
fsprobe's Issues

Failed to capture file creation using fsprobe after adding another monitor function for security_inode_create

I added another hook function for security_inode_create in fsprobe to test its extensibility. However, it prompted some permission errors, and it seems the root cause is in the security_inode_create_ret function. Here is the stderr output:

FATAL[2022-09-08T14:34:44Z] couldn't start watching the filesystem: couldn't load eBPF program: program kretprobe/security_inode_create: failed to load program: permission denied: 0: (bf) r6 = r1
1: (85) call bpf_get_current_pid_tgid#14
2: (7b) *(u64 *)(r10 -352) = r0
3: (bf) r2 = r10
4: (07) r2 += -352
5: (18) r1 = 0xffffa024ad16f800
7: (85) call bpf_map_lookup_elem#1
8: (bf) r7 = r0
9: (15) if r7 == 0x0 goto pc+16812
 R0=map_value(id=0,off=0,ks=8,vs=136,imm=0) R6=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-352=mmmmmmmm
10: (79) r1 = *(u64 *)(r6 +80)
11: (63) *(u32 *)(r7 +88) = r1
 R0=map_value(id=0,off=0,ks=8,vs=136,imm=0) R1_w=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-352=mmmmmmmm
12: (79) r3 = *(u64 *)(r7 +104)
 R0=map_value(id=0,off=0,ks=8,vs=136,imm=0) R1_w=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-352=mmmmmmmm
13: (07) r3 += 48
14: (bf) r1 = r10
15: (07) r1 += -304
16: (b7) r2 = 8
17: (85) call bpf_probe_read#4
last_idx 17 first_idx 8
regs=4 stack=0 before 16: (b7) r2 = 8
18: (79) r3 = *(u64 *)(r10 -304)
19: (07) r3 += 64
20: (bf) r1 = r10
21: (07) r1 += -288
22: (b7) r2 = 8
23: (85) call bpf_probe_read#4
last_idx 23 first_idx 18
regs=4 stack=0 before 22: (b7) r2 = 8
24: (79) r2 = *(u64 *)(r10 -288)
25: (7b) *(u64 *)(r7 +56) = r2
 R0_w=inv(id=0) R2_w=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-288=mmmmmmmm fp-304=mmmmmmmm fp-352=mmmmmmmm
26: (18) r1 = 0x0
28: (15) if r1 == 0x2 goto pc+10726
last_idx 28 first_idx 18
regs=2 stack=0 before 26: (18) r1 = 0x0
29: (15) if r1 == 0x1 goto pc+78
30: (55) if r1 != 0x0 goto pc+16773
31: (b7) r1 = 0
32: (7b) *(u64 *)(r10 -336) = r1
last_idx 32 first_idx 29
regs=2 stack=0 before 31: (b7) r1 = 0
33: (61) r3 = *(u32 *)(r7 +92)
 R0=inv(id=0) R1_w=invP0 R2=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-288=mmmmmmmm fp-304=mmmmmmmm fp-336_w=00000000 fp-352=mmmmmmmm
34: (18) r4 = 0xfffffffe
36: (5f) r3 &= r4
37: (55) if r3 != 0x2 goto pc+1
 R0=inv(id=0) R1_w=invP0 R2=inv(id=0) R3_w=inv2 R4_w=inv4294967294 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-288=mmmmmmmm fp-304=mmmmmmmm fp-336_w=00000000 fp-352=mmmmmmmm
38: (61) r2 = *(u32 *)(r7 +48)
 R0=inv(id=0) R1_w=invP0 R2_w=inv(id=0) R3_w=inv2 R4_w=inv4294967294 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-288=mmmmmmmm fp-304=mmmmmmmm fp-336_w=00000000 fp-352=mmmmmmmm
39: (7b) *(u64 *)(r10 -344) = r2
40: (61) r2 = *(u32 *)(r7 +68)
 R0=inv(id=0) R1=invP0 R2_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R3=inv2 R4=inv4294967294 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-288=mmmmmmmm fp-304=mmmmmmmm fp-336=00000000 fp-344_w=inv fp-352=mmmmmmmm
41: (63) *(u32 *)(r10 -336) = r2
42: (79) r9 = *(u64 *)(r7 +104)
 R0=inv(id=0) R1=invP0 R2_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R3=inv2 R4=inv4294967294 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R10=fp0 fp-288=mmmmmmmm fp-304=mmmmmmmm fp-336=0000mmmm fp-344_w=inv fp-352=mmmmmmmm
43: (7b) *(u64 *)(r10 -24) = r1
44: (7b) *(u64 *)(r10 -32) = r1
45: (7b) *(u64 *)(r10 -40) = r1
46: (7b) *(u64 *)(r10 -48) = r1
47: (7b) *(u64 *)(r10 -56) = r1
48: (7b) *(u64 *)(r10 -64) = r1
49: (7b) *(u64 *)(r10 -72) = r1
50: (7b) *(u64 *)(r10 -80) = r1
51: (7b) *(u64 *)(r10 -88) = r1
52: (7b) *(u64 *)(r10 -96) = r1
53: (7b) *(u64 *)(r10 -104) = r1
54: (7b) *(u64 *)(r10 -112) = r1
55: (7b) *(u64 *)(r10 -120) = r1
56: (7b) *(u64 *)(r10 -128) = r1
57: (7b) *(u64 *)(r10 -136) = r1
58: (7b) *(u64 *)(r10 -144) = r1
59: (7b) *(u64 *)(r10 -152) = r1
60: (7b) *(u64 *)(r10 -160) = r1
61: (7b) *(u64 *)(r10 -168) = r1
62: (7b) *(u64 *)(r10 -176) = r1
63: (7b) *(u64 *)(r10 -184) = r1
64: (7b) *(u64 *)(r10 -192) = r1
65: (7b) *(u64 *)(r10 -200) = r1
66: (7b) *(u64 *)(r10 -208) = r1
67: (7b) *(u64 *)(r10 -216) = r1
68: (7b) *(u64 *)(r10 -224) = r1
69: (7b) *(u64 *)(r10 -232) = r1
70: (7b) *(u64 *)(r10 -240) = r1
71: (7b) *(u64 *)(r10 -248) = r1
72: (7b) *(u64 *)(r10 -256) = r1
73: (7b) *(u64 *)(r10 -264) = r1
74: (7b) *(u64 *)(r10 -272) = r1
75: (7b) *(u64 *)(r10 -280) = r1
76: (7b) *(u64 *)(r10 -288) = r1
77: (79) r1 = *(u64 *)(r10 -336)
78: (7b) *(u64 *)(r10 -296) = r1
79: (79) r1 = *(u64 *)(r10 -344)
80: (7b) *(u64 *)(r10 -304) = r1
81: (bf) r3 = r9
82: (07) r3 += 32
83: (bf) r1 = r10
84: (07) r1 += -320
85: (b7) r2 = 16
86: (85) call bpf_probe_read#4
last_idx 86 first_idx 39
regs=4 stack=0 before 85: (b7) r2 = 16
87: (79) r3 = *(u64 *)(r10 -312)
88: (bf) r8 = r10
89: (07) r8 += -272
90: (bf) r1 = r8
91: (b7) r2 = 255
92: (85) call bpf_probe_read_str#45
last_idx 92 first_idx 39
regs=4 stack=0 before 91: (b7) r2 = 255
93: (bf) r3 = r9
94: (07) r3 += 24
95: (bf) r1 = r10
96: (07) r1 += -8
97: (b7) r2 = 8
98: (85) call bpf_probe_read#4
last_idx 98 first_idx 93
regs=4 stack=0 before 97: (b7) r2 = 8
99: (79) r1 = *(u64 *)(r10 -304)
100: (7b) *(u64 *)(r10 -344) = r1
101: (79) r1 = *(u64 *)(r10 -296)
102: (7b) *(u64 *)(r10 -336) = r1
103: (79) r3 = *(u64 *)(r10 -8)
104: (5d) if r3 != r9 goto pc+116
 R0_w=inv(id=0) R1_w=inv(id=0) R3_w=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R8=fp-272 R9=inv(id=2) R10=fp0 fp-8=mmmmmmmm fp-24=0mmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=mmmmmmmm fp-64=mmmmmmmm fp-72=mmmmmmmm fp-80=mmmmmmmm fp-88=mmmmmmmm fp-96=mmmmmmmm fp-104=mmmmmmmm fp-112=mmmmmmmm fp-120=mmmmmmmm fp-128=mmmmmmmm fp-136=mmmmmmmm fp-144=mmmmmmmm fp-152=mmmmmmmm fp-160=mmmmmmmm fp-168=mmmmmmmm fp-176=mmmmmmmm fp-184=mmmmmmmm fp-192=mmmmmmmm fp-200=mmmmmmmm fp-208=mmmmmmmm fp-216=mmmmmmmm fp-224=mmmmmmmm fp-232=mmmmmmmm fp-240=mmmmmmmm fp-248=mmmmmmmm fp-256=mmmmmmmm fp-264=mmmmmmmm fp-272=mmmmmmmm fp-280=00000000 fp-288=00000000 fp-296=mmmmmmmm fp-304=inv fp-312=mmmmmmmm fp-320=mmmmmmmm fp-336_w=mmmmmmmm fp-344_w=inv fp-352=mmmmmmmm
105: (b7) r1 = 0
106: (7b) *(u64 *)(r10 -304) = r1
last_idx 106 first_idx 93
regs=2 stack=0 before 105: (b7) r1 = 0
107: (05) goto pc+124
232: (71) r1 = *(u8 *)(r10 -272)
233: (15) if r1 == 0x2f goto pc+1
 R0=inv(id=0) R1_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R3=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R8=fp-272 R9=inv(id=2) R10=fp0 fp-8=mmmmmmmm fp-24=0mmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=mmmmmmmm fp-64=mmmmmmmm fp-72=mmmmmmmm fp-80=mmmmmmmm fp-88=mmmmmmmm fp-96=mmmmmmmm fp-104=mmmmmmmm fp-112=mmmmmmmm fp-120=mmmmmmmm fp-128=mmmmmmmm fp-136=mmmmmmmm fp-144=mmmmmmmm fp-152=mmmmmmmm fp-160=mmmmmmmm fp-168=mmmmmmmm fp-176=mmmmmmmm fp-184=mmmmmmmm fp-192=mmmmmmmm fp-200=mmmmmmmm fp-208=mmmmmmmm fp-216=mmmmmmmm fp-224=mmmmmmmm fp-232=mmmmmmmm fp-240=mmmmmmmm fp-248=mmmmmmmm fp-256=mmmmmmmm fp-264=mmmmmmmm fp-272=mmmmmmmm fp-280=00000000 fp-288=00000000 fp-296=mmmmmmmm fp-304=00000000 fp-312=mmmmmmmm fp-320=mmmmmmmm fp-336=mmmmmmmm fp-344=inv fp-352=mmmmmmmm
234: (55) if r1 != 0x0 goto pc+2
 R0=inv(id=0) R1_w=inv0 R3=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=8,vs=136,imm=0) R8=fp-272 R9=inv(id=2) R10=fp0 fp-8=mmmmmmmm fp-24=0mmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=mmmmmmmm fp-64=mmmmmmmm fp-72=mmmmmmmm fp-80=mmmmmmmm fp-88=mmmmmmmm fp-96=mmmmmmmm fp-104=mmmmmmmm fp-112=mmmmmmmm fp-120=mmmmmmmm fp-128=mmmmmmmm fp-136=mmmmmmmm fp-144=mmmmmmmm fp-152=mmmmmmmm fp-160=mmmmmmmm fp-168=mmmmmmmm fp-176=mmmmmmmm fp-184=mmmmmmmm fp-192=mmmmmmmm fp-200=mmmmmmmm fp-208=mmmmmmmm fp-216=mmmmmmmm fp-224=mmmmmmmm fp-232=mmmmmmmm fp-240=mmmmmmmm fp-248=mmmmmmmm fp-256=mmmmmmmm fp-264=mmmmmmmm fp-272=mmmmmmmm fp-280=00000000 fp-288=00000000 fp-296=mmmmmmmm fp-304=00000000 fp-312=mmmmmmmm fp-320=mmmmmmmm fp-336=mmmmmmmm fp-344=inv fp-352=mmmmmmmm
235: (b7) r1 = 0
236: (7b) *(u64 *)(r10 -304) = r1
last_idx 236 first_idx 232
regs=2 stack=0 before 235: (b7) r1 = 0
237: (79) r1 = *(u64 *)(r10 -296)
238: (7b) *(u64 *)(r10 -280) = r1
239: (79) r1 = *(u64 *)(r10 -304)
240: (7b) *(u64 *)(r10 -288) = r1
241: (bf) r2 = r10
242: (07) r2 += -344
243: (18) r1 = 0x0
245: (85) call bpf_map_lookup_elem#1
R1 type=inv expected=map_ptr
processed 118 insns (limit 1000000) max_states_per_insn 0 total_states 6 peak_states 6 mark_read 5
make: *** [Makefile:28: run] Error 1

I would appreciate any kind of help :)
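A loader-side diagnostic for this class of verifier rejection, added here as an example and not part of fsprobe: it scans a verifier log for map helper calls whose r1 was set by a 64-bit immediate load of 0x0, which is what a map reference looks like when the loader never relocated it to a real map (the pattern at instructions 243-245 above, versus the relocated pointer at instruction 5), and extracts the verifier's final type complaint. The sample log is a trimmed excerpt of the output in the issue; function names are this example's own.

```python
"""Scan an eBPF verifier log for map-helper calls whose r1 (map pointer) was
never relocated by the loader. Added example, not fsprobe code."""
import re
from typing import List, Optional, Tuple
# Opcode 0x18 is BPF_LD|BPF_IMM|BPF_DW: the 64-bit immediate that the loader
# rewrites with the map's address. A surviving 0x0 means no relocation happened.
LD_IMM64 = re.compile(r"^(\d+): \(18\) (r\d+) = (0x[0-9a-f]+)$")
CALL = re.compile(r"^(\d+): \(85\) call (\w+)#\d+$")
R1_WRITE = re.compile(r"^\d+: \([0-9a-f]{2}\) r1 [+\-&|]?= ")  # other writes to r1
TYPE_ERR = re.compile(r"^(R\d+) type=(\w+) expected=(\w+)$")
MAP_HELPERS = {"bpf_map_lookup_elem", "bpf_map_update_elem", "bpf_map_delete_elem"}

def unrelocated_map_calls(log: str) -> List[Tuple[int, str]]:
    """(insn index, helper) for every map helper call fed an immediate 0x0 in r1."""
    findings, r1_imm = [], None
    for line in (l.strip() for l in log.splitlines()):
        m = LD_IMM64.match(line)
        if m:
            if m.group(2) == "r1":
                r1_imm = m.group(3)
            continue
        m = CALL.match(line)
        if m:
            if m.group(2) in MAP_HELPERS and r1_imm == "0x0":
                findings.append((int(m.group(1)), m.group(2)))
            r1_imm = None  # helper calls clobber r1..r5
        elif R1_WRITE.match(line):
            r1_imm = None
    return findings

def verifier_type_error(log: str) -> Optional[Tuple[str, str, str]]:
    """(register, actual type, expected type) from the verifier's final complaint."""
    for line in log.splitlines():
        m = TYPE_ERR.match(line.strip())
        if m:
            return m.groups()
    return None

# Trimmed excerpt of the issue's log: instruction 7 uses a relocated map
# pointer, instruction 245 does not, and the verifier rejects the program.
SAMPLE_LOG = """\
5: (18) r1 = 0xffffa024ad16f800
7: (85) call bpf_map_lookup_elem#1
26: (18) r1 = 0x0
28: (15) if r1 == 0x2 goto pc+10726
31: (b7) r1 = 0
243: (18) r1 = 0x0
245: (85) call bpf_map_lookup_elem#1
R1 type=inv expected=map_ptr
"""
```

When the scan reports a hit, the thing to check is the loader, not the verifier: the map used by the new kretprobe must be defined in the ELF's map section and loaded before the program so its reference can be relocated.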
