Added symlink link connect socket execve syscall helpers

Also added rules is yaml file are triggered Signed-off-by: GLVS Kiriti <[email protected]>
falcosecurity · Aug 19, 2024 · cdf1ffa · cdf1ffa
1 parent 0ecb95a
commit cdf1ffa
Show file tree

Hide file tree

Showing 4 changed files with 124 additions and 1 deletion.
diff --git a/events/exampleyamlfile.yml b/events/exampleyamlfile.yml
@@ -7,9 +7,62 @@ tests:
         args:
           filepath: "/etc/../etc/../etc/shadow"
           flag: 0
-          mode: 0655
+          mode: 0644
+    after: ""
+
+  - rule: ReadSensitiveFileUntrusted
+    runner: HostRunner
+    before: ""
+    steps:
+      - syscall: "open"
+        args:
+          filepath: "/etc/shadow"
+          flag: 0
+          mode: 0644
+    after: ""
+
+  - rule: ReadSensitiveFileTrustedAfterStartup
+    runner: HostRunner
+    before: ""
+    steps:
+      - syscall: "open"
+        args:
+          filepath: "/etc/shadow"
+          flag: 0
+          mode: 0644
     after: ""
 
+  - rule: ClearLogActivities
+    runner: HostRunner
+    before: "mkdir /tmp/created-by-event-generator && touch /tmp/created-by-event-generator/syslog"
+    steps:
+      - syscall: "open"
+        args:
+          filepath: "/tmp/created-by-event-generator/syslog"
+          flag: 513
+          mode: 0644
+    after: "rm -rf /tmp/created-by-event-generator"
+
+  - rule: CreateSymlinkOverSensitiveFiles
+    runner: HostRunner
+    before: "mkdir /created-by-event-generator"
+    steps:
+      - syscall: "symlink"
+        args:
+          oldpath: "/etc"
+          newpath: "/created-by-event-generator/newpath"
+    after: "rm /created-by-event-generator/newpath && rmdir /created-by-event-generator"
+
+  - rule: CreateHardlinkOverSensitiveFiles
+    runner: HostRunner
+    before: "mkdir /created-by-event-generator"
+    steps:
+      - syscall: "link"
+        args:
+          oldpath: "/etc/shadow"
+          newpath: "/created-by-event-generator/newpath"
+    after: "rm /created-by-event-generator/newpath && rmdir /created-by-event-generator"
+
   - rule: LaunchIngressRemoteFileCopyToolsInsideContainer
     runner: ContainerRunner
     before: "wget example.com"

diff --git a/pkg/declarative/helpers.go b/pkg/declarative/helpers.go
@@ -88,3 +88,27 @@ func Openat2Syscall(dirfd int, filepath string, flags int, mode uint32, resolve
 	}
 	return fd, nil
 }
+
+func ExecveSyscall(exepath string, cmnd []string, envv []string) error {
+	return unix.Exec(exepath, cmnd, envv)
+}
+
+func ConnectSyscall(sockfd int, socketAddr unix.Sockaddr) error {
+	return unix.Connect(sockfd, socketAddr)
+}
+
+func SocketSyscall(domain int, socktype int, protocol int) (int, error) {
+	fd, err := unix.Socket(domain, socktype, protocol)
+	if err != nil {
+		return -1, fmt.Errorf("error creating a socket: %v", err)
+	}
+	return fd, nil
+}
+
+func SymlinkSyscall(oldpath string, newpath string) error {
+	return unix.Symlink(oldpath, newpath)
+}
+
+func LinkSyscall(oldpath string, newpath string) error {
+	return unix.Link(oldpath, newpath)
+}
diff --git a/pkg/declarative/host.go b/pkg/declarative/host.go
@@ -50,6 +50,31 @@ func (r *Hostrunner) ExecuteStep(ctx context.Context, test Test) error {
 			if err != nil {
 				return fmt.Errorf("openat2 syscall failed with error: %v", err)
 			}
+		case "execve":
+			err := ExecveSyscall(*step.Args.Exepath, *step.Args.Cmnd, *step.Args.Envv)
+			if err != nil {
+				return fmt.Errorf("execve syscall failed with error: %v", err)
+			}
+		case "connect":
+			err := ConnectSyscall(*step.Args.Sockfd, *step.Args.Sockaddr)
+			if err != nil {
+				return fmt.Errorf("connect syscall failed with error: %v", err)
+			}
+		case "socket":
+			_, err := SocketSyscall(*step.Args.Domain, *step.Args.SockType, *step.Args.Protocol)
+			if err != nil {
+				return fmt.Errorf("socket syscall failed with error: %v", err)
+			}
+		case "symlink":
+			err := SymlinkSyscall(*step.Args.Oldpath, *step.Args.Newpath)
+			if err != nil {
+				return fmt.Errorf("symlink syscall failed with error: %v", err)
+			}
+		case "link":
+			err := LinkSyscall(*step.Args.Oldpath, *step.Args.Newpath)
+			if err != nil {
+				return fmt.Errorf("link syscall failed with error: %v", err)
+			}
 		default:
 			return fmt.Errorf("unsupported syscall: %s", step.Syscall)
 		}

diff --git a/pkg/declarative/yamltypes.go b/pkg/declarative/yamltypes.go
@@ -14,13 +14,34 @@ limitations under the License.
 
 package declarative
 
+import "golang.org/x/sys/unix"
+
 // Yaml file structure
 type Args struct {
+	// For open, openat, openat2 syscalls
 	Dirfd    *int    `yaml:"dirfd,omitempty"`
 	Filepath *string `yaml:"filepath,omitempty"`
 	Flags    *int    `yaml:"flag,omitempty"`
 	Mode     *uint32 `yaml:"mode,omitempty"`
 	Resolve  *uint64 `yaml:"resolve,omitempty"`
+
+	// For execve syscall
+	Exepath *string   `yaml:"exepath,omitempty"`
+	Cmnd    *[]string `yaml:"cmnd,omitempty"`
+	Envv    *[]string `yaml:"envv,omitempty"`
+
+	// For connect syscall
+	Sockfd   *int           `yaml:"sockfd,omitempty"`
+	Sockaddr *unix.Sockaddr `yaml:"sockaddr,omitempty"`
+
+	// For socket syscall
+	Domain   *int `yaml:"domain,omitempty"`
+	SockType *int `yaml:"socktype,omitempty"`
+	Protocol *int `yaml:"protocol,omitempty"`
+
+	// For symlink and link syscalls
+	Oldpath *string `yaml:"oldpath,omitempty"`
+	Newpath *string `yaml:"newpath,omitempty"`
 }
 
 type SyscallStep struct {