pkg/ebpf: add interpreter ctime (aquasecurity#1977)

Pass the ELF interpreter ctime upon execution similar to the executed file.
MattGrol · Jul 20, 2022 · 5153bbc · 5153bbc
1 parent dc946f7
commit 5153bbc
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -651,11 +651,12 @@ typedef struct kmod_data {
     u64 next;
 } kmod_data_t;
 
-typedef struct file_id {
+typedef struct file_info {
     char pathname[MAX_CACHED_PATH_SIZE];
     dev_t device;
     unsigned long inode;
-} file_id_t;
+    u64 ctime;
+} file_info_t;
 
 // KERNEL STRUCTS ----------------------------------------------------------------------------------
 
@@ -700,7 +701,7 @@ struct kprobe {
 // clang-format off
 
 BPF_HASH(kconfig_map, u32, u32, 10240);                 // kernel config variables
-BPF_HASH(interpreter_map, u32, file_id_t, 10240);       // interpreter file used for each process
+BPF_HASH(interpreter_map, u32, file_info_t, 10240);       // interpreter file used for each process
 BPF_HASH(containers_map, u32, u8, 10240);               // map cgroup id to container status {EXISTED, CREATED, STARTED}
 BPF_HASH(args_map, u64, args_t, 1024);                  // persist args between function entry and return
 BPF_HASH(uid_filter, u32, u32, 256);                    // filter events by UID, for specific UIDs either by == or !=
@@ -2887,7 +2888,8 @@ int tracepoint__sched__sched_process_exec(struct bpf_raw_tracepoint_args *ctx)
     // The map of the interpreter will be updated for any loading of an elf, both for the elf and
     // for the interpreter. Because the interpreter is loaded only after the executed elf is loaded,
     // the map value of the executed elf should be overridden by the interpreter.
-    file_id_t *elf_interpreter = bpf_map_lookup_elem(&interpreter_map, &data.context.task.host_tid);
+    file_info_t *elf_interpreter =
+        bpf_map_lookup_elem(&interpreter_map, &data.context.task.host_tid);
 
     unsigned short stdin_type = get_inode_mode_from_fd(0) & S_IFMT;
 
@@ -2918,6 +2920,7 @@ int tracepoint__sched__sched_process_exec(struct bpf_raw_tracepoint_args *ctx)
             save_str_to_buf(&data, &elf_interpreter->pathname, 11);
             save_to_submit_buf(&data, &elf_interpreter->device, sizeof(dev_t), 12);
             save_to_submit_buf(&data, &elf_interpreter->inode, sizeof(unsigned long), 13);
+            save_to_submit_buf(&data, &elf_interpreter->ctime, sizeof(u64), 14);
         }
 
         events_perf_submit(&data, SCHED_PROCESS_EXEC, 0);
@@ -5375,12 +5378,13 @@ int BPF_KPROBE(trace_load_elf_phdrs)
     if (!should_trace((&data)))
         return 0;
 
-    file_id_t elf = {};
+    file_info_t elf = {};
     struct file *loaded_elf = (struct file *) PT_REGS_PARM2(ctx);
     const char *elf_pathname = (char *) get_path_str(GET_FIELD_ADDR(loaded_elf->f_path));
     bpf_probe_read_str(elf.pathname, sizeof(elf.pathname), elf_pathname);
     elf.device = get_dev_from_file(loaded_elf);
     elf.inode = get_inode_nr_from_file(loaded_elf);
+    elf.ctime = get_ctime_nanosec_from_file(loaded_elf);
 
     bpf_map_update_elem(&interpreter_map, &data.context.task.host_tid, &elf, BPF_ANY);
 

diff --git a/pkg/events/events.go b/pkg/events/events.go
@@ -4928,7 +4928,8 @@ var Definitions = eventDefinitions{
 				{Type: "const char*", Name: "interp"},
 				{Type: "const char*", Name: "interpreter_pathname"},
 				{Type: "dev_t", Name: "interpreter_dev"},
-				{Type: "unsigned long", Name: "ineterpreter_inode"},
+				{Type: "unsigned long", Name: "interpreter_inode"},
+				{Type: "unsigned long", Name: "interpreter_ctime"},
 			},
 		},
 		SchedProcessExit: {