[WIP]: Username for process_exec events

Signed-off-by: Andrey Fedotov <[email protected]>
cilium · Apr 24, 2024 · 5d48ea0 · 5d48ea0
1 parent 2101ea1
commit 5d48ea0
Show file tree

Hide file tree

Showing 13 changed files with 1,363 additions and 1,286 deletions.
diff --git a/api/v1/README.md b/api/v1/README.md
diff --git a/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go b/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go
diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto
@@ -259,6 +259,8 @@ message Process {
     ProcessCredentials process_credentials = 17;
     // Executed binary properties. This field is only available on ProcessExec events.
     BinaryProperties binary_properties = 18;
+    // User name associated with process.
+    string username = 19;
 }
 
 message ProcessExec {

diff --git a/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
diff --git a/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md
diff --git a/pkg/api/processapi/processapi.go b/pkg/api/processapi/processapi.go
@@ -178,6 +178,7 @@ type MsgProcess struct {
 	Ktime      uint64
 	Filename   string
 	Args       string
+	Username   string
 }
 
 type MsgExitInfo struct {

diff --git a/pkg/process/process.go b/pkg/process/process.go
@@ -372,6 +372,7 @@ func initProcessInternalExec(
 			Docker:       containerID,
 			ParentExecId: parentExecID,
 			Refcnt:       0,
+			Username:     process.Username,
 		},
 		capabilities:  apiCaps,
 		apiCreds:      apiCreds,

diff --git a/pkg/sensors/exec/exec.go b/pkg/sensors/exec/exec.go
@@ -7,6 +7,8 @@ import (
 	"bytes"
 	"encoding/binary"
 	"fmt"
+	"os/user"
+	"strconv"
 	"unsafe"
 
 	"github.com/cilium/tetragon/pkg/api"
@@ -18,6 +20,7 @@ import (
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/observer"
 	"github.com/cilium/tetragon/pkg/process"
+	"github.com/cilium/tetragon/pkg/reader/namespace"
 	"github.com/cilium/tetragon/pkg/sensors"
 	"github.com/cilium/tetragon/pkg/sensors/exec/procevents"
 	"github.com/cilium/tetragon/pkg/sensors/program"
@@ -68,7 +71,7 @@ func msgToExecveKubeUnix(m *processapi.MsgExecveEvent, exec_id string, filename
 	return kube
 }
 
-func execParse(reader *bytes.Reader) (processapi.MsgProcess, bool, error) {
+func execParse(reader *bytes.Reader, getUsername bool) (processapi.MsgProcess, bool, error) {
 	proc := processapi.MsgProcess{}
 	exec := processapi.MsgExec{}
 
@@ -89,6 +92,12 @@ func execParse(reader *bytes.Reader) (processapi.MsgProcess, bool, error) {
 	proc.Nlink = exec.Nlink
 	proc.Ino = exec.Ino
 
+	if getUsername {
+		if username, err := user.LookupId(strconv.FormatUint(uint64(proc.UID), 10)); err == nil {
+			proc.Username = username.Name
+		}
+	}
+
 	size := exec.Size - processapi.MSG_SIZEOF_EXECVE
 	if size > processapi.MSG_SIZEOF_BUFFER-processapi.MSG_SIZEOF_EXECVE {
 		err := fmt.Errorf("msg exec size larger than argsbuffer")
@@ -182,7 +191,9 @@ func handleExecve(r *bytes.Reader) ([]observer.Event, error) {
 		return nil, err
 	}
 	msgUnix := msgToExecveUnix(&m)
-	msgUnix.Unix.Process, empty, err = execParse(r)
+	getUsername := namespace.GetCurrentNamespace().Mnt.Inum == msgUnix.Unix.Msg.Namespaces.MntInum &&
+		namespace.GetCurrentNamespace().User.Inum == msgUnix.Unix.Msg.Namespaces.UserInum
+	msgUnix.Unix.Process, empty, err = execParse(r, getUsername)
 	if err != nil && empty {
 		msgUnix.Unix.Process = nopMsgProcess()
 	}

diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go