add type of stdin in sched_process_exec (aquasecurity#1214)

* add type of stdin in sched_process_exec * change arg name to stdin_type
MattGrol · Dec 6, 2021 · 8f7c296 · 8f7c296
1 parent e1352f8
commit 8f7c296
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/tracee-ebpf/tracee/argprinters.go b/tracee-ebpf/tracee/argprinters.go
@@ -115,6 +115,10 @@ func (t *Tracee) parseArgs(ctx *context, args map[string]interface{}) error {
 				args["type"] = typeIdStr
 			}
 		}
+	case SchedProcessExecEventID:
+		if mode, isUint16 := args["stdin_type"].(uint16); isUint16 {
+			args["stdin_type"] = helpers.ParseInodeMode(uint32(mode))
+		}
 	}
 
 	return nil

diff --git a/tracee-ebpf/tracee/consts.go b/tracee-ebpf/tracee/consts.go
@@ -938,7 +938,7 @@ var EventsIDToParams = map[int32][]external.ArgMeta{
 	SysEnterEventID:               {{Type: "int", Name: "syscall"}},
 	SysExitEventID:                {{Type: "int", Name: "syscall"}},
 	SchedProcessForkEventID:       {{Type: "int", Name: "parent_tid"}, {Type: "int", Name: "parent_ns_tid"}, {Type: "int", Name: "child_tid"}, {Type: "int", Name: "child_ns_tid"}},
-	SchedProcessExecEventID:       {{Type: "const char*", Name: "cmdpath"}, {Type: "const char*", Name: "pathname"}, {Type: "const char**", Name: "argv"}, {Type: "const char**", Name: "env"}, {Type: "dev_t", Name: "dev"}, {Type: "unsigned long", Name: "inode"}, {Type: "int", Name: "invoked_from_kernel"}, {Type: "unsigned long", Name: "ctime"}},
+	SchedProcessExecEventID:       {{Type: "const char*", Name: "cmdpath"}, {Type: "const char*", Name: "pathname"}, {Type: "const char**", Name: "argv"}, {Type: "const char**", Name: "env"}, {Type: "dev_t", Name: "dev"}, {Type: "unsigned long", Name: "inode"}, {Type: "int", Name: "invoked_from_kernel"}, {Type: "unsigned long", Name: "ctime"}, {Type: "umode_t", Name: "stdin_type"}},
 	SchedProcessExitEventID:       {{Type: "long", Name: "exit_code"}},
 	SchedSwitchEventID:            {{Type: "int", Name: "cpu"}, {Type: "int", Name: "prev_tid"}, {Type: "const char*", Name: "prev_comm"}, {Type: "int", Name: "next_tid"}, {Type: "const char*", Name: "next_comm"}},
 	DoExitEventID:                 {},

diff --git a/tracee-ebpf/tracee/tracee.bpf.c b/tracee-ebpf/tracee/tracee.bpf.c
@@ -2454,6 +2454,8 @@ int tracepoint__sched__sched_process_exec(struct bpf_raw_tracepoint_args *ctx)
 
     void *file_path = get_path_str(GET_FIELD_ADDR(file->f_path));
 
+    unsigned short stdin_type = get_inode_mode_from_fd(0) & S_IFMT;
+
     // Note: Starting from kernel 5.9, there are two new interesting fields in
     // bprm that we should consider adding:
     //
@@ -2472,6 +2474,7 @@ int tracepoint__sched__sched_process_exec(struct bpf_raw_tracepoint_args *ctx)
     save_to_submit_buf(&data, &inode_nr, sizeof(unsigned long), 5);
     save_to_submit_buf(&data, &invoked_from_kernel, sizeof(int), 6);
     save_to_submit_buf(&data, &ctime, sizeof(u64), 7);
+    save_to_submit_buf(&data, &stdin_type, sizeof(unsigned short), 8);
 
     return events_perf_submit(&data, SCHED_PROCESS_EXEC, 0);
 }