feat(ebpf): make mem_prot_alert not rely on sys_enter/exit

OriGlassman · OriGlassman · commit cc67415feead · 2024-08-12T16:09:17.000+03:00
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -3416,18 +3416,16 @@ int BPF_KPROBE(trace_mmap_alert)
     if (!evaluate_scope_filters(&p))
         return 0;
 
-    // Load the arguments given to the mmap syscall (which eventually invokes this function)
-    syscall_data_t *sys = &p.task_info->syscall_data;
-    if (!p.task_info->syscall_traced || sys->id != SYSCALL_MMAP)
+    if (p.event->context.syscall != SYSCALL_MMAP)
         return 0;
 
-    int prot = sys->args.args[2];
-
+    struct pt_regs *task_regs = get_current_task_pt_regs();
+    int prot = get_syscall_arg3(p.event->task, task_regs, false);
     if ((prot & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
         u32 alert = ALERT_MMAP_W_X;
-        int fd = sys->args.args[4];
-        void *addr = (void *) sys->args.args[0];
-        size_t len = sys->args.args[1];
+        void *addr = (void *) get_syscall_arg1(p.event->task, task_regs, false);
+        size_t len = get_syscall_arg2(p.event->task, task_regs, false);
+        int fd = get_syscall_arg5(p.event->task, task_regs, false);
         int prev_prot = 0;
         file_info_t file_info = {.pathname_p = NULL};
         if (fd >= 0) {
@@ -3562,18 +3560,18 @@ int BPF_KPROBE(trace_security_file_mprotect)
     if (!init_program_data(&p, ctx, SECURITY_FILE_MPROTECT))
         return 0;
 
-    // Load the arguments given to the mprotect syscall (which eventually invokes this function)
-    syscall_data_t *sys = &p.task_info->syscall_data;
-    if (!p.task_info->syscall_traced ||
-        (sys->id != SYSCALL_MPROTECT && sys->id != SYSCALL_PKEY_MPROTECT))
+    if (p.event->context.syscall != SYSCALL_MPROTECT &&
+        p.event->context.syscall != SYSCALL_PKEY_MPROTECT)
         return 0;
 
     struct vm_area_struct *vma = (struct vm_area_struct *) PT_REGS_PARM1(ctx);
     unsigned long reqprot = PT_REGS_PARM2(ctx);
     unsigned long prev_prot = get_vma_flags(vma);
     struct file *file = (struct file *) BPF_CORE_READ(vma, vm_file);
-    void *addr = (void *) sys->args.args[0];
-    size_t len = sys->args.args[1];
+
+    struct pt_regs *task_regs = get_current_task_pt_regs();
+    void *addr = (void *) get_syscall_arg1(p.event->task, task_regs, false);
+    size_t len = get_syscall_arg2(p.event->task, task_regs, false);
 
     if (evaluate_scope_filters(&p)) {
         file_info = get_file_info(file);
@@ -3585,8 +3583,8 @@ int BPF_KPROBE(trace_security_file_mprotect)
         save_to_submit_buf(&p.event->args_buf, &addr, sizeof(void *), 4);
         save_to_submit_buf(&p.event->args_buf, &len, sizeof(size_t), 5);
 
-        if (sys->id == SYSCALL_PKEY_MPROTECT) {
-            int pkey = sys->args.args[3];
+        if (p.event->context.syscall == SYSCALL_PKEY_MPROTECT) {
+            int pkey = get_syscall_arg4(p.event->task, task_regs, false);
             save_to_submit_buf(&p.event->args_buf, &pkey, sizeof(int), 6);
         }
 
diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -11347,14 +11347,6 @@ var CoreEvents = map[ID]Definition{
 			probes: []Probe{
 				{handle: probes.SecurityMmapAddr, required: true},
 				{handle: probes.SecurityFileMProtect, required: true},
-				{handle: probes.SyscallEnter__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{
-					"sys_enter_init_tail",
-					"sys_enter_init",
-					[]uint32{uint32(Mmap), uint32(Mprotect), uint32(PkeyMprotect)},
-				},
 			},
 		},
 		sets: []string{},
