

new(driver-kmod): add exe ino, ctime, mtime, pidns start ts
Signed-off-by: Melissa Kilby <[email protected]>
incertum committed Sep 23, 2022
1 parent 957c4c7 commit a5510e7
Showing 1 changed file with 103 additions and 4 deletions.
107 changes: 103 additions & 4 deletions driver/ppm_fillers.c
Expand Up @@ -815,6 +815,7 @@ int f_proc_startupdate(struct event_filler_arguments *args)
long swap = 0;
int available = STR_STORAGE_SIZE;
const struct cred *cred;
struct file *exe_file = NULL;

#ifdef __NR_clone3
struct clone_args cl_args;
Expand Down Expand Up @@ -1074,6 +1075,7 @@ int f_proc_startupdate(struct event_filler_arguments *args)
int64_t in_pidns = 0;
#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
struct pid_namespace *pidns = task_active_pid_ns(current);
struct task_struct *child_reaper;
#endif

/*
Expand Down Expand Up @@ -1154,6 +1156,26 @@ int f_proc_startupdate(struct event_filler_arguments *args)
if (unlikely(res != PPM_SUCCESS))
return res;

/*
* pid_namespace init task start_time monotonic time in ns
*/
#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
if (pidns)
{
child_reaper = pidns->child_reaper;
if (child_reaper)
{
val = child_reaper->start_time;
}
}
res = val_to_ring(args, val, 0, false, 0);
#else
/* Not relevant in old kernels */
res = val_to_ring(args, 0, 0, false, 0);
#endif
if (unlikely(res != PPM_SUCCESS))
return res;

} else if (args->event_type == PPME_SYSCALL_EXECVE_19_X ||
args->event_type == PPME_SYSCALL_EXECVEAT_X) {
/*
Expand All @@ -1162,7 +1184,6 @@ int f_proc_startupdate(struct event_filler_arguments *args)
long env_len = 0;
int tty_nr = 0;
bool exe_writable = false;
struct file *exe_file = NULL;
uint32_t flags = 0; // execve additional flags

if (likely(retval >= 0)) {
Expand Down Expand Up @@ -1289,12 +1310,12 @@ int f_proc_startupdate(struct event_filler_arguments *args)
if (unlikely(res != PPM_SUCCESS))
return res;

/*
* capabilities
*/
if(args->event_type == PPME_SYSCALL_EXECVE_19_X ||
args->event_type == PPME_SYSCALL_EXECVEAT_X)
{
/*
* capabilities
*/
cred = get_current_cred();

val = ((uint64_t)cred->cap_inheritable.cap[1] << 32) | cred->cap_inheritable.cap[0];
Expand All @@ -1313,11 +1334,53 @@ int f_proc_startupdate(struct event_filler_arguments *args)
goto out;

put_cred(cred);

/*
* exe ino fields
*/
exe_file = ppm_get_mm_exe_file(mm);

if (exe_file) {
if (file_inode(exe_file)) {

/*
* exe ino
*/
val = file_inode(exe_file)->i_ino;
res = val_to_ring(args, val, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
goto exe_file_out;

/*
* exe_file ctime (last status change time, epoch value in nanoseconds)
*/
val = file_inode(exe_file)->i_ctime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_ctime.tv_nsec;
res = val_to_ring(args, val, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
goto exe_file_out;

/*
* exe_file mtime (last modification time, epoch value in nanoseconds)
*/
val = file_inode(exe_file)->i_mtime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_mtime.tv_nsec;
res = val_to_ring(args, val, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
goto exe_file_out;

}
}

fput(exe_file);

}
}

return add_sentinel(args);

exe_file_out:
fput(exe_file);
return res;

out:
put_cred(cred);
return res;
Expand Down Expand Up @@ -6755,8 +6818,44 @@ int f_sched_prog_exec(struct event_filler_arguments *args)
}

put_cred(cred);

/*
* exe ino fields
*/
exe_file = ppm_get_mm_exe_file(mm);

if (exe_file) {
if (file_inode(exe_file)) {

/* Parameter 24: exe_file ino (type: PT_UINT64) */
val = file_inode(exe_file)->i_ino;
res = val_to_ring(args, val, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
goto exe_file_out;

/* Parameter 25: exe_file ctime (last status change time, epoch value in nanoseconds) (type: PT_ABSTIME) */
val = file_inode(exe_file)->i_ctime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_ctime.tv_nsec;
res = val_to_ring(args, val, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
goto exe_file_out;

/* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
val = file_inode(exe_file)->i_mtime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_mtime.tv_nsec;
res = val_to_ring(args, val, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
goto exe_file_out;

}
}

fput(exe_file);

return add_sentinel(args);

exe_file_out:
fput(exe_file);
return res;

out:
put_cred(cred);
return res;
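Review bot: In the exe-ino block added to f_proc_startupdate (`exe_file = ppm_get_mm_exe_file(mm);` through `fput(exe_file);`), the `fput(exe_file)` sits outside the `if (exe_file)` guard, so when `ppm_get_mm_exe_file()` returns NULL the driver calls `fput(NULL)` and dereferences a null `struct file` in kernel context; in that same case none of the three new ino/ctime/mtime parameters is pushed, so the event presumably carries fewer arguments than its table entry declares and the filler output no longer lines up with the ring layout. The identical shape is repeated in the f_sched_prog_exec hunk at the bottom of the section. I would move the `fput()` inside the non-NULL branch and emit the three parameters as 0 when there is no executable inode, as sketched below, which also leaves `exe_file_out:` serving only the path where the file reference is really held. f_proc_startupdate opens before this hunk and its closing brace lies after it.
```c
	/*
	 * exe ino fields
	 */
	exe_file = ppm_get_mm_exe_file(mm);

	if (exe_file && file_inode(exe_file)) {
		/* … unchanged: exe ino, ctime and mtime val_to_ring calls (goto exe_file_out on failure) … */
		fput(exe_file);
	} else {
		/*
		 * No executable inode to report: still emit the three
		 * parameters (as 0) so the filler's argument count is right.
		 */
		if (exe_file)
			fput(exe_file);
		res = val_to_ring(args, 0, 0, false, 0);
		if (unlikely(res != PPM_SUCCESS))
			return res;
		res = val_to_ring(args, 0, 0, false, 0);
		if (unlikely(res != PPM_SUCCESS))
			return res;
		res = val_to_ring(args, 0, 0, false, 0);
		if (unlikely(res != PPM_SUCCESS))
			return res;
	}
```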

