
events: add security_path_rename event

Open roikol opened this issue 3 years ago • 2 comments

create event to indicate path rename

Initial Checklist

  • [x] There is an issue describing the need for this PR.
  • [x] Git log contains summary of the change.
  • [x] Git log contains motivation and context of the change.
  • [ ] If part of an EPIC, PR git log contains EPIC number.
  • [ ] If part of an EPIC, PR was added to EPIC description.

Description (git log)

using security_path_rename to indicate path rename in the system. arguments of this event are: old_path and new path.

Fixes: #2042

Type of change

  • [ ] Bug fix (non-breaking change fixing an issue, preferable).
  • [ ] Quick fix (minor non-breaking change requiring no issue, use with care)
  • [ ] Code refactor (code improvement and/or code removal)
  • [x] New feature (non-breaking change adding functionality).
  • [ ] Breaking change (cause existing functionality not to work as expected).

How Has This Been Tested?

locally.

Reproduce the test by running:

  • command 01: ./dist/tracee-ebpf -t e=security_path_rename
  • command 02 (different terminal): mv test test_new

Final Checklist:

Pick "Bug Fix" or "Feature", delete the other and mark appropriate checks.

  • [x] I have made corresponding changes to the documentation.
  • [x] My code follows the style guidelines (C and Go) of this project.
  • [x] I have performed a self-review of my own code.
  • [x] I have commented all functions/methods created explaining what they do.
  • [x] I have commented my code, particularly in hard-to-understand areas.
  • [x] My changes generate no new warnings.
  • [ ] I have added tests that prove my fix, or feature, is effective.
  • [ ] New and existing unit tests pass locally with my changes.
  • [x] Any dependent changes have been merged and published before.

Git Log Checklist:

My commits logs have:

  • [x] Subject starts with "subsystem|file: description".
  • [x] Do not end the subject line with a period.
  • [x] Limit the subject line to 50 characters.
  • [x] Separate subject from body with a blank line.
  • [x] Use the imperative mood in the subject line.
  • [x] Wrap the body at 72 characters.
  • [x] Use the body to explain what and why instead of how.

roikol avatar Aug 04 '22 11:08 roikol

We try to avoid security_path_xxx hooks as these are not compiled into all kernels (gated with CONFIG_SECURITY_PATH). Maybe use security_inode_rename instead?

yanivagman avatar Aug 04 '22 12:08 yanivagman
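
Added example (not part of the thread and not Tracee's code): a shell check for the portability concern raised in the comment above, reporting which of the two rename hooks a given kernel exposes. The function names and sample files are constructed for illustration, and the presence of a symbol in kallsyms is assumed to be an adequate proxy for the hook being compiled in.

```shell
#!/bin/sh
# Added example, not Tracee code. Reports which rename LSM hook a kernel exposes,
# given text copies of its build config and /proc/kallsyms.

# config_enabled FILE OPTION: succeeds when FILE has the exact line OPTION=y.
config_enabled() {
    grep -qx "$2=y" "$1"
}

# symbol_present FILE NAME: succeeds when NAME is a text (T/t) symbol in FILE.
symbol_present() {
    awk -v s="$2" '($2 == "T" || $2 == "t") && $3 == s { ok = 1 } END { exit !ok }' "$1"
}

# rename_hooks CONFIG KALLSYMS: prints the attachable rename hooks, space separated,
# or "none". security_path_rename counts only if CONFIG_SECURITY_PATH=y as well.
rename_hooks() {
    out=""
    if config_enabled "$1" CONFIG_SECURITY_PATH && symbol_present "$2" security_path_rename; then
        out="security_path_rename"
    fi
    if symbol_present "$2" security_inode_rename; then
        out="${out:+$out }security_inode_rename"
    fi
    echo "${out:-none}"
}

# Constructed sample inputs (not captured from a real host).
SAMPLES=$(mktemp -d)
printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_PATH=y' > "$SAMPLES/full.config"
printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_SECURITY_PATH is not set' > "$SAMPLES/nopath.config"
printf '%s\n' '0000000000000000 T security_inode_rename' \
              '0000000000000000 T security_path_rename' > "$SAMPLES/full.kallsyms"
printf '%s\n' '0000000000000000 T security_inode_rename' \
              '0000000000000000 T security_inode_unlink' > "$SAMPLES/nopath.kallsyms"

echo "full kernel:   $(rename_hooks "$SAMPLES/full.config" "$SAMPLES/full.kallsyms")"
echo "no PATH hooks: $(rename_hooks "$SAMPLES/nopath.config" "$SAMPLES/nopath.kallsyms")"
```

On a live host the same function can be pointed at `/boot/config-$(uname -r)` (where the distribution ships it) and `/proc/kallsyms`.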

> We try to avoid security_path_xxx hooks as these are not compiled into all kernels (gated with CONFIG_SECURITY_PATH). Maybe use security_inode_rename instead?

thanks @yanivagman

I've now changed it to use security_inode_rename

roikol avatar Aug 04 '22 14:08 roikol

I tried to fix conflicts by using GitHub UI but, as I have guessed, it didn't work well, created a fake merge and turned things obscure. I'm picking commit:

commit c790059e
Author: RoiKol [email protected]
Date: Thu Aug 4 08:48:11 2022

events: add security_inode_rename event

create event to indicate path rename

reviewing it and will merge it from another PR (same credits).

rafaeldtinoco avatar Aug 22 '22 04:08 rafaeldtinoco

Roi, I committed one of your commits under my name, sorry about that. What happened was this: the conflict resolution from the GH interface made a "merge" and destroyed the tree, so I couldn't rebase and needed to cherry-pick your commit. When I cherry-picked, I needed to resolve the conflict and when I committed it kept my credits instead of yours because of the local changes (I didn't see, or else I would have changed it back).

rafaeldtinoco avatar Aug 22 '22 04:08 rafaeldtinoco

> d it kept my credits instead of yours because of the local change

no problem Rafael, thank you for merging!

roikol avatar Aug 22 '22 07:08 roikol