Merge pull request #3 from olcf/execsnoop_argv

Parse environment in execsnoop sensor.
olcf · Apr 22, 2021 · a0b3046 · a0b3046
2 parents 5afd175 + 030a109
commit a0b3046
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 3 deletions.
diff --git a/configs/execsnoop.yaml b/configs/execsnoop.yaml
@@ -0,0 +1,43 @@
+---
+# Variables to set for all program traces
+globals:
+  # Socket to open
+  socketPath: /run/greggd.sock
+  # Format for verbose output
+  verboseFormat: influx
+
+# Hash of all programs to load
+programs:
+  - source: /usr/share/greggd/c/execsnoop.c
+    # Events to bind program to
+    events:
+      - type: kprobe
+        loadFunc: syscall__execve
+        attachTo: __x64_sys_execve
+      - type: kretprobe
+        loadFunc: do_ret_sys_execve
+        attachTo: __x64_sys_execve
+    outputs:
+      - type: BPF_PERF_OUTPUT
+        id: execs
+        format:
+          - name: pid
+            type: u32
+            isTag: true
+          - name: ppid
+            type: u32
+            isTag: true
+          - name: uid
+            type: u32
+            isTag: true
+          - name: comm
+            type: char[16]
+            isTag: true
+          - name: env
+            type: char[12][32]
+          - name: argv
+            type: char[12][32]
+          - name: retval
+            type: int32
+          - name: span_us
+            type: u64
diff --git a/csrc/execsnoop.c b/csrc/execsnoop.c
@@ -21,6 +21,7 @@ struct data_t {
     u32 ppid; // Parent PID as in the userspace term (i.e task->real_parent->tgid in kernel)
     u32 uid;
     char comm[TASK_COMM_LEN];
+    char env[MAX_ARGS][ARGSIZE];
     char argv[MAX_ARGS][ARGSIZE];
     int rc;
     u64 span_us;
@@ -56,9 +57,9 @@ int syscall__execve(struct pt_regs *ctx,
     // We use the get_ppid function as a fallback in those cases. (#1883)
     //data.ppid = task->real_parent->tgid;
     data->ppid = task->real_parent->tgid;
-    int max = sizeof(data->argv[0]) - 1;
 
     const char *argp = NULL;
+    int max = sizeof(data->argv[0]) - 1;
 
     #pragma unroll
     for (int i = 0; i < MAX_ARGS; i++) {
@@ -68,11 +69,29 @@ int syscall__execve(struct pt_regs *ctx,
       {
         bpf_probe_read(&(data->argv[i]), max, argp);
       } else {
-        goto out;
+        goto arg_out;
+      }
+    }
+
+arg_out:;
+
+    // Get max size of what env we can return
+    const char *envp= NULL;
+    int env_max = sizeof(data->env[0]) - 1;
+
+    #pragma unroll
+    for (int i = 0; i < MAX_ARGS; i++) {
+      envp = NULL;
+      bpf_probe_read_str(&envp, sizeof(envp), (void *)&__envp[i]);
+      if (envp)
+      {
+        bpf_probe_read(&(data->env[i]), max, envp);
+      } else {
+        goto env_out;
       }
     }
 
-out:
+env_out:;
 
     if (bpf_get_current_comm(&data->comm, sizeof(data->comm)) == 0) {
         data->rc = 0;