
file events: add creds info #183

Merged: 1 commit from matt/file-creds into main, Mar 4, 2024

Conversation

@mmat11 (Contributor) commented Mar 1, 2024

Tested manually

```
➜  ebpf git:(matt/file-creds) ✗ sudo ./artifacts-x86_64/non-GPL/Events/EventsTrace/EventsTrace -i --file-create
{"probes_initialized": true, "features": {"bpf_tramp": true}}
{"event_type":"FILE_CREATE","pids":{"tid":2639926,"tgid":2318768,"ppid":3224,"pgid":3224,"sid":3224,"start_time_ns":538596506094300},"creds":{"ruid":1000,"rgid":1000,"euid":1000,"egid":1000,"suid":1000,"sgid":1000,"cap_permitted": "0","cap_effective": "0"},"mount_namespace":4026531841,"comm":"BgIOThr~ol #233","file_info":{"type":"FILE","inode":56644481,"mode":100644,"size":0,"uid":1000,"gid":1000,"atime":1709316588121009722,"mtime":1709316588121009722,"ctime":1709316588121009722},"path":"/home/matt/.mozilla/firefox/lpqgi4lp.default-release/sessionstore-backups/recovery.jsonlz4.tmp","symlink_target_path":""}
^CReceived SIGINT, exiting...
➜  ebpf git:(matt/file-creds) ✗ sudo ../veristat/src/veristat ./artifacts-x86_64/GPL/Events/EventProbe.bpf.o
Processing 'EventProbe.bpf.o'...
File              Program                              Verdict  Duration (us)  Insns  States  Peak states
----------------  -----------------------------------  -------  -------------  -----  ------  -----------
EventProbe.bpf.o  fentry__commit_creds                 success            336    740      35           35
EventProbe.bpf.o  fentry__do_renameat2                 success             73     68       4            4
EventProbe.bpf.o  fentry__do_unlinkat                  success             57     50       2            2
EventProbe.bpf.o  fentry__mnt_want_write               success             65     37       3            3
EventProbe.bpf.o  fentry__taskstats_exit               success          21240  26453    1397           78
EventProbe.bpf.o  fentry__tcp_close                    success            315    474      26           26
EventProbe.bpf.o  fentry__tty_write                    success            312    561      25           25
EventProbe.bpf.o  fentry__vfs_rename                   success          42741  79651    3119          405
EventProbe.bpf.o  fentry__vfs_unlink                   success             61     37       3            3
EventProbe.bpf.o  fexit__chmod_common                  success          20273  40498    1607          232
EventProbe.bpf.o  fexit__chown_common                  success          20399  40498    1607          232
EventProbe.bpf.o  fexit__do_filp_open                  success          21687  40563    1581          252
EventProbe.bpf.o  fexit__do_truncate                   success          19951  40521    1609          234
EventProbe.bpf.o  fexit__inet_csk_accept               success            257    419      25           25
EventProbe.bpf.o  fexit__tcp_v4_connect                success            271    422      25           25
EventProbe.bpf.o  fexit__tcp_v6_connect                success            295    422      25           25
EventProbe.bpf.o  fexit__vfs_rename                    success            641   1423      50           50
EventProbe.bpf.o  fexit__vfs_unlink                    success          23231  40534    1579          251
EventProbe.bpf.o  fexit__vfs_write                     success          20329  40499    1608          233
EventProbe.bpf.o  fexit__vfs_writev                    success          20203  40499    1608          233
EventProbe.bpf.o  kprobe__chmod_common                 success             42     43       1            1
EventProbe.bpf.o  kprobe__chown_common                 success             40     41       1            1
EventProbe.bpf.o  kprobe__commit_creds                 success            331    740      35           35
EventProbe.bpf.o  kprobe__do_renameat2                 success             63     68       4            4
EventProbe.bpf.o  kprobe__do_truncate                  success             56     53       2            2
EventProbe.bpf.o  kprobe__do_unlinkat                  success             51     50       2            2
EventProbe.bpf.o  kprobe__mnt_want_write               success             46     37       3            3
EventProbe.bpf.o  kprobe__taskstats_exit               success          21216  26453    1397           78
EventProbe.bpf.o  kprobe__tcp_close                    success            298    474      26           26
EventProbe.bpf.o  kprobe__tcp_v4_connect               success             50     50       2            2
EventProbe.bpf.o  kprobe__tcp_v6_connect               success             54     50       2            2
EventProbe.bpf.o  kprobe__tty_write                    success            296    561      25           25
EventProbe.bpf.o  kprobe__vfs_rename                   success          44090  79648    3120          406
EventProbe.bpf.o  kprobe__vfs_unlink                   success             49     39       4            4
EventProbe.bpf.o  kprobe__vfs_write                    success             38     43       1            1
EventProbe.bpf.o  kprobe__vfs_writev                   success             40     43       1            1
EventProbe.bpf.o  kretprobe__chmod_common              success          20176  40508    1608          233
EventProbe.bpf.o  kretprobe__chown_common              success          20342  40508    1608          233
EventProbe.bpf.o  kretprobe__do_filp_open              success          23539  40563    1581          252
EventProbe.bpf.o  kretprobe__do_truncate               success          20021  40508    1608          233
EventProbe.bpf.o  kretprobe__inet_csk_accept           success            254    419      25           25
EventProbe.bpf.o  kretprobe__tcp_v4_connect            success            263    432      26           26
EventProbe.bpf.o  kretprobe__tcp_v6_connect            success            269    432      26           26
EventProbe.bpf.o  kretprobe__vfs_rename                success            611   1412      49           49
EventProbe.bpf.o  kretprobe__vfs_unlink                success          22675  40523    1578          250
EventProbe.bpf.o  kretprobe__vfs_write                 success          20209  40507    1608          233
EventProbe.bpf.o  kretprobe__vfs_writev                success          20298  40507    1608          233
EventProbe.bpf.o  sched_process_exec                   success          42198  67486    2987          292
EventProbe.bpf.o  sched_process_fork                   success          19213  26868    1416           99
EventProbe.bpf.o  tracepoint_syscalls_sys_exit_setsid  success            151    262      14           14
----------------  -----------------------------------  -------  -------------  -----  ------  -----------
Done. Processed 1 files, 0 programs. Skipped 50 files, 0 programs.
```
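The `creds` block in the FILE_CREATE event above is what a consumer of EventsTrace can now act on. As an added example (not code from the ebpf project or from this PR), the Python below reads the NDJSON that EventsTrace prints, keeps only the event records, and flags file creations whose credentials deserve a second look: a real/effective UID or GID mismatch (a set-id transition), root creating files under `/home`, and a non-root process that still holds effective capabilities. The first event line in the sample is the one from the PR description; the two lines after it are constructed for illustration, and the decoding of `cap_permitted`/`cap_effective` as hex bitmask strings is an assumption, not something the page states.

```python
"""Triage the creds block carried by EventsTrace FILE_CREATE events.

Added example; not code from the ebpf project itself. It parses the NDJSON
that EventsTrace prints and flags file creations whose credentials deserve a
second look. Assumption (not stated on the page): cap_permitted and
cap_effective are capability bitmasks encoded as hex strings.
"""
import json
from typing import Any, Dict, List

# Constructed sample. Line 1 is the status line EventsTrace prints before any
# event; line 2 is the FILE_CREATE event from the PR description; lines 3 and
# 4 are made up for illustration and are not real captures.
SAMPLE_OUTPUT = r'''{"probes_initialized": true, "features": {"bpf_tramp": true}}
{"event_type":"FILE_CREATE","pids":{"tid":2639926,"tgid":2318768,"ppid":3224,"pgid":3224,"sid":3224,"start_time_ns":538596506094300},"creds":{"ruid":1000,"rgid":1000,"euid":1000,"egid":1000,"suid":1000,"sgid":1000,"cap_permitted": "0","cap_effective": "0"},"mount_namespace":4026531841,"comm":"BgIOThr~ol #233","file_info":{"type":"FILE","inode":56644481,"mode":100644,"size":0,"uid":1000,"gid":1000,"atime":1709316588121009722,"mtime":1709316588121009722,"ctime":1709316588121009722},"path":"/home/matt/.mozilla/firefox/lpqgi4lp.default-release/sessionstore-backups/recovery.jsonlz4.tmp","symlink_target_path":""}
{"event_type":"FILE_CREATE","pids":{"tid":4242,"tgid":4242,"ppid":1,"pgid":4242,"sid":4242,"start_time_ns":1},"creds":{"ruid":1000,"rgid":1000,"euid":0,"egid":0,"suid":0,"sgid":0,"cap_permitted":"1ffffffffff","cap_effective":"1ffffffffff"},"mount_namespace":4026531841,"comm":"passwd","file_info":{"type":"FILE","inode":1,"mode":100600,"size":0,"uid":0,"gid":0},"path":"/etc/nshadow","symlink_target_path":""}
{"event_type":"FILE_CREATE","pids":{"tid":5151,"tgid":5151,"ppid":1,"pgid":5151,"sid":5151,"start_time_ns":2},"creds":{"ruid":0,"rgid":0,"euid":0,"egid":0,"suid":0,"sgid":0,"cap_permitted":"1ffffffffff","cap_effective":"1ffffffffff"},"mount_namespace":4026531841,"comm":"sh","file_info":{"type":"FILE","inode":2,"mode":100755,"size":0,"uid":0,"gid":0},"path":"/home/matt/.bashrc.new","symlink_target_path":""}
'''

Event = Dict[str, Any]


def parse_output(text: str) -> List[Event]:
    """Return the event records, dropping blank lines and the status line."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if "event_type" in record:  # the status line carries no event_type
            events.append(record)
    return events


def capability_mask(value: str) -> int:
    """Decode a capability mask; assumed to be a hex string such as "0"."""
    return int(value, 16)


def findings(event: Event) -> List[str]:
    """Name the credential conditions that make this file event interesting."""
    creds = event["creds"]
    flags: List[str] = []
    # Effective id differs from real id: a set-uid/set-gid binary (or a
    # seteuid() call) is writing with privileges the caller did not have.
    if creds["euid"] != creds["ruid"] or creds["egid"] != creds["rgid"]:
        flags.append("setid-transition")
    # Root writing into a user's home directory is worth a look: dotfile
    # drops, persistence, or an admin tool misbehaving.
    if creds["euid"] == 0 and event["path"].startswith("/home/"):
        flags.append("root-writes-home")
    # A non-root process that still holds effective capabilities is either
    # a capability-granted service or something that retained them.
    if creds["euid"] != 0 and capability_mask(creds["cap_effective"]) != 0:
        flags.append("capable-nonroot")
    return flags


def triage(text: str) -> Dict[str, List[str]]:
    """Map each created path to its findings (empty list means nothing flagged)."""
    return {
        event["path"]: findings(event)
        for event in parse_output(text)
        if event["event_type"] == "FILE_CREATE"
    }


if __name__ == "__main__":
    for path, flags in triage(SAMPLE_OUTPUT).items():
        print(f"{path}: {', '.join(flags) if flags else 'ok'}")
```

To run it on live data, replace `SAMPLE_OUTPUT` with `sys.stdin.read()` and pipe `sudo ./EventsTrace -i --file-create` into the script; only FILE_CREATE records are triaged, so other event types EventsTrace emits are parsed and ignored.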

@mmat11 mmat11 requested a review from a team as a code owner March 1, 2024 18:12
@mmat11 mmat11 merged commit 255f129 into main Mar 4, 2024
26 checks passed
@mmat11 mmat11 deleted the matt/file-creds branch March 4, 2024 15:04
3 participants