Merge pull request #43 from vmware/jw-PSCLNX-7520_rename_events

Handle Basic File Rename Events
vmware-archive · Feb 19, 2021 · 0d36c78 · 0d36c78
2 parents c01cdc1 + 3fbe14f
commit 0d36c78
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 3 deletions.
diff --git a/examples/bcc_sample.go b/examples/bcc_sample.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2020 VMware, Inc.
+// Copyright 2020-20201 VMware, Inc.
 // SPDX-License-Identifier: BSD-2-Clause
 //
 
@@ -94,6 +94,11 @@ var allProbes = []probeMeta{
 		PPCbName:    "on_security_inode_unlink",
 		IsKretProbe: false,
 	},
+	probeMeta{
+		PP:          "security_inode_rename",
+		PPCbName:    "on_security_inode_rename",
+		IsKretProbe: false,
+	},
 
 	//# execve and execveat syscalls
 	probeMeta{

diff --git a/examples/bcc_sample.py b/examples/bcc_sample.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright 2020 VMware, Inc.
+# Copyright 2020-2021 VMware, Inc.
 # SPDX-License-Identifier: BSD-2-Clause
 #
 
@@ -586,6 +586,10 @@ def attach_probes(bcc):
 			pp='security_inode_unlink',
 			pp_cb_name='on_security_inode_unlink',
 		),
+		Probe(
+			pp='security_inode_rename',
+			pp_cb_name='on_security_inode_rename',
+		),
 
 		# execve and execveat syscalls
 		Probe(

diff --git a/src/bcc_sensor.c b/src/bcc_sensor.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2020 VMware, Inc.
+ * Copyright 2019-2021 VMware, Inc.
  * SPDX-License-Identifier: GPL-2.0
  */
 
@@ -953,6 +953,57 @@ int on_security_inode_unlink(struct pt_regs *ctx, struct inode *dir,
 	return 0;
 }
 
+int on_security_inode_rename(struct pt_regs *ctx,
+			     struct inode *old_dir, struct dentry *old_dentry,
+			     struct inode *new_dir, struct dentry *new_dentry,
+			     unsigned int flags)
+{
+	struct data_t data = {};
+	struct super_block *sb = NULL;
+	struct inode *inode = NULL;
+
+	sb = _sb_from_dentry(old_dentry);
+	if (!sb) {
+		goto out;
+	}
+
+	if (__is_special_filesystem(sb)) {
+		goto out;
+	}
+
+	__set_key_entry_data(&data, NULL);
+
+	data.state = PP_ENTRY_POINT;
+	data.type = EVENT_FILE_DELETE;
+	bpf_probe_read(&inode, sizeof(inode), &(old_dentry->d_inode));
+	if (inode) {
+		bpf_probe_read(&data.inode, sizeof(data.inode), &inode->i_ino);
+	}
+
+	struct file_data key = { .device = data.device, .inode = data.inode };
+	file_map.delete(&key);
+
+	__set_device_from_sb(&data, sb);
+	events.perf_submit(ctx, &data, sizeof(data));
+	__do_dentry_path(ctx, old_dentry, &data);
+	events.perf_submit(ctx, &data, sizeof(data));
+
+	inode = NULL;
+	data.state = PP_ENTRY_POINT;
+	data.type = EVENT_FILE_CREATE;
+	bpf_probe_read(&inode, sizeof(inode), &(new_dentry->d_inode));
+	if (inode) {
+		bpf_probe_read(&data.inode, sizeof(data.inode), &inode->i_ino);
+	}
+	__set_device_from_sb(&data, sb);
+	events.perf_submit(ctx, &data, sizeof(data));
+	__do_dentry_path(ctx, new_dentry, &data);
+	events.perf_submit(ctx, &data, sizeof(data));
+
+out:
+	return 0;
+}
+
 int on_wake_up_new_task(struct pt_regs *ctx, struct task_struct *task)
 {
 	struct inode *pinode = NULL;