From bb4b1875241741b0329555342f82ab820cf12187 Mon Sep 17 00:00:00 2001
From: zgzxx
Date: Sat, 9 Dec 2023 15:29:01 +0800
Subject: createfile check f_mode and fix typo

---
 include/secDetector_topic.h                        | 2 +-
 observer_agent/ebpf/file_ebpf/file_fentry.bpf.c    | 5 ++++-
 observer_agent/ebpf/file_ebpf/file_fentry.c        | 2 +-
 observer_agent/ebpf/file_ebpf/test_file_fentry.c   | 2 +-
 observer_agent/ebpf/test_fentry.c                  | 2 +-
 observer_agent/service/ebpf_converter.cpp          | 2 +-
 6 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/include/secDetector_topic.h b/include/secDetector_topic.h
index 7320042..93a6872 100644
--- a/include/secDetector_topic.h
+++ b/include/secDetector_topic.h
@@ -17,7 +17,7 @@
 #ifndef SECDETECTOR_TOPIC_H
 #define SECDETECTOR_TOPIC_H
 /* file */
-#define CREATFILE 0x00000001
+#define CREATEFILE 0x00000001
 #define DELFILE 0x00000002
 #define SETFILEATTR 0x00000004
 #define WRITEFILE 0x00000008
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
index f4e7e44..941b785 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
@@ -13,6 +13,7 @@
 #define O_CREAT 100
 #define LOOKUP_CREATE 0x0200
+#define FMODE_CREATED 0x100000
 
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 
@@ -112,12 +113,14 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
         return 0;
     if (!S_ISREG(ret_file->f_inode->i_mode))
         return 0;
+    if (!(ret_file->f_mode & FMODE_CREATED))
+        return 0;
 
     e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
     if (!e)
         return 0;
-    e->type = CREATFILE;
+    e->type = CREATEFILE;
 
     struct task_struct *parent = NULL;
     struct task_struct *task = NULL;
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.c b/observer_agent/ebpf/file_ebpf/file_fentry.c
index bf445ab..daec6e3 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.c
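Review bot: `#define FMODE_CREATED 0x100000` copies a kernel-internal fmode_t bit as a bare literal with no comment saying where it comes from. Unlike O_CREAT, fmode_t flags are not UAPI and are not described by BTF/CO-RE, so a kernel that assigns the bit differently would silently make the check added in the next hunk drop every CREATEFILE event; a one-line comment lets the next reader re-verify it: `#define FMODE_CREATED 0x100000 /* include/linux/fs.h, kernel-internal: set by the VFS when this open created the file; re-check on kernel upgrade */`. Relatedly, the neighbouring context line `#define O_CREAT 100` reads as decimal here while the UAPI value is octal 0100 (64); if that is not a rendering artefact of this page it is a pre-existing mask bug worth a follow-up.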
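Review bot: The new `if (!(ret_file->f_mode & FMODE_CREATED)) return 0;` narrows CREATEFILE to opens that actually created the file, but the intent is not stated, and nothing in the hunk shows whether the earlier `return 0;` at its top already rejects an IS_ERR() `ret_file` before `f_inode` and `f_mode` are dereferenced — the enclosing BPF_PROG(do_filp_open_exit) starts and ends outside the hunk. A comment above the check would carry the detection semantics: `/* O_CREAT on an existing file is not a creation; FMODE_CREATED is set only when the VFS created it */`. It is also worth recording, there or at the program head, that creations which presumably do not pass through do_filp_open (mknodat/linkat/renameat-style paths) are not seen by this probe, so operators reading the CREATEFILE topic know its coverage.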
@@ -44,7 +44,7 @@ static void DisableProg(struct bpf_object_skeleton *s, const char *prog_name)
 
 static void DisableProgBasedOnMask(struct bpf_object_skeleton *skel, int mask)
 {
-    if ((mask & CREATFILE) == 0) {
+    if ((mask & CREATEFILE) == 0) {
         DisableProg(skel, "do_filp_open_exit");
     }
 
diff --git a/observer_agent/ebpf/file_ebpf/test_file_fentry.c b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
index a9ea778..c22d2ef 100644
--- a/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+++ b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
@@ -9,7 +9,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
     printf("timestamp:%llu event_name:%s exe:%s pid:%u tgid:%u uid:%u gid:%u comm:%s"
            " sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
            e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,e->pcomm, e->nodename, e->pns, e->root_pns);
-    if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+    if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
         printf(" filename:%s", e->file_info.filename);
     if (e->type & SETFILEATTR)
         printf(" name:%s value:%s old_value:%s", e->file_info.name, e->file_info.value,e->file_info.old_value);
diff --git a/observer_agent/ebpf/test_fentry.c b/observer_agent/ebpf/test_fentry.c
index 0616958..330e82a 100644
--- a/observer_agent/ebpf/test_fentry.c
+++ b/observer_agent/ebpf/test_fentry.c
@@ -24,7 +24,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
            " sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
            e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid, e->pcomm, e->nodename, e->pns, e->root_pns);
-    if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+    if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
         printf(" filename:%s", e->file_info.filename);
     printf(" exit_code: %u\n", e->process_info.exit_code);
     return 0;
diff --git a/observer_agent/service/ebpf_converter.cpp b/observer_agent/service/ebpf_converter.cpp
index 27a2e37..4d8d8ba 100644
--- a/observer_agent/service/ebpf_converter.cpp
+++ b/observer_agent/service/ebpf_converter.cpp
@@ -158,7 +158,7 @@ static std::map convert_funcs = {
     {CREATPROCESS, convert_creat_process},
     {DESTROYPROCESS, convert_destroy_process},
     {SETPROCESSATTR, convert_set_process_attr},
-    {CREATFILE, convert_common_file},
+    {CREATEFILE, convert_common_file},
     {DELFILE, convert_common_file},
     {SETFILEATTR, convert_set_file_attr},
     {WRITEFILE, convert_common_file},
-- 
2.33.0