ -506,6 +511,27 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
 return 0;
 }
+SEC("tracepoint/syscalls/sys_enter_unlink")
+int sys_enter_unlink(struct trace_event_raw_sys_enter * ctx)
+{
+u32 mntns = get_mntns();
+if (!mntns)
+return 0;
+trace_hook("sys_enter_unlink %s", ctx->args[0]);
+return 0;
+}
+
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int sys_enter_unlinkat(struct trace_event_raw_sys_enter * ctx)
+{
+u32 mntns = get_mntns();
+if (!mntns)
+return 0;
+trace_hook("sys_enter_unlinkat %s", ctx->args[1]);
+return 0;
+}
+
 SEC("tracepoint/sched/sched_process_exec")
 int sched_process_exec(struct trace_event_raw_sched_process_exec * ctx)
 {
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64
index 0d7796bf30..267d9c96d9 100644
Binary files a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 and b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 differ
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64
index 32bae870ab..c1c23044f1 100644
Binary files a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 and b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 differ
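Review bot: `SEC("lsm.s/path_unlink")` makes this the only sleepable LSM program visible in the file, while `path_mknod` directly above and the other `lsm/` hooks stay non-sleepable, and nothing in the hunk says why; sleepable attachment requires a newer kernel and a loader that requests the sleepable flag, so an unexplained switch on a single hook is a portability trap and a likely debugging leftover. Either add a comment stating the reason, e.g. `// sleepable: required by the helper called below`, or revert to `lsm/path_unlink` if the sleepable variant was only needed for the trace call. The added `debug_path_d(dir, true);` is not defined in this hunk and runs unconditionally before `make_path`/`register_fs_event` do any filtering; if it is a `bpf_printk`-style helper, as the name suggests, it should be placed under the same `trace_hook` toggle as the line above it rather than fire on every unlink on the node.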
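Review bot: `trace_hook("sys_enter_unlink %s", ctx->args[0])` hands the raw user-space `pathname` argument to `bpf_printk`'s `%s`, which as far as I can tell reads the string from kernel memory, so a user pointer yields an empty or garbled string rather than the path; the same applies to `ctx->args[1]` in `sys_enter_unlinkat`. Copy the path into a stack buffer first, `char p[64]; bpf_probe_read_user_str(p, sizeof(p), (const void *)ctx->args[0]);` and print `p`, or use the `%pus` specifier where the target kernels support it. Both new programs do nothing except trace and never call `register_fs_event`, so if they are temporary debugging aids they should not remain in the shipped object; if they are meant to stay, a header comment such as `// trace-only: unlink events are recorded via lsm/path_unlink` should make that explicit. The `.o.amd64`/`.o.arm64` rebuilds in this hunk are generated artifacts and were not reviewed.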
diff --git a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
index b4fae269ad..a6f5bff1ce 100644
--- a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
+++ b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
@@ -51,6 +51,8 @@ var appArmorHooks = []string{
 "path_mknod",
 "path_unlink",
 "bprm_check_security",
+"sys_enter_unlink",
+"sys_enter_unlinkat",
 "sys_enter_socket",
 "cap_capable",
 }
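Review bot: Adding `"sys_enter_unlink"` and `"sys_enter_unlinkat"` to `appArmorHooks` attaches two programs that, per the C side of this commit, only emit `trace_hook` output and never feed `register_fs_event`, so every recorder instance pays a per-unlink tracepoint on the node with no change to the recorded profile. If they are debugging aids, keep them out of this list or behind a debug option so they are not attached in production; if they are intended to become real hooks, a comment like `// trace-only for now; unlink events are recorded via lsm/path_unlink` should say so. I am assuming `appArmorHooks` is the list of programs attached at startup; the slice declaration begins before this hunk.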