add user namespace to slim_cred struct by michaelkatch · Pull Request #1137 · aquasecurity/tracee · GitHub
add user namespace to slim_cred struct #1137
2 changes: 2 additions & 0 deletions tracee-ebpf/external/external.go
Expand Up @@ -196,6 +196,8 @@ type SlimCred struct {
Egid uint32 /* effective GID of the task */
Fsuid uint32 /* UID for VFS ops */
Fsgid uint32 /* GID for VFS ops */
UserNamespace uint32 /* User Namespace of the of the event */
SecureBits uint32 /* SUID-less security management */
CapInheritable uint64 /* caps our children can inherit */
CapPermitted uint64 /* caps we're permitted */
CapEffective uint64 /* caps we can actually use */
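Review bot: The comment on the new `UserNamespace` field repeats "of the" and does not say what the value actually is; the kernel side of this PR fills it from `ns.inum`, so `UserNamespace uint32 /* inode number of the task's user namespace */` would be more accurate. SlimCred is presumably decoded from the kernel `slim_cred` struct by field order, so the placement before `SecureBits` has to stay in step with the C definition (this PR keeps them aligned); a short comment on the struct naming that coupling would protect future edits. The struct definition starts and ends outside the shown hunk.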
9 changes: 9 additions & 0 deletions tracee-ebpf/tracee/tracee.bpf.c
Expand Up @@ -439,6 +439,8 @@ typedef struct slim_cred {
gid_t egid; /* effective GID of the task */
uid_t fsuid; /* UID for VFS ops */
gid_t fsgid; /* GID for VFS ops */
u32 user_ns; /* User Namespace of the event */
u32 securebits; /* SUID-less security management */
u64 cap_inheritable; /* caps our children can inherit */
u64 cap_permitted; /* caps we're permitted */
u64 cap_effective; /* caps we can actually use */
Expand Down Expand Up @@ -2641,6 +2643,9 @@ int BPF_KPROBE(trace_commit_creds)
slim_cred_t old_slim = {0};
slim_cred_t new_slim = {0};

struct user_namespace* userns_old = READ_KERN(old->user_ns);
struct user_namespace* userns_new = READ_KERN(new->user_ns);

old_slim.uid = READ_KERN(old->uid.val);
old_slim.gid = READ_KERN(old->gid.val);
old_slim.suid = READ_KERN(old->suid.val);
Expand All @@ -2649,6 +2654,8 @@ int BPF_KPROBE(trace_commit_creds)
old_slim.egid = READ_KERN(old->egid.val);
old_slim.fsuid = READ_KERN(old->fsuid.val);
old_slim.fsgid = READ_KERN(old->fsgid.val);
old_slim.user_ns = READ_KERN(userns_old->ns.inum);
old_slim.securebits = READ_KERN(old->securebits);

new_slim.uid = READ_KERN(new->uid.val);
new_slim.gid = READ_KERN(new->gid.val);
Expand All @@ -2658,6 +2665,8 @@ int BPF_KPROBE(trace_commit_creds)
new_slim.egid = READ_KERN(new->egid.val);
new_slim.fsuid = READ_KERN(new->fsuid.val);
new_slim.fsgid = READ_KERN(new->fsgid.val);
new_slim.user_ns = READ_KERN(userns_new->ns.inum);
new_slim.securebits = READ_KERN(new->securebits);

// Currently, (2021), there are ~40 capabilities in the Linux kernel which are stored in an u32 array of length 2.
// This might change in the (not so near) future as more capabilities will be added.
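Review bot: The nested `READ_KERN(userns_old->ns.inum)` in the trace_commit_creds hunk runs even when the preceding `READ_KERN(old->user_ns)` failed and left `userns_old` NULL; if READ_KERN zero-initialises its result on a failed probe read (as it appears to), the event then silently carries `user_ns == 0`, which consumers cannot tell apart from a genuine value. A comment such as `/* 0 means the namespace could not be read, not a real inum */` next to these reads, or a guard `if (userns_old) old_slim.user_ns = READ_KERN(userns_old->ns.inum);`, would make that explicit; the same applies to the `new` side in the last hunk. The `user_ns` field comment in the struct hunk should also say that it holds the namespace inode number rather than a pointer or id, e.g. `u32 user_ns; /* inode number (ns.inum) of the task's user namespace */`. trace_commit_creds starts and ends outside the shown hunks.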