From 5003f1391bb9a27d574118993f6e5323a60d5da2 Mon Sep 17 00:00:00 2001
From: Mahe Tardy
Date: Tue, 2 Jul 2024 19:39:58 +0200
Subject: [PATCH 1/2] pkg/sensors: fix binprm matchArgs test

The test was broken in two ways:
- First it was using the "In" operator with MatchArgs, which does not exist. "Equal" should be used. It can be confusing because MatchBinaries uses "In". It bypasses validation since it provided the Go object without using the YAML unmarshalling.
- Secondly, it was only checking that the event existed without checking that the filtering actually happened. We can check the "lack" of event in addition to the presence of it thanks to the way this test is written, using the perfring.RunTestEvents.

This test should have detected the issue fixed by the following patch.

Signed-off-by: Mahe Tardy
---
 pkg/sensors/tracing/kprobe_test.go | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go
index 0bc60b81452..9cddc965d60 100644
--- a/pkg/sensors/tracing/kprobe_test.go
+++ b/pkg/sensors/tracing/kprobe_test.go
@@ -6028,7 +6028,7 @@ func TestLinuxBinprmExtractPath(t *testing.T) {
 {
 MatchArgs: []v1alpha1.ArgSelector{
 {
- Operator: "In",
+ Operator: "Equal",
 Index: 0,
 Values: []string{"/usr/bin/id"},
 },
@@ -6043,24 +6043,36 @@ func TestLinuxBinprmExtractPath(t *testing.T) {
 err := sm.Manager.AddTracingPolicy(ctx, &bprmTracingPolicy)
 assert.NoError(t, err)
- command := exec.Command("/usr/bin/id")
+ targetCommand := exec.Command("/usr/bin/id")
+ filteredCommand := exec.Command("/usr/bin/uname")
 ops := func() {
- err = command.Start()
+ err = targetCommand.Start()
+ assert.NoError(t, err)
+ err = filteredCommand.Start()
 assert.NoError(t, err)
- defer command.Process.Kill()
+ defer targetCommand.Process.Kill()
+ defer filteredCommand.Process.Kill()
 }
 events := perfring.RunTestEvents(t, ctx, ops)
+ wantedEventExist := false
 for _, ev := range events {
 if kprobe, ok := ev.(*tracing.MsgGenericKprobeUnix); ok {
- if int(kprobe.Msg.ProcessKey.Pid) == command.Process.Pid && kprobe.FuncName == "security_bprm_check" {
- return
+ if int(kprobe.Msg.ProcessKey.Pid) == targetCommand.Process.Pid {
+ wantedEventExist = true
+ continue
+ }
+ if int(kprobe.Msg.ProcessKey.Pid) == filteredCommand.Process.Pid {
+ t.Error("kprobe event triggered by /usr/bin/uname should be filtered by the matchArgs selector")
+ break
 }
 }
 }
- t.Error("bprm error")
+ if !wantedEventExist {
+ t.Error("kprobe event triggered by /usr/bin/id should be present, unfiltered by the matchArgs selector")
+ }
 }
 // Test module loading/unloading on Ubuntu
From d36c6bb606039082bdea5a32d5d5dea313849c82 Mon Sep 17 00:00:00 2001
From: Andrei Fedotov
Date: Tue, 2 Jul 2024 19:10:50 +0300
Subject: [PATCH 2/2] bpf: fix missed linux_binprm_type in selector_arg_offset function

Signed-off-by: Andrei Fedotov
---
 bpf/process/types/basic.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
index acb78562a2f..74a0d44c849 100644
--- a/bpf/process/types/basic.h
+++ b/bpf/process/types/basic.h
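Review bot: If either `Start()` inside `ops` fails, `assert.NoError` only records the failure and the closure keeps going, so the corresponding `Process` field is still nil when the deferred `Kill()` runs and the clear assertion failure becomes a nil-pointer panic; the second `Start()` added here doubles that exposure, and the later `targetCommand.Process.Pid` / `filteredCommand.Process.Pid` reads have the same problem. Returning from the closure on failure avoids it: `if !assert.NoError(t, targetCommand.Start()) { return }` and likewise for `filteredCommand`, with the two `defer ... Kill()` lines placed after both checks. The loop also drops the former `kprobe.FuncName == "security_bprm_check"` condition, so any kprobe event carrying the target PID now satisfies `wantedEventExist`; if the policy added above registers only that hook this is fine, but a one-line comment stating that assumption would keep the check honest. `/usr/bin/uname` is presumably present on the test runners, but that is an environmental assumption the test now depends on. The enclosing test function starts outside the hunk.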
@@ -1686,6 +1686,9 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx,
 args += 4;
 case file_ty:
 case path_ty:
+#ifdef __LARGE_BPF_PROG
+ case linux_binprm_type:
+#endif
 pass &= filter_file_buf(filter, (struct string_buf *)args);
 break;
 case string_type:
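Review bot: The new `case linux_binprm_type:` is compiled only under `__LARGE_BPF_PROG`, and neither the hunk nor the commit message says why or what a binprm argument does on the other build; as far as the hunk shows, it would leave the switch through an unseen branch after `case string_type:`, so a matchArgs selector on that argument type may be accepted by the loader but never evaluated there. Since this switch is where the selector is enforced, that gap belongs next to the ifdef, e.g. `/* linux_binprm matchArgs filtering is only evaluated in the large-program variant; on other builds the selector is not applied to this type */` (adjusted to the actual fallback, and noting if the enum value itself exists only on that build). If the fallback really is "not applied", the policy loader should ideally reject such selectors on small-program builds rather than load them unfiltered. The enclosing `selector_arg_offset` begins and ends outside the hunk.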