feat: add inotify_find_inode event #2794

roikol · 2023-03-02T10:04:51Z

1. Explain what the PR does

Author: RoiKol <roi.kol@aquasec.com>
Date:   Thu Mar 2 11:58:33 2023 +0200

    feat: add inotify_find_inode event
    
    add the inotify_find_inode event to indicate an inotify watch being
    added to a file

2. Explain how to test it

command 1: ./dist/tracee-ebpf -f e=inotify_find_inode
command 2: inotifywatch /tmp/test.txt

3. Other comments

yanivagman · 2023-03-05T08:16:51Z

Looks like kernel 5.4 introduced the security_path_noitfy which would have been a better choice:
https://elixir.bootlin.com/linux/v5.4.234/source/security/security.c#L920
However, since we want to keep support for 4.18 kernels, we can't use it as is. So this is just a note for after we will implement a mechanism to selectively load probes according to the environment (#1653 ).
In the meanwhile, I think you should consider renaming this event to something more abstract (so we can change the probe without renaming the event in the future)

roikol · 2023-03-08T13:33:51Z

Looks like kernel 5.4 introduced the security_path_noitfy which would have been a better choice: https://elixir.bootlin.com/linux/v5.4.234/source/security/security.c#L920 However, since we want to keep support for 4.18 kernels, we can't use it as is. So this is just a note for after we will implement a mechanism to selectively load probes according to the environment (#1653 ). In the meanwhile, I think you should consider renaming this event to something more abstract (so we can change the probe without renaming the event in the future)

yeah i saw this lsm but decided to go with inotify_find_inode to be compatible with all supported kernel versions.
i'll rename to event to inotify_watch, sounds good?

add the inotify_watch event to indicate an inotify watch being added to a file

rafaeldtinoco

LGTM.

rafaeldtinoco · 2023-03-14T21:51:09Z

Im merging now as this is a simple event and comment from Yaniv has already been noticed. Thanks!

roikol self-assigned this Mar 2, 2023

roikol force-pushed the add_inotify_event branch from b653629 to 6151dfe Compare March 2, 2023 10:08

yanivagman added the milestone/v0.13.0 label Mar 5, 2023

roikol force-pushed the add_inotify_event branch from 6151dfe to 46d4b63 Compare March 8, 2023 13:38

feat: add inotify_watch event

07c323f

add the inotify_watch event to indicate an inotify watch being added to a file

roikol force-pushed the add_inotify_event branch from 46d4b63 to 07c323f Compare March 8, 2023 13:43

roikol requested a review from yanivagman March 8, 2023 13:43

rafaeldtinoco approved these changes Mar 14, 2023

View reviewed changes

rafaeldtinoco merged commit 9036cad into aquasecurity:main Mar 14, 2023

yanivagman mentioned this pull request Mar 15, 2023

add event to indicate usage of inotify #2793

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: add inotify_find_inode event #2794

feat: add inotify_find_inode event #2794

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

feat: add inotify_find_inode event #2794

feat: add inotify_find_inode event #2794

Uh oh!

Conversation

1. Explain what the PR does

2. Explain how to test it

3. Other comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!