on aarch64 send exec events directly to userspace

gustavo-iniguez-goya · gustavo-iniguez-goya · commit d2d89e23592a · 2024-01-26T21:10:56.000+01:00
On 68c2c8a we excluded failed execve* calls from being delivered to userspace, in order to get the binary that was executed and avoid errors/confusion. But on aarch64, it seems that we fail to save the exec event to a map, so the event is never delivered to userspace. So for the time being, send the exec events as soon as they arrive on aarch64, without checking if the call failed. (cherry picked from commit c118058)
diff --git a/ebpf_prog/opensnitch-procs.c b/ebpf_prog/opensnitch-procs.c
@@ -123,6 +123,10 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
     }
 #endif
 
+// FIXME: on aarch64 we fail to save the event to execMap, so send it to userspace here.
+#if defined(__aarch64__)
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
+#else
     // in case of failure adding the item to the map, send it directly
     u64 pid_tgid = bpf_get_current_pid_tgid();
 	if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) {
@@ -132,6 +136,7 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
         // Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors
         bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
     }
+#endif
 
     return 0;
 };
@@ -154,6 +159,9 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
     const char *argp={0};
     data->args_count = 0;
     data->args_partial = INCOMPLETE_ARGS;
+
+// FIXME: on i386 arch, the following code fails with permission denied.
+#if !defined(__arm__) && !defined(__i386__)
     #pragma unroll
     for (int i = 0; i < MAX_ARGS; i++) {
         bpf_probe_read_user(&argp, sizeof(argp), &ctx->argv[i]);
@@ -164,7 +172,12 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
         }
         data->args_count++;
     }
+#endif
 
+// FIXME: on aarch64 we fail to save the event to execMap, so send it to userspace here.
+#if defined(__aarch64__)
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
+#else
     // in case of failure adding the item to the map, send it directly
     u64 pid_tgid = bpf_get_current_pid_tgid();
 	if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) {
@@ -174,6 +187,7 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
         // Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors
         bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
     }
+#endif
 
     return 0;
 };
