Merge pull request #84 from ehids/bash-filter-by-uid

New feature: #80 event filter by uid
gojue · Jun 17, 2022 · 3215a54 · 3215a54
2 parents 77659a1 + a499344
commit 3215a54
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 7 deletions.
diff --git a/cli/cmd/bash.go b/cli/cmd/bash.go
@@ -61,6 +61,7 @@ func bashCommandFunc(command *cobra.Command, args []string) {
 		os.Exit(1)
 	}
 	bc.Pid = gConf.Pid
+	bc.Uid = gConf.Uid
 	bc.Debug = gConf.Debug
 	bc.IsHex = gConf.IsHex
 

diff --git a/cli/cmd/global.go b/cli/cmd/global.go
@@ -14,6 +14,7 @@ type GlobalFlags struct {
 	IsHex    bool
 	Debug    bool
 	Pid      uint64 // PID
+	Uid      uint64 // UID
 	NoSearch bool   // No lib search
 }
 
@@ -23,6 +24,11 @@ func getGlobalConf(command *cobra.Command) (conf GlobalFlags, err error) {
 		return
 	}
 
+	conf.Uid, err = command.Flags().GetUint64("uid")
+	if err != nil {
+		return
+	}
+
 	conf.Debug, err = command.Flags().GetBool("debug")
 	if err != nil {
 		return

diff --git a/cli/cmd/root.go b/cli/cmd/root.go
@@ -23,6 +23,7 @@ var (
 
 const (
 	defaultPid uint64 = 0
+	defaultUid uint64 = 0
 )
 
 // rootCmd represents the base command when called without any subcommands
@@ -75,4 +76,5 @@ func init() {
 	rootCmd.PersistentFlags().BoolVar(&globalFlags.IsHex, "hex", false, "print byte strings as hex encoded strings")
 	rootCmd.PersistentFlags().BoolVar(&globalFlags.NoSearch, "nosearch", false, "no lib search")
 	rootCmd.PersistentFlags().Uint64VarP(&globalFlags.Pid, "pid", "p", defaultPid, "if pid is 0 then we target all pids")
+	rootCmd.PersistentFlags().Uint64VarP(&globalFlags.Uid, "uid", "u", defaultUid, "if uid is 0 then we target all users")
 }
diff --git a/kern/bash_kern.c b/kern/bash_kern.c
@@ -2,6 +2,7 @@
 
 struct event {
     u32 pid;
+    u32 uid;
     u8 line[MAX_DATA_SIZE_BASH];
     u32 retval;
     char comm[TASK_COMM_LEN];
@@ -22,18 +23,24 @@ const struct event *unused __attribute__((unused));
 
 SEC("uretprobe/bash_readline")
 int uretprobe_bash_readline(struct pt_regs *ctx) {
-    s64 pid_tgid = bpf_get_current_pid_tgid();
-    int pid = pid_tgid >> 32;
+    u64 pid_tgid = bpf_get_current_pid_tgid();
+    u32 pid = pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
 
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+            return 0;
+    }
 #endif
 
     struct event event = {};
     event.pid = pid;
+    event.uid = uid;
     // bpf_printk("!! uretprobe_bash_readline pid:%d",target_pid );
     bpf_probe_read(&event.line, sizeof(event.line), (void *)PT_REGS_RC(ctx));
     bpf_get_current_comm(&event.comm, sizeof(event.comm));
@@ -43,15 +50,20 @@ int uretprobe_bash_readline(struct pt_regs *ctx) {
 }
 SEC("uretprobe/bash_retval")
 int uretprobe_bash_retval(struct pt_regs *ctx) {
-    s64 pid_tgid = bpf_get_current_pid_tgid();
-    int pid = pid_tgid >> 32;
+    u64 pid_tgid = bpf_get_current_pid_tgid();
+    u32 pid = pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     int retval = (int)PT_REGS_RC(ctx);
 
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
 
     struct event *event_p = bpf_map_lookup_elem(&events_t, &pid);

diff --git a/kern/common.h b/kern/common.h
@@ -30,9 +30,9 @@
 // .rodata section bug via : https://github.com/ehids/ecapture/issues/39
 #ifndef KERNEL_LESS_5_2
 const volatile u64 target_pid = 0;
+const volatile u64 target_uid = 0;
 const volatile int target_errno = BASH_ERRNO_DEFAULT;
 #else
-// u64 target_pid = 0;
 #endif
 
 char __license[] SEC("license") = "Dual MIT/GPL";

diff --git a/user/event_bash.go b/user/event_bash.go
@@ -21,6 +21,7 @@ type bashEvent struct {
 	module     IModule
 	event_type EVENT_TYPE
 	Pid        uint32
+	Uid        uint32
 	Line       [MAX_DATA_SIZE_BASH]uint8
 	Retval     uint32
 	Comm       [16]byte
@@ -31,6 +32,9 @@ func (this *bashEvent) Decode(payload []byte) (err error) {
 	if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil {
 		return
 	}
+	if err = binary.Read(buf, binary.LittleEndian, &this.Uid); err != nil {
+		return
+	}
 	if err = binary.Read(buf, binary.LittleEndian, &this.Line); err != nil {
 		return
 	}
@@ -45,12 +49,12 @@ func (this *bashEvent) Decode(payload []byte) (err error) {
 }
 
 func (this *bashEvent) String() string {
-	s := fmt.Sprintf(fmt.Sprintf(" PID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s", this.Pid, this.Comm, this.Retval, unix.ByteSliceToString((this.Line[:]))))
+	s := fmt.Sprintf(fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s", this.Pid, this.Uid, this.Comm, this.Retval, unix.ByteSliceToString((this.Line[:]))))
 	return s
 }
 
 func (this *bashEvent) StringHex() string {
-	s := fmt.Sprintf(fmt.Sprintf(" PID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s,", this.Pid, this.Comm, this.Retval, dumpByteSlice([]byte(unix.ByteSliceToString((this.Line[:]))), "")))
+	s := fmt.Sprintf(fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s,", this.Pid, this.Uid, this.Comm, this.Retval, dumpByteSlice([]byte(unix.ByteSliceToString((this.Line[:]))), "")))
 	return s
 }
 

diff --git a/user/iconfig.go b/user/iconfig.go
@@ -9,10 +9,12 @@ import "ecapture/pkg/util/kernel"
 type IConfig interface {
 	Check() error //检测配置合法性
 	GetPid() uint64
+	GetUid() uint64
 	GetHex() bool
 	GetDebug() bool
 	GetNoSearch() bool
 	SetPid(uint64)
+	SetUid(uint64)
 	SetHex(bool)
 	SetDebug(bool)
 	SetNoSearch(bool)
@@ -21,6 +23,7 @@ type IConfig interface {
 
 type eConfig struct {
 	Pid      uint64
+	Uid      uint64
 	IsHex    bool
 	Debug    bool
 	NoSearch bool
@@ -30,6 +33,10 @@ func (this *eConfig) GetPid() uint64 {
 	return this.Pid
 }
 
+func (this *eConfig) GetUid() uint64 {
+	return this.Uid
+}
+
 func (this *eConfig) GetDebug() bool {
 	return this.Debug
 }
@@ -46,6 +53,10 @@ func (this *eConfig) SetPid(pid uint64) {
 	this.Pid = pid
 }
 
+func (this *eConfig) SetUid(uid uint64) {
+	this.Uid = uid
+}
+
 func (this *eConfig) SetDebug(b bool) {
 	this.Debug = b
 }

diff --git a/user/probe_bash.go b/user/probe_bash.go
@@ -82,6 +82,11 @@ func (this *MBashProbe) constantEditor() []manager.ConstantEditor {
 			Value: uint64(this.conf.GetPid()),
 			//FailOnMissing: true,
 		},
+		{
+			Name:  "target_uid",
+			Value: uint64(this.conf.GetUid()),
+			//FailOnMissing: true,
+		},
 		{
 			Name:  "target_errno",
 			Value: uint32(this.Module.conf.(*BashConfig).ErrNo),
@@ -93,6 +98,13 @@ func (this *MBashProbe) constantEditor() []manager.ConstantEditor {
 	} else {
 		this.logger.Printf("target PID:%d \n", this.conf.GetPid())
 	}
+
+	if this.conf.GetUid() <= 0 {
+		this.logger.Printf("target all users. \n")
+	} else {
+		this.logger.Printf("target UID:%d \n", this.conf.GetUid())
+	}
+
 	return editor
 }