Skip to content

Commit e488d4a

Browse files
Ayush9026Ayush9026
committed
feat(bpf-lsm): add tty information to telemetry
Signed-off-by: Ayush Gupta <[email protected]>
1 parent 3c18ec1 commit e488d4a

File tree

1 file changed

+25
-13
lines changed

1 file changed

+25
-13
lines changed

KubeArmor/BPF/shared.h

Lines changed: 25 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ char LICENSE[] SEC("license") = "Dual BSD/GPL";
2424
#define AUDIT_POSTURE 140
2525
#define BLOCK_POSTURE 141
2626
#define CAPABLE_KEY 200
27+
#define TTY_LEN 64
2728

2829
enum {
2930
IPPROTO_ICMPV6 = 58
@@ -130,6 +131,7 @@ typedef struct {
130131
s64 retval;
131132

132133
u8 comm[TASK_COMM_LEN];
134+
u8 tty[TTY_LEN];
133135

134136
bufs_k data;
135137
} event;
@@ -324,27 +326,37 @@ static inline void get_outer_key(struct outer_key *pokey,
324326

325327
static __always_inline u32 init_context(event *event_data) {
326328
struct task_struct *task = (struct task_struct *)bpf_get_current_task();
329+
u32 tgid, pid;
330+
u32 uid = bpf_get_current_uid_gid() & 0xffffffff;
327331

328332
event_data->ts = bpf_ktime_get_ns();
329-
333+
event_data->pid_id = get_task_pid_ns_id(task);
334+
event_data->mnt_id = get_task_mnt_ns_id(task);
330335
event_data->host_ppid = get_task_ppid(task);
331336
event_data->host_pid = bpf_get_current_pid_tgid() >> 32;
337+
event_data->ppid = get_task_ns_ppid(task);
338+
event_data->pid = get_task_ns_tgid(task);
339+
event_data->uid = uid;
332340

333-
struct outer_key okey;
334-
get_outer_key(&okey, task);
335-
event_data->pid_id = okey.pid_ns;
336-
event_data->mnt_id = okey.mnt_ns;
337-
338-
event_data->ppid = get_task_ppid(task);
339-
event_data->pid = get_task_ns_tgid(task);
341+
bpf_get_current_comm(&event_data->comm, sizeof(event_data->comm));
340342

341-
event_data->uid = bpf_get_current_uid_gid();
343+
// Get TTY information
344+
struct signal_struct *signal = READ_KERN(task->signal);
345+
if (signal != NULL) {
346+
struct tty_struct *tty = READ_KERN(signal->tty);
347+
if (tty != NULL) {
348+
bpf_probe_read_str(&event_data->tty, TTY_LEN, (void *)tty->name);
349+
} else {
350+
event_data->tty[0] = '\0';
351+
}
352+
} else {
353+
event_data->tty[0] = '\0';
354+
}
342355

343-
// Clearing array to avoid garbage values
344-
__builtin_memset(event_data->comm, 0, sizeof(event_data->comm));
345-
bpf_get_current_comm(&event_data->comm, sizeof(event_data->comm));
356+
struct outer_key okey;
357+
get_outer_key(&okey, task);
346358

347-
return 0;
359+
return okey.pid_ns;
348360
}
349361

350362

0 commit comments

Comments
 (0)