agent: Collect build ID of the instrumented shared libraries

It would be useful to know from which crypto library an auditing event is generated. eBPF provides a facility to do this through the .note.gnu.build-id obtained through bpf_get_stack helper. This patch propagates this information from the agent to the log-parser. Signed-off-by: Daiki Ueno <[email protected]>
latchset · Aug 8, 2023 · 11063f3 · 11063f3
1 parent 1d7a2bc
commit 11063f3
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 2 deletions.
diff --git a/agent/src/bpf/audit.bpf.c b/agent/src/bpf/audit.bpf.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 
 #include "vmlinux.h"
+#include <bpf/bpf_core_read.h>
 #include <bpf/usdt.bpf.h>
 #include "audit.h"
 
@@ -37,6 +38,13 @@ record_new_context (struct pt_regs *ctx)
   if (err < 0)
     return err;
 
+  unsigned char buf[sizeof(struct bpf_stack_build_id) + MAX_BUILD_ID_SIZE];
+  struct bpf_stack_build_id *build_id = (struct bpf_stack_build_id *)buf;
+  err = bpf_get_stack (ctx, buf, bpf_core_type_size(struct bpf_stack_build_id),
+		       BPF_F_USER_STACK | BPF_F_USER_BUILD_ID);
+  if (err < 0)
+    return err;
+
   struct audit_new_context_event_st *event =
     bpf_ringbuf_reserve (&ringbuf,
 			 sizeof(struct audit_new_context_event_st),
@@ -50,6 +58,12 @@ record_new_context (struct pt_regs *ctx)
 			 context);
   event->parent = parent;
 
+  if (BPF_CORE_READ_BITFIELD(build_id, status) & BPF_STACK_BUILD_ID_VALID)
+    {
+      event->origin_size = bpf_core_field_size (build_id->build_id);
+      bpf_core_read (event->origin, event->origin_size, &build_id->build_id);
+    }
+
   bpf_ringbuf_submit (event, 0);
   return 0;
 

diff --git a/agent/src/bpf/audit.h b/agent/src/bpf/audit.h
@@ -30,10 +30,14 @@ struct audit_event_header_st
   unsigned long int ktime;	/* u64 */
 };
 
+#define MAX_BUILD_ID_SIZE 64
+
 struct audit_new_context_event_st
 {
   struct audit_event_header_st header;
   long parent;
+  unsigned char origin[MAX_BUILD_ID_SIZE];
+  unsigned long int origin_size;
 };
 
 struct audit_data_event_st

diff --git a/crypto-auditing/src/types.rs b/crypto-auditing/src/types.rs
@@ -27,6 +27,8 @@ pub enum Event {
     NewContext {
         #[serde_as(as = "serde_with::Bytes")]
         parent: ContextID,
+        #[serde_as(as = "serde_with::Bytes")]
+        origin: Vec<u8>,
     },
     Data {
         key: String,
@@ -87,7 +89,7 @@ impl EventGroup {
     {
         f(&mut self.context)?;
 
-        if let Some(Event::NewContext { ref mut parent }) = self.events.last_mut() {
+        if let Some(Event::NewContext { ref mut parent, .. }) = self.events.last_mut() {
             f(parent)?;
         }
         Ok(())
@@ -124,11 +126,14 @@ impl EventGroup {
                 let raw_new_context = bytes.as_ptr() as *mut audit_new_context_event_st;
                 let parent =
                     unsafe { format_context((*header).pid_tgid, (*raw_new_context).parent) };
+                let origin = unsafe {
+                    (*raw_new_context).origin[..(*raw_new_context).origin_size as usize].to_vec()
+                };
                 EventGroup {
                     context,
                     start: ktime,
                     end: ktime,
-                    events: vec![Event::NewContext { parent }],
+                    events: vec![Event::NewContext { parent, origin }],
                 }
             }
             audit_event_type_t::AUDIT_EVENT_DATA => unsafe {

diff --git a/dist/audit.cddl b/dist/audit.cddl
@@ -2,6 +2,7 @@ LogEntry = EventGroup
 
 EventGroup = {
   context: ContextID
+  origin: BuildID
   start: time
   end: time
   events: [+ Event]
@@ -10,10 +11,12 @@ EventGroup = {
 Event = NewContext / Data
 
 ContextID = bstr .size 16
+BuildID = bstr .size (20..64)
 
 NewContext = {
   NewContext: {
     parent: ContextID
+    origin: BuildID
   }
 }
 

diff --git a/fixtures/normal/input.cborseq b/fixtures/normal/input.cborseq
diff --git a/fixtures/normal/output.cborseq b/fixtures/normal/output.cborseq
diff --git a/log-parser/src/main.rs b/log-parser/src/main.rs
@@ -31,6 +31,8 @@ where
 struct Context {
     #[serde_as(as = "Hex")]
     context: ContextID,
+    #[serde_as(as = "Hex")]
+    origin: Vec<u8>,
     #[serde_as(as = "serde_with::DurationNanoSeconds<u64>")]
     start: Duration,
     #[serde_as(as = "serde_with::DurationNanoSeconds<u64>")]
@@ -61,9 +63,11 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             match event {
                 Event::NewContext {
                     parent: parent_context,
+                    origin,
                 } => {
                     let context = Rc::new(RefCell::new(Context {
                         context: *group.context(),
+                        origin: origin.to_owned(),
                         start: group.start(),
                         end: group.end(),
                         ..Default::default()