From d26a0fd5ac8734641fc3fd0caea0ae8b8c65f233 Mon Sep 17 00:00:00 2001
From: yuelg
Date: Tue, 5 Nov 2024 09:59:25 +0000
Subject: [PATCH 1/2] upgrade to go 1.21

Signed-off-by: yuelg
---
 go.mod | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index dfa7fe1..b55aacc 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,8 @@
 module culinux
 
-go 1.17
+go 1.21
+
+toolchain go1.21.4
 
 require (
 github.com/aquasecurity/libbpfgo v0.4.6-libbpf-1.1.0
-- 
Gitee
From bf5bf5b868ab1344c89bb43c2632c583db56201e Mon Sep 17 00:00:00 2001
From: yuelg
Date: Tue, 5 Nov 2024 10:04:39 +0000
Subject: [PATCH 2/2] mount audit ships with module tag

Signed-off-by: yuelg
---
 pkg/audit/fileaccess/manager.go | 4 +++-
 pkg/audit/mount/audit.go | 5 ++++-
 pkg/log/logger.go | 2 ++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/pkg/audit/fileaccess/manager.go b/pkg/audit/fileaccess/manager.go
index 80d0996..2047fb5 100644
--- a/pkg/audit/fileaccess/manager.go
+++ b/pkg/audit/fileaccess/manager.go
@@ -51,7 +51,9 @@ func (m *Manager) Attach() error {
 "restricted_path_unlink",
 "restricted_path_rmdir",
 "restricted_path_rename",
-"restricted_file_receive"} { //, "restricted_mmap_file", "restricted_file_ioctl"} {
+"restricted_file_receive"} {
+//"restricted_mmap_file",
+//"restricted_file_ioctl"
 prog, err := m.mod.GetProgram(prog_name)
 if err != nil {
 return err
diff --git a/pkg/audit/mount/audit.go b/pkg/audit/mount/audit.go
index e4d268f..39b9356 100644
--- a/pkg/audit/mount/audit.go
+++ b/pkg/audit/mount/audit.go
@@ -21,16 +21,18 @@ import (
 const (
 BPF_OBJECT_NAME = "restricted-mount"
-BPF_PROGRAM_NAME = "restricted_mount"
+MODULE = "module"
 NEW_UTS_LEN = 64
 TASK_COMM_LEN = 16
 PATH_MAX = 255
 )
+var BPF_PROGRAM_NAME []string = []string{"restricted_mount", "restricted_move_mount"}
 type auditLog struct {
 CGroupID uint64
 PID uint32
+UID uint32
 Ret int32
 Nodename [NEW_UTS_LEN + 1]byte
 Command [TASK_COMM_LEN]byte
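Review bot: The two commented-out program names now sit inside the for body, at the top of the loop, where they read as loop work rather than as the alternative list of hooks they are, and the hunk still gives no reason why `restricted_mmap_file` and `restricted_file_ioctl` are not attached. A hook that is not attached is a gap in what the file-access audit observes, so the reason belongs in a comment above the slice rather than as bare strings in the loop, for example `// restricted_mmap_file and restricted_file_ioctl are intentionally not attached: <reason — to be filled in by maintainers>`. If the exclusion is temporary, a TODO naming the tracking item would keep the coverage gap visible. Attach's body begins and ends outside the hunk.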
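Review bot: Inserting `UID uint32` between `PID` and `Ret` in `auditLog` changes the byte layout of the record, and the fixed-size `Nodename`/`Command` arrays suggest this struct is decoded directly from the kernel-side event; unless the BPF C struct gained the same field at the same offset (not visible in this patch), `Ret`, `Nodename` and `Command` will be read from the wrong offsets and audit entries will silently carry wrong action/host/command values. A comment tying the two definitions together would help, e.g. `// Field order and types must mirror the event struct emitted by the restricted-mount BPF object.` Separately, `BPF_PROGRAM_NAME` goes from a `const` string to an exported, mutable package-level slice under the old singular name; `var bpfProgramNames = []string{"restricted_mount", "restricted_move_mount"}` (or an `[...]string` array) would stop other packages from changing which programs get attached and would name it as the list it now is. The tag value `MODULE = "module"` also carries no information about which audit produced the event; if the commit's intent is to label mount audit records, `"mount"` looks like the intended value.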
@@ -112,6 +114,7 @@ func RunAudit(ctx context.Context, wg *sync.WaitGroup, conf *config.Config) erro
 func newAuditLog(event auditLog) log.RestrictedMountLog {
 auditEvent := log.AuditEventLog{
+Module: MODULE,
 Action: retToaction(event.Ret),
 Hostname: helpers.NodenameToString(event.Nodename),
 PID: event.PID,
diff --git a/pkg/log/logger.go b/pkg/log/logger.go
index 8df37af..fb93d52 100644
--- a/pkg/log/logger.go
+++ b/pkg/log/logger.go
@@ -113,6 +113,7 @@ type LogLabels struct {
 }
 
 type AuditEventLog struct {
+Module string
 Action string
 Hostname string
 PID uint32
@@ -180,6 +181,7 @@ func (l *RestrictedFileAccessLog) Info() {
 func (l *RestrictedMountLog) Info() {
 Logger.WithFields(logrus.Fields{
+"Module": l.Module,
 "Action": l.Action,
 "Hostname": l.Hostname,
 "PID": l.PID,
-- 
Gitee
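Review bot: `newAuditLog` now sets `Module` but does not carry `event.UID` into the log record, so the UID that the decoder in pkg/audit/mount/audit.go was extended to read in this same commit is dropped before it reaches the audit stream; for a mount audit the acting user is the field a responder most needs for attribution. Propagating it takes a `UID` field on `log.AuditEventLog`, its emission in `RestrictedMountLog.Info()`, and `UID: event.UID,` here; if that is planned as a follow-up, a `// TODO: emit event.UID once AuditEventLog carries it` at the literal would make the gap explicit. newAuditLog's body continues outside the hunk.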
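Review bot: `Module` is added to `AuditEventLog` without a doc comment, and the struct appears to serve more than one audit (the @@ -180 context shows a `RestrictedFileAccessLog.Info()` beside the mount one) while only `RestrictedMountLog.Info()` emits the `"Module"` key; any other logger built on this struct will leave the field empty, so consumers filtering or routing the audit stream on `Module` cannot rely on the key being present. A comment stating the contract would make this explicit, e.g. `// Module names the audit subsystem that produced the event (e.g. mount); producers that do not set it leave it empty.` Ideally every producer sets it so detection rules keyed on the tag see a uniform field across audits.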