From bb4b1875241741b0329555342f82ab820cf12187 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Sat, 9 Dec 2023 15:29:01 +0800
Subject: createfile check f_mode and fix typo
---
include/secDetector_topic.h | 2 +-
observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 5 ++++-
observer_agent/ebpf/file_ebpf/file_fentry.c | 2 +-
observer_agent/ebpf/file_ebpf/test_file_fentry.c | 2 +-
observer_agent/ebpf/test_fentry.c | 2 +-
observer_agent/service/ebpf_converter.cpp | 2 +-
6 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/include/secDetector_topic.h b/include/secDetector_topic.h
index 7320042..93a6872 100644
--- a/include/secDetector_topic.h
+++ b/include/secDetector_topic.h
@@ -17,7 +17,7 @@
#ifndef SECDETECTOR_TOPIC_H
#define SECDETECTOR_TOPIC_H
/* file */
-#define CREATFILE 0x00000001
+#define CREATEFILE 0x00000001
#define DELFILE 0x00000002
#define SETFILEATTR 0x00000004
#define WRITEFILE 0x00000008
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
index f4e7e44..941b785 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
@@ -13,6 +13,7 @@
#define O_CREAT 100
#define LOOKUP_CREATE 0x0200
+#define FMODE_CREATED 0x100000
char LICENSE[] SEC("license") = "Dual BSD/GPL";
@@ -112,12 +113,14 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
return 0;
if (!S_ISREG(ret_file->f_inode->i_mode))
return 0;
+ if (!(ret_file->f_mode & FMODE_CREATED))
+ return 0;
e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
if (!e)
return 0;
- e->type = CREATFILE;
+ e->type = CREATEFILE;
struct task_struct *parent = NULL;
struct task_struct *task = NULL;
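Review bot: The new guard `if (!(ret_file->f_mode & FMODE_CREATED)) return 0;` keys the whole CREATEFILE event path on a hand-copied constant, so on any kernel that does not set that bit in f_mode the program returns before bpf_ringbuf_reserve and creation events silently stop — a detection gap rather than a visible failure. The value 0x100000 in the earlier hunk's `#define FMODE_CREATED 0x100000` matches the mainline definition in include/linux/fs.h, but a local `#define` gets no BTF/CO-RE relocation, so nothing catches a kernel where the flag is absent or renumbered; add a comment at that define such as `/* FMODE_CREATED from include/linux/fs.h: set by the VFS when open() created the file; must track the running kernel's value */` and consider having the loader log or self-test that creation events are actually observed. Separately, the context line `#define O_CREAT 100` just above the new define is decimal 100, whereas the kernel's O_CREAT is octal 0100; if that macro is still used as a flag mask after this change it appears to be wrong and is worth fixing in the same pass. do_filp_open_exit begins and ends outside this hunk.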
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.c b/observer_agent/ebpf/file_ebpf/file_fentry.c
index bf445ab..daec6e3 100644
--- a/observer_agent/ebpf/file_ebpf/file_fentry.c
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.c
@@ -44,7 +44,7 @@ static void DisableProg(struct bpf_object_skeleton *s, const char *prog_name)
static void DisableProgBasedOnMask(struct bpf_object_skeleton *skel, int mask)
{
- if ((mask & CREATFILE) == 0) {
+ if ((mask & CREATEFILE) == 0) {
DisableProg(skel, "do_filp_open_exit");
}
diff --git a/observer_agent/ebpf/file_ebpf/test_file_fentry.c b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
index a9ea778..c22d2ef 100644
--- a/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+++ b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
@@ -9,7 +9,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
printf("timestamp:%llu event_name:%s exe:%s pid:%u tgid:%u uid:%u gid:%u comm:%s"
" sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,e->pcomm, e->nodename, e->pns, e->root_pns);
- if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
printf(" filename:%s", e->file_info.filename);
if (e->type & SETFILEATTR)
printf(" name:%s value:%s old_value:%s", e->file_info.name, e->file_info.value,e->file_info.old_value);
diff --git a/observer_agent/ebpf/test_fentry.c b/observer_agent/ebpf/test_fentry.c
index 0616958..330e82a 100644
--- a/observer_agent/ebpf/test_fentry.c
+++ b/observer_agent/ebpf/test_fentry.c
@@ -24,7 +24,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
" sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,
e->pcomm, e->nodename, e->pns, e->root_pns);
- if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
printf(" filename:%s", e->file_info.filename);
printf(" exit_code: %u\n", e->process_info.exit_code);
return 0;
diff --git a/observer_agent/service/ebpf_converter.cpp b/observer_agent/service/ebpf_converter.cpp
index 27a2e37..4d8d8ba 100644
--- a/observer_agent/service/ebpf_converter.cpp
+++ b/observer_agent/service/ebpf_converter.cpp
@@ -158,7 +158,7 @@ static std::map<int, convert_func_t> convert_funcs = {
{CREATPROCESS, convert_creat_process},
{DESTROYPROCESS, convert_destroy_process},
{SETPROCESSATTR, convert_set_process_attr},
- {CREATFILE, convert_common_file},
+ {CREATEFILE, convert_common_file},
{DELFILE, convert_common_file},
{SETFILEATTR, convert_set_file_attr},
{WRITEFILE, convert_common_file},
--
2.33.0