helpers/btfinfo: renamed to osinfo and improved, syncing by rafaeldtinoco · Pull Request #981 · aquasecurity/tracee · GitHub
helpers/btfinfo: renamed to osinfo and improved, syncing #981
Merged
merged 11 commits into from
Sep 3, 2021
Conversation

rafaeldtinoco
Contributor

Reference: aquasecurity/libbpfgo#60

Needs aquasecurity/libbpfgo#67 merged first.

@yanivagman
Collaborator

Can we remove the UnameRelease() and KernelIsAtLeast() functions from tracee.go after the libbpfgo PR is merged?

@rafaeldtinoco
Contributor Author

This will only work after aquasecurity/libbpfgo#70 is reviewed and merged AND we bump libbpfgo dependency to that commit. Tests at: aquasecurity/libbpfgo#61 (comment)

@rafaeldtinoco
Contributor Author
rafaeldtinoco commented Sep 3, 2021

Maybe we should consider that... if no kconfig file was found, the kconfig variable CONFIG_ARCH_HAS_SYSCALL_WRAPPER is yes? Most of the time it will be, no?

image

Same test using an existing kconfig file:

image

It sets CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y because of the kconfig file.

@rafaeldtinoco
Contributor Author

All tests are good, but now I'm failing on the tracee side if no kconfig file exists (because I need the CONFIG_ARCH_HAS_SYSCALL_WRAPPER value). I'll have to define it as TRUE or FALSE by default if no kconfig file is found, @yanivagman. Is that ok? This way we can fully get rid of kconfig if there is none provided AND none in the OS.
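The behaviour under discussion here (look the kconfig file up, read CONFIG_ARCH_HAS_SYSCALL_WRAPPER from it, and fall back to an explicit, logged default when no file exists) is shown below as an added example; it is not tracee's or libbpfgo's own code. It assumes the LIBBPFGO_KCONFIG_FILE override and the /boot/config-$(uname -r) location used in this PR's test runs, plus /proc/config.gz as a second usual location; the release string in main and the sample config in the comments are constructed.

```go
package main

import (
	"bufio"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"strings"
)

// KConfig is the parsed view of a kernel .config file. Loaded is false when
// no file could be read, which is exactly the case the thread is about.
type KConfig struct {
	Path   string
	Values map[string]string
	Loaded bool
}

// ParseKConfig reads "CONFIG_FOO=y", "CONFIG_FOO=\"str\"" and
// "# CONFIG_FOO is not set" lines; the last form is recorded as "n".
func ParseKConfig(r io.Reader) (map[string]string, error) {
	values := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "CONFIG_"):
			kv := strings.SplitN(line, "=", 2)
			if len(kv) == 2 {
				values[kv[0]] = strings.Trim(kv[1], `"`)
			}
		case strings.HasPrefix(line, "# CONFIG_") && strings.HasSuffix(line, " is not set"):
			key := strings.TrimSuffix(strings.TrimPrefix(line, "# "), " is not set")
			values[key] = "n"
		}
	}
	return values, sc.Err()
}

// openKConfig tries each candidate path in order; a ".gz" candidate
// (the /proc/config.gz layout) is decompressed transparently.
func openKConfig(candidates []string) (io.ReadCloser, string, error) {
	for _, p := range candidates {
		f, err := os.Open(p)
		if err != nil {
			continue
		}
		if strings.HasSuffix(p, ".gz") {
			gz, gerr := gzip.NewReader(f)
			if gerr != nil {
				f.Close()
				continue
			}
			return struct {
				io.Reader
				io.Closer
			}{gz, f}, p, nil
		}
		return f, p, nil
	}
	return nil, "", fmt.Errorf("no readable kconfig among %v", candidates)
}

// LoadKConfig mirrors the lookup used in the PR's test runs: an explicit
// LIBBPFGO_KCONFIG_FILE override is used alone (a bad override is reported,
// not silently replaced); otherwise the usual locations are tried.
// A missing file is a warning, not an error: the caller gets Loaded=false.
func LoadKConfig(release string) KConfig {
	candidates := []string{"/proc/config.gz", "/boot/config-" + release}
	if override := os.Getenv("LIBBPFGO_KCONFIG_FILE"); override != "" {
		candidates = []string{override}
	}
	rc, path, err := openKConfig(candidates)
	if err != nil {
		fmt.Fprintf(os.Stderr, "KConfig: warning: could not check enabled kconfig features (%v)\n", err)
		return KConfig{Values: map[string]string{}}
	}
	defer rc.Close()
	values, perr := ParseKConfig(rc)
	if perr != nil {
		fmt.Fprintf(os.Stderr, "KConfig: warning: %s: %v\n", path, perr)
		return KConfig{Values: map[string]string{}}
	}
	return KConfig{Path: path, Values: values, Loaded: true}
}

// HasSyscallWrapper: with a loaded config the file decides; with no config at
// all, assume CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y rather than refusing to start.
// assumed is true when the answer came from the default, so it can be logged.
func (k KConfig) HasSyscallWrapper() (enabled bool, assumed bool) {
	if !k.Loaded {
		return true, true
	}
	return k.Values["CONFIG_ARCH_HAS_SYSCALL_WRAPPER"] == "y", false
}

func main() {
	release := "5.14.0-rc5+" // constructed; a real caller would use uname -r
	kc := LoadKConfig(release)
	enabled, assumed := kc.HasSyscallWrapper()
	fmt.Printf("kconfig loaded=%v path=%q syscall_wrapper=%v assumed=%v\n",
		kc.Loaded, kc.Path, enabled, assumed)
}
```

Returning the `assumed` flag separately from the value is the point of the design: a consumer that later fails to parse syscall arguments can tell whether it acted on a fact from the config file or on the default, which is what the log lines in this thread make visible.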

@rafaeldtinoco
Contributor Author
rafaeldtinoco commented Sep 3, 2021

regular call

$ sudo ./dist/tracee-ebpf --debug --trace uid=1000 --trace pid=new --trace event=execve --trace event=cap_capable --output option:detect-syscall
OSInfo: ID_LIKE: debian
OSInfo: PRETTY_NAME: "Ubuntu 21.04"
OSInfo: VERSION_ID: "21.04"
OSInfo: VERSION_CODENAME: hirsute
OSInfo: KERNEL_RELEASE: 5.11.0-31-generic
OSInfo: VERSION: "21.04 (Hirsute Hippo)"
OSInfo: ID: ubuntu
BTF: bpfenv = false, btfenv = false, vmlinux = true
BPF: using embedded BPF object
unpacked CO:RE bpf object file into memory
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876186
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876182
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876184
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876186
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876182
16:50:31:118904  1000   bash             765133  765133  0                execve               pathname: /bin/exa, argv: [exa --color=auto]
16:50:31:128992  1000   bash             765136  765136  0                execve               pathname: /home/rafaeldtinoco/scripts/git, argv: [git branch]
16:50:31:129741  1000   bash             765137  765137  0                execve               pathname: /bin/sed, argv: [sed -e /^[^*]/d -e s/* \(.*\)/\1/]
16:50:31:133130  1000   git              765136  765136  0                execve               pathname: /usr/bin/git, argv: [/usr/bin/git branch]

End of events stream
Stats: {EventCount:4 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCount:0}

regular external files:

$ sudo LIBBPFGO_OSRELEASE_FILE=/etc/os-release LIBBPFGO_KCONFIG_FILE=/boot/config-$(uname -r) ./dist/tracee-ebpf --debug --trace uid=1000 --trace pid=new --trace event=execve --trace event=cap_capable --output option:detect-syscall
OSInfo: KERNEL_RELEASE: 5.11.0-31-generic
OSInfo: VERSION: "21.04 (Hirsute Hippo)"
OSInfo: ID: ubuntu
OSInfo: ID_LIKE: debian
OSInfo: PRETTY_NAME: "Ubuntu 21.04"
OSInfo: VERSION_ID: "21.04"
OSInfo: VERSION_CODENAME: hirsute
BTF: bpfenv = false, btfenv = false, vmlinux = true
BPF: using embedded BPF object
unpacked CO:RE bpf object file into memory
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876186
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876182
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876184
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876186
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876182
16:50:59:091511  1000   bash             771084  771084  0                execve               pathname: /bin/exa, argv: [exa --color=auto]
16:50:59:100976  1000   bash             771087  771087  0                execve               pathname: /home/rafaeldtinoco/scripts/git, argv: [git branch]
16:50:59:101706  1000   bash             771088  771088  0                execve               pathname: /bin/sed, argv: [sed -e /^[^*]/d -e s/* \(.*\)/\1/]
16:50:59:106542  1000   git              771087  771087  0                execve               pathname: /usr/bin/git, argv: [/usr/bin/git branch]

End of events stream
Stats: {EventCount:4 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCount:0}

no os-release file, try to continue:

$ sudo LIBBPFGO_OSRELEASE_FILE=NOFILE LIBBPFGO_KCONFIG_FILE=/boot/config-$(uname -r) ./dist/tracee-ebpf --debug --trace uid=1000 --trace pid=new --trace event=execve --trace event=cap_capable --output option:detect-syscall
OSInfo: KERNEL_RELEASE: 5.11.0-31-generic
OSInfo: warning: os-release file could be found
(could not open LIBBPFGO_OSRELEASE_FILE NOFILE)
BTF: bpfenv = false, btfenv = false, vmlinux = true
BPF: using embedded BPF object
unpacked CO:RE bpf object file into memory
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876186
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876182
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876184
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876186
Running container = 5e539daad7d5bf83f6f1819570c3766a75d9f488598d17fed58c7a93ecb8ded4 pid = 876182
16:51:37:896163  1000   bash             774394  774394  0                execve               pathname: /bin/exa, argv: [exa --color=auto]
16:51:37:905983  1000   bash             774397  774397  0                execve               pathname: /home/rafaeldtinoco/scripts/git, argv: [git branch]
16:51:37:906384  1000   bash             774398  774398  0                execve               pathname: /bin/sed, argv: [sed -e /^[^*]/d -e s/* \(.*\)/\1/]
16:51:37:909142  1000   git              774397  774397  0                execve               pathname: /usr/bin/git, argv: [/usr/bin/git branch]

End of events stream
Stats: {EventCount:4 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCount:0}

No os-release NOR kconfig files. Tracee assumes CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y.

$ sudo LIBBPFGO_OSRELEASE_FILE=/etc/os-release LIBBPFGO_KCONFIG_FILE=NOFILE ./dist/tracee-ebpf --debug --trace uid=1000 --trace pid=new --trace event=execve --trace event=cap_capable --output option:detect-syscall
KConfig: warning: could not check enabled kconfig features
(could not open LIBBPFGO_KCONFIG_FILE NOFILE)
OSInfo: KERNEL_RELEASE: 5.14.0-rc5+
OSInfo: warning: os-release file could be found
(could not open LIBBPFGO_OSRELEASE_FILE /etc/os-release)
BTF: bpfenv = false, btfenv = false, vmlinux = true
BPF: using embedded BPF object
unpacked CO:RE bpf object file into memory
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
19:52:06:661000  1000   bash             12112   12112   0                execve               pathname: /bin/ls, argv: [ls --color=auto]

End of events stream
Stats: {EventCount:1 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCount:0}

Check if given kconfig in environment with no kconfig is good for libbpf:

$ ls /etc/os-release
ls: cannot access '/etc/os-release': No such file or directory

$ ls /boot/config-$(uname -r)
ls: cannot access '/boot/config-5.14.0-rc5+': No such file or directory
$ sudo ./dist/tracee-ebpf --debug --trace uid=1000 --trace pid=new --trace event=execve --trace event=cap_capable --output option:detect-syscall
KConfig: warning: could not check enabled kconfig features
(could not read /boot/config-5.14.0-rc5+: stat /boot/config-5.14.0-rc5+: no such file or directory)
OSInfo: KERNEL_RELEASE: 5.14.0-rc5+
OSInfo: warning: os-release file could be found
(open /etc/os-release: no such file or directory)
BTF: bpfenv = false, btfenv = false, vmlinux = true
BPF: using embedded BPF object
unpacked CO:RE bpf object file into memory
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
19:53:35:871855  1000   bash             12201   12201   0                execve               pathname: /bin/ls, argv: [ls --color=auto]

End of events stream
Stats: {EventCount:1 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCount:0}

If we manually remove CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y from the given kconfig file, for testing purposes, we have to break the arguments:

$ sudo LIBBPFGO_KCONFIG_FILE=/boot/config-5.14.0-rc5+.orig ./dist/tracee-ebpf -debug --trace uid=1000 --trace pid=new --trace event=execve --trace event=cap_capable --output option:detect-syscall
OSInfo: KERNEL_RELEASE: 5.14.0-rc5+
OSInfo: warning: os-release file could be found
(open /etc/os-release: no such file or directory)
BTF: bpfenv = false, btfenv = false, vmlinux = true
BPF: using embedded BPF object
unpacked CO:RE bpf object file into memory
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
19:56:20:463406  1000   bash             12248   12248   0                execve               pathname:  , argv: []

End of events stream
Stats: {EventCount:1 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCount:0}

And if I put it back on (=y):

$ sudo LIBBPFGO_KCONFIG_FILE=/boot/config-5.14.0-rc5+.orig ./dist/tracee-ebpf -debug --trace uid=1000 --trace pid=new --trace event=execve --trace event=cap_capable --output option:detect-syscall
OSInfo: KERNEL_RELEASE: 5.14.0-rc5+
OSInfo: warning: os-release file could be found
(open /etc/os-release: no such file or directory)
BTF: bpfenv = false, btfenv = false, vmlinux = true
BPF: using embedded BPF object
unpacked CO:RE bpf object file into memory
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
20:02:58:949046  1000   bash             12313   12313   0                execve               pathname: /bin/ls, argv: [ls --color=auto]

End of events stream
Stats: {EventCount:1 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCount:0}

Everything seems to be working as expected.

@rafaeldtinoco rafaeldtinoco requested review from grantseltzer and removed request for yanivagman September 3, 2021 20:17
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Contributor
@grantseltzer grantseltzer left a comment

LGTM!

@grantseltzer grantseltzer merged commit bcf7153 into aquasecurity:main Sep 3, 2021
@grantseltzer
Contributor
grantseltzer commented Sep 4, 2021 via email

@rafaeldtinoco
Contributor Author

FTR, I've got some minor continuation of this at: #999

@rafaeldtinoco rafaeldtinoco deleted the osinfonew branch November 6, 2021 08:26
4 participants