ebpfpub icon indicating copy to clipboard operation
ebpfpub copied to clipboard
verified publisher icon trailofbits

The `process_file_events` table in osquery can be reimplemented.

Open alessandrogario opened this issue 6 years ago • 0 comments

With kernel headers, reconstructing the path from task_struct->files

  1. Using bound loops, requiring a kernel version >= 5.3
  2. Writing an unrolled loop, with any kernel >= 4.18; the max iteration count will be limited by the program instruction limit. Syscalls with multiple fd are going to have to split the remaining space. Tail calling another BPF program might help.

Without kernel headers

  1. Using the same approach used by the current Audit-based implementation in osquery (i.e. tracing fd changes in each process). This could also be useful for socket events. Missing events will potentially cause lots of issues. Processes opened before the tracer will not have any known fd state (but we can maybe take a snapshot from /proc).
  2. Using the newly proposed bpf_fd2path helper, requiring a kernel version >= 5.x (I don't think this feature has been merged yet)
  3. Using the upcoming BTF information in the kernel + bounds loops (version >= 5.4)

alessandrogario avatar Dec 18 '19 13:12 alessandrogario