Add new filter for open+create/create with exec permissions (draios#1637)

omerazr · web-flow · commit 93a0bbb42c52 · 2020-05-21T19:31:11.000-07:00
* Add new filter for open/create with exec permissions
diff --git a/driver/flags_table.c b/driver/flags_table.c
@@ -69,6 +69,7 @@ const struct ppm_name_value file_flags[] = {
 	{"O_RDONLY", PPM_O_RDONLY},
 	{"O_CLOEXEC", PPM_O_CLOEXEC},
 	{"O_NONE", PPM_O_NONE},
+	{"O_TMPFILE", PPM_O_TMPFILE},
 	{0, 0},
 };
 
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -98,6 +98,7 @@ or GPL2.txt for full copies of the license.
 #define PPM_O_DIRECTORY (1 << 10)
 #define PPM_O_LARGEFILE (1 << 11)
 #define PPM_O_CLOEXEC	(1 << 12)
+#define PPM_O_TMPFILE	(1 << 13)
 
 /*
  * File modes
diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h
@@ -9,10 +9,10 @@ or GPL2.txt for full copies of the license.
 
 #ifndef PPM_FLAG_HELPERS_H_
 #define PPM_FLAG_HELPERS_H_
+#define _GNU_SOURCE
 #include <linux/mman.h>
 #include <linux/futex.h>
 #include <linux/ptrace.h>
-
 #include "ppm.h"
 
 #define PPM_MS_MGC_MSK 0xffff0000
@@ -37,6 +37,9 @@ static __always_inline uint32_t open_flags_to_scap(unsigned long flags)
 	if (flags & O_CREAT)
 		res |= PPM_O_CREAT;
 
+    if (flags & O_TMPFILE)
+		res |= PPM_O_TMPFILE;
+
 	if (flags & O_APPEND)
 		res |= PPM_O_APPEND;
 
diff --git a/userspace/libscap/scap_fds.c b/userspace/libscap/scap_fds.c
@@ -16,6 +16,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 
 */
+#define _GNU_SOURCE
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -776,6 +777,9 @@ static inline uint32_t open_flags_to_scap(unsigned long flags)
 
 	if (flags & O_CREAT)
 		res |= PPM_O_CREAT;
+	
+	if (flags & O_TMPFILE)
+		res |= PPM_O_TMPFILE;
 
 	if (flags & O_APPEND)
 		res |= PPM_O_APPEND;
diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -2856,6 +2856,7 @@ const filtercheck_field_info sinsp_filter_check_event_fields[] =
 	{PT_CHARBUF, EPF_TABLE_ONLY, PF_NA, "evt.infra.docker.container.id", "for docker infrastructure events, the id of the impacted container."},
 	{PT_CHARBUF, EPF_TABLE_ONLY, PF_NA, "evt.infra.docker.container.name", "for docker infrastructure events, the name of the impacted container."},
 	{PT_CHARBUF, EPF_TABLE_ONLY, PF_NA, "evt.infra.docker.container.image", "for docker infrastructure events, the image name of the impacted container."},
+	{PT_BOOL, EPF_NONE, PF_NA, "evt.is_open_exec", "'true' for open/openat or creat events where a file is created with execute permissions"},
 };
 
 sinsp_filter_check_event::sinsp_filter_check_event()
@@ -4386,17 +4387,19 @@ uint8_t* sinsp_filter_check_event::extract(sinsp_evt *evt, OUT uint32_t* len, bo
 		break;
 	case TYPE_ISOPEN_READ:
 	case TYPE_ISOPEN_WRITE:
+	case TYPE_ISOPEN_EXEC:
 		{
 			uint16_t etype = evt->get_type();
 
 			m_u32val = 0;
+			sinsp_evt_param *parinfo;
+			// If any of the exec bits is on, we consider this an open+exec
+			uint32_t is_exec_mask = (PPM_S_IXUSR | PPM_S_IXGRP | PPM_S_IXOTH);
 
 			if(etype == PPME_SYSCALL_OPEN_X ||
 			   etype == PPME_SYSCALL_OPENAT_E ||
 			   etype == PPME_SYSCALL_OPENAT_2_X)
 			{
-				sinsp_evt_param *parinfo;
-
 				// For both OPEN_X and OPENAT_E,
 				// flags is the 3rd argument.
 				parinfo = evt->get_param(etype == PPME_SYSCALL_OPENAT_2_X ? 3 : 2);
@@ -4417,6 +4420,21 @@ uint8_t* sinsp_filter_check_event::extract(sinsp_evt *evt, OUT uint32_t* len, bo
 				{
 					m_u32val = 1;
 				}
+				
+				if(m_field_id == TYPE_ISOPEN_EXEC && ((flags & PPM_O_TMPFILE) || (flags & PPM_O_CREAT)))
+				{
+					parinfo = evt->get_param(etype == PPME_SYSCALL_OPENAT_2_X ? 4 : 3);
+					ASSERT(parinfo->m_len == sizeof(uint32_t));
+					uint32_t mode_bits = *(uint32_t *)parinfo->m_val;
+					m_u32val = (mode_bits & is_exec_mask)? 1 : 0;
+				}
+			}
+			else if ((m_field_id == TYPE_ISOPEN_EXEC) && (etype == PPME_SYSCALL_CREAT_X))
+			{
+				parinfo = evt->get_param(2);
+				ASSERT(parinfo->m_len == sizeof(uint32_t));
+				uint32_t mode_bits = *(uint32_t *)parinfo->m_val;
+				m_u32val = (mode_bits & is_exec_mask)? 1 : 0;
 			}
 
 			RETURN_EXTRACT_VAR(m_u32val);
diff --git a/userspace/libsinsp/filterchecks.h b/userspace/libsinsp/filterchecks.h
@@ -446,6 +446,7 @@ class sinsp_filter_check_event : public sinsp_filter_check
 		TYPE_INFRA_DOCKER_CONTAINER_ID = 64,
 		TYPE_INFRA_DOCKER_CONTAINER_NAME = 65,
 		TYPE_INFRA_DOCKER_CONTAINER_IMAGE = 66,
+		TYPE_ISOPEN_EXEC = 67,
 	};
 
 	sinsp_filter_check_event();
