vivarium 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2fb7901d1f200e910b88b75fd8ba54cbaa2d6cf2152c31e35b6f790e8b9150e5
-  data.tar.gz: 045c6ef47acb148605a7dd7cbbda5526d82d3548191135baedecaa5d09840f25
+  metadata.gz: 973df86f00b8e2ca9d5e963958562e2f58822e13c0e4d33af53e85a8d38f12be
+  data.tar.gz: a5651655ef69c10e6b6eab89baf9f98e5d99a158a8e89a6fc940fe2d844ab636
 SHA512:
-  metadata.gz: 9042d44b860bde781d512e36367bfc178a74dd57c6ae6be49c5cea73ec4fbd8b621382ace5d0e1b18188e36bae41d3f5e7e273fd8e019c1ec88820f95653b255
-  data.tar.gz: 9c22285362cea0fe871af6c1f67a66eeb85556a52c5f6aabe93da2b20daa51cbf6528df9021ead0fbb2acdcb152bbee60a1a873c9d7a9b75b1edc8ea244c6016
+  metadata.gz: 3606b1f6df38a813e2b0cdf48aef48312be1a7c0bd3f20f88ca8a4c527c724733184c1c0d52f39fc9242282ab6d41ca18f6bcc977f4cafad0c5d4faa17a27d78
+  data.tar.gz: 4171eefdd7052d8634cd5a49267c8fe4f925e87f5b18691cb0721dd3f014efac68475196762e9ecc800627bcc529d9077e088b7d0366d91a6252867d3a0fc5f1

data/README.md

@@ -18,9 +18,20 @@ The goal is to visualize which Ruby method context triggered low-level events.
 Implemented in this repository:
 
 - BPF LSM hook on `file_open`
+- BPF LSM hooks on `inode_symlink`, `inode_link`, `inode_rename`, `path_chmod`
+- BPF tracepoint on `sys_enter_getdents64`
+- BPF tracepoint on `sys_enter_execve` (captures executable path and first few argv entries as `proc_exec`)
+- BPF LSM hooks for suspicious behavior checks:
+	- `ptrace_access_check` (emits `ptrace_check`)
+	- `sb_mount` (emits `sb_mount`)
+	- `kernel_read_file` (emits `kernel_read_file`)
+	- `task_kill` (emits `task_kill`)
+	- `task_fix_setuid` (emits `setid_change`)
+	- `capable` for high-risk capabilities only (emits `capable_check`)
+	- `bprm_creds_from_file` (emits `bprm_creds`)
 - BPF LSM hook on `socket_create` (flags unusual socket creation as `odd_socket`)
 - BPF LSM hook on `socket_connect` (captures destination family/address/port as `sock_connect`)
-- BPF kprobe on `ip_local_out` (captures UDP/53 DNS QNAME raw bytes as `dns_req`)
+- BPF tracepoints on `sys_enter_sendmsg`, `sys_enter_sendto`, `sys_enter_sendmmsg` (capture UDP/53 DNS QNAME raw bytes as `dns_req`)
 - Shared pinned maps on bpffs
 	- `config_root_targets` (root PID -> 0/1)
 	- `config_spawned_targets` (spawned TID -> 0/1)
@@ -38,6 +49,7 @@ Implemented in this repository:
 
 ```c
 struct event_t {
+	u64 ktime_ns;
 	u32 pid;
 	char event_name[16];
 	char payload[256];
@@ -48,7 +60,7 @@ struct event_t {
 
 - Linux kernel/environment supporting BPF LSM
 - `libbcc` installed
-- `bpftool` installed (used to resolve `struct file::f_path` offset from BTF)
+- `bpftool` installed (used to resolve `struct file::f_path` and `struct dentry::d_name` offsets from BTF)
 - root privileges for `vivariumd`
 - bpffs mounted (typically `/sys/fs/bpf`)
 
@@ -92,6 +104,38 @@ bundle exec ruby examples/network_client_demo.rb
 
 This demo intentionally triggers `sock_connect`, `dns_req`, and `odd_socket` events.
 
+4) File operation demo client (only touches `/tmp`):
+
+```bash
+bundle exec ruby examples/file_operation_demo.rb
+```
+
+This demo intentionally triggers `path_open`, `file_symlink`, `file_hardlink`, `file_rename`, `file_chmod`, and `file_getdents` events under `/tmp`.
+
+5) Execve demo client:
+
+```bash
+bundle exec ruby examples/execve_demo.rb
+```
+
+This demo intentionally triggers `proc_exec` with several argument patterns using direct `execve`-style process launches.
+
+6) Signal demo client:
+
+```bash
+bundle exec ruby examples/signal_kill_demo.rb
+```
+
+This demo forks a child process and sends `TERM` with `Process.kill`, which is useful for triggering `task_kill`.
+
+7) Privilege-related event demo client:
+
+```bash
+bundle exec ruby examples/privilege_event_demo.rb
+```
+
+This demo attempts setuid/setgid changes, sensitive file access, and `sudo` exec to trigger privilege-related events such as `setid_change`, `capable_check`, and `bprm_creds`.
+
 You can also start top-level observation without a block (it keeps observing until process exit):
 
 ```ruby
@@ -135,11 +179,16 @@ bundle exec vivariumd --pin-dir /sys/fs/bpf/vivarium
 ## Notes
 
 - Thread/Ractor-awareness is not yet implemented.
-- `event_invoked` uses fixed 64 slots and wraps around when full.
-- Payload is truncated to 64 bytes in kernel space.
+- `event_invoked` uses fixed 1024 slots and wraps around when full.
+- `payload` is 256 bytes in `event_t`; some event types intentionally use smaller structured slices inside that buffer.
+- `proc_exec` currently stores the executable path plus up to 3 argv entries in 4 fixed 64-byte slots to keep the BPF verifier happy.
+- Each event is tagged with severity metadata: `high` for `setid_change`, `capable_check`, `bprm_creds`, `task_kill`, `ptrace_check`, `sb_mount`, and `kernel_read_file`; others are `medium` by default.
+- In `human` format output, `high` severity events are rendered in red.
+- `capable_check` is intentionally filtered to high-risk capabilities to reduce noise from extremely frequent `capable` hook calls.
 - Current output format is textual and intended for iteration.
 - `vivariumd` resolves `struct file::f_path` offset from `/sys/kernel/btf/vmlinux` at startup.
-- You can override offset manually with `VIVARIUM_FILE_F_PATH_OFFSET` if auto-detection fails.
+- `vivariumd` also resolves `struct dentry::d_name` offset from `/sys/kernel/btf/vmlinux` at startup.
+- You can override offsets manually with `VIVARIUM_FILE_F_PATH_OFFSET` and `VIVARIUM_DENTRY_D_NAME_OFFSET` if auto-detection fails.
 - `vivariumd` also prints `bpf_trace_printk` lines (`vivarium: pid=... path=...`) to its own logs.
 
 ## Contributing

data/examples/execve_demo.rb

@@ -0,0 +1,49 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "tmpdir"
+require "vivarium"
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#   2) Run this script: bundle exec ruby examples/execve_demo.rb
+
+TMP_PREFIX = "vivarium-exec-demo"
+
+def try_step(title)
+  puts "[exec-demo] #{title}"
+  yield
+rescue StandardError => e
+  puts "[exec-demo] #{title} failed: #{e.class}: #{e.message}"
+end
+
+Dir.mktmpdir(TMP_PREFIX, "/tmp") do |dir|
+  output_path = File.join(dir, "execve-demo.out")
+
+  Vivarium.observe do
+    try_step("system echo with multiple args") do
+      system("/bin/echo", "hello", "from", "vivarium", out: File::NULL)
+    end
+
+    try_step("spawn env with explicit argv") do
+      pid = Process.spawn(
+        "/usr/bin/env",
+        "env",
+        "printf",
+        "execve-demo\n",
+        out: output_path,
+        err: File::NULL
+      )
+      Process.wait(pid)
+    end
+
+    try_step("spawn sleep with flag") do
+      pid = Process.spawn("/bin/sleep", "0")
+      Process.wait(pid)
+    end
+  end
+
+  puts "[exec-demo] output file: #{output_path}" if File.exist?(output_path)
+end
+
+puts "[exec-demo] done"

data/examples/file_operation_demo.rb

@@ -0,0 +1,68 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "fileutils"
+require "tmpdir"
+require "vivarium"
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#   2) Run this script: bundle exec ruby examples/file_operation_demo.rb
+
+TMP_PREFIX = "vivarium-file-demo"
+
+def try_step(title)
+  puts "[file-demo] #{title}"
+  yield
+rescue StandardError => e
+  puts "[file-demo] #{title} failed: #{e.class}: #{e.message}"
+end
+
+Dir.mktmpdir(TMP_PREFIX, "/tmp") do |dir|
+  source_path = File.join(dir, "source.txt")
+  renamed_path = File.join(dir, "renamed.txt")
+  hardlink_path = File.join(dir, "hardlink.txt")
+  symlink_path = File.join(dir, "symlink.txt")
+
+  Vivarium.observe do
+    try_step("create source file") do
+      File.write(source_path, "vivarium sample\n")
+      File.read(source_path)
+    end
+
+    try_step("directory listing") do
+      Dir.children(dir)
+    end
+
+    try_step("rename file") do
+      File.rename(source_path, renamed_path)
+      File.read(renamed_path)
+    end
+
+    try_step("create hardlink") do
+      File.link(renamed_path, hardlink_path)
+      File.read(hardlink_path)
+    end
+
+    try_step("create symlink") do
+      File.symlink(renamed_path, symlink_path)
+      File.read(symlink_path)
+    end
+
+    try_step("chmod file") do
+      File.chmod(0o640, renamed_path)
+      File.stat(renamed_path)
+    end
+
+    try_step("list directory again") do
+      Dir.children(dir)
+    end
+  end
+
+  FileUtils.rm_f(symlink_path)
+  FileUtils.rm_f(hardlink_path)
+  FileUtils.rm_f(renamed_path)
+  FileUtils.rm_f(source_path)
+end
+
+puts "[file-demo] done"

data/examples/privilege_event_demo.rb

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "vivarium"
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#   2) Run this script: bundle exec ruby examples/privilege_event_demo.rb
+
+def try_step(title)
+  puts "[priv-demo] #{title}"
+  yield
+rescue StandardError => e
+  puts "[priv-demo] #{title} failed: #{e.class}: #{e.message}"
+end
+
+Vivarium.observe do
+  try_step("attempt setuid(0)") do
+    Process::UID.change_privilege(0)
+  end
+
+  try_step("attempt setgid(0)") do
+    Process::GID.change_privilege(0)
+  end
+
+  try_step("attempt opening /etc/shadow") do
+    File.read("/etc/shadow")
+  end
+
+  try_step("exec setuid-related binary") do
+    pid = Process.spawn("/usr/bin/sudo", "-n", "true", out: File::NULL, err: File::NULL)
+    Process.wait(pid)
+  rescue Errno::ENOENT
+    puts "[priv-demo] sudo not found; skipped"
+  end
+end
+
+puts "[priv-demo] done"

data/examples/signal_kill_demo.rb

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "vivarium"
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#   2) Run this script: bundle exec ruby examples/signal_kill_demo.rb
+
+def try_step(title)
+  puts "[signal-demo] #{title}"
+  yield
+rescue StandardError => e
+  puts "[signal-demo] #{title} failed: #{e.class}: #{e.message}"
+end
+
+child_pid = nil
+
+Vivarium.observe do
+  try_step("fork child process") do
+    child_pid = fork do
+      trap("TERM") { exit!(0) }
+      loop { sleep 1 }
+    end
+    puts "[signal-demo] child pid=#{child_pid}"
+  end
+
+  try_step("send TERM signal to child") do
+    sleep 0.1
+    Process.kill("TERM", child_pid)
+  end
+
+  try_step("wait child process") do
+    Process.wait(child_pid)
+  end
+end
+
+puts "[signal-demo] done"

data/lib/vivarium/logger.rb

@@ -5,6 +5,8 @@ require "json"
 module Vivarium
   class Logger
     FORMATS = %i[human json].freeze
+    ANSI_RED = "\e[31m"
+    ANSI_RESET = "\e[0m"
 
     # dest: IO object or file path string
     # format: :human or :json
@@ -45,7 +47,9 @@ module Vivarium
       @io.puts "[vivarium] #{events.size} event(s) at #{tp.defined_class}##{tp.method_id} (#{tp.event})"
       @io.puts "  location: #{tp.path}:#{tp.lineno}"
       events.each do |event|
-        @io.puts "  ktime_ns=#{event.ktime_ns} pid=#{event.pid} #{event.event_name} payload=#{Vivarium.render_event_payload(event)}"
+        severity = event.respond_to?(:severity) ? event.severity : Vivarium.event_severity(event.event_name)
+        line = "  ktime_ns=#{event.ktime_ns} pid=#{event.pid} severity=#{severity} #{event.event_name} payload=#{Vivarium.render_event_payload(event)}"
+        @io.puts(severity == "high" ? "#{ANSI_RED}#{line}#{ANSI_RESET}" : line)
       end
       @io.puts "  stack:"
       stack.each do |loc|
@@ -59,7 +63,15 @@ module Vivarium
         event:  tp.event.to_s,
         path:   tp.path,
         lineno: tp.lineno,
-        events: events.map { |e| { ktime_ns: e.ktime_ns, pid: e.pid, event_name: e.event_name, payload: Vivarium.render_event_payload(e) } },
+        events: events.map do |e|
+          {
+            ktime_ns: e.ktime_ns,
+            pid: e.pid,
+            severity: (e.respond_to?(:severity) ? e.severity : Vivarium.event_severity(e.event_name)),
+            event_name: e.event_name,
+            payload: Vivarium.render_event_payload(e)
+          }
+        end,
         stack:  stack.map { |loc| "#{loc.path}:#{loc.lineno}:in #{loc.base_label}" }
       }
       @io.puts JSON.generate(entry)

data/lib/vivarium/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Vivarium
-  VERSION = "0.1.2"
+  VERSION = "0.2.0"
 end

data/lib/vivarium.rb

@@ -22,12 +22,56 @@ module Vivarium
   EVENT_NAME_SIZE = 16
   EVENT_PAYLOAD_SIZE = 256
   EVENT_TS_SIZE = 8
+  PROC_EXEC_SLOT_SIZE = 64
+  PROC_EXEC_SLOT_COUNT = 4
   EVENT_STRUCT_SIZE = 288
   EVENT_TS_OFFSET = 0
   EVENT_PID_OFFSET = 8
   EVENT_NAME_OFFSET = 12
   EVENT_PAYLOAD_OFFSET = 28
   EVENT_CAPACITY = 1024
+  EVENT_SEVERITY_HIGH = %w[
+    capable_check bprm_creds setid_change task_kill
+    ptrace_check sb_mount kernel_read_file
+  ].freeze
+
+  CAPABILITY_NAMES = {
+    0 => "CAP_CHOWN",
+    1 => "CAP_DAC_OVERRIDE",
+    2 => "CAP_DAC_READ_SEARCH",
+    3 => "CAP_FOWNER",
+    4 => "CAP_FSETID",
+    5 => "CAP_KILL",
+    6 => "CAP_SETGID",
+    7 => "CAP_SETUID",
+    8 => "CAP_SETPCAP",
+    9 => "CAP_LINUX_IMMUTABLE",
+    10 => "CAP_NET_BIND_SERVICE",
+    12 => "CAP_NET_ADMIN",
+    13 => "CAP_NET_RAW",
+    16 => "CAP_SYS_MODULE",
+    17 => "CAP_SYS_RAWIO",
+    18 => "CAP_SYS_CHROOT",
+    19 => "CAP_SYS_PTRACE",
+    21 => "CAP_SYS_ADMIN",
+    22 => "CAP_SYS_BOOT",
+    23 => "CAP_SYS_NICE",
+    24 => "CAP_SYS_RESOURCE",
+    25 => "CAP_SYS_TIME",
+    27 => "CAP_MKNOD",
+    29 => "CAP_AUDIT_WRITE",
+    37 => "CAP_AUDIT_READ",
+    38 => "CAP_PERFMON",
+    39 => "CAP_BPF",
+    40 => "CAP_CHECKPOINT_RESTORE"
+  }.freeze
+
+  SETID_FLAG_NAMES = {
+    0x01 => "LSM_SETID_ID",
+    0x02 => "LSM_SETID_RE",
+    0x04 => "LSM_SETID_RES",
+    0x08 => "LSM_SETID_FS"
+  }.freeze
 
   @bpf_pin_dir = PIN_DIR
 
@@ -44,6 +88,10 @@ module Vivarium
       ktime_ns.to_i.zero? && pid.to_i.zero? && event_name.to_s.empty? && payload.to_s.empty?
     end
 
+    def severity
+      Vivarium.event_severity(event_name)
+    end
+
     def self.from_binary(raw)
       bytes = raw.to_s.b
       bytes = bytes.ljust(EVENT_STRUCT_SIZE, "\x00")
@@ -52,7 +100,13 @@ module Vivarium
       pid = bytes[EVENT_PID_OFFSET, 4].unpack1("L<")
       event_name = c_string(bytes[EVENT_NAME_OFFSET, EVENT_NAME_SIZE])
       raw_payload = bytes[EVENT_PAYLOAD_OFFSET, EVENT_PAYLOAD_SIZE]
-      payload = if %w[dns_req sock_connect odd_socket].include?(event_name)
+      raw_payload_events = %w[
+        dns_req sock_connect odd_socket proc_exec
+        file_symlink file_hardlink file_rename file_chmod file_getdents
+        ptrace_check sb_mount kernel_read_file task_kill
+        setid_change capable_check bprm_creds
+      ]
+      payload = if raw_payload_events.include?(event_name)
                   raw_payload
                 else
                   c_string(raw_payload)
@@ -70,6 +124,14 @@ module Vivarium
     end
   end
 
+  def self.c_string(bytes)
+    Event.c_string(bytes)
+  end
+
+  def self.event_severity(event_name)
+    EVENT_SEVERITY_HIGH.include?(event_name.to_s) ? "high" : "medium"
+  end
+
   def self.decode_dns_qname(raw_payload)
     bytes = raw_payload.to_s.b.bytes
     labels = []
@@ -143,6 +205,131 @@ module Vivarium
     decode_odd_socket_payload(raw_payload)
   end
 
+  def self.decode_file_symlink_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    target = c_string(bytes[0, 128])
+    link_name = c_string(bytes[128, 128])
+    "target=#{target.inspect} link_name=#{link_name.inspect}"
+  end
+
+  def self.decode_file_hardlink_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    old_path = c_string(bytes[0, 128])
+    new_name = c_string(bytes[128, 128])
+    "old_path=#{old_path.inspect} new_name=#{new_name.inspect}"
+  end
+
+  def self.decode_file_rename_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    old_name = c_string(bytes[0, 128])
+    new_name = c_string(bytes[128, 128])
+    "old_name=#{old_name.inspect} new_name=#{new_name.inspect}"
+  end
+
+  def self.decode_file_chmod_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 2
+
+    mode = bytes[0, 2].unpack1("S<")
+    path = c_string(bytes[2, 254])
+    "mode=#{format('0o%o', mode)} path=#{path.inspect}"
+  end
+
+  def self.decode_file_getdents_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 8
+
+    fd = bytes[0, 4].unpack1("L<")
+    count = bytes[4, 4].unpack1("L<")
+    "fd=#{fd} count=#{count}"
+  end
+
+  def self.decode_proc_exec_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    slots = PROC_EXEC_SLOT_COUNT.times.map do |index|
+      offset = index * PROC_EXEC_SLOT_SIZE
+      c_string(bytes[offset, PROC_EXEC_SLOT_SIZE])
+    end
+    slots.reject!(&:empty?)
+    return "" if slots.empty?
+
+    filename = slots.shift
+    argv = slots
+    "filename=#{filename.inspect} argv=[#{argv.map(&:inspect).join(', ')}]"
+  end
+
+  def self.decode_ptrace_check_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 4
+
+    mode = bytes[0, 4].unpack1("L<")
+    "mode=0x#{mode.to_s(16)}"
+  end
+
+  def self.decode_sb_mount_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 248
+
+    flags = bytes[0, 8].unpack1("Q<")
+    dev_name = c_string(bytes[8, 120])
+    fs_type = c_string(bytes[128, 120])
+    "flags=0x#{flags.to_s(16)} dev_name=#{dev_name.inspect} fs_type=#{fs_type.inspect}"
+  end
+
+  def self.decode_kernel_read_file_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 8
+
+    id = bytes[0, 4].unpack1("L<")
+    contents = bytes[4, 4].unpack1("L<")
+    "id=#{id} contents=#{contents}"
+  end
+
+  def self.decode_task_kill_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 4
+
+    sig = bytes[0, 4].unpack1("l<")
+    signame = begin
+      Signal.signame(sig)
+    rescue ArgumentError
+      nil
+    end
+
+    signame ? "sig=#{sig} signame=#{signame}" : "sig=#{sig}"
+  end
+
+  def self.decode_setid_change_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 4
+
+    flags = bytes[0, 4].unpack1("L<")
+    names = SETID_FLAG_NAMES.each_with_object([]) do |(bit, name), acc|
+      acc << name if (flags & bit) != 0
+    end
+    names << "UNKNOWN" if names.empty?
+    "flags=0x#{flags.to_s(16)} kinds=[#{names.join(', ')}]"
+  end
+
+  def self.decode_capable_check_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 8
+
+    cap = bytes[0, 4].unpack1("L<")
+    opts = bytes[4, 4].unpack1("L<")
+    cap_name = CAPABILITY_NAMES.fetch(cap, "UNKNOWN")
+    "cap=#{cap}(#{cap_name}) opts=0x#{opts.to_s(16)}"
+  end
+
+  def self.decode_bprm_creds_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 2
+
+    has_file = bytes.getbyte(0).to_i
+    path = c_string(bytes[1, EVENT_PAYLOAD_SIZE - 1])
+    "has_file=#{has_file} file=#{path.inspect}"
+  end
+
   def self.render_event_payload(event)
     case event.event_name
     when "dns_req"
@@ -154,6 +341,45 @@ module Vivarium
     when "odd_socket"
       decoded = decode_odd_socket_payload(event.payload)
       decoded.empty? ? event.payload.inspect : decoded
+    when "proc_exec"
+      decoded = decode_proc_exec_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "ptrace_check"
+      decoded = decode_ptrace_check_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "sb_mount"
+      decoded = decode_sb_mount_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "kernel_read_file"
+      decoded = decode_kernel_read_file_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "task_kill"
+      decoded = decode_task_kill_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "setid_change"
+      decoded = decode_setid_change_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "capable_check"
+      decoded = decode_capable_check_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "bprm_creds"
+      decoded = decode_bprm_creds_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_symlink"
+      decoded = decode_file_symlink_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_hardlink"
+      decoded = decode_file_hardlink_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_rename"
+      decoded = decode_file_rename_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_chmod"
+      decoded = decode_file_chmod_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_getdents"
+      decoded = decode_file_getdents_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
     else
       event.payload.inspect
     end
@@ -249,6 +475,11 @@ module Vivarium
       struct net;
       struct sock;
       struct sk_buff;
+      struct task_struct;
+      struct kernel_siginfo;
+      struct cred;
+      struct user_namespace;
+      struct linux_binprm;
 
       struct path {
         void *mnt;
@@ -259,6 +490,24 @@ module Vivarium
         struct path f_path;
       };
 
+      struct qstr {
+        union {
+          struct {
+            u64 hash_len;
+          };
+          struct {
+            u32 hash;
+            u32 len;
+          };
+        };
+        const unsigned char *name;
+      };
+
+      struct dentry_base {
+        char __pad[__VIVARIUM_DENTRY_D_NAME_OFFSET__];
+        struct qstr d_name;
+      };
+
       struct sockaddr_t {
         u16 sa_family;
         unsigned char sa_data[14];
@@ -341,6 +590,29 @@ module Vivarium
         return 0;
       }
 
+      static __always_inline int monitored_capability(int cap)
+      {
+        switch (cap) {
+          case 1:  /* CAP_DAC_OVERRIDE */
+          case 2:  /* CAP_DAC_READ_SEARCH */
+          case 6:  /* CAP_SETGID */
+          case 7:  /* CAP_SETUID */
+          case 12: /* CAP_NET_ADMIN */
+          case 16: /* CAP_SYS_MODULE */
+          case 17: /* CAP_SYS_RAWIO */
+          case 19: /* CAP_SYS_PTRACE */
+          case 21: /* CAP_SYS_ADMIN */
+          case 22: /* CAP_SYS_BOOT */
+          case 25: /* CAP_SYS_TIME */
+          case 38: /* CAP_PERFMON */
+          case 39: /* CAP_BPF */
+          case 40: /* CAP_CHECKPOINT_RESTORE */
+            return 1;
+          default:
+            return 0;
+        }
+      }
+
       static __always_inline void submit_event(struct event_t *ev)
       {
         u32 zero = 0;
@@ -396,6 +668,29 @@ module Vivarium
         submit_event(&ev);
       }
 
+      static __always_inline int read_dentry_name(struct dentry *dentry, char *buffer, size_t max)
+      {
+        struct dentry_base d = {};
+        struct qstr qname = {};
+
+        if (!dentry || !buffer) {
+          return -1;
+        }
+
+        bpf_probe_read_kernel(&d, sizeof(d), (void *)dentry);
+        if (!d.d_name.name) {
+          return -1;
+        }
+
+        unsigned int len = d.d_name.len;
+        if (len > max) {
+          len = max;
+        }
+
+        bpf_probe_read_kernel_str(buffer, len + 1, (void *)d.d_name.name);
+        return len;
+      }
+
       TRACEPOINT_PROBE(sched, sched_process_fork)
       {
         u32 parent = args->parent_pid;
@@ -630,6 +925,343 @@ module Vivarium
 
         return 0;
       }
+
+      TRACEPOINT_PROBE(syscalls, sys_enter_execve)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        const char *argv0 = 0;
+        const char *argv1 = 0;
+        const char *argv2 = 0;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if (!args->filename) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "proc_exec", 10);
+        bpf_probe_read_user_str(&ev.payload[0], #{PROC_EXEC_SLOT_SIZE}, args->filename);
+
+        if (args->argv) {
+          bpf_probe_read_user(&argv0, sizeof(argv0), &args->argv[0]);
+          bpf_probe_read_user(&argv1, sizeof(argv1), &args->argv[1]);
+          bpf_probe_read_user(&argv2, sizeof(argv2), &args->argv[2]);
+
+          if (argv0) {
+            bpf_probe_read_user_str(&ev.payload[#{PROC_EXEC_SLOT_SIZE}], #{PROC_EXEC_SLOT_SIZE}, argv0);
+          }
+          if (argv1) {
+            bpf_probe_read_user_str(&ev.payload[#{PROC_EXEC_SLOT_SIZE * 2}], #{PROC_EXEC_SLOT_SIZE}, argv1);
+          }
+          if (argv2) {
+            bpf_probe_read_user_str(&ev.payload[#{PROC_EXEC_SLOT_SIZE * 3}], #{PROC_EXEC_SLOT_SIZE}, argv2);
+          }
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
+      LSM_PROBE(ptrace_access_check, struct task_struct *child, unsigned int mode)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u32 mode32 = mode;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "ptrace_check", 13);
+        __builtin_memcpy(&ev.payload[0], &mode32, sizeof(mode32));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(sb_mount, const char *dev_name, const struct path *path, const char *type, unsigned long flags, void *data)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u64 flags64 = flags;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "sb_mount", 9);
+        __builtin_memcpy(&ev.payload[0], &flags64, sizeof(flags64));
+
+        if (dev_name) {
+          bpf_probe_read_kernel_str(&ev.payload[8], 120, dev_name);
+        }
+        if (type) {
+          bpf_probe_read_kernel_str(&ev.payload[128], 120, type);
+        }
+
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(kernel_read_file, struct file *file, int id, int contents)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u32 id32 = id;
+        u32 contents32 = contents;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "kernel_read_file", 16);
+        __builtin_memcpy(&ev.payload[0], &id32, sizeof(id32));
+        __builtin_memcpy(&ev.payload[4], &contents32, sizeof(contents32));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(task_kill, struct task_struct *p, struct kernel_siginfo *info, int sig, const struct cred *cred)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "task_kill", 10);
+        __builtin_memcpy(&ev.payload[0], &sig, sizeof(sig));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(task_fix_setuid, struct cred *new, const struct cred *old, int flags)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u32 flags32 = flags;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "setid_change", 13);
+        __builtin_memcpy(&ev.payload[0], &flags32, sizeof(flags32));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(capable, const struct cred *cred, struct user_namespace *targ_ns, int cap, unsigned int opts)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if (!monitored_capability(cap)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u32 cap32 = cap;
+        u32 opts32 = opts;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "capable_check", 14);
+        __builtin_memcpy(&ev.payload[0], &cap32, sizeof(cap32));
+        __builtin_memcpy(&ev.payload[4], &opts32, sizeof(opts32));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(bprm_creds_from_file, struct linux_binprm *bprm, struct file *file)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u8 has_file = 0;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "bprm_creds", 11);
+
+        if (file) {
+          has_file = 1;
+          bpf_d_path(&file->f_path, &ev.payload[1], sizeof(ev.payload) - 1);
+        }
+
+        __builtin_memcpy(&ev.payload[0], &has_file, sizeof(has_file));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(inode_symlink, struct inode *dir, struct dentry *dentry, const char *oldname)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_symlink", 13);
+
+        if (oldname) {
+          bpf_probe_read_user_str(&ev.payload[0], 128, oldname);
+        }
+
+        if (dentry) {
+          read_dentry_name(dentry, &ev.payload[128], 128);
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
+      LSM_PROBE(inode_link, struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_hardlink", 14);
+
+        if (old_dentry) {
+          read_dentry_name(old_dentry, &ev.payload[0], 128);
+        }
+
+        if (new_dentry) {
+          read_dentry_name(new_dentry, &ev.payload[128], 128);
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
+      LSM_PROBE(inode_rename, struct inode *old_dir, struct dentry *old_dentry, 
+                struct inode *new_dir, struct dentry *new_dentry, unsigned int flags)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_rename", 12);
+
+        if (old_dentry) {
+          read_dentry_name(old_dentry, &ev.payload[0], 128);
+        }
+
+        if (new_dentry) {
+          read_dentry_name(new_dentry, &ev.payload[128], 128);
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
+      LSM_PROBE(path_chmod, struct path *path, umode_t mode)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if (!path) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u16 mode_short = mode & 0xFFFF;
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_chmod", 11);
+        __builtin_memcpy(&ev.payload[0], &mode_short, sizeof(mode_short));
+
+        bpf_d_path(path, &ev.payload[2], sizeof(ev.payload) - 2);
+        submit_event(&ev);
+        return 0;
+      }
+
+      TRACEPOINT_PROBE(syscalls, sys_enter_getdents64)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u32 fd = args->fd;
+        u32 count = args->count;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_getdents", 14);
+        __builtin_memcpy(&ev.payload[0], &fd, sizeof(fd));
+        __builtin_memcpy(&ev.payload[4], &count, sizeof(count));
+
+        submit_event(&ev);
+        return 0;
+      }
     CLANG
 
     def initialize(pin_dir: Vivarium.bpf_pin_dir)
@@ -641,7 +1273,10 @@ module Vivarium
       FileUtils.mkdir_p(@pin_dir)
 
       f_path_offset = detect_f_path_offset
-      program = BPF_PROGRAM_TEMPLATE.gsub("__VIVARIUM_F_PATH_OFFSET__", f_path_offset.to_s)
+      d_name_offset = detect_dentry_d_name_offset
+      program = BPF_PROGRAM_TEMPLATE
+        .gsub("__VIVARIUM_F_PATH_OFFSET__", f_path_offset.to_s)
+        .gsub("__VIVARIUM_DENTRY_D_NAME_OFFSET__", d_name_offset.to_s)
 
       bpf = RbBCC::BCC.new(text: program)
       kprint_thread = start_kprint_logger(bpf)
@@ -777,6 +1412,56 @@ module Vivarium
     rescue Errno::ENOENT
       raise Error, "bpftool is required to resolve struct file::f_path offset"
     end
+
+    def detect_dentry_d_name_offset
+      env_offset = ENV["VIVARIUM_DENTRY_D_NAME_OFFSET"]
+      return Integer(env_offset, 10) if env_offset
+
+      raw = IO.popen(
+        %w[bpftool btf dump file /sys/kernel/btf/vmlinux format raw],
+        err: IO::NULL,
+        &:read
+      )
+
+      in_dentry_struct = false
+      d_name_bits_offset = nil
+
+      raw.each_line do |line|
+        if line =~ /^\[\d+\] STRUCT 'dentry' /
+          in_dentry_struct = true
+          next
+        end
+
+        if in_dentry_struct && line.start_with?("[")
+          break
+        end
+
+        next unless in_dentry_struct
+
+        if (match = line.match(/'d_name'.*bits_offset=(\d+)/))
+          d_name_bits_offset = Integer(match[1], 10)
+          break
+        end
+      end
+
+      if d_name_bits_offset
+        if (d_name_bits_offset % 8).positive?
+          raise Error, "unsupported d_name bits offset=#{d_name_bits_offset}"
+        end
+
+        if d_name_bits_offset >= 1024
+          warn "[vivariumd] suspicious d_name offset=#{d_name_bits_offset / 8}, fallback to offset=32"
+          return 32
+        end
+
+        return d_name_bits_offset / 8
+      end
+
+      warn "[vivariumd] could not find struct dentry::d_name in BTF, fallback to offset=32"
+      32
+    rescue Errno::ENOENT
+      raise Error, "bpftool is required to resolve struct dentry::d_name offset"
+    end
   end
 
   class ObservationSession

data/sig/vivarium.rbs

@@ -11,6 +11,7 @@ module Vivarium
     attr_accessor payload: String?
 
     def empty?: bool
+    def severity: () -> String
     def self.from_binary: (String raw) -> Event
   end
 
@@ -41,6 +42,8 @@ module Vivarium
   EVENT_NAME_SIZE: Integer
   EVENT_PAYLOAD_SIZE: Integer
   EVENT_TS_SIZE: Integer
+  PROC_EXEC_SLOT_SIZE: Integer
+  PROC_EXEC_SLOT_COUNT: Integer
   EVENT_STRUCT_SIZE: Integer
   EVENT_TS_OFFSET: Integer
   EVENT_PID_OFFSET: Integer
@@ -50,10 +53,24 @@ module Vivarium
 
   def self.bpf_pin_dir: () -> String
   def self.bpf_pin_dir=: (String dir) -> String
+  def self.event_severity: (String event_name) -> String
   def self.decode_dns_qname: (String raw_payload) -> String
   def self.decode_sock_connect_payload: (String raw_payload) -> String
   def self.decode_odd_socket_payload: (String raw_payload) -> String
   def self.decode_bad_socket_payload: (String raw_payload) -> String
+  def self.decode_proc_exec_payload: (String raw_payload) -> String
+  def self.decode_ptrace_check_payload: (String raw_payload) -> String
+  def self.decode_sb_mount_payload: (String raw_payload) -> String
+  def self.decode_kernel_read_file_payload: (String raw_payload) -> String
+  def self.decode_task_kill_payload: (String raw_payload) -> String
+  def self.decode_setid_change_payload: (String raw_payload) -> String
+  def self.decode_capable_check_payload: (String raw_payload) -> String
+  def self.decode_bprm_creds_payload: (String raw_payload) -> String
+  def self.decode_file_symlink_payload: (String raw_payload) -> String
+  def self.decode_file_hardlink_payload: (String raw_payload) -> String
+  def self.decode_file_rename_payload: (String raw_payload) -> String
+  def self.decode_file_chmod_payload: (String raw_payload) -> String
+  def self.decode_file_getdents_payload: (String raw_payload) -> String
   def self.render_event_payload: (Event event) -> String
   def self.observe: (?pin_dir: String pin_dir, ?logger: untyped logger, ?dest: untyped dest, ?format: Symbol format) { () -> untyped } -> untyped
   def self.top_observe: (?pin_dir: String pin_dir, ?logger: untyped logger, ?dest: untyped dest, ?format: Symbol format) -> ObservationSession

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vivarium
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Uchio Kondo
@@ -23,6 +23,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.11.4
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Vivarium visualizes low-level events such as file open paths and relates
   them to Ruby method boundaries by combining RbBCC (eBPF LSM) and TracePoint.
 email:
@@ -34,7 +48,11 @@ extra_rdoc_files: []
 files:
 - README.md
 - Rakefile
+- examples/execve_demo.rb
+- examples/file_operation_demo.rb
 - examples/network_client_demo.rb
+- examples/privilege_event_demo.rb
+- examples/signal_kill_demo.rb
 - exe/vivariumd
 - lib/vivarium.rb
 - lib/vivarium/logger.rb