Merge branch 'aquasecurity:main' into newServerFlag

aquasecurity · Jan 7, 2025 · d6cff8f · d6cff8f
2 parents 9179f50 + 0c2a414
commit d6cff8f
Show file tree

Hide file tree

Showing 49 changed files with 157 additions and 187 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -285,6 +285,10 @@ jobs:
               ["Noble 6.8 aarch64"]="0f5260685b3ec2293 aarch64"
               ["Noble 6.10 x86_64"]="0ae23eabda70efc60 x86_64"
               ["Noble 6.10 aarch64"]="01ce0f71400b5ff38 aarch64"
+              ["Noble 6.11 x86_64"]="0ce1f88aa63091921 x86_64"
+              ["Noble 6.11 aarch64"]="0123508488affb578 aarch64"
+              ["Noble 6.12 x86_64"]="0e38f3caba1b4234d x86_64"
+              ["Noble 6.12 aarch64"]="0547f429681dc1f2a aarch64"
               # expand as needed
           )
           for num in 01; do

diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
 	github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289
-	github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d
+	github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241225084355-5b8f456dae7b
 	github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863
 	github.com/containerd/containerd v1.7.21
 	github.com/docker/docker v26.1.5+incompatible

diff --git a/go.sum b/go.sum
@@ -404,8 +404,8 @@ github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca/go.mod h1:UpO6kTehEgAGGKR2twztBxvzjTiLiV/cb2xmlYb+TfE=
 github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289 h1:mr7+agMcMRwn9vRwc44MaEFTUZnw0pvIbhteyANG38I=
 github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289/go.mod h1:Gn6xVkaBkVe1pOQ0++uuHl+lMMClv0TPY8mCQ6j88aA=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d h1:DRHCyvgCuLNg8cSKKEhPFMCTFqlqOa9bffOPL6Wx0TI=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d/go.mod h1:/eGxScU8+vnxYhchZ72Y0lv1HqTSooLvtGCt9x7450I=
+github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241225084355-5b8f456dae7b h1:eTIrU0vdn49P0LhtEypnSdGgoRzLvNPAGivGHPnCBXg=
+github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241225084355-5b8f456dae7b/go.mod h1:DL+Q2DxyS7dpJGt4NVj26XbPiE2bjRK4vwqrmImr6Go=
 github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863 h1:domVTTQICTuCvX+ZW5EjvdUBz8EH7FedBj5lRqwpgf4=
 github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863/go.mod h1:Jwh9OOuiMHXDoGQY12N9ls5YB+j1FlRcXvFMvh1CmIU=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

diff --git a/pkg/ebpf/signature_engine.go b/pkg/ebpf/signature_engine.go
@@ -82,16 +82,28 @@ func (t *Tracee) engineEvents(ctx context.Context, in <-chan *trace.Event) (<-ch
 			// arguments parsing) can affect engine stage.
 			eventCopy := *event
 
+			// if t.config.Output.ParseArguments {
+			// 	// shallow clone the event arguments before parsing them (new slice is created),
+			// 	// to keep the eventCopy with raw arguments.
+			// 	eventCopy.Args = slices.Clone(event.Args)
+
+			// 	err := t.parseArguments(event)
+			// 	if err != nil {
+			// 		t.handleError(err)
+			// 		return
+			// 	}
+			// }
+
+			// This is a workaround to keep working with parsed arguments in the engine stage.
+			// Once fully migrated, this should be reverted to the commented code above
+			eventCopy.Args = slices.Clone(event.Args)
+			err := t.parseArguments(&eventCopy)
+			if err != nil {
+				t.handleError(err)
+				return
+			}
 			if t.config.Output.ParseArguments {
-				// shallow clone the event arguments before parsing them (new slice is created),
-				// to keep the eventCopy with raw arguments.
-				eventCopy.Args = slices.Clone(event.Args)
-
-				err := t.parseArguments(event)
-				if err != nil {
-					t.handleError(err)
-					return
-				}
+				event.Args = slices.Clone(eventCopy.Args)
 			}
 
 			// pass the event to the sink stage, if the event is also marked as emit

diff --git a/pkg/signatures/benchmark/signature/golang/anti_debugging.go b/pkg/signatures/benchmark/signature/golang/anti_debugging.go
@@ -3,7 +3,6 @@ package golang
 import (
 	"fmt"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/helpers"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
@@ -13,7 +12,6 @@ import (
 type antiDebugging struct {
 	cb       detect.SignatureHandler
 	metadata detect.SignatureMetadata
-	logger   detect.Logger
 }
 
 func NewAntiDebuggingSignature() (detect.Signature, error) {
@@ -32,7 +30,6 @@ func NewAntiDebuggingSignature() (detect.Signature, error) {
 
 func (sig *antiDebugging) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
-	sig.logger = ctx.Logger
 	return nil
 }
 
@@ -55,30 +52,22 @@ func (sig *antiDebugging) OnEvent(event protocol.Event) error {
 	if ee.EventName != "ptrace" {
 		return nil
 	}
-	requestArg, err := helpers.GetTraceeIntArgumentByName(ee, "request")
+	request, err := helpers.GetTraceeArgumentByName(ee, "request", helpers.GetArgOps{DefaultArgs: false})
 	if err != nil {
 		return err
 	}
-
-	if uint64(requestArg) != parsers.PTRACE_TRACEME.Value() {
-		return nil
+	requestString, ok := request.Value.(string)
+	if !ok {
+		return fmt.Errorf("failed to cast request's value")
 	}
-
-	var ptraceRequestData string
-	requestString, err := parsers.ParsePtraceRequestArgument(uint64(requestArg))
-
-	if err != nil {
-		ptraceRequestData = fmt.Sprint(requestArg)
-		sig.logger.Debugw("anti_debugging sig: failed to parse ptrace request argument: %v", err)
-	} else {
-		ptraceRequestData = requestString.String()
+	if requestString != "PTRACE_TRACEME" {
+		return nil
 	}
-
 	sig.cb(&detect.Finding{
 		SigMetadata: sig.metadata,
 		Event:       event,
 		Data: map[string]interface{}{
-			"ptrace request": ptraceRequestData,
+			"ptrace request": requestString,
 		},
 	})
 	return nil

diff --git a/pkg/signatures/benchmark/signature/golang/code_injection.go b/pkg/signatures/benchmark/signature/golang/code_injection.go
@@ -65,11 +65,11 @@ func (sig *codeInjection) OnEvent(event protocol.Event) error {
 	}
 	switch ee.EventName {
 	case "open", "openat":
-		flags, err := helpers.GetTraceeIntArgumentByName(ee, "flags")
+		flags, err := helpers.GetTraceeArgumentByName(ee, "flags", helpers.GetArgOps{DefaultArgs: false})
 		if err != nil {
 			return fmt.Errorf("%v %#v", err, ee)
 		}
-		if helpers.IsFileWrite(flags) {
+		if helpers.IsFileWrite(flags.Value.(string)) {
 			pathname, err := helpers.GetTraceeArgumentByName(ee, "pathname", helpers.GetArgOps{DefaultArgs: false})
 			if err != nil {
 				return err

diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go
@@ -3,7 +3,6 @@ package main
 import (
 	"fmt"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/helpers"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
@@ -12,12 +11,12 @@ import (
 
 type AntiDebuggingPtraceme struct {
 	cb            detect.SignatureHandler
-	ptraceTraceMe int
+	ptraceTraceMe string
 }
 
 func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
-	sig.ptraceTraceMe = int(parsers.PTRACE_TRACEME.Value())
+	sig.ptraceTraceMe = "PTRACE_TRACEME"
 	return nil
 }
 
@@ -53,7 +52,7 @@ func (sig *AntiDebuggingPtraceme) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "ptrace":
-		requestArg, err := helpers.GetTraceeIntArgumentByName(eventObj, "request")
+		requestArg, err := helpers.GetTraceeStringArgumentByName(eventObj, "request")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/anti_debugging_ptraceme_test.go b/signatures/golang/anti_debugging_ptraceme_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -30,7 +29,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "request",
 							},
-							Value: interface{}(int64(parsers.PTRACE_TRACEME.Value())),
+							Value: interface{}("PTRACE_TRACEME"),
 						},
 					},
 				},
@@ -45,7 +44,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "request",
 								},
-								Value: interface{}(int64(parsers.PTRACE_TRACEME.Value())),
+								Value: interface{}("PTRACE_TRACEME"),
 							},
 						},
 					}.ToProtocol(),
@@ -77,7 +76,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "request",
 							},
-							Value: interface{}(int64(parsers.PTRACE_PEEKTEXT.Value())),
+							Value: interface{}("PTRACE_PEEKTEXT"),
 						},
 					},
 				},

diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go
@@ -57,7 +57,7 @@ func (sig *AslrInspection) OnEvent(event protocol.Event) error {
 			return err
 		}
 
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/aslr_inspection_test.go b/signatures/golang/aslr_inspection_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -30,7 +29,7 @@ func TestAslrInspection(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+							Value: interface{}("O_RDONLY"),
 						},
 						{
 							ArgMeta: trace.ArgMeta{
@@ -51,7 +50,7 @@ func TestAslrInspection(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "flags",
 								},
-								Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+								Value: interface{}("O_RDONLY"),
 							},
 							{
 								ArgMeta: trace.ArgMeta{
@@ -95,7 +94,7 @@ func TestAslrInspection(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},
@@ -112,7 +111,7 @@ func TestAslrInspection(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+							Value: interface{}("O_RDONLY"),
 						},
 						{
 							ArgMeta: trace.ArgMeta{

diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go
@@ -59,7 +59,7 @@ func (sig *CgroupNotifyOnReleaseModification) OnEvent(event protocol.Event) erro
 		}
 		basename := path.Base(pathname)
 
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/cgroup_notify_on_release_modification_test.go b/signatures/golang/cgroup_notify_on_release_modification_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -36,7 +35,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},
@@ -57,7 +56,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "flags",
 								},
-								Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+								Value: interface{}("O_WRONLY"),
 							},
 						},
 					}.ToProtocol(),
@@ -95,7 +94,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+							Value: interface{}("O_RDONLY"),
 						},
 					},
 				},
@@ -118,7 +117,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},

diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go
@@ -56,7 +56,7 @@ func (sig *CgroupReleaseAgentModification) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "security_file_open":
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/cgroup_release_agent_modification_test.go b/signatures/golang/cgroup_release_agent_modification_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -36,7 +35,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},
@@ -57,7 +56,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "flags",
 								},
-								Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+								Value: interface{}("O_WRONLY"),
 							},
 						},
 					}.ToProtocol(),
@@ -142,7 +141,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+							Value: interface{}("O_RDONLY"),
 						},
 					},
 				},
@@ -165,7 +164,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},

diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go
@@ -58,7 +58,7 @@ func (sig *CorePatternModification) OnEvent(event protocol.Event) error {
 			return err
 		}
 
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}