feat: extend string data filtering to LSM related events
1. Explain what the PR does
1591fd007 chore: install deps
3eae8ff25 fix: increase timeout for go test
8e8ec5fa5 test: external triggers for integration
6e2f4f1be feat(ebpf): extend string data filtering for LSM events
5a22b3658 feat: allow different field names
3eae8ff25 fix: increase timeout for go test
- Since we have added integration tests and the default Go test
timeout is 10 minutes, we need to increase it, otherwise it panics.
8e8ec5fa5 test: external triggers for integration
- Add external scripts to be triggered in order to test the data filter
related to events that use LSM.
6e2f4f1be feat(ebpf): extend string data filtering for LSM events
- Only for LSM related events.
5a22b3658 feat: allow different field names
- Allow any field name in the in-kernel string filter.
- Currently, only one string-type field name is supported.
- Future support for multiple field names is planned.
- Start with LSM related events.
2. Explain how to test it
3. Other comments
This PR focuses only on LSM hooks and the related tests. Some tests were added to the integration test suite with external C program triggers.
part of #4432
| Event | String Name | Trigger |
|---|---|---|
| ✅ security_bprm_check | pathname | 5 |
| ✅ security_file_open | pathname | 1 (already present) |
| ✅ security_inode_unlink | pathname | 3 |
| ✅ security_sb_mount | path | 6 |
| ✅ security_bpf_map | map_name | 9 |
| ✅ security_kernel_read_file | pathname | 4 |
| ✅ security_inode_mknod | file_name | 7 |
| ✅ security_kernel_post_read_file | pathname | 4 |
| ✅ security_inode_symlink | linkpath | 3 |
| ✅ security_mmap_file | pathname | 2 (already present) |
| ✅ security_file_mprotect | pathname | 5 |
| ✅ security_inode_rename | old_path | 3 |
| ✅ security_bpf_prog | name | 9 |
| ✅ security_path_notify | pathname | 8 |
| ✅ shared_object_loaded | pathname | 5 |
| Trigger | Name |
|---|---|
| 1 | comm: event: data: trace event security_file_open set in multiple policies using multiple filter types |
| 2 | comm: event: data: trace event security_mmap_file using multiple filter types |
| 3 | event: data: trace event security_inode_symlink, security_inode_rename and security_inode_unlink using data filter |
| 4 | event: data: trace event security_kernel_read_file and security_kernel_post_read_file using data filter |
| 5 | comm: event: data: trace event shared_object_loaded, security_file_mprotect and security_bprm_check using data filter |
| 6 | event: data: trace event security_sb_mount using data filter |
| 7 | event: data: trace event security_inode_mknod using data filter |
| 8 | event: data: trace event security_path_notify using data filter |
| 9 | event: data: trace event security_bpf_prog and security_bpf_map using data filter |
cc @olsajiri just to have a sticky note on that
@mtardy gave it a shot... does this look right?
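Added example (not the PR's own trigger program, and not part of the thread above): a minimal external trigger of the kind trigger 3 in the table describes, exercising the `security_inode_symlink`, `security_inode_rename` and `security_inode_unlink` hooks with known pathnames so a string data filter on `linkpath`, `old_path` or `pathname` has something deterministic to match. The function names `trigger_inode_events` and `run_trigger_in_tmpdir`, and the `/tmp/lsm-trigger-XXXXXX` directory layout, are assumptions for this example; the mapping of each syscall to its LSM hook is standard Linux behaviour.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical trigger (example code, not the project's own) for the
 * "symlink / rename / unlink" data-filter test. Every step below is a
 * syscall that reaches the named LSM hook, and the comment names the
 * string field an in-kernel data filter would match on:
 *   symlink(2) -> security_inode_symlink (linkpath)
 *   rename(2)  -> security_inode_rename  (old_path)
 *   unlink(2)  -> security_inode_unlink  (pathname)
 * Returns 0 on success, or the negative number of the step that failed. */
int trigger_inode_events(const char *dir)
{
    char target[PATH_MAX], link[PATH_MAX], renamed[PATH_MAX];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(renamed, sizeof renamed, "%s/renamed", dir);

    /* open(2) with O_CREAT: security_file_open, pathname == target */
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);

    /* security_inode_symlink: linkpath == link */
    if (symlink(target, link) != 0)
        return -2;
    /* security_inode_rename: old_path == link */
    if (rename(link, renamed) != 0)
        return -3;
    /* security_inode_unlink: pathname == renamed, then pathname == target */
    if (unlink(renamed) != 0)
        return -4;
    if (unlink(target) != 0)
        return -5;
    return 0;
}

/* Runs the trigger in a fresh temporary directory so the pathnames the
 * filter sees are unique per run; the directory is removed afterwards
 * (best effort: rmdir fails harmlessly if a step left files behind). */
int run_trigger_in_tmpdir(void)
{
    char dir[] = "/tmp/lsm-trigger-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -100;
    int rc = trigger_inode_events(dir);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_trigger_in_tmpdir();
    printf("trigger result: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

When wiring a trigger like this into a data-filter test, keep the directory prefix distinctive (here `/tmp/lsm-trigger-`), so the filter expression under test can match on it without also catching unrelated activity on the host; the test then asserts that exactly the expected event, field and value were emitted for each step.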