Merge pull request #1579 from rksharma95/add-tty

feat(monitor): add tty information to kernel events
kubearmor · Jan 12, 2024 · 15b707c · 15b707c
2 parents 440bce1 + 87ff0ce
commit 15b707c
Show file tree

Hide file tree

Showing 8 changed files with 152 additions and 100 deletions.
diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c
@@ -65,6 +65,7 @@
 
 #define TASK_COMM_LEN 16
 #define CWD_LEN 80
+#define TTY_LEN 64
 
 #define MAX_BUFFER_SIZE 32768
 #define MAX_STRING_SIZE 4096
@@ -219,6 +220,7 @@ typedef struct __attribute__((__packed__)) sys_context
 
     char comm[TASK_COMM_LEN];
     char cwd[CWD_LEN];
+    char tty[TTY_LEN];
     u32 oid; // owner id
 } sys_context_t;
 
@@ -996,6 +998,17 @@ static __always_inline u32 init_context(sys_context_t *context)
 
     bpf_get_current_comm(&context->comm, sizeof(context->comm));
 
+    // check if tty is attached
+    struct signal_struct *signal;
+    signal = READ_KERN(task->signal);
+    if (signal != NULL){
+        struct tty_struct *tty = READ_KERN(signal->tty);
+        if (tty != NULL){
+            // a tty is attached
+            bpf_probe_read_str(&context->tty, TTY_LEN, (void *)tty->name);
+        }
+    }
+
     // get cwd
     fs = READ_KERN(task->fs);
     struct path path = READ_KERN(fs->pwd);

diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go
@@ -689,6 +689,7 @@ func (fd *Feeder) PushLog(log tp.Log) {
 		}
 
 		pbAlert.Type = log.Type
+		pbAlert.TTY = log.TTY
 		pbAlert.Source = log.Source
 		pbAlert.Operation = log.Operation
 		pbAlert.Resource = strings.ToValidUTF8(log.Resource, "")
@@ -763,6 +764,7 @@ func (fd *Feeder) PushLog(log tp.Log) {
 		pbLog.ProcessName = log.ProcessName
 
 		pbLog.Type = log.Type
+		pbLog.TTY = log.TTY
 		pbLog.Source = log.Source
 		pbLog.Operation = log.Operation
 		pbLog.Resource = strings.ToValidUTF8(log.Resource, "")

diff --git a/KubeArmor/monitor/logUpdate.go b/KubeArmor/monitor/logUpdate.go
@@ -85,6 +85,7 @@ func (mon *SystemMonitor) BuildLogBase(eventID int32, msg ContextCombined) tp.Lo
 	}
 
 	log.Cwd = strings.TrimRight(string(msg.ContextSys.Cwd[:]), "\x00") + "/"
+	log.TTY = strings.TrimRight(string(msg.ContextSys.TTY[:]), "\x00")
 	log.OID = int32(msg.ContextSys.OID)
 
 	log.ParentProcessName = mon.GetExecPath(msg.ContainerID, msg.ContextSys.HostPPID, false)

diff --git a/KubeArmor/monitor/systemMonitor.go b/KubeArmor/monitor/systemMonitor.go
@@ -83,6 +83,7 @@ type SyscallContext struct {
 
 	Comm [16]byte
 	Cwd  [80]byte
+	TTY  [64]byte
 	OID  uint32
 }
 

diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
@@ -229,6 +229,7 @@ type Log struct {
 	Operation string `json:"operation"`
 	Resource  string `json:"resource"`
 	Cwd       string `json:"cwd"`
+	TTY       string `json:"tty,omitempty"`
 	OID       int32  `json:"oid"`
 	Data      string `json:"data,omitempty"`
 	Action    string `json:"action,omitempty"`

diff --git a/protobuf/kubearmor.pb.go b/protobuf/kubearmor.pb.go
diff --git a/protobuf/kubearmor.proto b/protobuf/kubearmor.proto
@@ -74,6 +74,7 @@ message Alert {
   string Action = 22;
   string Result = 23;
   string Cwd = 32;
+  string TTY = 33;
 }
 
 // log struct
@@ -110,6 +111,7 @@ message Log {
 
   string Result = 18;
   string Cwd = 25;
+  string TTY = 26;
 }
 
 // request message

diff --git a/protobuf/kubearmor_grpc.pb.go b/protobuf/kubearmor_grpc.pb.go