bpf & pkg: Add selectors for audit ids

This commits introduces the "matchLoginUids" selectors, support
filtering based on the audit id of process.

A process is given an audit ID on user login, that is the loginuid.
This ID set during user authentication and handed down to any child
process started by the initial process of the user, even when the user's
identity changes.

The loginuid is used to track user's activity. For example, the following
matchLoginUids filter allow to follow operation performed by user id 1000.
```
- matchLoginUids:
  - operator: "In"
    values:
    - 1000
```

Signed-off-by: Jianlin Lv <jianlv@ebay.com>

bpf/lib/process.h

@@ -151,7 +151,7 @@
 
 struct msg_execve_key {
 	__u32 pid; // Process TGID
-	__u8 pad[4];
+	__u32 auid;	// loginuid
 	__u64 ktime;
 }; // All fields aligned so no 'packed' attribute.
 

bpf/process/bpf_execve_event.c

@@ -274,6 +274,7 @@ execve_send(struct sched_execve_args *ctx)
 #endif
 		curr->key.pid = p->pid;
 		curr->key.ktime = p->ktime;
+		curr->key.auid = p->auid;
 		curr->nspid = p->nspid;
 		curr->pkey = event->parent;
 		if (curr->flags & EVENT_COMMON_FLAG_CLONE) {

bpf/process/bpf_exit.h

@@ -50,10 +50,7 @@ static inline __attribute__((always_inline)) void event_exit_send(void *ctx, __u
 		exit->common.ktime = ktime_get_ns();
 
 		exit->current.pid = tgid;
-		exit->current.pad[0] = 0;
-		exit->current.pad[1] = 0;
-		exit->current.pad[2] = 0;
-		exit->current.pad[3] = 0;
+		exit->current.auid = enter->key.auid;
 		exit->current.ktime = enter->key.ktime;
 
 		/**

bpf/process/bpf_generic_retkprobe.c

@@ -150,12 +150,9 @@ BPF_KRETPROBE(generic_retkprobe_event, unsigned long ret)
 
 	if (enter) {
 		e->current.pid = enter->key.pid;
+		e->current.auid = enter->key.auid;
 		e->current.ktime = enter->key.ktime;
 	}
-	e->current.pad[0] = 0;
-	e->current.pad[1] = 0;
-	e->current.pad[2] = 0;
-	e->current.pad[3] = 0;
 
 	e->func_id = config->func_id;
 	e->common.size = size;

bpf/process/generic_calls.h

@@ -105,11 +105,6 @@ generic_process_init(struct msg_generic_kprobe *e, u8 op, struct event_config *c
 	e->common.size = 0;
 	e->common.ktime = ktime_get_ns();
 
-	e->current.pad[0] = 0;
-	e->current.pad[1] = 0;
-	e->current.pad[2] = 0;
-	e->current.pad[3] = 0;
-
 	e->action = 0;
 
 	/**

bpf/process/pfilter.h

@@ -135,6 +135,43 @@ process_filter_pid(__u32 i, __u32 off, __u32 *f, __u64 ty, __u64 flags,
 	return __process_filter_pid(ty, flags, sel, pid, enter);
 }
 
+
+
+static inline __attribute__((always_inline)) int
+__process_filter_loginuid(__u32 ty,  __u32 sel, struct execve_map_value *enter)
+{
+	__u32 auid;
+
+	auid = enter->key.auid;
+	if (ty == op_filter_in && sel != auid)
+		return PFILTER_REJECT;
+	else if (ty == op_filter_notin && sel == auid)
+		return PFILTER_REJECT;
+	return PFILTER_ACCEPT;
+}
+
+
+static inline __attribute__((always_inline)) int
+process_filter_loginuid(__u32 i, __u32 off, __u32 *f, __u64 ty, __u64 flags,
+		   struct execve_map_value *enter, struct msg_ns *n,
+		   struct msg_capabilities *c)
+{
+	__u32 sel;
+
+	if (off > 1000)
+		sel = 0;
+	else {
+		__u32 o = off;
+
+		o = o / 4;
+		asm volatile("%[o] &= 0x3ff;\n" ::[o] "+r"(o)
+			     :);
+		sel = f[o];
+	}
+
+	return __process_filter_loginuid(ty, sel, enter);
+}
+
 static inline __attribute__((always_inline)) int
 process_filter_namespace(__u32 i, __u32 off, __u32 *f, __u64 ty, __u64 nsid,
 			 struct execve_map_value *enter, struct msg_ns *n,
@@ -374,6 +411,12 @@ struct nc_filter {
 	u32 value; /* contains all namespaces to monitor (i.e. bit 0 is for ns_uts, bit 1 for ns_ipc etc.) */
 } __attribute__((packed));
 
+struct loginuid_filter {
+	u32 op;
+	u32 len; /* number of values */
+	u32 val[]; /* values */
+} __attribute__((packed));
+
 #define VALUES_MASK 0x1f /* max 4 values with 4 bytes each | 0x1f == 31 */
 
 /* If you update the value of NUM_NS_FILTERS_SMALL below you should
@@ -393,6 +436,7 @@ selector_process_filter(__u32 *f, __u32 index, struct execve_map_value *enter,
 	struct nc_filter *nc;
 #endif
 	struct caps_filter *caps;
+	struct loginuid_filter *loginuid;
 	__u32 len;
 	__u64 i;
 
@@ -513,6 +557,24 @@ selector_process_filter(__u32 *f, __u32 index, struct execve_map_value *enter,
 		return res;
 #endif
 
+	/* matchLoginuids */
+	len = *(__u32 *)((__u64)f +
+			 (index &
+			  INDEX_MASK)); /* (sizeof(LoginUid1) + sizeof(LoginUid2) + ... + 4) */
+	index += 4; /* 4: LoginUid1 header */
+	len -= 4;
+
+	if (len > 0) {
+		loginuid = (struct loginuid_filter *)((u64)f + (index & INDEX_MASK));
+		index += sizeof(struct loginuid_filter); /* 4: op */
+		res = selector_match(f, index, loginuid->op, 0, loginuid->len,
+				     enter, n, c, &process_filter_loginuid);
+		index +=
+			((loginuid->len * sizeof(loginuid->val[0])) &
+			 VALUES_MASK); /* now index points at the end of loginuid filter */
+	}
+	if (res == PFILTER_REJECT)
+		return res;
 	return res;
 }
 

bpf/process/types/basic.h

@@ -1638,6 +1638,8 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx,
 		seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
 		/* skip the matchCapabilityChanges by reading its length */
 		seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
+		/* skip the matchLoginuids by reading its length */
+		seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
 	}
 
 	/* Making binary selectors fixes size helps on some kernels */

docs/content/en/docs/concepts/tracing-policy/selectors.md

@@ -19,6 +19,7 @@ A `TracingPolicy` can contain from 0 to 5 selectors. A selector is composed of
 - [`matchCapabilityChanges`](#capability-changes-filter): filter on Linux capabilities changes.
 - [`matchActions`](#actions-filter): apply an action on selector matching.
 - [`matchReturnActions`](#return-actions-filter): apply an action on return selector matching.
+- [`matchLoginUids`](#auid-filter): filter on audit ID.
 
 ## Arguments filter
 
@@ -1468,3 +1469,21 @@ exist.
 Return actions filters are a list of actions that execute when an return selector
 matches. They are defined under `matchReturnActions` and currently support all
 the [Actions filter](#actions-filter) `action` types.
+
+## Auid filter
+
+Auids filters can be specified under the `matchLoginUids` field and provide filtering
+based on the value of audit id of the process. For example, the following
+`matchLoginUids` filter tells the BPF code that observe only hooks for which the
+audit id is not equal to `-1`:
+
+```yaml
+- matchLoginUids:
+  - operator: "NotIn"
+    values:
+    - 4294967295
+```
+
+The available operators for `matchLoginUids` are:
+- `In`
+- `NotIn`

pkg/api/processapi/processapi.go

@@ -63,7 +63,7 @@ type MsgExec struct {
 
 type MsgExecveKey struct {
 	Pid   uint32 `align:"pid"`
-	Pad   uint32 `align:"pad"`
+	Auid  uint32 `align:"auid"`
 	Ktime uint64 `align:"ktime"`
 }
 

pkg/grpc/exec/exec_test_helper.go

@@ -99,7 +99,7 @@ func CreateEvents[EXEC notify.Message, EXIT notify.Message](Pid uint32, Ktime ui
 			},
 			Parent: tetragonAPI.MsgExecveKey{
 				Pid:   0,
-				Pad:   0,
+				Auid:  0,
 				Ktime: 0,
 			},
 			ParentFlags: 0,
@@ -140,7 +140,7 @@ func CreateEvents[EXEC notify.Message, EXIT notify.Message](Pid uint32, Ktime ui
 			},
 			Parent: tetragonAPI.MsgExecveKey{
 				Pid:   1,
-				Pad:   0,
+				Auid:  0,
 				Ktime: 0,
 			},
 			ParentFlags: 0,
@@ -181,7 +181,7 @@ func CreateEvents[EXEC notify.Message, EXIT notify.Message](Pid uint32, Ktime ui
 			},
 			Parent: tetragonAPI.MsgExecveKey{
 				Pid:   ParentPid,
-				Pad:   0,
+				Auid:  0,
 				Ktime: ParentKtime,
 			},
 			ParentFlags: 0,
@@ -215,7 +215,7 @@ func CreateEvents[EXEC notify.Message, EXIT notify.Message](Pid uint32, Ktime ui
 		},
 		ProcessKey: tetragonAPI.MsgExecveKey{
 			Pid:   Pid,
-			Pad:   0,
+			Auid:  0,
 			Ktime: Ktime,
 		},
 		Info: tetragonAPI.MsgExitInfo{
@@ -241,7 +241,7 @@ func CreateCloneEvents[CLONE notify.Message, EXIT notify.Message](Pid uint32, Kt
 		},
 		Parent: tetragonAPI.MsgExecveKey{
 			Pid:   ParentPid,
-			Pad:   0,
+			Auid:  0,
 			Ktime: ParentKtime,
 		},
 		PID:   Pid,
@@ -263,7 +263,7 @@ func CreateCloneEvents[CLONE notify.Message, EXIT notify.Message](Pid uint32, Kt
 		},
 		ProcessKey: tetragonAPI.MsgExecveKey{
 			Pid:   Pid,
-			Pad:   0,
+			Auid:  0,
 			Ktime: Ktime,
 		},
 		Info: tetragonAPI.MsgExitInfo{

pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml

@@ -461,6 +461,27 @@ spec:
                               - values
                               type: object
                             type: array
+                          matchLoginUids:
+                            description: A list of login uid filters.
+                            items:
+                              properties:
+                                operator:
+                                  description: LoginUid selector operator.
+                                  enum:
+                                  - In
+                                  - NotIn
+                                  type: string
+                                values:
+                                  description: LoginUid to match.
+                                  items:
+                                    format: int32
+                                    type: integer
+                                  type: array
+                              required:
+                              - operator
+                              - values
+                              type: object
+                            type: array
                           matchNamespaceChanges:
                             description: IDs for namespace changes
                             items:
@@ -1114,6 +1135,27 @@ spec:
                               - values
                               type: object
                             type: array
+                          matchLoginUids:
+                            description: A list of login uid filters.
+                            items:
+                              properties:
+                                operator:
+                                  description: LoginUid selector operator.
+                                  enum:
+                                  - In
+                                  - NotIn
+                                  type: string
+                                values:
+                                  description: LoginUid to match.
+                                  items:
+                                    format: int32
+                                    type: integer
+                                  type: array
+                              required:
+                              - operator
+                              - values
+                              type: object
+                            type: array
                           matchNamespaceChanges:
                             description: IDs for namespace changes
                             items:
@@ -1668,6 +1710,27 @@ spec:
                               - values
                               type: object
                             type: array
+                          matchLoginUids:
+                            description: A list of login uid filters.
+                            items:
+                              properties:
+                                operator:
+                                  description: LoginUid selector operator.
+                                  enum:
+                                  - In
+                                  - NotIn
+                                  type: string
+                                values:
+                                  description: LoginUid to match.
+                                  items:
+                                    format: int32
+                                    type: integer
+                                  type: array
+                              required:
+                              - operator
+                              - values
+                              type: object
+                            type: array
                           matchNamespaceChanges:
                             description: IDs for namespace changes
                             items: