logging parent process

Signed-off-by: Kohei Morita <[email protected]>
mrtc0 · Nov 8, 2021 · ebd9e27 · ebd9e27
1 parent cb68380
commit ebd9e27
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 13 deletions.
diff --git a/pkg/bpf/bytecode/restricted-network.bpf.o b/pkg/bpf/bytecode/restricted-network.bpf.o
diff --git a/pkg/bpf/c/common.h b/pkg/bpf/c/common.h
@@ -55,6 +55,7 @@ struct audit_event_header {
 	enum audit_event_type type;
 	char nodename[NEW_UTS_LEN + 1];
 	char task[TASK_COMM_LEN];
+	char parent_task[TASK_COMM_LEN];
 };
 
 struct audit_event_blocked_ipv4 {

diff --git a/pkg/bpf/c/restricted-network.bpf.c b/pkg/bpf/c/restricted-network.bpf.c
@@ -57,6 +57,9 @@ static inline void report_ip4_block(void *ctx, u64 cg, enum action action, enum
 	ev.hdr.type = BLOCKED_IPV4;
 	bpf_get_current_comm(&ev.hdr.task, sizeof(ev.hdr.task));
 
+	struct task_struct *parent_task = BPF_CORE_READ(current_task, real_parent);
+	bpf_probe_read_kernel_str(&ev.hdr.parent_task, sizeof(ev.hdr.parent_task), &parent_task->comm);
+
 	ev.dport = __builtin_bswap16(daddr->sin_port);
 	ev.src = src_addr4(sock);
 	ev.dst = BPF_CORE_READ(daddr, sin_addr);

diff --git a/pkg/commands/network/audit.go b/pkg/commands/network/audit.go
@@ -19,12 +19,13 @@ const SRCIP_LEN = 4
 const DSTIP_LEN = 4
 
 type eventHeader struct {
-	CGroupID  uint64
-	PID       uint32
-	EventType int32
-	Nodename  [NEW_UTS_LEN + 1]byte
-	Command   [TASK_COMM_LEN]byte
-	_         [PADDING_LEN]byte
+	CGroupID      uint64
+	PID           uint32
+	EventType     int32
+	Nodename      [NEW_UTS_LEN + 1]byte
+	Command       [TASK_COMM_LEN]byte
+	ParentCommand [TASK_COMM_LEN]byte
+	_             [PADDING_LEN]byte
 }
 
 type eventBlockedIPv4 struct {
@@ -103,13 +104,14 @@ func RunAudit(conf *config.Config) {
 		}
 
 		log.WithFields(logrus.Fields{
-			"Action":   body.ActionResult(),
-			"Hostname": nodename2string(header.Nodename),
-			"PID":      header.PID,
-			"Comm":     comm2string(header.Command),
-			"Addr":     byte2IPv4(body.DstIP),
-			"Port":     body.DstPort,
-			"Protocol": sockTypeToProtocolName(body.SockType),
+			"Action":     body.ActionResult(),
+			"Hostname":   nodename2string(header.Nodename),
+			"PID":        header.PID,
+			"Comm":       comm2string(header.Command),
+			"ParentComm": comm2string(header.ParentCommand),
+			"Addr":       byte2IPv4(body.DstIP),
+			"Port":       body.DstPort,
+			"Protocol":   sockTypeToProtocolName(body.SockType),
 		}).Info("Traffic is trapped in the filter.")
 	}
 }