From 9df499f7e2d6cbc29d15ad0c9d1fa4f299335c94 Mon Sep 17 00:00:00 2001 From: chenjingwen Date: Fri, 17 Nov 2023 23:41:46 +0800 Subject: [PATCH] ebpf: enrich process hook Signed-off-by: chenjingwen --- observer_agent/ebpf/ebpf_types.h | 8 +++++ observer_agent/ebpf/fentry.bpf.c | 26 +++++++++++++--- observer_agent/service/ebpf_converter.cpp | 38 ++++++++++++++++++----- 3 files changed, 61 insertions(+), 11 deletions(-) diff --git a/observer_agent/ebpf/ebpf_types.h b/observer_agent/ebpf/ebpf_types.h index 8baa8bf..0ec60b1 100644 --- a/observer_agent/ebpf/ebpf_types.h +++ b/observer_agent/ebpf/ebpf_types.h @@ -32,6 +32,14 @@ struct process_info { unsigned new_uid; unsigned new_gid; + unsigned umask; + unsigned tracer_pid; + unsigned long cgroup_ns; + unsigned long ipc_ns; + unsigned long mnt_ns; + unsigned long user_ns; + unsigned long uts_ns; + unsigned long time_ns; }; struct { diff --git a/observer_agent/ebpf/fentry.bpf.c b/observer_agent/ebpf/fentry.bpf.c index f8b8b87..acb1237 100644 --- a/observer_agent/ebpf/fentry.bpf.c +++ b/observer_agent/ebpf/fentry.bpf.c @@ -81,6 +81,18 @@ static struct pid_namespace *pid_ns(struct task_struct *task) return BPF_CORE_READ(pid, numbers[0].ns); } +static void get_namespace(struct ebpf_event *e) +{ + struct task_struct *task = (struct task_struct *)bpf_get_current_task(); + + e->process_info.cgroup_ns = BPF_CORE_READ(task, nsproxy, cgroup_ns, ns.inum); + e->process_info.ipc_ns = BPF_CORE_READ(task, nsproxy, ipc_ns, ns.inum); + e->process_info.mnt_ns = BPF_CORE_READ(task, nsproxy, mnt_ns, ns.inum); + e->process_info.user_ns = BPF_CORE_READ(task, cred, user_ns, ns.inum); + e->process_info.uts_ns = BPF_CORE_READ(task, nsproxy, uts_ns, ns.inum); + e->process_info.time_ns = BPF_CORE_READ(task, nsproxy, time_ns, ns.inum); +} + static void get_common_info(struct ebpf_event *e) { struct task_struct *parent = NULL; 
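Review bot: The namespace fields added to `struct process_info` are `unsigned long`, but this struct is the ring-buffer record shared between the BPF program and the user-space agent, so its layout should be built from fixed-width types. In current kernels `ns_common.inum` is a 32-bit `unsigned int`, so `unsigned long` is wider than needed, and its size differs between the BPF target (always 64-bit) and any 32-bit build of the consumer, which would silently shift every field that follows. Declaring them as `__u32 cgroup_ns;` (and likewise `__u32 umask;`, `__u32 tracer_pid;`) keeps the record size identical on both sides. The enclosing struct begins outside the hunk.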
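Review bot: `get_namespace` reads `nsproxy->time_ns` unconditionally, but that member only exists on kernels built with time namespaces (introduced in 5.6 behind `CONFIG_TIME_NS`), and a CO-RE relocation against a missing field is poisoned at load time, so the whole object would fail to load on an older or differently configured kernel. Guard it so the read becomes dead code where the field is absent: `struct nsproxy *nsp = BPF_CORE_READ(task, nsproxy); if (bpf_core_field_exists(nsp->time_ns)) e->process_info.time_ns = BPF_CORE_READ(nsp, time_ns, ns.inum); else e->process_info.time_ns = 0;`. Also worth a comment on the function: `BPF_CORE_READ` yields 0 when any pointer in the chain is NULL (e.g. `nsproxy` of a task that has already passed `exit_task_namespaces`), so consumers must treat an inum of 0 as "unknown", not as a real namespace. `get_common_info`, which follows, has its body outside this hunk.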
@@ -106,6 +118,14 @@ static void get_common_info(struct ebpf_event *e) e->root_pns = BPF_CORE_READ(pid_ns(find_init_task()), ns.inum); BPF_CORE_READ_INTO(&e->pcomm, parent, real_parent, comm); BPF_CORE_READ_INTO(&e->nodename, task, nsproxy, uts_ns, name.nodename); + + e->process_info.umask = BPF_CORE_READ(task, fs, umask); + if (BPF_CORE_READ(task, ptrace)) + e->process_info.tracer_pid = BPF_CORE_READ(task, parent, pid); + else + e->process_info.tracer_pid = 0; + + get_namespace(e); } SEC("tp/sched/sched_process_exec") @@ -126,11 +146,10 @@ int handle_exec(struct trace_event_raw_sched_process_exec *ctx) return 0; } -SEC("tp/sched/sched_process_exit") -int handle_exit(void) +SEC("fentry/do_exit") +int BPF_PROG(handle_exit, long exit_code) { struct ebpf_event *e = NULL; - u32 exit_code = 0; RETURN_ZERO_IF_OURSELF(); e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0); @@ -140,7 +159,6 @@ int handle_exit(void) get_common_info(e); e->type = DESTROYPROCESS; __builtin_memcpy(e->event_name, "sched_process_exit", sizeof("sched_process_exit")); - exit_code = BPF_CORE_READ((struct task_struct *)bpf_get_current_task(), exit_code); e->process_info.exit_code = (exit_code >> 8) & 0xff; bpf_ringbuf_submit(e, 0); return 0; diff --git a/observer_agent/service/ebpf_converter.cpp b/observer_agent/service/ebpf_converter.cpp index 9506099..c5b939d 100644 --- a/observer_agent/service/ebpf_converter.cpp +++ b/observer_agent/service/ebpf_converter.cpp 
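Review bot: `tracer_pid` is taken from `task->parent->pid`, which is the tracer's global (root pid-namespace) PID, while the helpers around this code (`pid_ns`, `root_pns`) suggest the rest of the record is pid-namespace aware, so a consumer inside a container may be unable to match `tracer_pid` against the other PIDs in the event. If the other PIDs are namespace-relative, derive the tracer's PID the same way; if they are global, state it where the value is filled in, e.g. `/* tracer_pid: global (init pid ns) pid of the ptrace parent; 0 when not traced */`. `get_common_info` starts outside this hunk.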
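Review bot: `(exit_code >> 8) & 0xff` keeps only the normal-exit status byte of `do_exit`'s argument, so a process terminated by a signal — in which case, as I read the signal path, `do_group_exit` is called with the signal number in the low bits (and `0x80` set when a core was dumped) — is reported as exit_code 0, hiding exactly the deaths (SIGKILL, SIGSEGV) a security observer wants to see. Keep the low byte as well, e.g. add a field and set `e->process_info.exit_signal = exit_code & 0x7f;` next to the existing line, or store the raw value and decode it in the converter. Two smaller points: `fentry/do_exit` needs BTF and trampoline support on the target kernel and architecture, whereas the replaced tracepoint worked wherever tracepoints exist, so the kernel requirement should be documented; and `event_name` still says "sched_process_exit" although the hook is now `do_exit`. `handle_exit`'s body continues into the next hunk.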
@@ -52,27 +52,51 @@ static std::string extract_common_info(struct ebpf_event *e) return ss.str(); } +static std::string extract_common_process_info(struct ebpf_event *e) +{ + std::ostringstream ss; + char umask_str[32] = { 0 }; + + snprintf(umask_str, sizeof(umask_str), "%#04o", e->process_info.umask); + ss << " umask:" << umask_str << " tracer_pid:" << e->process_info.tracer_pid; + + /* read all namespace */ + ss << " cgroup_ns:" << e->process_info.cgroup_ns; + ss << " ipc_ns:" << e->process_info.ipc_ns; + ss << " mnt_ns:" << e->process_info.mnt_ns; + ss << " user_ns:" << e->process_info.user_ns; + ss << " uts_ns:" << e->process_info.uts_ns; + ss << " time_ns:" << e->process_info.time_ns; + + return ss.str(); +} + + static std::string convert_set_process_attr(struct ebpf_event *e) { std::ostringstream ss; - ss << extract_common_info(e) << " new_uid:" << e->process_info.new_uid << " new_gid:" << e->process_info.new_gid; + ss << extract_common_info(e) << extract_common_process_info(e) << + " new_uid:" << e->process_info.new_uid << " new_gid:" << e->process_info.new_gid; return ss.str(); } static std::string convert_creat_process(struct ebpf_event *e) { - std::string text = extract_common_info(e); + std::ostringstream ss; + + ss << extract_common_info(e) << extract_common_process_info(e); if (e->process_info.have_bprm) - { - text = text + " bprm_file:" + e->process_info.bprm_file; - } + ss << " bprm_file:" << e->process_info.bprm_file; - return text; + return ss.str(); } static std::string convert_destroy_process(struct ebpf_event *e) { - return extract_common_info(e); + std::ostringstream ss; + + ss << extract_common_info(e) << extract_common_process_info(e) << " exit_code:" << e->process_info.exit_code; + return ss.str(); } static std::string convert_common_file(struct ebpf_event *e) -- Gitee
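Review bot: `bprm_file` is appended to the record unquoted, and its value is a path chosen by whoever ran the program, so a file name containing a space followed by `key:` text (e.g. `a exit_code:0`) forges fields in this space-delimited, `key:value` log line; this is pre-existing rather than introduced here, but the hunk rewrites `convert_creat_process`, so it is the place to fix it (other user-controlled strings are emitted by `extract_common_info`, whose body is outside the hunk). Quote the value and escape quotes, backslashes and control characters before appending, as sketched below, or switch the record to JSON; the sketch assumes `bprm_file` is NUL-terminated in the event, which the header does not show here. Separately, the new helpers could take `const struct ebpf_event *` since none of them modifies the event.
```cpp
/* Escape a user-controlled string so it cannot inject " key:value" fields into the record. */
static std::string escape_field(const char *s)
{
    std::string out;

    for (; *s; ++s) {
        const unsigned char c = static_cast<unsigned char>(*s);

        if (c == '"' || c == '\\') {
            out += '\\';
            out += *s;
        } else if (c < 0x20) {
            char buf[8];
            snprintf(buf, sizeof(buf), "\\x%02x", c);
            out += buf;
        } else {
            out += *s;
        }
    }
    return out;
}

// … unchanged: extract_common_process_info, convert_set_process_attr …

    if (e->process_info.have_bprm)
        ss << " bprm_file:\"" << escape_field(e->process_info.bprm_file) << '"';
```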