tracee-ebpf: introduce capture events

Introudce capture events to take care of capture dependencies (probes and tail-calls) automatically.
MattGrol · May 9, 2022 · d73ed3e · d73ed3e
1 parent 127875d
commit d73ed3e
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 26 deletions.
diff --git a/pkg/ebpf/events_definitions.go b/pkg/ebpf/events_definitions.go
@@ -136,6 +136,15 @@ const (
 	DebugNetTcpConnect
 )
 
+const (
+	CaptureFileWriteEventID int32 = iota + 6000
+	CaptureExecEventID
+	CaptureModuleEventID
+	CaptureMemEventID
+	CaptureProfileEventID
+	CapturePcapEventID
+)
+
 var EventsDefinitions = map[int32]EventDefinition{
 	ReadEventID: {
 		ID32Bit: sys32read,
@@ -776,7 +785,7 @@ var EventsDefinitions = map[int32]EventDefinition{
 				{mapName: "sys_enter_tails", mapIdx: uint32(ExecveEventID), progName: "syscall__execve"},
 			},
 		},
-		Sets:    []string{"default", "syscalls", "proc", "proc_life"},
+		Sets: []string{"default", "syscalls", "proc", "proc_life"},
 		Params: []trace.ArgMeta{
 			{Type: "const char*", Name: "pathname"},
 			{Type: "const char*const*", Name: "argv"},
@@ -3531,7 +3540,7 @@ var EventsDefinitions = map[int32]EventDefinition{
 				{mapName: "sys_enter_tails", mapIdx: uint32(ExecveatEventID), progName: "syscall__execveat"},
 			},
 		},
-		Sets:    []string{"default", "syscalls", "proc", "proc_life"},
+		Sets: []string{"default", "syscalls", "proc", "proc_life"},
 		Params: []trace.ArgMeta{
 			{Type: "int", Name: "dirfd"},
 			{Type: "const char*", Name: "pathname"},
@@ -5565,4 +5574,81 @@ var EventsDefinitions = map[int32]EventDefinition{
 			{Type: "unsigned long", Name: "ctime"},
 		},
 	},
+	CaptureFileWriteEventID: {
+		ID32Bit:  sys32undefined,
+		Name:     "capture_file_write",
+		Internal: true,
+		Probes: []probe{
+			{event: "vfs_write", attach: kprobe, fn: "trace_vfs_write"},
+			{event: "vfs_write", attach: kretprobe, fn: "trace_ret_vfs_write"},
+			{event: "vfs_writev", attach: kprobe, fn: "trace_vfs_writev"},
+			{event: "vfs_writev", attach: kretprobe, fn: "trace_ret_vfs_writev"},
+			{event: "__kernel_write", attach: kprobe, fn: "trace_kernel_write"},
+			{event: "__kernel_write", attach: kretprobe, fn: "trace_ret_kernel_write"},
+		},
+		Dependencies: dependencies{
+			tailCalls: []tailCall{
+				{mapName: "prog_array", mapIdx: tailVfsWrite, progName: "trace_ret_vfs_write_tail"},
+				{mapName: "prog_array", mapIdx: tailVfsWritev, progName: "trace_ret_vfs_writev_tail"},
+				{mapName: "prog_array", mapIdx: tailKernelWrite, progName: "trace_ret_kernel_write_tail"},
+				{mapName: "prog_array", mapIdx: tailSendBin, progName: "send_bin"},
+			},
+		},
+	},
+	CaptureExecEventID: {
+		ID32Bit:  sys32undefined,
+		Name:     "capture_exec",
+		Internal: true,
+		Probes:   []probe{},
+		Dependencies: dependencies{
+			events: []eventDependency{{eventID: SchedProcessExecEventID}},
+		},
+	},
+	CaptureModuleEventID: {
+		ID32Bit:  sys32undefined,
+		Name:     "capture_module",
+		Internal: true,
+		Probes: []probe{
+			{event: "raw_syscalls:sys_enter", attach: rawTracepoint, fn: "tracepoint__raw_syscalls__sys_enter"},
+			{event: "raw_syscalls:sys_exit", attach: rawTracepoint, fn: "tracepoint__raw_syscalls__sys_exit"},
+			{event: "security_kernel_post_read_file", attach: kprobe, fn: "trace_security_kernel_post_read_file"},
+		},
+		Dependencies: dependencies{
+			events: []eventDependency{{eventID: SchedProcessExecEventID}},
+			tailCalls: []tailCall{
+				{mapName: "sys_enter_tails", mapIdx: uint32(InitModuleEventID), progName: "syscall__init_module"},
+				{mapName: "prog_array_tp", mapIdx: tailSendBinTP, progName: "send_bin_tp"},
+				{mapName: "prog_array", mapIdx: tailSendBin, progName: "send_bin"},
+			},
+		},
+	},
+	CaptureMemEventID: {
+		ID32Bit:  sys32undefined,
+		Name:     "capture_mem",
+		Internal: true,
+		Probes:   []probe{},
+		Dependencies: dependencies{
+			tailCalls: []tailCall{
+				{mapName: "prog_array", mapIdx: tailSendBin, progName: "send_bin"},
+			},
+		},
+	},
+	CaptureProfileEventID: {
+		ID32Bit:  sys32undefined,
+		Name:     "capture_profile",
+		Internal: true,
+		Probes:   []probe{},
+		Dependencies: dependencies{
+			events: []eventDependency{{eventID: SchedProcessExecEventID}},
+		},
+	},
+	CapturePcapEventID: {
+		ID32Bit:  sys32undefined,
+		Name:     "capture_pcap",
+		Internal: true,
+		Probes:   []probe{},
+		Dependencies: dependencies{
+			events: []eventDependency{{eventID: SecuritySocketBindEventID}},
+		},
+	},
 }
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -264,23 +264,24 @@ func New(cfg Config) (*Tracee, error) {
 
 	// Set events used to capture data
 	if t.config.Capture.Exec {
-		t.events[SchedProcessExecEventID] = eventConfig{submit: true}
+		t.events[CaptureExecEventID] = eventConfig{}
 	}
 	if t.config.Capture.FileWrite {
-		t.events[VfsWriteEventID] = eventConfig{}
-		t.events[VfsWritevEventID] = eventConfig{}
-		t.events[__KernelWriteEventID] = eventConfig{}
+		t.events[CaptureFileWriteEventID] = eventConfig{}
 	}
 	if t.config.Capture.Module {
-		t.events[SecurityPostReadFileEventID] = eventConfig{}
-		t.events[InitModuleEventID] = eventConfig{}
+		t.events[CaptureModuleEventID] = eventConfig{}
 	}
 	if t.config.Capture.Mem {
-		t.events[MmapEventID] = eventConfig{}
-		t.events[MprotectEventID] = eventConfig{}
-		t.events[MemProtAlertEventID] = eventConfig{}
+		t.events[CaptureMemEventID] = eventConfig{}
 	}
-	if t.config.Capture.NetIfaces != nil || len(t.config.Filter.NetFilter.InterfacesToTrace) > 0 || cfg.Debug {
+	if t.config.Capture.Profile {
+		t.events[CaptureProfileEventID] = eventConfig{}
+	}
+	if t.config.Capture.NetIfaces != nil {
+		t.events[CapturePcapEventID] = eventConfig{}
+	}
+	if len(t.config.Filter.NetFilter.InterfacesToTrace) > 0 || cfg.Debug {
 		t.events[SecuritySocketBindEventID] = eventConfig{}
 	}
 
@@ -772,20 +773,6 @@ func (t *Tracee) populateBPFMaps() error {
 
 	// Initialize tail call dependencies
 	tailCalls := make(map[tailCall]bool)
-	if t.config.Capture.FileWrite {
-		tailCalls[tailCall{mapName: "prog_array", mapIdx: tailVfsWrite, progName: "trace_ret_vfs_write_tail"}] = true
-		tailCalls[tailCall{mapName: "prog_array", mapIdx: tailVfsWritev, progName: "trace_ret_vfs_writev_tail"}] = true
-		tailCalls[tailCall{mapName: "prog_array", mapIdx: tailKernelWrite, progName: "trace_ret_kernel_write_tail"}] = true
-		tailCalls[tailCall{mapName: "prog_array", mapIdx: tailSendBin, progName: "send_bin"}] = true
-	}
-	if t.config.Capture.Module {
-		tailCalls[tailCall{mapName: "sys_enter_tails", mapIdx: uint32(InitModuleEventID), progName: "syscall__init_module"}] = true
-		tailCalls[tailCall{mapName: "prog_array_tp", mapIdx: tailSendBinTP, progName: "send_bin_tp"}] = true
-		tailCalls[tailCall{mapName: "prog_array", mapIdx: tailSendBin, progName: "send_bin"}] = true
-	}
-	if t.config.Capture.Mem {
-		tailCalls[tailCall{mapName: "prog_array", mapIdx: tailSendBin, progName: "send_bin"}] = true
-	}
 	for e := range t.events {
 		for _, tailCall := range EventsDefinitions[e].Dependencies.tailCalls {
 			tailCalls[tailCall] = true