feat(events): add security_task_setrlimit #4148

Merged
merged 1 commit into from
Jun 24, 2024
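--- /dev/null
+++ b/docs/docs/events/builtin/extra/security_task_setrlimit.md
@@ -0,0 +1,31 @@
+# security_task_setrlimit
+
+## Intro
+security_task_setrlimit - Do a check when a task's resource limit is being set.
+
+## Description
+The event indicates a resource set of a task.
+The event is triggered by the permissions check for the operation, as LSM hook.
+
+## Arguments
+* `target_host_pid`:`u32`[K] - the target host pid.
+* `resource`:`int`[K] - the resource limit being changed.
+* `new_rlim_cur`:`u64`[K] - the new current limit.
+* `new_rlim_max`:`u64`[K] - the new maximum limit.
+
+## Hooks
+### security_task_setrlimit
+#### Type
+kprobe
+#### Purpose
+The LSM hook of setting the resource limit on a task. This hook triggers the event.
+
+## Example Use Case
+
+```console
+./tracee -e security_task_setrlimit
+```
+
+## Issues
+
+## Related Events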
1 change: 1 addition & 0 deletions mkdocs.yml
Expand Up @@ -104,6 +104,7 @@ nav:
- security_file_mprotect: docs/events/builtin/extra/security_file_mprotect.md
- security_inode_unlink: docs/events/builtin/extra/security_inode_unlink.md
- security_sb_mount: docs/events/builtin/extra/security_sb_mount.md
- security_task_setrlimit: docs/events/builtin/extra/security_task_setrlimit.md
- security_socket_accept: docs/events/builtin/extra/security_socket_accept.md
- security_socket_bind: docs/events/builtin/extra/security_socket_bind.md
- security_socket_connect: docs/events/builtin/extra/security_socket_connect.md
26 changes: 26 additions & 0 deletions pkg/ebpf/c/tracee.bpf.c
Expand Up @@ -5104,6 +5104,32 @@ int BPF_KPROBE(trace_set_fs_pwd)
return events_perf_submit(&p, 0);
}

SEC("kprobe/security_task_setrlimit")
int BPF_KPROBE(trace_security_task_setrlimit)
{
program_data_t p = {};
if (!init_program_data(&p, ctx, SECURITY_TASK_SETRLIMIT))
return 0;

if (!evaluate_scope_filters(&p))
return 0;

struct task_struct *task = (struct task_struct *) PT_REGS_PARM1(ctx);
unsigned int resource = (unsigned int) PT_REGS_PARM2(ctx);
struct rlimit *new_rlim = (struct rlimit *) PT_REGS_PARM3(ctx);

u32 target_host_tgid = get_task_host_tgid(task);
u64 new_rlim_cur = BPF_CORE_READ(new_rlim, rlim_cur);
u64 new_rlim_max = BPF_CORE_READ(new_rlim, rlim_max);

save_to_submit_buf(&p.event->args_buf, &target_host_tgid, sizeof(u32), 0);
save_to_submit_buf(&p.event->args_buf, &resource, sizeof(unsigned int), 1);
save_to_submit_buf(&p.event->args_buf, &new_rlim_cur, sizeof(u64), 2);
save_to_submit_buf(&p.event->args_buf, &new_rlim_max, sizeof(u64), 3);

return events_perf_submit(&p, 0);
}

// clang-format off

// Network Packets (works from ~5.2 and beyond)
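Review bot: The argument type for `resource` disagrees between the BPF side and the event definition: here it is read and saved as `unsigned int` (`unsigned int resource = (unsigned int) PT_REGS_PARM2(ctx);` and `sizeof(unsigned int)`), which matches the kernel prototype `security_task_setrlimit(struct task_struct *, unsigned int, struct rlimit *)`, while pkg/events/core.go and the new docs page declare it as `int`; the widths coincide so decoding works, but one side should be changed so the declared type is true, e.g. `int resource = (int) PT_REGS_PARM2(ctx);` with `sizeof(int)` in the save call, or `unsigned int` in core.go and the docs. The handler also lacks any header comment; since it is a kprobe on hook entry, the saved `new_rlim_cur`/`new_rlim_max` are the requested values, and as far as I can tell an LSM can still reject the change after this point, so I would add `// Entry of the security_task_setrlimit LSM hook: limits are the requested, not necessarily applied, values.` above `SEC("kprobe/security_task_setrlimit")`. Note that `task` may be a different process than the caller (prlimit on another pid), which is why only the target tgid is saved explicitly; the acting process is presumably carried in the event's standard context filled by `init_program_data`, but that is outside this hunk, so confirm before relying on it for detection logic.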
1 change: 1 addition & 0 deletions pkg/ebpf/c/types.h
Expand Up @@ -128,6 +128,7 @@ enum event_id_e
MODULE_FREE,
EXECUTE_FINISHED,
SECURITY_BPRM_CREDS_FOR_EXEC,
SECURITY_TASK_SETRLIMIT,
MAX_EVENT_ID,
NO_EVENT_SUBMIT,

5 changes: 5 additions & 0 deletions pkg/ebpf/c/vmlinux.h
Expand Up @@ -899,6 +899,11 @@ struct kprobe {
struct seq_file {
};

struct rlimit {
u64 rlim_cur;
u64 rlim_max;
};

struct seq_operations {
void *(*start)(struct seq_file *m, loff_t *pos);
void (*stop)(struct seq_file *m, void *v);
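Review bot: The stand-in `struct rlimit` declares both members as `u64`, while the kernel defines them as `__kernel_ulong_t` (unsigned long), so the layout only coincides on 64-bit kernels; as far as I can tell `BPF_CORE_READ` takes its read size from this local declaration, so the assumption is worth stating. The neighbouring stubs carry no comments either, so this is a style point rather than a defect: I would add `// Minimal CO-RE stand-in; the kernel fields are unsigned long (8 bytes on 64-bit targets).` above `struct rlimit {`.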
1 change: 1 addition & 0 deletions pkg/ebpf/probes/probe_group.go
Expand Up @@ -222,6 +222,7 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
ExecuteAtFinishedARM: NewTraceProbe(KretProbe, "__arm64_sys_execveat", "trace_execute_finished"),
ExecuteFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execve", "trace_execute_finished"),
ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
SecurityTaskSetrlimit: NewTraceProbe(KProbe, "security_task_setrlimit", "trace_security_task_setrlimit"),

TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
ExecTest: NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),
1 change: 1 addition & 0 deletions pkg/ebpf/probes/probes.go
Expand Up @@ -148,6 +148,7 @@ const (
ExecuteAtFinishedARM
ExecuteFinishedCompatARM
ExecuteAtFinishedCompatARM
SecurityTaskSetrlimit
)

// Test probe handles
18 changes: 18 additions & 0 deletions pkg/events/core.go
Expand Up @@ -110,6 +110,7 @@ const (
ModuleFree
ExecuteFinished
SecurityBprmCredsForExec
SecurityTaskSetrlimit
MaxCommonID
)

Expand Down Expand Up @@ -13054,6 +13055,23 @@ var CoreEvents = map[ID]Definition{
{Type: "const char*", Name: "resolved_path"},
},
},
SecurityTaskSetrlimit: {
id: SecurityTaskSetrlimit,
id32Bit: Sys32Undefined,
name: "security_task_setrlimit",
dependencies: Dependencies{
probes: []Probe{
{handle: probes.SecurityTaskSetrlimit, required: true},
},
},
sets: []string{"lsm"},
params: []trace.ArgMeta{
{Type: "u32", Name: "target_host_pid"},
{Type: "int", Name: "resource"},
{Type: "u64", Name: "new_rlim_cur"},
{Type: "u64", Name: "new_rlim_max"},
},
},
//
// Begin of Signal Events (Control Plane)
//