From bc0768fa81c30afa8a77db5eaf6a0a92676f5a39 Mon Sep 17 00:00:00 2001
From: zgzxx
Date: Sat, 9 Dec 2023 15:58:09 +0800
Subject: [PATCH] backport some patches

---
 ...createfile-check-f_mode-and-fix-typo.patch | 110 ++++++++++++++++++
 ...port-creatfile-check-op-intent-value.patch | 33 ++++++
 secDetector.spec | 7 +-
 3 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 Backport-createfile-check-f_mode-and-fix-typo.patch
 create mode 100644 Backport-creatfile-check-op-intent-value.patch

diff --git a/Backport-createfile-check-f_mode-and-fix-typo.patch b/Backport-createfile-check-f_mode-and-fix-typo.patch
new file mode 100644
index 0000000..c4c5d46
--- /dev/null
+++ b/Backport-createfile-check-f_mode-and-fix-typo.patch
@@ -0,0 +1,110 @@
+From bb4b1875241741b0329555342f82ab820cf12187 Mon Sep 17 00:00:00 2001
+From: zgzxx
+Date: Sat, 9 Dec 2023 15:29:01 +0800
+Subject: createfile check f_mode and fix typo
+
+---
+ include/secDetector_topic.h | 2 +-
+ observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 5 ++++-
+ observer_agent/ebpf/file_ebpf/file_fentry.c | 2 +-
+ observer_agent/ebpf/file_ebpf/test_file_fentry.c | 2 +-
+ observer_agent/ebpf/test_fentry.c | 2 +-
+ observer_agent/service/ebpf_converter.cpp | 2 +-
+ 6 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/include/secDetector_topic.h b/include/secDetector_topic.h
+index 7320042..93a6872 100644
+--- a/include/secDetector_topic.h
++++ b/include/secDetector_topic.h
+@@ -17,7 +17,7 @@
+ #ifndef SECDETECTOR_TOPIC_H
+ #define SECDETECTOR_TOPIC_H
+ /* file */
+-#define CREATFILE 0x00000001
++#define CREATEFILE 0x00000001
+ #define DELFILE 0x00000002
+ #define SETFILEATTR 0x00000004
+ #define WRITEFILE 0x00000008
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+index f4e7e44..941b785 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
++++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+@@ -13,6 +13,7 @@
+
+ #define O_CREAT 100
+ #define LOOKUP_CREATE 0x0200
++#define FMODE_CREATED 0x100000
+
+ char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+@@ -112,12 +113,14 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
+ return 0;
+ if (!S_ISREG(ret_file->f_inode->i_mode))
+ return 0;
++ if (!(ret_file->f_mode & FMODE_CREATED))
++ return 0;
+
+ e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+ if (!e)
+ return 0;
+
+- e->type = CREATFILE;
++ e->type = CREATEFILE;
+
+ struct task_struct *parent = NULL;
+ struct task_struct *task = NULL;
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.c b/observer_agent/ebpf/file_ebpf/file_fentry.c
+index bf445ab..daec6e3 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.c
++++ 
b/observer_agent/ebpf/file_ebpf/file_fentry.c
+@@ -44,7 +44,7 @@ static void DisableProg(struct bpf_object_skeleton *s, const char *prog_name)
+
+ static void DisableProgBasedOnMask(struct bpf_object_skeleton *skel, int mask)
+ {
+- if ((mask & CREATFILE) == 0) {
++ if ((mask & CREATEFILE) == 0) {
+ DisableProg(skel, "do_filp_open_exit");
+ }
+
+diff --git a/observer_agent/ebpf/file_ebpf/test_file_fentry.c b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+index a9ea778..c22d2ef 100644
+--- a/observer_agent/ebpf/file_ebpf/test_file_fentry.c
++++ b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+@@ -9,7 +9,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
+ printf("timestamp:%llu event_name:%s exe:%s pid:%u tgid:%u uid:%u gid:%u comm:%s"
+ " sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
+ e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,e->pcomm, e->nodename, e->pns, e->root_pns);
+- if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
++ if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ printf(" filename:%s", e->file_info.filename);
+ if (e->type & SETFILEATTR)
+ printf(" name:%s value:%s old_value:%s", e->file_info.name, e->file_info.value,e->file_info.old_value);
+diff --git a/observer_agent/ebpf/test_fentry.c b/observer_agent/ebpf/test_fentry.c
+index 0616958..330e82a 100644
+--- a/observer_agent/ebpf/test_fentry.c
++++ b/observer_agent/ebpf/test_fentry.c
+@@ -24,7 +24,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
+ " sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
+ e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,
+ e->pcomm, e->nodename, e->pns, e->root_pns);
+- if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
++ if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ printf(" 
filename:%s", e->file_info.filename);
+ printf(" exit_code: %u\n", e->process_info.exit_code);
+ return 0;
+diff --git a/observer_agent/service/ebpf_converter.cpp b/observer_agent/service/ebpf_converter.cpp
+index 27a2e37..4d8d8ba 100644
+--- a/observer_agent/service/ebpf_converter.cpp
++++ b/observer_agent/service/ebpf_converter.cpp
+@@ -158,7 +158,7 @@ static std::map convert_funcs = {
+ {CREATPROCESS, convert_creat_process},
+ {DESTROYPROCESS, convert_destroy_process},
+ {SETPROCESSATTR, convert_set_process_attr},
+- {CREATFILE, convert_common_file},
++ {CREATEFILE, convert_common_file},
+ {DELFILE, convert_common_file},
+ {SETFILEATTR, convert_set_file_attr},
+ {WRITEFILE, convert_common_file},
+--
+2.33.0
+
diff --git a/Backport-creatfile-check-op-intent-value.patch b/Backport-creatfile-check-op-intent-value.patch
new file mode 100644
index 0000000..8262b3e
--- /dev/null
+++ b/Backport-creatfile-check-op-intent-value.patch
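Review bot: Renaming `CREATFILE` to `CREATEFILE` in include/secDetector_topic.h is a source-compatibility break for every subscriber built against the installed header (the spec in this same commit ships it as /usr/include/secDetector/secDetector_topic.h), because any external code that filters on the old spelling stops compiling; adding `#define CREATFILE CREATEFILE /* deprecated spelling, kept for source compatibility */` beside the new name costs nothing. In file_fentry.bpf.c the new `FMODE_CREATED 0x100000` (like the `LOOKUP_CREATE 0x0200` and `O_CREAT 100` context above it) is a kernel-internal flag copied by value rather than taken from a kernel header; the value matches current kernels, but it is not UAPI, so a comment such as `/* include/linux/fs.h FMODE_CREATED; not UAPI, re-check on kernel upgrade */` should record where it came from. FMODE_CREATED is set by the VFS only when the open actually created the file, which makes it the authoritative "created" signal here and turns the O_CREAT/intent tests above it into a mere early-out, and a one-line comment saying so would stop a later reader from removing one check without the other. do_filp_open_exit begins and ends outside this hunk, so whether ret_file is screened for an error pointer before its f_mode is read cannot be confirmed from here.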
@@ -0,0 +1,33 @@
+From b3108cabb7ff97f8bb8b8398842cb2e8c623664c Mon Sep 17 00:00:00 2001
+From: zgzxx
+Date: Wed, 6 Dec 2023 16:13:13 +0800
+Subject: creatfile check op intent value
+
+---
+ observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+index 7afb7e2..f4e7e44 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
++++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+@@ -12,6 +12,7 @@
+ #define S_ISREG(m) (((m) & S_IFMT) == S_IFREG)
+
+ #define O_CREAT 100
++#define LOOKUP_CREATE 0x0200
+
+ char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+@@ -107,7 +108,7 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
+ struct ebpf_event *e = NULL;
+ RETURN_ZERO_IF_OURSELF();
+
+- if (op && !(op->open_flag & O_CREAT))
++ if (op && (!(op->open_flag & O_CREAT) || !(op->intent & LOOKUP_CREATE)))
+ return 0;
+ if (!S_ISREG(ret_file->f_inode->i_mode))
+ return 0;
+--
+2.33.0
+
diff --git a/secDetector.spec b/secDetector.spec
index 9122613..44b6549 100644
--- a/secDetector.spec
+++ b/secDetector.spec
@@ -5,7 +5,7 @@ Name : secDetector Summary : OS Security Intrusion Detection System Version : 1.0 -Release : 8 +Release : 9 License : GPL-2.0 Source0 : %{name}-v%{version}.tar.gz BuildRequires: kernel-devel kernel-headers
@@ -32,6 +32,8 @@ Patch0014: Backport-add-handle-cleanup-and-refactor-Subscribe-UnSubscrib.patch Patch0015: Backport-lib-modify-for-unsub.patch Patch0016: Backport-add-nullptr-check-in-Subscribe.patch Patch0017: Backport-modify-for-multiple-sub-in-the-same-process.patch +Patch0018: Backport-creatfile-check-op-intent-value.patch +Patch0019: Backport-createfile-check-f_mode-and-fix-typo.patch %description OS Security Intrusion Detection System
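Review bot: The added condition still relies on the `#define O_CREAT 100` visible in the context above, which is decimal 100 (0x64), whereas the kernel defines O_CREAT as octal 0100 (0x40); the mask therefore also matches bits 0x20 and 0x04, and 0x20 is the kernel's internal `__FMODE_EXEC` bit in open_flag, so on the kernels I know an execve() open passed the old O_CREAT test and was reported as a file creation. The fix is `#define O_CREAT 0100 /* octal, as in the kernel's fcntl.h */`, and it should land regardless of this patch. The new `op->intent & LOOKUP_CREATE` half does not tighten anything on its own: build_open_flags() sets LOOKUP_CREATE in the intent exactly when O_CREAT is present in open_flag, so both halves derive from the same input bit and the only reason it appears to help is that the exec open has no LOOKUP_CREATE intent; the commit message should name the case it was meant to exclude. do_filp_open_exit starts and ends outside this hunk, so whether ret_file is checked against an error pointer before `ret_file->f_inode->i_mode` is read is not visible here.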
@@ -105,6 +107,9 @@ rm -rf %{buildroot} %attr(0644,root,root) /usr/include/secDetector/secDetector_topic.h %changelog +* Sat Dec 9 2023 zhangguangzhi 1.0-9 +- backport some patches + * Tue Dec 05 2023 hurricane618 1.0-8 - backport some patches