From c1b62e59374c259a68b2225e445fbd7ab9bbf522 Mon Sep 17 00:00:00 2001
From: Ori Glassman
Date: Sun, 23 Jun 2024 15:47:28 +0300
Subject: [PATCH] feat(events): add security_task_setrlimit

---
 .../builtin/extra/security_task_setrlimit.md | 31 +++++++++++++++++++
 mkdocs.yml | 1 +
 pkg/ebpf/c/tracee.bpf.c | 26 ++++++++++++++++
 pkg/ebpf/c/types.h | 1 +
 pkg/ebpf/c/vmlinux.h | 5 +++
 pkg/ebpf/probes/probe_group.go | 1 +
 pkg/ebpf/probes/probes.go | 1 +
 pkg/events/core.go | 18 +++++++++++
 8 files changed, 84 insertions(+)
 create mode 100644 docs/docs/events/builtin/extra/security_task_setrlimit.md

diff --git a/docs/docs/events/builtin/extra/security_task_setrlimit.md b/docs/docs/events/builtin/extra/security_task_setrlimit.md
new file mode 100644
index 000000000000..f96accaed120
--- /dev/null
+++ b/docs/docs/events/builtin/extra/security_task_setrlimit.md
@@ -0,0 +1,31 @@
+# security_task_setrlimit
+
+## Intro
+security_task_setrlimit - Do a check when a task's resource limit is being set.
+
+## Description
+The event indicates a resource set of a task.
+The event is triggered by the permissions check for the operation, as LSM hook.
+
+## Arguments
+* `target_host_pid`:`u32`[K] - the target host pid.
+* `resource`:`int`[K] - the resource limit being changed.
+* `new_rlim_cur`:`u64`[K] - the new current limit.
+* `new_rlim_max`:`u64`[K] - the new maximum limit.
+
+## Hooks
+### security_task_setrlimit
+#### Type
+kprobe
+#### Purpose
+The LSM hook of setting the resource limit on a task. This hook triggers the event.
+
+## Example Use Case
+
+```console
+./tracee -e security_task_setrlimit
+```
+
+## Issues
+
+## Related Events
diff --git a/mkdocs.yml b/mkdocs.yml
index 7372dd4a7cc7..c075a9395255 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -104,6 +104,7 @@ nav:
 - security_file_mprotect: docs/events/builtin/extra/security_file_mprotect.md
 - security_inode_unlink: docs/events/builtin/extra/security_inode_unlink.md
 - security_sb_mount: docs/events/builtin/extra/security_sb_mount.md
+ - security_task_setrlimit: docs/events/builtin/extra/security_task_setrlimit.md
 - security_socket_accept: docs/events/builtin/extra/security_socket_accept.md
 - security_socket_bind: docs/events/builtin/extra/security_socket_bind.md
 - security_socket_connect: docs/events/builtin/extra/security_socket_connect.md
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index c02ee80e79d2..fc9ba29cb9f0 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -5104,6 +5104,32 @@ int BPF_KPROBE(trace_set_fs_pwd)
 return events_perf_submit(&p, 0);
 }
 
+SEC("kprobe/security_task_setrlimit")
+int BPF_KPROBE(trace_security_task_setrlimit)
+{
+ program_data_t p = {};
+ if (!init_program_data(&p, ctx, SECURITY_TASK_SETRLIMIT))
+ return 0;
+
+ if (!evaluate_scope_filters(&p))
+ return 0;
+
+ struct task_struct *task = (struct task_struct *) PT_REGS_PARM1(ctx);
+ unsigned int resource = (unsigned int) PT_REGS_PARM2(ctx);
+ struct rlimit *new_rlim = (struct rlimit *) PT_REGS_PARM3(ctx);
+
+ u32 target_host_tgid = get_task_host_tgid(task);
+ u64 new_rlim_cur = BPF_CORE_READ(new_rlim, rlim_cur);
+ u64 new_rlim_max = BPF_CORE_READ(new_rlim, rlim_max);
+
+ save_to_submit_buf(&p.event->args_buf, &target_host_tgid, sizeof(u32), 0);
+ save_to_submit_buf(&p.event->args_buf, &resource, sizeof(unsigned int), 1);
+ save_to_submit_buf(&p.event->args_buf, &new_rlim_cur, sizeof(u64), 2);
+ save_to_submit_buf(&p.event->args_buf, &new_rlim_max, sizeof(u64), 3);
+
+ return events_perf_submit(&p, 0);
+}
+
 // clang-format off
 
 // Network Packets (works from ~5.2 and beyond)
diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h
index e540bea0e776..13c6c07ac4e1 100644
--- a/pkg/ebpf/c/types.h
+++ b/pkg/ebpf/c/types.h
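Review bot: trace_security_task_setrlimit is an entry probe, so it records the limits being requested and not whether the change was permitted; the event fires even if an LSM later rejects the call, and nothing in the hunk captures the hook's return value. A comment above `SEC("kprobe/security_task_setrlimit")` such as `// Entry probe: reports the requested rlimit, not whether the change was allowed.` would keep consumers from reading the event as "limit was set". A detection that cares about a limit being raised (new rlim_max above the task's previous hard limit) would also need the task's current limits, which the probe does not read — presumably reachable through `task`, but that is an inference to confirm against the kernel headers in use. Minor: `resource` is read and saved as `unsigned int` here while the Go definition declares it `int`; the width is the same, so decoding is unaffected, but the two sides should agree.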
@@ -128,6 +128,7 @@ enum event_id_e
 MODULE_FREE,
 EXECUTE_FINISHED,
 SECURITY_BPRM_CREDS_FOR_EXEC,
+ SECURITY_TASK_SETRLIMIT,
 MAX_EVENT_ID,
 NO_EVENT_SUBMIT,
 
diff --git a/pkg/ebpf/c/vmlinux.h b/pkg/ebpf/c/vmlinux.h
index ca8f742886c1..b55c444db1cf 100644
--- a/pkg/ebpf/c/vmlinux.h
+++ b/pkg/ebpf/c/vmlinux.h
@@ -899,6 +899,11 @@ struct kprobe {
 struct seq_file {
 };
 
+struct rlimit {
+ u64 rlim_cur;
+ u64 rlim_max;
+};
+
 struct seq_operations {
 void *(*start)(struct seq_file *m, loff_t *pos);
 void (*stop)(struct seq_file *m, void *v);
diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
index e8a1abe81e42..ac8033af4711 100644
--- a/pkg/ebpf/probes/probe_group.go
+++ b/pkg/ebpf/probes/probe_group.go
@@ -222,6 +222,7 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 ExecuteAtFinishedARM: NewTraceProbe(KretProbe, "__arm64_sys_execveat", "trace_execute_finished"),
 ExecuteFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execve", "trace_execute_finished"),
 ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
+ SecurityTaskSetrlimit: NewTraceProbe(KProbe, "security_task_setrlimit", "trace_security_task_setrlimit"),
 
 TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 ExecTest: NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),
diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
index f069453207e9..32b1290894f8 100644
--- a/pkg/ebpf/probes/probes.go
+++ b/pkg/ebpf/probes/probes.go
@@ -148,6 +148,7 @@ const (
 ExecuteAtFinishedARM
 ExecuteFinishedCompatARM
 ExecuteAtFinishedCompatARM
+ SecurityTaskSetrlimit
 )
 
 // Test probe handles
diff --git a/pkg/events/core.go b/pkg/events/core.go
index ba553ead97ed..1345e77539c4 100644
--- a/pkg/events/core.go
+++ b/pkg/events/core.go
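Review bot: The local `struct rlimit` in vmlinux.h declares both fields as `u64`, whereas the kernel defines them as `__kernel_ulong_t` (unsigned long), and BPF_CORE_READ in trace_security_task_setrlimit reads the width of the local field; the layouts coincide only on 64-bit kernels. If tracee builds solely for 64-bit targets this is correct as written, but the assumption is invisible to the next reader — a comment like `// kernel: __kernel_ulong_t; 8 bytes on the 64-bit targets supported here` on the struct would record it. Field order matches the kernel definition, so CO-RE relocation by name is unaffected.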
@@ -110,6 +110,7 @@ const (
 ModuleFree
 ExecuteFinished
 SecurityBprmCredsForExec
+ SecurityTaskSetrlimit
 MaxCommonID
 )
 
@@ -13054,6 +13055,23 @@ var CoreEvents = map[ID]Definition{
 {Type: "const char*", Name: "resolved_path"},
 },
 },
+ SecurityTaskSetrlimit: {
+ id: SecurityTaskSetrlimit,
+ id32Bit: Sys32Undefined,
+ name: "security_task_setrlimit",
+ dependencies: Dependencies{
+ probes: []Probe{
+ {handle: probes.SecurityTaskSetrlimit, required: true},
+ },
+ },
+ sets: []string{"lsm"},
+ params: []trace.ArgMeta{
+ {Type: "u32", Name: "target_host_pid"},
+ {Type: "int", Name: "resource"},
+ {Type: "u64", Name: "new_rlim_cur"},
+ {Type: "u64", Name: "new_rlim_max"},
+ },
+ },
 //
 // Begin of Signal Events (Control Plane)
 //
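Review bot: `{Type: "int", Name: "resource"}` in the new CoreEvents entry disagrees with the eBPF side, which captures and saves `resource` as `unsigned int` (the kernel prototype's type); both are four bytes so decoding works, but declaring it `{Type: "u32", Name: "resource"}` here, or switching the C side to `int`, keeps the layers consistent. If the argument-parsing layer already renders symbolic names for other kernel constants, the RLIMIT_* number is a natural candidate for the same treatment, which would make rules on specific limits (core dumps, open files) easier to write — that lives outside this hunk. The CoreEvents map itself continues beyond the hunk on both sides.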