pref: Use kprobe for process_vm_writev

aquasecurity · yanivagman · Aug 22, 2024 · Aug 18, 2024 · Aug 19, 2024 · Aug 18, 2024
commit ed64efae8267cc7e929bc4b279cb7c1347687b22
diff --git a/pkg/ebpf/c/common/arch.h b/pkg/ebpf/c/common/arch.h
@@ -172,6 +172,7 @@ statfunc struct pt_regs *get_current_task_pt_regs(void)
     #define SYSCALL_SYNCFS                 306
     #define SYSCALL_SENDMMSG               307
     #define SYSCALL_SETNS                  308
+    #define SYSCALL_PROCESS_VM_WRITEV      311
     #define SYSCALL_FINIT_MODULE           313
     #define SYSCALL_EXECVEAT               322
     #define SYSCALL_PREADV2                327
@@ -277,6 +278,7 @@ statfunc struct pt_regs *get_current_task_pt_regs(void)
     #define SYSCALL_SYNCFS                 267
     #define SYSCALL_SETNS                  268
     #define SYSCALL_SENDMMSG               269
+    #define SYSCALL_PROCESS_VM_WRITEV      271
     #define SYSCALL_FINIT_MODULE           273
     #define SYSCALL_EXECVEAT               281
     #define SYSCALL_PREADV2                286

diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -360,6 +360,7 @@ int trace_sys_exit(struct bpf_raw_tracepoint_args *ctx)
 
 // macros for syscall kprobes
 TRACE_SYSCALL(ptrace, SYSCALL_PTRACE)
+TRACE_SYSCALL(process_vm_writev, SYSCALL_PROCESS_VM_WRITEV)
 
 SEC("raw_tracepoint/sys_execve")
 int syscall__execve_enter(void *ctx)

diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
@@ -226,6 +226,8 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 		SecuritySettime64:          NewTraceProbe(KProbe, "security_settime64", "trace_security_settime64"),
 		Ptrace:                     NewTraceProbe(SyscallEnter, "ptrace", "trace_ptrace"),
 		PtraceRet:                  NewTraceProbe(SyscallExit, "ptrace", "trace_ret_ptrace"),
+		ProcessVmWritev:            NewTraceProbe(SyscallEnter, "process_vm_writev", "trace_process_vm_writev"),
+		ProcessVmWritevRet:         NewTraceProbe(SyscallExit, "process_vm_writev", "trace_ret_process_vm_writev"),
 
 		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 		ExecTest:            NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),

diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
@@ -152,6 +152,8 @@ const (
 	SecuritySettime64
 	Ptrace
 	PtraceRet
+	ProcessVmWritev
+	ProcessVmWritevRet
 )
 
 // Test probe handles

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -7819,14 +7819,8 @@ var CoreEvents = map[ID]Definition{
 		},
 		dependencies: Dependencies{
 			probes: []Probe{
-				{handle: probes.SyscallEnter__Internal, required: true},
-				{handle: probes.SyscallExit__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(ProcessVmWritev)}},
-				{"sys_enter_submit_tail", "sys_enter_submit", []uint32{uint32(ProcessVmWritev)}},
-				{"sys_exit_init_tail", "sys_exit_init", []uint32{uint32(ProcessVmWritev)}},
-				{"sys_exit_submit_tail", "sys_exit_submit", []uint32{uint32(ProcessVmWritev)}},
+				{handle: probes.ProcessVmWritev, required: true},
+				{handle: probes.ProcessVmWritevRet, required: true},
 			},
 		},
 	},