vivarium 0.4.0 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6549be32807adc904ffe18fbefc055600cf14c85c68b106a3abfd7dce354e8b1
-  data.tar.gz: 1f9c961424d4712b2c43ad3df8d81ee679ea2190acaa8ea24e78a4f88b92f452
+  metadata.gz: 0a0f8b6dfc29af71d39ff5fe1ebceca9040cf62a2c6147dba5c2a074b392cdc1
+  data.tar.gz: c9f10129e5b42fd51653dcda0a02ed0e7be8b4c2ad7daef4f48a9fa5c03dcf41
 SHA512:
-  metadata.gz: ebe88587a6328a37703899da2f0c8275f9321d7ea34e1af9806dccfaf929a6ee45bce68378356aeb2171708936b74ebb33545ada8a7eace2774aa60783b31b24
-  data.tar.gz: f707b190642345628ddf613038942a87cd95585877b45a264e13ffb1c243da0b7576712d6b5e5eb65e336dab06ff95a01f329b383bdb0007aec879629c30d2eb
+  metadata.gz: 9530187d826e63976bd7e1c86872345f5cad281608b2ee06f0dbe20e6211455d8d050a18013822f6baecf4c0af18e9e01b58fec7fe13174d9631181df8660569
+  data.tar.gz: c3ee802cf168d5ca917c6d9de5cce25c9441ba46a35995bc5e5f78ce6c78055c1a4d8141bff7dd4e7763205d65c1a41344a789185dbea8fc65f4589ef8e90586

data/README.md

@@ -139,6 +139,30 @@ bundle exec ruby examples/privilege_event_demo.rb
 
 This demo attempts setuid/setgid changes, sensitive file access, and `sudo` exec to trigger privilege-related events such as `setid_change`, `capable_check`, and `bprm_creds`.
 
+8) Ruby internal ENV access demo client:
+
+```bash
+bundle exec ruby examples/env_access_ruby_demo.rb
+```
+
+This demo triggers Ruby-side ENV methods (`[]`, `fetch`, `key?`, `[]=`, `store`, `delete`, `clear`, `replace`) and is intended to produce SPAN events.
+
+9) External command ENV libc access demo client:
+
+```bash
+bundle exec ruby examples/env_access_external_demo.rb
+```
+
+This demo spawns an external process that directly calls libc `getenv`, `setenv`, `unsetenv`, `putenv`, and `clearenv`, intended to trigger `env_caccess` eBPF events.
+
+10) Box context demo:
+
+```bash
+bundle exec ruby examples/box_demo.rb
+```
+
+This demo shows how to use `Vivarium::Box` to isolate Ruby code evaluation and trace method calls within that isolated context.
+
 You can also start top-level observation without a block (it keeps observing until process exit):
 
 ```ruby

data/examples/box_demo.rb

@@ -0,0 +1,59 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "vivarium"
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#   2) Run this script: bundle exec ruby examples/box_demo.rb
+#
+# This demo demonstrates Vivarium::Box usage for automatically tracing
+# method calls within an isolated eval context.
+
+FILTER = {
+  include_events: %w[span_start span_stop]
+}.freeze
+
+# Create a box and define a class within it
+box = Vivarium::Box.new
+
+box.eval(<<~RUBY)
+  require "net/http"
+  class Calculator
+    def add(a, b)
+      a + b
+    end
+
+    def multiply(a, b)
+      a * b
+    end
+  end
+
+  class Greeter
+    def greet(name)
+      system "echo Hello \#{name}!"
+    end
+  end
+
+  system "ping -c 1 example.com"
+RUBY
+
+box.done_load!
+
+# Enable observation - all Box method calls will be automatically traced
+puts "[box-demo] calling box methods with automatic tracing"
+
+# Access classes defined in the box through const_missing
+calc = box::Calculator.new
+result1 = calc.add(10, 20)
+puts "[box-demo] calc.add(10, 20) = #{result1}"
+
+result2 = calc.multiply(3, 4)
+puts "[box-demo] calc.multiply(3, 4) = #{result2}"
+
+greeter = box::Greeter.new
+greeting = greeter.greet("World")
+puts "[box-demo] greeter.greet('World') = #{greeting}"
+
+puts "[box-demo] done"
+

data/examples/env_access_external_demo.rb

@@ -0,0 +1,52 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "rbconfig"
+require "vivarium"
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#   2) Run this script: bundle exec ruby examples/env_access_external_demo.rb
+#
+# This demo launches an external Ruby process and forces direct libc calls to
+# getenv/setenv/unsetenv/putenv/clearenv through Fiddle.
+# These should appear as eBPF events with event_name=env_caccess.
+
+FILTER = {
+  include_events: %w[env_caccess proc_fork proc_exec]
+}.freeze
+
+CHILD_CODE = <<~RUBY
+  require "fiddle"
+
+  libc = begin
+    Fiddle.dlopen("libc.so.6")
+  rescue Fiddle::DLError
+    Fiddle.dlopen(nil)
+  end
+
+  getenv = Fiddle::Function.new(libc["getenv"], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_VOIDP)
+  setenv = Fiddle::Function.new(libc["setenv"], [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT], Fiddle::TYPE_INT)
+  unsetenv = Fiddle::Function.new(libc["unsetenv"], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
+  putenv = Fiddle::Function.new(libc["putenv"], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)
+  clearenv = Fiddle::Function.new(libc["clearenv"], [], Fiddle::TYPE_INT)
+
+  key = "VIVARIUM_ENV_EXT_DEMO"
+  putenv_buf = "VIVARIUM_ENV_EXT_PUT=from_putenv"
+
+  getenv.call("HOME")
+  setenv.call(key, "from_setenv", 1)
+  getenv.call(key)
+  putenv.call(putenv_buf)
+  unsetenv.call(key)
+  clearenv.call
+RUBY
+
+Vivarium.observe(filter: FILTER) do
+  puts "[env-external-demo] spawning external child"
+  pid = Process.spawn(RbConfig.ruby, "-e", CHILD_CODE)
+  Process.wait(pid)
+  puts "[env-external-demo] child exit status=#{Process.last_status.exitstatus}"
+end
+
+puts "[env-external-demo] done"

data/examples/env_access_ruby_demo.rb

@@ -0,0 +1,52 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "vivarium"
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#   2) Run this script: bundle exec ruby examples/env_access_ruby_demo.rb
+#
+# This demo intentionally triggers Ruby-side ENV access methods so they are
+# observed through TracePoint -> SPAN (USDT) path.
+
+FILTER = {
+  include_events: %w[span_start span_stop env_caccess]
+}.freeze
+
+def safe_fetch(key)
+  ENV.fetch(key)
+rescue KeyError
+  nil
+end
+
+def demo_env_reads
+  ENV["HOME"]
+  safe_fetch("PATH")
+  ENV.key?("SHELL")
+end
+
+def demo_env_writes
+  ENV["VIVARIUM_ENV_DEMO_A"] = "1"
+  ENV.store("VIVARIUM_ENV_DEMO_B", "2")
+  ENV.delete("VIVARIUM_ENV_DEMO_A")
+  ENV.replace(ENV.to_h.merge("VIVARIUM_ENV_DEMO_C" => "3"))
+  ENV.delete("VIVARIUM_ENV_DEMO_B")
+  ENV.delete("VIVARIUM_ENV_DEMO_C")
+end
+
+Vivarium.observe(filter: FILTER) do
+  original_env = ENV.to_h
+
+  puts "[env-ruby-demo] read methods"
+  demo_env_reads
+
+  puts "[env-ruby-demo] write methods"
+  demo_env_writes
+
+  puts "[env-ruby-demo] clear"
+  ENV.clear
+  ENV.replace(original_env)
+end
+
+puts "[env-ruby-demo] done"

data/lib/vivarium/box.rb

@@ -0,0 +1,136 @@
+# frozen_string_literal: true
+
+require "set"
+
+module Vivarium
+  # Box provides an isolated execution context where method calls are automatically traced
+  # through Vivarium's observation system.
+  #
+  # Usage:
+  #   box = Vivarium::Box.new
+  #   box.eval('class MyClass; def foo; "result"; end; end')
+  #   result = box::MyClass.new.foo  # automatically traced if Vivarium.observe is active
+  #
+  class Box < Module
+    DEFAULT_FILTER = {
+      include_events: %w[
+        proc_fork proc_exec span_start span_stop
+        sock_connect dns_req odd_socket
+        ssl_write
+        dlopen mmap_exec
+        task_kill
+        setid_change capable_check bprm_creds
+      ]
+    }
+
+    def initialize(pin_dir: Vivarium.bpf_pin_dir, dest: $stdout, filter: DEFAULT_FILTER)
+      super()
+      @inner_box = Ruby::Box.new
+      @pin_dir = pin_dir
+      @dest = dest
+      @filter = filter
+      @session = nil
+
+      @tracing_level = [0]
+      # Set up TracePoint to automatically trace method calls within this box
+      @tracer = TracePoint.new(:call, :return) do |tp|
+        handle_trace_event(tp, @tracing_level, @inner_box)
+      end
+    end
+    attr_reader :inner_box, :tracer
+
+    # Evaluate code within the box context
+    def eval(code)
+      result = nil
+      Vivarium.observe(filter: @filter) do
+        result = @inner_box.eval(code)
+      end
+      result
+    end
+
+    # Require a file within the box context
+    # Automatically traced if Vivarium.observe is active
+    def require(path)
+      result = nil
+      Vivarium.observe(filter: @filter) do
+        result = @inner_box.require(path)
+      end
+      result
+    end
+
+    # Require a file relative to the current file within the box context
+    # Automatically traced if Vivarium.observe is active
+    def require_relative(path)
+      result = nil
+      Vivarium.observe(filter: @filter) do
+        result = @inner_box.require_relative(path)
+      end
+      result
+    end
+
+    # Load a file within the box context (executed every time, unlike require)
+    # Automatically traced if Vivarium.observe is active
+    def load(path, wrap = false)
+      result = nil
+      Vivarium.observe(filter: @filter) do
+        result = @inner_box.load(path, wrap)
+      end
+      result
+    end
+
+    # Intercept constant access to resolve from the box's evaluated context
+    def const_missing(name)
+      @inner_box.const_get(name)
+    rescue NameError => e
+      raise NameError, "#{name} not found in box: #{e.message}"
+    end
+
+    def done_load!
+      @tracer.enable
+    end
+
+    private
+
+    def handle_trace_event(tp, tracing_level, target_box)
+      begin
+        if should_trace_call?(tp, target_box)
+          case tp.event
+          when :call
+            if tracing_level[0].zero?
+              start_vivarium_observation
+            end
+            tracing_level[0] += 1
+            file_arg = Vivarium.tail_fit_string(tp.path, Vivarium::SPAN_FILE_ARG_MAX)
+            root = Ruby::Box.root
+            root::Vivarium::Usdt.start("#{tp.defined_class}", tp.method_id.to_s, file: file_arg, lineno: tp.lineno)
+          when :return
+            tracing_level[0] -= 1
+            file_arg = Vivarium.tail_fit_string(tp.path, Vivarium::SPAN_FILE_ARG_MAX)
+            root = Ruby::Box.root
+            root::Vivarium::Usdt.stop("#{tp.defined_class}", tp.method_id.to_s, file: file_arg, lineno: tp.lineno)
+            if tracing_level[0].zero?
+              stop_vivarium_observation
+            end
+          end
+        end
+      rescue StandardError
+        # Silently ignore tracing errors to avoid breaking user code
+      end
+    end
+
+    def should_trace_call?(tp, target_box)
+      tp.binding.eval("Ruby::Box.current") == target_box
+    end
+
+    def start_vivarium_observation
+      puts "[debug] Starting Vivarium observation for Box method calls"
+      @session = Vivarium.top_observe(pin_dir: @pin_dir, dest: @dest, filter: @filter)
+    end
+
+    def stop_vivarium_observation
+      puts "[debug] Stopping Vivarium observation for Box method calls"
+      @session&.stop
+      @session = nil
+    end
+  end
+end

data/lib/vivarium/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Vivarium
-  VERSION = "0.4.0"
+  VERSION = "0.4.2"
 end

data/lib/vivarium.rb

@@ -7,6 +7,12 @@ require "optparse"
 require "pathname"
 require "rbbcc"
 require "socket"
+if defined?(Ruby) && defined?(Ruby::Box) && Ruby::Box.enabled?
+  Ruby::Box.root.require "vivarium_usdt"
+else
+  require "vivarium_usdt"
+end
+
 require_relative "vivarium/version"
 require_relative "vivarium/cli"
 
@@ -95,7 +101,20 @@ module Vivarium
     "Kernel#eval",
     "Object#instance_eval",
     "Object#instance_exec",
+    "ENV#[]",
+    "ENV#fetch",
+    "ENV#key?",
+    "ENV#[]=",
+    "ENV#store",
+    "ENV#delete",
+    "ENV#clear",
+    "ENV#replace",
   ].freeze
+
+  ENV_PAYLOAD_OP_SIZE = 16
+  ENV_PAYLOAD_KEY_OFFSET = ENV_PAYLOAD_OP_SIZE
+  ENV_PAYLOAD_KEY_SIZE = EVENT_PAYLOAD_SIZE - ENV_PAYLOAD_KEY_OFFSET
+
   EVENT_SEVERITY_HIGH = %w[
     capable_check bprm_creds setid_change task_kill
     ptrace_check sb_mount kernel_read_file
@@ -407,6 +426,20 @@ module Vivarium
     { data_len: data_len, cap_len: cap_len, data: data }
   end
 
+  def self.decode_env_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < ENV_PAYLOAD_OP_SIZE
+
+    op = c_string(bytes[0, ENV_PAYLOAD_OP_SIZE])
+    key = c_string(bytes[ENV_PAYLOAD_KEY_OFFSET, ENV_PAYLOAD_KEY_SIZE])
+
+    return "" if op.empty?
+    return "op=#{op}" if key.empty?
+
+    key = key.split("=", 2).first if op == "putenv"
+    "op=#{op} key=#{key.inspect}"
+  end
+
   def self.decode_span_raise_payload(raw_payload)
     bytes = raw_payload.to_s.b
     return "" if bytes.bytesize < 8
@@ -494,6 +527,9 @@ module Vivarium
     when "ssl_write"
       decoded = decode_ssl_write_payload(event.payload)
       "data_len=#{decoded[:data_len]} cap_len=#{decoded[:cap_len]}"
+    when "env_caccess"
+      decoded = decode_env_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
     when "dlopen", "mmap_exec"
       strip_to_first_null(event.payload).inspect
     else
@@ -726,6 +762,26 @@ module Vivarium
         events.ringbuf_submit(ev, 0);
       }
 
+      static __always_inline void submit_env_event(u32 pid, const char *op, u32 op_len, const char *name_ptr)
+      {
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "env_caccess", 12);
+
+        if (op && op_len > 0) {
+          if (op_len > #{ENV_PAYLOAD_OP_SIZE} - 1) {
+            op_len = #{ENV_PAYLOAD_OP_SIZE} - 1;
+          }
+          __builtin_memcpy(&ev.payload[0], op, op_len);
+        }
+
+        if (name_ptr) {
+          bpf_probe_read_user_str(&ev.payload[#{ENV_PAYLOAD_KEY_OFFSET}], #{ENV_PAYLOAD_KEY_SIZE}, name_ptr);
+        }
+
+        submit_event(&ev);
+      }
+
       static __always_inline int is_dns_destination(void *addr)
       {
         u16 family = 0;
@@ -1519,6 +1575,80 @@ module Vivarium
         return 0;
       }
 
+      int on_getenv(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        const char *name = (const char *)PT_REGS_PARM1(ctx);
+
+        if (!target_enabled(pid, tid) || !name) {
+          return 0;
+        }
+
+        submit_env_event(pid, "getenv", 6, name);
+        return 0;
+      }
+
+      int on_setenv(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        const char *name = (const char *)PT_REGS_PARM1(ctx);
+
+        if (!target_enabled(pid, tid) || !name) {
+          return 0;
+        }
+
+        submit_env_event(pid, "setenv", 6, name);
+        return 0;
+      }
+
+      int on_unsetenv(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        const char *name = (const char *)PT_REGS_PARM1(ctx);
+
+        if (!target_enabled(pid, tid) || !name) {
+          return 0;
+        }
+
+        submit_env_event(pid, "unsetenv", 8, name);
+        return 0;
+      }
+
+      int on_putenv(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        const char *string = (const char *)PT_REGS_PARM1(ctx);
+
+        if (!target_enabled(pid, tid) || !string) {
+          return 0;
+        }
+
+        submit_env_event(pid, "putenv", 6, string);
+        return 0;
+      }
+
+      int on_clearenv(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        submit_env_event(pid, "clearenv", 8, 0);
+        return 0;
+      }
+
       int on_span_raise(struct pt_regs *ctx)
       {
         u64 pid_tgid = bpf_get_current_pid_tgid();
@@ -1551,11 +1681,12 @@ module Vivarium
     CLANG
 
     def initialize(pin_dir: Vivarium.bpf_pin_dir, ssl_trace: true, libssl_path: nil,
-                   dlopen_trace: true, libc_path: nil)
+                   dlopen_trace: true, env_trace: true, libc_path: nil)
       @pin_dir      = pin_dir
       @ssl_trace    = ssl_trace
       @libssl_path  = libssl_path
       @dlopen_trace = dlopen_trace
+      @env_trace    = env_trace
       @libc_path    = libc_path
     end
 
@@ -1569,7 +1700,6 @@ module Vivarium
         .gsub("__VIVARIUM_F_PATH_OFFSET__", f_path_offset.to_s)
         .gsub("__VIVARIUM_DENTRY_D_NAME_OFFSET__", d_name_offset.to_s)
 
-      require "vivarium_usdt"
       usdt_so_path = ENV.fetch("VIVARIUM_USDT_SO_PATH") { Vivarium.locate_vivarium_usdt_so }
       usdt = RbBCC::USDT.new(path: usdt_so_path)
       usdt.enable_probe(probe: "start_probe", fn_name: "on_span_start")
@@ -1580,6 +1710,7 @@ module Vivarium
 
       attach_ssl_write_uprobe(bpf) if @ssl_trace
       attach_dlopen_uprobe(bpf) if @dlopen_trace
+      attach_env_uprobes(bpf) if @env_trace
 
       config_root_targets = bpf["config_root_targets"]
       config_spawned_targets = bpf["config_spawned_targets"]
@@ -1652,6 +1783,30 @@ module Vivarium
       warn "[vivariumd] dlopen uprobe attach failed: #{e.class}: #{e.message}"
     end
 
+    def attach_env_uprobes(bpf)
+      path = resolve_libc_path
+      unless path
+        warn "[vivariumd] libc not found; ENV uprobes disabled " \
+             "(set --libc PATH or VIVARIUM_LIBC_PATH to override)"
+        return
+      end
+
+      {
+        "getenv" => "on_getenv",
+        "setenv" => "on_setenv",
+        "unsetenv" => "on_unsetenv",
+        "putenv" => "on_putenv",
+        "clearenv" => "on_clearenv"
+      }.each do |sym, fn_name|
+        begin
+          bpf.attach_uprobe(name: path, sym: sym, fn_name: fn_name)
+          puts "[vivariumd] #{sym} uprobe attached via #{path}"
+        rescue StandardError => e
+          warn "[vivariumd] #{sym} uprobe attach failed: #{e.class}: #{e.message}"
+        end
+      end
+    end
+
     def resolve_libc_path
       if @libc_path
         return @libc_path if File.exist?(@libc_path)
@@ -1819,8 +1974,6 @@ module Vivarium
   end
 
   def self.top_observe(pin_dir: bpf_pin_dir, dest: $stdout, filter: nil)
-    require "vivarium_usdt"
-
     store = MapStore.new(pin_dir: pin_dir)
     pid = Process.pid
     store.register_pid(pid)
@@ -1847,8 +2000,6 @@ module Vivarium
   end
 
   def self.scoped_observe(pin_dir:, dest:, filter: nil)
-    require "vivarium_usdt"
-
     store = MapStore.new(pin_dir: pin_dir)
     pid = Process.pid
     store.register_pid(pid)
@@ -1892,18 +2043,23 @@ module Vivarium
         next
       end
 
-      signature = "#{tp.defined_class}##{tp.method_id}"
+      signature = if tp.self.equal?(ENV)
+        "ENV##{tp.method_id}"
+      else
+        "#{tp.defined_class}##{tp.method_id}"
+      end
       is_target = allowlist.include?(signature) || \
         allow_classes.any? { |klass| tp.defined_class == klass } || \
         allow_classes.any? { |klass| tp.defined_class == klass.singleton_class }
       next unless is_target
 
       file_arg = tail_fit_string(tp.path, SPAN_FILE_ARG_MAX)
+      span_class_name = tp.self.equal?(ENV) ? "ENV" : tp.defined_class.to_s
       case tp.event
       when :call, :c_call
-        Vivarium::Usdt.start(tp.defined_class.to_s, tp.method_id.to_s, file: file_arg, lineno: tp.lineno)
+        Vivarium::Usdt.start(span_class_name, tp.method_id.to_s, file: file_arg, lineno: tp.lineno)
       when :return, :c_return
-        Vivarium::Usdt.stop(tp.defined_class.to_s, tp.method_id.to_s, file: file_arg, lineno: tp.lineno)
+        Vivarium::Usdt.stop(span_class_name, tp.method_id.to_s, file: file_arg, lineno: tp.lineno)
       end
     end
   end
@@ -1924,7 +2080,6 @@ module Vivarium
   end
 
   def self.locate_vivarium_usdt_so
-    require "vivarium_usdt/vivarium_usdt"
     so = $LOADED_FEATURES.find { |p| p =~ %r{vivarium_usdt/vivarium_usdt\.(so|bundle|dylib)\z} }
     raise Error, "vivarium_usdt native extension not found in $LOADED_FEATURES" unless so
 
@@ -1935,10 +2090,11 @@ module Vivarium
 
   def self.run_daemon!(argv = ARGV)
     options = { pin_dir: bpf_pin_dir, ssl_trace: true, libssl_path: nil,
+                env_trace: true,
                 dlopen_trace: true, libc_path: nil }
     OptionParser.new do |opts|
       opts.banner = "Usage: vivariumd [--pin-dir PATH] [--no-ssl-trace] [--libssl PATH] " \
-                    "[--no-dlopen-trace] [--libc PATH]"
+                    "[--no-dlopen-trace] [--no-env-trace] [--libc PATH]"
       opts.on("--pin-dir PATH", "Pinned map directory") { |v| options[:pin_dir] = v }
       opts.on("--[no-]ssl-trace", "Attach OpenSSL SSL_write uprobe (default: enabled)") do |v|
         options[:ssl_trace] = v
@@ -1949,6 +2105,9 @@ module Vivarium
       opts.on("--[no-]dlopen-trace", "Attach libc dlopen uprobe (default: enabled)") do |v|
         options[:dlopen_trace] = v
       end
+      opts.on("--[no-]env-trace", "Attach libc getenv/setenv uprobes (default: enabled)") do |v|
+        options[:env_trace] = v
+      end
       opts.on("--libc PATH", "Path to libc.so for dlopen uprobe") do |v|
         options[:libc_path] = v
       end
@@ -1959,6 +2118,7 @@ module Vivarium
       ssl_trace: options[:ssl_trace],
       libssl_path: options[:libssl_path],
       dlopen_trace: options[:dlopen_trace],
+      env_trace: options[:env_trace],
       libc_path: options[:libc_path]
     ).run
   end
@@ -1967,3 +2127,6 @@ end
 require_relative "vivarium/correlator"
 require_relative "vivarium/display_filter"
 require_relative "vivarium/tree_renderer"
+if defined?(Ruby) && defined?(Ruby::Box) && Ruby::Box.enabled?
+  require_relative "vivarium/box"
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vivarium
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.2
 platform: ruby
 authors:
 - Uchio Kondo
@@ -64,8 +64,11 @@ files:
 - CONTEXT.md
 - README.md
 - Rakefile
+- examples/box_demo.rb
 - examples/dlopen_demo.rb
 - examples/drop_demo.rb
+- examples/env_access_external_demo.rb
+- examples/env_access_ruby_demo.rb
 - examples/execve_demo.rb
 - examples/file_operation_demo.rb
 - examples/network_client_demo.rb
@@ -78,6 +81,7 @@ files:
 - exe/vivariumd
 - image.png
 - lib/vivarium.rb
+- lib/vivarium/box.rb
 - lib/vivarium/cli.rb
 - lib/vivarium/correlator.rb
 - lib/vivarium/display_filter.rb