diff --git a/rasp/jvm/JVMProbe/src/main/java/com/security/smith/client/Client.java b/rasp/jvm/JVMProbe/src/main/java/com/security/smith/client/Client.java index f7f405519..289a895aa 100644 --- a/rasp/jvm/JVMProbe/src/main/java/com/security/smith/client/Client.java +++ b/rasp/jvm/JVMProbe/src/main/java/com/security/smith/client/Client.java @@ -4,6 +4,7 @@ import com.google.gson.JsonArray; import com.google.gson.JsonElement; import com.google.gson.JsonParser; +import com.google.gson.GsonBuilder; import com.security.smith.client.message.*; import com.security.smith.common.ProcessHelper; import com.security.smith.log.SmithLogger; @@ -282,7 +283,8 @@ private void readMessage() { JsonArray jsonArray = jsonElement.getAsJsonArray(); for (JsonElement element : jsonArray) { if (element.isJsonObject()) { - Message message = new Gson().fromJson(element, Message.class); + Gson gson = new GsonBuilder().registerTypeAdapter(Message.class, new MessageDeserializer()).create(); + Message message = gson.fromJson(element, Message.class); onMessage(message); } } diff --git a/rasp/librasp/Cargo.toml b/rasp/librasp/Cargo.toml index d8cfaaac7..adeb7b21a 100644 --- a/rasp/librasp/Cargo.toml +++ b/rasp/librasp/Cargo.toml @@ -18,7 +18,8 @@ libc = "0.2.80" nix = "0.24" anyhow = "1.0.38" # elf -goblin = "0.3.4" +goblin = "0.8.0" +byteorder = "1.0" # lru cache lru_time_cache = "0.11.8" memmap = "0.7.0" diff --git a/rasp/librasp/src/golang.rs b/rasp/librasp/src/golang.rs index 5642e0687..950b0909f 100644 --- a/rasp/librasp/src/golang.rs +++ b/rasp/librasp/src/golang.rs @@ -1,7 +1,8 @@ use log::*; use std::fs::File; use std::{fs, path::PathBuf, process::Command}; - +use std::io::Read; +use regex::Regex; use anyhow::{anyhow, Result}; use goblin::elf::Elf; use memmap::MmapOptions; @@ -10,7 +11,9 @@ use crate::async_command::run_async_process; use crate::process::ProcessInfo; use crate::runtime::{ProbeCopy, ProbeState, ProbeStateInspect}; use crate::settings; +use crate::parse_elf::{find_by_section, find_by_symbol}; +const GOLANG_SUPPORT_VERSION: u32 = 22; pub struct GolangProbeState {} impl ProbeStateInspect for GolangProbeState { @@ -105,10 +108,10 @@ pub fn golang_attach(pid: i32) -> Result { Ok(true) } else if es_code == 255 { let msg = format!( - "golang attach exit code 255: {} {} {} {}", - es_code, pid, &stdout, &stderr + "golang attach exit code 255: {} {} {}", + es_code, &stdout, &stderr ); - error!("{}", msg); + error!("pid: {}, {}", pid, msg); Err(anyhow!("{}", msg)) } else { let msg = format!( @@ -123,7 +126,7 @@ pub fn golang_attach(pid: i32) -> Result { }; } -pub fn golang_bin_inspect(bin_file: PathBuf) -> Result { +pub fn golang_bin_inspect(bin_file: &PathBuf) -> Result { let metadata = match fs::metadata(bin_file.clone()) { Ok(md) => md, Err(e) => { @@ -141,11 +144,86 @@ pub fn golang_bin_inspect(bin_file: PathBuf) -> Result { let shstrtab = elf.shdr_strtab; for section in elf.section_headers.iter() { let offset = section.sh_name; - if let Some(name) = shstrtab.get(offset) { - if name.unwrap() == ".gopclntab" { + if let Some(name) = shstrtab.get_at(offset) { + if name == ".gopclntab" { return Ok(size); } } } return Ok(0); } + +pub fn parse_version(version: &String) -> Result { + let re = Regex::new(r"^go(\d+\.\d+)(?:\.\d+)?").unwrap(); + + // use regex to extract the version number from the string + if let Some(captures) = re.captures(version) { + if let Some(version_number) = captures.get(1) { + let extracted_version = version_number.as_str(); + return Ok(extracted_version.to_string()); + } + } + return Err(anyhow::anyhow!("Failed to extract version number, from: {}", version)); +} + +pub fn golang_version(bin_file: &PathBuf) -> Result { + let mut file = File::open(bin_file)?; + let mut buffer = Vec::new(); + file.read_to_end(&mut buffer)?; + + // parse elf + let elf = match Elf::parse(&buffer) { + Ok(elf) => elf, + Err(err) => { + let msg = format!( + "Failed to parse ELF file: {}", err + ); + warn!("{}", msg); + return Err(anyhow!("{}", msg)); + } + }; + + if let Ok(version) = find_by_section(&elf, &buffer, &file) { + return parse_version(&version); + } else { + if let Ok(version) = find_by_symbol(&elf, &file) { + return parse_version(&version); + } else { + return Err(anyhow!("get go version by section and symbol failed")); + } + } + +} + +pub fn check_golang_version(ver: &String) -> Result<()> { + let major_minor: Option<(u32, u32)> = match ver.split('.').next() { + Some(major_str) => { + if let Ok(major) = major_str.parse::() { + if let Some(minor_str) = ver.split('.').nth(1) { + if let Ok(minor) = minor_str.parse::() { + Some((major, minor)) + } else { + None + } + } else { + Some((major, 0)) + } + } else { + None + } + } + None => None, + }; + + if let Some((major, minor)) = major_minor { + if major == 1 && minor <= GOLANG_SUPPORT_VERSION { + return Ok(()); + } else { + let msg = format!("Golang version too big: {}", ver); + return Err(anyhow!(msg)); + } + } else { + let msg = format!("golang version cannot parse: {}", ver); + return Err(anyhow!(msg)); + } +} diff --git a/rasp/librasp/src/lib.rs b/rasp/librasp/src/lib.rs index 8211d5633..766b01d13 100644 --- a/rasp/librasp/src/lib.rs +++ b/rasp/librasp/src/lib.rs @@ -9,6 +9,7 @@ pub mod process; pub mod runtime; #[allow(non_snake_case)] pub mod settings; +pub mod parse_elf; pub mod async_command { use std::io::{BufRead, BufReader}; diff --git a/rasp/librasp/src/manager.rs b/rasp/librasp/src/manager.rs index 16c235607..0ce1cc877 100644 --- a/rasp/librasp/src/manager.rs +++ b/rasp/librasp/src/manager.rs @@ -2,16 +2,16 @@ use std::collections::HashMap; use std::ffi::OsStr; use std::fs; use std::path::Path; - +use std::os::unix::fs::PermissionsExt; use anyhow::{anyhow, Result, Result as AnyhowResult}; use crossbeam::channel::Sender; use fs_extra::dir::{copy, create_all, CopyOptions}; -use fs_extra::file::{copy as file_copy, CopyOptions as FileCopyOptions}; +use fs_extra::file::{copy as file_copy, remove, CopyOptions as FileCopyOptions}; use libraspserver::proto::{PidMissingProbeConfig, ProbeConfigData}; use log::*; use crate::cpython::{python_attach, CPythonProbe, CPythonProbeState}; -use crate::golang::{golang_attach, GolangProbe, GolangProbeState}; +use crate::golang::{check_golang_version, golang_attach, GolangProbe, GolangProbeState}; use crate::jvm::{check_java_version, java_attach, java_detach, JVMProbe, JVMProbeState}; use crate::nodejs::{check_nodejs_version, nodejs_attach, NodeJSProbe}; use crate::php::{php_attach, PHPProbeState}; @@ -41,8 +41,8 @@ impl RASPManager { ) -> AnyhowResult<()> { debug!("starting comm with probe, target pid: {}", process_info.pid); let mnt_namespace = process_info.get_mnt_ns()?; - let nspid = if let Some(nspid) = ProcessInfo::read_nspid(process_info.pid)? { - nspid + let nspid = if process_info.nspid != 0 { + process_info.nspid } else { process_info.pid }; @@ -259,8 +259,8 @@ impl RASPManager { } } - serde_json::to_string(&valid_messages)?; - //self.write_message_to_config_file(pid, nspid, valid_messages_string)?; + let valid_messages_string = serde_json::to_string(&valid_messages)?; + self.write_message_to_config_file(pid, nspid, valid_messages_string)?; Ok(()) } @@ -324,9 +324,9 @@ impl RASPManager { let runtime_info = &process_info.runtime.clone().unwrap(); let root_dir = format!("/proc/{}/root", process_info.pid); let pid = process_info.pid; - ProcessInfo::read_nspid(pid)?.ok_or(anyhow!("can not read nspid: {}", pid))?; + let nspid = process_info.nspid; // delete config - // self.delete_config_file(pid, nspid)?; + self.delete_config_file(pid, nspid)?; let attach_result = match runtime_info.name { "JVM" => match JVMProbeState::inspect_process(process_info)? { ProbeState::Attached => { @@ -371,7 +371,7 @@ impl RASPManager { let to = format!("{}{}",root_dir.clone(), settings::RASP_JAVA_AGENT_BIN()); let _ = self.copy_file_from_to_dest(settings::RASP_JAVA_JATTACH_BIN(), root_dir.clone()); let _ = self.copy_file_from_to_dest(settings::RASP_JAVA_AGENT_BIN(), root_dir.clone()); - info!("copy from jattach/SmithAgent.jar to {}", to.clone()); + info!("copy from java/SmithAgent.jar to {}", to.clone()); } } Err(e) => { @@ -430,6 +430,14 @@ impl RASPManager { Ok(true) } ProbeState::NotAttach => { + if !runtime_info.version.is_empty() { + match check_golang_version(&runtime_info.version) { + Ok(_) => {} + Err(e) => { + return Err(anyhow!(e)); + } + } + } let mut golang_attach = |pid: i32, bpf: bool| -> AnyhowResult { if bpf { if let Some(bpf_manager) = self.ebpf_comm.as_mut() { @@ -881,66 +889,40 @@ impl MntNamespaceTracer { } impl RASPManager { - /* pub fn write_message_to_config_file( &self, pid: i32, nspid: i32, message: String, ) -> AnyhowResult<()> { - let config_dir = "/var/run/elkeid_rasp"; + let config_dir = format!("/proc/{}/root/var/run/elkeid_rasp", pid); let config_path = format!("{}/{}.json", config_dir, nspid); let config_path_bak = format!("{}.bak", config_path); - debug!("write message to {} {}", config_path_bak, message); - crate::async_command::run_async_process( - Command::new(crate::settings::RASP_NS_ENTER_BIN()).args([ - "-m", - "-t", - pid.to_string().as_str(), - "sh", - "-c", - "PATH=/bin:/usr/bin:/sbin", - format!( - "mkdir -p {} && echo '{}' > {} && mv {} {}", - config_dir, message, config_path_bak, config_path_bak, config_path - ) - .as_str(), - ]), - )?; - let ns_thread = thread::Builder::new().spawn(move || -> AnyhowResult<()> { - debug!("switch namespace"); - libraspserver::ns::switch_namespace(pid); - if !Path::new(&config_dir).exists() { - fs_extra::dir::create(config_dir, true)?; - } - fs_extra::file::write_all(&config_path_bak, message.as_str())?; - let mut option = fs_extra::file::CopyOptions::new(); - option.overwrite = true; - fs_extra::file::move_file(config_path_bak, config_path, &option)?; - Ok(()) - }).unwrap(); - ns_thread.join()?; + info!("write message to {} {}", config_path_bak, message); + + if !Path::new(&config_dir).exists() { + fs_extra::dir::create(&config_dir, true)?; + } + fs::set_permissions(&config_dir, fs::Permissions::from_mode(0o666))?; + fs_extra::file::write_all(&config_path_bak, message.as_str())?; + fs::set_permissions(&config_path_bak, fs::Permissions::from_mode(0o777))?; + let mut option = fs_extra::file::CopyOptions::new(); + option.overwrite = true; + fs_extra::file::move_file(config_path_bak, config_path, &option)?; + info!("write message success"); Ok(()) } pub fn delete_config_file(&self, pid: i32, nspid: i32) -> AnyhowResult<()> { - let config_path = format!("/var/run/elkeid_rasp/{}.json", nspid); + + let config_path = format!("/proc/{}/root/var/run/elkeid_rasp/{}.json", pid, nspid); if Path::new(&config_path).exists() { - crate::async_command::run_async_process( - Command::new(crate::settings::RASP_NS_ENTER_BIN()).args([ - "-m", - "-t", - pid.to_string().as_str(), - "sh", - "-c", - format!("rm {}", config_path).as_str(), - ]), - )?; + info!("delete config file: {}", config_path); + remove(config_path)? } Ok(()) } - */ } fn read_dir

(path: P) -> AnyhowResult> diff --git a/rasp/librasp/src/parse_elf.rs b/rasp/librasp/src/parse_elf.rs new file mode 100644 index 000000000..dc1df4063 --- /dev/null +++ b/rasp/librasp/src/parse_elf.rs @@ -0,0 +1,234 @@ +use std::fs::File; +use goblin::elf::{Elf, Sym}; +use byteorder::{ByteOrder, LittleEndian, BigEndian}; + +use anyhow::{anyhow, Result}; +use std::io::{Read, Seek, SeekFrom}; +use log::*; + +const MAGIC: &[u8] = b"\xff Go buildinf:"; +const RUNTIME_VERSION_MAGIC: &str = "runtime.buildVersion"; +const EXPECTED_MAGIC_LEN: usize = 14; +const FLAGS_OFFSET: usize = 15; + +const BUILDINFO_ALIGN: usize = 16; +const BUILDINFO_HEADER_SIZE: usize = 32; +const MAX_VAR_INT_LEN64: usize = 10; + +const FLAGS_VERSION_MASK: u8 = 0x2; +const FLAGS_ENDIAN_BIG: u8 = 0x1; + + +fn uvarint(buf: &[u8]) -> (u64, i32) { + let mut x: u64 = 0; + let mut s: u32 = 0; + for (i, &b) in buf.iter().enumerate() { + if i == MAX_VAR_INT_LEN64 { + return (0, -(i as i32 + 1)); // overflow + } + if b < 0x80 { + if i == MAX_VAR_INT_LEN64 - 1 && b > 1 { + return (0, -(i as i32 + 1)); // overflow + } + return (x | (b as u64) << s, (i + 1) as i32); + } + x |= ((b & 0x7F) as u64) << s; + s += 7; + } + return (0, 0); +} + +fn read_ptr(b: &[u8], ptr_size: usize, is_little_endian: bool) -> Option { + match ptr_size { + 4 => { + if is_little_endian{ + return Some(u64::from(LittleEndian::read_u32(b))); + } else { + return Some(u64::from(BigEndian::read_u32(b))); + } + } + 8 => { + if is_little_endian{ + return Some(u64::from(LittleEndian::read_u64(b))); + } else { + return Some(u64::from(BigEndian::read_u64(b))); + } + } + _ => None, + } +} + +fn read_data_at_address(mut file: &File, elf: &Elf, address: u64, size: usize) -> Option> { + let section = match elf.section_headers.iter().find(|section| { + section.sh_addr <= address && address < section.sh_addr + section.sh_size + }) { + Some(section) => section, + None => return None, + }; + + let offset = (address - section.sh_addr) as u64; + if let Err(_) = file.seek(SeekFrom::Start(section.sh_offset + offset)) { + return None; + } + + let mut buffer = vec![0u8; size]; + if let Err(_) = file.read_exact(&mut buffer) { + return None; + } + + Some(buffer) +} + +fn find_symbol<'a>(elf: &'a Elf<'a>, symbol_name: &str) -> Option { + for sym in &elf.syms { + if let Some(name) = elf.strtab.get_at(sym.st_name) { + if name == symbol_name { + return Some(sym.clone()); + } + } + } + None +} + +pub fn find_by_symbol(elf: &Elf, file: &File) -> Result { + // find runtime.buildVersion symbol + let symbol= find_symbol(&elf, RUNTIME_VERSION_MAGIC); + if let Some(sym) = symbol { + // read version data + let version_address_ptr = sym.st_value; + let version_len = sym.st_size; + let is_little_endian = elf.little_endian; + + let version_u8 = match read_data_at_address(&file, &elf, version_address_ptr, version_len as usize) { + Some(data) => data, + None => { + let msg = format!("Failed to read version data"); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + }; + info!("find symbol version: {:?}", version_u8); + let ptr_size = version_len / 2; + let version_address = match read_ptr(&version_u8, ptr_size as usize, is_little_endian) { + Some(ptr) => ptr, + None => { + let msg = format!("Failed to read version addr pointer"); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + }; + let version_address_len = match read_ptr(&version_u8[ptr_size as usize..], ptr_size as usize, is_little_endian) { + Some(ptr) => ptr, + None => { + let msg = format!("Failed to read version length pointer"); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + }; + + let version_addr_u8 = match read_data_at_address(&file, &elf, version_address, version_address_len as usize) { + Some(data) => data, + None => { + let msg = format!("Failed to read version data"); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + }; + let version = String::from_utf8_lossy(&version_addr_u8).to_string(); + Ok(version) + } else { + let msg = format!("file {:?} Failed to find symbol: runtime.buildVersion", file); + warn!("{}", msg); + Err(anyhow!(msg)) + } +} + +pub fn find_by_section(elf: &Elf, buffer:&Vec, file: &File) -> Result { + let mut version: String = String::new(); + + // find .go.buildinfo + if let Some(go_buildinfo_section) = elf.section_headers.iter().find(|section| { + if let Some(sect_name) = elf.shdr_strtab.get_at(section.sh_name) { + sect_name == ".go.buildinfo" + } else { + false + } + }) { + // read ".go.buildinfo" section data + if buffer.len() < (go_buildinfo_section.sh_offset as usize + go_buildinfo_section.sh_size as usize) || go_buildinfo_section.sh_size < BUILDINFO_HEADER_SIZE as u64 { + return Err(anyhow!("buidinfo size too large: size: {}, offset: {}",go_buildinfo_section.sh_offset, go_buildinfo_section.sh_size)); + } + + let buildinfo_data = &buffer[go_buildinfo_section.sh_offset as usize + ..(go_buildinfo_section.sh_offset + go_buildinfo_section.sh_size) as usize]; + + // check Magic + let magic_header = &buildinfo_data[0..EXPECTED_MAGIC_LEN]; + if magic_header == MAGIC { + let flag = buildinfo_data[FLAGS_OFFSET]; + // Since 1.18, the flags version bit is flagsVersionInl. In this case, + // the header is followed by the string contents inline as + // length-prefixed (as varint) string contents. First is the version + // string, followed immediately by the modinfo string. + if flag & FLAGS_VERSION_MASK == FLAGS_VERSION_MASK { + let version_u8 = match read_data_at_address(&file, &elf, go_buildinfo_section.sh_addr + BUILDINFO_HEADER_SIZE as u64, MAX_VAR_INT_LEN64) { + Some(data) => data, + None => { + let msg = format!("Failed to read version data"); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + }; + let len = uvarint(&version_u8).0; + let offset = uvarint(&version_u8).1; + + version = String::from_utf8_lossy(&buildinfo_data[BUILDINFO_HEADER_SIZE + offset as usize ..BUILDINFO_HEADER_SIZE + len as usize + offset as usize ]).to_string(); + + } else { + // go version < 1.18 + let ptr_size = buildinfo_data[EXPECTED_MAGIC_LEN] as usize; + let big_endian = flag & FLAGS_VERSION_MASK == FLAGS_ENDIAN_BIG; + // Read the version address and length based on endianness + if let Some(version_address) = read_ptr(&buildinfo_data[BUILDINFO_ALIGN as usize..(BUILDINFO_ALIGN + ptr_size) as usize], ptr_size, !big_endian) { + if let Some(version_address_ptr) = read_data_at_address(&file, &elf, version_address, ptr_size * 2) { + let version_address_ptr_u64 = match read_ptr(&version_address_ptr[0..ptr_size], ptr_size, !big_endian) { + Some(ptr) => ptr, + None => { + let msg = format!("Failed to read version address pointer, {}", ptr_size); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + }; + let version_len_ptr_u64 = match read_ptr(&version_address_ptr[ptr_size..ptr_size * 2], ptr_size, !big_endian) { + Some(ptr) => ptr, + None => { + let msg = format!("Failed to read version length pointer"); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + }; + let version_u8 = match read_data_at_address(&file, &elf, version_address_ptr_u64, version_len_ptr_u64 as usize) { + Some(data) => data, + None => { + let msg = format!("Failed to read version version data"); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + }; + + version = String::from_utf8_lossy(&version_u8).to_string(); + } + } + } + return Ok(version); + } else { + let msg = format!("file {:?} Failed to find magic header: {:?}", file, magic_header); + warn!("{}", msg); + return Err(anyhow!(msg)); + } + } else { + let msg = format!("file {:?} Failed to find section:.go.buildinfo", file); + warn!("{}", msg); + Err(anyhow!(msg)) + } +} \ No newline at end of file diff --git a/rasp/librasp/src/process.rs b/rasp/librasp/src/process.rs index d40d6c1d4..d1e7b4a9f 100644 --- a/rasp/librasp/src/process.rs +++ b/rasp/librasp/src/process.rs @@ -28,6 +28,7 @@ pub struct ProcessInfo { pub fgid: u32, pub ppid: i32, pub tgid: i32, + pub nspid: i32, pub environ: Option>, pub namespace_info: Option, @@ -117,6 +118,7 @@ impl ProcessInfo { self.sgid = status.sgid; self.fuid = status.fuid; self.fgid = status.fgid; + self.nspid = Self::read_nspid(process.pid).unwrap_or_default().unwrap(); Ok(()) } pub fn update_start_time(&mut self, process: &Process) -> AnyhowResult { @@ -222,9 +224,7 @@ impl ProcessInfo { } pub fn update_failed_reason(&mut self, reason: &String) -> AnyhowResult<()> { - if self.failed_reason.is_none() { - self.failed_reason = Some(reason.clone()); - } + self.failed_reason = Some(reason.clone()); Ok(()) } pub fn get_mnt_ns(&self) -> AnyhowResult { diff --git a/rasp/librasp/src/runtime.rs b/rasp/librasp/src/runtime.rs index 2cbc3ffd8..3d04f2822 100644 --- a/rasp/librasp/src/runtime.rs +++ b/rasp/librasp/src/runtime.rs @@ -8,7 +8,7 @@ use serde_json; use std::fs; use std::path::Path; use crate::cpython; -use crate::golang::golang_bin_inspect; +use crate::golang::{golang_bin_inspect, golang_version}; use crate::jvm::vm_version; use crate::nodejs::nodejs_version; use crate::php::{inspect_phpfpm, inspect_phpfpm_version, inspect_phpfpm_zts}; @@ -205,12 +205,21 @@ pub trait RuntimeInspect { path.push(p); } } - match golang_bin_inspect(path) { + match golang_bin_inspect(&path) { Ok(res) => { if res > 0 { + let version = match golang_version(&path) { + Ok(v) => { + v + } + Err(e) => { + warn!("read golang elf version failed: {}", e); + String::new() + } + }; return Ok(Some(Runtime { name: "Golang", - version: String::new(), + version: version, size: res, })); } diff --git a/rasp/plugin/src/monitor.rs b/rasp/plugin/src/monitor.rs index 111fc2e34..fbef000ce 100644 --- a/rasp/plugin/src/monitor.rs +++ b/rasp/plugin/src/monitor.rs @@ -251,8 +251,8 @@ fn internal_main( } for pid in pids.iter() { debug!("send pid: {}", pid); - if let Err(_) = pid_sender.send(*pid) { - error!("can not send pid to pid_sender channel, quiting"); + if let Err(e) = pid_sender.send(*pid) { + error!("can not send pid to pid_sender channel, quiting, err: {}", e); let _ = pid_recv_ctrl.stop(); break; }; @@ -506,6 +506,7 @@ fn internal_main( } else { String::new() }; + let _ = process.update_failed_reason(&String::new()); process.current_config_hash = probe_config_hash; (*opp).insert(process.pid, process); } diff --git a/rasp/plugin/src/operation.rs b/rasp/plugin/src/operation.rs index 5df91c981..bf223a54f 100644 --- a/rasp/plugin/src/operation.rs +++ b/rasp/plugin/src/operation.rs @@ -97,6 +97,7 @@ impl Operator { } Err(e) => { //if process.tracing_state != ProbeState::Attached { + self.rasp_manager.delete_config_file(process.pid, process.nspid)?; process.update_failed_time(); warn!( "pid: {} runtime: {}, attach failed", @@ -117,14 +118,8 @@ impl Operator { } pub fn handle_missing(&mut self, process: &mut ProcessInfo) -> AnyhowResult<()> { - if process - .tracing_state - .ok_or(anyhow!("empty state found during handle missing"))? - .to_string() - == "ATTACHED" - { - process.update_missing_time(); - } + // for count abnormal process + process.update_missing_time(); self.stop_comm(&process)?; return Ok(()); } @@ -135,6 +130,7 @@ impl Operator { .namespace_info.clone().ok_or(anyhow!("unable fetch namespace"))? .mnt.ok_or(anyhow!("unable fetch namespace"))?; // self.rasp_manager.write_message_to_config_file(pid, process_info.nspid, probe_message.clone()); + self.rasp_manager.delete_config_file(pid, process_info.nspid)?; self.rasp_manager.send_message_to_probe(pid, &mnt_namespace, probe_message) } diff --git a/rasp/plugin/src/utils.rs b/rasp/plugin/src/utils.rs index 9f637e7a5..f42b7191f 100644 --- a/rasp/plugin/src/utils.rs +++ b/rasp/plugin/src/utils.rs @@ -47,7 +47,7 @@ pub fn generate_heartbeat(watched_process: &ProcessInfo) -> HashMap<&'static str message.insert("try_attach_count", watched_process.try_attach_count.to_string()); message.insert("attached_count", watched_process.attached_count.to_string()); message.insert("probe_version", RASP_VERSION.to_string()); - message.insert("info", watched_process.failed_reason.clone().unwrap_or("".to_string())); + message.insert("reason", watched_process.failed_reason.clone().unwrap_or("".to_string())); message.insert("uptime", match count_uptime(watched_process.start_time.unwrap_or(0 as f32)) { Ok(t) => t.to_string(), Err(e) => {