tetragon: setup to let match binary names use args as well

Setting up ability to match args as well as binary names. This is useful for matching 'java beaches.jar' or 'python palmTree.py' where the binary itself is an interpretor and the actual thing being called is what matters. Signed-off-by: John Fastabend <[email protected]>
cilium · Dec 10, 2024 · 340ee2e · 340ee2e
1 parent 98c71ef
commit 340ee2e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 6 deletions.
diff --git a/bpf/lib/process.h b/bpf/lib/process.h
@@ -277,6 +277,8 @@ struct heap_exe {
 	char end[STRING_POSTFIX_MAX_LENGTH];
 	__u32 len;
 	__u32 error;
+	__u32 arg_len;
+	__u32 arg_start;
 }; // All fields aligned so no 'packed' attribute.
 
 struct msg_execve_event {
@@ -326,6 +328,10 @@ struct binary {
 	// NB: everything after and including ->mb_bitset will not be zeroed on a new exec. See
 	// binary_reset().
 	mbset_t mb_bitset;
+	// length of the args stored in args
+	__s64 args_length;
+	// args for the binary
+	char args[MAXARGLENGTH];
 }; // All fields aligned so no 'packed' attribute
 
 FUNC_INLINE void

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
@@ -91,6 +91,9 @@ read_args(void *ctx, struct msg_execve_event *event)
 
 	size = p->size & 0x1ff /* 2*MAXARGLENGTH - 1*/;
 	args = (char *)p + size;
+#ifdef __LARGE_BPF_PROG
+	event->exe.arg_start = size;
+#endif
 
 	if (args >= (char *)&event->process + BUFFER)
 		return 0;
@@ -116,6 +119,9 @@ read_args(void *ctx, struct msg_execve_event *event)
 		if (size > 0)
 			p->flags |= EVENT_DATA_ARGS;
 	}
+#ifdef __LARGE_BPF_PROG
+	event->exe.arg_len = size;
+#endif
 	return size;
 }
 
@@ -388,6 +394,8 @@ execve_send(void *ctx __arg_ctx)
 		/* zero out previous paths in ->bin */
 		binary_reset(&curr->bin);
 #ifdef __LARGE_BPF_PROG
+		__u32 nullone, nulltwo, off, len;
+
 		// read from proc exe stored at execve time
 		if (event->exe.len <= BINARY_PATH_MAX_LEN) {
 			curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.buf);
@@ -399,6 +407,15 @@ execve_send(void *ctx __arg_ctx)
 				revlen = STRING_POSTFIX_MAX_LENGTH - 1;
 			probe_read(curr->bin.end, revlen, event->exe.end);
 		}
+
+		off = event->exe.arg_start & 0xff;
+		len = event->exe.arg_len & 0xff;
+		probe_read(curr->bin.args, len, (char *)&event->process + off);
+
+		nullone = len + 1;
+		nulltwo = len + 2;
+		curr->bin.args[nullone & 0xff] = 0x00; // null terminate string
+		curr->bin.args[nulltwo & 0xff] = 0x00; // null terminate string
 #else
 		// reuse p->args first string that contains the filename, this can't be
 		// above 256 in size (otherwise the complete will be send via data msg)

diff --git a/pkg/api/processapi/processapi.go b/pkg/api/processapi/processapi.go
@@ -46,6 +46,7 @@ const (
 	MSG_COMMON_FLAG_IMA_HASH          = 0x8
 
 	BINARY_PATH_MAX_LEN = 256
+	MAX_ARG_LENGTH      = 256
 
 	STRING_POSTFIX_MAX_LENGTH = 128
 )
@@ -153,12 +154,14 @@ type MsgCapabilities struct {
 }
 
 type Binary struct {
-	PathLength int32
-	Reversed   uint32
-	Path       [BINARY_PATH_MAX_LEN]byte
-	End        [STRING_POSTFIX_MAX_LENGTH]byte
-	End_r      [STRING_POSTFIX_MAX_LENGTH]byte
-	MBSet      uint64
+	PathLength  int32
+	Reversed    uint32
+	Path        [BINARY_PATH_MAX_LEN]byte
+	End         [STRING_POSTFIX_MAX_LENGTH]byte
+	End_r       [STRING_POSTFIX_MAX_LENGTH]byte
+	MBSet       uint64
+	Args_length int64
+	Args        [MAX_ARG_LENGTH]byte
 }
 
 type MsgNamespaces struct {