feat: extend string data filtering for other events

aquasecurity · Jan 8, 2025 · 34956a5 · 34956a5
1 parent 22fa7ba
commit 34956a5
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -2209,6 +2209,9 @@ int BPF_KPROBE(trace_security_bprm_check)
     if (p.config->options & OPT_EXEC_ENV)
         save_str_arr_to_buf(&p.event->args_buf, envp, 4);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -2318,6 +2321,9 @@ int BPF_KPROBE(trace_security_inode_unlink)
     save_to_submit_buf(&p.event->args_buf, &unlinked_file_id.device, sizeof(dev_t), 2);
     save_to_submit_buf(&p.event->args_buf, &unlinked_file_id.ctime, sizeof(u64), 3);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -3547,6 +3553,9 @@ int BPF_KPROBE(trace_ret_do_mmap)
     save_to_submit_buf(&p.event->args_buf, &prot, sizeof(unsigned long), 8);
     save_to_submit_buf(&p.event->args_buf, &mmap_flags, sizeof(unsigned long), 9);
 
+    if (!evaluate_data_filters(&p, 1))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -3648,6 +3657,9 @@ int BPF_KPROBE(trace_security_file_mprotect)
             save_to_submit_buf(&p.event->args_buf, &pkey, sizeof(int), 6);
         }
 
+        if (!evaluate_data_filters(&p, 0))
+            return 0;
+
         events_perf_submit(&p, 0);
     }
 
@@ -4086,6 +4098,9 @@ int BPF_KPROBE(trace_security_kernel_read_file)
     save_to_submit_buf(&p.event->args_buf, &type_id, sizeof(int), 3);
     save_to_submit_buf(&p.event->args_buf, &ctime, sizeof(u64), 4);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 
@@ -4110,6 +4125,10 @@ int BPF_KPROBE(trace_security_kernel_post_read_file)
         save_str_to_buf(&p.event->args_buf, file_path, 0);
         save_to_submit_buf(&p.event->args_buf, &size, sizeof(loff_t), 1);
         save_to_submit_buf(&p.event->args_buf, &type_id, sizeof(int), 2);
+
+        if (!evaluate_data_filters(&p, 0))
+            return 0;
+
         events_perf_submit(&p, 0);
     }
 
@@ -5134,6 +5153,9 @@ int BPF_KPROBE(trace_security_path_notify)
     save_to_submit_buf(&p.event->args_buf, &mask, sizeof(u64), 3);
     save_to_submit_buf(&p.event->args_buf, &obj_type, sizeof(unsigned int), 4);
 
+    if (!evaluate_data_filters(&p, 0))
+        return 0;
+
     return events_perf_submit(&p, 0);
 }
 

diff --git a/pkg/filters/data.go b/pkg/filters/data.go
@@ -168,7 +168,14 @@ func (f *DataFilter) Parse(id events.ID, fieldName string, operatorAndValues str
 		switch id {
 		case events.SecurityFileOpen,
 			events.MagicWrite,
-			events.SecurityMmapFile:
+			events.SecurityMmapFile,
+			events.SecurityBprmCheck,
+			events.SecurityKernelReadFile,
+			events.SecurityPostReadFile,
+			events.DoMmap,
+			events.SecurityFileMprotect,
+			events.SecurityPathNotify,
+			events.SecurityInodeUnlink:
 			return f.processKernelFilter(val, fieldName)
 
 		case events.SysEnter,