[vibe code hackathon] Send process information#141
Draft
Conversation
This change introduces the ability to monitor process executions by adding a new LSM probe attached to `bprm_check_security`. A new event type, `PROCESS_ACTIVITY_EXEC`, is used to signal these events from the kernel. To support activities beyond file operations, the main `Event` struct has been refactored. It now contains a generic `Activity` enum that can represent either a file or a process activity. This makes the event model more extensible for future additions, such as network events. Additionally, a defensive null check for the `dentry` pointer has been added in the `submit_event` function to improve robustness. This entire commit has been vibe coded, took over an hour to get here with multiple prompts.
The StackRox sensor API consumes events from different gRPC services depending on their type. This change introduces support for the `SignalService` to send process-related signals, separating them from the existing `FileActivityService`. This involves: - Compiling the `signal_iservice.proto` definitions. - Adding a `SignalServiceClient` in the gRPC output module. - Implementing the conversion from the internal `Event` struct to the `v1.Signal` protobuf message. - Updating the gRPC client to run two concurrent streams, filtering and routing file and process events to their respective services. - Refactoring protobuf conversions to align with upstream API models. This entire commit was vibe coded, took about 1 hour.
Process events that do not have an associated container ID are considered noise. This change filters them out in the main BPF event loop to avoid sending them downstream, reducing the overall volume of events. This change was vibe coded.
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This entire PR was vibe coded, a new LSM hook on
bprm_check_securityis used to capture process execution and sending that information through the process service that collector usually uses.I've barely tested this by deploying fact in place of collector, it seems to work since I can see new processes being created in the risk tab.
That said, the change itself is terribly implemented, we can probably clean it up or re-write it entirely.
Checklist
Automated testing
If any of these don't apply, please comment below.
Testing Performed
TODO(replace-me)
Use this space to explain how you tested your PR, or, if you didn't test it, why you did not do so. (Valid reasons include "CI is sufficient" or "No testable changes")
In addition to reviewing your code, reviewers must also review your testing instructions, and make sure they are sufficient.
For more details, ref the Confluence page about this section.