Add new metric for suspicious operations.

The new metric contains fields and will replace the below existing metric:
- opened_write_execute_file

PiperOrigin-RevId: 373884604

7 files changed, 26 insertions, 3 deletions

diff --git a/pkg/metric/metric.go b/pkg/metric/metric.go
index e822fe77d..528910d7c 100644
--- a/pkg/metric/metric.go
+++ b/pkg/metric/metric.go
@@ -36,10 +36,17 @@ var (
 	// new metric after initialization.
 	ErrInitializationDone = errors.New("metric cannot be created after initialization is complete")
 
+	// createdSentryMetrics indicates that the sentry metrics are created.
+	createdSentryMetrics = false
+
 	// WeirdnessMetric is a metric with fields created to track the number
 	// of weird occurrences such as time fallback, partial_result and
 	// vsyscall count.
 	WeirdnessMetric *Uint64Metric
+
+	// SuspiciousOperationsMetric is a metric with fields created to detect
+	// operations such as opening an executable file to write from a gofer.
+	SuspiciousOperationsMetric *Uint64Metric
 )
 
 // Uint64Metric encapsulates a uint64 that represents some kind of metric to be
@@ -388,13 +395,21 @@ func EmitMetricUpdate() {
 
 // CreateSentryMetrics creates the sentry metrics during kernel initialization.
 func CreateSentryMetrics() {
-	if WeirdnessMetric != nil {
+	if createdSentryMetrics {
 		return
 	}
 
-	WeirdnessMetric = MustCreateNewUint64Metric("/weirdness", true /* sync */, "Increment for weird occurrences of problems such as time fallback, partial result and vsyscalls invoked in the sandbox",
+	createdSentryMetrics = true
+
+	WeirdnessMetric = MustCreateNewUint64Metric("/weirdness", true /* sync */, "Increment for weird occurrences of problems such as time fallback, partial result and vsyscalls invoked in the sandbox.",
 		Field{
 			name:          "weirdness_type",
 			allowedValues: []string{"time_fallback", "partial_result", "vsyscall_count"},
 		})
+
+	SuspiciousOperationsMetric = MustCreateNewUint64Metric("/suspicious_operations", true /* sync */, "Increment for suspicious operations such as opening an executable file to write from a gofer.",
+		Field{
+			name:          "operation_type",
+			allowedValues: []string{"opened_write_execute_file"},
+		})
 }
diff --git a/pkg/sentry/fs/gofer/BUILD b/pkg/sentry/fs/gofer/BUILD
index c4a069832..94cb05246 100644
--- a/pkg/sentry/fs/gofer/BUILD
+++ b/pkg/sentry/fs/gofer/BUILD
@@ -29,6 +29,7 @@ go_library(
         "//pkg/fd",
         "//pkg/hostarch",
         "//pkg/log",
+        "//pkg/metric",
         "//pkg/p9",
         "//pkg/refs",
         "//pkg/safemem",
diff --git a/pkg/sentry/fs/gofer/file.go b/pkg/sentry/fs/gofer/file.go
index 8f5a87120..bcdb2dda2 100644
--- a/pkg/sentry/fs/gofer/file.go
+++ b/pkg/sentry/fs/gofer/file.go
@@ -21,6 +21,7 @@ import (
 	"golang.org/x/sys/unix"
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/log"
+	"gvisor.dev/gvisor/pkg/metric"
 	"gvisor.dev/gvisor/pkg/p9"
 	"gvisor.dev/gvisor/pkg/sentry/device"
 	"gvisor.dev/gvisor/pkg/sentry/fs"
@@ -92,6 +93,7 @@ func NewFile(ctx context.Context, dirent *fs.Dirent, name string, flags fs.FileF
 	if flags.Write {
 		if err := dirent.Inode.CheckPermission(ctx, fs.PermMask{Execute: true}); err == nil {
 			fsmetric.GoferOpensWX.Increment()
+			metric.SuspiciousOperationsMetric.Increment("opened_write_execute_file")
 			log.Warningf("Opened a writable executable: %q", name)
 		}
 	}
diff --git a/pkg/sentry/fsimpl/gofer/BUILD b/pkg/sentry/fsimpl/gofer/BUILD
index 52879f871..368272f12 100644
--- a/pkg/sentry/fsimpl/gofer/BUILD
+++ b/pkg/sentry/fsimpl/gofer/BUILD
@@ -54,6 +54,7 @@ go_library(
         "//pkg/fspath",
         "//pkg/hostarch",
         "//pkg/log",
+        "//pkg/metric",
         "//pkg/p9",
         "//pkg/refs",
         "//pkg/refsvfs2",
diff --git a/pkg/sentry/fsimpl/gofer/regular_file.go b/pkg/sentry/fsimpl/gofer/regular_file.go
index f0e7bbaf7..0a954c138 100644
--- a/pkg/sentry/fsimpl/gofer/regular_file.go
+++ b/pkg/sentry/fsimpl/gofer/regular_file.go
@@ -24,6 +24,7 @@ import (
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/hostarch"
 	"gvisor.dev/gvisor/pkg/log"
+	"gvisor.dev/gvisor/pkg/metric"
 	"gvisor.dev/gvisor/pkg/p9"
 	"gvisor.dev/gvisor/pkg/safemem"
 	"gvisor.dev/gvisor/pkg/sentry/fs/fsutil"
@@ -60,6 +61,7 @@ func newRegularFileFD(mnt *vfs.Mount, d *dentry, flags uint32) (*regularFileFD,
 	}
 	if fd.vfsfd.IsWritable() && (atomic.LoadUint32(&d.mode)&0111 != 0) {
 		fsmetric.GoferOpensWX.Increment()
+		metric.SuspiciousOperationsMetric.Increment("opened_write_execute_file")
 	}
 	if atomic.LoadInt32(&d.mmapFD) >= 0 {
 		fsmetric.GoferOpensHost.Increment()
diff --git a/pkg/sentry/fsimpl/gofer/special_file.go b/pkg/sentry/fsimpl/gofer/special_file.go
index ac3b5b621..dc019ebd5 100644
--- a/pkg/sentry/fsimpl/gofer/special_file.go
+++ b/pkg/sentry/fsimpl/gofer/special_file.go
@@ -21,6 +21,7 @@ import (
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/fdnotifier"
+	"gvisor.dev/gvisor/pkg/metric"
 	"gvisor.dev/gvisor/pkg/p9"
 	"gvisor.dev/gvisor/pkg/safemem"
 	"gvisor.dev/gvisor/pkg/sentry/fsmetric"
@@ -101,6 +102,7 @@ func newSpecialFileFD(h handle, mnt *vfs.Mount, d *dentry, flags uint32) (*speci
 	d.fs.syncMu.Unlock()
 	if fd.vfsfd.IsWritable() && (atomic.LoadUint32(&d.mode)&0111 != 0) {
 		fsmetric.GoferOpensWX.Increment()
+		metric.SuspiciousOperationsMetric.Increment("opened_write_execute_file")
 	}
 	if h.fd >= 0 {
 		fsmetric.GoferOpensHost.Increment()
diff --git a/pkg/sentry/watchdog/watchdog.go b/pkg/sentry/watchdog/watchdog.go
index 8e3146d8d..bd31464d0 100644
--- a/pkg/sentry/watchdog/watchdog.go
+++ b/pkg/sentry/watchdog/watchdog.go
@@ -312,7 +312,7 @@ func (w *Watchdog) runTurn() {
 					// New stuck task detected.
 					//
 					// Note that tasks blocked doing IO may be considered stuck in kernel,
-					// unless they are surrounded b
+					// unless they are surrounded by
 					// Task.UninterruptibleSleepStart/Finish.
 					tc = &offender{lastUpdateTime: lastUpdateTime}
 					stuckTasks.Increment()