diff --git a/frontend/app/src/main/java/de/amosproj3/ziofa/api/configuration/LocalConfigurationAccess.kt b/frontend/app/src/main/java/de/amosproj3/ziofa/api/configuration/LocalConfigurationAccess.kt index b167e98d..4ceb0bba 100644 --- a/frontend/app/src/main/java/de/amosproj3/ziofa/api/configuration/LocalConfigurationAccess.kt +++ b/frontend/app/src/main/java/de/amosproj3/ziofa/api/configuration/LocalConfigurationAccess.kt @@ -7,6 +7,7 @@ package de.amosproj3.ziofa.api.configuration import de.amosproj3.ziofa.client.JniReferencesConfig import de.amosproj3.ziofa.client.SysSendmsgConfig +import de.amosproj3.ziofa.client.SysSigquitConfig import de.amosproj3.ziofa.client.UprobeConfig import de.amosproj3.ziofa.client.VfsWriteConfig import kotlinx.coroutines.flow.Flow @@ -35,6 +36,7 @@ interface LocalConfigurationAccess { sendMessageFeature: SysSendmsgConfig? = null, uprobesFeature: List? = listOf(), jniReferencesFeature: JniReferencesConfig? = null, + sysSigquitFeature: SysSigquitConfig? = null, ) /** Submit the local configuration to the backend. */ diff --git a/frontend/app/src/main/java/de/amosproj3/ziofa/bl/configuration/ConfigDiffHelpers.kt b/frontend/app/src/main/java/de/amosproj3/ziofa/bl/configuration/ConfigDiffHelpers.kt index a68a5153..be706de4 100644 --- a/frontend/app/src/main/java/de/amosproj3/ziofa/bl/configuration/ConfigDiffHelpers.kt +++ b/frontend/app/src/main/java/de/amosproj3/ziofa/bl/configuration/ConfigDiffHelpers.kt @@ -6,6 +6,7 @@ package de.amosproj3.ziofa.bl.configuration import de.amosproj3.ziofa.client.JniReferencesConfig import de.amosproj3.ziofa.client.SysSendmsgConfig +import de.amosproj3.ziofa.client.SysSigquitConfig import de.amosproj3.ziofa.client.UprobeConfig import de.amosproj3.ziofa.client.VfsWriteConfig 
@@ -50,3 +51,11 @@ fun JniReferencesConfig?.updatePIDs( val config = this ?: JniReferencesConfig(listOf()) return config.copy(pids = config.pids.plus(pidsToAdd).minus(pidsToRemove.toSet())) } + +fun SysSigquitConfig?.updatePIDs( + pidsToAdd: List = listOf(), + pidsToRemove: List = listOf(), +): SysSigquitConfig { + val config = this ?: SysSigquitConfig(listOf()) + return config.copy(pids = config.pids.plus(pidsToAdd).minus(pidsToRemove.toSet())) +} diff --git a/frontend/app/src/main/java/de/amosproj3/ziofa/bl/configuration/ConfigurationManager.kt b/frontend/app/src/main/java/de/amosproj3/ziofa/bl/configuration/ConfigurationManager.kt index 85f4f737..5b3fe0c4 100644 --- a/frontend/app/src/main/java/de/amosproj3/ziofa/bl/configuration/ConfigurationManager.kt +++ b/frontend/app/src/main/java/de/amosproj3/ziofa/bl/configuration/ConfigurationManager.kt @@ -14,6 +14,7 @@ import de.amosproj3.ziofa.client.ClientFactory import de.amosproj3.ziofa.client.Configuration import de.amosproj3.ziofa.client.JniReferencesConfig import de.amosproj3.ziofa.client.SysSendmsgConfig +import de.amosproj3.ziofa.client.SysSigquitConfig import de.amosproj3.ziofa.client.UprobeConfig import de.amosproj3.ziofa.client.VfsWriteConfig import de.amosproj3.ziofa.ui.shared.merge @@ -66,6 +67,7 @@ class ConfigurationManager(val clientFactory: ClientFactory) : sendMessageFeature: SysSendmsgConfig?, uprobesFeature: List?, jniReferencesFeature: JniReferencesConfig?, + sysSigquitFeature: SysSigquitConfig?, ) { _localConfiguration.update { prev -> Timber.e("changeFeatureConfigurationForPIDs.prev $prev") 
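Review bot: `config.pids.plus(pidsToAdd)` in the new `SysSigquitConfig?.updatePIDs` appends without de-duplicating, so enabling the feature twice for the same PID leaves that PID in the list twice. The `minus(pidsToRemove.toSet())` removes every occurrence, so disabling still works, but the configuration shown to the user and sent to the backend can grow with repeated entries. A small change keeps the list unique: `return config.copy(pids = (config.pids + pidsToAdd).distinct() - pidsToRemove.toSet())`. The function is a copy of the `JniReferencesConfig` variant above it and has no KDoc; one line such as `/** Returns a copy with [pidsToAdd] added and [pidsToRemove] removed; a null receiver is treated as an empty config. */` would document the null handling.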
@@ -84,6 +86,7 @@ class ConfigurationManager(val clientFactory: ClientFactory) : sysSendmsg = previousConfiguration.merge(sendMessageFeature, enable), uprobes = previousConfiguration.merge(uprobesFeature, enable), jniReferences = previousConfiguration.merge(jniReferencesFeature, enable), + sysSigquit = previousConfiguration.merge(sysSigquitFeature, enable), ) .also { Timber.i("new local configuration = $it") } .let { ConfigurationUpdate.Valid(it) } @@ -102,7 +105,7 @@ class ConfigurationManager(val clientFactory: ClientFactory) : override fun reset() { runBlocking { - client?.setConfiguration(Configuration(null, null, listOf(), null)) + client?.setConfiguration(Configuration(null, null, listOf(), null, null)) updateBothConfigurations(getFromBackend()) } } @@ -129,6 +132,7 @@ class ConfigurationManager(val clientFactory: ClientFactory) : sysSendmsg = null, uprobes = listOf(), jniReferences = null, + sysSigquit = null, ) ) ConfigurationUpdate.Valid(client!!.getConfiguration()) diff --git a/frontend/app/src/main/java/de/amosproj3/ziofa/ui/shared/ConfigurationHelpers.kt b/frontend/app/src/main/java/de/amosproj3/ziofa/ui/shared/ConfigurationHelpers.kt index 3e14752b..479d8a6a 100644 --- a/frontend/app/src/main/java/de/amosproj3/ziofa/ui/shared/ConfigurationHelpers.kt +++ b/frontend/app/src/main/java/de/amosproj3/ziofa/ui/shared/ConfigurationHelpers.kt @@ -9,6 +9,7 @@ import de.amosproj3.ziofa.bl.configuration.updateUProbes import de.amosproj3.ziofa.client.Configuration import de.amosproj3.ziofa.client.JniReferencesConfig import de.amosproj3.ziofa.client.SysSendmsgConfig +import de.amosproj3.ziofa.client.SysSigquitConfig import de.amosproj3.ziofa.client.UprobeConfig import de.amosproj3.ziofa.client.VfsWriteConfig 
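Review bot: `Configuration(null, null, listOf(), null, null)` in `reset()` passes five positional arguments, four of them `null`, so nothing at the call site shows which feature each one clears. This commit had to touch the line only to append another `null`. The `Configuration(...)` call in the `@@ -129,6 +132,7 @@` hunk of this file already uses named arguments (`sysSendmsg = null, uprobes = listOf(), jniReferences = null, sysSigquit = null`). Using the same form here keeps a reordered or newly inserted field from silently shifting the meaning of the arguments. `reset()` starts outside the hunk.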
@@ -43,3 +44,11 @@ fun Configuration.merge(jniReferencesConfig: JniReferencesConfig?, enable: Boole pidsToRemove = if (!enable) requestedChanges.pids else listOf(), ) } ?: this.jniReferences + +fun Configuration.merge(sysSigquitConfig: SysSigquitConfig?, enable: Boolean) = + sysSigquitConfig?.let { requestedChanges -> + this.sysSigquit.updatePIDs( + pidsToAdd = if (enable) requestedChanges.pids else listOf(), + pidsToRemove = if (!enable) requestedChanges.pids else listOf(), + ) + } ?: this.sysSigquit diff --git a/frontend/client/src/main/java/de/amosproj3/ziofa/client/Client.kt b/frontend/client/src/main/java/de/amosproj3/ziofa/client/Client.kt index 70e45182..9b3cffbe 100644 --- a/frontend/client/src/main/java/de/amosproj3/ziofa/client/Client.kt +++ b/frontend/client/src/main/java/de/amosproj3/ziofa/client/Client.kt @@ -12,6 +12,7 @@ data class Configuration( val sysSendmsg: SysSendmsgConfig?, val uprobes: List, val jniReferences: JniReferencesConfig?, + val sysSigquit: SysSigquitConfig?, ) data class VfsWriteConfig(val entries: Map) @@ -22,6 +23,8 @@ data class UprobeConfig(val fnName: String, val offset: ULong, var target: Strin data class JniReferencesConfig(val pids: List) +data class SysSigquitConfig(val pids: List) + sealed class Event { data class VfsWrite( val pid: UInt, @@ -52,6 +55,13 @@ sealed class Event { DeleteGlobalRef, } } + + data class SysSigquit( + val pid: UInt, + val tid: UInt, + val timeStamp: ULong, + val targetPid: ULong, + ) : Event() } data class Process(val pid: UInt, val ppid: UInt, val state: String, val cmd: Command?) diff --git a/frontend/client/src/mock/java/de/amosproj3/ziofa/client/RustClient.kt b/frontend/client/src/mock/java/de/amosproj3/ziofa/client/RustClient.kt index 64327c0b..4364c196 100644 --- a/frontend/client/src/mock/java/de/amosproj3/ziofa/client/RustClient.kt +++ b/frontend/client/src/mock/java/de/amosproj3/ziofa/client/RustClient.kt 
@@ -21,6 +21,7 @@ object RustClient : Client { sysSendmsg = SysSendmsgConfig(mapOf(1234u to 30000u, 43124u to 20000u)), uprobes = listOf(), jniReferences = JniReferencesConfig(pids = listOf()), + sysSigquit = SysSigquitConfig(pids = listOf()), ) override suspend fun serverCount(): Flow = flow { @@ -119,6 +120,16 @@ object RustClient : Client { ) ) } + configuration.sysSigquit?.pids?.forEach { + emit( + Event.SysSigquit( + pid = it, + tid = 1234u, + timeStamp = 12312412u, + targetPid = 12874u, + ) + ) + } } } diff --git a/frontend/client/src/real/java/de.amosproj3.ziofa.client/RustClient.kt b/frontend/client/src/real/java/de.amosproj3.ziofa.client/RustClient.kt index 566803a0..3b75e787 100644 --- a/frontend/client/src/real/java/de.amosproj3.ziofa.client/RustClient.kt +++ b/frontend/client/src/real/java/de.amosproj3.ziofa.client/RustClient.kt @@ -64,6 +64,13 @@ private fun uniffi.shared.Event.into() = JniMethodName.UNDEFINED -> null }, ) + is EventData.SysSigquit -> + Event.SysSigquit( + pid = d.v1.pid, + tid = d.v1.tid, + timeStamp = d.v1.timeStamp, + targetPid = d.v1.targetPid, + ) null -> null } @@ -81,6 +88,7 @@ private fun uniffi.shared.Configuration.into() = ) }, jniReferences = jniReferences?.let { JniReferencesConfig(pids = it.pids) }, + sysSigquit = sysSigquit?.let { SysSigquitConfig(pids = it.pids) }, ) private fun Configuration.into() = @@ -97,6 +105,7 @@ private fun Configuration.into() = ) }, jniReferences = jniReferences?.let { uniffi.shared.JniReferencesConfig(it.pids) }, + sysSigquit = sysSigquit?.let { uniffi.shared.SysSigquitConfig(it.pids) }, ) private fun uniffi.shared.StringResponse.into() = StringResponse(name) diff --git a/rust/backend/daemon/src/collector/mod.rs b/rust/backend/daemon/src/collector/mod.rs index e11eebd6..d25c752d 100644 --- a/rust/backend/daemon/src/collector/mod.rs +++ b/rust/backend/daemon/src/collector/mod.rs 
@@ -4,10 +4,10 @@ // // SPDX-License-Identifier: MIT -use backend_common::{JNICall, JNIMethodName, SysSendmsgCall, VfsWriteCall}; -use shared::ziofa::{Event, JniReferencesEvent, SysSendmsgEvent, VfsWriteEvent}; -use shared::ziofa::event::{EventData}; -use shared::ziofa::jni_references_event::{JniMethodName}; +use backend_common::{JNICall, JNIMethodName, SysSendmsgCall, VfsWriteCall, SysSigquitCall}; +use shared::ziofa::{Event, JniReferencesEvent, SysSendmsgEvent, VfsWriteEvent, SysSigquitEvent}; +use shared::ziofa::event::EventData; +use shared::ziofa::jni_references_event::JniMethodName; mod ring_buf; mod supervisor; mod event_dipatcher; @@ -63,4 +63,17 @@ impl IntoEvent for JNICall { })) } } +} + +impl IntoEvent for SysSigquitCall { + fn into_event(self) -> Event { + Event { + event_data: Some(EventData::SysSigquit(SysSigquitEvent { + pid: self.pid, + tid: self.tid, + time_stamp: self.time_stamp, + target_pid: self.target_pid, + })) + } + } } \ No newline at end of file diff --git a/rust/backend/daemon/src/collector/supervisor.rs b/rust/backend/daemon/src/collector/supervisor.rs index 6cead8f6..c36ad0e3 100644 --- a/rust/backend/daemon/src/collector/supervisor.rs +++ b/rust/backend/daemon/src/collector/supervisor.rs @@ -21,6 +21,7 @@ enum CollectorT { VfsWrite, SysSendmsg, JniCall, + SysSigquit, } pub struct CollectorSupervisor; @@ -48,7 +49,7 @@ impl CollectorRefs { self.collectors.remove(cell) } async fn start_all(&mut self, registry: &EbpfEventRegistry, event_actor: &ActorRef, supervisor: &ActorCell) -> Result<(), ActorProcessingErr> { - for who in [CollectorT::VfsWrite, CollectorT::SysSendmsg, CollectorT::JniCall] { + for who in [CollectorT::VfsWrite, CollectorT::SysSendmsg, CollectorT::JniCall, CollectorT::SysSigquit] { self.start(who, registry, event_actor, supervisor).await?; } Ok(()) 
@@ -58,6 +59,7 @@ impl CollectorRefs { CollectorT::VfsWrite => start_collector(registry.vfs_write_events.clone(), event_actor.clone(), supervisor.clone()).await?, CollectorT::SysSendmsg => start_collector(registry.sys_sendmsg_events.clone(), event_actor.clone(), supervisor.clone()).await?, CollectorT::JniCall => start_collector(registry.jni_ref_calls.clone(), event_actor.clone(), supervisor.clone()).await?, + CollectorT::SysSigquit => start_collector(registry.sys_sigquit_events.clone(), event_actor.clone(), supervisor.clone()).await?, }; self.collectors.insert(actor_ref.get_cell(), who); Ok(()) diff --git a/rust/backend/daemon/src/features/mod.rs b/rust/backend/daemon/src/features/mod.rs index 495df57b..d610e4e9 100644 --- a/rust/backend/daemon/src/features/mod.rs +++ b/rust/backend/daemon/src/features/mod.rs @@ -8,12 +8,14 @@ mod jni_reference_feature; mod vfs_write_feature; mod sys_sendmsg_feature; +mod sys_sigquit_feature; use std::collections::BTreeSet; use aya::EbpfError; use jni_reference_feature::JNIReferencesFeature; use shared::config::Configuration; use sys_sendmsg_feature::SysSendmsgFeature; +use sys_sigquit_feature::SysSigquitFeature; use vfs_write_feature::VfsWriteFeature; use crate::registry::{EbpfRegistry, OwnedHashMap, RegistryGuard}; @@ -29,6 +31,7 @@ pub trait Feature { pub struct Features { sys_sendmsg_feature: SysSendmsgFeature, + sys_sigquit_feature: SysSigquitFeature, vfs_write_feature: VfsWriteFeature, jni_reference_feature: JNIReferencesFeature, } @@ -39,11 +42,13 @@ impl Features { let sys_sendmsg_feature = SysSendmsgFeature::init(registry); let vfs_write_feature = VfsWriteFeature::init(registry); let jni_reference_feature = JNIReferencesFeature::init(registry); + let sys_sigquit_feature = SysSigquitFeature::init(registry); Self { sys_sendmsg_feature, vfs_write_feature, jni_reference_feature, + sys_sigquit_feature, } } 
@@ -56,6 +61,7 @@ impl Features { self.vfs_write_feature.apply(&config.vfs_write)?; self.sys_sendmsg_feature.apply(&config.sys_sendmsg)?; self.jni_reference_feature.apply( &config.jni_references)?; + self.sys_sigquit_feature.apply( &config.sys_sigquit)?; Ok(()) } diff --git a/rust/backend/daemon/src/features/sys_sigquit_feature.rs b/rust/backend/daemon/src/features/sys_sigquit_feature.rs new file mode 100644 index 00000000..fb6c8662 --- /dev/null +++ b/rust/backend/daemon/src/features/sys_sigquit_feature.rs 
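Review bot: `self.sys_sigquit_feature.apply( &config.sys_sigquit)?;` runs last in this sequence, so when it fails the three earlier `apply` calls have already taken effect and the caller gets an `Err` for a configuration that is partly live. Nothing visible in the hunk rolls the earlier features back; the function starts outside the hunk, so the caller may handle this. If that is the intended behaviour, state it above the sequence, e.g. `// features are applied in order; an error leaves the earlier ones applied`.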
@@ -0,0 +1,77 @@ +// SPDX-FileCopyrightText: 2024 Tom Weisshuhn +// +// SPDX-License-Identifier: MIT + +use aya::EbpfError; +use aya::programs::trace_point::TracePointLink; +use aya::programs::TracePoint; +use shared::config::SysSigquitConfig; +use crate::features::{update_pids, Feature}; +use crate::registry::{EbpfRegistry, OwnedHashMap, RegistryGuard}; + +pub struct SysSigquitFeature { + sys_enter_sigquit: RegistryGuard, + sys_enter_sigquit_link: Option, + trace_sigquit_pids: RegistryGuard>, +} + +impl SysSigquitFeature { + fn create(registry: &EbpfRegistry) -> Self { + Self { + sys_enter_sigquit: registry.program.sys_sigquit.take(), + sys_enter_sigquit_link: None, + trace_sigquit_pids: registry.config.sys_sigquit_pids.take(), + } + } + + fn attach(&mut self) -> Result<(), EbpfError> { + if self.sys_enter_sigquit_link.is_none() { + let link_id = self.sys_enter_sigquit.attach("syscalls","sys_enter_sigquit")?; + self.sys_enter_sigquit_link = Some(self.sys_enter_sigquit.take_link(link_id)?); + } + + Ok(()) + } + + fn detach(&mut self) { + // the TrakePointLinks will be automatically detached when the reference is dropped + let _ = self.sys_enter_sigquit_link.take(); + } + + fn update_pids( + &mut self, + pids: &[u32] + ) -> Result<(), EbpfError> { + + // the general update_pids function for all features works with hashmaps, so the list is converted into a hashmap with keys always being 0 + let pid_0_tuples: Vec<(u32, u64)> = pids.iter().map(|pid| (*pid, 0)).collect(); + let pids_as_hashmap: std::collections::HashMap = std::collections::HashMap::from_iter(pid_0_tuples); + + update_pids(&pids_as_hashmap, &mut self.trace_sigquit_pids) + } +} + +impl Feature for SysSigquitFeature { + type Config = SysSigquitConfig; + fn init(registry: &EbpfRegistry) -> Self { + SysSigquitFeature::create(registry) + } + + fn apply(&mut self, config: &Option) -> Result<(), EbpfError> { + match config { + Some(config) => { + self.attach()?; + self.update_pids(&config.pids)?; + } + None => 
{ + self.detach(); + } + } + Ok(()) + } +} + + + + + diff --git a/rust/backend/daemon/src/registry/mod.rs b/rust/backend/daemon/src/registry/mod.rs index 2575d177..8024450b 100644 --- a/rust/backend/daemon/src/registry/mod.rs +++ b/rust/backend/daemon/src/registry/mod.rs @@ -12,7 +12,7 @@ mod typed_ringbuf; use aya::{maps::{HashMap, MapData, MapError, RingBuf}, programs::{KProbe, ProbeKind, ProgramError, TracePoint, UProbe}, EbpfError, EbpfLoader}; use aya_log::EbpfLogger; -use backend_common::{JNICall, SysSendmsgCall, VfsWriteCall}; +use backend_common::{JNICall, SysSendmsgCall, VfsWriteCall, SysSigquitCall}; use pinning::{LoadAndPin, TryMapFromPin}; pub use typed_ringbuf::TypedRingBuffer; pub use single_owner::{RegistryGuard, RegistryItem}; @@ -32,6 +32,7 @@ pub struct EbpfConfigRegistry { pub vfs_write_pids: RegistryItem>, pub sys_sendmsg_pids: RegistryItem>, pub jni_ref_pids: RegistryItem>, + pub sys_sigquit_pids: RegistryItem>, } #[derive(Clone)] @@ -39,6 +40,7 @@ pub struct EbpfEventRegistry { pub vfs_write_events: RegistryItem>, pub sys_sendmsg_events: RegistryItem>, pub jni_ref_calls: RegistryItem>, + pub sys_sigquit_events: RegistryItem>, } #[derive(Clone)] @@ -51,6 +53,7 @@ pub struct EbpfProgramRegistry { pub trace_del_local: RegistryItem, pub trace_add_global: RegistryItem, pub trace_del_global: RegistryItem, + pub sys_sigquit: RegistryItem, } impl EbpfRegistry { @@ -69,6 +72,7 @@ impl EbpfConfigRegistry { vfs_write_pids: HashMap::<_, u32, u64>::try_from_pin(path("VFS_WRITE_PIDS"))?.into(), sys_sendmsg_pids: HashMap::<_, u32, u64>::try_from_pin(path("SYS_SENDMSG_PIDS"))?.into(), jni_ref_pids: HashMap::<_, u32, u64>::try_from_pin(path("JNI_REF_PIDS"))?.into(), + sys_sigquit_pids: HashMap::<_, u32, u64>::try_from_pin(path("SYS_SIGQUIT_PIDS"))?.into(), }) } } 
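Review bot: `attach("syscalls","sys_enter_sigquit")` in `SysSigquitFeature::attach` names a tracepoint that I would not expect to exist: Linux has no `sigquit` syscall, and SIGQUIT is normally sent through `kill`/`tkill`/`tgkill`, which matches the `target_pid` field the event carries. If the eBPF program pinned as `sys_sigquit` (not part of this diff) hooks kill, the call should name that tracepoint, for example `self.sys_enter_sigquit.attach("syscalls", "sys_enter_kill")?`; otherwise `apply` will return an error whenever the feature is enabled. Two comments also need fixing: `TrakePointLinks` should read `TracePointLink`, and the map conversion sets the values, not the keys, to 0.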
@@ -79,6 +83,7 @@ impl EbpfEventRegistry { vfs_write_events: RingBuf::try_from_pin(path("VFS_WRITE_EVENTS"))?.into(), sys_sendmsg_events: RingBuf::try_from_pin(path("SYS_SENDMSG_EVENTS"))?.into(), jni_ref_calls: RingBuf::try_from_pin(path("JNI_REF_CALLS"))?.into(), + sys_sigquit_events: RingBuf::try_from_pin(path("SYS_SIGQUIT_EVENTS"))?.into(), }) } } @@ -94,6 +99,7 @@ impl EbpfProgramRegistry { trace_del_local: UProbe::from_pin(path("trace_del_local"), ProbeKind::UProbe)?.into(), trace_add_global: UProbe::from_pin(path("trace_add_global"), ProbeKind::UProbe)?.into(), trace_del_global: UProbe::from_pin(path("trace_del_global"), ProbeKind::UProbe)?.into(), + sys_sigquit: TracePoint::from_pin(path("sys_sigquit"))?.into(), }) } } @@ -121,6 +127,7 @@ pub fn load_and_pin() -> Result { ebpf.load_and_pin::("trace_del_local", ZIOFA_EBPF_PATH).unwrap(); ebpf.load_and_pin::("trace_add_global", ZIOFA_EBPF_PATH).unwrap(); ebpf.load_and_pin::("trace_del_global", ZIOFA_EBPF_PATH).unwrap(); + ebpf.load_and_pin::("sys_sigquit", ZIOFA_EBPF_PATH).unwrap(); EbpfRegistry::from_pin() } diff --git a/rust/client/src/bin/cli.rs b/rust/client/src/bin/cli.rs index 5e4e609d..04359853 100644 --- a/rust/client/src/bin/cli.rs +++ b/rust/client/src/bin/cli.rs @@ -7,7 +7,7 @@ use clap::Parser; use clap::Subcommand; use client::Client; use client::ClientError; -use shared::config::{Configuration, SysSendmsgConfig, VfsWriteConfig, JniReferencesConfig}; +use shared::config::{Configuration, SysSendmsgConfig, VfsWriteConfig, JniReferencesConfig, SysSigquitConfig}; use std::collections::HashMap; use tokio_stream::StreamExt; @@ -91,6 +91,7 @@ async fn sendmsg(client: &mut Client, pid: u32) -> Result<()> { entries: HashMap::from([(pid, 0)]), }), jni_references: None, + sys_sigquit: Some(SysSigquitConfig { pids: vec![] }), }) .await?; 
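Review bot: The `sendmsg` subcommand now sends `sys_sigquit: Some(SysSigquitConfig { pids: vec![] })`, while the neighbouring `jni_references` stays `None`. In `SysSigquitFeature::apply` any `Some` attaches the tracepoint before the PID list is looked at, so a command that only asks for sendmsg tracing also switches on signal tracing with an empty filter. `sys_sigquit: None,` keeps the feature off here. The same applies to `set_get_empty_config` in `rust/client/tests/base.rs`, where `jni_references` is likewise `None`. The body of `sendmsg` continues outside the hunk.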
@@ -114,6 +115,7 @@ async fn set_config(client: &mut Client) -> Result<()> { entries: std::collections::HashMap::new(), }), jni_references: Some(JniReferencesConfig { pids: vec![] }), + sys_sigquit: Some(SysSigquitConfig { pids: vec![] }), }) .await?; println!("Success"); diff --git a/rust/client/tests/base.rs b/rust/client/tests/base.rs index 4a6c5602..b6d740d1 100644 --- a/rust/client/tests/base.rs +++ b/rust/client/tests/base.rs @@ -5,7 +5,7 @@ // SPDX-License-Identifier: MIT use client::Client; -use shared::config::{Configuration, SysSendmsgConfig, VfsWriteConfig}; +use shared::config::{Configuration, SysSendmsgConfig, VfsWriteConfig, SysSigquitConfig}; use shared::ziofa::process::Cmd; // client tests assume daemon is running! @@ -55,6 +55,7 @@ async fn set_get_empty_config() { }), // jni_references: Some(JniReferencesConfig { pids: vec![] }), jni_references: None, + sys_sigquit: Some(SysSigquitConfig { pids: vec![] }), }; client diff --git a/rust/shared/build.rs b/rust/shared/build.rs index 14b2c133..b4c85014 100644 --- a/rust/shared/build.rs +++ b/rust/shared/build.rs @@ -22,12 +22,14 @@ static UNIFFI_RECORDS: LazyLock> = LazyLock::new(|| { "VfsWriteEvent", "SysSendmsgEvent", "JniReferencesEvent", + "SysSigquitEvent", "VfsWriteConfig", "SysSendmsgConfig", "JniReferencesConfig", "StringResponse", "Symbol", "SetConfigurationResponse", + "SysSigquitConfig", ] } else { vec![] diff --git a/rust/shared/proto/config.proto b/rust/shared/proto/config.proto index 74635dcb..d9c9efa0 100644 --- a/rust/shared/proto/config.proto +++ b/rust/shared/proto/config.proto @@ -21,7 +21,8 @@ message Configuration { optional VfsWriteConfig vfs_write = 1; optional SysSendmsgConfig sys_sendmsg = 2; optional JniReferencesConfig jniReferences = 3; - repeated UprobeConfig uprobes = 4; + optional SysSigquitConfig sys_sigquit = 4; + repeated UprobeConfig uprobes = 5; } message VfsWriteConfig { 
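Review bot: Giving `sys_sigquit` tag 4 and moving the existing `uprobes` field to tag 5 in `Configuration` changes the wire format of a field that is already in use. A daemon and a client built from different revisions would then read the bytes of an uprobe list as a `SysSigquitConfig`, or drop them as an unknown field, so a configuration silently changes meaning instead of failing. Keep `repeated UprobeConfig uprobes = 4;` and give the new field the next free tag, `optional SysSigquitConfig sys_sigquit = 5;`.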
@@ -34,4 +35,8 @@ message SysSendmsgConfig { message JniReferencesConfig { repeated uint32 pids = 1; +} + +message SysSigquitConfig { + repeated uint32 pids = 1; } \ No newline at end of file diff --git a/rust/shared/proto/ziofa.proto b/rust/shared/proto/ziofa.proto index b8556b36..9bb0eb57 100644 --- a/rust/shared/proto/ziofa.proto +++ b/rust/shared/proto/ziofa.proto @@ -70,6 +70,7 @@ message Event { VfsWriteEvent vfs_write = 1; SysSendmsgEvent sys_sendmsg = 2; JniReferencesEvent jni_references = 3; + SysSigquitEvent sys_sigquit = 4; } } @@ -103,3 +104,9 @@ message JniReferencesEvent { JniMethodName jni_method_name = 4; } +message SysSigquitEvent { + uint32 pid = 1; + uint32 tid = 2; + uint64 time_stamp = 3; + uint64 target_pid = 4; +} \ No newline at end of file
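Review bot: `uint64 target_pid = 4;` in `SysSigquitEvent` is the only PID in the message that is not `uint32`, and the Kotlin model repeats this with `targetPid: ULong` next to `pid: UInt`. If the value is the pid argument of the signalling syscall, it is a signed `pid_t` in which 0, -1 and other negative values address process groups. An unsigned 64-bit field makes those cases hard to read for anyone analysing the events. Either declare it as `int32 target_pid = 4;` or add a comment on the field that states how the raw argument is encoded. The message also lacks a trailing newline at end of file.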