packages/secDetector
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!36 backport patchs to master

Browse Source 
From: @hurricane618 
Reviewed-by: @chenjingwen6, @zcfsite 
Signed-off-by: @zcfsite
This commit is contained in:
openeuler-ci-bot 2024-02-20 12:39:25 +00:00 committed by Gitee
commit 048b57b052
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
35 changed files with 3081 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

166
Backport-add-handle-cleanup-and-refactor-Subscribe-UnSubscrib.patch Normal file
View File

@ -0,0 +1,166 @@
From aca8d49dea577cac55a6b9704770882f18649fb9 Mon Sep 17 00:00:00 2001
From: hurricane618 <hurricane618@hotmail.com>
Date: Fri, 1 Dec 2023 01:26:18 +0800
Subject: [PATCH 3/6] add handle cleanup and refactor Subscribe/UnSubscribe
1. fix error residue handle
2. refactor Subscribe and UnSubscribe
Signed-off-by: hurricane618 <hurricane618@hotmail.com>
---
observer_agent/grpc_comm/Makefile | 8 +----
observer_agent/grpc_comm/grpc_api.h | 9 ++++-
observer_agent/grpc_comm/server.cpp | 51 +++++++++++++++++++++++++++--
3 files changed, 58 insertions(+), 10 deletions(-)
diff --git a/observer_agent/grpc_comm/Makefile b/observer_agent/grpc_comm/Makefile
index 4dbaa46..3c87ad8 100644
--- a/observer_agent/grpc_comm/Makefile
+++ b/observer_agent/grpc_comm/Makefile
@@ -38,13 +38,7 @@ PROTOS_PATH = ./protos
vpath %.proto $(PROTOS_PATH)
-all: system-check client server client_pub_demo client_sub_demo server_demo
-
-client: comm_api.pb.o comm_api.grpc.pb.o client.o
- @echo "only compile client don't link"
-
-server: comm_api.pb.o comm_api.grpc.pb.o server.o
- @echo "only compile server don't link"
+all: system-check client_pub_demo client_sub_demo server_demo
client_pub_demo: comm_api.pb.o comm_api.grpc.pb.o client.o client_pub_demo.o
$(CXX) $^ $(LDFLAGS) -o $@
diff --git a/observer_agent/grpc_comm/grpc_api.h b/observer_agent/grpc_comm/grpc_api.h
index 7b19552..44d4aa9 100644
--- a/observer_agent/grpc_comm/grpc_api.h
+++ b/observer_agent/grpc_comm/grpc_api.h
@@ -18,6 +18,8 @@ using grpc::ServerBuilder;
using grpc::ServerContext;
using grpc::ServerWriter;
+#define MAX_CONNECTION 5
+
class PubSubServiceImpl final : public SubManager::Service
{
public:
@@ -26,7 +28,12 @@ class PubSubServiceImpl final : public SubManager::Service
grpc::Status UnSubscribe(ServerContext *context, const UnSubscribeRequest *request, Message *response);
private:
- std::unordered_map<int, std::vector<ServerWriter<Message> *>> subscribers_;
+ std::unordered_map<std::string, std::vector<int>> suber_topic_;
+ std::unordered_map<std::string, std::vector<ServerWriter<Message> *>> suber_writer_;
+ std::unordered_map<std::string, std::vector<int>> suber_connection_;
+ std::mutex sub_mutex;
+ int connection_num = 0;
+ bool connect_status[MAX_CONNECTION] = {false};
};
void StopServer();
diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
index 04e8163..54ae66f 100644
--- a/observer_agent/grpc_comm/server.cpp
+++ b/observer_agent/grpc_comm/server.cpp
@@ -28,6 +28,7 @@ using grpc::ServerContext;
using grpc::ServerWriter;
#define MAX_CONNECTION 5
+#define CHECK_TIME 60
class PubSubServiceImpl final : public SubManager::Service
{
@@ -38,6 +39,8 @@ class PubSubServiceImpl final : public SubManager::Service
int cli_topic = request->topic();
std::string cli_name = request->sub_name();
Message msg;
+ Message keepalive_msg;
+ int i = 0, tmp_index;
if (connection_num >= MAX_CONNECTION) {
msg.set_text("over max connection number!");
@@ -65,8 +68,28 @@ class PubSubServiceImpl final : public SubManager::Service
sub_mutex.lock();
+ for (tmp_index = 0; tmp_index < MAX_CONNECTION; tmp_index++)
+ {
+ if (!connect_status[tmp_index])
+ break;
+ }
+
+ if (tmp_index == MAX_CONNECTION)
+ {
+ sub_mutex.unlock();
+ msg.set_text("multi-process max connection number!");
+ if (!writer->Write(msg))
+ {
+ std::cerr << "Failed to write the initial message" << std::endl;
+ return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+ }
+ return grpc::Status(grpc::StatusCode::INTERNAL, "multi-process max connection number, Failed to Subscribe the topic");
+ }
+
suber_topic_[cli_name].push_back(cli_topic);
suber_writer_[cli_name].push_back(writer);
+ suber_connection_[cli_name].push_back(tmp_index);
+ connect_status[tmp_index] = true;
connection_num++;
sub_mutex.unlock();
@@ -78,9 +101,29 @@ class PubSubServiceImpl final : public SubManager::Service
return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
}
- // ToDo: set some condition to break loop
- while (1)
+ keepalive_msg.set_text("keepalive");
+ while (connect_status[tmp_index])
{
+ sleep(CHECK_TIME);
+ if (!writer->Write(keepalive_msg))
+ {
+ for (auto topic_item : suber_topic_[cli_name])
+ {
+ if (topic_item == cli_topic)
+ {
+ sub_mutex.lock();
+ suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
+ suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
+ connect_status[suber_connection_[cli_name].at(i)] = false;
+ suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
+ connection_num--;
+ sub_mutex.unlock();
+ break;
+ }
+ i++;
+ }
+ return grpc::Status(grpc::StatusCode::INTERNAL, "writer is lose!");
+ }
}
return grpc::Status::OK;
}
@@ -136,6 +179,8 @@ class PubSubServiceImpl final : public SubManager::Service
{
suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
+ connect_status[suber_connection_[cli_name].at(i)] = false;
+ suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
connection_num--;
unsub_flag = 1;
break;
@@ -155,8 +200,10 @@ class PubSubServiceImpl final : public SubManager::Service
private:
std::unordered_map<std::string, std::vector<int>> suber_topic_;
std::unordered_map<std::string, std::vector<ServerWriter<Message> *>> suber_writer_;
+ std::unordered_map<std::string, std::vector<int>> suber_connection_;
std::mutex sub_mutex;
int connection_num = 0;
+ bool connect_status[MAX_CONNECTION] = {false};
};
std::unique_ptr<Server> server;
--
2.33.0

48
Backport-add-lock-limit-publish-API.patch Normal file
View File

@ -0,0 +1,48 @@
From b6705fe2d5b4aefdc0db16ae6ec9d75b69e8f421 Mon Sep 17 00:00:00 2001
From: hurricane618 <hurricane618@hotmail.com>
Date: Wed, 6 Dec 2023 22:12:27 +0800
Subject: [PATCH] add lock limit publish API
call publish too quick, so add lock to limit it.
Signed-off-by: hurricane618 <hurricane618@hotmail.com>
---
observer_agent/service/main.cpp | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/observer_agent/service/main.cpp b/observer_agent/service/main.cpp
index bd01690..8c24345 100644
--- a/observer_agent/service/main.cpp
+++ b/observer_agent/service/main.cpp
@@ -80,6 +80,10 @@ static void sig_handler(int sig)
}
static bool debug = false;
+static std::string server_address("unix:///var/run/secDetector.sock");
+PubSubClient client;
+std::mutex pub_mutex;
+
static void push_log(int type, const std::string &content)
{
if ((topic_mask & type) == 0)
@@ -92,8 +96,7 @@ static void push_log(int type, const std::string &content)
}
// push to grpc
- std::string server_address("unix:///var/run/secDetector.sock");
- PubSubClient client(grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials()));
+ std::lock_guard<std::mutex> lock(pub_mutex);
client.Publish(type, content);
}
@@ -179,6 +182,7 @@ int main(int argc, char *argv[])
std::thread thread_grpc = std::thread(RunServer);
std::thread thread_ebpf_process = std::thread(StartProcesseBPFProg, ebpf_cb, ringbuf_size_bytes, topic_mask);
std::thread thread_ebpf_file = std::thread(StartFileBPFProg, ebpf_cb, ringbuf_size_bytes, topic_mask);
+ client.init(grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials()));
while (exiting == 0)
{
--
2.33.0

78
Backport-add-nullptr-check-in-Subscribe.patch Normal file
View File

@ -0,0 +1,78 @@
From ce029db530429609847b38ae7bae2428064e3a27 Mon Sep 17 00:00:00 2001
From: hurricane618 <hurricane618@hotmail.com>
Date: Mon, 4 Dec 2023 10:06:55 +0800
Subject: [PATCH 5/6] add nullptr check in Subscribe
fix leak of nullptr problem
Signed-off-by: hurricane618 <hurricane618@hotmail.com>
---
observer_agent/grpc_comm/client.cpp | 10 ++++++++--
observer_agent/grpc_comm/server.cpp | 15 ++++++++-------
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/observer_agent/grpc_comm/client.cpp b/observer_agent/grpc_comm/client.cpp
index ecb54ae..84b5c96 100644
--- a/observer_agent/grpc_comm/client.cpp
+++ b/observer_agent/grpc_comm/client.cpp
@@ -43,16 +43,22 @@ std::unique_ptr<ClientReader<Message>> PubSubClient::Subscribe(const int topic)
SubscribeRequest request;
request.set_topic(topic);
request.set_sub_name(uuid_str);
+ std::string ret_info;
Message msg;
SubFlag = true;
std::unique_ptr<ClientReader<Message>> reader = stub_->Subscribe(&context, request);
- if (reader == nullptr)
+ ret_info = ReadFrom(reader);
+
+ if (ret_info.substr(0, 6) == "topic:")
+ {
+ std::cout << "Success subscribe." << std::endl;
+ return reader;
+ } else
{
std::cerr << "Failed to subscribe." << std::endl;
return nullptr;
}
- return reader;
}
void PubSubClient::Publish(const int topic, const std::string &content)
diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
index 54ae66f..d53866f 100644
--- a/observer_agent/grpc_comm/server.cpp
+++ b/observer_agent/grpc_comm/server.cpp
@@ -86,6 +86,14 @@ class PubSubServiceImpl final : public SubManager::Service
return grpc::Status(grpc::StatusCode::INTERNAL, "multi-process max connection number, Failed to Subscribe the topic");
}
+ msg.set_text("topic: " + std::to_string(cli_topic) + " Subscribe success!");
+ if (!writer->Write(msg))
+ {
+ std::cerr << "Failed to write the initial message" << std::endl;
+ sub_mutex.unlock();
+ return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+ }
+
suber_topic_[cli_name].push_back(cli_topic);
suber_writer_[cli_name].push_back(writer);
suber_connection_[cli_name].push_back(tmp_index);
@@ -94,13 +102,6 @@ class PubSubServiceImpl final : public SubManager::Service
sub_mutex.unlock();
- msg.set_text("topic: " + std::to_string(cli_topic) + " Subscribe success!");
- if (!writer->Write(msg))
- {
- std::cerr << "Failed to write the initial message" << std::endl;
- return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
- }
-
keepalive_msg.set_text("keepalive");
while (connect_status[tmp_index])
{
--
2.33.0

87
Backport-bug-fix-memory-leak-in-sc-analyze-unit.patch Normal file
View File

@ -0,0 +1,87 @@
From 2ff0256c1ca0bfb1e119fc419d2a9c3e7a48fc22 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Wed, 20 Dec 2023 15:31:22 +0800
Subject: [PATCH] bug fix memory leak in sc analyze unit
---
.../analyze_unit/secDetector_save_check.c | 24 +++++++++++++------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
index 4a5f689..788de3e 100644
--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
+++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
@@ -38,6 +38,11 @@ static int init_analyze_status_data_sc(analyze_status_t *analyze_status_data, in
return 0;
}
analyze_status_data->sc_data.data = kmalloc(sizeof(unsigned long long) * len, GFP_KERNEL);
+ if (analyze_status_data->sc_data.data == NULL) {
+ pr_err("kmalloc failed");
+ return -ENOMEM;
+ }
+ analyze_status_data->sc_data.data_type = ANALYZE_STATUS_SAVE_CHECK;
analyze_status_data->sc_data.len = len;
return 0;
}
@@ -51,6 +56,7 @@ void free_analyze_status_data_sc(analyze_status_t *analyze_status_data)
static int analyze_save_check_init(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data)
{
+ int ret = 0;
int data_index = 0;
struct collect_data *cd;
list_for_each_entry(cd, collect_data_list, list) {
@@ -58,7 +64,9 @@ static int analyze_save_check_init(struct list_head *collect_data_list, analyze_
continue;
data_index++;
}
- init_analyze_status_data_sc(analyze_status_data, data_index);
+ ret = init_analyze_status_data_sc(analyze_status_data, data_index);
+ if (ret < 0)
+ return ret;
data_index = 0;
list_for_each_entry(cd, collect_data_list, list) {
@@ -89,7 +97,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
unsigned long long measure_value;
struct collect_data *cd;
char *timestamp = NULL;
- int timestamp_len;
+ int timestamp_len = 0;
char **response_arrays;
int response_array_index = 0;
char int_str[MAX_DIGITS];
@@ -124,7 +132,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
break;
}
if (measure_value != analyze_status_data->sc_data.data[data_index]) {
- pr_warn("[save_check]%s: original: %llu; now: %llu.!\n",
+ pr_debug("[save_check]%s: original: %llu; now: %llu.!\n",
cd->name, analyze_status_data->sc_data.data[data_index], measure_value);
response_arrays[response_array_index] = kzalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
if (response_arrays[response_array_index] == NULL) {
@@ -162,15 +170,17 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
ret = -ENOMEM;
goto end;
}
- if (timestamp_len > 0) {
- strncat(response_data->report_data.text, timestamp, timestamp_len);
- kfree(timestamp);
- }
+
for (i = 0; i < response_array_index; i++)
strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i]));
strcat(response_data->report_data.text, "\n");
}
+
end:
+ if (timestamp_len > 0) {
+ strncat(response_data->report_data.text, timestamp, timestamp_len);
+ kfree(timestamp);
+}
for (i = 0; i < response_array_index; i++)
kfree(response_arrays[i]);
kfree(response_arrays);
--
2.33.0

50
Backport-check-value-for-topic.patch Normal file
View File

@ -0,0 +1,50 @@
From 585ac671ed21faa9d84cbab1609f2557857e5204 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Tue, 21 Nov 2023 21:21:26 +0800
Subject: [PATCH] check value for topic
---
lib/secDetector_sdk.cpp | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
index 208f4ac..ee76079 100644
--- a/lib/secDetector_sdk.cpp
+++ b/lib/secDetector_sdk.cpp
@@ -18,7 +18,7 @@
#include <iostream>
#include "../observer_agent/grpc_comm/grpc_api.h"
-#define ALLTOPIC 0x008FFFFF
+#define ALLTOPIC 0x00FFFFFF
using namespace std;
static string server_address("unix:///var/run/secDetector.sock");
static PubSubClient g_client(grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials()));
@@ -32,8 +32,10 @@ extern "C" {
void *secSub(const int topic)
{
- if (!(topic & ALLTOPIC))
+ if (topic <= 0 || topic > ALLTOPIC) {
+ printf("secSub failed, topic:%d is error\n", topic);
return NULL;
+ }
unique_ptr<ClientReader<Message>> reader = g_client.Subscribe(topic);
@@ -47,8 +49,10 @@ void *secSub(const int topic)
void secUnsub(const int topic, void *reader)
{
- if (!(topic & ALLTOPIC))
- return;
+ if (topic <= 0 || topic > ALLTOPIC) {
+ printf("secUnsub failed, topic:%d is error\n", topic);
+ return;
+ }
if (!reader)
return;
--
2.33.0

110
Backport-createfile-check-f_mode-and-fix-typo.patch Normal file
View File

@ -0,0 +1,110 @@
From bb4b1875241741b0329555342f82ab820cf12187 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Sat, 9 Dec 2023 15:29:01 +0800
Subject: createfile check f_mode and fix typo
---
include/secDetector_topic.h | 2 +-
observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 5 ++++-
observer_agent/ebpf/file_ebpf/file_fentry.c | 2 +-
observer_agent/ebpf/file_ebpf/test_file_fentry.c | 2 +-
observer_agent/ebpf/test_fentry.c | 2 +-
observer_agent/service/ebpf_converter.cpp | 2 +-
6 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/include/secDetector_topic.h b/include/secDetector_topic.h
index 7320042..93a6872 100644
--- a/include/secDetector_topic.h
+++ b/include/secDetector_topic.h
@@ -17,7 +17,7 @@
#ifndef SECDETECTOR_TOPIC_H
#define SECDETECTOR_TOPIC_H
/* file */
-#define CREATFILE 0x00000001
+#define CREATEFILE 0x00000001
#define DELFILE 0x00000002
#define SETFILEATTR 0x00000004
#define WRITEFILE 0x00000008
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
index f4e7e44..941b785 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
@@ -13,6 +13,7 @@
#define O_CREAT 100
#define LOOKUP_CREATE 0x0200
+#define FMODE_CREATED 0x100000
char LICENSE[] SEC("license") = "Dual BSD/GPL";
@@ -112,12 +113,14 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
return 0;
if (!S_ISREG(ret_file->f_inode->i_mode))
return 0;
+ if (!(ret_file->f_mode & FMODE_CREATED))
+ return 0;
e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
if (!e)
return 0;
- e->type = CREATFILE;
+ e->type = CREATEFILE;
struct task_struct *parent = NULL;
struct task_struct *task = NULL;
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.c b/observer_agent/ebpf/file_ebpf/file_fentry.c
index bf445ab..daec6e3 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.c
@@ -44,7 +44,7 @@ static void DisableProg(struct bpf_object_skeleton *s, const char *prog_name)
static void DisableProgBasedOnMask(struct bpf_object_skeleton *skel, int mask)
{
- if ((mask & CREATFILE) == 0) {
+ if ((mask & CREATEFILE) == 0) {
DisableProg(skel, "do_filp_open_exit");
}
diff --git a/observer_agent/ebpf/file_ebpf/test_file_fentry.c b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
index a9ea778..c22d2ef 100644
--- a/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+++ b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
@@ -9,7 +9,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
printf("timestamp:%llu event_name:%s exe:%s pid:%u tgid:%u uid:%u gid:%u comm:%s"
" sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,e->pcomm, e->nodename, e->pns, e->root_pns);
- if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
printf(" filename:%s", e->file_info.filename);
if (e->type & SETFILEATTR)
printf(" name:%s value:%s old_value:%s", e->file_info.name, e->file_info.value,e->file_info.old_value);
diff --git a/observer_agent/ebpf/test_fentry.c b/observer_agent/ebpf/test_fentry.c
index 0616958..330e82a 100644
--- a/observer_agent/ebpf/test_fentry.c
+++ b/observer_agent/ebpf/test_fentry.c
@@ -24,7 +24,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
" sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,
e->pcomm, e->nodename, e->pns, e->root_pns);
- if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
printf(" filename:%s", e->file_info.filename);
printf(" exit_code: %u\n", e->process_info.exit_code);
return 0;
diff --git a/observer_agent/service/ebpf_converter.cpp b/observer_agent/service/ebpf_converter.cpp
index 27a2e37..4d8d8ba 100644
--- a/observer_agent/service/ebpf_converter.cpp
+++ b/observer_agent/service/ebpf_converter.cpp
@@ -158,7 +158,7 @@ static std::map<int, convert_func_t> convert_funcs = {
{CREATPROCESS, convert_creat_process},
{DESTROYPROCESS, convert_destroy_process},
{SETPROCESSATTR, convert_set_process_attr},
- {CREATFILE, convert_common_file},
+ {CREATEFILE, convert_common_file},
{DELFILE, convert_common_file},
{SETFILEATTR, convert_set_file_attr},
{WRITEFILE, convert_common_file},
--
2.33.0

33
Backport-creatfile-check-op-intent-value.patch Normal file
View File

@ -0,0 +1,33 @@
From b3108cabb7ff97f8bb8b8398842cb2e8c623664c Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Wed, 6 Dec 2023 16:13:13 +0800
Subject: creatfile check op intent value
---
observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
index 7afb7e2..f4e7e44 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
@@ -12,6 +12,7 @@
#define S_ISREG(m) (((m) & S_IFMT) == S_IFREG)
#define O_CREAT 100
+#define LOOKUP_CREATE 0x0200
char LICENSE[] SEC("license") = "Dual BSD/GPL";
@@ -107,7 +108,7 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
struct ebpf_event *e = NULL;
RETURN_ZERO_IF_OURSELF();
- if (op && !(op->open_flag & O_CREAT))
+ if (op && (!(op->open_flag & O_CREAT) || !(op->intent & LOOKUP_CREATE)))
return 0;
if (!S_ISREG(ret_file->f_inode->i_mode))
return 0;
--
2.33.0

37
Backport-del-useless-code-for-timestamp.patch Normal file
View File

@ -0,0 +1,37 @@
From 8798032e6dafed4730c51fb796347fb7b5092d7c Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Wed, 29 Nov 2023 10:15:00 +0800
Subject: del useless code for timestamp
---
.../kmodule_baseline/secDetector_mc_kmodule_baseline.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
index 6a7edda..cff1ff5 100644
--- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
@@ -17,7 +17,6 @@
#define MODULE_LIST_MAXSIZE 0x10000
#define NAME_LEN 4096
-#define HEADER_MSG_LEN 128
#define KMODULE_BASELINE_TYPE 0x00800000
typedef struct chkrkatt_module {
@@ -79,12 +78,6 @@ static void report_kmodule_baseline(void)
pr_err("module_name_all kzalloc failed\n");
return;
}
- header_msg = (char *)kzalloc(HEADER_MSG_LEN, GFP_ATOMIC);
- if (header_msg == NULL) {
- pr_err("hearder_msg kzalloc failed\n");
- kfree(module_name_all);
- return;
- }
header_msg_len = get_timestamp_str(&header_msg);
if (header_msg_len <= 0)
--
2.33.0

268
Backport-fix-6.x-kernel-compile-error.patch Normal file
View File

@ -0,0 +1,268 @@
From 0583e13c466bf0be32ccbfbb854e4aff41fb32ff Mon Sep 17 00:00:00 2001
From: hurricane618 <hurricane618@hotmail.com>
Date: Mon, 19 Feb 2024 23:31:59 +0800
Subject: [PATCH] fix 6.x kernel compile error
---
kerneldriver/cases/Makefile | 2 +
.../secDetector_mc_kmodule_baseline.c | 5 ++
.../secDetector_program_action.c | 41 +++++++++++++
.../response_unit/secDetector_ringbuffer.c | 12 +++-
observer_agent/CMakeLists.txt | 4 +-
observer_agent/grpc_comm/Makefile | 59 +------------------
6 files changed, 63 insertions(+), 60 deletions(-)
diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile
index 5a94e50..146fbee 100644
--- a/kerneldriver/cases/Makefile
+++ b/kerneldriver/cases/Makefile
@@ -26,8 +26,10 @@ ifndef KDIR
KDIR=$(KERNEL_SRC)
endif
+ifneq ($(VERSION), 6)
KBUILD_EXTRA_SYMBOLS += $(PWD)/../core/Module.symvers
export KBUILD_EXTRA_SYMBOLS
+endif
all:
$(MAKE) -C $(KERNEL_SRC) M=$(PWD) modules KCPPFLAGS="${cflags-y}"
diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
index 9a051ca..b799f9f 100644
--- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
@@ -10,6 +10,7 @@
#include <linux/list.h>
#include <linux/spinlock.h>
#include <linux/slab.h>
+#include <linux/version.h>
#include <time.h>
#include "secDetector_mc_kmodule_baseline.h"
#include "secDetector_response.h"
@@ -123,7 +124,9 @@ void check_kmodule_baseline(void)
if (module_kset == NULL)
return;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 0, 0)
mutex_lock(&module_mutex);
+#endif
spin_lock(&module_kset->list_lock);
list_for_each_entry(k, &module_kset->list, entry) {
if (k->name == NULL)
@@ -137,7 +140,9 @@ void check_kmodule_baseline(void)
break;
}
spin_unlock(&module_kset->list_lock);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 0, 0)
mutex_unlock(&module_mutex);
+#endif
report_kmodule_baseline();
free_kmodule_baseline();
diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
index f571c08..facd3b2 100644
--- a/kerneldriver/cases/program_action/secDetector_program_action.c
+++ b/kerneldriver/cases/program_action/secDetector_program_action.c
@@ -38,6 +38,7 @@
#include <linux/ctype.h>
#include <linux/cred.h>
#include <linux/kthread.h>
+#include <linux/version.h>
#include <string.h>
#include "secDetector_manager.h"
@@ -84,6 +85,46 @@ struct process_info {
int umask;
};
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+struct file *get_mm_exe_file(struct mm_struct *mm)
+{
+ struct file *exe_file;
+
+ rcu_read_lock();
+ exe_file = get_file_rcu(&mm->exe_file);
+ rcu_read_unlock();
+ return exe_file;
+}
+#else
+struct file *get_mm_exe_file(struct mm_struct *mm)
+{
+ struct file *exe_file;
+
+ rcu_read_lock();
+ exe_file = rcu_dereference(mm->exe_file);
+ if (exe_file && !get_file_rcu(exe_file))
+ exe_file = NULL;
+ rcu_read_unlock();
+ return exe_file;
+}
+#endif
+struct file *get_task_exe_file(struct task_struct *task)
+{
+ struct file *exe_file = NULL;
+ struct mm_struct *mm;
+
+ spin_lock(&task->alloc_lock);
+ mm = task->mm;
+ if (mm) {
+ if (!(task->flags & PF_KTHREAD))
+ exe_file = get_mm_exe_file(mm);
+ }
+ spin_unlock(&task->alloc_lock);
+ return exe_file;
+}
+#endif
+
char *get_process_path(struct task_struct *p, char *pathname, int len)
{
char *process_path = NULL;
diff --git a/kerneldriver/core/response_unit/secDetector_ringbuffer.c b/kerneldriver/core/response_unit/secDetector_ringbuffer.c
index b367d74..27e8640 100644
--- a/kerneldriver/core/response_unit/secDetector_ringbuffer.c
+++ b/kerneldriver/core/response_unit/secDetector_ringbuffer.c
@@ -17,6 +17,7 @@
#include <linux/module.h>
#include <linux/kmemleak.h>
#include <linux/fs.h>
+#include <linux/version.h>
static unsigned long rb_datasz;
static unsigned long rb_mask;
@@ -287,7 +288,11 @@ static int ringbuffer_mmap(struct file *flip, struct vm_area_struct *vma)
vma->vm_end - vma->vm_start != PAGE_SIZE)
return -EPERM;
} else {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0)
+ vm_flags_clear(vma, VM_MAYWRITE);
+#else
vma->vm_flags &= ~VM_MAYWRITE;
+#endif
}
/* remap_vmalloc_range() checks size and offset */
return remap_vmalloc_range(vma, g_rb, vma->vm_pgoff + RINGBUF_PGOFF);
@@ -366,8 +371,11 @@ int __init secDetector_ringbuf_dev_init(unsigned int rb_sz)
ret = major;
goto error_free;
}
-
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0)
+ class = class_create(MODULE_DEVICE);
+#else
class = class_create(THIS_MODULE, MODULE_DEVICE);
+#endif
if (IS_ERR(class)) {
ret = PTR_ERR(class);
goto error_class_create;
@@ -398,4 +406,4 @@ void __exit secDetector_ringbuf_dev_exit(void)
class_destroy(class);
unregister_chrdev(major, MODULE_DEVICE);
ringbuf_free(g_rb);
-}
\ No newline at end of file
+}
diff --git a/observer_agent/CMakeLists.txt b/observer_agent/CMakeLists.txt
index f110b49..297fcc0 100644
--- a/observer_agent/CMakeLists.txt
+++ b/observer_agent/CMakeLists.txt
@@ -1,7 +1,7 @@
cmake_minimum_required(VERSION 3.22)
add_subdirectory(ebpf)
-set(CMAKE_CXX_STANDARD 11)
+set(CMAKE_CXX_STANDARD 17)
project(observer_agent VERSION 1.0 LANGUAGES CXX)
set(GRPC_PATH ${CMAKE_CURRENT_SOURCE_DIR}/grpc_comm)
add_custom_target(grpc_demo ALL
@@ -16,5 +16,5 @@ target_include_directories(secDetectord PUBLIC service grpc_comm ${CMAKE_SOURCE_
target_link_libraries(secDetectord ${CMAKE_CURRENT_BINARY_DIR}/ebpf/.output/fentry.o)
target_link_libraries(secDetectord ${CMAKE_CURRENT_BINARY_DIR}/ebpf/file_ebpf/.output/file_fentry.o)
target_link_libraries(secDetectord ${GRPC_PATH}/comm_api.pb.o ${GRPC_PATH}/comm_api.grpc.pb.o)
-target_link_libraries(secDetectord protobuf grpc++ grpc absl_synchronization uuid)
+target_link_libraries(secDetectord protobuf grpc++ grpc absl_synchronization absl_log_internal_message absl_log_internal_check_op absl_cord absl_cordz_info absl_cordz_functions absl_cordz_handle gpr uuid)
target_link_libraries(secDetectord z elf bpf)
diff --git a/observer_agent/grpc_comm/Makefile b/observer_agent/grpc_comm/Makefile
index 3c87ad8..0556a16 100644
--- a/observer_agent/grpc_comm/Makefile
+++ b/observer_agent/grpc_comm/Makefile
@@ -17,8 +17,8 @@
HOST_SYSTEM = $(shell uname | cut -f 1 -d_)
SYSTEM ?= $(HOST_SYSTEM)
CXX = g++
-CPPFLAGS += `pkg-config --cflags protobuf grpc`
-CXXFLAGS += -std=c++11 -fPIC
+CPPFLAGS += `pkg-config --cflags protobuf grpc` -std=c++17
+CXXFLAGS += -fPIC
ifeq ($(SYSTEM),Darwin)
LDFLAGS += -L/usr/local/lib `pkg-config --libs protobuf grpc++`\
-pthread\
@@ -38,7 +38,7 @@ PROTOS_PATH = ./protos
vpath %.proto $(PROTOS_PATH)
-all: system-check client_pub_demo client_sub_demo server_demo
+all: client_pub_demo client_sub_demo server_demo
client_pub_demo: comm_api.pb.o comm_api.grpc.pb.o client.o client_pub_demo.o
$(CXX) $^ $(LDFLAGS) -o $@
@@ -58,56 +58,3 @@ server_demo: comm_api.pb.o comm_api.grpc.pb.o server.o server_demo.o
clean:
rm -f *.o *.pb.cc *.pb.h server_demo client_sub_demo client_pub_demo
-
-# The following is to test your system and ensure a smoother experience.
-# They are by no means necessary to actually compile a grpc-enabled software.
-
-PROTOC_CMD = which $(PROTOC)
-PROTOC_CHECK_CMD = $(PROTOC) --version | grep -q libprotoc.3
-PLUGIN_CHECK_CMD = which $(GRPC_CPP_PLUGIN)
-HAS_PROTOC = $(shell $(PROTOC_CMD) > /dev/null && echo true || echo false)
-ifeq ($(HAS_PROTOC),true)
-HAS_VALID_PROTOC = $(shell $(PROTOC_CHECK_CMD) 2> /dev/null && echo true || echo false)
-endif
-HAS_PLUGIN = $(shell $(PLUGIN_CHECK_CMD) > /dev/null && echo true || echo false)
-
-SYSTEM_OK = false
-ifeq ($(HAS_VALID_PROTOC),true)
-ifeq ($(HAS_PLUGIN),true)
-SYSTEM_OK = true
-endif
-endif
-
-system-check:
-ifneq ($(HAS_VALID_PROTOC),true)
- @echo " DEPENDENCY ERROR"
- @echo
- @echo "You don't have protoc 3.0.0 installed in your path."
- @echo "Please install Google protocol buffers 3.0.0 and its compiler."
- @echo "You can find it here:"
- @echo
- @echo " https://github.com/protocolbuffers/protobuf/releases/tag/v3.0.0"
- @echo
- @echo "Here is what I get when trying to evaluate your version of protoc:"
- @echo
- -$(PROTOC) --version
- @echo
- @echo
-endif
-ifneq ($(HAS_PLUGIN),true)
- @echo " DEPENDENCY ERROR"
- @echo
- @echo "You don't have the grpc c++ protobuf plugin installed in your path."
- @echo "Please install grpc. You can find it here:"
- @echo
- @echo " https://github.com/grpc/grpc"
- @echo
- @echo "Here is what I get when trying to detect if you have the plugin:"
- @echo
- -which $(GRPC_CPP_PLUGIN)
- @echo
- @echo
-endif
-ifneq ($(SYSTEM_OK),true)
- @false
-endif
--
2.21.0

24
Backport-fix-bug-of-mc-case-not-collect-data.patch Normal file
View File

@ -0,0 +1,24 @@
From b1689ab1e8e79f7e8125adb2c8f8614d90eb3209 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Tue, 28 Nov 2023 10:49:35 +0800
Subject: fix bug of mc case not collect data
---
.../cases/memory_corruption/secDetector_memory_corruption.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
index 5b487ac..c9e9868 100644
--- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
+++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
@@ -43,6 +43,7 @@ static struct secDetector_workflow workflow_array[] = {
.workflow_type = WORKFLOW_PRESET,
.hook_type = SECDETECTOR_TIMER,
.collect_array = collect_array,
+ .collect_array_len = ARRAY_SIZE(collect_array),
.analyze_type = ANALYZE_PRESET_SAVE_CHECK,
.interval = TIME_INTERVAL,
.enabled = ATOMIC_INIT(true)
--
2.33.0

63
Backport-fix-invalid-TUF-8-data-in-memory-corruption-module.patch Normal file
View File

@ -0,0 +1,63 @@
From b1a7122cfd360a9a3012555bc7e5821e1fbe7a34 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Thu, 14 Dec 2023 17:02:34 +0800
Subject: [PATCH 4/4] fix invalid TUF-8 data in memory corruption module
---
.../analyze_unit/secDetector_save_check.c | 22 +++++++++----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
index 72c4948..0ab40ce 100644
--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
+++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
@@ -124,25 +124,25 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
break;
}
if (measure_value != analyze_status_data->sc_data.data[data_index]) {
- pr_debug("[save_check]%s: original: %llx; now: %llx.!\n",
+ pr_debug("[save_check]%s: original: %lld; now: %lld.!\n",
cd->name, analyze_status_data->sc_data.data[data_index], measure_value);
- response_arrays[response_array_index] = kmalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
+ response_arrays[response_array_index] = kzalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
if (response_arrays[response_array_index] == NULL) {
- pr_err("kmalloc failed");
+ pr_err("kzalloc failed");
ret = -ENOMEM;
goto end;
}
- strcpy(response_arrays[response_array_index], "[save_check]");
+ strcpy(response_arrays[response_array_index], " secswitch_name=");
//应该有 workflow的名字
strncat(response_arrays[response_array_index], cd->name, strlen(cd->name));
- strcat(response_arrays[response_array_index],": original: ");
- sprintf(int_str, "%llx", analyze_status_data->sc_data.data[data_index]);
+ strcat(response_arrays[response_array_index]," old_value=");
+ sprintf(int_str, "%lld", analyze_status_data->sc_data.data[data_index]);
strncat(response_arrays[response_array_index], int_str, strlen(int_str));
- strcat(response_arrays[response_array_index],"; now: ");
- sprintf(int_str, "%llx", measure_value);
+ strcat(response_arrays[response_array_index]," new_value=");
+ sprintf(int_str, "%lld", measure_value);
strncat(response_arrays[response_array_index], int_str, strlen(int_str));
- strcat(response_arrays[response_array_index],".!\n");
+ strcat(response_arrays[response_array_index],".\n");
response_data_char_len += strlen(response_arrays[response_array_index]);
ret = RESPONSE_REPORT;
@@ -156,9 +156,9 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
timestamp_len = get_timestamp_str(&timestamp);
response_data->report_data.type = event_type;
response_data->report_data.len = response_data_char_len + timestamp_len;
- response_data->report_data.text = kmalloc(response_data->report_data.len + 1, GFP_KERNEL);
+ response_data->report_data.text = kzalloc(response_data->report_data.len + 1, GFP_KERNEL);
if (response_data->report_data.text == NULL) {
- pr_err("kmalloc failed");
+ pr_err("kzalloc failed");
ret = -ENOMEM;
goto end;
}
--
2.33.0

127
Backport-fix-memleak-bug-in-secDetector_program_action.patch Normal file
View File

@ -0,0 +1,127 @@
From a4b7e62a1a24948a8f436ba3b5763317315e081a Mon Sep 17 00:00:00 2001
From: hurricane618 <hurricane618@hotmail.com>
Date: Wed, 29 Nov 2023 23:13:39 +0800
Subject: [PATCH 1/6] fix memleak bug in secDetector_program_action
fix memleak
Signed-off-by: hurricane618 <hurricane618@hotmail.com>
---
.../secDetector_program_action.c | 52 +++++--------------
1 file changed, 13 insertions(+), 39 deletions(-)
diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
index 4f8a555..504a36d 100644
--- a/kerneldriver/cases/program_action/secDetector_program_action.c
+++ b/kerneldriver/cases/program_action/secDetector_program_action.c
@@ -42,6 +42,7 @@
#include "secDetector_manager.h"
#include "secDetector_response.h"
+#include "secDetector_analyze.h"
#include <secDetector_module_type.h>
#define PATH_LEN 512
@@ -83,43 +84,6 @@ struct process_info {
int umask;
};
-int get_timestamp_str(char **ret_str)
-{
- struct timespec64 ts;
- struct tm stm;
- char *stm_str;
- int stm_str_len = 0;
-
- ktime_get_real_ts64(&ts);
- time64_to_tm(ts.tv_sec, 0, &stm);
-
- stm_str = (char *)kzalloc(TIME_STR_MAX_LEN, GFP_ATOMIC);
- if (stm_str == NULL) {
- pr_err("kzalloc failed\n");
- *ret_str = NULL;
- return 0;
- }
-
- stm_str_len = scnprintf(stm_str, TIME_STR_MAX_LEN,
- "timestamp=%04ld%02d%02d.%02d:%02d:%02d ",
- stm.tm_year + 1900, stm.tm_mon + 1, stm.tm_mday, stm.tm_hour, stm.tm_min, stm.tm_sec);
- if (stm_str_len <= 0) {
- pr_err("scnprintf failed\n");
- kfree(stm_str);
- *ret_str = NULL;
- return 0;
- }
-
- *ret_str = kstrdup(stm_str, GFP_KERNEL);
- if (*ret_str == NULL) {
- pr_err("kstrdup failed\n");
- stm_str_len = 0;
- }
-
- kfree(stm_str);
- return stm_str_len;
-}
-
char *get_process_path(struct task_struct *p, char *pathname, int len)
{
char *process_path = NULL;
@@ -276,7 +240,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
response_data_t log;
if (!pi) {
- pr_warn("get_common_process_info by fork failed\n");
+ pr_err("get_common_process_info by fork failed\n");
return 0;
}
@@ -302,6 +266,10 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
log.report_data.type = 0x00000800;
log.report_data.len = BUF_SIZE;
log.report_data.text = kzalloc(BUF_SIZE, GFP_ATOMIC);
+ if (!log.report_data.text) {
+ pr_err("log.report_data.text kzalloc failed!\n");
+ return 0;
+ }
snprintf(log.report_data.text, BUF_SIZE,
"%s event_type=call_api uid=%d exe=%s pid=%d comm=%s tgid=%d ppid=%d pcomm=%s pgid=%d sid=%d nodename=%s pns=%u root_pns=%u api_name=%s api_arg=[attach_task_pid=%d cur_task_pid=%d request=%ld addr=%lu flags=%lu]\n",
timestamp, pi->uid, pi->exe, pi->pid, pi->comm, pi->tgid, pi->ppid, pi->pcomm, pi->pgid, pi->sid, pi->nodename, pi->pns, pi->root_pns,
@@ -309,6 +277,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
secDetector_report(&log);
kfree(log.report_data.text);
+ kfree(timestamp);
put_common_process_info(pi);
return 0;
@@ -323,7 +292,7 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
response_data_t log;
if (!pi) {
- pr_warn("get_common_process_info by fork failed\n");
+ pr_err("get_common_process_info by fork failed\n");
return 0;
}
timestamp_len = get_timestamp_str(&timestamp);
@@ -331,6 +300,10 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
log.report_data.type = 0x00000200;
log.report_data.len = BUF_SIZE;
log.report_data.text = kzalloc(BUF_SIZE, GFP_ATOMIC);
+ if (!log.report_data.text) {
+ pr_err("log.report_data.text kzalloc failed!\n");
+ return 0;
+ }
snprintf(log.report_data.text, BUF_SIZE,
"%s event_type=createpipe uid=%d exe=%s pid=%d comm=%s tgid=%d ppid=%d pcomm=%s pgid=%d sid=%d nodename=%s pns=%u root_pns=%u dfd= pipe_name=%s\n",
timestamp, pi->uid, pi->exe, pi->pid, pi->comm, pi->tgid, pi->ppid, pi->pcomm, pi->pgid, pi->sid, pi->nodename, pi->pns, pi->root_pns,
@@ -338,6 +311,7 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
secDetector_report(&log);
kfree(log.report_data.text);
+ kfree(timestamp);
put_common_process_info(pi);
return 0;
--
2.33.0

68
Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch Normal file
View File

@ -0,0 +1,68 @@
From 6d1833b44b7cdea6c8459df8c431f1779afa2ab8 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Mon, 27 Nov 2023 15:29:30 +0800
Subject: fix memory leak bug in sc analyze unit
---
README.md | 2 +-
.../core/analyze_unit/secDetector_save_check.c | 15 +++++++++------
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index a2b7726..9658879 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,7 @@ secDetector在架构上分为四个部分SDK、Service、检测特性集合ca
检测框架core是以一个cases依赖的基础框架提供case的管理和workflow所需的通用的基础功能单元。内核异常信息检测框架会以内核模块ko的形态承载。一个检测特性case可以将自己注册到框架中或者从框架中去注册。框架还可以提供特定的交互接口以满足外部的动态请求。一个workflow被定义为有四类功能单元组成事件发生器、信息采集器、事件分析器、响应单元。
-
+Driver分为两类kerneldriver 和 usrdriver。顾名思义kerneldriver是部署在内核态中的以内核模块的形式承载。usrdriver是部署在用户态中的直接被部署为Service中的一个模块。从逻辑上usrdriver是在Service之下的但是在运行中为了降低通信成本usrdriver被直接集成在Service程序中。
## 安装教程
- kerneldriver
diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
index 101a028..72c4948 100644
--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
+++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
@@ -129,7 +129,8 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
response_arrays[response_array_index] = kmalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
if (response_arrays[response_array_index] == NULL) {
pr_err("kmalloc failed");
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto end;
}
strcpy(response_arrays[response_array_index], "[save_check]");
@@ -155,20 +156,22 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
timestamp_len = get_timestamp_str(&timestamp);
response_data->report_data.type = event_type;
response_data->report_data.len = response_data_char_len + timestamp_len;
- response_data->report_data.text = kmalloc(response_data_char_len + 1, GFP_KERNEL);
+ response_data->report_data.text = kmalloc(response_data->report_data.len + 1, GFP_KERNEL);
if (response_data->report_data.text == NULL) {
pr_err("kmalloc failed");
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto end;
}
if (timestamp_len > 0) {
strncat(response_data->report_data.text, timestamp, timestamp_len);
kfree(timestamp);
}
- for (i = 0; i < response_array_index; i++) {
+ for (i = 0; i < response_array_index; i++)
strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i]));
- kfree(response_arrays[i]);
- }
}
+end:
+ for (i = 0; i < response_array_index; i++)
+ kfree(response_arrays[i]);
kfree(response_arrays);
return ret;
--
2.33.0

64
Backport-fix-memory-leak-in-program_action.patch Normal file
View File

@ -0,0 +1,64 @@
From aaed2290507cac0878c93aa550664875d5875a6b Mon Sep 17 00:00:00 2001
From: hurricane618 <hurricane618@hotmail.com>
Date: Wed, 20 Dec 2023 20:17:33 +0800
Subject: [PATCH] fix memory leak in program_action
1. free path data
2. free pi in error branch
Signed-off-by: hurricane618 <hurricane618@hotmail.com>
---
.../cases/program_action/secDetector_program_action.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
index 1f0749a..f571c08 100644
--- a/kerneldriver/cases/program_action/secDetector_program_action.c
+++ b/kerneldriver/cases/program_action/secDetector_program_action.c
@@ -177,6 +177,9 @@ static struct process_info *get_common_process_info(struct task_struct *tsk, str
if (get_task_root(tsk, &root) == 0) {
pi->root = d_path(&root, pi->rootbuf, PATH_LEN);
}
+
+ path_put(&root);
+
if (IS_ERR_OR_NULL(pi->root)) {
pi->root = "invalid";
}
@@ -184,6 +187,9 @@ static struct process_info *get_common_process_info(struct task_struct *tsk, str
if (get_task_cwd(tsk, &cwd) == 0) {
pi->cwd = d_path(&cwd, pi->cwdbuf, PATH_LEN);
}
+
+ path_put(&cwd);
+
if (IS_ERR_OR_NULL(pi->cwd)) {
pi->cwd = "invalid";
}
@@ -258,6 +264,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
#endif
if (!attach_task) {
pr_err("ptrace_attach input task_struct error or arch don't support\n");
+ put_common_process_info(pi);
return 0;
}
@@ -269,6 +276,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
if (!log.report_data.text) {
pr_err("log.report_data.text kzalloc failed!\n");
kfree(timestamp);
+ put_common_process_info(pi);
return 0;
}
snprintf(log.report_data.text, BUF_SIZE,
@@ -304,6 +312,7 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
if (!log.report_data.text) {
pr_err("log.report_data.text kzalloc failed!\n");
kfree(timestamp);
+ put_common_process_info(pi);
return 0;
}
snprintf(log.report_data.text, BUF_SIZE,
--
2.33.0

26
Backport-fix-printf-error-in-main.cpp.patch Normal file
View File

@ -0,0 +1,26 @@
From ac917ecc5abc25a69821ab6a9be323ed1dd39172 Mon Sep 17 00:00:00 2001
From: lihengwei <lihengwei@uniontech.com>
Date: Tue, 21 Nov 2023 14:57:34 +0800
Subject: [PATCH 1/4] fix printf error in main.cpp
Signed-off-by: lihengwei <lihengwei@uniontech.com>
---
observer_agent/service/main.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/observer_agent/service/main.cpp b/observer_agent/service/main.cpp
index f177645..bd01690 100644
--- a/observer_agent/service/main.cpp
+++ b/observer_agent/service/main.cpp
@@ -164,7 +164,7 @@ int main(int argc, char *argv[])
r = daemon(0, 0);
if (r == -1)
{
- printf("daemon failed, r:%d\n");
+ printf("daemon failed, r:%d\n", r);
exit(EXIT_FAILURE);
}
}
--
2.33.0

40
Backport-fix-register-kpobe-mutiple-times.patch Normal file
View File

@ -0,0 +1,40 @@
From 7db0bbb70c7b4148eafa9d44b8b04c80e6b7e78e Mon Sep 17 00:00:00 2001
From: zcfsite <zhchf2010@126.com>
Date: Sat, 25 Nov 2023 17:58:26 +0800
Subject: [PATCH 4/4] fix register kpobe mutiple times
---
kerneldriver/core/hook_unit/secDetector_hook_kprobe.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kerneldriver/core/hook_unit/secDetector_hook_kprobe.c b/kerneldriver/core/hook_unit/secDetector_hook_kprobe.c
index fb6de05..5acce03 100644
--- a/kerneldriver/core/hook_unit/secDetector_hook_kprobe.c
+++ b/kerneldriver/core/hook_unit/secDetector_hook_kprobe.c
@@ -77,6 +77,8 @@ int insert_kprobe_hook(struct secDetector_workflow *workflow)
int delete_kprobe_hook(struct secDetector_workflow *workflow)
{
struct kprobe *kp = NULL;
+ const char *tmp_sym = NULL;
+ kprobe_pre_handler_t tmp_handler;
if (workflow == NULL)
return -1;
@@ -94,7 +96,14 @@ int delete_kprobe_hook(struct secDetector_workflow *workflow)
if (!kp)
return -1;
+ tmp_sym = kp->symbol_name;
+ tmp_handler = kp->pre_handler;
+
unregister_kprobe(kp);
+ //register mutiple times
+ memset(kp, 0, sizeof(struct kprobe));
+ kp->symbol_name = tmp_sym;
+ kp->pre_handler = tmp_handler;
}
return 0;
--
2.33.0

41
Backport-fix-report-api-function.patch Normal file
View File

@ -0,0 +1,41 @@
From d9313a0248bcff9d5655d070ada674972d0c6ff8 Mon Sep 17 00:00:00 2001
From: hurricane618 <hurricane618@hotmail.com>
Date: Sun, 19 Nov 2023 14:21:12 +0800
Subject: [PATCH] fix report api function and memory leak
1. proc_report function change to report
2. free pi struct
Signed-off-by: hurricane618 <hurricane618@hotmail.com>
---
.../cases/program_action/secDetector_program_action.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
index 4421e43..4f8a555 100644
--- a/kerneldriver/cases/program_action/secDetector_program_action.c
+++ b/kerneldriver/cases/program_action/secDetector_program_action.c
@@ -307,8 +307,9 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
timestamp, pi->uid, pi->exe, pi->pid, pi->comm, pi->tgid, pi->ppid, pi->pcomm, pi->pgid, pi->sid, pi->nodename, pi->pns, pi->root_pns,
"ptrace_attach", attach_task->pid, current->pid, request, addr, flags);
- secDetector_proc_report(&log);
+ secDetector_report(&log);
kfree(log.report_data.text);
+ put_common_process_info(pi);
return 0;
}
@@ -335,8 +336,9 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
timestamp, pi->uid, pi->exe, pi->pid, pi->comm, pi->tgid, pi->ppid, pi->pcomm, pi->pgid, pi->sid, pi->nodename, pi->pns, pi->root_pns,
"");
- secDetector_proc_report(&log);
+ secDetector_report(&log);
kfree(log.report_data.text);
+ put_common_process_info(pi);
return 0;
}
--
2.33.0

85
Backport-fix-system-crash-caused-by-registration-exception.patch Normal file
View File

@ -0,0 +1,85 @@
From 4b28444ed29d730de3b2e145dbd43d9d508deb41 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Thu, 23 Nov 2023 14:40:02 +0800
Subject: fix system crash caused by registration exception
---
.../core/analyze_unit/secDetector_analyze.c | 1 +
kerneldriver/core/secDetector_manager.c | 17 +++++++++++++----
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/kerneldriver/core/analyze_unit/secDetector_analyze.c b/kerneldriver/core/analyze_unit/secDetector_analyze.c
index 688a5e0..226e245 100644
--- a/kerneldriver/core/analyze_unit/secDetector_analyze.c
+++ b/kerneldriver/core/analyze_unit/secDetector_analyze.c
@@ -17,6 +17,7 @@ analyze_func_t analyze_units[NR_ANALYZE] = {
[ANALYZE_PRESET_SAVE_CHECK] = analyze_save_check,
};
+// 不使用analyze_status_data的时候data_type 为0因此free_analyze_status_data不处理对应的 ANALYZE_STATUS。
void free_analyze_status_data(analyze_status_t *analyze_status_data)
{
switch (analyze_status_data->data.data_type) {
diff --git a/kerneldriver/core/secDetector_manager.c b/kerneldriver/core/secDetector_manager.c
index 9304877..4c88386 100644
--- a/kerneldriver/core/secDetector_manager.c
+++ b/kerneldriver/core/secDetector_manager.c
@@ -35,12 +35,14 @@ void secDetector_module_unregister(struct secDetector_module *module)
mutex_lock(&g_hook_list_array_mutex);
ret_id = idr_remove(&g_module_idr, (unsigned long)module->id);
if (ret_id == NULL) {
+ pr_err("[secDetector] remove module id failed\n");
goto error;
}
for (i = 0, wf = module->workflow_array; i < module->workflow_array_len;
i++, wf++) {
if (wf == NULL) {
+ pr_err("[secDetector] invalid workflow\n");
goto error;
}
ret = delete_callback(wf);
@@ -48,15 +50,20 @@ void secDetector_module_unregister(struct secDetector_module *module)
pr_err("[secDetector] delete callback failed, return %d\n", ret);
goto error;
}
- // workflow在被卸载的时候需要释放analyze status等申请的内存,特别是使用默认的response list。
- free_analyze_status_data(&wf->analyze_status);
- if (wf->response_array_len == 0) {
+ if (wf->workflow_type == WORKFLOW_PRESET) {
+ // workflow在被卸载的时候需要释放analyze status等申请的内存,特别是使用默认的response list。
+ free_analyze_status_data(&wf->analyze_status);
+ if (wf->response_array_len == 0) {
kfree(wf->response_array);
+ }
}
}
error:
- list_del_rcu(&module->list);
+ //secDetector_module_unregister 的执行流可能来源于 失败的register因此module此时还未被list_add_rcu
+ if ((module->list.next != NULL) && (module->list.prev != NULL) &&
+ ((module->list.next != &module->list) || (module->list.prev != &module->list)))
+ list_del_rcu(&module->list);
synchronize_rcu();
mutex_unlock(&g_hook_list_array_mutex);
@@ -125,6 +132,7 @@ int secDetector_module_register(struct secDetector_module *module)
for (i = 0, wf = module->workflow_array; i < module->workflow_array_len;
i++, wf++) {
if (wf == NULL) {
+ pr_err("[secDetector] invalid workflow\n");
ret = -EINVAL;
goto error;
}
@@ -148,6 +156,7 @@ int secDetector_module_register(struct secDetector_module *module)
param->proc_ops, param->data);
if (!param->entry) {
pr_err("[secDetector] create proc failed\n");
+ ret = -EINVAL;
goto error;
}
}
--
2.33.0

65
Backport-fix-the-memory-leak-in-collect-unit.patch Normal file
View File

@ -0,0 +1,65 @@
From fb0b9eeccc697b2b8935ed5a643ef30efaad19f7 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Mon, 18 Dec 2023 09:28:15 +0800
Subject: [PATCH] fix the memory leak in collect unit
---
.../core/analyze_unit/secDetector_save_check.c | 13 +++++++------
.../core/collect_unit/secDetector_collect.c | 1 +
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
index 0ab40ce..4a5f689 100644
--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
+++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
@@ -124,7 +124,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
break;
}
if (measure_value != analyze_status_data->sc_data.data[data_index]) {
- pr_debug("[save_check]%s: original: %lld; now: %lld.!\n",
+ pr_warn("[save_check]%s: original: %llu; now: %llu.!\n",
cd->name, analyze_status_data->sc_data.data[data_index], measure_value);
response_arrays[response_array_index] = kzalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
if (response_arrays[response_array_index] == NULL) {
@@ -136,13 +136,13 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
strcpy(response_arrays[response_array_index], " secswitch_name=");
//应该有 workflow的名字
strncat(response_arrays[response_array_index], cd->name, strlen(cd->name));
- strcat(response_arrays[response_array_index]," old_value=");
- sprintf(int_str, "%lld", analyze_status_data->sc_data.data[data_index]);
+ strcat(response_arrays[response_array_index], " old_value=");
+ sprintf(int_str, "%llu", analyze_status_data->sc_data.data[data_index]);
strncat(response_arrays[response_array_index], int_str, strlen(int_str));
- strcat(response_arrays[response_array_index]," new_value=");
- sprintf(int_str, "%lld", measure_value);
+ strcat(response_arrays[response_array_index], " new_value=");
+ sprintf(int_str, "%llu", measure_value);
strncat(response_arrays[response_array_index], int_str, strlen(int_str));
- strcat(response_arrays[response_array_index],".\n");
+ strcat(response_arrays[response_array_index], ".");
response_data_char_len += strlen(response_arrays[response_array_index]);
ret = RESPONSE_REPORT;
@@ -168,6 +168,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
}
for (i = 0; i < response_array_index; i++)
strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i]));
+ strcat(response_data->report_data.text, "\n");
}
end:
for (i = 0; i < response_array_index; i++)
diff --git a/kerneldriver/core/collect_unit/secDetector_collect.c b/kerneldriver/core/collect_unit/secDetector_collect.c
index c04dd33..2240577 100644
--- a/kerneldriver/core/collect_unit/secDetector_collect.c
+++ b/kerneldriver/core/collect_unit/secDetector_collect.c
@@ -32,6 +32,7 @@ struct collect_data *init_collect_data(const char *name)
cd->name = kmalloc(nl + 1, GFP_KERNEL);
if (cd->name == NULL) {
pr_err("kmalloc failed");
+ kfree(cd);
return NULL;
}
strncpy(cd->name, name, nl);
--
2.33.0

35
Backport-fix-timestamp-memleak.patch Normal file
View File

@ -0,0 +1,35 @@
From 859b4a40626e870f83dda00e2e3ba40bf0558224 Mon Sep 17 00:00:00 2001
From: hurricane618 <hurricane618@hotmail.com>
Date: Thu, 30 Nov 2023 11:31:24 +0800
Subject: [PATCH 2/6] fix timestamp memleak
timestamp need to free in error process
Signed-off-by: hurricane618 <hurricane618@hotmail.com>
---
kerneldriver/cases/program_action/secDetector_program_action.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
index 504a36d..1f0749a 100644
--- a/kerneldriver/cases/program_action/secDetector_program_action.c
+++ b/kerneldriver/cases/program_action/secDetector_program_action.c
@@ -268,6 +268,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
log.report_data.text = kzalloc(BUF_SIZE, GFP_ATOMIC);
if (!log.report_data.text) {
pr_err("log.report_data.text kzalloc failed!\n");
+ kfree(timestamp);
return 0;
}
snprintf(log.report_data.text, BUF_SIZE,
@@ -302,6 +303,7 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
log.report_data.text = kzalloc(BUF_SIZE, GFP_ATOMIC);
if (!log.report_data.text) {
pr_err("log.report_data.text kzalloc failed!\n");
+ kfree(timestamp);
return 0;
}
snprintf(log.report_data.text, BUF_SIZE,
--
2.33.0

265
Backport-grpc-fix-coredump-in-Publish.patch Normal file
View File

@ -0,0 +1,265 @@
From 8dd0f6984ef002e30f3d7aa133a1a439fc5d0f95 Mon Sep 17 00:00:00 2001
From: chenjingwen <lhchenjw@gmail.com>
Date: Thu, 14 Dec 2023 21:55:10 +0800
Subject: [PATCH] grpc: fix coredump in Publish
fix coredump in Publish
Signed-off-by: chenjingwen <lhchenjw@gmail.com>
---
observer_agent/grpc_comm/server.cpp | 165 +++++++++++-----------------
1 file changed, 62 insertions(+), 103 deletions(-)
diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
index 938d09c..b858853 100644
--- a/observer_agent/grpc_comm/server.cpp
+++ b/observer_agent/grpc_comm/server.cpp
@@ -33,16 +33,21 @@ using grpc::ServerWriter;
static bool killed = false;
+class Subscribers {
+public:
+ int topic;
+ ServerWriter<Message> *writer;
+
+ Subscribers(int t, ServerWriter<Message> *w) : topic(t), writer(w) {}
+ Subscribers() : topic(0), writer(nullptr) {}
+};
+
class PubSubServiceImpl final : public SubManager::Service
{
public:
void CloseAllConnection(void)
{
- std::lock_guard<std::mutex> lk(wait_mutex);
-
- for (int i = 0; i < MAX_CONNECTION; i++) {
- connect_status[i] = false;
- }
+ std::lock_guard<std::mutex> lk(wait_mutex);
killed = true;
cv.notify_all();
@@ -55,50 +60,21 @@ class PubSubServiceImpl final : public SubManager::Service
std::string cli_name = request->sub_name();
Message msg;
Message keepalive_msg;
- int i = 0, tmp_index;
+ sub_mutex.lock();
if (connection_num >= MAX_CONNECTION) {
msg.set_text("over max connection number!");
- if (!writer->Write(msg))
- {
- std::cerr << "Failed to write the initial message" << std::endl;
- return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
- }
- return grpc::Status(grpc::StatusCode::INTERNAL, "over max connection number, Failed to Subscribe the topic");
- }
-
- for (auto iter = suber_topic_[cli_name].begin(); iter != suber_topic_[cli_name].end(); iter++)
- {
- if ((*iter & cli_topic) != 0)
- {
- msg.set_text("this client name already subscribe the topic");
- if (!writer->Write(msg))
- {
- std::cerr << "Failed to write the initial message" << std::endl;
- return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
- }
- return grpc::Status(grpc::StatusCode::INTERNAL, "this client name already subscribe the topic");
- }
- }
-
- sub_mutex.lock();
-
- for (tmp_index = 0; tmp_index < MAX_CONNECTION; tmp_index++)
- {
- if (!connect_status[tmp_index])
- break;
+ writer->Write(msg);
+ sub_mutex.unlock();
+ return grpc::Status(grpc::StatusCode::INTERNAL, "over max connection number");
}
- if (tmp_index == MAX_CONNECTION)
- {
+ auto iter = suber_topic_.find(cli_name);
+ if (iter != suber_topic_.end()) {
+ msg.set_text("this client name already subscribe the topic");
+ writer->Write(msg);
sub_mutex.unlock();
- msg.set_text("multi-process max connection number!");
- if (!writer->Write(msg))
- {
- std::cerr << "Failed to write the initial message" << std::endl;
- return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
- }
- return grpc::Status(grpc::StatusCode::INTERNAL, "multi-process max connection number, Failed to Subscribe the topic");
+ return grpc::Status(grpc::StatusCode::INTERNAL, "this client name already subscribe the topic");
}
msg.set_text("topic: " + std::to_string(cli_topic) + " Subscribe success!");
@@ -109,65 +85,50 @@ class PubSubServiceImpl final : public SubManager::Service
return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
}
- suber_topic_[cli_name].push_back(cli_topic);
- suber_writer_[cli_name].push_back(writer);
- suber_connection_[cli_name].push_back(tmp_index);
- connect_status[tmp_index] = true;
+ std::cout << "Subscribe " << cli_name << " ok" << std::endl;
+ suber_topic_[cli_name] = Subscribers(cli_topic, writer);
connection_num++;
-
sub_mutex.unlock();
- keepalive_msg.set_text("keepalive");
- while (connect_status[tmp_index])
+ /* loop until connot write */
+ while (!killed)
{
- if (!writer->Write(keepalive_msg))
- {
- for (auto topic_item : suber_topic_[cli_name])
- {
- if (topic_item == cli_topic)
- {
- sub_mutex.lock();
- suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
- suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
- connect_status[suber_connection_[cli_name].at(i)] = false;
- suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
- connection_num--;
- sub_mutex.unlock();
- break;
- }
- i++;
- }
+ sub_mutex.lock();
+ if (suber_topic_.count(cli_name) == 0) {
+ sub_mutex.unlock();
+ return grpc::Status::OK;
+ }
+
+ keepalive_msg.set_text("keepalive");
+ if (!writer->Write(keepalive_msg)) {
+ DeleteSubscriberByCliName(cli_name);
+ sub_mutex.unlock();
return grpc::Status(grpc::StatusCode::INTERNAL, "writer is lose!");
}
+ sub_mutex.unlock();
WaitKeeplive();
}
+
+ std::cout << cli_name << " is dead" << std::endl;
return grpc::Status::OK;
}
grpc::Status Publish(ServerContext *context, const PublishRequest *request, Message *response) override
{
+ std::lock_guard<std::mutex> lock(sub_mutex);
int cli_topic = request->topic();
std::string cli_data = request->data();
- int i = 0;
Message msg;
msg.set_text(cli_data);
for (auto iter = suber_topic_.begin(); iter != suber_topic_.end(); iter++)
{
- i = 0;
- for (auto topic_item : iter->second)
- {
- if ((topic_item & cli_topic) != 0)
- {
- auto &subscriber = suber_writer_[iter->first][i];
- if (!subscriber->Write(msg))
- {
- std::cerr << "Failed to write to a subscriber" << std::endl;
- return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
- }
- break;
+ Subscribers subscriber = iter->second;
+ if ((subscriber.topic & cli_topic) != 0) {
+ if (!subscriber.writer->Write(msg)) {
+ std::cerr << "Failed to write to a subscriber: " << iter->first << std::endl;
+ return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
}
- i++;
}
}
@@ -177,8 +138,7 @@ class PubSubServiceImpl final : public SubManager::Service
grpc::Status UnSubscribe(ServerContext *context, const UnSubscribeRequest *request, Message *response) override
{
std::string cli_name = request->sub_name();
- int i = 0;
- int unsub_flag = 0;
+ std::lock_guard<std::mutex> lock(sub_mutex);
if (connection_num <= 0) {
response->set_text("connection_num <= 0, don't UnSubscribe!");
@@ -186,20 +146,7 @@ class PubSubServiceImpl final : public SubManager::Service
return grpc::Status(grpc::StatusCode::INTERNAL, "connection_num <= 0, Failed to UnSubscribe topic!");
}
- std::lock_guard<std::mutex> lock(sub_mutex);
-
- std::unordered_map<std::string, std::vector<int>>::iterator iter = suber_topic_.find(cli_name);
- if (iter != suber_topic_.end())
- {
- suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
- suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
- connect_status[suber_connection_[cli_name].at(i)] = false;
- suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
- connection_num--;
- unsub_flag = 1;
- }
-
- if (!unsub_flag)
+ if (!DeleteSubscriberByCliName(cli_name))
{
response->set_text("don't exist the reader");
return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to UnSubscribe reader!");
@@ -209,19 +156,31 @@ class PubSubServiceImpl final : public SubManager::Service
}
private:
- std::unordered_map<std::string, std::vector<int>> suber_topic_;
- std::unordered_map<std::string, std::vector<ServerWriter<Message> *>> suber_writer_;
- std::unordered_map<std::string, std::vector<int>> suber_connection_;
+ std::unordered_map<std::string, Subscribers> suber_topic_;
std::mutex sub_mutex;
std::mutex wait_mutex;
std::condition_variable cv;
int connection_num = 0;
- bool connect_status[MAX_CONNECTION] = {false};
void WaitKeeplive(void)
{
- std::unique_lock<std::mutex> lk(wait_mutex);
- cv.wait_for(lk, std::chrono::seconds(CHECK_TIME), []{ return killed; });
+ std::unique_lock<std::mutex> lk(wait_mutex);
+ cv.wait_for(lk, std::chrono::seconds(CHECK_TIME), []{ return killed; });
+ }
+
+ /* Must called with sub_mutex */
+ bool DeleteSubscriberByCliName(std::string &cli_name)
+ {
+ bool exist = false;
+ std::cout << "UnSubscribe " << cli_name << " ok" << std::endl;
+
+ auto it = suber_topic_.find(cli_name);
+ if (it != suber_topic_.end()) {
+ suber_topic_.erase(it);
+ connection_num--;
+ exist = true;
+ }
+ return exist;
}
};
--
2.33.0

120
Backport-lib-modify-for-unsub.patch Normal file
View File

@ -0,0 +1,120 @@
From d9a4c1cf011ab3d26b88229b5072ebbf6017893a Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Fri, 1 Dec 2023 17:36:11 +0800
Subject: [PATCH 4/6] lib modify for unsub
---
examples/python/client.py | 10 ++++++----
lib/secDetector_sdk.cpp | 19 +++++++++++++------
observer_agent/grpc_comm/server.cpp | 2 +-
3 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/examples/python/client.py b/examples/python/client.py
index d6dd7aa..312384d 100644
--- a/examples/python/client.py
+++ b/examples/python/client.py
@@ -36,9 +36,11 @@ secDetectorsdklib.secUnsub.restype = None
secDetectorsdklib.secReadFrom.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int]
secDetectorsdklib.secReadFrom.restype = None
+g_read_flag = True
def thread_func_sub_and_read(num=0):
global g_cli_reader
+ global g_read_flag
cli_reader = secDetectorsdklib.secSub(1)
g_cli_reader_lock.acquire()
@@ -50,10 +52,7 @@ def thread_func_sub_and_read(num=0):
secDetectorsdklib.secReadFrom(cli_reader, data, data_len)
print("client read data:{}".format(data.value.decode()))
- while True:
- if data.value.decode() == 'end':
- print("client received end")
- break
+ while g_read_flag:
time.sleep(3)
secDetectorsdklib.secReadFrom(cli_reader, data, data_len)
print("client while read data:{}".format(data.value.decode()))
@@ -62,8 +61,11 @@ def thread_func_sub_and_read(num=0):
def thread_func_unsub(num=0):
global g_cli_reader
+ global g_read_flag
+
g_cli_reader_lock.acquire()
try:
+ g_read_flag = False
secDetectorsdklib.secUnsub(1, g_cli_reader)
finally:
g_cli_reader_lock.release()
diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
index ee76079..847dd2f 100644
--- a/lib/secDetector_sdk.cpp
+++ b/lib/secDetector_sdk.cpp
@@ -55,14 +55,14 @@ void secUnsub(const int topic, void *reader)
}
if (!reader)
- return;
+ return;
- g_client.Publish(topic, "end");
g_client.UnSubscribe(topic);
Readmap::iterator iter = g_reader_map.find(reader);
if (iter != g_reader_map.end()) {
g_reader_map.erase(iter);
+ reader = NULL;
}
}
@@ -70,13 +70,20 @@ void secReadFrom(void *reader, char *data, int data_len)
{
string msg("");
- if (!reader || !data || data_len <= 1)
- return;
+ if (!data || data_len <= 1)
+ return
+
+ memset(data, 0, data_len);
+
+ if (!reader)
+ return;
Readmap::iterator iter = g_reader_map.find(reader);
- if (iter != g_reader_map.end()) {
+ if (iter != g_reader_map.end()) {
msg = g_client.ReadFrom(iter->second);
- }
+ if (msg == "keepalive")
+ return;
+ }
strncpy(data, msg.c_str(), data_len - 1);
}
diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
index 54ae66f..3340dfa 100644
--- a/observer_agent/grpc_comm/server.cpp
+++ b/observer_agent/grpc_comm/server.cpp
@@ -104,7 +104,6 @@ class PubSubServiceImpl final : public SubManager::Service
keepalive_msg.set_text("keepalive");
while (connect_status[tmp_index])
{
- sleep(CHECK_TIME);
if (!writer->Write(keepalive_msg))
{
for (auto topic_item : suber_topic_[cli_name])
@@ -124,6 +123,7 @@ class PubSubServiceImpl final : public SubManager::Service
}
return grpc::Status(grpc::StatusCode::INTERNAL, "writer is lose!");
}
+ sleep(CHECK_TIME);
}
return grpc::Status::OK;
}
--
2.33.0

224
Backport-modify-for-code-review.patch Normal file
View File

@ -0,0 +1,224 @@
From ea375b56fb92a954fcf16901773b3b8442128a5c Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Wed, 13 Dec 2023 15:34:53 +0800
Subject: [PATCH 2/4] modify for code review
---
.../cases/file_block/secDetector_file_block.c | 16 ++++++++--------
.../secDetector_kmodule_baseline.c | 5 ++++-
.../secDetector_mc_kmodule_baseline.c | 4 ++--
.../cases/task_block/secDetector_task_block.c | 16 ++++++++--------
.../core/analyze_unit/secDetector_analyze.c | 4 ++--
kerneldriver/core/secDetector_manager.c | 4 +++-
lib/secDetector_sdk.cpp | 6 +++---
7 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/kerneldriver/cases/file_block/secDetector_file_block.c b/kerneldriver/cases/file_block/secDetector_file_block.c
index 7e0963d..b4972ee 100644
--- a/kerneldriver/cases/file_block/secDetector_file_block.c
+++ b/kerneldriver/cases/file_block/secDetector_file_block.c
@@ -35,7 +35,7 @@ static int file_write_check(struct secDetector_workflow *wf, struct file *file)
char *pathname = NULL;
response_data_t log;
bool matched = false;
- struct file_block_rules_item *item;
+ struct file_block_rules_item *item = NULL;
int ret = 0;
buf = kzalloc(BUF_SIZE, GFP_ATOMIC);
@@ -87,7 +87,7 @@ static struct secDetector_workflow workflow_array[] = {
static int proc_show(struct seq_file *m, void *v)
{
- struct file_block_rules_item *item;
+ struct file_block_rules_item *item = NULL;
mutex_lock(&rules_mutex);
list_for_each_entry (item, &file_block_rule_list, list) {
@@ -104,8 +104,8 @@ static int proc_open(struct inode *inode, struct file *file)
static void clear_file_rule_list(void)
{
- struct file_block_rules_item *item;
- struct file_block_rules_item *tmp;
+ struct file_block_rules_item *item = NULL;
+ struct file_block_rules_item *tmp = NULL;
mutex_lock(&rules_mutex);
list_for_each_entry_safe (item, tmp, &file_block_rule_list, list) {
@@ -121,10 +121,10 @@ static void clear_file_rule_list(void)
static ssize_t proc_write(struct file *file, const char __user *buffer,
size_t len, loff_t *offset)
{
- char *data;
- char *str;
- char *rule;
- struct file_block_rules_item *item;
+ char *data = NULL;
+ char *str = NULL;
+ char *rule = NULL;
+ struct file_block_rules_item *item = NULL;
ssize_t r = -EINVAL;
data = memdup_user_nul(buffer, len);
diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c
index 85411c0..4f59c14 100644
--- a/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c
+++ b/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c
@@ -17,7 +17,10 @@ DEFINE_MUTEX(case_kmodule_mutex);
static void check_watching_kmodule(void)
{
- mutex_lock(&case_kmodule_mutex);
+ if (mutex_trylock(&case_kmodule_mutex) == 0) {
+ pr_warn("[secDetector case kmodule baseline] check cann't getlock, ret\n");
+ return;
+ }
check_kmodule_baseline();
mutex_unlock(&case_kmodule_mutex);
}
diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
index cff1ff5..9a051ca 100644
--- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
@@ -43,7 +43,7 @@ static int add_kmodule_baseline_name(const char *name)
return -1;
}
- name_len = strlen(name) < NAME_LEN ? strlen(name) : NAME_LEN;
+ name_len = strlen(name) < NAME_LEN ? strlen(name) : NAME_LEN - 1;
memcpy(module->module_name, name, name_len);
list_add(&module->list, &chkrkatt_module_list);
return 0;
@@ -86,7 +86,7 @@ static void report_kmodule_baseline(void)
list_for_each_entry_safe(get_module_name, get_module_name_next, &chkrkatt_module_list, list) {
if (get_module_name != NULL && get_module_name_next != NULL) {
/* 2: ', ' */
- if(sizeof(module_name_all) + sizeof(get_module_name->module_name) < NAME_LEN - 2 - header_msg_len) {
+ if(strlen(module_name_all) + strlen(get_module_name->module_name) < NAME_LEN - 2 - header_msg_len) {
strcat(module_name_all, get_module_name->module_name);
strcat(module_name_all, strtmp);
}
diff --git a/kerneldriver/cases/task_block/secDetector_task_block.c b/kerneldriver/cases/task_block/secDetector_task_block.c
index 94859e4..a46c5f5 100644
--- a/kerneldriver/cases/task_block/secDetector_task_block.c
+++ b/kerneldriver/cases/task_block/secDetector_task_block.c
@@ -37,7 +37,7 @@ static int task_bprm_check(struct secDetector_workflow *wf,
char *pathname = NULL;
response_data_t log;
bool matched = false;
- struct task_block_rules_item *item;
+ struct task_block_rules_item *item = NULL;
int ret = 0;
buf = kzalloc(BUF_SIZE, GFP_ATOMIC);
@@ -88,7 +88,7 @@ static struct secDetector_workflow workflow_array[] = {
static int proc_show(struct seq_file *m, void *v)
{
- struct task_block_rules_item *item;
+ struct task_block_rules_item *item = NULL;
mutex_lock(&rules_mutex);
list_for_each_entry (item, &task_block_rule_list, list) {
@@ -105,8 +105,8 @@ static int proc_open(struct inode *inode, struct file *file)
static void clear_task_rule_list(void)
{
- struct task_block_rules_item *item;
- struct task_block_rules_item *tmp;
+ struct task_block_rules_item *item = NULL;
+ struct task_block_rules_item *tmp = NULL;
mutex_lock(&rules_mutex);
list_for_each_entry_safe (item, tmp, &task_block_rule_list, list) {
@@ -122,10 +122,10 @@ static void clear_task_rule_list(void)
static ssize_t proc_write(struct file *file, const char __user *buffer,
size_t len, loff_t *offset)
{
- char *data;
- char *str;
- char *rule;
- struct task_block_rules_item *item;
+ char *data = NULL;
+ char *str = NULL;
+ char *rule = NULL;
+ struct task_block_rules_item *item = NULL;
ssize_t r = -EINVAL;
data = memdup_user_nul(buffer, len);
diff --git a/kerneldriver/core/analyze_unit/secDetector_analyze.c b/kerneldriver/core/analyze_unit/secDetector_analyze.c
index 226e245..f345412 100644
--- a/kerneldriver/core/analyze_unit/secDetector_analyze.c
+++ b/kerneldriver/core/analyze_unit/secDetector_analyze.c
@@ -33,7 +33,7 @@ int get_timestamp_str(char **ret_str)
{
struct timespec64 ts;
struct tm stm;
- char *stm_str;
+ char *stm_str = NULL;
int stm_str_len = 0;
ktime_get_real_ts64(&ts);
@@ -65,4 +65,4 @@ int get_timestamp_str(char **ret_str)
kfree(stm_str);
return stm_str_len;
}
-EXPORT_SYMBOL_GPL(get_timestamp_str);
\ No newline at end of file
+EXPORT_SYMBOL_GPL(get_timestamp_str);
diff --git a/kerneldriver/core/secDetector_manager.c b/kerneldriver/core/secDetector_manager.c
index 4c88386..07b45d8 100644
--- a/kerneldriver/core/secDetector_manager.c
+++ b/kerneldriver/core/secDetector_manager.c
@@ -115,13 +115,15 @@ int secDetector_module_register(struct secDetector_module *module)
int i;
int module_id;
unsigned int callback_id = 0;
- struct secDetector_parameter *param = module->parameter;
+ struct secDetector_parameter *param = NULL;
if (module == NULL) {
pr_err("[secDetector] register module is null\n");
return -EINVAL;
}
+ param = module->parameter;
+
module_id = idr_alloc(&g_module_idr, module, 0, INT_MAX, GFP_KERNEL);
if (module_id < 0) {
pr_err("[secDetector] alloc module id failed\n");
diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
index 6b00953..a431377 100644
--- a/lib/secDetector_sdk.cpp
+++ b/lib/secDetector_sdk.cpp
@@ -34,7 +34,7 @@ extern "C" {
void *secSub(const int topic)
{
- PubSubClient *cur_client;
+ PubSubClient *cur_client = nullptr;
if (topic <= 0 || topic > ALLTOPIC) {
printf("lib secSub failed, topic:%d is error\n", topic);
return NULL;
@@ -64,7 +64,7 @@ void *secSub(const int topic)
void secUnsub(void *reader)
{
- PubSubClient *cur_client;
+ PubSubClient *cur_client = nullptr;
if (!reader)
return;
@@ -84,7 +84,7 @@ void secUnsub(void *reader)
void secReadFrom(void *reader, char *data, int data_len)
{
string msg("");
- PubSubClient *cur_client;
+ PubSubClient *cur_client = nullptr;
if (!data || data_len <= 1)
return
--
2.33.0

49
Backport-modify-for-getting-common-info-in-createfile.patch Normal file
View File

@ -0,0 +1,49 @@
From 7eadc69ff955e57de06b2d9be1ad8d74f3189047 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Wed, 29 Nov 2023 18:35:53 +0800
Subject: modify for getting common info in createfile
---
.../ebpf/file_ebpf/file_fentry.bpf.c | 26 ++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
index 0b3d3ad..7afb7e2 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
@@ -117,7 +117,31 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
return 0;
e->type = CREATFILE;
- get_common_info(e);
+
+ struct task_struct *parent = NULL;
+ struct task_struct *task = NULL;
+
+ e->timestamp = bpf_ktime_get_ns();
+ e->pid = bpf_get_current_pid_tgid() >> 32;
+ e->pgid = e->tgid = bpf_get_current_pid_tgid() >> 32;
+ e->uid = bpf_get_current_uid_gid();
+ e->gid = bpf_get_current_uid_gid() >> 32;
+ bpf_get_current_comm(&e->comm, sizeof(e->comm));
+ /*
+ * exe path is diffcult to get in ebpf, we can get it from userspace
+ */
+ bpf_get_current_comm(&e->exe, sizeof(e->exe));
+
+ task = (struct task_struct *)bpf_get_current_task();
+ parent = (struct task_struct *)BPF_CORE_READ(task, real_parent);
+
+ e->ppid = BPF_CORE_READ(parent, pid);
+ e->sid = get_task_sid(task);
+ e->pns = BPF_CORE_READ(pid_ns(task), ns.inum);
+ e->root_pns = BPF_CORE_READ(pid_ns(find_init_task()), ns.inum);
+ BPF_CORE_READ_INTO(&e->pcomm, parent, real_parent, comm);
+ BPF_CORE_READ_INTO(&e->nodename, task, nsproxy, uts_ns, name.nodename);
+ //get_common_info(e);
__builtin_memcpy(e->event_name, "createfile", sizeof("createfile"));
bpf_probe_read(e->file_info.filename, MAX_TEXT_SIZE, pathname->name);
bpf_ringbuf_submit(e, 0);
--
2.33.0

178
Backport-modify-for-multiple-sub-in-the-same-process.patch Normal file
View File

@ -0,0 +1,178 @@
From 511ad1d3ce2c9e44621c9b508b3e44d3d5098f0e Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Mon, 4 Dec 2023 15:31:22 +0800
Subject: [PATCH 6/6] modify for multiple sub in the same process
---
lib/secDetector_sdk.cpp | 54 +++++++++++++++++++++--------
observer_agent/grpc_comm/client.cpp | 12 +++++++
observer_agent/grpc_comm/grpc_api.h | 2 ++
3 files changed, 53 insertions(+), 15 deletions(-)
diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
index 847dd2f..6f47f41 100644
--- a/lib/secDetector_sdk.cpp
+++ b/lib/secDetector_sdk.cpp
@@ -16,15 +16,17 @@
#include <string>
#include <iostream>
+#include <list>
+#include <mutex>
#include "../observer_agent/grpc_comm/grpc_api.h"
#define ALLTOPIC 0x00FFFFFF
using namespace std;
static string server_address("unix:///var/run/secDetector.sock");
-static PubSubClient g_client(grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials()));
-using Readmap = map<void *, unique_ptr<ClientReader<Message>>>;
+using Readmap = map<void *, std::pair<unique_ptr<ClientReader<Message>>, PubSubClient *>>;
static Readmap g_reader_map;
+static mutex g_connect_mtx;
#ifdef __cplusplus
extern "C" {
@@ -32,60 +34,82 @@ extern "C" {
void *secSub(const int topic)
{
+ PubSubClient *cur_client;
if (topic <= 0 || topic > ALLTOPIC) {
- printf("secSub failed, topic:%d is error\n", topic);
+ printf("lib secSub failed, topic:%d is error\n", topic);
return NULL;
}
+ g_connect_mtx.lock();
+ std::shared_ptr<Channel> channel = grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials());
+ cur_client = new(PubSubClient);
+ if (cur_client == nullptr) {
+ g_connect_mtx.unlock();
+ return NULL;
+ }
+ cur_client->init(channel);
+ unique_ptr<ClientReader<Message>> reader = cur_client->Subscribe(topic);
- unique_ptr<ClientReader<Message>> reader = g_client.Subscribe(topic);
-
- if (!reader)
+ if (!reader) {
+ printf("lib secSub failed, get reader null\n");
+ delete cur_client;
+ g_connect_mtx.unlock();
return NULL;
+ }
void * ret_reader = static_cast<void *>(reader.get());
- g_reader_map.insert(Readmap::value_type(ret_reader, move(reader)));
+ g_reader_map.insert(Readmap::value_type(ret_reader, std::make_pair(move(reader), cur_client)));
+ g_connect_mtx.unlock();
return ret_reader;
}
void secUnsub(const int topic, void *reader)
{
+ PubSubClient *cur_client;
if (topic <= 0 || topic > ALLTOPIC) {
- printf("secUnsub failed, topic:%d is error\n", topic);
+ printf("lib secUnsub failed, topic:%d is error\n", topic);
return;
}
if (!reader)
return;
- g_client.UnSubscribe(topic);
-
+ g_connect_mtx.lock();
Readmap::iterator iter = g_reader_map.find(reader);
if (iter != g_reader_map.end()) {
+ cur_client = iter->second.second;
+ cur_client->UnSubscribe(topic);
g_reader_map.erase(iter);
reader = NULL;
+ delete cur_client;
}
+ g_connect_mtx.unlock();
}
void secReadFrom(void *reader, char *data, int data_len)
{
string msg("");
+ PubSubClient *cur_client;
if (!data || data_len <= 1)
return
- memset(data, 0, data_len);
+ (void)memset(data, 0, data_len);
if (!reader)
return;
+ g_connect_mtx.lock();
Readmap::iterator iter = g_reader_map.find(reader);
if (iter != g_reader_map.end()) {
- msg = g_client.ReadFrom(iter->second);
- if (msg == "keepalive")
+ cur_client = iter->second.second;
+ msg = cur_client->ReadFrom(iter->second.first);
+ if (msg == "keepalive") {
+ g_connect_mtx.unlock();
return;
+ }
+ strncpy(data, msg.c_str(), data_len - 1);
}
-
- strncpy(data, msg.c_str(), data_len - 1);
+ g_connect_mtx.unlock();
}
#ifdef __cplusplus
diff --git a/observer_agent/grpc_comm/client.cpp b/observer_agent/grpc_comm/client.cpp
index ecb54ae..d4b0948 100644
--- a/observer_agent/grpc_comm/client.cpp
+++ b/observer_agent/grpc_comm/client.cpp
@@ -29,6 +29,8 @@ using grpc::ClientReader;
#define BUF_NUM 1024
+PubSubClient::PubSubClient() {}
+
PubSubClient::PubSubClient(std::shared_ptr<Channel> channel) : stub_(SubManager::NewStub(channel))
{
uuid_t uuid;
@@ -38,6 +40,16 @@ PubSubClient::PubSubClient(std::shared_ptr<Channel> channel) : stub_(SubManager:
uuid_str = std::string(uuid_temp);
}
+void PubSubClient::init(std::shared_ptr<Channel> channel)
+{
+ uuid_t uuid;
+ char uuid_temp[37];
+ uuid_generate(uuid);
+ uuid_unparse(uuid, uuid_temp);
+ uuid_str = std::string(uuid_temp);
+ stub_ = SubManager::NewStub(channel);
+}
+
std::unique_ptr<ClientReader<Message>> PubSubClient::Subscribe(const int topic)
{
SubscribeRequest request;
diff --git a/observer_agent/grpc_comm/grpc_api.h b/observer_agent/grpc_comm/grpc_api.h
index 44d4aa9..4bde109 100644
--- a/observer_agent/grpc_comm/grpc_api.h
+++ b/observer_agent/grpc_comm/grpc_api.h
@@ -42,7 +42,9 @@ void RunServer();
class PubSubClient
{
public:
+ PubSubClient();
PubSubClient(std::shared_ptr<Channel> channel);
+ void init(std::shared_ptr<Channel> channel);
std::unique_ptr<ClientReader<Message>> Subscribe(const int topic);
void Publish(const int topic, const std::string &content);
void UnSubscribe(const int topic);
--
2.33.0

29
Backport-modify-for-secReadFrom-error.patch Normal file
View File

@ -0,0 +1,29 @@
From 2ed3096cab89564b1e7b95318260517b51573709 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Thu, 14 Dec 2023 18:21:30 +0800
Subject: [PATCH 3/4] modify for secReadFrom error
---
lib/secDetector_sdk.cpp | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
index a431377..5bc189e 100644
--- a/lib/secDetector_sdk.cpp
+++ b/lib/secDetector_sdk.cpp
@@ -86,8 +86,10 @@ void secReadFrom(void *reader, char *data, int data_len)
string msg("");
PubSubClient *cur_client = nullptr;
- if (!data || data_len <= 1)
- return
+ if (!data || data_len <= 1) {
+ printf("lib secReadFrom data or data_len error\n");
+ return;
+ }
(void)memset(data, 0, data_len);
--
2.33.0

165
Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch Normal file
View File

@ -0,0 +1,165 @@
From 71409081fc4c642412d7b7fb1812bee12b6af6b9 Mon Sep 17 00:00:00 2001
From: zcfsite <zhchf2010@126.com>
Date: Mon, 27 Nov 2023 22:27:06 +0800
Subject: rm kmodule_list in mc and fix param ringbuf desc
---
kerneldriver/cases/Makefile | 2 +-
.../secDetector_mc_kmodule_list.c | 55 -------------------
.../secDetector_mc_kmodule_list.h | 12 ----
.../secDetector_memory_corruption.c | 16 ------
kerneldriver/core/secDetector_main.c | 2 +-
5 files changed, 2 insertions(+), 85 deletions(-)
delete mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
delete mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile
index 0af72ba..5a94e50 100644
--- a/kerneldriver/cases/Makefile
+++ b/kerneldriver/cases/Makefile
@@ -8,7 +8,7 @@ obj-m += secDetector_kmodule_baseline.o
# obj-m += secDetector_lsm_example.o
obj-m += secDetector_program_action.o
-secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o
+secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o
#secDetector_task_block-objs := task_block/secDetector_task_block.o
#secDetector_file_block-objs := file_block/secDetector_file_block.o
secDetector_kmodule_baseline-objs := kmodule_baseline/secDetector_kmodule_baseline.o kmodule_baseline/secDetector_mc_kmodule_baseline.o
diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
deleted file mode 100644
index 283590b..0000000
--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * SPDX-License-Identifier: GPL-2.0
- *
- * Author: yieux
- * create: 2023-09-28
- * Description: the main implement of the kmodule list corruption.
- */
-#include <linux/module.h>
-#include <linux/list.h>
-#include <linux/spinlock.h>
-#include "secDetector_mc_kmodule_list.h"
-#include "secDetector_response.h"
-#include <linux/slab.h>
-
-#define MODULE_LIST_MAXSIZE 0x10000
-#define MC_KMODULE_REPORT_WORD_LEN 55
-
-// 3 ways for get kernel module list.
-// struct module->list
-// struct module->mkobj->kobj->entry
-// struct module->mkobj->kobj->kset
-void check_kmodule_list(void)
-{
- struct module_kobject *mobj = NULL;
- struct kobject *k = NULL;
- struct module *m = NULL;
- struct kset *module_kset = __this_module.mkobj.kobj.kset;
- response_data_t log;
-
- if (module_kset == NULL)
- return;
-
- spin_lock(&module_kset->list_lock);
- list_for_each_entry(k, &module_kset->list, entry) {
- if (k->name == NULL)
- continue;
- mobj = container_of(k, struct module_kobject, kobj);
- if (mobj == NULL || mobj->mod == NULL || (unsigned long)mobj->mod->name < MODULE_LIST_MAXSIZE)
- continue;
-
- mutex_lock(&module_mutex);
- m = find_module(k->name);
- if (m == NULL) {
- pr_err("[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
- log.report_data.len = MC_KMODULE_REPORT_WORD_LEN + strlen(k->name);
- log.report_data.text = kmalloc(log.report_data.len, GFP_KERNEL);
- sprintf(log.report_data.text, "[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
- secDetector_report(&log);
- kfree(log.report_data.text);
- }
- mutex_unlock(&module_mutex);
- }
- spin_unlock(&module_kset->list_lock);
- return;
-}
\ No newline at end of file
diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
deleted file mode 100644
index 737ca47..0000000
--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
+++ /dev/null
@@ -1,12 +0,0 @@
-/*
- * SPDX-License-Identifier: GPL-2.0
- *
- * Author: yieux
- * create: 2023-09-28
- * Description: the kmodule list corruption head file.
- */
- #ifndef SECDETECTOR_MC_KMODULE_LIST_H
- #define SECDETECTOR_MC_KMODULE_LIST_H
-
-void check_kmodule_list(void);
- #endif
\ No newline at end of file
diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
index 5b487ac..f4a1c9f 100644
--- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
+++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
@@ -10,35 +10,19 @@
#include <linux/seq_file.h>
#include "secDetector_manager.h"
#include <secDetector_module_type.h>
-#include "secDetector_mc_kmodule_list.h"
#define TIME_INTERVAL 10
DEFINE_MUTEX(case_mc_mutex);
#define KERNELKEYDATATAMPER 0x00008000
-static void check_all_watching_memory(void)
-{
- mutex_lock(&case_mc_mutex);
- check_kmodule_list();
- mutex_unlock(&case_mc_mutex);
-}
-
static struct secDetector_collect collect_array[] = {
{
.collect_type = COLLECT_GLOBAL_FUNCTION_SWITCH,
},
};
-
static struct secDetector_workflow workflow_array[] = {
- {
- .workflow_type = WORKFLOW_CUSTOMIZATION,
- .workflow_func.func = check_all_watching_memory,
- .hook_type = SECDETECTOR_TIMER,
- .interval = TIME_INTERVAL,
- .enabled = ATOMIC_INIT(true)
- },
{
.workflow_type = WORKFLOW_PRESET,
.hook_type = SECDETECTOR_TIMER,
diff --git a/kerneldriver/core/secDetector_main.c b/kerneldriver/core/secDetector_main.c
index 878d4a3..3931229 100644
--- a/kerneldriver/core/secDetector_main.c
+++ b/kerneldriver/core/secDetector_main.c
@@ -22,7 +22,7 @@ MODULE_PARM_DESC(log_size, "log size");
static unsigned int ringbuf_size = MIN_RINGBUF_SIZE; /* unit is Mb */
static unsigned int ringbuf_size_bytes; /* unit is bytes */
module_param(ringbuf_size, uint, 0400);
-MODULE_PARM_DESC(log_size, "ringbuffer size");
+MODULE_PARM_DESC(ringbuf_size, "ringbuffer size");
static bool ringbuf_size_check(void)
{
--
2.33.0

107
Backport-secDetectord-fix-a-grpc-hang-bug.patch Normal file
View File

@ -0,0 +1,107 @@
From f531f56ee36aecd3bb9eae527551eb8eff8c9457 Mon Sep 17 00:00:00 2001
From: chenjingwen <lhchenjw@gmail.com>
Date: Mon, 11 Dec 2023 19:52:42 +0800
Subject: [PATCH 2/2] secDetectord: fix a grpc hang bug
break connection loop before shutdown
so that shutdown won't hang.
Signed-off-by: chenjingwen <lhchenjw@gmail.com>
---
observer_agent/grpc_comm/grpc_api.h | 1 +
observer_agent/grpc_comm/server.cpp | 30 ++++++++++++++++++++++++++---
2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/observer_agent/grpc_comm/grpc_api.h b/observer_agent/grpc_comm/grpc_api.h
index 4bde109..27a9139 100644
--- a/observer_agent/grpc_comm/grpc_api.h
+++ b/observer_agent/grpc_comm/grpc_api.h
@@ -26,6 +26,7 @@ class PubSubServiceImpl final : public SubManager::Service
grpc::Status Subscribe(ServerContext *context, const SubscribeRequest *request, ServerWriter<Message> *writer);
grpc::Status Publish(ServerContext *context, const PublishRequest *request, Message *response);
grpc::Status UnSubscribe(ServerContext *context, const UnSubscribeRequest *request, Message *response);
+ void CloseAllConnection(void);
private:
std::unordered_map<std::string, std::vector<int>> suber_topic_;
diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
index cce5131..b47b1aa 100644
--- a/observer_agent/grpc_comm/server.cpp
+++ b/observer_agent/grpc_comm/server.cpp
@@ -16,6 +16,7 @@
#include "comm_api.grpc.pb.h"
#include <grpcpp/grpcpp.h>
#include <sys/stat.h>
+#include <condition_variable>
using data_comm::Message;
using data_comm::PublishRequest;
@@ -30,9 +31,23 @@ using grpc::ServerWriter;
#define MAX_CONNECTION 5
#define CHECK_TIME 60
+static bool killed = false;
+
class PubSubServiceImpl final : public SubManager::Service
{
public:
+ void CloseAllConnection(void)
+ {
+ std::lock_guard<std::mutex> lk(wait_mutex);
+
+ for (int i = 0; i < MAX_CONNECTION; i++) {
+ connect_status[i] = false;
+ }
+
+ killed = true;
+ cv.notify_all();
+ }
+
grpc::Status Subscribe(ServerContext *context, const SubscribeRequest *request,
ServerWriter<Message> *writer) override
{
@@ -124,7 +139,7 @@ class PubSubServiceImpl final : public SubManager::Service
}
return grpc::Status(grpc::StatusCode::INTERNAL, "writer is lose!");
}
- sleep(CHECK_TIME);
+ WaitKeeplive();
}
return grpc::Status::OK;
}
@@ -203,21 +218,30 @@ class PubSubServiceImpl final : public SubManager::Service
std::unordered_map<std::string, std::vector<ServerWriter<Message> *>> suber_writer_;
std::unordered_map<std::string, std::vector<int>> suber_connection_;
std::mutex sub_mutex;
+ std::mutex wait_mutex;
+ std::condition_variable cv;
int connection_num = 0;
bool connect_status[MAX_CONNECTION] = {false};
+
+ void WaitKeeplive(void)
+ {
+ std::unique_lock<std::mutex> lk(wait_mutex);
+ cv.wait_for(lk, std::chrono::seconds(CHECK_TIME), []{ return killed; });
+ }
};
-std::unique_ptr<Server> server;
+static std::unique_ptr<Server> server;
+static PubSubServiceImpl service;
void StopServer()
{
+ service.CloseAllConnection();
server->Shutdown();
}
void RunServer()
{
std::string server_address("unix:///var/run/secDetector.sock");
- PubSubServiceImpl service;
ServerBuilder builder;
builder.AddListeningPort(server_address, grpc::InsecureServerCredentials());
--
2.33.0

31
Backport-secUnsub-del-topic-in-README.patch Normal file
View File

@ -0,0 +1,31 @@
From afb0176a27e64325de49155348cf3e189685a960 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Mon, 11 Dec 2023 21:12:52 +0800
Subject: [PATCH] secUnsub del topic in README
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 9658879..6a06586 100644
--- a/README.md
+++ b/README.md
@@ -109,11 +109,11 @@ secDetectord 默认会在后台运行,从探针中取得数据并转发给订
参数 “topic”:注册的事件类型,具体可见” /usr/include/secDetector/secDetector_sdk.h”中定义
输出 返回读取事件的指针
-接口名称 void secUnsub(const int topic, void *reader)
+接口名称 void secUnsub(void *reader)
接口描述 注销订阅接口
-参数 “topic”:注销的事件类型, “reader”:注销的读事件指针
+参数 “reader”:注销的读事件指针
输出 无
-注意事项 当前会全部取消不支持指定reader取消
+注意事项 当前会取消reader的全部订阅
接口名称 void secReadFrom(void *reader, char *data, int data_len)
接口描述 读事件信息接口
--
2.33.0

189
Backport-secUnsub-del-topic.patch Normal file
View File

@ -0,0 +1,189 @@
From 4a58573122e2c677c427cb43bb02e6f055fdf391 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Mon, 11 Dec 2023 20:57:58 +0800
Subject: [PATCH] secUnsub del topic
---
examples/python/client.py | 4 +--
lib/secDetector_sdk.cpp | 8 ++----
lib/secDetector_sdk.h | 2 +-
observer_agent/grpc_comm/client.cpp | 3 +--
observer_agent/grpc_comm/client_sub_demo.cpp | 2 +-
observer_agent/grpc_comm/grpc_api.h | 2 +-
.../grpc_comm/protos/comm_api.proto | 3 +--
observer_agent/grpc_comm/server.cpp | 27 ++++++++-----------
8 files changed, 20 insertions(+), 31 deletions(-)
diff --git a/examples/python/client.py b/examples/python/client.py
index 312384d..3fb95b4 100644
--- a/examples/python/client.py
+++ b/examples/python/client.py
@@ -31,7 +31,7 @@ g_cli_reader_lock = threading.Lock()
secDetectorsdklib.secSub.argtypes = [ctypes.c_int]
secDetectorsdklib.secSub.restype = ctypes.c_void_p
-secDetectorsdklib.secUnsub.argtypes = [ctypes.c_int, ctypes.c_void_p]
+secDetectorsdklib.secUnsub.argtypes = [ctypes.c_void_p]
secDetectorsdklib.secUnsub.restype = None
secDetectorsdklib.secReadFrom.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int]
secDetectorsdklib.secReadFrom.restype = None
@@ -66,7 +66,7 @@ def thread_func_unsub(num=0):
g_cli_reader_lock.acquire()
try:
g_read_flag = False
- secDetectorsdklib.secUnsub(1, g_cli_reader)
+ secDetectorsdklib.secUnsub(g_cli_reader)
finally:
g_cli_reader_lock.release()
print("client thread_func_unsub end")
diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
index 6f47f41..6b00953 100644
--- a/lib/secDetector_sdk.cpp
+++ b/lib/secDetector_sdk.cpp
@@ -62,13 +62,9 @@ void *secSub(const int topic)
return ret_reader;
}
-void secUnsub(const int topic, void *reader)
+void secUnsub(void *reader)
{
PubSubClient *cur_client;
- if (topic <= 0 || topic > ALLTOPIC) {
- printf("lib secUnsub failed, topic:%d is error\n", topic);
- return;
- }
if (!reader)
return;
@@ -77,7 +73,7 @@ void secUnsub(const int topic, void *reader)
Readmap::iterator iter = g_reader_map.find(reader);
if (iter != g_reader_map.end()) {
cur_client = iter->second.second;
- cur_client->UnSubscribe(topic);
+ cur_client->UnSubscribe();
g_reader_map.erase(iter);
reader = NULL;
delete cur_client;
diff --git a/lib/secDetector_sdk.h b/lib/secDetector_sdk.h
index abf112b..92ef5b4 100644
--- a/lib/secDetector_sdk.h
+++ b/lib/secDetector_sdk.h
@@ -18,7 +18,7 @@
#define SECDETECTOR_SDK_H
void *secSub(const int topic);
-void secUnsub(const int topic, void *reader);
+void secUnsub(void *reader);
void secReadFrom(void *reader, char *data, int data_len);
#endif
diff --git a/observer_agent/grpc_comm/client.cpp b/observer_agent/grpc_comm/client.cpp
index 0dd02f9..5cf8cf2 100644
--- a/observer_agent/grpc_comm/client.cpp
+++ b/observer_agent/grpc_comm/client.cpp
@@ -87,10 +87,9 @@ void PubSubClient::Publish(const int topic, const std::string &content)
}
}
-void PubSubClient::UnSubscribe(const int topic)
+void PubSubClient::UnSubscribe(void)
{
UnSubscribeRequest request;
- request.set_topic(topic);
request.set_sub_name(uuid_str);
ClientContext unsub_context;
diff --git a/observer_agent/grpc_comm/client_sub_demo.cpp b/observer_agent/grpc_comm/client_sub_demo.cpp
index fbf27ad..550b503 100644
--- a/observer_agent/grpc_comm/client_sub_demo.cpp
+++ b/observer_agent/grpc_comm/client_sub_demo.cpp
@@ -34,7 +34,7 @@ int main(int argc, char **argv)
some_data = client.ReadFrom(cli_reader);
std::cout << "loop whz: " << some_data << std::endl;
}
- client.UnSubscribe(std::stoi(argv[1]));
+ client.UnSubscribe();
return 0;
}
diff --git a/observer_agent/grpc_comm/grpc_api.h b/observer_agent/grpc_comm/grpc_api.h
index 27a9139..c5b43cc 100644
--- a/observer_agent/grpc_comm/grpc_api.h
+++ b/observer_agent/grpc_comm/grpc_api.h
@@ -48,7 +48,7 @@ class PubSubClient
void init(std::shared_ptr<Channel> channel);
std::unique_ptr<ClientReader<Message>> Subscribe(const int topic);
void Publish(const int topic, const std::string &content);
- void UnSubscribe(const int topic);
+ void UnSubscribe(void);
std::string ReadFrom(std::unique_ptr<ClientReader<Message>> &reader);
private:
diff --git a/observer_agent/grpc_comm/protos/comm_api.proto b/observer_agent/grpc_comm/protos/comm_api.proto
index 6c84865..cf1e445 100644
--- a/observer_agent/grpc_comm/protos/comm_api.proto
+++ b/observer_agent/grpc_comm/protos/comm_api.proto
@@ -13,8 +13,7 @@ message SubscribeRequest {
}
message UnSubscribeRequest {
- int32 topic = 1;
- string sub_name = 2;
+ string sub_name = 1;
}
message PublishRequest {
diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
index b47b1aa..938d09c 100644
--- a/observer_agent/grpc_comm/server.cpp
+++ b/observer_agent/grpc_comm/server.cpp
@@ -176,7 +176,6 @@ class PubSubServiceImpl final : public SubManager::Service
grpc::Status UnSubscribe(ServerContext *context, const UnSubscribeRequest *request, Message *response) override
{
- int cli_topic = request->topic();
std::string cli_name = request->sub_name();
int i = 0;
int unsub_flag = 0;
@@ -189,27 +188,23 @@ class PubSubServiceImpl final : public SubManager::Service
std::lock_guard<std::mutex> lock(sub_mutex);
- for (auto topic_item : suber_topic_[cli_name])
+ std::unordered_map<std::string, std::vector<int>>::iterator iter = suber_topic_.find(cli_name);
+ if (iter != suber_topic_.end())
{
- if (topic_item == cli_topic)
- {
- suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
- suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
- connect_status[suber_connection_[cli_name].at(i)] = false;
- suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
- connection_num--;
- unsub_flag = 1;
- break;
- }
- i++;
+ suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
+ suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
+ connect_status[suber_connection_[cli_name].at(i)] = false;
+ suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
+ connection_num--;
+ unsub_flag = 1;
}
if (!unsub_flag)
{
- response->set_text("don't exist the topic: " + std::to_string(cli_topic));
- return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to UnSubscribe topic!");
+ response->set_text("don't exist the reader");
+ return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to UnSubscribe reader!");
}
- response->set_text("topic: " + std::to_string(cli_topic) + " UnSubscribe success!");
+ response->set_text("UnSubscribe success!");
return grpc::Status::OK;
}
--
2.33.0

28
Backport-service-fix-power_of_2-bug.patch Normal file
View File

@ -0,0 +1,28 @@
From 2ddd09ee581829e482d55db70b0cc92724b23c8d Mon Sep 17 00:00:00 2001
From: chenjingwen <lhchenjw@gmail.com>
Date: Mon, 20 Nov 2023 10:48:18 +0800
Subject: [PATCH 2/2] service: fix power_of_2 bug
fix a bug
Signed-off-by: chenjingwen <lhchenjw@gmail.com>
---
observer_agent/service/main.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/observer_agent/service/main.cpp b/observer_agent/service/main.cpp
index 940cf83..f177645 100644
--- a/observer_agent/service/main.cpp
+++ b/observer_agent/service/main.cpp
@@ -51,7 +51,7 @@ static bool power_of_2(unsigned int num)
{
if (num == 0)
return false;
- if (num & (num - 1) != 0)
+ if ((num & (num - 1)) != 0)
return false;
return true;
}
--
2.33.0

68
Backport-set-cmake-minimum-required-to-VERSION-3.22.patch Normal file
View File

@ -0,0 +1,68 @@
From 0a89d59f076bd9de9e997f76fd5088cf600bb685 Mon Sep 17 00:00:00 2001
From: zcfsite <zhchf2010@126.com>
Date: Wed, 6 Dec 2023 10:14:56 +0800
Subject: [PATCH 1/4] set cmake minimum required to VERSION 3.22
---
CMakeLists.txt | 2 +-
lib/CMakeLists.txt | 2 +-
observer_agent/CMakeLists.txt | 2 +-
observer_agent/ebpf/CMakeLists.txt | 2 +-
observer_agent/ebpf/file_ebpf/CMakeLists.txt | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1f44e4a..56c31c9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.1)
+cmake_minimum_required(VERSION 3.22)
project(secDetector)
add_subdirectory(observer_agent)
add_subdirectory(lib)
diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt
index b3f61f1..6b1ee78 100644
--- a/lib/CMakeLists.txt
+++ b/lib/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.14.1)
+cmake_minimum_required(VERSION 3.22)
project(secDetector_sdk)
diff --git a/observer_agent/CMakeLists.txt b/observer_agent/CMakeLists.txt
index 8465044..f110b49 100644
--- a/observer_agent/CMakeLists.txt
+++ b/observer_agent/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.1)
+cmake_minimum_required(VERSION 3.22)
add_subdirectory(ebpf)
set(CMAKE_CXX_STANDARD 11)
diff --git a/observer_agent/ebpf/CMakeLists.txt b/observer_agent/ebpf/CMakeLists.txt
index 6b97de4..a5c9bbe 100644
--- a/observer_agent/ebpf/CMakeLists.txt
+++ b/observer_agent/ebpf/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.16)
+cmake_minimum_required(VERSION 3.22)
project(ebpf)
add_subdirectory(file_ebpf)
add_custom_target(ebpf
diff --git a/observer_agent/ebpf/file_ebpf/CMakeLists.txt b/observer_agent/ebpf/file_ebpf/CMakeLists.txt
index 9517832..e9e073a 100644
--- a/observer_agent/ebpf/file_ebpf/CMakeLists.txt
+++ b/observer_agent/ebpf/file_ebpf/CMakeLists.txt
@@ -1,6 +1,6 @@
# SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
-cmake_minimum_required(VERSION 3.16)
+cmake_minimum_required(VERSION 3.22)
project(file_ebpf)
add_custom_target(file_ebpf
COMMAND mkdir -p ${CMAKE_CURRENT_BINARY_DIR}/.output
--
2.33.0

BIN
secDetector-v0.9.tar.gz
View File

Binary file not shown.

BIN
secDetector-v1.0.tar.gz Normal file
View File

Binary file not shown.

116
secDetector.spec
View File

@ -1,20 +1,62 @@
%global debug_package %{nil}
%define kernel_version %(ver=`rpm -qa|grep kernel-devel`;echo ${ver#*kernel-devel-})
Name : secDetector
Summary : OS Security Intrusion Detection System
Version : 0.9
Release : 1
Version : 1.0
Release : 14
License : GPL-2.0
URL : https://gitee.com/openeuler/secDetector
Source0 : %{name}-v%{version}.tar.gz
BuildRequires: kernel-devel kernel-headers
BuildRequires: gcc gcc-c++ clang cmake make
BuildRequires: libbpf-devel bpftool
BuildRequires: grpc-devel grpc-plugins protobuf-devel c-ares-devel libuuid-devel
Requires : kernel
Requires : protobuf grpc libuuid libbpf
Patch0001: Backport-fix-report-api-function.patch
Patch0002: Backport-service-fix-power_of_2-bug.patch
Patch0003: Backport-check-value-for-topic.patch
Patch0004: Backport-fix-printf-error-in-main.cpp.patch
Patch0005: Backport-fix-system-crash-caused-by-registration-exception.patch
Patch0006: Backport-fix-register-kpobe-mutiple-times.patch
Patch0007: Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch
Patch0008: Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch
Patch0009: Backport-fix-bug-of-mc-case-not-collect-data.patch
Patch0010: Backport-del-useless-code-for-timestamp.patch
Patch0011: Backport-modify-for-getting-common-info-in-createfile.patch
Patch0012: Backport-fix-memleak-bug-in-secDetector_program_action.patch
Patch0013: Backport-fix-timestamp-memleak.patch
Patch0014: Backport-add-handle-cleanup-and-refactor-Subscribe-UnSubscrib.patch
Patch0015: Backport-lib-modify-for-unsub.patch
Patch0016: Backport-add-nullptr-check-in-Subscribe.patch
Patch0017: Backport-modify-for-multiple-sub-in-the-same-process.patch
Patch0018: Backport-creatfile-check-op-intent-value.patch
Patch0019: Backport-createfile-check-f_mode-and-fix-typo.patch
Patch0021: Backport-add-lock-limit-publish-API.patch
Patch0022: Backport-secDetectord-fix-a-grpc-hang-bug.patch
Patch0023: Backport-secUnsub-del-topic.patch
Patch0024: Backport-secUnsub-del-topic-in-README.patch
Patch0025: Backport-modify-for-code-review.patch
Patch0026: Backport-modify-for-secReadFrom-error.patch
Patch0027: Backport-fix-invalid-TUF-8-data-in-memory-corruption-module.patch
Patch0028: Backport-set-cmake-minimum-required-to-VERSION-3.22.patch
Patch0029: Backport-grpc-fix-coredump-in-Publish.patch
Patch0030: Backport-fix-the-memory-leak-in-collect-unit.patch
Patch0031: Backport-fix-memory-leak-in-program_action.patch
Patch0032: Backport-bug-fix-memory-leak-in-sc-analyze-unit.patch
Patch0033: Backport-fix-6.x-kernel-compile-error.patch
%description
OS Security Intrusion Detection System
%package devel
Summary : Files for development
%description devel
The secDetector-devel package contains header file for development
%prep
%autosetup -n %{name}-v%{version} -p1
@ -26,12 +68,27 @@ cd ../cases
sed -i 's#/lib/modules/$(shell uname -r)/build#/lib/modules/%{kernel_version}/build#' Makefile
make
cd ../../
mkdir -p build
cd build
cmake .. && make
%install
mkdir -p $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
install -m 600 ./kerneldriver/core/secDetector_core.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
install -m 600 ./kerneldriver/cases/secDetector_kmodule_baseline.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
install -m 600 ./kerneldriver/cases/secDetector_memory_corruption.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
install -m 600 ./kerneldriver/cases/secDetector_program_action.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
mkdir -p $RPM_BUILD_ROOT/usr/bin
install -m 700 ./build/observer_agent/secDetectord $RPM_BUILD_ROOT/usr/bin/secDetectord
mkdir -p $RPM_BUILD_ROOT/usr/lib64/secDetector
install -m 700 ./build/lib/libsecDetectorsdk.so $RPM_BUILD_ROOT/usr/lib64/secDetector
mkdir -p $RPM_BUILD_ROOT/usr/include/secDetector
install -m 644 ./lib/secDetector_sdk.h $RPM_BUILD_ROOT/usr/include/secDetector
install -m 644 ./include/secDetector_topic.h $RPM_BUILD_ROOT/usr/include/secDetector
%pre
@ -53,7 +110,60 @@ rm -rf %{buildroot}
%attr(0400,root,root) /lib/modules/%{kernel_version}/extra/secDetector/secDetector_core.ko
%attr(0400,root,root) /lib/modules/%{kernel_version}/extra/secDetector/secDetector_kmodule_baseline.ko
%attr(0400,root,root) /lib/modules/%{kernel_version}/extra/secDetector/secDetector_memory_corruption.ko
%attr(0400,root,root) /lib/modules/%{kernel_version}/extra/secDetector/secDetector_program_action.ko
%attr(0700,root,root) /usr/bin/secDetectord
%attr(0500,root,root) /usr/lib64/secDetector/libsecDetectorsdk.so
%files devel
%defattr(-,root,root)
%attr(0644,root,root) /usr/include/secDetector/secDetector_sdk.h
%attr(0644,root,root) /usr/include/secDetector/secDetector_topic.h
%changelog
* Tue Feb 20 2024 hurricane618 <hurricane618@hotmail.com> 1.0-14
- backport patch to fix compile error in v6.6 kernel
* Thu Dec 21 2023 hurricane618 <hurricane618@hotmail.com> 1.0-13
- backport patchs to fix memory
* Thu Dec 14 2023 zcfsite <zhchf2010@126.com> 1.0-12
- fix secReadFrom error,invalid TUF-8 data in mc module,publish coredump
* Mon Dec 11 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-11
- backport patch
* Mon Dec 11 2023 chenjingwen6 <lhchenjw@gmail.com> 1.0-10
- backport some patches to fix issue such as grpc hangs
* Sat Dec 9 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-9
- backport some patches
* Tue Dec 05 2023 hurricane618 <hurricane618@hotmail.com> 1.0-8
- backport some patches
* Wed Nov 29 2023 hurricane618 <hurricane618@hotmail.com> 1.0-7
- fix backport patch0001
* Wed Nov 29 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-6
- backport some patches
* Mon Nov 27 2023 zcfsite <zhchf2010@126.com> 1.0-5
- fix some kerneldriver error
* Wed Nov 22 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-4
- add patch to check value for topic
* Tue Nov 21 2023 chenjingwen6 <lhchenjw@gmail.com> 1.0-3
- add patch to fix power_of_2 bug
* Sun Nov 19 2023 hurricane618 <hurricane618@hotmail.com> 1.0-2
- add fix patch
* Sat Nov 18 2023 zcfsite <zhchf2010@126.com> 1.0-1
- release v1.0
* Wed Nov 15 2023 zcfsite <zhchf2010@126.com> 0.9-2
- add devel package
* Tue Nov 14 2023 zcfsite <zhchf2010@126.com> 0.9-1
- Init package