tetragon: setup to let match binary names use args as well

Setting up ability to match args as well as binary names. This is useful for matching 'java beaches.jar' or 'python palmTree.py' where the binary itself is an interpretor and the actual thing being called is what matters. Signed-off-by: John Fastabend <[email protected]>
cilium · Dec 11, 2024 · 93db38d · 93db38d
1 parent 1ec1ba7
commit 93db38d
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/bpf/lib/process.h b/bpf/lib/process.h
@@ -278,6 +278,8 @@ struct heap_exe {
 	char end[STRING_POSTFIX_MAX_LENGTH];
 	__u32 len;
 	__u32 error;
+	__u32 arg_len;
+	__u32 arg_start;
 }; // All fields aligned so no 'packed' attribute.
 
 struct msg_execve_event {
@@ -323,6 +325,8 @@ struct binary {
 	char end[STRING_POSTFIX_MAX_LENGTH];
 	// STRING_POSTFIX_MAX_LENGTH reversed last bytes of the path
 	char end_r[STRING_POSTFIX_MAX_LENGTH];
+	// args for the binary
+	char args[MAXARGLENGTH];
 	// matchBinary bitset for binary
 	// NB: everything after and including ->mb_bitset will not be zeroed on a new exec. See
 	// binary_reset().

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
@@ -92,6 +92,9 @@ read_args(void *ctx, struct msg_execve_event *event)
 
 	size = p->size & 0x1ff /* 2*MAXARGLENGTH - 1*/;
 	args = (char *)p + size;
+#ifdef __LARGE_BPF_PROG
+	event->exe.arg_start = size;
+#endif
 
 	if (args >= (char *)&event->process + BUFFER)
 		return 0;
@@ -117,6 +120,9 @@ read_args(void *ctx, struct msg_execve_event *event)
 		if (size > 0)
 			p->flags |= EVENT_DATA_ARGS;
 	}
+#ifdef __LARGE_BPF_PROG
+	event->exe.arg_len = size;
+#endif
 	return size;
 }
 
@@ -395,6 +401,8 @@ execve_send(void *ctx __arg_ctx)
 		/* zero out previous paths in ->bin */
 		binary_reset(&curr->bin);
 #ifdef __LARGE_BPF_PROG
+		__u32 nullone, nulltwo, off, len;
+
 		// read from proc exe stored at execve time
 		if (event->exe.len <= BINARY_PATH_MAX_LEN) {
 			curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.buf);
@@ -406,6 +414,15 @@ execve_send(void *ctx __arg_ctx)
 				revlen = STRING_POSTFIX_MAX_LENGTH - 1;
 			probe_read(curr->bin.end, revlen, event->exe.end);
 		}
+
+		off = event->exe.arg_start & 0xff;
+		len = event->exe.arg_len & 0xff;
+		probe_read(curr->bin.args, len, (char *)&event->process + off);
+
+		nullone = len + 1;
+		nulltwo = len + 2;
+		curr->bin.args[nullone & 0xff] = 0x00; // null terminate string
+		curr->bin.args[nulltwo & 0xff] = 0x00; // null terminate string
 #else
 		// reuse p->args first string that contains the filename, this can't be
 		// above 256 in size (otherwise the complete will be send via data msg)

diff --git a/pkg/api/processapi/processapi.go b/pkg/api/processapi/processapi.go
@@ -46,6 +46,7 @@ const (
 	MSG_COMMON_FLAG_IMA_HASH          = 0x8
 
 	BINARY_PATH_MAX_LEN = 256
+	MAX_ARG_LENGTH      = 256
 
 	STRING_POSTFIX_MAX_LENGTH = 128
 )
@@ -158,6 +159,7 @@ type Binary struct {
 	Path       [BINARY_PATH_MAX_LEN]byte
 	End        [STRING_POSTFIX_MAX_LENGTH]byte
 	End_r      [STRING_POSTFIX_MAX_LENGTH]byte
+	Args       [MAX_ARG_LENGTH]byte
 	MBSet      uint64
 }