feat: Include rootfs in the Exec event

vadorovsky · vadorovsky · commit 8e6f61f44084 · 2024-06-12T11:59:07.000+02:00
`image` field of the `Exec` event is relative to the root filesystem
of the process. That makes it hard to determine the location of the
binary if the process is containerized (or, in general, runs inside a
mount namespace).

That's where the new `rootfs` comes with help. It contains the full path
to the root filesystem, which in case of containers has format like:

```
/root/var/lib/docker/btrfs/subvolumes/0991d46b6f686f22f06bddb6948073[...]
```

Using that information, we can still inspect that container layer even
when the process (or even container) are not running anymore.
diff --git a/crates/modules/process-monitor/probes.bpf.c b/crates/modules/process-monitor/probes.bpf.c
@@ -73,6 +73,7 @@ struct exec_event
 {
   uid_t uid;
   struct buffer_index filename;
+  struct buffer_index rootfs;
   int argc;
   struct buffer_index argv;
   struct namespaces namespaces;
@@ -151,6 +152,15 @@ struct
   __uint(max_entries, MAX_PENDING_DEAD_PARENTS);
 } orphans_map SEC(".maps");
 
+static __always_inline struct path make_mnt_path(struct mount *mnt)
+{
+  struct path mnt_path = {
+    .dentry = BPF_CORE_READ(mnt, mnt_mountpoint),
+    .mnt = __builtin_preserve_access_index(&mnt->mnt),
+  };
+  return mnt_path;
+}
+
 /*
 Identifies the container engine and reads the cgroup id of a process
 from its `task_struct` into an given array of character.
@@ -316,10 +326,11 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
 
   u64 uid_gid = bpf_get_current_uid_gid();
 
+  struct mnt_namespace *mnt_ns = BPF_CORE_READ(p, nsproxy, mnt_ns);
   event->exec.uid = uid_gid;
   event->exec.namespaces.uts = BPF_CORE_READ(p, nsproxy, uts_ns, ns.inum);
   event->exec.namespaces.ipc = BPF_CORE_READ(p, nsproxy, ipc_ns, ns.inum);
-  event->exec.namespaces.mnt = BPF_CORE_READ(p, nsproxy, mnt_ns, ns.inum);
+  event->exec.namespaces.mnt = BPF_CORE_READ(mnt_ns, ns.inum);
   event->exec.namespaces.pid = BPF_CORE_READ(p, nsproxy, pid_ns_for_children, ns.inum);
   event->exec.namespaces.net = BPF_CORE_READ(p, nsproxy, net_ns, ns.inum);
   event->exec.namespaces.time = BPF_CORE_READ(p, nsproxy, time_ns, ns.inum);
@@ -383,6 +394,11 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
   // Check target and whitelist
   tracker_check_rules(&GLOBAL_INTEREST_MAP, &m_rules, p, image);
 
+  // Rootfs mount is always the first one.
+  struct mount *root_mnt = BPF_CORE_READ(mnt_ns, root);
+  struct path mnt_path = make_mnt_path(root_mnt);
+  get_path_str(&mnt_path, &event->buffer, &event->exec.rootfs);
+
   struct task_struct *task = (struct task_struct *)bpf_get_current_task();
   struct mm_struct *mm = BPF_CORE_READ(task, mm);
   long start = BPF_CORE_READ(mm, arg_start);
diff --git a/crates/modules/process-monitor/src/lib.rs b/crates/modules/process-monitor/src/lib.rs
@@ -96,6 +96,7 @@ pub enum ProcessEvent {
     Exec {
         uid: Uid,
         filename: BufferIndex<str>,
+        rootfs: BufferIndex<str>,
         argc: u32,
         argv: BufferIndex<str>, // 0 separated strings
         namespaces: Namespaces,
@@ -209,6 +210,7 @@ pub mod pulsar {
                         ref argv,
                         namespaces,
                         ref c_container_id,
+                        ..
                     } => {
                         let argv =
                             extract_parameters(argv.bytes(&event.buffer).unwrap_or_else(|err| {
@@ -295,11 +297,13 @@ pub mod pulsar {
                 },
                 ProcessEvent::Exec {
                     filename,
+                    rootfs,
                     argc,
                     argv,
                     ..
                 } => Payload::Exec {
                     filename: filename.string(&buffer)?,
+                    rootfs: rootfs.string(&buffer)?,
                     argc: argc as usize,
                     argv: extract_parameters(argv.bytes(&buffer)?).into(),
                 },
diff --git a/crates/pulsar-core/src/event.rs b/crates/pulsar-core/src/event.rs
@@ -211,6 +211,7 @@ pub enum Payload {
     },
     Exec {
         filename: String,
+        rootfs: String,
         argc: usize,
         argv: Argv,
     },
@@ -304,7 +305,7 @@ impl fmt::Display for Payload {
             Payload::FileRename { source, destination } => write!(f,"File Rename {{ source: {source}, destination {destination} }}"),
             Payload::ElfOpened { filename, flags } => write!(f,"Elf Opened {{ filename: {filename}, flags: {flags} }}"),
             Payload::Fork { ppid, uid, gid } => write!(f,"Fork {{ ppid: {ppid} uid: {uid} gid: {gid} }}"),
-            Payload::Exec { filename, argc, argv } => write!(f,"Exec {{ filename: {filename}, argc: {argc}, argv: {argv} }}"),
+            Payload::Exec { filename, rootfs, argc, argv } => write!(f,"Exec {{ filename: {filename}, rootfs: {rootfs}, argc: {argc}, argv: {argv} }}"),
             Payload::Exit { exit_code } => write!(f,"Exit {{ exit_code: {exit_code} }}"),
             Payload::ChangeParent { ppid } => write!(f,"Parent changed {{ ppid: {ppid} }}"),
             Payload::CredentialsChange { uid, gid } => write!(f,"Credentials changed {{ uid: {uid} gid: {gid} }}"),
