diff --git a/infra/experimental/SystemSan/SystemSan.cpp b/infra/experimental/SystemSan/SystemSan.cpp
index 17a84b82bdd7..ec01c57e32ad 100644
--- a/infra/experimental/SystemSan/SystemSan.cpp
+++ b/infra/experimental/SystemSan/SystemSan.cpp
@@ -178,6 +178,11 @@ std::string read_string(pid_t pid, unsigned long reg, unsigned long length) {
 void inspect_for_injection(pid_t pid, const user_regs_struct ®s) {
 // Inspect a PID's registers for the sign of shell injection.
+
+ static bool is_enabled = check_enabled("shell_injection");
+ if (not is_enabled)
+ return;
+
 std::string path = read_string(pid, regs.rdi, kTripWire.length());
 if (!path.length()) {
 return;
@@ -271,6 +276,11 @@ void match_error_pattern(std::string buffer, std::string shell, pid_t pid) {
 void inspect_for_corruption(pid_t pid, const user_regs_struct ®s) {
 // Inspect a PID's registers for shell corruption.
+
+ static bool is_enabled = check_enabled("shell_corruption");
+ if (not is_enabled)
+ return;
+
 std::string buffer = read_string(pid, regs.rsi, regs.rdx);
 debug_log("Write buffer: %s\n", buffer.c_str());
 match_error_pattern(buffer, g_shell_pids[pid], pid);
@@ -306,6 +316,11 @@ bool has_unprintable(const std::string &value) {
 void inspect_for_arbitrary_file_open(pid_t pid, const user_regs_struct ®s) {
 // Inspect a PID's register for the sign of arbitrary file open.
+
+ static bool is_enabled = check_enabled("arbitrary_file_open");
+ if (not is_enabled)
+ return;
+
 std::string path = read_string(pid, regs.rsi, kRootDirMaxLength);
 if (!path.length()) {
 return;
@@ -347,6 +362,10 @@ void report_bug_in_process(std::string bug_type, pid_t pid) {
 void inspect_for_evil_link(pid_t pid, const user_regs_struct ®s) {
 (void) regs;
+
+ static bool is_enabled = check_enabled("malicious_symlink_following");
+ if (not is_enabled)
+ return;
 std::string contents = read_evil_link_bombfile();
 if ((contents.compare(kEvilLinkBombfileContents)) != 0) {
@@ -355,6 +374,10 @@ void inspect_for_evil_link(pid_t pid, const user_regs_struct ®s) {
 }
 void evil_openat_hook(pid_t pid, const user_regs_struct ®s) {
+ static bool is_enabled = check_enabled("malicious_symlink_following");
+ if (not is_enabled)
+ return;
+
 std::string path = read_string(pid, regs.rsi, kPathMax);
 if (!path.length()) {
 return;
diff --git a/infra/experimental/SystemSan/inspect_dns.cpp b/infra/experimental/SystemSan/inspect_dns.cpp
index 8f08e3a3f7c3..aa72ad6655eb 100644
--- a/infra/experimental/SystemSan/inspect_dns.cpp
+++ b/infra/experimental/SystemSan/inspect_dns.cpp
@@ -38,6 +38,10 @@ const size_t kDnsHeaderLen = 12;
 void inspect_for_arbitrary_dns_connect(pid_t pid, const user_regs_struct ®s) {
+ static bool is_enabled = check_enabled("arbitrary_dns_resolution");
+ if (not is_enabled)
+ return;
+
 auto memory = read_memory(pid, regs.rsi, sizeof(struct sockaddr_in));
 if (memory.size()) {
 struct sockaddr_in * sa = reinterpret_cast(memory.data());
diff --git a/infra/experimental/SystemSan/inspect_utils.cpp b/infra/experimental/SystemSan/inspect_utils.cpp
index 47f4b43ad43b..2b99c13ac0e3 100644
--- a/infra/experimental/SystemSan/inspect_utils.cpp
+++ b/infra/experimental/SystemSan/inspect_utils.cpp
@@ -51,6 +51,19 @@ std::vector read_memory(pid_t pid, unsigned long long address,
 return memory;
 }
+bool check_enabled(std::string feature) {
+ for (auto & ch: feature)
+ ch = toupper(ch);
+
+ std::string env_var = "SYSTEMSAN_" + feature;
+ const char* value_charstr = getenv(env_var.c_str());
+ std::string yes = "1";
+ if (!value_charstr)
+ value_charstr = yes.c_str();
+ int value = atoi(value_charstr);
+ return static_cast(value);
+}
+
 void report_bug(std::string bug_type, pid_t tid) {
 // Report the bug found based on the bug code.
 std::cerr << "===BUG DETECTED: " << bug_type << "===" << std::endl;
diff --git a/infra/experimental/SystemSan/inspect_utils.h b/infra/experimental/SystemSan/inspect_utils.h
index a0737f28b1ae..0e72a2122559 100644
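Review bot: The feature name `"malicious_symlink_following"` is spelled out as a fresh literal in `evil_openat_hook` and again in `inspect_for_evil_link` in the preceding hunk, so the two halves of one detector can drift apart if either string is edited; hoist it into a single file-level constant, e.g. `static const char kEvilLinkFeature[] = "malicious_symlink_following";`, and call `check_enabled(kEvilLinkFeature)` from both hooks. Each hook also keeps its own `static bool`, so the same environment variable is looked up twice for one switch — harmless, but a further reason to share the result. As a point of style, the guard uses the alternative token `not` while the very next line tests `!path.length()`; `if (!is_enabled)` would match the file's existing idiom. The body of `evil_openat_hook` continues past the end of the hunk.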
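Review bot: `check_enabled` silently switches a detector off for any value that `atoi` reads as zero, so `SYSTEMSAN_SHELL_INJECTION=yes` or `=true` disables the shell-injection check with no diagnostic, and `atoi` additionally accepts trailing garbage (`1abc`) and has undefined behaviour on out-of-range input. An unnoticed off switch is a coverage loss for a sanitizer, so the parse should be strict: accept exactly `0` and `1`, and report any other value on `std::cerr` (already used by `report_bug` in the same hunk) while leaving the feature enabled. `toupper(ch)` on a plain `char` is undefined for negative values; the names passed here are ASCII literals, but routing the call through `unsigned char` costs nothing. Whether `<cstdlib>` and `<cctype>` are already included is not visible in this hunk — confirm at the top of inspect_utils.cpp.
```cpp
bool check_enabled(std::string feature) {
  // Feature "foo_bar" is switched by SYSTEMSAN_FOO_BAR; unset means enabled.
  for (auto &ch : feature)
    ch = static_cast<char>(toupper(static_cast<unsigned char>(ch)));

  const std::string env_var = "SYSTEMSAN_" + feature;
  const char *raw = getenv(env_var.c_str());
  if (!raw)
    return true;

  // Accept only an explicit "0"/"1"; anything else is a misconfiguration and
  // must not silently switch a detector off.
  const std::string value(raw);
  if (value == "0")
    return false;
  if (value == "1")
    return true;
  std::cerr << "SystemSan: ignoring " << env_var << "=\"" << value
            << "\" (expected 0 or 1); leaving the check enabled" << std::endl;
  return true;
}
```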
--- a/infra/experimental/SystemSan/inspect_utils.h
+++ b/infra/experimental/SystemSan/inspect_utils.h
@@ -37,3 +37,4 @@ std::vector read_memory(pid_t pid, unsigned long long address,
 size_t size);
 void report_bug(std::string bug_type, pid_t tid);
+bool check_enabled(std::string feature);
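Review bot: The new `check_enabled` declaration carries no comment, and the environment-variable naming scheme it relies on (visible only in the inspect_utils.cpp hunk) cannot be discovered from the header, which is where callers adding a new detector will look. Suggest placing `// Returns false iff SYSTEMSAN_<FEATURE> (feature name upper-cased) is set and atoi() reads it as 0; unset means enabled.` directly above the declaration so the contract and the kill-switch convention are documented at the API boundary.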