!25 backport some patches

From: @zgzxx Reviewed-by: @zcfsite Signed-off-by: @zcfsite
2023-12-09 08:27:32 +00:00 · 2023-12-09 08:27:32 +00:00 · 942f0a2a53
commit 942f0a2a53
parent 7f5bf7188c bc0768fa81
3 changed files with 149 additions and 1 deletions
--- a/Backport-createfile-check-f_mode-and-fix-typo.patch
+++ b/Backport-createfile-check-f_mode-and-fix-typo.patch
@ -0,0 +1,110 @@
+From bb4b1875241741b0329555342f82ab820cf12187 Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Sat, 9 Dec 2023 15:29:01 +0800
+Subject: createfile check f_mode and fix typo
+
+---
+ include/secDetector_topic.h                      | 2 +-
+ observer_agent/ebpf/file_ebpf/file_fentry.bpf.c  | 5 ++++-
+ observer_agent/ebpf/file_ebpf/file_fentry.c      | 2 +-
+ observer_agent/ebpf/file_ebpf/test_file_fentry.c | 2 +-
+ observer_agent/ebpf/test_fentry.c                | 2 +-
+ observer_agent/service/ebpf_converter.cpp        | 2 +-
+ 6 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/include/secDetector_topic.h b/include/secDetector_topic.h
+index 7320042..93a6872 100644
+--- a/include/secDetector_topic.h
+++ b/include/secDetector_topic.h
+@@ -17,7 +17,7 @@
+ #ifndef SECDETECTOR_TOPIC_H
+ #define SECDETECTOR_TOPIC_H
+ /* file */
+-#define CREATFILE 0x00000001
+#define CREATEFILE 0x00000001
+ #define DELFILE 0x00000002
+ #define SETFILEATTR 0x00000004
+ #define WRITEFILE 0x00000008
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+index f4e7e44..941b785 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+@@ -13,6 +13,7 @@
+ 
+ #define O_CREAT 100
+ #define LOOKUP_CREATE 0x0200
+#define FMODE_CREATED 0x100000
+ 
+ char LICENSE[] SEC("license") = "Dual BSD/GPL";
+ 
+@@ -112,12 +113,14 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
+ 		return 0;
+ 	if (!S_ISREG(ret_file->f_inode->i_mode))
+ 		return 0;
+	if (!(ret_file->f_mode & FMODE_CREATED))
+		return 0;
+ 
+ 	e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+ 	if (!e)
+ 		return 0;
+ 
+-	e->type = CREATFILE;
+	e->type = CREATEFILE;
+ 
+ 	struct task_struct *parent = NULL;
+ 	struct task_struct *task = NULL;
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.c b/observer_agent/ebpf/file_ebpf/file_fentry.c
+index bf445ab..daec6e3 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.c
+@@ -44,7 +44,7 @@ static void DisableProg(struct bpf_object_skeleton *s, const char *prog_name)
+ 
+ static void DisableProgBasedOnMask(struct bpf_object_skeleton *skel, int mask)
+ {
+-    if ((mask & CREATFILE) == 0) {
+    if ((mask & CREATEFILE) == 0) {
+         DisableProg(skel, "do_filp_open_exit");
+     }
+ 
+diff --git a/observer_agent/ebpf/file_ebpf/test_file_fentry.c b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+index a9ea778..c22d2ef 100644
+--- a/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+++ b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+@@ -9,7 +9,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
+ 	printf("timestamp:%llu event_name:%s exe:%s pid:%u tgid:%u uid:%u gid:%u comm:%s"
+ 		" sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
+ 		e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,e->pcomm, e->nodename, e->pns, e->root_pns);
+-    	if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+	if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ 		printf(" filename:%s", e->file_info.filename);
+ 	if (e->type & SETFILEATTR)
+ 		printf(" name:%s value:%s old_value:%s", e->file_info.name, e->file_info.value,e->file_info.old_value);
+diff --git a/observer_agent/ebpf/test_fentry.c b/observer_agent/ebpf/test_fentry.c
+index 0616958..330e82a 100644
+--- a/observer_agent/ebpf/test_fentry.c
+++ b/observer_agent/ebpf/test_fentry.c
+@@ -24,7 +24,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
+            " sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
+            e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,
+            e->pcomm, e->nodename, e->pns, e->root_pns);
+-    if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+    if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ 	    printf(" filename:%s", e->file_info.filename);
+     printf(" exit_code: %u\n", e->process_info.exit_code);
+     return 0;
+diff --git a/observer_agent/service/ebpf_converter.cpp b/observer_agent/service/ebpf_converter.cpp
+index 27a2e37..4d8d8ba 100644
+--- a/observer_agent/service/ebpf_converter.cpp
+++ b/observer_agent/service/ebpf_converter.cpp
+@@ -158,7 +158,7 @@ static std::map<int, convert_func_t> convert_funcs = {
+     {CREATPROCESS, convert_creat_process},
+     {DESTROYPROCESS, convert_destroy_process},
+     {SETPROCESSATTR, convert_set_process_attr},
+-    {CREATFILE, convert_common_file},
+    {CREATEFILE, convert_common_file},
+     {DELFILE, convert_common_file},
+     {SETFILEATTR, convert_set_file_attr},
+     {WRITEFILE, convert_common_file},
+-- 
+2.33.0
+
--- a/Backport-creatfile-check-op-intent-value.patch
+++ b/Backport-creatfile-check-op-intent-value.patch
@ -0,0 +1,33 @@
+From b3108cabb7ff97f8bb8b8398842cb2e8c623664c Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Wed, 6 Dec 2023 16:13:13 +0800
+Subject: creatfile check op intent value
+
+---
+ observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+index 7afb7e2..f4e7e44 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+@@ -12,6 +12,7 @@
+ #define S_ISREG(m) (((m) & S_IFMT) == S_IFREG)
+ 
+ #define O_CREAT 100
+#define LOOKUP_CREATE 0x0200
+ 
+ char LICENSE[] SEC("license") = "Dual BSD/GPL";
+ 
+@@ -107,7 +108,7 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
+ 	struct ebpf_event *e = NULL;
+ 	RETURN_ZERO_IF_OURSELF();
+ 
+-	if (op && !(op->open_flag & O_CREAT))
+	if (op && (!(op->open_flag & O_CREAT) || !(op->intent & LOOKUP_CREATE)))
+ 		return 0;
+ 	if (!S_ISREG(ret_file->f_inode->i_mode))
+ 		return 0;
+-- 
+2.33.0
+
--- a/secDetector.spec
+++ b/secDetector.spec
@ -5,7 +5,7 @@
 Name         :  secDetector
 Summary      :  OS Security Intrusion Detection System
 Version      :  1.0
-Release      :  8
+Release      :  9
 License      :  GPL-2.0
 Source0      :  %{name}-v%{version}.tar.gz
 BuildRequires:  kernel-devel kernel-headers
@ -32,6 +32,8 @@ Patch0014: Backport-add-handle-cleanup-and-refactor-Subscribe-UnSubscrib.patch
 Patch0015: Backport-lib-modify-for-unsub.patch
 Patch0016: Backport-add-nullptr-check-in-Subscribe.patch
 Patch0017: Backport-modify-for-multiple-sub-in-the-same-process.patch
+Patch0018: Backport-creatfile-check-op-intent-value.patch
+Patch0019: Backport-createfile-check-f_mode-and-fix-typo.patch

 %description
 OS Security Intrusion Detection System
@ -105,6 +107,9 @@ rm -rf %{buildroot}
 %attr(0644,root,root) /usr/include/secDetector/secDetector_topic.h

 %changelog
+* Sat Dec 9 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-9
+- backport some patches
+
 * Tue Dec 05 2023 hurricane618 <hurricane618@hotmail.com> 1.0-8
 - backport some patches