Revert "Add new filter for open+create/create with exec permissions (#…

…1637)" This reverts commit 93a0bbb.
draios · May 22, 2020 · 2329916 · 2329916
1 parent 93a0bbb
commit 2329916
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 31 deletions.
diff --git a/driver/flags_table.c b/driver/flags_table.c
@@ -69,7 +69,6 @@ const struct ppm_name_value file_flags[] = {
 	{"O_RDONLY", PPM_O_RDONLY},
 	{"O_CLOEXEC", PPM_O_CLOEXEC},
 	{"O_NONE", PPM_O_NONE},
-	{"O_TMPFILE", PPM_O_TMPFILE},
 	{0, 0},
 };
 

diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -98,7 +98,6 @@ or GPL2.txt for full copies of the license.
 #define PPM_O_DIRECTORY (1 << 10)
 #define PPM_O_LARGEFILE (1 << 11)
 #define PPM_O_CLOEXEC	(1 << 12)
-#define PPM_O_TMPFILE	(1 << 13)
 
 /*
  * File modes

diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h
@@ -9,10 +9,10 @@ or GPL2.txt for full copies of the license.
 
 #ifndef PPM_FLAG_HELPERS_H_
 #define PPM_FLAG_HELPERS_H_
-#define _GNU_SOURCE
 #include <linux/mman.h>
 #include <linux/futex.h>
 #include <linux/ptrace.h>
+
 #include "ppm.h"
 
 #define PPM_MS_MGC_MSK 0xffff0000
@@ -37,9 +37,6 @@ static __always_inline uint32_t open_flags_to_scap(unsigned long flags)
 	if (flags & O_CREAT)
 		res |= PPM_O_CREAT;
 
-    if (flags & O_TMPFILE)
-		res |= PPM_O_TMPFILE;
-
 	if (flags & O_APPEND)
 		res |= PPM_O_APPEND;
 

diff --git a/userspace/libscap/scap_fds.c b/userspace/libscap/scap_fds.c
@@ -16,7 +16,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 
 */
-#define _GNU_SOURCE
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -777,9 +776,6 @@ static inline uint32_t open_flags_to_scap(unsigned long flags)
 
 	if (flags & O_CREAT)
 		res |= PPM_O_CREAT;
-
-	if (flags & O_TMPFILE)
-		res |= PPM_O_TMPFILE;
 
 	if (flags & O_APPEND)
 		res |= PPM_O_APPEND;

diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -2856,7 +2856,6 @@ const filtercheck_field_info sinsp_filter_check_event_fields[] =
 	{PT_CHARBUF, EPF_TABLE_ONLY, PF_NA, "evt.infra.docker.container.id", "for docker infrastructure events, the id of the impacted container."},
 	{PT_CHARBUF, EPF_TABLE_ONLY, PF_NA, "evt.infra.docker.container.name", "for docker infrastructure events, the name of the impacted container."},
 	{PT_CHARBUF, EPF_TABLE_ONLY, PF_NA, "evt.infra.docker.container.image", "for docker infrastructure events, the image name of the impacted container."},
-	{PT_BOOL, EPF_NONE, PF_NA, "evt.is_open_exec", "'true' for open/openat or creat events where a file is created with execute permissions"},
 };
 
 sinsp_filter_check_event::sinsp_filter_check_event()
@@ -4387,19 +4386,17 @@ uint8_t* sinsp_filter_check_event::extract(sinsp_evt *evt, OUT uint32_t* len, bo
 		break;
 	case TYPE_ISOPEN_READ:
 	case TYPE_ISOPEN_WRITE:
-	case TYPE_ISOPEN_EXEC:
 		{
 			uint16_t etype = evt->get_type();
 
 			m_u32val = 0;
-			sinsp_evt_param *parinfo;
-			// If any of the exec bits is on, we consider this an open+exec
-			uint32_t is_exec_mask = (PPM_S_IXUSR | PPM_S_IXGRP | PPM_S_IXOTH);
 
 			if(etype == PPME_SYSCALL_OPEN_X ||
 			   etype == PPME_SYSCALL_OPENAT_E ||
 			   etype == PPME_SYSCALL_OPENAT_2_X)
 			{
+				sinsp_evt_param *parinfo;
+
 				// For both OPEN_X and OPENAT_E,
 				// flags is the 3rd argument.
 				parinfo = evt->get_param(etype == PPME_SYSCALL_OPENAT_2_X ? 3 : 2);
@@ -4420,21 +4417,6 @@ uint8_t* sinsp_filter_check_event::extract(sinsp_evt *evt, OUT uint32_t* len, bo
 				{
 					m_u32val = 1;
 				}
-
-				if(m_field_id == TYPE_ISOPEN_EXEC && ((flags & PPM_O_TMPFILE) || (flags & PPM_O_CREAT)))
-				{
-					parinfo = evt->get_param(etype == PPME_SYSCALL_OPENAT_2_X ? 4 : 3);
-					ASSERT(parinfo->m_len == sizeof(uint32_t));
-					uint32_t mode_bits = *(uint32_t *)parinfo->m_val;
-					m_u32val = (mode_bits & is_exec_mask)? 1 : 0;
-				}
-			}
-			else if ((m_field_id == TYPE_ISOPEN_EXEC) && (etype == PPME_SYSCALL_CREAT_X))
-			{
-				parinfo = evt->get_param(2);
-				ASSERT(parinfo->m_len == sizeof(uint32_t));
-				uint32_t mode_bits = *(uint32_t *)parinfo->m_val;
-				m_u32val = (mode_bits & is_exec_mask)? 1 : 0;
 			}
 
 			RETURN_EXTRACT_VAR(m_u32val);

diff --git a/userspace/libsinsp/filterchecks.h b/userspace/libsinsp/filterchecks.h
@@ -446,7 +446,6 @@ class sinsp_filter_check_event : public sinsp_filter_check
 		TYPE_INFRA_DOCKER_CONTAINER_ID = 64,
 		TYPE_INFRA_DOCKER_CONTAINER_NAME = 65,
 		TYPE_INFRA_DOCKER_CONTAINER_IMAGE = 66,
-		TYPE_ISOPEN_EXEC = 67,
 	};
 
 	sinsp_filter_check_event();