feat(driver): add filename parameter to PPME_SYSCALL_EXECVE_19_X

Signed-off-by: Leonardo Di Giovanna <[email protected]>

Author: ekoops

driver/SCHEMA_VERSION

@@ -1 +1 @@
-4.0.1
+4.1.0

driver/bpf/fillers.h

@@ -2856,7 +2856,18 @@ FILLER(execve_extra_tail_2, true) {
 	/* Parameter 30: egid (type: PT_GID) */
 	struct cred *cred = (struct cred *)_READ(task->cred);
 	kgid_t egid = _READ(cred->egid);
-	return bpf_push_u32_to_ring(data, egid.val);
+	res = bpf_push_u32_to_ring(data, egid.val);
+	CHECK_RES(res);
+
+	if(data->state->tail_ctx.evt_type == PPME_SYSCALL_EXECVEAT_X) {
+		return res;
+	}
+
+	/* The following is valid only for PPME_SYSCALL_EXECVE_19_X */
+
+	/* Parameter 31: filename (type: PT_FSPATH) */
+	unsigned long filename_pointer = bpf_syscall_get_argument(data, 0);
+	return bpf_val_to_ring_mem(data, filename_pointer, USER);
 }
 
 FILLER(sys_accept4_x, true) {
@@ -7120,7 +7131,26 @@ FILLER(sched_prog_exec_5, false) {
 	/* Parameter 30: egid (type: PT_GID) */
 	struct cred *cred = (struct cred *)_READ(task->cred);
 	kgid_t egid = _READ(cred->egid);
-	return bpf_push_u32_to_ring(data, egid.val);
+	res = bpf_push_u32_to_ring(data, egid.val);
+	CHECK_RES(res);
+
+	/* Parameter 31: filename (type: PT_FSPATH) */
+	/* note: in the current implementation, this filler is called for both successful execve and
+	 * execveat, and always generates an execve event. We use `bprm->filename` to populate the
+	 * `filename` parameter. `bprm->filename` contains a different thing, depending on the original
+	 * system call type and arguments provided by the user (see
+	 * https://elixir.bootlin.com/linux/v6.17.8/source/fs/exec.c#L1422-L1448).
+	 * At least for execve, it contains the system call's first argument, as provided by the user.
+	 */
+	struct sched_process_exec_args *original_ctx = (struct sched_process_exec_args *)data->ctx;
+#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
+	struct linux_binprm *bprm = original_ctx->bprm;
+	unsigned long filename_pointer = (unsigned long)_READ(bprm->filename);
+#else
+	unsigned long filename_offset = (unsigned long)original_ctx->filename & 0xFFFF;
+	unsigned long filename_pointer = (unsigned long)original_ctx + filename_offset;
+#endif
+	return bpf_val_to_ring_mem(data, filename_pointer, KERNEL);
 }
 
 #ifdef CAPTURE_SCHED_PROC_FORK

driver/bpf/types.h

@@ -154,12 +154,13 @@ struct sched_process_exec_args {
 /* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
  * Taken from `/include/trace/events/sched.h`
  */
+#include <linux/binfmts.h>  // `struct linux_binprm` definition.
 struct sched_process_exec_args {
 	struct task_struct *p;
 	pid_t old_pid;
 	struct linux_binprm *bprm;
 };
-#endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */
+#endif                      /* BPF_SUPPORTS_RAW_TRACEPOINTS */
 
 #ifdef CAPTURE_SCHED_PROC_FORK
 /* TP_PROTO(struct task_struct *parent, struct task_struct *child)

driver/event_table.c

@@ -1981,7 +1981,7 @@ const struct ppm_event_info g_event_info[] = {
         [PPME_SYSCALL_EXECVE_19_X] = {"execve",
                                       EC_PROCESS | EC_SYSCALL,
                                       EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
-                                      30,
+                                      31,
                                       {{"res", PT_ERRNO, PF_DEC},
                                        {"exe", PT_CHARBUF, PF_NA},
                                        {"args", PT_BYTEBUF, PF_NA},
@@ -2011,7 +2011,8 @@ const struct ppm_event_info g_event_info[] = {
                                        {"uid", PT_UID, PF_DEC},
                                        {"trusted_exepath", PT_FSPATH, PF_NA},
                                        {"pgid", PT_PID, PF_NA},
-                                       {"gid", PT_GID, PF_DEC}}},
+                                       {"gid", PT_GID, PF_DEC},
+                                       {"filename", PT_FSPATH, PF_NA}}},
         [PPME_SYSCALL_SETPGID_E] = {"setpgid",
                                     EC_PROCESS | EC_SYSCALL,
                                     EF_OLD_VERSION | EF_CONVERTER_MANAGED,

driver/main.c

@@ -107,16 +107,19 @@ struct event_data_t {
 		} signal_data;
 
 #ifdef CAPTURE_SCHED_PROC_FORK
-		/* Here we save only the child task struct since it is the
-		 * unique parameter we will use in our `f_sched_prog_fork`
-		 * filler. On the other side the `f_sched_prog_exec` filler
-		 * won't need any tracepoint parameter so we don't need a
-		 * internal struct here.
+		/* Here we save only the child task struct since it is the unique parameter we will use in
+		 * our `f_sched_prog_fork` filler.
 		 */
 		struct {
 			struct task_struct *child;
 		} sched_proc_fork_data;
 #endif
+		/* Here we save only the binprm struct since it is the unique parameter we will use in our
+		 * `f_sched_prog_exec` filler.
+		 */
+		struct {
+			struct linux_binprm *bprm;
+		} sched_proc_exec_data;
 
 		struct fault_data_t fault_data;
 	} event_info;
@@ -1820,6 +1823,7 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 		 */
 		switch(event_datap->category) {
 		case PPMC_SCHED_PROC_EXEC:
+			args.sched_proc_exec_bprm = event_datap->event_info.sched_proc_exec_data.bprm;
 			cbres = f_sched_prog_exec(&args);
 			break;
 
@@ -2376,6 +2380,7 @@ TRACEPOINT_PROBE(sched_proc_exec_probe,
 	}
 
 	event_data.category = PPMC_SCHED_PROC_EXEC;
+	event_data.event_info.sched_proc_exec_data.bprm = bprm;
 	record_event_all_consumers(PPME_SYSCALL_EXECVE_19_X,
 	                           UF_NEVER_DROP,
 	                           &event_data,

driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c

@@ -291,7 +291,7 @@ int BPF_PROG(t1_sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux
 }
 
 SEC("tp_btf/sched_process_exec")
-int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
+int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret, struct linux_binprm *bprm) {
 	struct auxiliary_map *auxmap = auxmap__get();
 	if(!auxmap) {
 		return 0;
@@ -317,6 +317,21 @@ int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
 	extract__egid(task, &egid);
 	auxmap__store_u32_param(auxmap, egid);
 
+	/* Parameter 31: filename (type: PT_FSPATH) */
+	/* note: in the current implementation, this program is called for both execve and execveat, and
+	 * always generates an execve event. We use `bprm->filename` to populate the `filename`
+	 * parameter. `bprm->filename` contains a different thing, depending on the original system call
+	 * type and arguments provided by the user (see
+	 * https://elixir.bootlin.com/linux/v6.17.8/source/fs/exec.c#L1422-L1448).
+	 * At least for execve, it contains the system call's first argument, as provided by the user.
+	 */
+	unsigned long filename_pointer = (unsigned long)BPF_CORE_READ(bprm, filename);
+	if(!filename_pointer) {
+		auxmap__store_empty_param(auxmap);
+	} else {
+		auxmap__store_charbuf_param(auxmap, filename_pointer, MAX_PATH, KERNEL);
+	}
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c

@@ -288,6 +288,10 @@ int BPF_PROG(t2_execve_x, struct pt_regs *regs, long ret) {
 	extract__egid(task, &egid);
 	auxmap__store_u32_param(auxmap, egid);
 
+	/* Parameter 31: filename (type: PT_FSPATH) */
+	unsigned long filename_pointer = extract__syscall_argument(regs, 0);
+	auxmap__store_charbuf_param(auxmap, filename_pointer, MAX_PATH, USER);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/ppm_events.h

@@ -13,11 +13,11 @@ or GPL2.txt for full copies of the license.
 
 /* To know about __NR_socketcall */
 #include <asm/unistd.h>
-#include "ppm_consumer.h"
+#include <linux/binfmts.h>  // `struct linux_binprm` definition.
 #ifdef CONFIG_COMPAT
 #include <linux/compat.h>
 #endif
-
+#include "ppm_consumer.h"
 #include "ppm_events_public.h"
 
 /*
@@ -56,6 +56,7 @@ struct event_filler_arguments {
 #ifdef CAPTURE_SCHED_PROC_FORK
 	struct task_struct *child; /* for sched_process_fork events, this is the child task */
 #endif
+	struct linux_binprm *sched_proc_exec_bprm; /* Only meaningful for sched_process_exec events. */
 
 	char *str_storage; /* String storage. Size is one page. */
 	unsigned long args[6];

driver/ppm_fillers.c

@@ -1344,6 +1344,14 @@ int f_proc_startupdate(struct event_filler_arguments *args) {
 		egid = from_kgid_munged(current_user_ns(), current_egid());
 		res = val_to_ring(args, egid, 0, false, 0);
 		CHECK_RES(res);
+
+		if(args->event_type == PPME_SYSCALL_EXECVE_19_X) {
+			/* Parameter 31: filename (type: PT_FSPATH) */
+			unsigned long filename_pointer;
+			syscall_get_arguments_deprecated(args, 0, 1, &filename_pointer);
+			res = val_to_ring(args, filename_pointer, 0, true, 0);
+			CHECK_RES(res);
+		}
 	}
 	return add_sentinel(args);
 }
@@ -7545,6 +7553,7 @@ int f_sched_prog_exec(struct event_filler_arguments *args) {
 	uint32_t egid = UINT32_MAX;
 	char *buf = (char *)args->str_storage;
 	char *trusted_exepath = NULL;
+	unsigned long filename_pointer = 0;
 
 	/* Parameter 1: res (type: PT_ERRNO) */
 	/* Please note: if this filler is called the execve is correctly
@@ -7865,6 +7874,18 @@ int f_sched_prog_exec(struct event_filler_arguments *args) {
 	res = val_to_ring(args, egid, 0, false, 0);
 	CHECK_RES(res);
 
+	/* Parameter 31: filename (type: PT_FSPATH) */
+	/* note: in the current implementation, this filler is called for both execve and execveat, and
+	 * always generates an execve event. We use `bprm->filename` to populate the `filename`
+	 * parameter. `bprm->filename` contains a different thing, depending on the original system call
+	 * type and arguments provided by the user (see
+	 * https://elixir.bootlin.com/linux/v6.17.8/source/fs/exec.c#L1422-L1448).
+	 * At least for execve, it contains the system call's first argument, as provided by the user.
+	 */
+	filename_pointer = (unsigned long)args->sched_proc_exec_bprm->filename;
+	res = val_to_ring(args, filename_pointer, 0, false, 0);
+	CHECK_RES(res);
+
 	return add_sentinel(args);
 }