events: combine hooked_seq_ops event output to one event

AsafEitani · rafaeldtinoco · commit 1f67247ef75f · 2022-08-09T16:02:21.000-03:00
Invokes only one event in each triggering instead of
event for each struct checked.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1754,7 +1754,7 @@ add_u64_elements_to_buf(event_data_t *data, const u64 __user *ptr, int len, u32
 {
     u8 elem_num = 0;
     u8 current_elem_num;
-    #pragma unroll
+#pragma unroll
     for (int i = 0; i < len; i++) {
         void *addr = &(data->submit_p->buf[data->buf_off]);
         if (data->buf_off > MAX_PERCPU_BUFSIZE - sizeof(u64))
@@ -3180,55 +3180,52 @@ int uprobe_syscall_trigger(struct pt_regs *ctx)
     return events_perf_submit(&data, PRINT_SYSCALL_TABLE, 0);
 }
 
-static __always_inline void invoke_fetch_network_seq_operations_event(struct pt_regs *ctx,
-                                                                      unsigned long struct_address)
-{
-    event_data_t data = {};
-    if (!init_event_data(&data, ctx))
-        return;
-
-    struct seq_operations *seq_ops = (struct seq_operations *) struct_address;
-    u64 show_addr = (u64) READ_KERN(seq_ops->show);
-    if (show_addr == 0) {
-        return;
-    }
-
-    u64 start_addr = (u64) READ_KERN(seq_ops->start);
-    if (start_addr == 0) {
-        return;
-    }
-
-    u64 next_addr = (u64) READ_KERN(seq_ops->next);
-    if (next_addr == 0) {
-        return;
-    }
-
-    u64 stop_addr = (u64) READ_KERN(seq_ops->stop);
-    if (stop_addr == 0) {
-        return;
-    }
-    u64 seq_ops_addresses[NET_SEQ_OPS_SIZE + 1] = {
-        (u64) seq_ops, show_addr, start_addr, next_addr, stop_addr};
-    save_u64_arr_to_buf(&data, (const u64 *) seq_ops_addresses, 5, 0);
-    events_perf_submit(&data, PRINT_NET_SEQ_OPS, 0);
-}
-
 SEC("uprobe/trigger_seq_ops_event")
 int uprobe_seq_ops_trigger(struct pt_regs *ctx)
 {
 #if defined(bpf_target_x86)
-    uint64_t *address_array = ((void *) ctx->sp);
+    uint64_t *address_array = ((void *) ctx->sp + 8);
 #elif defined(bpf_target_arm64)
     uint64_t *address_array = ((void *) ctx->sp) + 16;
 #else
     return 0;
 #endif
 
     uint64_t struct_address;
+    event_data_t data = {};
+    if (!init_event_data(&data, ctx))
+        return 0;
+    u32 count_off = data.buf_off + 1;
+    // Init u64 arr with size 0 before adding elements in loop
+    save_u64_arr_to_buf(&data, NULL, 0, 0);
+#pragma unroll
     for (int i = 0; i < NET_SEQ_OPS_TYPES; i++) {
         bpf_probe_read(&struct_address, 8, (address_array + i));
-        invoke_fetch_network_seq_operations_event(ctx, struct_address);
+        struct seq_operations *seq_ops = (struct seq_operations *) struct_address;
+        u64 show_addr = (u64) READ_KERN(seq_ops->show);
+        if (show_addr == 0) {
+            return 0;
+        }
+
+        u64 start_addr = (u64) READ_KERN(seq_ops->start);
+        if (start_addr == 0) {
+            return 0;
+        }
+
+        u64 next_addr = (u64) READ_KERN(seq_ops->next);
+        if (next_addr == 0) {
+            return 0;
+        }
+
+        u64 stop_addr = (u64) READ_KERN(seq_ops->stop);
+        if (stop_addr == 0) {
+            return 0;
+        }
+        u64 seq_ops_addresses[NET_SEQ_OPS_SIZE + 1] = {show_addr, start_addr, next_addr, stop_addr};
+
+        add_u64_elements_to_buf(&data, (const u64 *) seq_ops_addresses, 4, count_off);
     }
+    events_perf_submit(&data, PRINT_NET_SEQ_OPS, 0);
     return 0;
 }
 
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/aquasecurity/tracee/pkg/events/derive"
 	"io"
 	"io/ioutil"
 	"net"
@@ -1108,17 +1109,6 @@ func (t *Tracee) getCapturedIfaceIdx(ifaceName string) (int, bool) {
 	return t.config.Capture.NetIfaces.Find(ifaceName)
 }
 
-// Struct names for the interfaces HookedSeqOpsEventID checks for hooks
-// The show,start,next and stop operation function pointers will be checked for each of those
-var netSeqOps = [6]string{
-	"tcp4_seq_ops",
-	"tcp6_seq_ops",
-	"udp_seq_ops",
-	"udp6_seq_ops",
-	"raw_seq_ops",
-	"raw6_seq_ops",
-}
-
 func (t *Tracee) triggerSyscallsIntegrityCheck() {
 	_, ok := t.events[events.HookedSyscalls]
 	if !ok {
@@ -1137,9 +1127,9 @@ func (t *Tracee) triggerSeqOpsIntegrityCheck() {
 	if !ok {
 		return
 	}
-	var seqOpsPointers [len(netSeqOps)]uint64
-	for i, seq_name := range netSeqOps {
-		seqOpsStruct, err := t.kernelSymbols.GetSymbolByName("system", seq_name)
+	var seqOpsPointers [len(derive.NetSeqOps)]uint64
+	for i, seqName := range derive.NetSeqOps {
+		seqOpsStruct, err := t.kernelSymbols.GetSymbolByName("system", seqName)
 		if err != nil {
 			continue
 		}
@@ -1150,7 +1140,7 @@ func (t *Tracee) triggerSeqOpsIntegrityCheck() {
 
 // triggerSeqOpsIntegrityCheck is used by a Uprobe to trigger an eBPF program that prints the seq ops pointers
 //go:noinline
-func (t *Tracee) triggerSeqOpsIntegrityCheckCall(seqOpsStruct [len(netSeqOps)]uint64) error {
+func (t *Tracee) triggerSeqOpsIntegrityCheckCall(seqOpsStruct [len(derive.NetSeqOps)]uint64) error {
 	return nil
 }
 
diff --git a/pkg/events/derive/hooked_seq_ops.go b/pkg/events/derive/hooked_seq_ops.go
@@ -8,6 +8,24 @@ import (
 	"github.com/aquasecurity/tracee/types/trace"
 )
 
+// Struct names for the interfaces HookedSeqOpsEventID checks for hooks
+// The show,start,next and stop operation function pointers will be checked for each of those
+var NetSeqOps = [6]string{
+	"tcp4_seq_ops",
+	"tcp6_seq_ops",
+	"udp_seq_ops",
+	"udp6_seq_ops",
+	"raw_seq_ops",
+	"raw6_seq_ops",
+}
+
+var NetSeqOpsFuncs = [4]string{
+	"show",
+	"start",
+	"next",
+	"stop",
+}
+
 func HookedSeqOps(kernelSymbols *helpers.KernelSymbolTable) events.DeriveFunction {
 	return singleEventDeriveFunc(events.HookedSeqOps, deriveHookedSeqOpsArgs(kernelSymbols))
 
@@ -19,18 +37,18 @@ func deriveHookedSeqOpsArgs(kernelSymbols *helpers.KernelSymbolTable) deriveArgs
 		if err != nil || len(seqOpsArr) < 1 {
 			return nil, err
 		}
-		seqOpsName := utils.ParseSymbol(seqOpsArr[0], kernelSymbols).Name
-		hookedSeqOps := make([]trace.HookedSymbolData, 0)
-		for _, addr := range seqOpsArr[1:] {
+		hookedSeqOps := make(map[string]trace.HookedSymbolData, 0)
+		for i, addr := range seqOpsArr {
 			inTextSegment, err := kernelSymbols.TextSegmentContains(addr)
 			if err != nil {
 				continue
 			}
 			if !inTextSegment {
 				hookingFunction := utils.ParseSymbol(addr, kernelSymbols)
-				hookedSeqOps = append(hookedSeqOps, trace.HookedSymbolData{SymbolName: hookingFunction.Name, ModuleOwner: hookingFunction.Owner})
+				hookedSeqOps[NetSeqOps[i/4]+"_"+NetSeqOpsFuncs[i%4]] =
+					trace.HookedSymbolData{SymbolName: hookingFunction.Name, ModuleOwner: hookingFunction.Owner}
 			}
 		}
-		return []interface{}{seqOpsName, hookedSeqOps}, nil
+		return []interface{}{hookedSeqOps}, nil
 	}
 }
diff --git a/pkg/events/events.go b/pkg/events/events.go
@@ -5890,7 +5890,6 @@ var Definitions = eventDefinitions{
 			},
 			Sets: []string{},
 			Params: []trace.ArgMeta{
-				{Type: "string", Name: "struct_name"},
 				{Type: "[]helpers.KernelSymbol", Name: "hooked_seq_ops"},
 			},
 		},
