From 4d5e47de02ff2e1214db1a167e38ba50dd7aa98c Mon Sep 17 00:00:00 2001 From: Nadav Strahilevitz Date: Wed, 29 May 2024 12:06:37 +0000 Subject: [PATCH 1/2] feat(helpers): unparsed flag helpers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit flag helpers previously took a string argument to test against possible flag configurations. New implementation takes the integer form and makes the test with the bit flag directly. Co-authored-by: Geyslan Gregório --- signatures/helpers/go.mod | 7 ++++++- signatures/helpers/go.sum | 16 ++++++++++------ signatures/helpers/helpers.go | 13 +++++++------ 3 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/signatures/helpers/go.mod b/signatures/helpers/go.mod
index 80d479054c46..6eec45116e7b 100644
--- a/signatures/helpers/go.mod
+++ b/signatures/helpers/go.mod
@@ -4,4 +4,9 @@ go 1.22.0
 toolchain go1.22.4
-require github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863
+require (
+ github.com/aquasecurity/tracee v0.22.2
+ github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863
+)
+
+require golang.org/x/sys v0.21.0 // indirect
diff --git a/signatures/helpers/go.sum b/signatures/helpers/go.sum
index c75b3133860a..d17799bdcdea 100644
--- a/signatures/helpers/go.sum
+++ b/signatures/helpers/go.sum
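Review bot: The helpers module now requires its own parent module, `github.com/aquasecurity/tracee v0.22.2`, to reach `pkg/events/parsers`, so the `O_*` flag constants the new helpers compare against are resolved from a published release rather than from the checkout this go.mod sits in; a change to the parsers package in this repository is invisible to signatures until the pin is bumped, and the two can silently disagree. If the intent is to build against the local tree, add `replace github.com/aquasecurity/tracee => ../..` next to the new require (or split parsers into a small standalone module the way `types` already is), and document the root-module/nested-module cycle for anyone running `go mod tidy` in signatures/helpers. The `golang.org/x/sys v0.21.0 // indirect` line appears to arrive only as a consequence of that dependency.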
@@ -1,10 +1,14 @@ +github.com/aquasecurity/tracee v0.22.2 h1:YRUQmGZBMHEaIGEVzokAdvQc/r7b0e0102wzzn5tc5c= +github.com/aquasecurity/tracee v0.22.2/go.mod h1:H5WZzjnNDmgaa4GRJjZUYvQ/QU93iXrMx0RIp+Ol+F0= github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863 h1:domVTTQICTuCvX+ZW5EjvdUBz8EH7FedBj5lRqwpgf4= github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863/go.mod h1:Jwh9OOuiMHXDoGQY12N9ls5YB+j1FlRcXvFMvh1CmIU= -github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 
diff --git a/signatures/helpers/helpers.go b/signatures/helpers/helpers.go
index f137ec29bc9e..b8b5ac28625c 100644
--- a/signatures/helpers/helpers.go
+++ b/signatures/helpers/helpers.go
@@ -4,14 +4,15 @@ import (
 "fmt"
 "strings"
+ "github.com/aquasecurity/tracee/pkg/events/parsers"
 "github.com/aquasecurity/tracee/types/trace"
 )
 // IsFileWrite returns whether the passed file permissions string contains
 // o_wronly or o_rdwr
-func IsFileWrite(flags string) bool {
- flagsLow := strings.ToLower(flags)
- if strings.Contains(flagsLow, "o_wronly") || strings.Contains(flagsLow, "o_rdwr") {
+func IsFileWrite(flags int) bool {
+ accessMode := uint64(flags) & parsers.O_ACCMODE.Value()
+ if accessMode == parsers.O_WRONLY.Value() || accessMode == parsers.O_RDWR.Value() {
 return true
 }
 return false
@@ -19,9 +20,9 @@ func IsFileWrite(flags string) bool {
 // IsFileRead returns whether the passed file permissions string contains
 // o_rdonly or o_rdwr
-func IsFileRead(flags string) bool {
- flagsLow := strings.ToLower(flags)
- if strings.Contains(flagsLow, "o_rdonly") || strings.Contains(flagsLow, "o_rdwr") {
+func IsFileRead(flags int) bool {
+ accessMode := uint64(flags) & parsers.O_ACCMODE.Value()
+ if accessMode == parsers.O_RDONLY.Value() || accessMode == parsers.O_RDWR.Value() {
 return true
 }
 return false
From 0b23713fa9f98578cb6ea038f145a345298d4e27 Mon Sep 17 00:00:00 2001 From: Nadav Strahilevitz Date: Wed, 29 May 2024 12:12:38 +0000 Subject: [PATCH 2/2] feat(helpers): robust int and uint arg helpers Add a new uint argument helpers, which extracts a data argument from an event by name and returns it if it was one of the uint types. Additionally, add further checks for int64 and int types in the already existing int argument helper. --- signatures/helpers/arguments_helpers.go | 38 +++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 3 deletions(-)
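Review bot: The doc comments kept above `IsFileWrite` and `IsFileRead` still say the helpers take a "file permissions string", but both now take the raw open(2) flags as an int and compare `uint64(flags) & O_ACCMODE` against a single access mode; replace them with, e.g., `// IsFileWrite reports whether the access mode in the given open(2) flags (flags & O_ACCMODE) is O_WRONLY or O_RDWR.` and the matching O_RDONLY/O_RDWR wording for IsFileRead. This is also a compile-breaking signature change for every signature that passed the parsed flags string, so those callers have to switch to the integer argument in the same change. The `uint64(flags)` conversion sign-extends a negative int, which the mask then discards, so that path is harmless, but the `if ... { return true }; return false` tail can simply be `return accessMode == parsers.O_WRONLY.Value() || accessMode == parsers.O_RDWR.Value()`. `strings` stays imported in the hunk's context; whether another function in helpers.go still uses it cannot be seen from here.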
diff --git a/signatures/helpers/arguments_helpers.go b/signatures/helpers/arguments_helpers.go
index 7567782b3226..19f3f9bf952f 100644
--- a/signatures/helpers/arguments_helpers.go
+++ b/signatures/helpers/arguments_helpers.go
@@ -66,12 +66,44 @@ func GetTraceeIntArgumentByName(event trace.Event, argName string) (int, error)
 if err != nil {
 return 0, err
 }
- argInt, ok := arg.Value.(int32)
+
+ argInt32, ok := arg.Value.(int32)
+ if ok {
+ return int(argInt32), nil
+ }
+ argInt64, ok := arg.Value.(int64)
+ if ok {
+ return int(argInt64), nil
+ }
+ argInt, ok := arg.Value.(int)
+ if ok {
+ return argInt, nil
+ }
+
+ return 0, fmt.Errorf("can't convert argument %v to int (argument is of type %T)", argName, arg.Value)
+}
+
+// GetTraceeUIntArgumentByName gets the argument matching the "argName" given from the event "argv" field, casted as int.
+func GetTraceeUintArgumentByName(event trace.Event, argName string) (uint, error) {
+ arg, err := GetTraceeArgumentByName(event, argName, GetArgOps{DefaultArgs: false})
+ if err != nil {
+ return 0, err
+ }
+
+ argUint32, ok := arg.Value.(uint32)
+ if ok {
+ return uint(argUint32), nil
+ }
+ argUint64, ok := arg.Value.(uint64)
+ if ok {
+ return uint(argUint64), nil
+ }
+ argUint, ok := arg.Value.(uint)
 if ok {
- return int(argInt), nil
+ return argUint, nil
 }
- return 0, fmt.Errorf("can't convert argument %v to int", argName)
+ return 0, fmt.Errorf("can't convert argument %v to int (argument is of type %T)", argName, arg.Value)
 }
 // GetTraceeSliceStringArgumentByName retrieves the argument from the event's "Args" field
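Review bot: The new int64 and uint64 branches narrow with a plain `int(argInt64)` / `uint(argUint64)`, which silently truncates on any target where `int` is 32 bits; a value that a signature then masks as flags or compares as a size would be wrong with no error, so the narrowing should be checked and rejected instead of assumed to fit (on 64-bit Linux targets it is a no-op, but nothing in the code says so). Separately, the new helper's doc comment names it `GetTraceeUIntArgumentByName` and says "casted as int", and its failure message also reports "to int"; both should read uint, e.g. `return 0, fmt.Errorf("can't convert argument %v to uint (argument is of type %T)", argName, arg.Value)`. Neither helper accepts the other signedness, so a caller must know the event argument's runtime type, which is worth stating in both doc comments. `GetTraceeIntArgumentByName` begins before this hunk; only its type checks and return are visible here.

```go
	// … unchanged: int32 case …
	argInt64, ok := arg.Value.(int64)
	if ok {
		// int may be 32 bits wide on some targets; never return a truncated value.
		if int64(int(argInt64)) != argInt64 {
			return 0, fmt.Errorf("argument %v value %d overflows int", argName, argInt64)
		}
		return int(argInt64), nil
	}
	// … unchanged: int case and error return …

// GetTraceeUintArgumentByName gets the argument matching the "argName" given from the event "argv" field, casted as uint.
	// … unchanged: argument lookup and uint32 case …
	argUint64, ok := arg.Value.(uint64)
	if ok {
		if uint64(uint(argUint64)) != argUint64 {
			return 0, fmt.Errorf("argument %v value %d overflows uint", argName, argUint64)
		}
		return uint(argUint64), nil
	}
	// … unchanged: uint case …
	return 0, fmt.Errorf("can't convert argument %v to uint (argument is of type %T)", argName, arg.Value)
```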