
[RFE] kprobe security_socket_connect & security_socket_bind get local_addr, local_port, protocol

Open rockingl opened this issue 3 years ago • 1 comment

Prerequisites

  • [ ] There isn't an issue describing the feature I need.
  • [ ] I don't think opening a discussion thread first is relevant.
  • [ ] I have a use case for the feature I would like to request.

Feature description

Hi, I'm a user of tracee. I want to use the kprobe security_socket_connect & security_socket_bind hook functions, but they do not have local_addr, local_port, protocol fields, so should I get these? Maybe these fields can be added.

Perhaps you can tell me how to add these fields. Thanks!

This is the tracee code, & there are no local IP fields:

```c
if (!should_trace(&data.context))
    return 0;

// Second and third arguments of security_socket_connect: the sockaddr and its length
struct sockaddr *address = (struct sockaddr *)PT_REGS_PARM2(ctx);
uint addr_len = (uint)PT_REGS_PARM3(ctx);

sa_family_t sa_fam = get_sockaddr_family(address);
if ((sa_fam != AF_INET) && (sa_fam != AF_INET6) && (sa_fam != AF_UNIX)) {
    return 0;
}

// Load the arguments given to the connect syscall (which eventually invokes this function)
syscall_data_t *sys = bpf_map_lookup_elem(&syscall_data_map, &data.context.host_tid);
if (!sys || sys->id != SYSCALL_CONNECT)
    return 0;

// Argument 0: the socket fd passed to connect()
save_to_submit_buf(&data, (void *)&sys->args.args[0], sizeof(u32), 0);

// Argument 1: the remote sockaddr only; the local address is not captured here
if (sa_fam == AF_INET) {
    save_to_submit_buf(&data, (void *)address, sizeof(struct sockaddr_in), 1);
}
else if (sa_fam == AF_INET6) {
    save_to_submit_buf(&data, (void *)address, sizeof(struct sockaddr_in6), 1);
}

....
```

rockingl, May 23 '22 09:05

Hello @rockingl. In security_socket_bind you only have the local address and port, but not the remote address, as the connection hasn't happened yet. In addition, as security_socket_connect happens BEFORE the connection takes place, the socket is only initialized with the remote address and port. Same problem for security_socket_accept, but with local address+port. We recently added the "socket_accept" event, which should give the combined local+remote addresses of the socket during the accept operation. We might do the same for connect, but I think there's no sense in doing it for bind, as no connection has happened yet.

yanivagman, May 29 '22 12:05
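The address availability described in the reply above, shown from userspace as an added example (not tracee's code): getsockname()/getpeername() on a constructed loopback TCP pair at the bind, pre-connect, post-connect and accept stages. It assumes a Linux host, where an unbound TCP socket reports 0.0.0.0:0 as its local address.

```python
import socket


def socket_address_states():
    """Return (local, peer) as visible on a TCP socket at each stage.

    Constructed demo on loopback: a listener bound to an ephemeral port and a
    client that connects to it. After bind() only the local address exists;
    when the client's connect() starts, no local port has been assigned yet;
    after connect()/accept() both local and remote addresses are known.
    """
    def peer_or_none(s):
        try:
            return s.getpeername()
        except OSError:  # ENOTCONN: no peer on this socket yet
            return None

    states = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # bind stage (what security_socket_bind sees): local only, no peer
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        states["bind"] = (srv.getsockname(), peer_or_none(srv))

        # pre-connect stage (when security_socket_connect fires): the client
        # was never bound, so the kernel has not picked a local port yet
        states["pre_connect"] = (cli.getsockname(), peer_or_none(cli))

        cli.connect(srv.getsockname())
        states["post_connect"] = (cli.getsockname(), cli.getpeername())

        # accept stage: the accepted socket carries both local and remote
        conn, _ = srv.accept()
        states["accept"] = (conn.getsockname(), conn.getpeername())
        conn.close()
    finally:
        cli.close()
        srv.close()
    return states


if __name__ == "__main__":
    for stage, (local, peer) in socket_address_states().items():
        print(f"{stage:12s} local={local} peer={peer}")
```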