Tracing file creation by kernel modules

[itamarmaouda101]

Hi

Sometimes, kernel rootkits try to commutate with the user-space.

To accomplish that they create files with special file operations that handle their requests.

To create those files from the kernel they can use one of these functions:

• [x] https://github.com/aquasecurity/tracee/pull/1614 (proc_create - to create file under /proc)
• [x] https://github.com/aquasecurity/tracee/pull/1648 (debugfs_create_file - to create file under /sys/kernel/debug)
• [x] https://github.com/aquasecurity/tracee/pull/1649 (debugfs_create_dir - to create dir under /sys/kernel/debug)
• [x] https://github.com/aquasecurity/tracee/pull/1661(add register_chrdev_region event )
• [x] (add trace to create_device function)

We should add an event on those functions to alert if some kernel try to communicate with the user space.

Here's an example that uses this function to complete a container escape in a privileged container: https://xcellerator.github.io/posts/docker_escape/

[rafaeldtinoco]

Sorry, I realized there are missing PRs for this case. Please link PRs to the issues so we can track them altogether. Thanks!