├── .github └── workflows │ ├── bandit.yml │ ├── gitleaks.yml │ └── semgrep.yml ├── .gitignore ├── Dockerfile ├── README.md ├── charts └── seccomp-diff │ ├── Chart.yaml │ ├── files │ ├── allow.json │ ├── custom.json │ ├── default-no-chmod.json │ ├── default.json │ ├── hello-world.json │ ├── random.json │ ├── random1.json │ ├── random2.json │ ├── random3.json │ └── seccomp.json │ ├── templates │ ├── demo-deployments.yaml │ ├── deployment.yaml │ ├── namespace.yml │ ├── seccomp_profiles.yaml │ └── service.yaml │ └── values.yaml ├── common ├── __init__.py ├── bcc │ ├── __init__.py │ ├── containers.py │ ├── disassembler.py │ ├── libbcc.py │ ├── perf.py │ ├── syscall.py │ ├── table.py │ ├── tcp.py │ ├── usdt.py │ ├── utils.py │ └── version.py ├── bcc_test.py ├── containerd.py ├── default.byte ├── default.py ├── diff.py ├── docker.py ├── import_default.py ├── output.py ├── output.txt ├── ptrace.py ├── seccomp.py └── sockfilter.py ├── examples ├── Dockerfile.seccomptools ├── chrome.json ├── default.diff2 ├── demo2.webm ├── deploy.yaml ├── docker.sh ├── happy_shmoocon.cast ├── happy_shmoocon.gif ├── happy_shmoocon.json ├── happy_shmoocon2.cast ├── happy_shmoocon_web.png ├── hello_world ├── hello_world.diff1 ├── hello_world.go ├── seccomp_diff.cast ├── seccomp_diff.gif ├── seccomp_example.yaml ├── tools-test.yml └── web.json ├── lib ├── __init__.py ├── containerd │ ├── __init__.py │ ├── events │ │ ├── __init__.py │ │ ├── container_pb2.py │ │ ├── container_pb2_grpc.py │ │ ├── content_pb2.py │ │ ├── content_pb2_grpc.py │ │ ├── image_pb2.py │ │ ├── image_pb2_grpc.py │ │ ├── namespace_pb2.py │ │ ├── namespace_pb2_grpc.py │ │ ├── snapshot_pb2.py │ │ ├── snapshot_pb2_grpc.py │ │ ├── task_pb2.py │ │ └── task_pb2_grpc.py │ ├── protobuf │ │ ├── __init__.py │ │ └── plugin │ │ │ ├── __init__.py │ │ │ ├── fieldpath_pb2.py │ │ │ └── fieldpath_pb2_grpc.py │ ├── services │ │ ├── __init__.py │ │ ├── containers │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── containers_pb2.py │ │ │ │ └── containers_pb2_grpc.py │ │ ├── content │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── content_pb2.py │ │ │ │ └── content_pb2_grpc.py │ │ ├── diff │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── diff_pb2.py │ │ │ │ └── diff_pb2_grpc.py │ │ ├── events │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── events_pb2.py │ │ │ │ └── events_pb2_grpc.py │ │ ├── images │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── images_pb2.py │ │ │ │ └── images_pb2_grpc.py │ │ ├── introspection │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── introspection_pb2.py │ │ │ │ └── introspection_pb2_grpc.py │ │ ├── leases │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── leases_pb2.py │ │ │ │ └── leases_pb2_grpc.py │ │ ├── namespaces │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── namespace_pb2.py │ │ │ │ └── namespace_pb2_grpc.py │ │ ├── snapshots │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── snapshots_pb2.py │ │ │ │ └── snapshots_pb2_grpc.py │ │ ├── tasks │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── tasks_pb2.py │ │ │ │ └── tasks_pb2_grpc.py │ │ ├── ttrpc │ │ │ ├── __init__.py │ │ │ └── events │ │ │ │ ├── __init__.py │ │ │ │ └── v1 │ │ │ │ ├── __init__.py │ │ │ │ ├── events_pb2.py │ │ │ │ └── events_pb2_grpc.py │ │ └── version │ │ │ ├── __init__.py │ │ │ └── v1 │ │ │ ├── __init__.py │ │ │ ├── version_pb2.py │ │ │ └── version_pb2_grpc.py │ ├── types │ │ ├── __init__.py │ │ ├── descriptor_pb2.py │ │ ├── descriptor_pb2_grpc.py │ │ ├── metrics_pb2.py │ │ ├── metrics_pb2_grpc.py │ │ ├── mount_pb2.py │ │ ├── mount_pb2_grpc.py │ │ ├── platform_pb2.py │ │ ├── platform_pb2_grpc.py │ │ └── task │ │ │ ├── __init__.py │ │ │ ├── task_pb2.py │ │ │ └── task_pb2_grpc.py │ └── vendor │ │ ├── __init__.py │ │ └── gogoproto │ │ ├── __init__.py │ │ ├── gogo_pb2.py │ │ └── gogo_pb2_grpc.py ├── pybpf │ ├── __init__.py │ ├── assembler.py │ ├── common.py │ ├── disassembler.py │ ├── executor.py │ ├── main.py │ ├── pcap.py │ └── reader.py └── syscalls │ ├── __init__.py │ ├── mips.py │ └── x86_64.py ├── requirements.txt ├── seccomp-diff.code-workspace ├── seccomp_diff.py ├── seccomp_dump.py ├── tests ├── __init__.py └── test_seccomp.py ├── tools └── cluster-setup.sh ├── web.py └── web ├── static ├── css │ └── style.css ├── fonts │ ├── VisbyBold Italic.otf │ ├── VisbyBold.otf │ ├── VisbyExtrabold Italic.otf │ ├── VisbyExtrabold.otf │ ├── VisbyExtrabold.woff2 │ ├── VisbyHeavy Italic.otf │ ├── VisbyHeavy.otf │ ├── VisbyHeavy.woff2 │ ├── VisbyItalic.otf │ ├── VisbyLight Italic.otf │ ├── VisbyLight.otf │ ├── VisbyLight.woff2 │ ├── VisbyMedium Italic.otf │ ├── VisbyMedium.otf │ ├── VisbyMedium.woff2 │ ├── VisbyRegular.otf │ ├── VisbyRegular.woff2 │ ├── VisbySemibold Italic.otf │ ├── VisbySemibold.otf │ ├── VisbySemibold.woff2 │ ├── VisbyThin Italic.otf │ ├── VisbyThin.otf │ └── VisbyThin.woff2 ├── images │ ├── docker-icon.png │ └── kubernetes-icon.png ├── js │ ├── seccompdiff.js │ └── ui.js └── syscalls │ ├── accept.md │ ├── accept4.md │ ├── access.md │ ├── acct.md │ ├── add_key.md │ ├── adjtimex.md │ ├── afs.md │ ├── afs_syscall.md │ ├── alarm.md │ ├── arch_prctl.md │ ├── bdflush.md │ ├── bind.md │ ├── bpf.md │ ├── break.md │ ├── brk.md │ ├── capget.md │ ├── capset.md │ ├── chdir.md │ ├── chmod.md │ ├── chown.md │ ├── chown16.md │ ├── chroot.md │ ├── clock_adjtime.md │ ├── clock_adjtime64.md │ ├── clock_getres.md │ ├── clock_getres_time32.md │ ├── clock_gettime.md │ ├── clock_gettime32.md │ ├── clock_nanosleep.md │ ├── clock_nanosleep_time32.md │ ├── clock_settime.md │ ├── clock_settime32.md │ ├── clone.md │ ├── clone3.md │ ├── close.md │ ├── close_range.md │ ├── connect.md │ ├── copy_file_range.md │ ├── creat.md │ ├── create_module.md │ ├── delete_module.md │ ├── dup.md │ ├── dup2.md │ ├── dup3.md │ ├── epoll_create.md │ ├── epoll_create1.md │ ├── epoll_ctl.md │ ├── epoll_ctl_old.md │ ├── epoll_pwait.md │ ├── epoll_pwait2.md │ ├── epoll_wait.md │ ├── epoll_wait_old.md │ ├── eventfd.md │ ├── eventfd2.md │ ├── execve.md │ ├── execveat.md │ ├── exit.md │ ├── exit_group.md │ ├── faccessat.md │ ├── faccessat2.md │ ├── fadvise64.md │ ├── fadvise64_64.md │ ├── fallocate.md │ ├── fanotify_init.md │ ├── fanotify_mark.md │ ├── fchdir.md │ ├── fchmod.md │ ├── fchmodat.md │ ├── fchown.md │ ├── fchown16.md │ ├── fchownat.md │ ├── fcntl.md │ ├── fcntl64.md │ ├── fdatasync.md │ ├── fgetxattr.md │ ├── finit_module.md │ ├── flistxattr.md │ ├── flock.md │ ├── fork.md │ ├── fremovexattr.md │ ├── fsconfig.md │ ├── fsetxattr.md │ ├── fsmount.md │ ├── fsopen.md │ ├── fspick.md │ ├── fstat.md │ ├── fstat64.md │ ├── fstatfs.md │ ├── fstatfs64.md │ ├── fsync.md │ ├── ftime.md │ ├── ftruncate.md │ ├── ftruncate64.md │ ├── futex.md │ ├── futex_time32.md │ ├── futimesat.md │ ├── get_kernel_syms.md │ ├── get_mempolicy.md │ ├── get_robust_list.md │ ├── get_thread_area.md │ ├── getcpu.md │ ├── getcwd.md │ ├── getdents.md │ ├── getdents64.md │ ├── getegid.md │ ├── getegid16.md │ ├── geteuid.md │ ├── geteuid16.md │ ├── getgid.md │ ├── getgid16.md │ ├── getgroups.md │ ├── getgroups16.md │ ├── getitimer.md │ ├── getpeername.md │ ├── getpgid.md │ ├── getpgrp.md │ ├── getpid.md │ ├── getpmsg.md │ ├── getppid.md │ ├── getpriority.md │ ├── getrandom.md │ ├── getresgid.md │ ├── getresgid16.md │ ├── getresuid.md │ ├── getresuid16.md │ ├── getrlimit.md │ ├── getrusage.md │ ├── getsid.md │ ├── getsockname.md │ ├── getsockopt.md │ ├── gettid.md │ ├── gettimeofday.md │ ├── getuid.md │ ├── getuid16.md │ ├── getxattr.md │ ├── gtty.md │ ├── idle.md │ ├── index.md │ ├── init_module.md │ ├── inotify_add_watch.md │ ├── inotify_init.md │ ├── inotify_init1.md │ ├── inotify_rm_watch.md │ ├── io_cancel.md │ ├── io_destroy.md │ ├── io_getevents.md │ ├── io_pgetevents.md │ ├── io_pgetevents_time32.md │ ├── io_setup.md │ ├── io_submit.md │ ├── io_uring_enter.md │ ├── io_uring_register.md │ ├── io_uring_setup.md │ ├── ioctl.md │ ├── ioperm.md │ ├── iopl.md │ ├── ioprio_get.md │ ├── ioprio_set.md │ ├── ipc.md │ ├── kcmp.md │ ├── kexec_file_load.md │ ├── kexec_load.md │ ├── keyctl.md │ ├── kill.md │ ├── landlock_add_rule.md │ ├── landlock_create_ruleset.md │ ├── landlock_restrict_self.md │ ├── lchown.md │ ├── lchown16.md │ ├── lgetxattr.md │ ├── link.md │ ├── linkat.md │ ├── listen.md │ ├── listxattr.md │ ├── llistxattr.md │ ├── llseek.md │ ├── lock.md │ ├── lookup_dcookie.md │ ├── lremovexattr.md │ ├── lseek.md │ ├── lsetxattr.md │ ├── lstat.md │ ├── lstat64.md │ ├── madvise.md │ ├── mbind.md │ ├── membarrier.md │ ├── memfd_create.md │ ├── memfd_secret.md │ ├── migrate_pages.md │ ├── mincore.md │ ├── mkdir.md │ ├── mkdirat.md │ ├── mknod.md │ ├── mknodat.md │ ├── mlock.md │ ├── mlock2.md │ ├── mlockall.md │ ├── mmap.md │ ├── mmap2.md │ ├── modify_ldt.md │ ├── mount.md │ ├── mount_setattr.md │ ├── move_mount.md │ ├── move_pages.md │ ├── mprotect.md │ ├── mpx.md │ ├── mq_getsetattr.md │ ├── mq_notify.md │ ├── mq_open.md │ ├── mq_timedreceive.md │ ├── mq_timedreceive_time32.md │ ├── mq_timedsend.md │ ├── mq_timedsend_time32.md │ ├── mq_unlink.md │ ├── mremap.md │ ├── msgctl.md │ ├── msgget.md │ ├── msgrcv.md │ ├── msgsnd.md │ ├── msync.md │ ├── munlock.md │ ├── munlockall.md │ ├── munmap.md │ ├── name_to_handle_at.md │ ├── nanosleep.md │ ├── newfstatat.md │ ├── nfsservctl.md │ ├── nice.md │ ├── old_getrlimit.md │ ├── old_select.md │ ├── oldfstat.md │ ├── oldlstat.md │ ├── oldolduname.md │ ├── oldstat.md │ ├── olduname.md │ ├── open.md │ ├── open_by_handle_at.md │ ├── open_tree.md │ ├── openat.md │ ├── openat2.md │ ├── pause.md │ ├── perf_event_open.md │ ├── personality.md │ ├── pidfd_getfd.md │ ├── pidfd_open.md │ ├── pidfd_send_signal.md │ ├── pipe.md │ ├── pipe2.md │ ├── pivot_root.md │ ├── pkey_alloc.md │ ├── pkey_free.md │ ├── pkey_mprotect.md │ ├── poll.md │ ├── ppoll.md │ ├── ppoll_time32.md │ ├── prctl.md │ ├── pread64.md │ ├── preadv.md │ ├── preadv2.md │ ├── prlimit64.md │ ├── process_madvise.md │ ├── process_mrelease.md │ ├── process_vm_readv.md │ ├── process_vm_writev.md │ ├── prof.md │ ├── profil.md │ ├── pselect6.md │ ├── pselect6_time32.md │ ├── ptrace.md │ ├── putpmsg.md │ ├── pwrite64.md │ ├── pwritev.md │ ├── pwritev2.md │ ├── query_module.md │ ├── quotactl.md │ ├── quotactl_fd.md │ ├── read.md │ ├── readahead.md │ ├── readdir.md │ ├── readlink.md │ ├── readlinkat.md │ ├── readv.md │ ├── reboot.md │ ├── recvfrom.md │ ├── recvmmsg.md │ ├── recvmmsg_time32.md │ ├── recvmsg.md │ ├── remap_file_pages.md │ ├── removexattr.md │ ├── rename.md │ ├── renameat.md │ ├── renameat2.md │ ├── request_key.md │ ├── restart_syscall.md │ ├── rmdir.md │ ├── rseq.md │ ├── rt_sigaction.md │ ├── rt_sigpending.md │ ├── rt_sigprocmask.md │ ├── rt_sigqueueinfo.md │ ├── rt_sigreturn.md │ ├── rt_sigsuspend.md │ ├── rt_sigtimedwait.md │ ├── rt_sigtimedwait_time32.md │ ├── rt_tgsigqueueinfo.md │ ├── sched_get_priority_max.md │ ├── sched_get_priority_min.md │ ├── sched_getaffinity.md │ ├── sched_getattr.md │ ├── sched_getparam.md │ ├── sched_getscheduler.md │ ├── sched_rr_get_interval.md │ ├── sched_rr_get_interval_time32.md │ ├── sched_setaffinity.md │ ├── sched_setattr.md │ ├── sched_setparam.md │ ├── sched_setscheduler.md │ ├── sched_yield.md │ ├── seccomp.md │ ├── security.md │ ├── select.md │ ├── semctl.md │ ├── semget.md │ ├── semop.md │ ├── semtimedop.md │ ├── sendfile.md │ ├── sendfile32.md │ ├── sendmmsg.md │ ├── sendmsg.md │ ├── sendto.md │ ├── set_mempolicy.md │ ├── set_robust_list.md │ ├── set_thread_area.md │ ├── set_tid_address.md │ ├── setdomainname.md │ ├── setfsgid.md │ ├── setfsgid16.md │ ├── setfsuid.md │ ├── setfsuid16.md │ ├── setgid.md │ ├── setgid16.md │ ├── setgroups.md │ ├── setgroups16.md │ ├── sethostname.md │ ├── setitimer.md │ ├── setns.md │ ├── setpgid.md │ ├── setpriority.md │ ├── setregid.md │ ├── setregid16.md │ ├── setresgid.md │ ├── setresgid16.md │ ├── setresuid.md │ ├── setresuid16.md │ ├── setreuid.md │ ├── setreuid16.md │ ├── setrlimit.md │ ├── setsid.md │ ├── setsockopt.md │ ├── settimeofday.md │ ├── setuid.md │ ├── setuid16.md │ ├── setxattr.md │ ├── sgetmask.md │ ├── shmat.md │ ├── shmctl.md │ ├── shmdt.md │ ├── shmget.md │ ├── shutdown.md │ ├── sigaction.md │ ├── sigaltstack.md │ ├── signal.md │ ├── signalfd.md │ ├── signalfd4.md │ ├── sigpending.md │ ├── sigprocmask.md │ ├── sigreturn.md │ ├── sigsuspend.md │ ├── socket.md │ ├── socketcall.md │ ├── socketpair.md │ ├── splice.md │ ├── ssetmask.md │ ├── stat.md │ ├── stat64.md │ ├── statfs.md │ ├── statfs64.md │ ├── statx.md │ ├── stime.md │ ├── stty.md │ ├── swapoff.md │ ├── swapon.md │ ├── symlink.md │ ├── symlinkat.md │ ├── sync.md │ ├── sync_file_range.md │ ├── syncfs.md │ ├── sysctl.md │ ├── sysfs.md │ ├── sysinfo.md │ ├── syslog.md │ ├── tee.md │ ├── tgkill.md │ ├── time.md │ ├── timer_create.md │ ├── timer_delete.md │ ├── timer_getoverrun.md │ ├── timer_gettime.md │ ├── timer_gettime32.md │ ├── timer_settime.md │ ├── timer_settime32.md │ ├── timerfd_create.md │ ├── timerfd_gettime.md │ ├── timerfd_gettime32.md │ ├── timerfd_settime.md │ ├── timerfd_settime32.md │ ├── times.md │ ├── tkill.md │ ├── truncate.md │ ├── truncate64.md │ ├── tuxcall.md │ ├── ulimit.md │ ├── umask.md │ ├── umount.md │ ├── umount2.md │ ├── uname.md │ ├── unlink.md │ ├── unlinkat.md │ ├── unshare.md │ ├── uselib.md │ ├── userfaultfd.md │ ├── ustat.md │ ├── utime.md │ ├── utimensat.md │ ├── utimensat_time32.md │ ├── utimes.md │ ├── vfork.md │ ├── vhangup.md │ ├── vm86.md │ ├── vm86old.md │ ├── vmsplice.md │ ├── vserver.md │ ├── wait4.md │ ├── waitid.md │ ├── waitpid.md │ ├── write.md │ └── writev.md └── templates └── index.html /.github/workflows/bandit.yml: -------------------------------------------------------------------------------- 1 | name: Bandit Scan 2 | 3 | on: 4 | pull_request: 5 | branches: [ main ] 6 | 7 | jobs: 8 | bandit: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v3 12 | 13 | - name: Set up Python 14 | uses: actions/setup-python@v4 15 | with: 16 | python-version: '3.x' 17 | 18 | - name: Install Bandit 19 | run: pip install bandit 20 | 21 | - name: Run Bandit 22 | run: bandit -r . 23 | 24 | -------------------------------------------------------------------------------- /.github/workflows/gitleaks.yml: -------------------------------------------------------------------------------- 1 | name: Gitleaks Secrets Scan 2 | 3 | on: 4 | pull_request: 5 | branches: [ main ] 6 | 7 | jobs: 8 | gitleaks: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - name: Checkout 12 | uses: actions/checkout@v3 13 | 14 | - name: Run Gitleaks 15 | uses: gitleaks/gitleaks-action@v2 16 | with: 17 | args: "--verbose" 18 | 19 | -------------------------------------------------------------------------------- /.github/workflows/semgrep.yml: -------------------------------------------------------------------------------- 1 | name: Semgrep 2 | 3 | on: 4 | pull_request: 5 | types: [opened, synchronize, reopened] 6 | branches: [ "**" ] # All branches 7 | 8 | jobs: 9 | semgrep: 10 | runs-on: ubuntu-latest 11 | permissions: 12 | contents: read 13 | pull-requests: write # Needed for PR comments 14 | 15 | steps: 16 | - name: Checkout code 17 | uses: actions/checkout@v3 18 | 19 | - name: Run Semgrep 20 | uses: returntocorp/semgrep-action@v1 21 | with: 22 | config: auto # or use p/ci or a custom ruleset 23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | venv 2 | _todelete 3 | *.pyc 4 | __pycache__ 5 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # Use an official lightweight Python base image 2 | FROM python:3.9-slim as base 3 | 4 | # Set working directory 5 | WORKDIR /app 6 | 7 | # Install essential tools and dependencies 8 | RUN apt-get update && apt-get install -y --no-install-recommends \ 9 | gcc \ 10 | libseccomp-dev \ 11 | vim \ 12 | containerd \ 13 | && rm -rf /var/lib/apt/lists/* 14 | 15 | # Copy requirements first for caching 16 | COPY requirements.txt /app/ 17 | 18 | # Install Python dependencies 19 | RUN pip install --no-cache-dir --upgrade pip && \ 20 | pip install --no-cache-dir -r requirements.txt 21 | 22 | # Copy application files 23 | COPY common /app/common 24 | COPY lib /app/lib 25 | COPY web /app/web 26 | COPY ./*.py /app/ 27 | 28 | # Set Flask environment variables 29 | ENV FLASK_APP=web.py 30 | ENV FLASK_RUN_HOST=0.0.0.0 31 | ENV FLASK_ENV=development 32 | 33 | # Expose Flask's port 34 | EXPOSE 5000 35 | 36 | # Final cleanup for a smaller image 37 | RUN apt-get purge -y gcc && apt-get autoremove -y && rm -rf /var/lib/apt/lists/* 38 | 39 | # Command to run the Flask app 40 | CMD ["flask", "run", "--debug"] 41 | -------------------------------------------------------------------------------- /charts/seccomp-diff/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: seccomp-diff 3 | description: A Helm chart for deploying the seccomp-diff web service 4 | type: application 5 | version: 0.1.0 6 | appVersion: 1.0.0 -------------------------------------------------------------------------------- /charts/seccomp-diff/files/allow.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ALLOW", 3 | "architectures": [ 4 | "SCMP_ARCH_X86_64" 5 | ], 6 | "syscalls": [ 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /charts/seccomp-diff/files/custom.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "archMap": [ 4 | { 5 | "architecture": "SCMP_ARCH_X86_64", 6 | "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"] 7 | } 8 | ], 9 | "syscalls": [ 10 | { 11 | "names": ["read", "write", "exit", "sigreturn"], 12 | "action": "SCMP_ACT_ALLOW" 13 | } 14 | ] 15 | } 16 | -------------------------------------------------------------------------------- /charts/seccomp-diff/files/hello-world.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "architectures": [ 4 | "SCMP_ARCH_X86_64" 5 | ], 6 | "syscalls": [ 7 | { 8 | "names": [ 9 | "futex", 10 | "rt_sigaction", 11 | "rt_sigprocmask", 12 | "mmap", 13 | "clone3", 14 | "rt_sigreturn", 15 | "mprotect", 16 | "fcntl", 17 | "newfstatat", 18 | "read", 19 | "sigaltstack", 20 | "madvise", 21 | "close", 22 | "statfs", 23 | "gettid", 24 | "getrlimit", 25 | "getpid", 26 | "fstat", 27 | "munmap", 28 | "brk", 29 | "pread64", 30 | "access", 31 | "execve", 32 | "arch_prctl", 33 | "sched_getaffinity", 34 | "set_tid_address", 35 | "epoll_ctl", 36 | "openat", 37 | "readlinkat", 38 | "set_robust_list", 39 | "epoll_create1", 40 | "pipe2", 41 | "prlimit64", 42 | "getrandom", 43 | "rseq" 44 | ], 45 | "action": "SCMP_ACT_ALLOW" 46 | } 47 | ] 48 | } 49 | -------------------------------------------------------------------------------- /charts/seccomp-diff/files/random.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ALLOW", 3 | "syscalls": [ 4 | { 5 | "name": "execve", 6 | "action": "SCMP_ACT_LOG", 7 | "args": [ 8 | { 9 | "index": 0, 10 | "op": "SCMP_CMP_EQ", 11 | "value": 3 12 | }, 13 | { 14 | "index": 2, 15 | "op": "SCMP_CMP_EQ", 16 | "value": 4 17 | } 18 | ] 19 | }] 20 | } -------------------------------------------------------------------------------- /charts/seccomp-diff/files/random1.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_LOG", 3 | "architectures": [ 4 | "SCMP_ARCH_X86_64" 5 | ], 6 | "syscalls": [ 7 | { 8 | "names": [ 9 | "ptrace", 10 | "bpf", 11 | "reboot", 12 | "chroot", 13 | "setns" 14 | ], 15 | "action": "SCMP_ACT_ERRNO", 16 | "errnoRet": 99 17 | }, 18 | { 19 | "names": [ 20 | "perf_event_open", 21 | "init_module", 22 | "delete_module" 23 | ], 24 | "action": "SCMP_ACT_ERRNO", 25 | "errnoRet": 42 26 | } 27 | ] 28 | } 29 | -------------------------------------------------------------------------------- /charts/seccomp-diff/files/random2.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_LOG", 3 | "architectures": [ 4 | "SCMP_ARCH_X86_64" 5 | ], 6 | "syscalls": [ 7 | { 8 | "names": [ 9 | "mount", 10 | "umount2", 11 | "pivot_root", 12 | "unshare", 13 | "settimeofday" 14 | ], 15 | "action": "SCMP_ACT_ERRNO", 16 | "errnoRet": 1 17 | }, 18 | { 19 | "names": [ 20 | "mlockall", 21 | "modify_ldt", 22 | "iopl", 23 | "ioperm" 24 | ], 25 | "action": "SCMP_ACT_ERRNO", 26 | "errnoRet": 1 27 | } 28 | ] 29 | } 30 | -------------------------------------------------------------------------------- /charts/seccomp-diff/files/random3.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_LOG", 3 | "architectures": [ 4 | "SCMP_ARCH_X86_64" 5 | ], 6 | "syscalls": [ 7 | { 8 | "names": [ 9 | "ptrace", 10 | "bpf", 11 | "reboot", 12 | "delete_module" 13 | ], 14 | "action": "SCMP_ACT_ERRNO", 15 | "errnoRet": 1 16 | }, 17 | { 18 | "names": [ 19 | "mount", 20 | "umount2", 21 | "pivot_root", 22 | "unshare" 23 | ], 24 | "action": "SCMP_ACT_ERRNO", 25 | "errnoRet": 1 26 | }, 27 | { 28 | "names": [ 29 | "socket", 30 | "bind", 31 | "connect", 32 | "setsockopt", 33 | "getsockopt", 34 | "listen", 35 | "accept", 36 | "accept4" 37 | ], 38 | "action": "SCMP_ACT_ALLOW", 39 | "includes": { 40 | "caps": [ 41 | "CAP_NET_ADMIN" 42 | ] 43 | } 44 | } 45 | ] 46 | } 47 | -------------------------------------------------------------------------------- /charts/seccomp-diff/templates/demo-deployments.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.demos.enabled }} 2 | {{- range .Values.demos.deployments }} 3 | --- 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | name: {{ .name }} 8 | namespace: {{ $.Values.namespace }} # Dynamically set the namespace 9 | labels: 10 | app: {{ .name }} 11 | spec: 12 | replicas: 1 13 | selector: 14 | matchLabels: 15 | app: {{ .name }} 16 | template: 17 | metadata: 18 | labels: 19 | app: {{ .name }} 20 | spec: 21 | {{- if $.Values.nodename }} 22 | affinity: 23 | podAffinity: 24 | requiredDuringSchedulingIgnoredDuringExecution: 25 | - labelSelector: 26 | matchExpressions: 27 | - key: app 28 | operator: In 29 | values: 30 | - {{ $.Values.nodename }} 31 | topologyKey: "kubernetes.io/hostname" 32 | {{- end }} 33 | containers: 34 | - name: {{ .name }} 35 | image: {{ .image }} 36 | {{- if .command }} 37 | command: {{ .command }} 38 | {{- end }} 39 | resources: 40 | limits: 41 | cpu: 100m 42 | memory: 64Mi 43 | requests: 44 | cpu: 50m 45 | memory: 32Mi 46 | securityContext: 47 | seccompProfile: 48 | {{- if .type }} 49 | type: {{ .type }} 50 | {{- else }} 51 | type: Localhost 52 | localhostProfile: operator/{{ $.Values.namespace }}/{{ .seccompProfile }} 53 | {{- end }} 54 | {{- if .capabilities }} 55 | capabilities: 56 | add: 57 | {{- range .capabilities }} 58 | - {{ . | quote }} 59 | {{- end }} 60 | {{- end }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /charts/seccomp-diff/templates/namespace.yml: -------------------------------------------------------------------------------- 1 | {{- if .Values.namespace }} 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: {{ .Values.namespace }} 6 | labels: 7 | app: seccomp-diff 8 | {{- end }} -------------------------------------------------------------------------------- /charts/seccomp-diff/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: seccomp-diff 5 | labels: 6 | app: seccomp-diff 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: 5000 12 | protocol: TCP 13 | name: http 14 | selector: 15 | app: seccomp-diff -------------------------------------------------------------------------------- /charts/seccomp-diff/values.yaml: -------------------------------------------------------------------------------- 1 | namespace: seccomp-diff 2 | # nodename: shmoocon-cluster-v129cillium-controlplane 3 | 4 | image: 5 | repository: antitree/seccomp-diff 6 | tag: latest 7 | pullPolicy: Always 8 | 9 | service: 10 | type: ClusterIP 11 | port: 5000 12 | 13 | resources: 14 | limits: 15 | cpu: 500m 16 | memory: 256Mi 17 | requests: 18 | cpu: 250m 19 | memory: 128Mi 20 | 21 | nodeSelector: {} 22 | tolerations: [] 23 | affinity: {} 24 | 25 | ## Custom profiles supported by default: 26 | # profile-block-all.json (Warning!! will likely not let you start a container) 27 | # profile-complain-unsafe.json 28 | # profile-allow-unsafe.json 29 | # profile-complain-block-high-risk.json 30 | # profile-runc-default.json 31 | # profile-hello-shmoo.json 32 | # unconfined - none applied at all 33 | # RuntimeDefault - uses base runtime config 34 | 35 | demos: 36 | enabled: true 37 | deployments: 38 | - name: happyshmoocon-default 39 | image: antitree/happyshmoocon:latest 40 | type: RuntimeDefault 41 | - name: happyshmoocon-custom 42 | image: antitree/happyshmoocon:latest 43 | seccompProfile: "profile-happy-shmoocon.json" 44 | - name: demo4 45 | image: nginx:latest 46 | seccompProfile: "profile-complain-unsafe.json" 47 | - name: demo6 48 | image: nginx:latest 49 | type: RuntimeDefault -------------------------------------------------------------------------------- /common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/common/__init__.py -------------------------------------------------------------------------------- /common/bcc/tcp.py: -------------------------------------------------------------------------------- 1 | # Copyright 2018 Netflix, Inc. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # from include/net/tcp_states.h: 16 | tcpstate = {} 17 | tcpstate[1] = 'ESTABLISHED' 18 | tcpstate[2] = 'SYN_SENT' 19 | tcpstate[3] = 'SYN_RECV' 20 | tcpstate[4] = 'FIN_WAIT1' 21 | tcpstate[5] = 'FIN_WAIT2' 22 | tcpstate[6] = 'TIME_WAIT' 23 | tcpstate[7] = 'CLOSE' 24 | tcpstate[8] = 'CLOSE_WAIT' 25 | tcpstate[9] = 'LAST_ACK' 26 | tcpstate[10] = 'LISTEN' 27 | tcpstate[11] = 'CLOSING' 28 | tcpstate[12] = 'NEW_SYN_RECV' 29 | 30 | # from include/net/tcp.h: 31 | TCPHDR_FIN = 0x01 32 | TCPHDR_SYN = 0x02 33 | TCPHDR_RST = 0x04 34 | TCPHDR_PSH = 0x08 35 | TCPHDR_ACK = 0x10 36 | TCPHDR_URG = 0x20 37 | TCPHDR_ECE = 0x40 38 | TCPHDR_CWR = 0x80 39 | 40 | def flags2str(flags): 41 | arr = [] 42 | if flags & TCPHDR_FIN: 43 | arr.append("FIN") 44 | if flags & TCPHDR_SYN: 45 | arr.append("SYN") 46 | if flags & TCPHDR_RST: 47 | arr.append("RST") 48 | if flags & TCPHDR_PSH: 49 | arr.append("PSH") 50 | if flags & TCPHDR_ACK: 51 | arr.append("ACK") 52 | if flags & TCPHDR_URG: 53 | arr.append("URG") 54 | if flags & TCPHDR_ECE: 55 | arr.append("ECE") 56 | if flags & TCPHDR_CWR: 57 | arr.append("CWR") 58 | return "|".join(arr) 59 | -------------------------------------------------------------------------------- /common/bcc/version.py: -------------------------------------------------------------------------------- 1 | __version__ = '0.32.0+3845f7f6' 2 | -------------------------------------------------------------------------------- /common/bcc_test.py: -------------------------------------------------------------------------------- 1 | import bcc 2 | from sockfilter import SockFilter, SockFprog, RUNTIMEDEFAULT 3 | #import default 4 | 5 | d = bcc.disassembler.BPFDecoder() 6 | print(dir(d)) 7 | yolo = bcc.disassemble_prog(RUNTIMEDEFAULT) 8 | print(yolo) -------------------------------------------------------------------------------- /common/import_default.py: -------------------------------------------------------------------------------- 1 | input_file = "default.byte" 2 | output_file = "default.py" 3 | 4 | # Read and update lines 5 | with open(input_file, "r") as infile: 6 | lines = infile.readlines() 7 | 8 | updated_lines = [line.rstrip("\n") + ",\n" for line in lines] 9 | 10 | # Write the updated lines back to a new file 11 | with open(output_file, "w") as outfile: 12 | outfile.writelines(updated_lines) -------------------------------------------------------------------------------- /common/output.py: -------------------------------------------------------------------------------- 1 | from rich.table import Table 2 | from rich.table import Row 3 | 4 | class CustomTable(Table): 5 | def __init__(self, *args, **kwargs): 6 | super().__init__(*args, **kwargs) 7 | self._custom_rows = [] 8 | 9 | def add_custom_row(self, *args, **kwargs): 10 | row = CustomRow(*args) 11 | self._custom_rows.append(row) 12 | super().add_row(*args, **kwargs) 13 | 14 | def get_custom_row(self, index): 15 | return self._custom_rows[index] 16 | 17 | 18 | class Cell: 19 | def __init__(self, text): 20 | self.text = text 21 | 22 | class CustomRow(Row): 23 | def __init__(self, *cells, **kwargs): 24 | #super().__init__(*cells, **kwargs) 25 | self.cells = [Cell(cell) for cell in cells] 26 | 27 | def __getitem__(self, index): 28 | return self.cells[index] 29 | 30 | def __len__(self): 31 | return len(self.cells) # Optional: for len(row) -------------------------------------------------------------------------------- /common/output.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/common/output.txt -------------------------------------------------------------------------------- /common/seccomp.py: -------------------------------------------------------------------------------- 1 | # list seccomp pids 2 | import os 3 | 4 | FILTER = True 5 | 6 | # Iterate through all the folders in /proc 7 | print("PID Seccomp Mode") 8 | for pid in os.listdir('/proc'): 9 | if pid.isdigit(): 10 | # Get the command of the pid 11 | # cmdline_path = f"/proc/{pid}/cmdline" 12 | # if os.path.isfile(cmdline_path): 13 | # with open(cmdline_path, 'r') as cmdline_file: 14 | # cmd = cmdline_file.readlines() 15 | # print(cmd) 16 | 17 | status_path = f"/proc/{pid}/status" 18 | # Check if the status file exists for this PID 19 | cmd = "Unknown" 20 | if os.path.isfile(status_path): 21 | with open(status_path, 'r') as status_file: 22 | for line in status_file: 23 | if line.startswith("Name:"): 24 | cmd = line.split()[1] 25 | if line.startswith("Seccomp:"): 26 | seccomp_mode = line.split()[1] 27 | if FILTER and int(seccomp_mode) == 0: 28 | break 29 | else: 30 | # Print the PID and the seccomp value 31 | print(f"{cmd}({pid}) {seccomp_mode}") 32 | break 33 | 34 | -------------------------------------------------------------------------------- /examples/Dockerfile.seccomptools: -------------------------------------------------------------------------------- 1 | # Use a base image with Ruby pre-installed 2 | FROM ruby:latest 3 | 4 | # Set working directory 5 | WORKDIR /app 6 | 7 | # Install the seccomp-tools gem 8 | RUN gem install seccomp-tools 9 | 10 | # Verify installation 11 | RUN seccomp-tools --version 12 | 13 | # Set the default command 14 | CMD ["irb"] 15 | 16 | -------------------------------------------------------------------------------- /examples/demo2.webm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/examples/demo2.webm -------------------------------------------------------------------------------- /examples/deploy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: seccomp-diff 5 | labels: 6 | app: seccomp-diff 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: seccomp-diff 12 | template: 13 | metadata: 14 | labels: 15 | app: seccomp-diff 16 | spec: 17 | hostPID: true 18 | containers: 19 | - name: seccomp-diff 20 | image: antitree/seccomp-diff:latest 21 | securityContext: 22 | privileged: true 23 | capabilities: 24 | add: 25 | - SYS_PTRACE 26 | volumeMounts: 27 | - name: host-proc 28 | mountPath: /host/proc 29 | readOnly: true 30 | - name: docker-socket 31 | mountPath: /var/run/docker.sock # OPTIONAL for Docker 32 | - name: containerd-socket 33 | mountPath: /var/run/containerd/containerd.sock 34 | env: 35 | - name: PROC_PATH 36 | value: "/host/proc" 37 | command: ["flask"] 38 | args: ["run", "--debug"] 39 | volumes: 40 | - name: host-proc 41 | hostPath: 42 | path: /proc 43 | - name: docker-socket 44 | hostPath: 45 | path: /var/run/docker.sock # Host path for Docker socket 46 | - name: containerd-socket 47 | hostPath: 48 | path: /var/run/containerd/containerd.sock # Host path for Docker socket 49 | -------------------------------------------------------------------------------- /examples/docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Bash script to run the seccomp inspector container 4 | 5 | # Check if a PID was provided 6 | if [ -z "$1" ]; then 7 | echo "No PID provided. Please provide a PID to inspect." 8 | echo "Here are some example commands to list running processes and their PIDs:" 9 | echo " ps aux" # Lists all running processes with their PIDs 10 | echo " pstree -p" # Visualizes the process tree with PIDs 11 | echo " top" # Interactive view of running processes with PIDs 12 | exit 1 13 | fi 14 | 15 | PID=$1 16 | 17 | # Check if the provided PID exists 18 | if [ ! -e "/proc/$PID" ]; then 19 | echo "Error: PID $PID does not exist on the host." 20 | exit 1 21 | fi 22 | 23 | # Define the image name 24 | IMAGE_NAME="seccomp-dumper" 25 | 26 | # Run the Docker container with necessary permissions and arguments 27 | docker run --rm -it \ 28 | --pid=host \ 29 | --privileged \ 30 | --security-opt seccomp=unconfined \ 31 | --cap-add=SYS_PTRACE \ 32 | -v /proc:/host/proc:ro \ 33 | $IMAGE_NAME \ 34 | --summary $PID 35 | 36 | -------------------------------------------------------------------------------- /examples/happy_shmoocon.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/examples/happy_shmoocon.gif -------------------------------------------------------------------------------- /examples/happy_shmoocon.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultAction": "SCMP_ACT_ERRNO", 3 | "architectures": [ 4 | "SCMP_ARCH_X86_64", 5 | "SCMP_ARCH_X86", 6 | "SCMP_ARCH_X32" 7 | ], 8 | "syscalls": [ 9 | { 10 | "name": "", 11 | "action": "SCMP_ACT_ALLOW", 12 | "args": [], 13 | "names": [ 14 | "stat", 15 | "exit_group", 16 | "fork", 17 | "nanosleep", 18 | "rseq", 19 | "rt_sigprocmask", 20 | "rt_sigreturn", 21 | "sendmsg", 22 | "tkill", 23 | "uname", 24 | "close_range", 25 | "epoll_ctl", 26 | "faccessat2", 27 | "fcntl", 28 | "fstatfs", 29 | "read", 30 | "tgkill", 31 | "epoll_ctl", 32 | "fstatfs", 33 | "fstat", 34 | "wait4", 35 | "mprotect", 36 | "write", 37 | "newfstatat", 38 | "brk", 39 | "getrandom", 40 | "readlink", 41 | "prlimit64", 42 | "set_robust_list", 43 | "set_tid_address", 44 | "arch_prctl", 45 | "execve", 46 | "rt_sigaction", 47 | "getcwd", 48 | "mmap", 49 | "getuid", 50 | "close", 51 | "bpf", 52 | "sendto", 53 | "setgroups", 54 | "setuid", 55 | "chdir", 56 | "prctl", 57 | "capset", 58 | "getdents64", 59 | "futex", 60 | "lstat", 61 | "openat", 62 | "capget", 63 | "fchown", 64 | "setgid", 65 | "getpid", 66 | "getppid" 67 | ] 68 | } 69 | ] 70 | } -------------------------------------------------------------------------------- /examples/happy_shmoocon_web.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/examples/happy_shmoocon_web.png -------------------------------------------------------------------------------- /examples/hello_world: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/examples/hello_world -------------------------------------------------------------------------------- /examples/hello_world.diff1: -------------------------------------------------------------------------------- 1 | "accept4", 2 | "access", 3 | "arch_prctl", 4 | "bind", 5 | "brk", 6 | "capget", 7 | "capset", 8 | "chdir", 9 | "chmod", 10 | "chown", 11 | "clone", 12 | "close", 13 | "connect", 14 | "dup", 15 | "dup2", 16 | "epoll_create", 17 | "epoll_create1", 18 | "epoll_ctl", 19 | "epoll_pwait", 20 | "epoll_wait", 21 | "eventfd2", 22 | "execve", 23 | "exit", 24 | "exit_group", 25 | "faccessat2", 26 | "fchmodat", 27 | "fchownat", 28 | "fcntl", 29 | "fstat", 30 | "fstatfs", 31 | "futex", 32 | "getcwd", 33 | "getdents64", 34 | "getegid", 35 | "geteuid", 36 | "getgid", 37 | "getpid", 38 | "getppid", 39 | "getrandom", 40 | "getsockname", 41 | "getsockopt", 42 | "gettid", 43 | "getuid", 44 | "io_setup", 45 | "ioctl", 46 | "link", 47 | "linkat", 48 | "listen", 49 | "lseek", 50 | "lstat", 51 | "madvise", 52 | "mkdir", 53 | "mkdirat", 54 | "mknodat", 55 | "mmap", 56 | "mount", 57 | "mprotect", 58 | "mremap", 59 | "munmap", 60 | "nanosleep", 61 | "newfstatat", 62 | "openat", 63 | "openat2", 64 | "pipe", 65 | "pipe2", 66 | "pivot_root", 67 | "poll", 68 | "prctl", 69 | "pread64", 70 | "prlimit64", 71 | "pwrite64", 72 | "read", 73 | "readlink", 74 | "recvfrom", 75 | "rt_sigaction", 76 | "rt_sigprocmask", 77 | "rt_sigreturn", 78 | "rt_sigsuspend", 79 | "sched_yield", 80 | "set_robust_list", 81 | "set_tid_address", 82 | "setgid", 83 | "setgroups", 84 | "setpgid", 85 | "setsockopt", 86 | "setuid", 87 | "sigaltstack", 88 | "socket", 89 | "socketpair", 90 | "stat", 91 | "symlinkat", 92 | "sysinfo", 93 | "tgkill", 94 | "umount2", 95 | "uname", 96 | "unlink", 97 | "unlinkat", 98 | "utimensat", 99 | "vfork", 100 | "wait4", 101 | "write", 102 | "writev" -------------------------------------------------------------------------------- /examples/hello_world.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "fmt" 4 | 5 | func main() { 6 | fmt.Println("hello world") 7 | } 8 | -------------------------------------------------------------------------------- /examples/seccomp_diff.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/examples/seccomp_diff.gif -------------------------------------------------------------------------------- /examples/seccomp_example.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: nginx-seccomp 5 | labels: 6 | app: nginx-seccomp 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: nginx-seccomp 12 | template: 13 | metadata: 14 | labels: 15 | app: nginx-seccomp 16 | spec: 17 | containers: 18 | - name: nginx 19 | image: nginx:latest 20 | securityContext: 21 | seccompProfile: 22 | type: RuntimeDefault # Use the default seccomp profile 23 | ports: 24 | - containerPort: 80 25 | --- 26 | apiVersion: apps/v1 27 | kind: Deployment 28 | metadata: 29 | name: nginx-seccomp2 30 | labels: 31 | app: nginx-seccomp2 32 | spec: 33 | replicas: 1 34 | selector: 35 | matchLabels: 36 | app: nginx-seccomp2 37 | template: 38 | metadata: 39 | labels: 40 | app: nginx-seccomp2 41 | spec: 42 | containers: 43 | - name: nginx 44 | image: nginx:latest 45 | securityContext: 46 | capabilities: 47 | add: ["SYS_TIME", "NET_ADMIN"] 48 | seccompProfile: 49 | type: RuntimeDefault # Use the default seccomp profile 50 | ports: 51 | - containerPort: 80 52 | --- 53 | apiVersion: apps/v1 54 | kind: Deployment 55 | metadata: 56 | name: nginx-seccomp3 57 | labels: 58 | app: nginx-seccomp3 59 | spec: 60 | replicas: 1 61 | selector: 62 | matchLabels: 63 | app: nginx-seccomp3 64 | template: 65 | metadata: 66 | labels: 67 | app: nginx-seccomp3 68 | spec: 69 | containers: 70 | - name: nginx 71 | image: nginx:latest 72 | securityContext: 73 | capabilities: 74 | add: ["SYS_ADMIN"] 75 | seccompProfile: 76 | type: RuntimeDefault # Use the default seccomp profile 77 | ports: 78 | - containerPort: 80 79 | -------------------------------------------------------------------------------- /examples/tools-test.yml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: seccomptools 5 | labels: 6 | app: seccomptools 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: seccomptools 12 | template: 13 | metadata: 14 | labels: 15 | app: seccomptools 16 | spec: 17 | hostPID: true 18 | containers: 19 | - name: seccomptools 20 | image: antitree/seccomptools:latest 21 | securityContext: 22 | privileged: true # Grant full root privileges 23 | runAsUser: 0 # Run the container as root 24 | command: ["tail"] 25 | args: ["-f", "/dev/null"] # Keeps the container running indefinitely 26 | volumeMounts: 27 | - name: host-proc 28 | mountPath: /host/proc 29 | readOnly: true 30 | volumes: 31 | - name: host-proc 32 | hostPath: 33 | path: /proc 34 | -------------------------------------------------------------------------------- /lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/__init__.py -------------------------------------------------------------------------------- /lib/containerd/__init__.py: -------------------------------------------------------------------------------- 1 | # library/package semantic version 2 | __api_version__ = '1.5' 3 | __generation__ = 3 4 | -------------------------------------------------------------------------------- /lib/containerd/events/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/events/__init__.py -------------------------------------------------------------------------------- /lib/containerd/events/container_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/events/content_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/events/image_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/events/namespace_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/events/snapshot_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/events/task_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/protobuf/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/protobuf/__init__.py -------------------------------------------------------------------------------- /lib/containerd/protobuf/plugin/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/protobuf/plugin/__init__.py -------------------------------------------------------------------------------- /lib/containerd/protobuf/plugin/fieldpath_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/services/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/containers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/containers/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/containers/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/containers/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/content/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/content/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/content/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/content/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/diff/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/diff/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/diff/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/diff/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/events/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/events/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/events/v1/__init__.py: -------------------------------------------------------------------------------- 1 | import importlib 2 | import google.protobuf.symbol_database 3 | # use "from ... import ... as ..." instead of "import ... as ..." for backwards 4 | # compatibility with Python 3.6-, see also https://stackoverflow.com/a/24968941 5 | from containerd.services.events.v1 import events_pb2 as eventsv1 6 | 7 | # Loads all containerd.events.xxx modules, so they will register their message 8 | # classes with their corresponding type URLs. Only then we can then later look 9 | # them up from protobuf's default symbol database. Please note that this here 10 | # is the only place where we pull in modules when loading a package, and on 11 | # purpose: this allows users to unwrap all existing events from their 12 | # envelopes when watching events without having to import all necessary 13 | # containerd.event.xxx modules explicitly by themselves. 14 | for evmod in ('container', 'content', 'image', 'namespace', 'snapshot', 'task'): 15 | importlib.import_module("containerd.events.{}_pb2".format(evmod)) 16 | sdb = google.protobuf.symbol_database.Default() 17 | 18 | # Returns the event message object from inside an event envelope. 19 | def unwrap(envelope): 20 | if not isinstance(envelope, eventsv1.Envelope): 21 | raise TypeError('requires an object of class Envelope, not ' + type(envelope).__name__) 22 | try: 23 | return sdb.GetSymbol(envelope.event.type_url).FromString(envelope.event.value) 24 | except KeyError: 25 | # Keep silent if the event message inside the envelope cannot be 26 | # unwrapped, because the event's type_url is unknown to us. Then 27 | # simply return None. 28 | pass 29 | return None 30 | -------------------------------------------------------------------------------- /lib/containerd/services/images/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/images/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/images/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/images/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/introspection/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/introspection/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/introspection/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/introspection/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/leases/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/leases/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/leases/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/leases/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/namespaces/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/namespaces/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/namespaces/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/namespaces/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/snapshots/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/snapshots/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/snapshots/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/snapshots/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/tasks/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/tasks/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/tasks/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/tasks/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/ttrpc/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/ttrpc/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/ttrpc/events/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/ttrpc/events/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/ttrpc/events/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/ttrpc/events/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/version/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/version/__init__.py -------------------------------------------------------------------------------- /lib/containerd/services/version/v1/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/services/version/v1/__init__.py -------------------------------------------------------------------------------- /lib/containerd/types/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/types/__init__.py -------------------------------------------------------------------------------- /lib/containerd/types/descriptor_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/types/metrics_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/types/mount_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/types/platform_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/types/task/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/types/task/__init__.py -------------------------------------------------------------------------------- /lib/containerd/types/task/task_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/containerd/vendor/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/vendor/__init__.py -------------------------------------------------------------------------------- /lib/containerd/vendor/gogoproto/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/containerd/vendor/gogoproto/__init__.py -------------------------------------------------------------------------------- /lib/containerd/vendor/gogoproto/gogo_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | """Client and server classes corresponding to protobuf-defined services.""" 3 | import grpc 4 | 5 | -------------------------------------------------------------------------------- /lib/pybpf/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/pybpf/__init__.py -------------------------------------------------------------------------------- /lib/pybpf/common.py: -------------------------------------------------------------------------------- 1 | class BPFConstants(object): 2 | BPF_LD = 0x00 3 | BPF_LDX = 0x01 4 | BPF_ST = 0x02 5 | BPF_STX = 0x03 6 | BPF_ALU = 0x04 7 | BPF_JMP = 0x05 8 | BPF_RET = 0x06 9 | BPF_MISC = 0x07 10 | 11 | # ld/ldx fields 12 | BPF_W = 0x00 13 | BPF_H = 0x08 14 | BPF_B = 0x10 15 | 16 | BPF_IMM = 0x00 17 | BPF_ABS = 0x20 18 | BPF_IND = 0x40 19 | BPF_MEM = 0x60 20 | BPF_LEN = 0x80 21 | BPF_MSH = 0xa0 22 | 23 | # alu fields 24 | BPF_ADD = 0x00 25 | BPF_SUB = 0x10 26 | BPF_MUL = 0x20 27 | BPF_DIV = 0x30 28 | BPF_OR = 0x40 29 | BPF_AND = 0x50 30 | BPF_LSH = 0x60 31 | BPF_RSH = 0x70 32 | BPF_NEG = 0x80 33 | BPF_MOD = 0x90 34 | BPF_XOR = 0xa0 35 | 36 | # jmp fields 37 | BPF_JA = 0x00 38 | BPF_JEQ = 0x10 39 | BPF_JGT = 0x20 40 | BPF_JGE = 0x30 41 | BPF_JSET = 0x40 42 | 43 | BPF_K = 0x00 44 | BPF_X = 0x08 45 | 46 | # ret - BPF_K and BPF_X also apply */ 47 | BPF_A = 0x10 48 | 49 | # misc 50 | BPF_TAX = 0x00 51 | BPF_TXA = 0x80 52 | -------------------------------------------------------------------------------- /lib/pybpf/pcap.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | TCPDUMP_MAGIC = 0xa1b2c3d4L 4 | TCPDUMP_MAGIC_NANO = 0xa1b23c4d 5 | # Magic backwards 6 | PMUDPCT_MAGIC = 0xd4c3b2a1L 7 | PMUDPCT_MAGIC_NANO = 0x4d3cb2a1 8 | 9 | FILEHDR = "IHHIIII" 10 | FILEHDR_SIZE = struct.calcsize("=" + FILEHDR) 11 | PKTHDR = "IIII" 12 | PKTHDR_SIZE = struct.calcsize("=" + PKTHDR) 13 | 14 | 15 | # Very simple PCAP reader 16 | class PCAPReader(object): 17 | def __init__(self, fh): 18 | self.fh = fh 19 | 20 | hdr_bytes = fh.read(FILEHDR_SIZE) 21 | 22 | hdr = struct.unpack("<" + FILEHDR, hdr_bytes) 23 | if hdr[0] in (TCPDUMP_MAGIC, TCPDUMP_MAGIC_NANO): 24 | self.order = "<" 25 | elif hdr[0] in (PMUDPCT_MAGIC, PMUDPCT_MAGIC_NANO): 26 | self.order = ">" 27 | else: 28 | raise Exception("Not a tcpdump file") 29 | 30 | self.header = struct.unpack(self.order + FILEHDR, hdr_bytes) 31 | 32 | self.ts_div = 1000000.0 if hdr[0] == TCPDUMP_MAGIC else 1000000000.0 33 | 34 | def __iter__(self): 35 | return self 36 | 37 | def next(self): 38 | pkthdr_bytes = self.fh.read(PKTHDR_SIZE) 39 | if len(pkthdr_bytes) < PKTHDR_SIZE: 40 | raise StopIteration 41 | 42 | pkthdr = struct.unpack(self.order + PKTHDR, pkthdr_bytes) 43 | 44 | pkt_bytes = self.fh.read(pkthdr[2]) 45 | if len(pkthdr_bytes) < PKTHDR_SIZE: 46 | raise StopIteration 47 | 48 | return pkthdr[0] + pkthdr[1]/self.ts_div, pkthdr[3], pkt_bytes 49 | -------------------------------------------------------------------------------- /lib/syscalls/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/lib/syscalls/__init__.py -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | blinker==1.9.0 2 | certifi==2024.12.14 3 | charset-normalizer==3.4.1 4 | click==8.1.8 5 | docker==7.1.0 6 | Flask==3.1.0 7 | idna==3.10 8 | importlib_metadata==8.5.0 9 | itsdangerous==2.2.0 10 | Jinja2==3.1.6 11 | Markdown==3.7 12 | markdown-it-py==3.0.0 13 | MarkupSafe==3.0.2 14 | mdurl==0.1.2 15 | Pygments==2.18.0 16 | requests==2.32.3 17 | rich==13.9.4 18 | termcolor==2.5.0 19 | typing_extensions==4.12.2 20 | urllib3==2.3.0 21 | Werkzeug==3.1.3 22 | zipp==3.21.0 23 | protobuf==3.20.2 24 | grpcio 25 | grpcio-tools 26 | containerd 27 | -------------------------------------------------------------------------------- /seccomp-diff.code-workspace: -------------------------------------------------------------------------------- 1 | { 2 | "folders": [ 3 | { 4 | "path": "." 5 | } 6 | ] 7 | } -------------------------------------------------------------------------------- /seccomp_dump.py: -------------------------------------------------------------------------------- 1 | import common.ptrace as ptrace 2 | import argparse 3 | from rich.console import Console 4 | 5 | 6 | def main(): 7 | """Entry point for the script.""" 8 | parser = argparse.ArgumentParser(description="Inspect seccomp profiles for a given PID.") 9 | parser.add_argument("pid", type=int, nargs="?", help="PID of the process to inspect") 10 | parser.add_argument("--dump", action="store_true", help="Dump the raw seccomp filters") 11 | parser.add_argument("--summary", action="store_true", help="Display a summary of the seccomp filters") 12 | parser.add_argument("--list", action="store_true", help="Display a list of pids with seccomp filters") 13 | parser.add_argument("--allarch", action="store_true", help="Search for all syscalls across any architecture") 14 | 15 | args = parser.parse_args() 16 | 17 | if not args.list and args.pid is None: 18 | parser.error("PID is required unless --list is specified.") 19 | 20 | # If PID is provided and no other options are set, assume --dump 21 | if args.pid is not None and not (args.dump or args.summary or args.list or args.allarch): 22 | args.dump = True 23 | 24 | if args.list: 25 | table = ptrace.list_seccomp_pids() 26 | c = Console() 27 | c.print(table) 28 | else: 29 | ptrace.list_seccomp_filters(args.pid, dump=args.dump, summary=args.summary, allarch=args.allarch) 30 | 31 | if __name__ == "__main__": 32 | main() -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/tests/__init__.py -------------------------------------------------------------------------------- /tools/cluster-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Check if the Kubernetes cluster is accessible 4 | if ! kubectl cluster-info > /dev/null 2>&1; then 5 | echo "Error: Kubernetes cluster is not accessible. Please ensure you are connected to a cluster and try again." 6 | exit 1 7 | fi 8 | 9 | echo "Installing cert manager" 10 | kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml 11 | 12 | echo "Waiting for cert manager..." 13 | kubectl --namespace cert-manager wait --for condition=ready pod -l app.kubernetes.io/instance=cert-manager 14 | 15 | echo "Installing security profiles operator" 16 | kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/main/deploy/operator.yaml 17 | 18 | # Optional installation of operator framework 19 | curl -L https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.30.0/install.sh -o install.sh 20 | chmod +x ./install.sh 21 | ./install.sh v0.30.0 22 | 23 | echo "Setup complete. Ready to deploy seccomp-diff demos!" 24 | 25 | rm ./install.sh 26 | -------------------------------------------------------------------------------- /web/static/fonts/VisbyBold Italic.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyBold Italic.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyBold.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyBold.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyExtrabold Italic.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyExtrabold Italic.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyExtrabold.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyExtrabold.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyExtrabold.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyExtrabold.woff2 -------------------------------------------------------------------------------- /web/static/fonts/VisbyHeavy Italic.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyHeavy Italic.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyHeavy.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyHeavy.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyHeavy.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyHeavy.woff2 -------------------------------------------------------------------------------- /web/static/fonts/VisbyItalic.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyItalic.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyLight Italic.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyLight Italic.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyLight.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyLight.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyLight.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyLight.woff2 -------------------------------------------------------------------------------- /web/static/fonts/VisbyMedium Italic.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyMedium Italic.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyMedium.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyMedium.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyMedium.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyMedium.woff2 -------------------------------------------------------------------------------- /web/static/fonts/VisbyRegular.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyRegular.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyRegular.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyRegular.woff2 -------------------------------------------------------------------------------- /web/static/fonts/VisbySemibold Italic.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbySemibold Italic.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbySemibold.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbySemibold.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbySemibold.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbySemibold.woff2 -------------------------------------------------------------------------------- /web/static/fonts/VisbyThin Italic.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyThin Italic.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyThin.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyThin.otf -------------------------------------------------------------------------------- /web/static/fonts/VisbyThin.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/fonts/VisbyThin.woff2 -------------------------------------------------------------------------------- /web/static/images/docker-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/images/docker-icon.png -------------------------------------------------------------------------------- /web/static/images/kubernetes-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antitree/seccomp-diff/f61d5ff7bcbd614ee2d21f910310ee5a177cafb3/web/static/images/kubernetes-icon.png -------------------------------------------------------------------------------- /web/static/syscalls/adjtimex.md: -------------------------------------------------------------------------------- 1 | 2 | # adjtimex 3 | 4 | ## Intro 5 | adjtimex - adjust timekeeping variables with the aim of improving accuracy 6 | 7 | ## Description 8 | The `adjtimex` syscall is used to make adjustments to system clock variables. This syscall provides access to the Linux kernel time variables, making it possible to adjust the kernel’s clock frequency and phase, as well as the system time offset. 9 | 10 | When using `adjtimex`, it is important to remember that this syscall can modify important system variables. It may lead to side effects like clock desynchronization or even time rollbacks, making it important to be aware of the adjustments being performed to the system’s time variables. 11 | 12 | ## Arguments 13 | * `buf`: `struct timex*`[K] - a pointer to a `struct timex`. This argument contains the adjtimex settings. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | 18 | ## Hooks 19 | ### adjtimex 20 | #### Type 21 | Kprobes + tracepoints 22 | #### Purpose 23 | Monitoring and modifying system time variables. 24 | 25 | ## Example Use Case 26 | The `adjtimex` system call can be used to adjust the system's clock offset, frequency and phase. This can be used to provide better time synchronization if there is an issue with current system time accuracy. 27 | 28 | ## Issues 29 | It can lead to unexpected behavior if used incorrectly (e.g. time rollbacks). 30 | 31 | ## Related Events 32 | * settimeofday 33 | * clock_settime 34 | * do_adjtimex 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/brk.md: -------------------------------------------------------------------------------- 1 | 2 | # brk 3 | 4 | ## Intro 5 | brk - manipulates the calling process's data segment. 6 | 7 | ## Description 8 | The brk() system call changes the location of the program break, which 9 | defines the end of the process's data segment (i.e., the program break 10 | is the first location after the end of the uninitialized data segment). 11 | Increasing the program break has the effect of allocating memory to the 12 | process; decreasing the break deallocates memory. 13 | 14 | The functionality of the brk() system call is provided by libc, which 15 | implements brk() by calling the sbrk() system call. 16 | 17 | ## Arguments 18 | * `addr`:`void*`[K] - pointer to the requested address at which the program break would be set. 19 | 20 | ### Available Tags 21 | * K - Originated from kernel-space. 22 | 23 | ## Hooks 24 | ### sbrk 25 | #### Type 26 | Kprobe+Uprobe 27 | #### Purpose 28 | To hook this function to track when the program break is changed. 29 | 30 | ## Example Use Case 31 | brk() is used by programs to manage their own memory usage. This is 32 | particularly useful when dealing with dynamic memory allocation. 33 | 34 | ## Issues 35 | There is no guarantee that brk() will successfully allocate memory. 36 | Additionally, it can lead to memory fragmentation if memory is requested 37 | in large chunks rather than smaller ones. 38 | 39 | ## Related Events 40 | malloc - for allocating memory in chunks larger than the page size. 41 | 42 | > This document was automatically generated by OpenAI and needs review. It might 43 | > not be accurate and might contain errors. The authors of Tracee recommend that 44 | > the user reads the "events.go" source file to understand the events and their 45 | > arguments better. 46 | -------------------------------------------------------------------------------- /web/static/syscalls/chdir.md: -------------------------------------------------------------------------------- 1 | 2 | # chdir 3 | 4 | ## Intro 5 | chdir - Change the current working directory 6 | 7 | ## Description 8 | The chdir syscall allows the user to set the current working directory and affects the behavior of subsequent path-related syscals. The argument provided is a const char pointer, which points to the directory to which the working directory should be set. If a path is specified that does not exist or is not accessible, a -1 error code is returned 9 | 10 | ## Arguments 11 | * `path`:const char* - Pointer to a C-style string that holds the path of the directory to be set as the current working directory 12 | 13 | ### Available Tags 14 | * K - Originated from kernel-space. 15 | * U - Originated from user space (for example, pointer to user space memory used to get it) 16 | * OPT - Optional argument - might not always be available (passed with null value) 17 | 18 | ## Hooks 19 | ### sys\_chdir 20 | #### Type 21 | Kprobe 22 | #### Purpose 23 | To monitor and measure execution of the chdir syscall 24 | 25 | ## Example Use Case 26 | In some situation, it is useful to monitor chdir syscall invocations and to get various stats regarding their execution. One example of a situation that could benefit from this is separate attempts to change the working directory in a program. This data can be used to better understand the program's behavior or to detect any suspicious activity. 27 | 28 | ## Issues 29 | None. 30 | 31 | ## Related Events 32 | * execve - Execute program 33 | 34 | > This document was automatically generated by OpenAI and needs review. It might 35 | > not be accurate and might contain errors. The authors of Tracee recommend that 36 | > the user reads the "events.go" source file to understand the events and their 37 | > arguments better. 38 | -------------------------------------------------------------------------------- /web/static/syscalls/chown.md: -------------------------------------------------------------------------------- 1 | 2 | # chown 3 | 4 | ## Intro 5 | 6 | chown - change the owner and group of a file. 7 | 8 | ## Description 9 | 10 | The `chown()` system call is used to change the owner and group of a specified 11 | file or directory, determined by the parameter `pathname`. The new owner and 12 | group are specified by the `owner` and `group` arguments respectively. 13 | 14 | ## Arguments 15 | 16 | * `pathname`:`const char*`[U,TOCTOU] - Path to the file or directory whose owner and group are to be changed. 17 | * `owner`:`uid_t`[K] - User identifier of the new owner. 18 | * `group`:`gid_t`[K] - Group identifier of the new group. 19 | 20 | ### Available Tags 21 | 22 | * K - Originated from kernel-space. 23 | * U - Originated from user space. 24 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use). 25 | * OPT - Optional argument - might not always be available (passed with null value). 26 | 27 | ## Hooks 28 | 29 | ### sys_chown 30 | 31 | #### Type 32 | 33 | Tracepoint (through `sys_enter`). 34 | 35 | #### Purpose 36 | 37 | To observe and trace when the `chown()` system call is performed, collecting 38 | information about the file or directory, and the new owner and group. 39 | 40 | ## Example Use Case 41 | 42 | Monitoring changes in file or directory ownership in a system, especially when 43 | dealing with sensitive or critical files and directories. 44 | 45 | ## Issues 46 | 47 | The `chown()` system call can be subjected to TOCTOU issues, where the file or 48 | directory specified by `pathname` could be changed between the time of check and 49 | the time of use, leading to potential security risks. 50 | 51 | Using `fchownat()` deals with the symlink situation, removing the TOCTOU issue in 52 | that case. 53 | 54 | ## Related Events 55 | 56 | * fchown() 57 | * fchownat() 58 | * lchown() 59 | 60 | > This document was automatically generated by OpenAI and reviewed by a Human. 61 | -------------------------------------------------------------------------------- /web/static/syscalls/chroot.md: -------------------------------------------------------------------------------- 1 | 2 | # chroot 3 | 4 | ## Intro 5 | chroot() - changes the root directory of a process 6 | 7 | ## Description 8 | The chroot() system call changes the root directory of the calling process to the path specified in the path argument. This directory will be the new root directory for the calling process and all its children. The chroot() system call restricts the ability of a process to access files outside the new root directory. The process must have root privileges in order to successfully call chroot(). 9 | 10 | Edge cases/drawbacks: 11 | * This call should only be used under extreme circumstances since it is not reversible. 12 | 13 | 14 | ## Arguments 15 | * `path`:`const char*` - path of the new root directory. 16 | 17 | ### Available Tags 18 | * K - Originated from kernel-space. 19 | * U - Originated from user space (for example, pointer to user space memory used to get it) 20 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 21 | * OPT - Optional argument - might not always be available (passed with null value) 22 | 23 | ## Hooks 24 | ### execve 25 | #### Type 26 | kprobe. 27 | #### Purpose 28 | Hooked to detect a process that has been successfully chrooted. 29 | 30 | ## Example Use Case 31 | It can be used to detect malicious activity when a process inside the system is attempting to break out of its jailed environment. 32 | 33 | ## Issues 34 | The chroot() syscall should be used with extreme caution since it is not reversible and can be easily misused. 35 | 36 | ## Related Events 37 | * chdir - changes the current working directory of a process. 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | -------------------------------------------------------------------------------- /web/static/syscalls/clock_getres_time32.md: -------------------------------------------------------------------------------- 1 | 2 | # clock_getres_time32 3 | ## Intro 4 | clock_getres_time32 - retrieves the resolution of the specified clock. 5 | 6 | ## Description 7 | clock_getres_time32 retrives the resolution of the specified clock in struct old_timespec32 variable provided in the tp argument. This function allows information about the resolution of the clock to be queried, for use in accurately measuring time intervals. 8 | 9 | clock_getres_time32 exists for backward compatibility with 32bit systems, in replacement to clock_getres which takes timespec structure as an argument. 10 | 11 | ## Arguments 12 | * `which_clock`:`clockid_t`[K] - clock id use to query its resolution. Supported clocks are the same as with clock_gettime. 13 | * `tp`:`struct old_timespec32*`[KU] - pointer to a buffer where the resolution of the clock will be stored. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | * U - Originated from user space (for example, pointer to user space memory used to get it) 18 | 19 | ## Hooks 20 | ### sys_clock_getres_time32 21 | #### Type 22 | Kprobe 23 | #### Purpose 24 | To monitor and trace the execution of clock_getres_time32 syscall. 25 | 26 | ## Example Use Case 27 | clock_getres_time32 can be useful in various timing-related projects. For example, it can be used to compare the resolution of different clocks, or query a clock's resolution before a precise time measurement is taken with clock_gettime. 28 | 29 | ## Issues 30 | None. 31 | 32 | ## Related Events 33 | * clock_gettime - query the current time 34 | * clock_getres - query the resolution of a clock (64bit version) 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/clock_settime32.md: -------------------------------------------------------------------------------- 1 | 2 | # clock_settime32 3 | 4 | ## Intro 5 | clock_settime32 - set the time of the specified clock 6 | 7 | ## Description 8 | clock_settime32() sets the time of the clock specified by which_clock to the time given by tp. 9 | 10 | Advantages of using clock_settime32 is that it provides a way to set the time of the specified clock with a precision of nanoseconds, while drawbacks are that it doesn't change the system time, nor the time obtained with other clocks such as CLOCK_REALTIME. 11 | 12 | ## Arguments 13 | * `which_clock`:`clockid_t` - ID of the clock to set. 14 | * `tp`:`struct old_timespec32*` - pointer to a struct containing the new time of the specified clock. 15 | 16 | ### Available Tags 17 | * K - Originated from kernel-space. 18 | * U - Originated from user space (for example, pointer to user space memory used to get it) 19 | 20 | ## Hooks 21 | ### do_sys_clock_settime 22 | #### Type 23 | Kprobe + Kretprobe 24 | #### Purpose 25 | Hooked for observability purposes, to measure the execution time of clock_settime32 syscall and collect per-thread and per-process scenarios, such as library calls and user delay calls. 26 | 27 | ## Example Use Case 28 | clock_settime32 can be used to synchronize multiple applications running on the same machine by setting the same clock time with the same specified clock. 29 | 30 | ## Issues 31 | None. 32 | 33 | ## Related Events 34 | clock_gettime32 syscall. 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/eventfd2.md: -------------------------------------------------------------------------------- 1 | 2 | # eventfd2 3 | 4 | ## Intro 5 | eventfd2 - create/get an eventfd file descriptor for improved asynchronous handling of events. 6 | 7 | ## Description 8 | eventfd2 creates an "eventfd" object that can be used as an event wait/notify mechanism by user-space applications, and by the kernel to notify user-space applications of events. It is similar to the pipe system call, but the read/write operations on /dev/eventfd are atomic. The initval argument is a initial value of the counter; The flags argument is a bitmask of flags that affects the semantics of the create. 9 | 10 | ## Arguments 11 | * `initval`:`unsigned int`[U] - the initial value of the counter. 12 | * `flags`:`int`[U] - a bitmask which can be set to request specific eventfd features and/or classes of behavior. 13 | 14 | ### Available Tags 15 | * K - Originated from kernel-space. 16 | * U - Originated from user space (for example, pointer to user space memory used to get it) 17 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 18 | * OPT - Optional argument - might not always be available (passed with null value) 19 | 20 | ## Hooks 21 | ### sys_eventfd2 22 | #### Type 23 | Kprobe 24 | #### Purpose 25 | To track the execution of eventfd2 syscall. 26 | 27 | ## Example Use Case 28 | An application may use an eventfd object as a notification of an event, for example an overflow of a threshold, by setting initval to zero, and storing the count that triggered the event in the user space, each time the kernel reads the count, it will add the trigger count and set the counter to the initial value. 29 | 30 | ## Issues 31 | None. 32 | 33 | ## Related Events 34 | pipe(), poll() 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/exit.md: -------------------------------------------------------------------------------- 1 | 2 | # Exit 3 | 4 | ## Intro 5 | exit -- Cause normal process termination 6 | 7 | ## Description 8 | The `exit()` syscall is used to terminate the process that called it. All the 9 | resources held by the process, such as open files and memory mappings, are released 10 | as part of the process termination. The status code is passed to other processes 11 | to inform them about the termination of the process. 12 | 13 | ## Arguments 14 | * `status`:`int` - The status code of process which is returned to the parent 15 | process. The lower 8 bits of the status code contains the exiting status (please 16 | check the manual for more details). The higher 8 bit bits of the status code 17 | contain certain flags. 18 | 19 | ### Available Tags 20 | * K - Originated from kernel-space. 21 | * TOCTOU - vulnerable to TOCTOU (time of check, time of use) 22 | 23 | ## Hooks 24 | ### do_exit 25 | #### Type 26 | Kprobe 27 | #### Purpose 28 | Hook the kernel entry point to trace process termination. 29 | 30 | ## Example Use Case 31 | Analyzing the exit status code of children processes. 32 | 33 | ## Issues 34 | None 35 | 36 | ## Related Events 37 | The `fork()` and `exec()` syscalls are related to this event since they are used 38 | to create and load a new process which will eventually terminate with the `exit()` 39 | syscall. 40 | 41 | > This document was automatically generated by OpenAI and needs review. It might 42 | > not be accurate and might contain errors. The authors of Tracee recommend that 43 | > the user reads the "events.go" source file to understand the events and their 44 | > arguments better. 45 | -------------------------------------------------------------------------------- /web/static/syscalls/fanotify_init.md: -------------------------------------------------------------------------------- 1 | 2 | # fanotify_init 3 | 4 | ## Intro 5 | fanotify_init - initialize fanotify handle 6 | 7 | ## Description 8 | The fanotify_init() system call initializes the fanotify handle, which is used to register fanotify events and mark paths and files to be monitored with the `fanotify_mark` system call. This call allocates the required structures, sets the given flags and allocates an event queue. 9 | 10 | A fanotify handle can be used to monitor events in multiple directories by calling the `fanotify_mark` system call and the returned file descriptor can be monitored with `select()`, `poll()` or `epoll_wait()`. 11 | 12 | The flags used in fanotify_init determine the behavior of the fanotify handle. Some of the available flags are `FAN_CLOEXEC`, `FAN_NONBLOCK` and `FAN_UNLIMITED_QUEUE`. 13 | 14 | ## Arguments 15 | * `flags`:`unsigned int`[K] - set of flags used to determine the behavior of the fanotify handle. 16 | * `event_f_flags`:`unsigned int`[K] - set of event flags used to select the events to report to the fanotify handle. 17 | 18 | ### Available Tags 19 | * K - Originated from kernel-space. 20 | 21 | ## Hooks 22 | ### fanotify_init 23 | #### Type 24 | Probe 25 | #### Purpose 26 | To monitor events related to fanotify_init. 27 | 28 | ## Example Use Case 29 | A monitoring tool could use fanotify_init to create handles which it can then use to monitor files and directories for any changes and act on them. 30 | 31 | ## Issues 32 | There is a known issue that fanotify_init does not support 64-bit arguments. 33 | 34 | ## Related Events 35 | * fanotify_mark - set up fanotify notification 36 | * fanotify_close - close fanotify notification 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/fchown.md: -------------------------------------------------------------------------------- 1 | 2 | # fchown 3 | 4 | ## Intro 5 | 6 | fchown - change the owner and group of a file, using a file descriptor. 7 | 8 | ## Description 9 | 10 | The `fchown()` system call is used to change the owner and group of a specified 11 | file or directory, using a file descriptor to identify the file or directory. 12 | The new owner and group are specified by the `owner` and `group` arguments 13 | respectively. 14 | 15 | ## Arguments 16 | 17 | * `fd`:`int`[K] - The file descriptor of the file or directory whose owner and group are to be changed. 18 | * `owner`:`uid_t`[K] - User identifier of the new owner. 19 | * `group`:`gid_t`[K] - Group identifier of the new group. 20 | 21 | ### Available Tags 22 | 23 | * K - Originated from kernel-space. 24 | * U - Originated from user space. 25 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use). 26 | * OPT - Optional argument - might not always be available (passed with null value). 27 | 28 | ## Hooks 29 | 30 | ### sys_fchown 31 | 32 | #### Type 33 | 34 | Tracepoint (through `sys_enter`). 35 | 36 | #### Purpose 37 | 38 | To observe and trace when the `fchown()` system call is performed, collecting 39 | information about the file or directory, and the new owner and group. 40 | 41 | ## Example Use Case 42 | 43 | Monitoring changes in file or directory ownership in a system, especially in 44 | scenarios where file descriptors are used instead of file pathnames. 45 | 46 | ## Issues 47 | 48 | Unlike `chown()`, the `fchown()` system call uses a file descriptor, which can 49 | provide a level of safety against TOCTOU (time of check, time of use) issues as 50 | the file descriptor references the actual object and not the pathname. 51 | 52 | ## Related Events 53 | 54 | * chown() 55 | * fchownat() 56 | * lchown() 57 | 58 | > This document was automatically generated by OpenAI and reviewed by a Human. 59 | -------------------------------------------------------------------------------- /web/static/syscalls/fcntl.md: -------------------------------------------------------------------------------- 1 | 2 | # fcntl 3 | 4 | ## Intro 5 | fcntl - Manipulates file descriptor 6 | 7 | ## Description 8 | The fcntl system call is used to manipulate a file descriptor. It can be used to read and modify the flags associated with a particular file descriptor, including changing the non-blocking status and closing the file descriptor. It can also be used to implement file locking, sharing file descriptors between processes, and more. 9 | 10 | The function takes three arguments, a file descriptor ``fd``, an action ``cmd``, and an argument ``arg``. Depending on the action, the argument may or may not be used and can contain various values. 11 | 12 | ## Arguments 13 | * `fd`:`int` - The file descriptor to manipulate. 14 | * `cmd`:`int` - The type of operation to perform. 15 | * `arg`:`unsigned long` - An optional argument for some of the operations. 16 | 17 | ### Available Tags 18 | * K - Originated from kernel-space. 19 | * U - Originated from user space (for example, pointer to user space memory used to get it) 20 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 21 | * OPT - Optional argument - might not always be available (passed with null value) 22 | 23 | ## Hooks 24 | ### sys_fcntl 25 | #### Type 26 | Kprobe + Kretprobe. 27 | #### Purpose 28 | To trace all calls to sys_fcntl and return values. 29 | 30 | ## Example Use Case 31 | Tracking all attempts to change the non-blocking status of any file descriptor for debugging or security purposes. 32 | 33 | ## Issues 34 | None. 35 | 36 | ## Related Events 37 | * open 38 | * close 39 | * read 40 | * write 41 | * lseek 42 | 43 | > This document was automatically generated by OpenAI and needs review. It might 44 | > not be accurate and might contain errors. The authors of Tracee recommend that 45 | > the user reads the "events.go" source file to understand the events and their 46 | > arguments better. 47 | -------------------------------------------------------------------------------- /web/static/syscalls/ftime.md: -------------------------------------------------------------------------------- 1 | 2 | # ftime 3 | 4 | ## Intro 5 | ftime - Get and set the current system time 6 | 7 | ## Description 8 | The ftime() function gets the current time of day, expressed in seconds and milliseconds since the Epoch (00:00:00 UTC, January 1, 1970). It has the following parameters: 9 | 10 | * `buf`:`struct timeb *`[K] - a pointer to a `struct timeb` which will be filled in with the current time and date. 11 | * `tz`:`struct timezone *`[K] - an optional pointer to a `struct timezone`, which if supplied, is filled in with information about the local timezone. 12 | 13 | For both of these parameters, passing `NULL` will simply indicate that you do not want to receive the corresponding information. 14 | 15 | Using ftime() is not recommended for obtaining the current date and time, as there are more accurate methods, but it is most commonly used for calculating the execution time of a program. 16 | 17 | ### Available Tags 18 | * K - Originated from kernel-space. 19 | 20 | ## Hooks 21 | ### ftime 22 | #### Type 23 | Kprobes 24 | #### Purpose 25 | To observe the execution of ftime and observe the arguments passed to it. 26 | 27 | ## Example Use Case 28 | One use case for ftime would be to measure the time taken for a certain process or program to be completed. This can be done by obtaining the current time with ftime() before and after an operation, then subtracting the two to get the execution time. 29 | 30 | ## Issues 31 | The resolution of ftime() is limited at milliseconds, so it is not suitable for performance tuning operations for which higher accuracy is required. 32 | 33 | ## Related Events 34 | clock_gettime 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/ftruncate.md: -------------------------------------------------------------------------------- 1 | 2 | # ftruncate 3 | 4 | ## Intro 5 | ftruncate - scan event that occurs when the function is called to truncate a file 6 | 7 | ## Description 8 | The ftruncate() function truncates the file referenced by fd to the length specified by length. If the file previously was larger than length, the extra data is discarded. If the file previously was shorter, it is extended and the extended part reads as null bytes. 9 | 10 | The ftruncate() function can be used to resize just the size of the file, without altering its contents. 11 | 12 | ## Arguments 13 | * `fd`:int[K] - file descriptor for the file to be truncated 14 | * `length`:off_t[K] - desired length of the file 15 | 16 | ### Available Tags 17 | * K - Originated from kernel-space. 18 | 19 | ## Hooks 20 | ### sys_ftruncate 21 | #### Type 22 | kprobes 23 | #### Purpose 24 | To measure the size of the file before and after the truncate. 25 | 26 | ## Example Use Case 27 | ftruncate() can be used to truncate a log file after it has exceeded a certain size. 28 | 29 | ## Issues 30 | If the ftruncate operation fails, it returns -1 and sets errno. 31 | 32 | ## Related Events 33 | * fstat - to obtain information about file size prior to truncating 34 | * open - to obtain a file descriptor for a given file 35 | * write - to write to a file 36 | * read - to reed from a file 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/getegid.md: -------------------------------------------------------------------------------- 1 | 2 | # getegid 3 | 4 | ## Intro 5 | getegid - get process effective group ID 6 | 7 | ## Description 8 | The getegid() system call returns the effective group ID of the calling process. This is the group ID that the kernel uses when checking group permissions for the calling process. 9 | 10 | ## Arguments 11 | This syscall does not accept any arguments. 12 | 13 | ## Hooks 14 | ### getegid 15 | #### Type 16 | kprobe 17 | #### Purpose 18 | This function is hooked to collect data on process effective group ID 19 | 20 | ## Example Use Case 21 | getegid() is useful in multi-user systems to ensure that every user has the correct set of resource access permissions. 22 | 23 | ## Issues 24 | None 25 | 26 | ## Related Events 27 | * geteuid() - get process effective user ID 28 | 29 | > This document was automatically generated by OpenAI and needs review. It might 30 | > not be accurate and might contain errors. The authors of Tracee recommend that 31 | > the user reads the "events.go" source file to understand the events and their 32 | > arguments better. 33 | -------------------------------------------------------------------------------- /web/static/syscalls/getegid16.md: -------------------------------------------------------------------------------- 1 | 2 | # getegid16 3 | 4 | ## Intro 5 | getegid16 - get real group ID for the calling process 6 | 7 | ## Description 8 | getegid16 returns the real group ID of the calling process, as seen by the kernel. This call is functionally identical to getegid except that it takes a 16-bit argument, and returns 16-bit. 9 | 10 | The underlying system call returnes a 32-bit value, which is truncated and returned as a 16-bit integer. This call is mainly present on older systems, but new programs should rather use the getegid call if possible. 11 | 12 | ## Arguments 13 | This syscall does not take any arguments. 14 | 15 | ### Available Tags 16 | N/A 17 | 18 | ## Hooks 19 | The `sys_getegid16` function can be hooked. 20 | 21 | ### sys_getegid16 22 | #### Type 23 | Kprobes 24 | #### Purpose 25 | Kprobes provide the highest level of kernel instrumentation and can measure time at any byte-code level in any part of the kernel. By hooking into this function, it is possible to measure the kernel execution time for system calls. 26 | 27 | ## Example Use Case 28 | For example, this call can be used for measuring the latency of the system call in an embedded system or a system under high load. 29 | 30 | ## Issues 31 | N/A 32 | 33 | ## Related Events 34 | * `getegid` - returns the real group ID of the calling process. 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/geteuid.md: -------------------------------------------------------------------------------- 1 | 2 | # geteuid 3 | 4 | ## Intro 5 | geteuid - Retrieve the effective user ID. 6 | 7 | ## Description 8 | geteuid is a syscall used to retrieve the effective user ID of the current process. This value is used by the kernel when determining which operations are allowed to be executed by the current process. It can be used to enforce access control policies. 9 | 10 | The geteuid syscall does not take any parameters, which makes it simpler to use than other syscalls. However, it is important to note that the effective user ID may be different from the real user ID, as the kernel may allow certain processes to temporarily execute in a different user context. 11 | 12 | ## Arguments 13 | None 14 | 15 | ### Available Tags 16 | None 17 | 18 | ## Hooks 19 | ### geteuid 20 | #### Type 21 | Probe 22 | #### Purpose 23 | To monitor the effective user ID of the current process 24 | 25 | ## Example Use Case 26 | Using geteuid can be useful in a system that enforces access control policies, by ensuring that privileged operations are only allowed to be performed by processes with an effective user ID matching the expected one. 27 | 28 | ## Issues 29 | None 30 | 31 | ## Related Events 32 | getuid - Retrieve the real user ID. 33 | 34 | > This document was automatically generated by OpenAI and needs review. It might 35 | > not be accurate and might contain errors. The authors of Tracee recommend that 36 | > the user reads the "events.go" source file to understand the events and their 37 | > arguments better. 38 | -------------------------------------------------------------------------------- /web/static/syscalls/geteuid16.md: -------------------------------------------------------------------------------- 1 | 2 | # geteuid16 3 | 4 | ## Intro 5 | geteuid16 - Get the user ID of the current user. 6 | 7 | ## Description 8 | geteuid16 is a system call in Linux which returns the user id of the user associated with the current process. It does not take any arguments, and simply returns the requested user ID type. It is notable for being a compatibility call for older binaries which were intended to be used with different architectures. 9 | 10 | The advantages of using geteuid16 are that it is very simple to use, does not take any arguments and does not depend on any context; the user ID is simply returned as trivially as possible. 11 | 12 | ## Arguments 13 | * This syscall does not take any arguments. 14 | 15 | ### Available Tags 16 | This syscall does not have any tags. 17 | 18 | ## Hooks 19 | ### sys_geteuid16 20 | #### Type 21 | kprobe 22 | #### Purpose 23 | To detect when the geteuid16 system call has been called. 24 | 25 | ## Example Use Case 26 | A security policy may include the requirement that only privileged users should be able to call geteuid16. This syscall can be used in conjunction with other monitoring systems to detect any unauthorized access attempts. 27 | 28 | ## Issues 29 | As geteuid16 is a compatibility syscall, there is a slight chance of it being obsolete and/or unavailable if its intended architecture is no longer supported. 30 | 31 | ## Related Events 32 | * getuid16 33 | 34 | > This document was automatically generated by OpenAI and needs review. It might 35 | > not be accurate and might contain errors. The authors of Tracee recommend that 36 | > the user reads the "events.go" source file to understand the events and their 37 | > arguments better. 38 | -------------------------------------------------------------------------------- /web/static/syscalls/getgid16.md: -------------------------------------------------------------------------------- 1 | 2 | # getgid16 3 | 4 | ## Intro 5 | getgid16 - Get the real group ID of the calling process 6 | 7 | ## Description 8 | This system call gets the real group ID of the calling process. This is a wrapper for the 64-bit system call, which is expected to be faster than the 32-bit system call. There are no edge cases, drawbacks or advantages when using this system call. 9 | 10 | ## Arguments 11 | * `None`: void - No arguments used 12 | 13 | ### Available Tags 14 | * None - This call does not have any available tags. 15 | 16 | ## Hooks 17 | 18 | ### sys_getgid16 19 | 20 | #### Type 21 | kprobe 22 | 23 | #### Purpose 24 | Hooking this function is used for debugging and inspecting the state of the system call in order to gain insight into how the real group ID of the calling process is determined. 25 | 26 | ## Example Use Case 27 | This system call is used to get the group ID of the user that executed a specific process. This is useful for getting access control information or writing scripts based on process identities. 28 | 29 | ## Issues 30 | There are no known issues with this system call. 31 | 32 | ## Related Events 33 | * getuid16 - Get the real user ID of the calling process 34 | * setgid16 - Set the real group ID of the calling process 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/getgroups.md: -------------------------------------------------------------------------------- 1 | 2 | # getgroups 3 | 4 | ## Intro 5 | getgroups - get group access list for user 6 | 7 | ## Description 8 | The getgroups() system call gets the group access list for the current user, and places it in the array pointed to by list. It returns the size of the group access list in size. 9 | 10 | Access list is that set of supplementary group IDs associated with the calling process, initialised from the /etc/passwd file when each user first logs in. 11 | 12 | ## Arguments 13 | * `size`:`int`[K] - the size of the array in list 14 | * `list`:`gid_t*`[KU] - pointer to an array of gid_t which will be filled with the group access list 15 | 16 | ### Available Tags 17 | * K - Originated from kernel-space. 18 | * U - Originated from user space (for example, pointer to user space memory used to get it) 19 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 20 | * OPT - Optional argument - might not always be available (passed with null value) 21 | 22 | ## Hooks 23 | ### sys_getgroups 24 | #### Type 25 | Kprobes 26 | #### Purpose 27 | To get group access list for user. 28 | 29 | ## Example Use Case 30 | getgroups() is often used before setgroups() to obtain the list of current group IDs associated with the calling process, so it can be used for auditing and logging changes to the group access list. 31 | 32 | ## Issues 33 | No known issues. 34 | 35 | ## Related Events 36 | setgroups() - set group access list for user 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/getpgrp.md: -------------------------------------------------------------------------------- 1 | 2 | # getpgrp 3 | 4 | ## Intro 5 | getpgrp - get the process group ID of the calling process 6 | 7 | ## Description 8 | The getpgrp() function returns the process group ID of the calling process. Process groups are the mechanism used by drivers implementing job control. 9 | 10 | getpgrp() is the equivalent of getpgid(0), getpgid() can be used to get the process group ID for another process; see getpgid(2). 11 | 12 | The main advantage of using getpgrp() is that it saves an expensive system call (in the case of getpgid(2)). On the other hand, getpgrp() can be only used with the calling process. 13 | 14 | ## Arguments 15 | No arguments for this system call. 16 | 17 | ## Hooks 18 | ### sys_getpgrp 19 | #### Type 20 | Kprobe 21 | #### Purpose 22 | To log a trace when the getpgrp() system call is called. 23 | 24 | ## Example Use Case 25 | This system call can be used by a service or daemon that needs to change the process group ID in order to run a command or to determine the process group ID to check if it is a child process. 26 | 27 | ## Issues 28 | This system call does not have any known issues. 29 | 30 | ## Related Events 31 | getpgid(2) - get a process group ID of another process 32 | 33 | > This document was automatically generated by OpenAI and needs review. It might 34 | > not be accurate and might contain errors. The authors of Tracee recommend that 35 | > the user reads the "events.go" source file to understand the events and their 36 | > arguments better. 37 | -------------------------------------------------------------------------------- /web/static/syscalls/getpmsg.md: -------------------------------------------------------------------------------- 1 | 2 | # getpmsg 3 | 4 | ## Intro 5 | getpmsg - delivers the next message on a STREAMS pipe 6 | 7 | ## Description 8 | The getpmsg() system call is used to read message from a STREAMS pipe. A message from the pipe is either read into the buffers that are specified by the `ctrlptr`, `datptr`, `flags` and `bandp` arguments, or it is skipped depending on the settings of `flags`. 9 | 10 | getpmsg() is useful in applications dealing with STREAMS pipes where messages have different priority and should be read in different order than they are available. 11 | 12 | ## Arguments 13 | * `fd`:`int`[K] - file descriptor associated with the STREAMS pipe 14 | * `ctrlptr`:`void *`[K] - pointer to buffer for control information 15 | * `datptr`:`void *`[K] - pointer to buffer for data 16 | * `bandp`:`int *`[K] - pointer to a variable for indicating the band of the message 17 | * `flags`:`int`[K] - flags indicating how the messages should be delivered 18 | 19 | ### Available Tags 20 | * K - Originated from kernel-space. 21 | 22 | ## Hooks 23 | ### getpmsg 24 | #### Type 25 | Kprobes 26 | #### Purpose 27 | To measure the time taken by the getpmsg syscall. 28 | 29 | ## Example Use Case 30 | getpmsg() can be used in applications that read messages from STREAMS pipes. For example, a text editor can use getpmsg() to read messages from a STREAMS pipe and display them in the application window. 31 | 32 | ## Issues 33 | Due to the asynchronous nature of STREAMS pipes, it is possible that getpmsg() will read an invalid message, or a message intended for a different application. 34 | 35 | ## Related Events 36 | * getmsg 37 | * putmsg 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | -------------------------------------------------------------------------------- /web/static/syscalls/getppid.md: -------------------------------------------------------------------------------- 1 | 2 | # getppid 3 | 4 | ## Intro 5 | getppid - return the process ID of the parent of the calling process 6 | 7 | ## Description 8 | The `getppid()` system call is used to determine the PID of the parent of the calling process. This is an important information for parent-child process relationships, as the PPID value for the parent of the process can be used to separate process hierarchies. The return value is a positive number, or zero if the parent process does not exist. 9 | 10 | There are some edge cases and drawbacks to using `getppid()`. For example, a process can check its parent process ID with `getppid()` but this value is not guaranteed to stay the same over the course of execution. Furthermore, if the parent process has exited, then getppid will return zero, which is not very helpful. 11 | 12 | ## Arguments 13 | **No arguments** 14 | 15 | ## Hooks 16 | ### sys_getppid 17 | #### Type 18 | kprobe 19 | #### Purpose 20 | To trace all calls to `getppid()` in the kernel. 21 | 22 | ## Example Use Case 23 | By generating trace events at each `sys_getppid` occurrence, one can get all of the process IDs in the parent-child process tree and maintain a timeline of process creation and exits. 24 | 25 | ## Issues 26 | If the parent of a process exits and is replaced with a different process of the same PID, then `getppid` would return the same value, leading to potential confusion. 27 | 28 | ## Related Events 29 | * `execve` - checks whether the current process is the parent of a given process 30 | * `fork` - creates a new process that is the parent of the calling process 31 | 32 | > This document was automatically generated by OpenAI and needs review. It might 33 | > not be accurate and might contain errors. The authors of Tracee recommend that 34 | > the user reads the "events.go" source file to understand the events and their 35 | > arguments better. 36 | -------------------------------------------------------------------------------- /web/static/syscalls/getresgid16.md: -------------------------------------------------------------------------------- 1 | 2 | # getresgid16 3 | 4 | ## Intro 5 | getresgid16 - get the real, effective, and saved group IDs of the calling process 6 | 7 | ## Description 8 | The getresgid16() system call gets the real, effective, and saved group IDs of the calling process (in that order). 9 | 10 | Using this call, a process can be sure that its real, effective and saved group IDs are the same. This can help with privilege elevation when changing credentials. 11 | 12 | Since it takes no arguments, there are no edge-cases or drawbacks, however, in kernel versions prior to 4.20 the `allocated` argument was present and had to be set to the size of the `old_gid_t` type, which might be confusing for some. 13 | 14 | ## Arguments 15 | * `rgid`:`old_gid_t*`[K] - Pointer to the real group ID of the caller. 16 | * `egid`:`old_gid_t*`[K] - Pointer to the effective group ID of the caller. 17 | * `sgid`:`old_gid_t*`[K] - Pointer to the saved group ID of the caller. 18 | 19 | ### Available Tags 20 | * K - Originated from kernel-space. 21 | 22 | ## Hooks 23 | ### do_getresgid16 24 | #### Type 25 | Kprobe 26 | #### Purpose 27 | To allow users to trace or monitor calls to the getresgid16() system call from user space. 28 | 29 | ## Example Use Case 30 | Monitoring the progress of setting the caller's real, effective, and saved group IDs. 31 | 32 | ## Issues 33 | In some kernels, the `allocated` argument had to be set to the size of the `old_gid_t` type, but this was deprecated in kernel 4.20. 34 | 35 | ## Related Events 36 | * setresgid16 - set the real, effective, and saved group IDs of the calling process 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/getsid.md: -------------------------------------------------------------------------------- 1 | 2 | # getsid 3 | 4 | ## Intro 5 | getsid - get the session ID of a process 6 | 7 | ## Description 8 | getsid() returns the session ID of the process specified in pid. If pid is zero, the call applies to the calling process. If pid is not a member of the current session, getsid() returns -1 and sets errno to ESRCH. The current session ID is determined by a call to getsid() for the process specified in pid equal to 0. 9 | 10 | ## Arguments 11 | * `pid`:`pid_t` - the PID of the process whose session ID will be returned. 12 | 13 | ### Available Tags 14 | N/A 15 | 16 | ## Hooks 17 | ### sys_getsid 18 | #### Type 19 | Kprobes 20 | #### Purpose 21 | Enable more fine-grained tracing in the user and system level by tracing 22 | through the process executed code. 23 | 24 | ## Example Use Case 25 | Example of a use case for getsid would be implementing a process that 26 | replaces the current session's leader process with a new one, or getting 27 | the PID and session ID of newly created processes to ensure they were not 28 | orphaned. 29 | 30 | ## Issues 31 | It needs to be monitored carefully when using getsid() on processes that 32 | do not belong to the calling process’s session in order to prevent malicious 33 | actions such as hijacking of processes running in different sessions. 34 | 35 | ## Related Events 36 | getpgid, setpgid, setsid 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/gettid.md: -------------------------------------------------------------------------------- 1 | 2 | # gettid 3 | 4 | ## Intro 5 | gettid - return the caller's thread ID (TID) 6 | 7 | ## Description 8 | gettid() returns the caller's thread ID. On success, the thread ID of the calling thread is returned. On error, (pid_t)-1 is returned, and errno is set to indicate the cause of the error. 9 | 10 | A thread ID is only guaranteed to be unique within a process. There are no two threads in the same process whose thread IDs are the same. 11 | 12 | ## Arguments 13 | * `None`:`N/A`[K] - gettid does not require any arguments 14 | 15 | ### Available Tags 16 | K - Originated from kernel-space. 17 | 18 | ## Hooks 19 | ### gettid 20 | #### Type 21 | Kprobe 22 | #### Purpose 23 | To get information about the thread ID of the calling thread. 24 | 25 | ## Example Use Case 26 | This event can be used in a multi-threaded program to get information about the threads running in the program. 27 | 28 | ## Issues 29 | None 30 | 31 | ## Related Events 32 | getpid - return the caller's process ID 33 | 34 | > This document was automatically generated by OpenAI and needs review. It might 35 | > not be accurate and might contain errors. The authors of Tracee recommend that 36 | > the user reads the "events.go" source file to understand the events and their 37 | > arguments better. 38 | -------------------------------------------------------------------------------- /web/static/syscalls/getuid.md: -------------------------------------------------------------------------------- 1 | 2 | # getuid 3 | 4 | ## Intro 5 | getuid - Retrieve user identity 6 | 7 | ## Description 8 | This event retrieves the user identity of the calling process. This is usually the real user ID of the calling process, but may be changed to the effective user ID or saved user ID depending on the implementation of the calling process. 9 | 10 | The getuid event is useful for authentication of process and user identities in systems which require privilege separation. However, there are some potential drawbacks: it may not be possible to differentiate processes across userid boundaries, or between related userids in certain implementations. 11 | 12 | ## Arguments 13 | no arguments 14 | 15 | ### Available Tags 16 | none 17 | 18 | ## Hooks 19 | ### getuid 20 | #### Type 21 | Kprobe 22 | #### Purpose 23 | For auditing, logging or tracing purposes, the getuid event can be used to monitor and log the user identity of a process. 24 | 25 | ## Example Use Case 26 | The getuid event can be used to trace users who are using a program or an application in order to track the usage of the program. 27 | 28 | ## Issues 29 | The getuid event may not be able to differentiate between processes running with different userids in certain implementations. 30 | 31 | ## Related Events 32 | * geteuid - Retrieve effective user identity 33 | * getresuid - Get real, effective and saved user identity 34 | 35 | > This document was automatically generated by OpenAI and needs review. It might 36 | > not be accurate and might contain errors. The authors of Tracee recommend that 37 | > the user reads the "events.go" source file to understand the events and their 38 | > arguments better. 39 | -------------------------------------------------------------------------------- /web/static/syscalls/getuid16.md: -------------------------------------------------------------------------------- 1 | 2 | # getuid16 3 | 4 | ## Intro 5 | getuid16 - get the real user ID of the calling process 6 | 7 | ## Description 8 | The getuid16() system call returns the real user ID of the calling process. It may be used to check if the user has the appropriate privileges to perform certain operations. getuid16() and geteuid16() pair together in order to determine the effective and real user ID that the process is running under. There are no edge cases or drawbacks to using this system call, however, it is important to note that a process can only view the real user ID of itself, as opposed to other processes. 9 | 10 | ## Arguments 11 | * `void`: `void` - This system call takes no arguments. 12 | 13 | ## Hooks 14 | ### sys_getuid16 15 | #### Type 16 | Kprobe 17 | #### Purpose 18 | To examine the processes that are making this system call. 19 | 20 | ## Example Use Case 21 | This system call can be used to check for certain privileges or access rights of the user in order to allow certain operations to be executed. For example, a web application could use this system call to check for the user ID of the currently logged in user and then determine if that user has permission to delete or modify certain content. 22 | 23 | ## Issues 24 | There are no known issues with this system call. 25 | 26 | ## Related Events 27 | * geteuid16 - get the effective user ID of the calling process 28 | * setuid16 - set the real user ID and effective user ID of the calling process 29 | 30 | > This document was automatically generated by OpenAI and needs review. It might 31 | > not be accurate and might contain errors. The authors of Tracee recommend that 32 | > the user reads the "events.go" source file to understand the events and their 33 | > arguments better. 34 | -------------------------------------------------------------------------------- /web/static/syscalls/gtty.md: -------------------------------------------------------------------------------- 1 | 2 | # gtty 3 | 4 | ## Intro 5 | gtty - Set or get terminal attributes 6 | 7 | ## Description 8 | The gtty syscall is used to enable/disable certain terminal attributes. This includes toggling echoing of typed characters, the end-of-line behavior and special control characters. Additionally, these attributes can be set for the controlling terminal as well. 9 | 10 | The syscall also allows querying current terminal attributes. This can be useful for some applications to determine the current state of the terminal and set the same for the output. 11 | 12 | ## Arguments 13 | No arguments 14 | 15 | ## Hooks 16 | ### gtty 17 | #### Type 18 | Kprobe 19 | #### Purpose 20 | To monitor the manipulation of terminal parameters. 21 | 22 | ## Example Use Case 23 | An application that uses several terminal attributes, like an ANSI escape sequence enabled terminal emulator. By using gtty, these terminal parameters can be applied to the terminal to ensure a correct display. 24 | 25 | ## Issues 26 | There are no known issues with this syscall. 27 | 28 | ## Related Events 29 | * stty: Set or get terminal attributes 30 | 31 | > This document was automatically generated by OpenAI and needs review. It might 32 | > not be accurate and might contain errors. The authors of Tracee recommend that 33 | > the user reads the "events.go" source file to understand the events and their 34 | > arguments better. 35 | -------------------------------------------------------------------------------- /web/static/syscalls/index.md: -------------------------------------------------------------------------------- 1 | # Syscalls 2 | 3 | Tracee supports tracing all Linux system calls. To trace a system call, use it's name as the event name. For example, to trace the `open` system call, use the `open` event name. The arguments of the system call will be available as event arguments. For more information about system calls, please consult the [man pages](https://man7.org/linux/man-pages/dir_section_2.html). 4 | -------------------------------------------------------------------------------- /web/static/syscalls/io_destroy.md: -------------------------------------------------------------------------------- 1 | 2 | # io_destroy 3 | 4 | ## Intro 5 | 'io_destroy' - destroys an io_context. 6 | 7 | ## Description 8 | The io_destroy() system call function is used to destroy the io_context structure and free operation associated with it. The io_context structure may be freed after all operations have finished executing. The return value specified the remaining number of IO contexts associated with this context_fd number. 9 | 10 | Generally this syscall is useful when multiple threads, or processes, require service from an asynchronous IO context and the context needs to be destroyed once the operations have completed. It's also possible to use this call with a NULL context_fd, which will temporarily suspend all operations associated with the current context. 11 | 12 | ## Arguments 13 | * `ctx_id`:`io_context_t`[KU] - a pointer to an existing io context structure. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | * U - Originated from user space (for example, pointer to user space memory used to get it) 18 | 19 | ## Hooks 20 | ### io_destroy 21 | #### Type 22 | Kprobe 23 | #### Purpose 24 | Trace asynchronous io operations. 25 | 26 | ## Example Use Case 27 | Tracking the progress of an asynchronous IO operation, or group of IO operations, from start to completion. 28 | 29 | ## Issues 30 | No known issues. 31 | 32 | ## Related Events 33 | * io_submit 34 | * io_cancel 35 | * io_getevents 36 | 37 | > This document was automatically generated by OpenAI and needs review. It might 38 | > not be accurate and might contain errors. The authors of Tracee recommend that 39 | > the user reads the "events.go" source file to understand the events and their 40 | > arguments better. 41 | -------------------------------------------------------------------------------- /web/static/syscalls/io_setup.md: -------------------------------------------------------------------------------- 1 | 2 | # io_setup 3 | 4 | ## Intro 5 | 6 | io_setup - sets up a new asynchronous I/O context 7 | 8 | ## Description 9 | 10 | The io_setup() system call prepares the data structures and initialization for subsequent use of asynchronous I/O operations. It creates a new asyncronous I/O context with the value nr_events being the maximum number of expected events to be queued for this context. ctx_idp is an output parameter that has null at the start and is assigned to the identifier of the AIO context created. 11 | 12 | ## Arguments 13 | 14 | * `nr_events`: `unsigned int` - Maximum number of expected event requests to be queued for this context. 15 | * `ctx_idp`: `io_context_t *`[U] - Address to store the identifier of the created AIO context. 16 | 17 | ### Available Tags 18 | 19 | * K - Originated from kernel-space. 20 | * U - Originated from user space (for example, pointer to user space memory used to get it) 21 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 22 | * OPT - Optional argument - might not always be available (passed with null value) 23 | 24 | ## Hooks 25 | 26 | ### do_io_setup 27 | 28 | #### Type 29 | Kprobes 30 | 31 | #### Purpose 32 | Used to identify when a new asynchronous I/O context is being set up 33 | 34 | ## Example Use Case 35 | 36 | The io_setup system call can be used in order to monitor the start of new asynchronous I/O operations. 37 | 38 | ## Issues 39 | 40 | None 41 | 42 | ## Related Events 43 | 44 | io_submit, io_cancel, io_destroy 45 | 46 | > This document was automatically generated by OpenAI and needs review. It might 47 | > not be accurate and might contain errors. The authors of Tracee recommend that 48 | > the user reads the "events.go" source file to understand the events and their 49 | > arguments better. 50 | -------------------------------------------------------------------------------- /web/static/syscalls/keyctl.md: -------------------------------------------------------------------------------- 1 | 2 | # keyctl 3 | 4 | ## Intro 5 | keyctl - is a system call for manipulating the kernel’s key management facility. 6 | 7 | ## Description 8 | keyctl is a function in the Linux kernel through which applications can request to manage the kernel's key management facility. It has several operations for creating, accessing, and destroying keys. Creating and accessing keys are usually done in process-local or session-wide aspects. The call can accept up to five arguments, with `operation` being the first one used to describe what the kernel should do. 9 | 10 | The use of this call can be advantageous, since it helps in facilitating secure communication between applications and services, in addition to better access control over system calls. This can also be used to ensure secure storage of sensitive data such as encryption keys. 11 | 12 | ## Arguments 13 | * `operation`: `int` - type of operation to be carried out. It is specified as one of the KEYCTL_ macros. 14 | * `arg2`: `unsigned long` - argument associated with the specified operation. 15 | * `arg3`: `unsigned long` - argument associated with the specified operation. 16 | * `arg4`: `unsigned long` - argument associated with the specified operation. 17 | * `arg5`: `unsigned long` - argument associated with the specified operation. 18 | 19 | ### Available Tags 20 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use). 21 | 22 | ## Hooks 23 | ### 24 | 25 | > This document was automatically generated by OpenAI and needs review. It might 26 | > not be accurate and might contain errors. The authors of Tracee recommend that 27 | > the user reads the "events.go" source file to understand the events and their 28 | > arguments better. 29 | -------------------------------------------------------------------------------- /web/static/syscalls/lchown.md: -------------------------------------------------------------------------------- 1 | # lchown 2 | 3 | ## Intro 4 | 5 | lchown - change the owner and group of a symbolic link. 6 | 7 | ## Description 8 | 9 | The `lchown()` system call is used to change the owner and group of a specified symbolic link, without dereferencing it. The new owner and group are specified by the `owner` and `group` arguments respectively. 10 | 11 | ## Arguments 12 | 13 | * `pathname`:`const char*`[U,TOCTOU] - Path to the symbolic link whose owner and group are to be changed. 14 | * `owner`:`uid_t`[K] - User identifier of the new owner. 15 | * `group`:`gid_t`[K] - Group identifier of the new group. 16 | 17 | ### Available Tags 18 | 19 | * K - Originated from kernel-space. 20 | * U - Originated from user space. 21 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use). 22 | * OPT - Optional argument - might not always be available (passed with null value). 23 | 24 | ## Hooks 25 | 26 | ### sys_lchown 27 | 28 | #### Type 29 | 30 | Tracepoint (through `sys_enter`). 31 | 32 | #### Purpose 33 | 34 | To observe and trace when the `lchown()` system call is performed, collecting information about the symbolic link, and the new owner and group. 35 | 36 | ## Example Use Case 37 | 38 | Monitoring changes in symbolic link ownership in a system, especially in scenarios where the dereferencing of symbolic links needs to be avoided. 39 | 40 | ## Issues 41 | 42 | The `lchown()` system call can be subjected to TOCTOU issues, where the symbolic link specified by `pathname` could be changed between the time of check and the time of use, leading to potential security risks. 43 | 44 | ## Related Events 45 | 46 | * chown() 47 | * fchown() 48 | * fchownat() 49 | 50 | > This document was automatically generated by OpenAI and reviewed by a Human. 51 | -------------------------------------------------------------------------------- /web/static/syscalls/lremovexattr.md: -------------------------------------------------------------------------------- 1 | 2 | # lremovexattr 3 | 4 | ## Intro 5 | lremovexattr - remove an extended attribute from a file or directory. 6 | 7 | ## Description 8 | The lremovexattr() system call removes the extended attribute specified by `name` from the file specified by `path`. Extended attributes are metadata associated with a file or directory, which may include things such as access control lists, security labels, and file system capabilities. If the `path` argument refers to a symbolic link, the attributes of the symbolic link itself are modified, rather than the attributes of the file or directory referenced by the symbolic link. 9 | 10 | ## Arguments 11 | * `path` : `const char*` [K] - Path to the file or directory. 12 | * `name` : `const char*` [K] - Name of the attribute to be removed. 13 | 14 | ### Available Tags 15 | * K - Originated from kernel-space. 16 | * U - Originated from user space (for example, pointer to user space memory used to get it) 17 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 18 | * OPT - Optional argument - might not always be available (passed with null value) 19 | 20 | ## Hooks 21 | ### sys_removexattr 22 | #### Type 23 | kprobe + kretprobe 24 | #### Purpose 25 | To detect calls and returns of the lremovexattr() syscall. 26 | 27 | ## Example Use Case 28 | An application might use lremovexattr() to remove extended attributes such as an ACL from a file or directory. 29 | 30 | ## Issues 31 | The lremovexattr() system call is not supported on many systems. 32 | 33 | ## Related Events 34 | * lgetxattr 35 | * llistxattr 36 | * lsetxattr 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/lsetxattr.md: -------------------------------------------------------------------------------- 1 | 2 | # lsetxattr 3 | 4 | ## Intro 5 | lsetxattr - sets the value of a extended attribute in the filesystem 6 | 7 | ## Description 8 | The lsetxattr() system call sets the value of an extended attribute associated 9 | with a file or directory referenced by path. The attributes are interpreted 10 | according to the namespace indicated by the prefix argument. The value 11 | parameter is a byte array of size size that will be associated with the 12 | attribute identified by the pair of arguments (path, name). 13 | 14 | The flags argument is currently undefined on Linux systems, and should be 15 | specified as 0. 16 | 17 | ## Arguments 18 | * `path`:`const char*`[K] - A pointer to a string indicating the path of the file or directory. 19 | * `name`:`const char*`[K] - A pointer to a string with the name of the extended attribute to set. 20 | * `value`:`const void*`[K] - A pointer to a buffer with the value for the extended attribute. 21 | * `size`:`size_t`[K] - The size of the buffer. 22 | * `flags`:`int`[K] - A value that is currently undefined on Linux and should be specified as 0. 23 | 24 | ### Available Tags 25 | * K - Originated from kernel-space. 26 | 27 | ## Hooks 28 | ### lsetxattr 29 | #### Type 30 | Kprobe 31 | #### Purpose 32 | To monitor the activity of lsetxattr syscalls. 33 | 34 | ## Example Use Case 35 | Real-time monitoring of lsetxattr syscalls being called to provide insights into 36 | the access and modification of extended file attributes on a system. 37 | 38 | ## Issues 39 | None 40 | 41 | ## Related Events 42 | lgetxattr, fsetxattr, fgetxattr, listxattr, removexattr. 43 | 44 | > This document was automatically generated by OpenAI and needs review. It might 45 | > not be accurate and might contain errors. The authors of Tracee recommend that 46 | > the user reads the "events.go" source file to understand the events and their 47 | > arguments better. 48 | -------------------------------------------------------------------------------- /web/static/syscalls/lstat.md: -------------------------------------------------------------------------------- 1 | 2 | # lstat 3 | 4 | ## Intro 5 | lstat() - Get file status 6 | 7 | ## Description 8 | The lstat() system call is used to get information about the file at a certain location in the filesystem. The information is stored in the struct stat and can be used for various purposes including permissions checking, file size, time stamps, etc. The lstat() does not follow symbolic links, so it should be called for each link in order to get its status. 9 | 10 | ## Arguments 11 | * `pathname`:`const char *`[U] - A pointer to a character string with the pathname of the file which status is wanted. 12 | * `statbuf`:`struct stat *`[K] - A pointer to a stat structure where the status information will be stored. 13 | 14 | ### Available Tags 15 | * K - Originated from kernel-space. 16 | * U - Originated from user space (for example, pointer to user space memory used to get it) 17 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 18 | * OPT - Optional argument - might not always be available (passed with null value) 19 | 20 | ## Hooks 21 | ### sys_lstat 22 | #### Type 23 | Kprobe 24 | #### Purpose 25 | To capture system events related to the lstat() system call. 26 | 27 | ## Example Use Case 28 | Using lstat() in order to check the permissions of a certain file before actually accessing it. 29 | 30 | ## Issues 31 | The lstat() system call might not work properly in some systems. 32 | 33 | ## Related Events 34 | open(), read(), write(), close(), fstat() 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/memfd_secret.md: -------------------------------------------------------------------------------- 1 | 2 | # memfd_secret 3 | 4 | ## Intro 5 | memfd_secret - creates an anonymous file backed by memory, with the ability 6 | to lock a portion of the file. 7 | 8 | ## Description 9 | The memfd_secret() system call creates a file descriptor that refers to an 10 | anonymous, in-memory file. It differs from memfd_create() in that it has a 11 | secret option, which allows a portion of the file to be locked in memory, 12 | preventing it from being swapped to disk. This can be useful for sensitive 13 | data, such as cryptographic key material, which should not be written to 14 | persistent storage. 15 | 16 | The `flags` argument determines how the file is created, and is a bitmask of 17 | permission bits. It can be used to control whether read and write operations 18 | are allowed on the file. 19 | 20 | ## Arguments 21 | * `flags`: `unsigned int`[K] - bitmask of permission bits to control whether read and write operations are allowed on the file. 22 | 23 | ### Available Tags 24 | * K - Originated from kernel-space. 25 | 26 | ## Hooks 27 | ### memfd_secret 28 | #### Type 29 | Kprobe 30 | #### Purpose 31 | To monitor and log when the system call is called. 32 | 33 | ## Example Use Case 34 | This system call can be used to create a file that is stored in memory, with the ability to lock a portion of the file. This could be used to store sensitive data, such as cryptographic keys, preventing it from being written to persistent storage. 35 | 36 | ## Issues 37 | None known. 38 | 39 | ## Related Events 40 | * memfd_create() - creates an anonymous file backed by memory 41 | 42 | > This document was automatically generated by OpenAI and needs review. It might 43 | > not be accurate and might contain errors. The authors of Tracee recommend that 44 | > the user reads the "events.go" source file to understand the events and their 45 | > arguments better. 46 | -------------------------------------------------------------------------------- /web/static/syscalls/mlock.md: -------------------------------------------------------------------------------- 1 | 2 | # mlock 3 | 4 | ## Intro 5 | mlock - lock the given range of memory so it won't be swapped to disk. 6 | 7 | ## Description 8 | The `mlock` syscall locks the given range of memory into RAM so it won't be swapped to disk. This is useful in scenarios where you need to access or modify data stored in memory, but don't want it to get overwritten or written to disk by the kernel's virtual memory system. While this syscall ensures that the data will stay in RAM, it can still be accessed by other processes in the system, so caution should be used when using this syscall. One common misuse is allocating too much memory that cannot possibly fit in RAM, resulting in the system becoming unresponsive. 9 | 10 | ## Arguments 11 | * `addr`:`const void*`[K] - starting address of the range of pages to lock. 12 | * `len`:`size_t`[K] - length of the range of pages to lock. 13 | 14 | ### Available Tags 15 | * K - Originated from kernel-space. 16 | 17 | ## Hooks 18 | ### sys_mlock 19 | #### Type 20 | Kprobes 21 | #### Purpose 22 | Monitoring the parameters of the mlock syscall and its return value. 23 | 24 | ## Example Use Case 25 | An example use case for this event could be monitoring suspicous memory locking activity. This could facilitate the detection of malware that attempts to protect its data from scrutiny by using mlock. 26 | 27 | ## Issues 28 | This syscall requires root level privileges, so it can potentially be used by malicious actors to lock critical system memory that may cause the system to become unresponsive. 29 | 30 | ## Related Events 31 | * mlockall - lock all the process's virtual pages into RAM. 32 | 33 | > This document was automatically generated by OpenAI and needs review. It might 34 | > not be accurate and might contain errors. The authors of Tracee recommend that 35 | > the user reads the "events.go" source file to understand the events and their 36 | > arguments better. 37 | -------------------------------------------------------------------------------- /web/static/syscalls/mlockall.md: -------------------------------------------------------------------------------- 1 | 2 | # mlockall 3 | 4 | ## Intro 5 | mlockall - lock all mapped pages into physical memory. 6 | 7 | ## Description 8 | mlockall allows the calling process to lock all its pages into physical memory. This means that the pages can not be swapped out, will not cause page faults, and will never be moved by any operation. The effect of this can, in some cases, offer better performance. 9 | 10 | There are two flags which can be used with mlockall: 11 | 12 | * MCL_CURRENT: Lock only currently mapped pages. 13 | * MCL_FUTURE: Lock all pages which are mapped in the future. 14 | 15 | ## Arguments 16 | * `flags`:`int`[K] - flags for mlockall operation. An ORed combination of values from mlockall(2) can be used. 17 | 18 | ### Available Tags 19 | * K - Originated from kernel-space. 20 | 21 | ## Hooks 22 | ### mlockall 23 | #### Type 24 | Kprobes 25 | #### Purpose 26 | To monitor processes which make use of mlockall and their interaction with the physical memory. 27 | 28 | ## Example Use Case 29 | On a real-time embedded system, processes may have a large total number of pages mapped. Under heavy workload, the pages may be swapped out during times of heavy system load. By using mlockall, the real-time processes may be preserved in physical memory. 30 | 31 | ## Issues 32 | The main drawbacks of mlockall is its high resource usage. When used, the amount of RAM available to the system will be limited. As a result, memory pressure can be an issue when mlockall is used on a system with multiple processes. 33 | 34 | ## Related Events 35 | * mlock(2) 36 | * munlockall(2) 37 | * mlock2(2) 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | -------------------------------------------------------------------------------- /web/static/syscalls/modify_ldt.md: -------------------------------------------------------------------------------- 1 | 2 | # modify_ldt 3 | 4 | ## Intro 5 | modify_ldt - Changes the definition of local descriptor table entries. 6 | 7 | ## Description 8 | The modify_ldt() system call provides a way to read and modify the local descriptor table (LDT) entries as well as to determine the current size of the table. Upon success, it returns the amount of memory actually read or written. Upon failure, it returns -1 and sets errno to indicate the error. 9 | 10 | The flags argument is a bit mask composed of the OR'ed value of constants defined in . This provides a way to tell the kernel which operation should be performed and what data should be included. 11 | 12 | Using this system call allows the programmer to inspect and modify the LDT entries from user space. This can be useful for debugging, sandboxing, creating segmentation modules with user-space applications, or for any other reason. 13 | 14 | ## Arguments 15 | * `func`:`int`[K] - Specifies the operation to be performed. See for available constants. 16 | * `ptr`:`void*`[K] - Pointer to an ldt_entry struct, which specifies what the LDT entry should be set to. 17 | * `bytecount`:`unsigned long`[K] - Amount of memory to read/write from/to the LDT entry. 18 | 19 | ### Available Tags 20 | * K - Originated from kernel-space. 21 | 22 | ## Hooks 23 | ### sys_modify_ldt 24 | #### Type 25 | Kprobe 26 | #### Purpose 27 | Hooked to inspect and modify the LDT entries from user space. 28 | 29 | ## Example Use Case 30 | Create a segmentation module with user-space applications. 31 | 32 | ## Issues 33 | None known. 34 | 35 | ## Related Events 36 | * modify_ldt_entry 37 | * modify_ldt64 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | -------------------------------------------------------------------------------- /web/static/syscalls/mq_unlink.md: -------------------------------------------------------------------------------- 1 | 2 | # mq_unlink 3 | 4 | ## Intro 5 | mq_unlink - remove a message queue from the system 6 | 7 | ## Description 8 | The mq_unlink() system call removes a message queue named name from the system. 9 | This is a permanent operation, and any associated resources are immediately 10 | freed for other use. 11 | 12 | If the message queue does not exist, the call fails and the system call returns 13 | with the errno set to ENOENT. 14 | 15 | ## Arguments 16 | * `name`:`const char*`[K] - the name of the message queue to be unlinked. 17 | 18 | ### Available Tags 19 | * K - Originated from kernel-space. 20 | 21 | ## Hooks 22 | ### sys_mq_unlink 23 | #### Type 24 | kprobes 25 | #### Purpose 26 | To be able to track when a message queue is unlinked from the system. 27 | 28 | ## Example Use Case 29 | This system call can be used to be aware of what message queues are 30 | unlinked from the system in order to debug an application or analyze 31 | where resources are being freed in the system. 32 | 33 | ## Issues 34 | No known issues. 35 | 36 | ## Related Events 37 | * mq_open 38 | * mq_send 39 | * mq_close 40 | 41 | > This document was automatically generated by OpenAI and needs review. It might 42 | > not be accurate and might contain errors. The authors of Tracee recommend that 43 | > the user reads the "events.go" source file to understand the events and their 44 | > arguments better. 45 | -------------------------------------------------------------------------------- /web/static/syscalls/old_getrlimit.md: -------------------------------------------------------------------------------- 1 | 2 | # old_getrlimit 3 | 4 | ## Intro 5 | old_getrlimit - get resource limits knwon to the kernel 6 | 7 | ## Description 8 | The old_getrlimit syscall is used to retrieve the resource limit values for a particular resource, such as the maximum size of a file that may be written, the maximum number of processes that may be started, etc. It returns the values in the struct rlimit pointed to by the rlim parameter. 9 | 10 | This syscall is available in Linux kernel versions 2.2 and earlier, although it is no longer supported in newer kernels. As such, it is important to note that, while it may return the correct results, those results may be outdated and the kernel may be changing it's behavior without the process being aware. 11 | 12 | ## Arguments 13 | * `resource`:`int` - resource identifier. 14 | * `rlim`:`struct rlimit*` - pointer to struct rlimit that will store the limit values. 15 | 16 | ### Availiable Tags 17 | * K - Originated from kernel-space. 18 | * U - Originated from user space (for example, pointer to user space memory used to get it) 19 | 20 | ## Hooks 21 | ### old_getrlimit 22 | #### Type 23 | Kprobe + Kretprobe 24 | #### Purpose 25 | To monitor resource limit values in the kernel. 26 | 27 | ## Example Use Case 28 | If a process needs to monitor its resource limit values, it can use old_getrlimit syscall. 29 | 30 | ## Issues 31 | The old_getrlimit syscall is no longer supported in newer kernels and as such the results returned may be outdated and the kernel may be changing it's behavior without the process being aware. 32 | 33 | ## Related Events 34 | * setrlimit - set resource limit values. 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/oldolduname.md: -------------------------------------------------------------------------------- 1 | 2 | # oldolduname 3 | 4 | ## Intro 5 | oldolduname - gets the legacy version of the system name 6 | 7 | ## Description 8 | The **oldolduname** syscall obtains the system's legacy version of the name of the operating system running on the system. This name is a string that can contain a maximum of 8 characters and is displayed like `GECOS` (where the `OS/32` operating system got its name). This syscall, which is deprecated, should not be used in any production code and its use is discouraged. 9 | 10 | ## Arguments 11 | * `name`:`struct oldold_utsname*`[U] - pointer to a buffer of type `struct oldold_utsname` which will be populated with the system name. 12 | 13 | ### Available Tags 14 | * U - Originated from user space (for example, pointer to user space memory used to get it) 15 | 16 | ## Hooks 17 | ### 18 | #### Type 19 | Kprobe. 20 | #### Purpose 21 | Hooking this syscall allows users to trace system information, such as getting the specific operating system name, when a process calls it. 22 | 23 | ## Example Use Case 24 | The **oldolduname** syscall can be used to figure out what legacy operating system the system is running on. It is particularly useful for debuggers and software that needs to identify what system they are running on. 25 | 26 | ## Issues 27 | This syscall is deprecated, so its use is discouraged. 28 | 29 | ## Related Events 30 | **uname** - gets the system name and version information. 31 | 32 | > This document was automatically generated by OpenAI and needs review. It might 33 | > not be accurate and might contain errors. The authors of Tracee recommend that 34 | > the user reads the "events.go" source file to understand the events and their 35 | > arguments better. 36 | -------------------------------------------------------------------------------- /web/static/syscalls/open.md: -------------------------------------------------------------------------------- 1 | 2 | # open 3 | 4 | ## Intro 5 | open - is a system call used to open the file specified by its filename 6 | 7 | ## Description 8 | The purpose of open is to provide a system call to logicaly open a file in the file system. 9 | It might be important to keep in mind that the open call does not actually access the file in the system. 10 | Using the flags parameter, one could get different types of access rights to the file. 11 | One of the drawbacks of using open is that it is vulnerable to TOCTOU (time of check, time of use). 12 | 13 | ## Arguments 14 | * `pathname`:`const char*`[K] - The path to the file we want to open. 15 | * `flags`:`int`[K] - Flags for the access. Used to set the access/permissions for the call. 16 | * `mode`:`mode_t`[K] - Control access to the opened file. 17 | 18 | ### Available Tags 19 | * K - Originated from kernel-space. 20 | * U - Originated from user space (for example, pointer to user space memory used to get it) 21 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 22 | * OPT - Optional argument - might not always be available (passed with null value) 23 | 24 | ## Hooks 25 | ### sys_open 26 | #### Type 27 | Kprobe 28 | #### Purpose 29 | To record every open system call, including its associated arguments. 30 | 31 | ## Example Use Case 32 | This event could be used to monitor reads and writes to a specific file. 33 | 34 | ## Issues 35 | open could be very vulnerable to race-condition issues, as it is vulnerable to TOCTOU (Time Of Check, Time Of Use). 36 | 37 | ## Related Events 38 | The related events for the open syscall are __close()__, __read()__, and __write()__. 39 | 40 | > This document was automatically generated by OpenAI and needs review. It might 41 | > not be accurate and might contain errors. The authors of Tracee recommend that 42 | > the user reads the "events.go" source file to understand the events and their 43 | > arguments better. 44 | -------------------------------------------------------------------------------- /web/static/syscalls/open_tree.md: -------------------------------------------------------------------------------- 1 | 2 | # open_tree 3 | 4 | ## Intro 5 | open_tree - open a file relative to a directory file descriptor 6 | 7 | ## Description 8 | open_tree is an Linux system call available since kernel 3.3. It can be used to open a file relative to an open directory file descriptor. It is similar to open but allows the opening of a file relative to an open directory file descriptor which can make the creation of an absolute path easier. 9 | 10 | Advantages of using this syscall include reducing the number of calls needed to build an absolute path. 11 | 12 | Drawbacks include lack of compatibility until kernel 3.3. 13 | 14 | ## Arguments 15 | * `dfd`:`int` - File descriptor of the directory used as base for the relative path of the file to open. 16 | * `filename`:`const char*` - The pathname relative to the directory referenced by the file descriptor. 17 | * `flags`:`unsigned int` [K] - Flags to be used when opening the file. 18 | 19 | ### Available Tags 20 | * K - Originated from kernel-space. 21 | 22 | ## Hooks 23 | ### do_sys_open 24 | #### Type 25 | kprobe 26 | #### Purpose 27 | To get details about when, and with which arguments, open_tree is called. 28 | 29 | ## Example Use Case 30 | open_tree is useful when particularially when the path of the file to open needs to be known before it is open, such as when opening a configuration file. 31 | 32 | ## Issues 33 | Since open_tree is a relatively new system call, kernel versions before 3.3 do not support it. 34 | 35 | ## Related Events 36 | open: similar Linux system call for opening files, but does not support relative paths. 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/pause.md: -------------------------------------------------------------------------------- 1 | 2 | # Pause 3 | 4 | ## Intro 5 | Pause - pauses the calling process until a signal is received. 6 | 7 | ## Description 8 | The pause() system call suspends the calling process until one of its child process terminates or a signal is received. If any of the currently pending signals have SIGCONT set as its action, pause() returns immediately. Any function that do not have SIGCONT as its action will suspend the process until a signal occurs. 9 | 10 | The pause() system call is used to synchronize a process with its child processes, so that when a child terminates, the parent can be notified. It is also used to temporarily suspend a process while signals are handled. 11 | 12 | ## Arguments 13 | * None. 14 | 15 | ## Hooks 16 | ### do_sys_pause 17 | #### Type 18 | Kprobes 19 | #### Purpose 20 | The do_sys_pause() function is the kernel entry point for the pause system call. Kprobes is used to hook this function to record system call parameters. 21 | 22 | ## Example Use Case 23 | The pause() system call could be used for throttling the current process before it runs a task. 24 | 25 | ## Issues 26 | The pause() system call fails if any of the pending signals have SIGCONT as its action. 27 | 28 | ## Related Events 29 | * signal() - send a signal to a process or process group 30 | 31 | > This document was automatically generated by OpenAI and needs review. It might 32 | > not be accurate and might contain errors. The authors of Tracee recommend that 33 | > the user reads the "events.go" source file to understand the events and their 34 | > arguments better. 35 | -------------------------------------------------------------------------------- /web/static/syscalls/pipe2.md: -------------------------------------------------------------------------------- 1 | 2 | # pipe2 3 | 4 | ## Intro 5 | pipe2 - create a pipe and set its flags atomically 6 | 7 | ## Description 8 | The pipe2() system call works similarly to pipe(), but it adds an extra argument flags, which contains the flags for opening the handle to the newly-created pipe. The flags argument is an OR-ed combination of the following ints: `O_CLOEXEC`, `O_NONBLOCK`, `O_DIRECT`. It is useful when the application is in a situation, where it might need to atomically create a pipe, while setting some of its flags. 9 | 10 | ## Arguments 11 | * `pipefd`:`int[2]`[K] - Descriptor vector for the created pipe. The first element in the vector will refer to the read end of the pipe, while the second will refer to the write end. 12 | * `flags`:`int`[K] - flags to be used when opening the pipe. An OR-ed combination of `O_CLOEXEC`, `O_NONBLOCK`, `O_DIRECT` 13 | 14 | ### Available Tags 15 | * K - Originated from kernel-space. 16 | 17 | ## Hooks 18 | ### pipe2 19 | #### Type 20 | Kprobes 21 | #### Purpose 22 | To trace the system call pipe2 and its arguments 23 | 24 | ## Example Use Case 25 | pipe2 can be used in a situation in which a process needs to create a pipe atomically, and set some of its flags. For example, named pipes (FIFOs) which are used for Inter Process Communication (IPC), need to be opened with the `O_NONBLOCK` flag in order to prevent blocking when there is no process connected to the other side. 26 | 27 | ## Issues 28 | Zombie processes can appear if the write end of the pipe is not closed by any process. 29 | 30 | ## Related Events 31 | * open 32 | 33 | > This document was automatically generated by OpenAI and needs review. It might 34 | > not be accurate and might contain errors. The authors of Tracee recommend that 35 | > the user reads the "events.go" source file to understand the events and their 36 | > arguments better. 37 | -------------------------------------------------------------------------------- /web/static/syscalls/pivot_root.md: -------------------------------------------------------------------------------- 1 | 2 | # pivot_root 3 | 4 | ## Intro 5 | pivot_root - change the root file system of the current process 6 | 7 | ## Description 8 | The pivot_root() system call makes the directory put_old the new root file system. 9 | It moves the current root file system to the directory new_root. 10 | This comparison is done by making the parent of the old PWD as the new PWD. 11 | 12 | pivot_root() is typically used in the final stages of a shift of a system into a chroot 13 | environment. The old root directory is placed in put_old and can be used later to switch 14 | back or unmount the old root directory (pivot/unpivot). 15 | 16 | The both directories must be on the same file system. This can also be used to change to 17 | a different root file system if necessary. 18 | 19 | ## Arguments 20 | 21 | * `new_root`:`const char*`[K] - a pointer to a pathname of the new directory which will become the root directory (the starting point for absolute paths). 22 | * `put_old`:`const char*`[K] - a pointer to a pathname of the directory which will be the new parent of the old root directory. 23 | 24 | ### Available Tags 25 | 26 | * K - Originated from kernel-space. 27 | 28 | ## Hooks 29 | ### sys_pivot_root 30 | #### Type 31 | Kprobe 32 | #### Purpose 33 | To audit attempts to pivot_root. 34 | 35 | ## Example Use Case 36 | When a process wants to enter a chroot jail for more security, it can use pivot_root() to change its root file system to the one inside the jail. 37 | 38 | ## Issues 39 | pivot_root() cannot be used across file systems. 40 | 41 | ## Related Events 42 | chdir, chroot 43 | 44 | > This document was automatically generated by OpenAI and needs review. It might 45 | > not be accurate and might contain errors. The authors of Tracee recommend that 46 | > the user reads the "events.go" source file to understand the events and their 47 | > arguments better. 48 | -------------------------------------------------------------------------------- /web/static/syscalls/pkey_alloc.md: -------------------------------------------------------------------------------- 1 | 2 | # pkey_alloc 3 | 4 | ## Intro 5 | pkey_alloc - allocate an protection key 6 | 7 | ## Description 8 | The pkey_alloc system call is used to allocate a protection key; these are used to give a process access to privileges and other capabilities. The flags argument takes an ORed bitmask of options to control access to the key, such as whether or not it can be used with certain instructions like load_exclusive. The access_rights argument specifies the access rights allowed by the key, such as RWX (read-write-execute). 9 | 10 | ## Arguments 11 | * `flags`:`unsigned int` - the set of flags controlling access of the key. 12 | * `access_rights`:`unsigned long` - the set of access rights allowed by the key. 13 | 14 | ### Available Tags 15 | * K - Originated from kernel-space. 16 | * U - Originated from user space (for example, pointer to user space memory used to get it) 17 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 18 | * OPT - Optional argument - might not always be available (passed with null value) 19 | 20 | ## Hooks 21 | ### pkey_alloc 22 | #### Type 23 | Kprobes 24 | #### Purpose 25 | To monitor any syscall invocation of the function. 26 | 27 | ## Example Use Case 28 | Using pkey_alloc can be used to control which users have access to privileged instructions. 29 | 30 | ## Issues 31 | No known issues. 32 | 33 | ## Related Events 34 | The related system call for this event is [pkey_free](https://man7.org/linux/man-pages/man2/pkey_free.2.html) which is used to deallocate a protection key. 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/pkey_free.md: -------------------------------------------------------------------------------- 1 | 2 | # pkey_free 3 | 4 | ## Intro 5 | pkey_free - frees an arch-specific key assigned to a memory address 6 | 7 | ## Description 8 | pkey_free is a syscall which removes the architecture-specific protection key 9 | assigned to a memory address. The memory address associated with the protection 10 | key is then available to be accessed without any restrictions, and the 11 | protection key is freed from the table managed by the kernel. 12 | 13 | This syscall is necessary when dealing with memory regions where access needs 14 | to be restricted for particular users or tasks. This can be done by assigning 15 | an array of protection keys to a memory address. Access to this memory will 16 | then be restricted to those users and tasks that have been assigned the 17 | protection key. 18 | 19 | ## Arguments 20 | * `pkey`:`int`[K] - key to be freed. 21 | 22 | ### Available Tags 23 | * K - Originated from kernel-space. 24 | 25 | ## Hooks 26 | ### pkey_free 27 | #### Type 28 | Kprobes 29 | #### Purpose 30 | To monitor the freeing of protection keys by users or processes, as well as to detect any potential misuse. 31 | 32 | ## Example Use Case 33 | pkey_free can be used to enforce memory protection policies. For example, it 34 | can be used to restrict access to certain sensitive memory regions to a 35 | select group of users or tasks. 36 | 37 | ## Issues 38 | No known issues. 39 | 40 | ## Related Events 41 | * pkey_alloc 42 | 43 | > This document was automatically generated by OpenAI and needs review. It might 44 | > not be accurate and might contain errors. The authors of Tracee recommend that 45 | > the user reads the "events.go" source file to understand the events and their 46 | > arguments better. 47 | -------------------------------------------------------------------------------- /web/static/syscalls/restart_syscall.md: -------------------------------------------------------------------------------- 1 | 2 | # restart_syscall 3 | 4 | ## Intro 5 | restart_syscall - Restarts a stopped system call that was previously interrupted by a signal 6 | 7 | ## Description 8 | The `restart_syscall` system call restarts a previously suspended system call using the `SA_RESTART` flag supplied when setting a signal handler with `sigaction`. This system call restarts the call which was previously interrupted using `sigprocmask` and allows execution to continue where it left off. This system call is useful in situations where a signal was handled by a signal handler, such as when a child process is killed, but without restarting the system call, execution could be left in an inconsistent state. 9 | 10 | ## Arguments 11 | * `None` 12 | 13 | ### Available Tags 14 | * None 15 | 16 | ## Hooks 17 | ### sys_restart_syscall 18 | #### Type 19 | Kprobe 20 | #### Purpose 21 | Tracing restarted system calls to monitor the impact of signals in the system. 22 | 23 | ## Example Use Case 24 | Tracing restarted system calls to detect a system call that is taking too long to complete, or to determine how long it takes to restart a system call. 25 | 26 | ## Issues 27 | There may be some system calls which cannot be restarted, and in those cases the `restart_syscall` system call may fail. 28 | 29 | ## Related Events 30 | * [sigaction](https://man7.org/linux/man-pages/man2/sigaction.2.html) 31 | * [sigprocmask](https://man7.org/linux/man-pages/man2/sigprocmask.2.html) 32 | 33 | > This document was automatically generated by OpenAI and needs review. It might 34 | > not be accurate and might contain errors. The authors of Tracee recommend that 35 | > the user reads the "events.go" source file to understand the events and their 36 | > arguments better. 37 | -------------------------------------------------------------------------------- /web/static/syscalls/rmdir.md: -------------------------------------------------------------------------------- 1 | 2 | # rmdir 3 | 4 | ## Intro 5 | rmdir - delete an empty directory 6 | 7 | ## Description 8 | The rmdir() system call deletes an empty directory. The directory must be 9 | empty, and the calling process must have the necessary permissions to delete 10 | it. It is possible to use relative pathnames to remove directories that are 11 | not in the current working directory. 12 | 13 | The rmdir() system call is often used to remove a parent directory that 14 | contains a now-unneeded subdirectory. For example, if an application 15 | creates a subdirectory "foo" under "/tmp", it should call rmdir() on "/tmp/foo" 16 | as soon as the subdirectory is no longer needed. 17 | 18 | ## Arguments 19 | * `pathname`:`const char`* - The pathname of the directory to delete. 20 | 21 | ### Available Tags 22 | * K - Originated from kernel-space. 23 | 24 | ## Hooks 25 | ### do_rmdir 26 | #### Type 27 | Kprobes 28 | #### Purpose 29 | To inspect when an empty directory is deleted. 30 | 31 | ## Example Use Case 32 | Using rmdir in order to remove a directory created by an application after it is no longer needed. 33 | 34 | ## Issues 35 | The rmdir system call will fail if the directory is not empty. Furthermore, it will not delete directories that contain files that have been unlinked, but are still open. 36 | 37 | ## Related Events 38 | * unlink: to delete a file from a directory. 39 | * rename: to rename or move a directory. 40 | 41 | > This document was automatically generated by OpenAI and needs review. It might 42 | > not be accurate and might contain errors. The authors of Tracee recommend that 43 | > the user reads the "events.go" source file to understand the events and their 44 | > arguments better. 45 | -------------------------------------------------------------------------------- /web/static/syscalls/sched_get_priority_max.md: -------------------------------------------------------------------------------- 1 | 2 | # `sched_get_priority_max` 3 | 4 | ## Intro 5 | `sched_get_priority_max` - get the maximum priority value for a given scheduling policy 6 | 7 | ## Description 8 | The `sched_get_prority_max` function returns the maximum priority value allowed by a given scheduling policy. It is used to obtain the highest allowed scheduling priority for the specified policy of a particular process. 9 | 10 | `sched_get_priority_max` is most commonly used in combination with the `sched_get_priority_min` syscall, which returns the minimum priority value allowed by a given policy. Together, the two syscalls allow the range of valid scheduling priorities to be determined. It returns the maximum value allowed according to the operating systems configuration, but this value may be limited by the user or system. 11 | 12 | ## Arguments 13 | * `policy`: `int`[K] - Specifies the scheduling policy for which the maximum priority value is to be returned. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space 17 | 18 | ## Hooks 19 | ### `sched_get_priority_max` 20 | #### Type 21 | kprobes 22 | #### Purpose 23 | To obtain the maximum priority value for a given scheduling policy. 24 | 25 | ## Example Use Case 26 | This syscall can be used to get task or thread priority values in order to properly manage the scheduling of threads in a system. 27 | 28 | ## Issues 29 | N/A 30 | 31 | ## Related Events 32 | * `sched_get_priority_min` - get the minimum priority value for a given scheduling policy. 33 | 34 | > This document was automatically generated by OpenAI and needs review. It might 35 | > not be accurate and might contain errors. The authors of Tracee recommend that 36 | > the user reads the "events.go" source file to understand the events and their 37 | > arguments better. 38 | -------------------------------------------------------------------------------- /web/static/syscalls/sched_get_priority_min.md: -------------------------------------------------------------------------------- 1 | 2 | # sched_get_priority_min 3 | 4 | ## Intro 5 | sched_get_priority_min - returns the minimum priority value that can be used with the scheduling policy 6 | 7 | ## Description 8 | This system call is used to get the minimum priority value that can be used when using the scheduling policy mentioned as the parameter. This call will usually return -1 if the policy is invalid, and will return the minimum priority value that can be used with the scheduling policy upon successful completion. 9 | 10 | There are a few drawbacks when using this system call. Firstly, it may be too restrictive in that it is limited to only one scheduling policy, meaning if multiple scheduling policies are used, multiple separate calls are needed. Additionally, the accuracy of the minimum priority value depends on the implementation of the OS, and may not be as precise as desired. 11 | 12 | ## Arguments 13 | * `policy`:`int`[K] - a scheduling policy identified by an integer. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | 18 | ## Hooks 19 | 20 | ### sched_get_priority_min 21 | #### Type 22 | Kprobe. 23 | #### Purpose 24 | To inform the user of the minimum priority value that can be used in the given scheduling policy. 25 | 26 | ## Example Use Case 27 | This system call can be utilized to define the limits on the chosen priorities for various threads in a multithreading application. 28 | 29 | ## Issues 30 | There can be a margin of error present when considering the minimum priority values, depending on the implementation of the OS. 31 | 32 | ## Related Events 33 | sched_get_priority_max, sched_setscheduler, sched_setparam 34 | 35 | > This document was automatically generated by OpenAI and needs review. It might 36 | > not be accurate and might contain errors. The authors of Tracee recommend that 37 | > the user reads the "events.go" source file to understand the events and their 38 | > arguments better. 39 | -------------------------------------------------------------------------------- /web/static/syscalls/sched_getscheduler.md: -------------------------------------------------------------------------------- 1 | 2 | # sched_getscheduler 3 | 4 | ## Intro 5 | sched_getscheduler - Retrieve the scheduling policy of a process. 6 | 7 | ## Description 8 | The sched_getscheduler() system call retrieves the scheduling policy currently applied to the process identified by pid. If pid is zero, 9 | the policy of the calling process is retrieved. 10 | 11 | The available scheduling policies are: 12 | * SCHED_OTHER - the traditional time-sharing policy. 13 | * SCHED_FIFO - a first-in, first-out policy 14 | * SCHED_RR - a round-robin policy 15 | 16 | sched_getscheduler() can be used to retrieve the currently used scheduling policy for any process, allowing for the comparison of different policies for a process or for multiple processes. 17 | 18 | ## Arguments 19 | * `pid`:`pid_t`[K] - The tid of the process whose policy will be retrieved. 20 | 21 | ### Available Tags 22 | * K - Originated from kernel-space. 23 | 24 | ## Hooks 25 | No functions are hooked in order to allow execution of the system call. 26 | 27 | ## Example Use Case 28 | This system call can be used in the context of a monitoring application to compare scheduling policies between different processes. 29 | 30 | ## Issues 31 | None. 32 | 33 | ## Related Events 34 | The system call `sched_setscheduler` is related to this system call, as it allows for the setting of the scheduling policy for a process. 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/sched_yield.md: -------------------------------------------------------------------------------- 1 | 2 | # sched_yield 3 | 4 | ## Intro 5 | sched_yield - temporarily pause the current thread in favor of other threads 6 | 7 | ## Description 8 | The task sched_yield() cause the calling thread to relinquish the CPU. The thread is put to the end of the queue for its static priority and another thread will be scheduled to run. If there are no other threads running in the system, the yield will cause the thread to continue to run. 9 | 10 | sched_yield() is useful for an application to allow other threads to run (i.e. to prevent starvation of other threads) or for a thread to be scheduled in to reduce the latency for an scheduling event. 11 | 12 | ## Arguments 13 | No arguments for this syscall. 14 | 15 | ## Hooks 16 | ### do_sys_sched_yield 17 | #### Type 18 | Tracepoint 19 | #### Purpose 20 | To monitor context switches. 21 | 22 | ## Example Use Case 23 | sched_yield() should be used when a process needs to pause its execution and give a chance to the other threads, waiting in the same priority queue. 24 | 25 | ## Issues 26 | If there are no runnable threads with the same priority level, then the current thread will not be context switched and all other threads will be stuck behind it. 27 | 28 | ## Related Events 29 | * sched_setscheduler: to change the scheduling policy and priority of selected thread. 30 | * sched_get_priority_max/min: to get the highest/lowest priority limit of a scheduling policy. 31 | 32 | > This document was automatically generated by OpenAI and needs review. It might 33 | > not be accurate and might contain errors. The authors of Tracee recommend that 34 | > the user reads the "events.go" source file to understand the events and their 35 | > arguments better. 36 | -------------------------------------------------------------------------------- /web/static/syscalls/semop.md: -------------------------------------------------------------------------------- 1 | 2 | # semop 3 | 4 | ## Intro 5 | semop - atomically perform operations on a set of semaphores 6 | 7 | ## Description 8 | Semop is a Linux system call used to perform operations on a set of semaphores. It ensures that all operations specified in the argument `sops` will either be completed or none of them will be performed at all. This call can be used for synchronization between threads or processes. The only drawback is that if the maximum number of semaphores allowed is reached, the call will fail. 9 | 10 | ## Arguments 11 | * `semid`:`int` - ID of the set of semaphores. 12 | * `sops`:`struct sembuf*` - pointer to an array of semaphore operations. 13 | * `nsops`:`size_t` - number of semaphores in the array. 14 | 15 | ### Available Tags 16 | * KU - Originated from kernel-space or user space. 17 | * OPT - Optional argument - might not always be available (passed with null value) 18 | 19 | ## Hooks 20 | ### sys_semop 21 | #### Type 22 | kprobe 23 | #### Purpose 24 | To gain insight to the arguments passed to semop, as well as to log any broken semaphore constraints. 25 | 26 | ## Example Use Case 27 | If you need to synchronize between threads or processes, semop can be used to guarantee that a set of operations on a set of semaphores will either all succeed or none of them will. 28 | 29 | ## Issues 30 | If the maximum number of semaphores allowed is reached, the call will fail. 31 | 32 | ## Related Events 33 | * semget - Gets an existing semaphore set or allocate a new one. 34 | * semctl - Examine or change an existing semaphore set. 35 | * semtimedop - Like `semop`, but with an additional timeout parameter. 36 | 37 | > This document was automatically generated by OpenAI and needs review. It might 38 | > not be accurate and might contain errors. The authors of Tracee recommend that 39 | > the user reads the "events.go" source file to understand the events and their 40 | > arguments better. 41 | -------------------------------------------------------------------------------- /web/static/syscalls/setdomainname.md: -------------------------------------------------------------------------------- 1 | 2 | # setdomainname 3 | 4 | ## Intro 5 | setdomainname - sets the system's hostname to the given name 6 | 7 | ## Description 8 | The setdomainname() system call is used to set the domain name of the system. The name is set to the value pointed to by the argument name, which is subject to the size restrictions on the hostname parameter as specified by length. 9 | 10 | The setdomainname() syscall is generally used in conjunction with the sethostname() syscall, which sets the hostname parameter. 11 | 12 | This system call is useful for setting the full domain name of a system as part of a larger system or network. It is also useful for setting up servers and switches on a local network. 13 | 14 | ## Arguments 15 | * `name`: `const char*`[K] - a pointer to a character string specifying the domain name of the system. 16 | * `len`: `size_t`[K] - length of the supplied name, in bytes. 17 | 18 | ### Available Tags 19 | * K - Originated from kernel-space. 20 | 21 | ## Hooks 22 | ### sys_setdomainname 23 | #### Type 24 | KProbes 25 | #### Purpose 26 | To log every setdomainname call and its arguments. 27 | 28 | ## Example Use Case 29 | You are setting up a local network with several servers and computers in order to host an application. You can use the sethostname and setdomainname calls to quickly configure the system to have the unique domain name and host name that is required for this application. 30 | 31 | ## Issues 32 | None known. 33 | 34 | ## Related Events 35 | * sethostname - sets the system's hostname. 36 | * uname - gets system information, including domainname and hostname. 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/setfsgid16.md: -------------------------------------------------------------------------------- 1 | 2 | # setfsgid16 3 | 4 | ## Intro 5 | setfsgid16 - set the effective group id for the current thread 6 | 7 | ## Description 8 | The setfsgid16() call sets the effective group ID for the current thread to fsgid. It is analogous to setegid(), but can only be used to set the effective group ID of the calling process to one of the real, effective, or saved GIDs. 9 | 10 | setfsgid16() is intended for use only in systems with an 16-bit GID type. On Linux and other systems with a 32-bit GID type, the setfsgid() wrapper function is provided using the new setfsgid32() system call. 11 | 12 | ## Arguments 13 | * `fsgid`:`old_gid_t`[U, OPT] - the new group id for the current thread. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | * U - Originated from user space (for example, pointer to user space memory used to get it) 18 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 19 | * OPT - Optional argument - might not always be available (passed with null value) 20 | 21 | ## Hooks 22 | ### sys_setfsgid16 23 | #### Type 24 | Tracepoints 25 | #### Purpose 26 | To monitor attempts to change the effective group ID of the current thread. 27 | 28 | ## Example Use Case 29 | A user space application could use setfsgid16() to change its effective GID after verifying its permission to do so. 30 | 31 | ## Issues 32 | None known. 33 | 34 | ## Related Events 35 | setegid(), setfsgid32() 36 | 37 | > This document was automatically generated by OpenAI and needs review. It might 38 | > not be accurate and might contain errors. The authors of Tracee recommend that 39 | > the user reads the "events.go" source file to understand the events and their 40 | > arguments better. 41 | -------------------------------------------------------------------------------- /web/static/syscalls/setfsuid16.md: -------------------------------------------------------------------------------- 1 | 2 | # setfsuid16 3 | 4 | ## Intro 5 | setfsuid16 - sets the effective user ID of the calling process 6 | 7 | ## Description 8 | The setfsuid16 syscall sets the effective user ID of the calling process to fsuid. This syscall will only be successful if the user process has the appropriate privileges to set their own effective user ID to the given value. This syscall can be used to change the effective user ID of the calling process, and it may also set the saved set-user-ID if the user has appropriate privileges. It is important to note that this does not change the real user ID or group ID, or the process credentials. 9 | 10 | In order for a process to make use of this syscall, the user needs to have the capability CAP_SETUID set. 11 | 12 | ## Arguments 13 | * `fsuid`:`old_uid_t`[K] - The effective user ID of the calling process will be set to this value. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | 18 | ## Hooks 19 | ### sys_setfsuid16 20 | #### Type 21 | KProbe 22 | #### Purpose 23 | To monitor processes changing their effective user ID. 24 | 25 | ## Example Use Case 26 | This syscall can be used to set the effective user ID of the calling process to a different value, which might be necessary in the case of switching users in a process. 27 | 28 | ## Issues 29 | This syscall can lead to a privilege escalation vulnerability if used incorrectly. Care should be taken to ensure that the user has the appropriate privileges to set their own effective user ID. 30 | 31 | ## Related Events 32 | setresuid16 33 | 34 | > This document was automatically generated by OpenAI and needs review. It might 35 | > not be accurate and might contain errors. The authors of Tracee recommend that 36 | > the user reads the "events.go" source file to understand the events and their 37 | > arguments better. 38 | -------------------------------------------------------------------------------- /web/static/syscalls/setgid16.md: -------------------------------------------------------------------------------- 1 | 2 | # setgid16 3 | 4 | ## Intro 5 | setgid16 - change the effective of the calling process and the saved set-group-ID 6 | 7 | ## Description 8 | The setgid16() system call is used to set the user's real group ID, effective group ID, and the saved set-group-ID of the calling process. This can be used to change the privileges of a process to that of a new group. The setgid16() call is one of the set-ID system calls, meaning that the real user ID and effective user ID of the calling process will also be set. This call is made obsolete by the setgid() call. 9 | 10 | ## Arguments 11 | * `gid`:`old_gid_t`[KU] - represents a group ID. 12 | 13 | ### Available Tags 14 | * K - Originated from kernel-space. 15 | * U - Originated from user space (for example, pointer to user space memory used to get it). 16 | 17 | ## Hooks 18 | ### sys_setgid16 19 | #### Type 20 | Kprobes 21 | #### Purpose 22 | To capture calls to the setgid16 system call. 23 | 24 | ## Example Use Case 25 | The setgid16 system call could be used to temporarily switch the effective group ID of a process from a privileged group to that of an unprivileged single-user group in order to perform a task that requires elevated privileges. After the task is complete, the process can be switched back to its original group ID. 26 | 27 | ## Issues 28 | The setgid16 system call is obsolete and should not be used in modern Linux systems. It should be replaced with setgid. 29 | 30 | ## Related Events 31 | * setgid 32 | * getgid 33 | * setegid 34 | * getegid 35 | 36 | > This document was automatically generated by OpenAI and needs review. It might 37 | > not be accurate and might contain errors. The authors of Tracee recommend that 38 | > the user reads the "events.go" source file to understand the events and their 39 | > arguments better. 40 | -------------------------------------------------------------------------------- /web/static/syscalls/setgroups.md: -------------------------------------------------------------------------------- 1 | 2 | # setgroups 3 | 4 | ## Intro 5 | setgroups - sets the list of supplementary groups of the calling process 6 | 7 | ## Description 8 | The setgroups() system call allows the calling process to set its supplementary group IDs directly, without manipulating the supplementary group IDs with the initgroups() system call. The setgroups() system call is limited to processes with the CAP_SETGID capability and with an effective user ID of 0. 9 | 10 | This system call is the complementary system call to the getgroups() system call, which gets the supplementary group IDs of the calling process. 11 | 12 | ## Arguments 13 | * `size`:`int` - The number of supplementary group IDs in the list. 14 | * `list`:`gid_t*`[K] - A pointer to the list of group IDs. 15 | 16 | ### Available Tags 17 | * K - Originated from kernel-space. 18 | 19 | ## Hooks 20 | ### sys_setgroups 21 | #### Type 22 | kprobe+kretprobe 23 | #### Purpose 24 | Observe setgroups() calls and the return values. 25 | 26 | ## Example Use Case 27 | For example, an administrator could use the setgroups() system call to change the supplementary group IDs associated with a process in order to temporarily assign it additional privileges. 28 | 29 | ## Issues 30 | One possible issue with setgroups is that it may be vulnerable to time of check, time of use (TOCTOU) race conditions. 31 | 32 | ## Related Events 33 | getgroups - gets the list of supplementary groups of the calling process 34 | 35 | > This document was automatically generated by OpenAI and needs review. It might 36 | > not be accurate and might contain errors. The authors of Tracee recommend that 37 | > the user reads the "events.go" source file to understand the events and their 38 | > arguments better. 39 | -------------------------------------------------------------------------------- /web/static/syscalls/setregid16.md: -------------------------------------------------------------------------------- 1 | 2 | # setregid16 3 | 4 | ## Intro 5 | setregid16 - Set real and effective group IDs in a 16-bit environment 6 | 7 | ## Description 8 | The setregid16() system call changes the real and effective group IDs of the calling process to rgid and egid, respectively. 9 | The argument rgid is taken as the new real group ID, and the argument egid is taken as the new effective group ID. If the effective UID of the process is 0 (root), then both arguments are taken as the real group ID and the saved group ID is set to egid. If the effective UID of the process is nonzero, then only rgid needs to be equal to the real group ID, and setregid16() sets the effective group ID to egid provided that it is equal to either the real group ID or the saved group ID. 10 | 11 | ## Arguments 12 | * `rgid`:`old_gid_t`[K] - Real group ID to be set. 13 | * `egid`:`old_gid_t`[K] - Effective group ID to be set. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | 18 | ## Hooks 19 | ### sys_setregid16 20 | #### Type 21 | Kprobe 22 | #### Purpose 23 | Trace when the setregid16 system call is called. 24 | 25 | ## Example Use Case 26 | Setregid16 can be useful in security contexts as it allows to change the real GID of the current process to a specific number or values which is important for granting or revoking access to certain resources which could be guarded by specific modern capabilities. 27 | 28 | ## Issues 29 | It is important to note that setregid16 system call has been deprecated in newer versions of Linux in favor of setregid system call. 30 | 31 | ## Related Events 32 | * `setregid` system call 33 | 34 | > This document was automatically generated by OpenAI and needs review. It might 35 | > not be accurate and might contain errors. The authors of Tracee recommend that 36 | > the user reads the "events.go" source file to understand the events and their 37 | > arguments better. 38 | -------------------------------------------------------------------------------- /web/static/syscalls/setresuid16.md: -------------------------------------------------------------------------------- 1 | 2 | # setresuid16 3 | 4 | ## Intro 5 | setresuid16 - set real, effective and saved user identity 6 | 7 | ## Description 8 | The setresuid16 syscall sets the effective, real, and saved user identities 9 | depending on the value of the argument flags. A process with the CAP_SETUID 10 | capability can set its own user ID's. A process without the CAP_SETUID 11 | capability can set the real and effective user ID's to the effective user ID of 12 | the process. All the ID's are changed regardless of the value of the flags 13 | argument, so group and supplemental group changes can not be suppressed. 14 | 15 | ## Arguments 16 | * `ruid`:`old_uid_t`[K] - real user ID 17 | * `euid`:`old_uid_t`[K] - effective user ID 18 | * `suid`:`old_uid_t`[K] - saved set-user-ID 19 | 20 | ### Available Tags 21 | * K - Originated from kernel-space. 22 | 23 | ## Hooks 24 | ### sys_setresuid16 25 | #### Type 26 | Kprobe 27 | #### Purpose 28 | To monitor changes in user ID's. 29 | 30 | ## Example Use Case 31 | An example of a use case for this event is if a system administrator wanted to 32 | monitor user ID changes as they occur. This event can be used to detect any 33 | attempts to change a user's identity in order to access resources they are not 34 | authorized to access. 35 | 36 | ## Issues 37 | There are no known issues with this event. 38 | 39 | ## Related Events 40 | * getresuid16 - get real, effective, and saved user identity 41 | * setreuid16 - set real and effective user identity 42 | * setfsuid16 - set filesystem user identity 43 | 44 | > This document was automatically generated by OpenAI and needs review. It might 45 | > not be accurate and might contain errors. The authors of Tracee recommend that 46 | > the user reads the "events.go" source file to understand the events and their 47 | > arguments better. 48 | -------------------------------------------------------------------------------- /web/static/syscalls/settimeofday.md: -------------------------------------------------------------------------------- 1 | 2 | # settimeofday 3 | 4 | ## Intro 5 | settimeofday - sets the system's time and date, and optional timezone 6 | 7 | ## Description 8 | The settimeofday() system call is used to set the system's time, and optionally 9 | also the timezone if the tz parameter is not NULL. This is usually used when 10 | synchronizing the system's time with an external time source. In order to set 11 | the timezone, there must also be an associated time value. When setting the time 12 | only, the tz parameter should be NULL. 13 | 14 | There are some caveats when it comes to setting the time or the timezone. The 15 | kernel will not accept values which are out of valid ranges, or are otherwise 16 | invalid. Additionally, there can be side effects depending on the system where 17 | settimeofday() is called. For example, on some systems setting the time may 18 | cause certain user tasks to be interrupted. 19 | 20 | ## Arguments 21 | * `tv`:`const struct timeval*`[K] - Pointer to const struct timeval. Should contain the desired time to be set. 22 | * `tz`:`const struct timezone*`[K] - Pointer to const struct timezone. Should contain the desired timezone to be set. 23 | 24 | ### Available Tags 25 | * K - Originated from kernel-space. 26 | 27 | ## Hooks 28 | ### settimeofday 29 | #### Type 30 | kprobe 31 | #### Purpose 32 | Monitoring timezone changes and time changes 33 | 34 | ## Example Use Case 35 | One can use settimeofday() to monitor changes in system time or timezone. 36 | 37 | ## Issues 38 | settimeofday() is vulnerable to TOCTOU (time of check, time of use) attacks. 39 | 40 | ## Related Events 41 | setitimer() - set interval timer 42 | 43 | > This document was automatically generated by OpenAI and needs review. It might 44 | > not be accurate and might contain errors. The authors of Tracee recommend that 45 | > the user reads the "events.go" source file to understand the events and their 46 | > arguments better. 47 | -------------------------------------------------------------------------------- /web/static/syscalls/setuid16.md: -------------------------------------------------------------------------------- 1 | 2 | # setuid16 3 | 4 | ## Intro 5 | setuid16 - sets the effective user ID of the calling process 6 | 7 | ## Description 8 | setuid16() sets the effective user ID of the calling process. The argument uid is used to set the effective user ID of the caller. 9 | 10 | If the calling process is privileged (i.e., owns the superuser id), the effective user ID can be set to any value. 11 | 12 | Under normal conditions, an unprivileged process may change the real and saved user IDs to the value of uid only if they match its own real (or effective, if uid is not privileged) user ID. A privileged process (under Linux: one having the CAP_SETUID capability) may set the effective user ID to any value. 13 | 14 | The related seteuid16(), setreuid16() and setresuid16() provide more fine-grain control over processes' privilege. 15 | 16 | ## Arguments 17 | * `uid`:old_old_uid_t[KU] - user ID of the new set of the IDs. 18 | 19 | ### Available Tags 20 | * K - Originated from kernel-space. 21 | * U - Originated from user space (for example, pointer to user space memory used to get it) 22 | 23 | ## Hooks 24 | ### setuid16 25 | #### Type 26 | kprobe 27 | #### Purpose 28 | Monitoring of user identity changes. 29 | 30 | ## Example Use Case 31 | One example of use case of setuid16 is to trace a malicious thread changing its user identity and running malicious code. 32 | 33 | ## Issues 34 | There are no known issues with setuid16. 35 | 36 | ## Related Events 37 | setreuid16, setresuid16, seteuid16. 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | -------------------------------------------------------------------------------- /web/static/syscalls/sgetmask.md: -------------------------------------------------------------------------------- 1 | 2 | # sgetmask 3 | 4 | ## Intro 5 | sgetmask - Get the current signal mask of the calling thread 6 | 7 | ## Description 8 | The sgetmask() syscall retrieves the current signal mask for the calling thread in the form of an integer. The signal mask consists of a set of bits, one for each signal, that specifies which signals are blocked from delivery to the thread. By default, signals will always be blocked when they are generated. This syscall allows processes to customize this behavior by blocking or unblocking specific signals. It is not possible to unblock signals that were not blocked in the first place. 9 | 10 | ## Arguments 11 | 12 | No arguments. 13 | 14 | ### Available Tags 15 | 16 | N/A 17 | 18 | ## Hooks 19 | 20 | No hooks configured. 21 | 22 | ## Example Use Case 23 | This syscall could be used in multi-threaded applications to discover which signals are blocked in each thread. This could be used to implement custom signal handling strategies on a per-thread basis. 24 | 25 | ## Issues 26 | This syscall may be vulnerable to TOCTOU (time of check, time of use) race conditions. It is possible that a signal mask could be changed between the time the syscall is invoked and the time the updated signal mask value is returned. 27 | 28 | ## Related Events 29 | * sigprocmask() - Used to set or retrieve the signal mask of a specified process. 30 | 31 | > This document was automatically generated by OpenAI and needs review. It might 32 | > not be accurate and might contain errors. The authors of Tracee recommend that 33 | > the user reads the "events.go" source file to understand the events and their 34 | > arguments better. 35 | -------------------------------------------------------------------------------- /web/static/syscalls/sigpending.md: -------------------------------------------------------------------------------- 1 | 2 | # sigpending 3 | 4 | ## Intro 5 | sigpending - Check the signals that are pending for the process. 6 | 7 | ## Description 8 | The sigpending() system call queries the pending signals for the calling process (check which signals have been raised while blocked). It fills in the signal set pointed to by set, which is of type sigset_t, with the set of signals currently pending for the process. 9 | 10 | Are there any edge-cases, drawbacks or advantages of using it? 11 | 12 | The most useful edge-case is that it allows a process to find out signals that have been sent to it, but blocked by the process with `sigprocmask()`. 13 | 14 | ## Arguments 15 | * `set`:`sigset_t*`[U] - Pointer to a signal set which will be set to the set of pending signals for the process. 16 | 17 | ### Available Tags 18 | * K - Originated from kernel-space. 19 | * U - Originated from user space (for example, pointer to user space memory used to get it) 20 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 21 | * OPT - Optional argument - might not always be available (passed with null value) 22 | 23 | ## Hooks 24 | ### do_sigpending 25 | #### Type 26 | Kprobes 27 | #### Purpose 28 | Triggers every time the system call is made, allowing to analyze what was the source of the call. 29 | 30 | ## Example Use Case 31 | For example, this system call can be used to create a signal handler to check whether or not a particular signal is blocked. 32 | 33 | ## Issues 34 | No known issues. 35 | 36 | ## Related Events 37 | signal, sigprocmask, sigaction 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | -------------------------------------------------------------------------------- /web/static/syscalls/sigsuspend.md: -------------------------------------------------------------------------------- 1 | 2 | # sigsuspend 3 | 4 | ## Intro 5 | sigsuspend - temporarily replaces the signal mask of the executing thread with the given set of signals. 6 | 7 | ## Description 8 | The sigsuspend() system call suspends the caller until a signal is received. It is equivalent to 9 | 10 | ```c 11 | sigprocmask(SIG_SETMASK, &mask, NULL); 12 | pause(); 13 | ``` 14 | 15 | The mask given as argument is used as the signal mask of the process during the period of suspension; upon return from the call it is restored to the previous value. While sigsuspend() is being executed, any signal may be accepted, except SIGKILL and SIGSTOP. 16 | 17 | The sigsuspend() function shall not return if it is interrupted by a signal handler and the signal handler does not return. 18 | 19 | ## Arguments 20 | * `mask`:const sigset_t*[K] - pointer to a signal set specifying the new signal mask for the process. 21 | 22 | ### Available Tags 23 | * K - Originated from kernel-space. 24 | 25 | ## Hooks 26 | ### sigsuspend 27 | #### Type 28 | kprobe + kretprobe 29 | #### Purpose 30 | To monitor when the program defines a new signal mask and waits until a signal is received. 31 | 32 | ## Example Use Case 33 | When monitoring a program that handles signals and the need to know when a new signal mask is set and in which order the signals are handled. 34 | 35 | ## Issues 36 | If a signal is sent with a higher priority than SIGKILL and SIGSTOP, it might be missed by the call to sigsuspend(). 37 | 38 | ## Related Events 39 | * sigprocmask() 40 | * sigsuspend() 41 | * sigpending() 42 | 43 | > This document was automatically generated by OpenAI and needs review. It might 44 | > not be accurate and might contain errors. The authors of Tracee recommend that 45 | > the user reads the "events.go" source file to understand the events and their 46 | > arguments better. 47 | -------------------------------------------------------------------------------- /web/static/syscalls/ssetmask.md: -------------------------------------------------------------------------------- 1 | 2 | # ssetmask 3 | 4 | ## Intro 5 | ssetmask - Change calling thread signal mask 6 | 7 | ## Description 8 | The ssetmask function sets the signal mask of the calling thread to the argument newmask, and returns the previous signal mask of the thread. The calls have no effect on signals that are ignored. The ssetmask() function is equivalent to sigprocmask(2). 9 | 10 | ## Arguments 11 | * `newmask`:`long`[K] - The signal mask to be set. 12 | 13 | ### Available Tags 14 | * K - Originated from kernel-space. 15 | * U - Originated from user space (for example, pointer to user space memory used to get it) 16 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 17 | * OPT - Optional argument - might not always be available (passed with null value) 18 | 19 | ## Hooks 20 | ### ssetmask 21 | #### Type 22 | Kprobes 23 | #### Purpose 24 | To detect when threads change their signal masks. 25 | 26 | ## Example Use Case 27 | ssetmask() can be used to detect if a thread is attempting to block certain signals. This is useful to detect certain malicious activities, as it can indicate the presence of signal handlers. 28 | 29 | ## Issues 30 | None 31 | 32 | ## Related Events 33 | * signal(2) - Send signal. 34 | * sigaction(2) - Change signal action. 35 | * sigprocmask(2) - Examine and change blocked signals. 36 | 37 | > This document was automatically generated by OpenAI and needs review. It might 38 | > not be accurate and might contain errors. The authors of Tracee recommend that 39 | > the user reads the "events.go" source file to understand the events and their 40 | > arguments better. 41 | -------------------------------------------------------------------------------- /web/static/syscalls/statfs.md: -------------------------------------------------------------------------------- 1 | 2 | # statfs 3 | 4 | ## Intro 5 | statfs - copies information relating to mounted filesystems 6 | 7 | ## Description 8 | The `statfs` system call obtains details of the mounted file system specified 9 | by the path. The information is stored in the struct `statfs`, which is 10 | returned to the user at `buf`. The `statfs` system call is commonly used for 11 | finding out the total size of the file system, the number of available 12 | blocks or the number of free blocks. 13 | 14 | ## Arguments 15 | * `path`:`const char*`[U] - path of the mounted file system 16 | * `buf`:`struct statfs*`[U] - pointer to a buffer where the statfs data will be stored 17 | 18 | ### Available Tags 19 | * K - Originated from kernel-space. 20 | * U - Originated from user space (for example, pointer to user space memory used to get it) 21 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 22 | * OPT - Optional argument - might not always be available (passed with null value) 23 | 24 | ## Hooks 25 | ### sys_statfs 26 | #### Type 27 | Kprobe 28 | #### Purpose 29 | To keep track of when and how often the `statfs` system call is used. 30 | 31 | ## Example Use Case 32 | The `statfs` system call could be used to gather file system statistics, such as the size and number of free blocks, for monitoring the health of the system. 33 | 34 | ## Issues 35 | None. 36 | 37 | ## Related Events 38 | * mount (from which relevant statfs information can be obtained) 39 | 40 | > This document was automatically generated by OpenAI and needs review. It might 41 | > not be accurate and might contain errors. The authors of Tracee recommend that 42 | > the user reads the "events.go" source file to understand the events and their 43 | > arguments better. 44 | -------------------------------------------------------------------------------- /web/static/syscalls/stime.md: -------------------------------------------------------------------------------- 1 | 2 | #stime 3 | 4 | ## Intro 5 | stime - set the system's date and time 6 | 7 | ## Description 8 | The stime system call sets the system's idea of the current calendar time and time of day. 9 | The time argument is the time in seconds since the epoch, and time should always be non-negative. 10 | The time argument is interpreted as UTC by the kernel. The syscall does not check whether any arguments are out of range, leading to a potential TOCTOU (time of check, time of use) vulnerability. 11 | 12 | ## Arguments 13 | * `t`:`const time_t*`[K] - timestamp of current time in seconds since the Epoch. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | 18 | ## Hooks 19 | ### sys_stime 20 | 21 | #### Type 22 | Kprobes 23 | 24 | #### Purpose 25 | To log the invocation of the `stime()` system call. 26 | 27 | ## Example Use Case 28 | The `stime` system call can be used to manually adjust the system time. One example use case can be to periodically invoke this system call to keep the system time in sync with an NTP server. 29 | 30 | ## Issues 31 | Due to the lack of input sanitation, this system call has been found vulnerable to TOCTOU (Time of Check / Time of Use) vulnerability in certain cases. 32 | 33 | ## Related Events 34 | * `nanosleep` - to suspend execution of the current thread. 35 | * `clock_settime` - to change the current time of a clock relative to an epoch 36 | 37 | > This document was automatically generated by OpenAI and needs review. It might 38 | > not be accurate and might contain errors. The authors of Tracee recommend that 39 | > the user reads the "events.go" source file to understand the events and their 40 | > arguments better. 41 | -------------------------------------------------------------------------------- /web/static/syscalls/stty.md: -------------------------------------------------------------------------------- 1 | 2 | # stty 3 | 4 | ## Intro 5 | stty - sets the parameters associated with the terminal. 6 | 7 | ## Description 8 | The stty utility sets or reports terminal characteristics (POSIX termios style) for open terminals in the pseudo-terminal family. The terminal characteristics determine how input and output behave on the input and output streams of the terminal. All subsequent reads and writes on the terminal use these characteristics until the characteristics are re-set with stty. 9 | 10 | The POSIX terminal interface is derived from the Unix system and provides more comprehensive control of the terminal than the more traditional interface derived from System V and supplied as the ioctl function. 11 | 12 | ## Arguments 13 | * `command_string`:`string`[K] - A stty command string made of words, separators, and quote marks that contains one or more stty commands to be performed on the terminal output or input. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | * U - Originated from user space (for example, pointer to user space memory used to get it) 18 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 19 | * OPT - Optional argument - might not always be available (passed with null value) 20 | 21 | ## Hooks 22 | ### Syscall 23 | #### Type 24 | Probe 25 | #### Purpose 26 | To detect calls to the stty syscall. 27 | 28 | ## Example Use Case 29 | stty can be used to change the baud rate and other aspects of the serial port operation, thus it is a common event used in debugging serial port issues. 30 | 31 | ## Issues 32 | N/A 33 | 34 | ## Related Events 35 | * tcgets 36 | * tcsetattr 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/swapoff.md: -------------------------------------------------------------------------------- 1 | 2 | # swapoff 3 | 4 | ## Intro 5 | swapoff - unregister a path from the list of used swap devices 6 | 7 | ## Description 8 | The `swapoff()` function unregisters the path pointed to by the `path` parameter from the list of used swap devices. This call can be used to deactivate swap devices without reboot. Since the Linux kernel version 4.14, swap devices can also be limited to a specific range of physical memory pages. This allows creating swap devices out of unused physical memory. 9 | 10 | ## Arguments 11 | * `path`:`const char*`[K] - path to the swap device. 12 | 13 | ### Available Tags 14 | * K - Originated from kernel space. 15 | 16 | ## Hooks 17 | ### sys_swapoff 18 | #### Type 19 | kprobe 20 | #### Purpose 21 | Used to unregister the path pointed to by the path parameter from the list of used swap devices. 22 | 23 | ## Example Use Case 24 | When we want to unregister a swap device without rebooting the system. 25 | 26 | ## Issues 27 | On some systems, swapoff() fails with an "Operation not permitted" error if called from a non-root process. 28 | 29 | ## Related Events 30 | The `swapon()` syscall can be used in combination with `swapoff()` to activate and deactivate swap devices. 31 | 32 | > This document was automatically generated by OpenAI and needs review. It might 33 | > not be accurate and might contain errors. The authors of Tracee recommend that 34 | > the user reads the "events.go" source file to understand the events and their 35 | > arguments better. 36 | -------------------------------------------------------------------------------- /web/static/syscalls/sync.md: -------------------------------------------------------------------------------- 1 | 2 | # sync 3 | 4 | ## Intro 5 | sync - waits until all disk write operations have been completed 6 | 7 | ## Description 8 | The sync command causes all in-memory modified blocks to be written to disk. This is useful in order to ensure the full integrality and consistency of the data in the case of a system crash or power failure. However, it is not a full backup solution and it should be used in combination with other data safety measures. Moreover, regular synchronization of the disks is suggested in order to minimize the impact of unclean shutdown. 9 | 10 | ## Arguments 11 | * `None` 12 | 13 | ## Hooks 14 | ### sync_file_range 15 | #### Type 16 | Kprobes 17 | #### Purpose 18 | Detecting when a process is syncing files to create a superblock barrier. 19 | 20 | ### sys_sync 21 | #### Type 22 | Kprobes 23 | #### Purpose 24 | Detecting calls to the sys_sync function in the kernel. 25 | 26 | ## Example Use Case 27 | For example, the sync command can be used to make sure that the in-memory modified blocks are written to disk before rebooting the system. 28 | 29 | ## Issues 30 | Depending on the file system used, the sync command doesn't guarantee that the data is flushed completely. 31 | 32 | ## Related Events 33 | fsync - sync data and associated metadata for specified file 34 | 35 | > This document was automatically generated by OpenAI and needs review. It might 36 | > not be accurate and might contain errors. The authors of Tracee recommend that 37 | > the user reads the "events.go" source file to understand the events and their 38 | > arguments better. 39 | -------------------------------------------------------------------------------- /web/static/syscalls/syncfs.md: -------------------------------------------------------------------------------- 1 | 2 | # syncfs 3 | 4 | ## Intro 5 | syncfs - synchronize all file system data on the device associated with a file descriptor 6 | 7 | ## Description 8 | The syncfs() system call synchronizes all data associated with the device opened via the file descriptor fd. It calls the file system's sync() operation, which transfers all cached data to permanent storage, and then the fsync() call. This is typically used to ensure that everything written to a file by the application is really on permanent storage. 9 | 10 | syncfs() is similar to sync(), but applies only to the filesystem associated with the file descriptor fd. 11 | 12 | ## Arguments 13 | * `fd`:`int`[K] - file descriptor pointing to a filesystem device. 14 | 15 | ### Available Tags 16 | * K - Originated from kernel-space. 17 | * U - Originated from user space (for example, pointer to user space memory used to get it) 18 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 19 | * OPT - Optional argument - might not always be available (passed with null value) 20 | 21 | ## Hooks 22 | ### syncfs 23 | #### Type 24 | kprobe 25 | #### Purpose 26 | Used to synchronize all data associated with a filesystem device. 27 | 28 | ## Example Use Case 29 | Let's say you wanted to take a backup of a file system in a file descriptor. The syncfs() system call is the one to do this, as it transfers all cached data to permanent storage. 30 | 31 | ## Issues 32 | None. 33 | 34 | ## Related Events 35 | * sync - synchronize all file system data 36 | * fsync - synchronize files or directories 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/tgkill.md: -------------------------------------------------------------------------------- 1 | 2 | # tgkill 3 | 4 | ## Intro 5 | tgkill - Sending a signal to a thread in another thread group. 6 | 7 | ## Description 8 | The tgkill syscall is used to send a signal to a thread in another thread group. It is the same as calling kill, but allows a thread to be targeted in another thread group, instead of needing to rely on a separate process. 9 | 10 | The tgkill syscall is useful for situations when thread-to-thread and thread-group-to-thread-group communications are needed, but when signaling would otherwise be too imprecise. 11 | 12 | The main disadvantage of tgkill is that it only works on two specific threads, not thread groups in general. This means it may be difficult to send a signal to all threads in another thread group. 13 | 14 | ## Arguments 15 | * `tgid`:`int` - The thread group identifier of the target process. 16 | * `tid`:`int` - The thread identifier of the target thread in the thread group. 17 | * `sig`:`int`[K] - The signal to be sent to the thread. 18 | 19 | ### Available Tags 20 | * K - Originated from kernel-space. 21 | 22 | ## Hooks 23 | ### do_tgkill 24 | #### Type 25 | Kprobe + Kretprobe 26 | #### Purpose 27 | Hooked to do_tgkill to monitor when tgkill is executed, and the arguments it is called with. 28 | 29 | ## Example Use Case 30 | tgkill can be useful in situations where two threads need to communicate, but are in different thread groups. For example, if one thread is in a daemon thread group and another is in a user process thread group, tgkill can be used to signal between the two. 31 | 32 | ## Issues 33 | None 34 | 35 | ## Related Events 36 | Signal events (such as kill) and thread management events (such as clone). 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/timer_delete.md: -------------------------------------------------------------------------------- 1 | 2 | # timer_delete 3 | 4 | ## Intro 5 | timer_delete - deletes previously created timer 6 | 7 | ## Description 8 | timer_delete() deletes the specified timer, timer_id. The timer must have been 9 | created by a previous call to timer_create(2) and must not have been already 10 | deleted. The associated clock, allocated memory and timer overrun handlers are 11 | all released. If a required underlying alarm request was issued to the real-time 12 | clock, it is also canceled. After a successful timer_delete() call, the timer_t 13 | value is invalid and should not be reused. 14 | 15 | ## Arguments 16 | * `timer_id`:`timer_t`[K] - ID of the timer to be deleted. 17 | 18 | ### Available Tags 19 | * K - Originated from kernel-space. 20 | 21 | ## Hooks 22 | ### timer_delete 23 | #### Type 24 | Kprobe + Kretprobe 25 | #### Purpose 26 | Investigate the performance of timer_delete system call. 27 | 28 | ## Example Use Case 29 | timer_delete can be used to delete a timer, which was created by a previous 30 | call to timer_create(2), in order to prevent it from expiring. 31 | 32 | ## Issues 33 | If a call to timer_delete() fails, the timer may be left in an undefined state, 34 | which can cause the timer to be reused at a future point in time. 35 | 36 | ## Related Events 37 | timer_create(2) - creates a timer, which can later be deleted by timer_delete(). 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | -------------------------------------------------------------------------------- /web/static/syscalls/timer_getoverrun.md: -------------------------------------------------------------------------------- 1 | 2 | # timer_getoverrun 3 | 4 | ## Intro 5 | timer_getoverrun - returns an overrun count 6 | 7 | ## Description 8 | The timer_getoverrun function returns the overrun count for a specified timer. The overrun count is equal to the number of times the expiration callback was invoked since the last time the timer expired. 9 | 10 | The timer_getoverrun function works by reading the timer's state and therefore the overrun count may be stale by the time it is returned. If the timer is in the process of expiring, the overrun count may not agree with the actual overrun count since the expiration callback started running. 11 | 12 | ## Arguments 13 | 14 | * `timer_id` : `timer_t` - identifier of the timer whose overrun count should be returned. 15 | 16 | ### Available Tags 17 | * K - Originated from kernel-space. 18 | * U - Originated from user space (for example, pointer to user space memory used to get it) 19 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 20 | * OPT - Optional argument - might not always be available (passed with null value) 21 | 22 | ## Hooks 23 | ### sys_timer_getoverrun 24 | #### Type 25 | KProbes 26 | #### Purpose 27 | Used to log the timer identifier and the overrun count. 28 | 29 | ## Example Use Case 30 | This event can be used to track the behavior of a timer and its overrun count over time. 31 | 32 | ## Issues 33 | None. 34 | 35 | ## Related Events 36 | * [timer_settime](https://linux.die.net/man/2/timer_settime) - used to set up the timer which will be tracked with timer_getoverrun. 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/timer_gettime.md: -------------------------------------------------------------------------------- 1 | 2 | # timer_gettime 3 | 4 | ## Intro 5 | timer_gettime - Get the current value of the timer specified by timerid. 6 | 7 | ## Description 8 | The timer_gettime() system call gets the current value of the timer specified by timerid. It stores the amount of time until the timer expires into the itimerspec pointed to by curr_value. Additional flags, like TIMER_ABSTIME may modify the behavior of this call by setting the reference from which the relative waiting time is calculated. If the timer is disarmed, the itimerspec is set to 0. 9 | 10 | ## Arguments 11 | * `timer_id`:`timer_t` - ID of timer to query. 12 | * `curr_value`:`struct itimerspec*`K[TOCTOU] - Pointer to a preallocated itimerspec structure, to which the timer's current value will be written. 13 | 14 | ### Available Tags 15 | * K - Originated from kernel-space. 16 | * U - Originated from user space (for example, pointer to user space memory used to get it) 17 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 18 | * OPT - Optional argument - might not always be available (passed with null value) 19 | 20 | ## Hooks 21 | ### sys_timer_gettime 22 | #### Type 23 | kprobe. 24 | #### Purpose 25 | To detect calls to timer_gettime() and to monitor the parameters passed to it. 26 | 27 | ## Example Use Case 28 | This event could be used to detect application calls to timer_gettime() and to gather additional data regarding the timer associated with this call. This data can be used for investigation or profiling purposes. 29 | 30 | ## Issues 31 | No known issues at the moment. 32 | 33 | ## Related Events 34 | * timer_create 35 | * timer_settime 36 | * timer_delete 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/timerfd_create.md: -------------------------------------------------------------------------------- 1 | 2 | # timerfd_create 3 | 4 | ## Intro 5 | timerfd_create - creates a file descriptor for use with the timerfd routines. 6 | 7 | ## Description 8 | The timerfd_create() system call creates a new timer object and returns a file descriptor that refers to it. The clockid argument specifies the clock that is used to mark the progress of the timer. The flags argument specifies optional creation flags; currently only TFD_CLOEXEC is supported. 9 | 10 | Once created, the file descriptor can be used to wait for the expiration of the timer using read(), select(), or poll(). 11 | 12 | ## Arguments 13 | * `clockid`:`int` - specifies the clock that is used to mark the progress of the timer. 14 | * `flags`:`int`[OPT] - specifies optional creation flags; currently only TFD_CLOEXEC is supported. 15 | 16 | ### Available Tags 17 | * K - Originated from kernel-space. 18 | * U - Originated from user space (for example, pointer to user space memory used to get it) 19 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 20 | * OPT - Optional argument - might not always be available (passed with null value) 21 | 22 | ## Hooks 23 | ### sys_timerfd_create 24 | #### Type 25 | KProbe 26 | #### Purpose 27 | To hook the kernel entry point for the timerfd_create system call. 28 | 29 | ## Example Use Case 30 | A process that needs to track time at the system level could use this event to create a file descriptor for a timer and use that to track time in the process. 31 | 32 | ## Issues 33 | No known issues. 34 | 35 | ## Related Events 36 | timerfd_settime, timerfd_gettime 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/timerfd_settime.md: -------------------------------------------------------------------------------- 1 | 2 | # timerfd_settime 3 | 4 | ## Intro 5 | timerfd_settime - set the expiration and interval of an installed timer 6 | 7 | ## Description 8 | The timerfd_settime() system call arms (starts) or disarms (stops) the timer 9 | referred to by the file descriptor `fd`. It does this by setting the timer's 10 | expiration and interval according to the values specified in the 11 | `struct itimerspec` pointed to by the `new_value` argument. If the `old_value` 12 | argument is non-NULL, then the previous `struct itimerspec` is returned in this 13 | location. This syscall also allows the user to specify the `TFD_TIMER_ABSTIME` 14 | descriptor to indicate that `new_value->it_value` is evaluated relative to the 15 | CLOCK_REALTIME clock. 16 | 17 | ## Arguments 18 | * `fd`: `int` - file descriptor referring to the timer instance. 19 | * `flags`: `int` - flags specifying the behavior of the timer. Flags: `TFD_TIMER_ABSTIME` 20 | * `new_value`: `const struct itimerspec*` [K] - pointer to the new timer value. 21 | * `old_value`: `struct itimerspec*` [K] - pointer to the previous timer value 22 | 23 | ### Available Tags 24 | * K - Originated from kernel-space. 25 | 26 | ## Hooks 27 | ### `sys_timerfd_settime` 28 | #### Type 29 | kprobe 30 | #### Purpose 31 | To monitor the duration of timerfd_settime system calls. 32 | 33 | ## Example Use Case 34 | This event can be used for monitoring a timer. For example, it can be used to record the time at which an application sets a timer. 35 | 36 | ## Issues 37 | None known. 38 | 39 | ## Related Events 40 | * `timerfd_gettime` - read the timer expiration and interval 41 | 42 | > This document was automatically generated by OpenAI and needs review. It might 43 | > not be accurate and might contain errors. The authors of Tracee recommend that 44 | > the user reads the "events.go" source file to understand the events and their 45 | > arguments better. 46 | -------------------------------------------------------------------------------- /web/static/syscalls/truncate.md: -------------------------------------------------------------------------------- 1 | 2 | # truncate 3 | 4 | ## Intro 5 | truncate - Change the size of a file to a specified length 6 | 7 | ## Description 8 | The truncate() system call causes the regular file referenced by path or referenced by the file descriptor fd to have a size of exactly length bytes. 9 | 10 | If the file previously was larger than length, the extra data is discarded. If the file was previously shorter, it is extended, and the extended part reads as null bytes (‘\0’). 11 | 12 | ## Arguments 13 | * `path`:`const char*`[U] - The path of the file to be truncated. 14 | * `length`:`off_t`[K] - The length of the file. 15 | 16 | ### Available Tags 17 | * K - Originated from kernel-space. 18 | * U - Originated from user space (for example, pointer to user space memory used to get it) 19 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 20 | * OPT - Optional argument - might not always be available (passed with null value) 21 | 22 | ## Hooks 23 | ### sys_truncate 24 | #### Type 25 | KPROBE 26 | #### Purpose 27 | sys_truncate is hooked to gather information about a regular file being truncated. 28 | 29 | ## Example Use Case 30 | Truncate can be used to reduce the size of a file, with the extra data being discarded if it is longer than the specified length. 31 | 32 | ## Issues 33 | If the length specified is longer than the actual size of the file, security issues may arise if the file is allocated and filled with data afterwards. 34 | 35 | ## Related Events 36 | fchmodat, creat, ftruncate 37 | 38 | > This document was automatically generated by OpenAI and needs review. It might 39 | > not be accurate and might contain errors. The authors of Tracee recommend that 40 | > the user reads the "events.go" source file to understand the events and their 41 | > arguments better. 42 | -------------------------------------------------------------------------------- /web/static/syscalls/truncate64.md: -------------------------------------------------------------------------------- 1 | 2 | # truncate64 3 | 4 | ## Intro 5 | truncate64() - truncate a file to a specified length 6 | 7 | ## Description 8 | The truncate64() system call is used to truncate a file to a specified length. If the file is larger than the length specified, the extra data is lost. If the file is shorter than the length specified, the file will be extended with NUL bytes (`\0`). The truncate64() system call operates on files, not directories. 9 | 10 | ## Arguments 11 | * `path`:`const char*` - pathname of the file whose length is to be changed 12 | * `length`:`off_t` - size to which the file should be truncated 13 | 14 | ### Available Tags 15 | N/A 16 | 17 | ## Hooks 18 | ### sys_truncate64 19 | #### Type 20 | Kprobe 21 | #### Purpose 22 | To detect when the `truncate64` system call is called 23 | 24 | ## Example Use Case 25 | truncate64() can be used to ensure that a certain file does not exceed a certain size. For example, it can be used to ensure a log file does not exceed 1GB in size. 26 | 27 | ## Issues 28 | The truncate64() system call does not check if the current user has the necessary permissions to truncate the file, this must be done manually. 29 | 30 | ## Related Events 31 | * open() - to open a file handle before truncating it 32 | * ftruncate64() - similar system call, but which operates on an open file descriptor 33 | 34 | > This document was automatically generated by OpenAI and needs review. It might 35 | > not be accurate and might contain errors. The authors of Tracee recommend that 36 | > the user reads the "events.go" source file to understand the events and their 37 | > arguments better. 38 | -------------------------------------------------------------------------------- /web/static/syscalls/tuxcall.md: -------------------------------------------------------------------------------- 1 | 2 | # tuxcall 3 | 4 | ## Intro 5 | tuxcall - handle requests from userspace, typically IOCTL calls 6 | 7 | ## Description 8 | tuxcall is a way for programs running in userspace to make requests to the kernel. It is typically used to control devices and configure hardware. The kernel will check the associated data structures and privileges and then process the request and return a response to the user program. The drawbacks of using tuxcall are that it can be complex and time-consuming to debug and debug when using multiple threads and ioctls. 9 | 10 | ## Arguments 11 | * `cmd`: `int`[K] - defines the command to be executed. 12 | * `arg`: `void *`[K] - a void pointer to a data structure associated with the command. 13 | 14 | ### Available Tags 15 | * K - Originated from kernel-space. 16 | * U - Originated from user space (for example, pointer to user space memory used to get it) 17 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 18 | * OPT - Optional argument - might not always be available (passed with null value) 19 | 20 | ## Hooks 21 | ### syscall_entry_tuxcall 22 | #### Type 23 | Kprobe 24 | #### Purpose 25 | To trace tuxcall system calls 26 | 27 | ## Example Use Case 28 | A program running in user space is using tuxcall to configure a device. It will pass the relevant data structures and arguments to the kernel via the tuxcall syscall and wait for a response. 29 | 30 | ## Issues 31 | One of the major issues with tuxcall is that it can be difficult to debug when errors occur due to the complexity of the system. 32 | 33 | ## Related Events 34 | * ioctl - performs io control operations 35 | * read - read data from a file descriptor 36 | 37 | > This document was automatically generated by OpenAI and needs review. It might 38 | > not be accurate and might contain errors. The authors of Tracee recommend that 39 | > the user reads the "events.go" source file to understand the events and their 40 | > arguments better. 41 | -------------------------------------------------------------------------------- /web/static/syscalls/uname.md: -------------------------------------------------------------------------------- 1 | 2 | # uname 3 | 4 | ## Intro 5 | uname - get the system name 6 | 7 | ## Description 8 | The uname() system call wraps the get_utsname() kernel function and is used to get information about the current system, including the system name, version and the release. The struct utsname argument, buf, passes the system information to user space. 9 | 10 | ## Arguments 11 | * `buf`:`struct utsname*`[K, U] - pointer to a buffer to store the utsname struct. 12 | 13 | ### Available Tags 14 | * K - Originated from kernel-space. 15 | * U - Originated from user space (for example, pointer to user space memory used to get it) 16 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 17 | * OPT - Optional argument - might not always be available (passed with null value) 18 | 19 | ## Hooks 20 | ### sys_uname 21 | #### Type 22 | Kprobes 23 | #### Purpose 24 | To trace when the uname() syscall is called and get the arguments passed. 25 | 26 | ## Example Use Case 27 | In a security monitoring system, the uname() syscall can be used to identify if a system is undergoing changes to its core characteristics. 28 | 29 | ## Issues 30 | None 31 | 32 | ## Related Events 33 | The get_utsname() kernel function, from which this syscall originates. 34 | 35 | > This document was automatically generated by OpenAI and needs review. It might 36 | > not be accurate and might contain errors. The authors of Tracee recommend that 37 | > the user reads the "events.go" source file to understand the events and their 38 | > arguments better. 39 | -------------------------------------------------------------------------------- /web/static/syscalls/unlinkat.md: -------------------------------------------------------------------------------- 1 | 2 | # unlinkat 3 | 4 | ## Intro 5 | unlinkat - system call that deletes a file name, relative to an open directory 6 | 7 | ## Description 8 | unlinkat is a system call that deletes a file name, relative to an open directory. The purpose of unlinkat is to provide a more secure and robust way to delete a file than the remove() syscall, as it allows users to avoid race conditions while deleting a file. 9 | 10 | Unlinkat also allows a user to delete links without traversing whole directory hierarchies, by providing the location of the file (directory) and its name as two separate arguments. 11 | 12 | ## Arguments 13 | * `dirfd`:`int`[K] - an open file descriptor referring to a directory. 14 | * `pathname`:`const char*`[KU] - a string containing the name of the file to be deleted, relative to the directory referred to by dirfd. 15 | * `flags`:`int`[K] - optional flags that can include **AT_REMOVEDIR**. 16 | 17 | ### Available Tags 18 | * K - Originated from kernel-space. 19 | * U - Originated from user space (for example, pointer to user space memory used to get it) 20 | * TOCTOU - Vulnerable to TOCTOU (time of check, time of use) 21 | * OPT - Optional argument - might not always be available (passed with null value) 22 | 23 | ## Hooks 24 | ### sys_unlinkat 25 | #### Type 26 | Tracepoint 27 | #### Purpose 28 | To monitor file deletions. 29 | 30 | ## Example Use Case 31 | Finding malicious file deletions. 32 | 33 | ## Issues 34 | unlinkat is vulnerable to TOCTOU (time of check, time of use) attacks. 35 | 36 | ## Related Events 37 | unlink(), remove(), readlinkat(), openat() 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | -------------------------------------------------------------------------------- /web/static/syscalls/vhangup.md: -------------------------------------------------------------------------------- 1 | 2 | # vhangup 3 | 4 | ## Intro 5 | vhangup - Revoke access to all descriptors associated with the caller's tty 6 | 7 | ## Description 8 | The vhangup() system call will cause all descriptors associated with the caller's tty to be revoked. On Mac OS X, and many other Unix-like operating systems, this system call has been made obsolete by the setsid() system call. On some Linux-based systems, using this system call may reset certain signal -> PID mappings and socket connection state. 9 | 10 | Using vhangup may also cause some process wait states to be reset. Note that, using this system call may cause certain terminal state to be reset, such as terminal baud rate, size and control characters. 11 | 12 | ## Arguments 13 | 14 | None 15 | 16 | ### Available Tags 17 | N/A 18 | 19 | ## Hooks 20 | ### vhangup 21 | #### Type 22 | Kprobe 23 | #### Purpose 24 | To monitor calls of vhangup system call. 25 | 26 | ## Example Use Case 27 | When debugging a program that utilizes terminal control, vhangup can be used to reset the state of the terminal. 28 | 29 | ## Issues 30 | No known issues. 31 | 32 | ## Related Events 33 | setsid 34 | 35 | > This document was automatically generated by OpenAI and needs review. It might 36 | > not be accurate and might contain errors. The authors of Tracee recommend that 37 | > the user reads the "events.go" source file to understand the events and their 38 | > arguments better. 39 | -------------------------------------------------------------------------------- /web/static/syscalls/waitpid.md: -------------------------------------------------------------------------------- 1 | 2 | # waitpid 3 | 4 | ## Intro 5 | waitpid - wait for a process to change its state 6 | 7 | ## Description 8 | The waitpid() system call suspends execution of the calling process until a 9 | child process specified by pid argument has changed state. By giving the 10 | WNOHANG or WUNTRACED options to waitpid() call, the calling process can 11 | specify that it should return immediately if there is no process state 12 | change. The status pointer argument may be specified as NULL. 13 | 14 | ## Arguments 15 | * `pid`:`pid_t` - Specifies a set of child processes for which to wait. 16 | * `status`:`int*`[U] - A pointer to an integer into which status information 17 | about the child process will be stored. This can be NULL if the calling process 18 | is not interested in this information. 19 | * `options`:`int` - May be specified to include WNOHANG or WUNTRACED, which 20 | modify the behavior of the waitpid() system call. 21 | 22 | ### Available Tags 23 | * U - Originated from user space (for example, pointer to user space memory used to get it) 24 | 25 | ## Hooks 26 | ### do_wait() 27 | #### Type 28 | KProbes 29 | #### Purpose 30 | Used to monitor usage of waitpid in the system. 31 | 32 | ## Example Use Case 33 | This event can be used to monitor and detect when a process with a specified 34 | pid has changed state. 35 | 36 | ## Issues 37 | None. 38 | 39 | ## Related Events 40 | - fork() 41 | - execve() 42 | - signal() 43 | 44 | > This document was automatically generated by OpenAI and needs review. It might 45 | > not be accurate and might contain errors. The authors of Tracee recommend that 46 | > the user reads the "events.go" source file to understand the events and their 47 | > arguments better. 48 | -------------------------------------------------------------------------------- /web/static/syscalls/write.md: -------------------------------------------------------------------------------- 1 | 2 | # write 3 | 4 | ## Intro 5 | write - a syscall for writing data to a specified file descriptor 6 | 7 | ## Description 8 | The write syscall is used to write data to a specified file descriptor. It takes three arguments: a file descriptor `fd`, a pointer to the data `buf` and its size `count`. It returns the number of bytes written, or -1 if there was an error. 9 | 10 | Writing more bytes than the buffer size may cause a buffer overflow and should be avoided. Data should also be checked before writing to make sure that it is valid. It is important to note that the write syscall is non-atomic and may be interrupted by signals. 11 | 12 | ## Arguments 13 | * `fd`:`int` - file descriptor to write the data to 14 | * `buf`:`void*`[K, U] - pointer to the data to be written 15 | * `count`:`size_t`[K] - number of bytes to write from the buffer 16 | 17 | ### Available Tags 18 | * K - Originated from kernel-space 19 | * U - Originated from user space (for example, pointer to user space memory used to get it) 20 | 21 | ## Hooks 22 | ### sys_write 23 | #### Type 24 | Kprobe 25 | #### Purpose 26 | To collect data from all write syscall invocation. 27 | 28 | ## Example Use Case 29 | A system administrator could use the write syscall to write data to a logfile. 30 | 31 | ## Issues 32 | If the buffer size is larger than the specified count, the write syscall may cause a buffer overflow. 33 | 34 | ## Related Events 35 | * read - allows a file descriptor to be read into a buffer 36 | * open - allows a file to be opened and set a file descriptor 37 | * close - closes a previously opened file descriptor 38 | 39 | > This document was automatically generated by OpenAI and needs review. It might 40 | > not be accurate and might contain errors. The authors of Tracee recommend that 41 | > the user reads the "events.go" source file to understand the events and their 42 | > arguments better. 43 | --------------------------------------------------------------------------------