feat(events): add security_task_setrlimit (#4148)
OriGlassman authored Jun 24, 2024
1 parent 6f94719 commit 3240182
Showing 8 changed files with 84 additions and 0 deletions.
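--- a/docs/docs/events/builtin/extra/security_task_setrlimit.md
+++ b/docs/docs/events/builtin/extra/security_task_setrlimit.md
@@ -0,0 +1,31 @@
+# security_task_setrlimit
+
+## Intro
+security_task_setrlimit - Do a check when a task's resource limit is being set.
+
+## Description
+The event indicates a resource set of a task.
+The event is triggered by the permissions check for the operation, as LSM hook.
+
+## Arguments
+* `target_host_pid`:`u32`[K] - the target host pid.
+* `resource`:`int`[K] - the resource limit being changed.
+* `new_rlim_cur`:`u64`[K] - the new current limit.
+* `new_rlim_max`:`u64`[K] - the new maximum limit.
+
+## Hooks
+### security_task_setrlimit
+#### Type
+kprobe
+#### Purpose
+The LSM hook of setting the resource limit on a task. This hook triggers the event.
+
+## Example Use Case
+
+```console
+./tracee -e security_task_setrlimit
+```
+
+## Issues
+
+## Related Events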
1 change: 1 addition & 0 deletions mkdocs.yml
Expand Up @@ -104,6 +104,7 @@ nav:
- security_file_mprotect: docs/events/builtin/extra/security_file_mprotect.md
- security_inode_unlink: docs/events/builtin/extra/security_inode_unlink.md
- security_sb_mount: docs/events/builtin/extra/security_sb_mount.md
- security_task_setrlimit: docs/events/builtin/extra/security_task_setrlimit.md
- security_socket_accept: docs/events/builtin/extra/security_socket_accept.md
- security_socket_bind: docs/events/builtin/extra/security_socket_bind.md
- security_socket_connect: docs/events/builtin/extra/security_socket_connect.md
26 changes: 26 additions & 0 deletions pkg/ebpf/c/tracee.bpf.c
Expand Up @@ -5104,6 +5104,32 @@ int BPF_KPROBE(trace_set_fs_pwd)
return events_perf_submit(&p, 0);
}

SEC("kprobe/security_task_setrlimit")
int BPF_KPROBE(trace_security_task_setrlimit)
{
program_data_t p = {};
if (!init_program_data(&p, ctx, SECURITY_TASK_SETRLIMIT))
return 0;

if (!evaluate_scope_filters(&p))
return 0;

struct task_struct *task = (struct task_struct *) PT_REGS_PARM1(ctx);
unsigned int resource = (unsigned int) PT_REGS_PARM2(ctx);
struct rlimit *new_rlim = (struct rlimit *) PT_REGS_PARM3(ctx);

u32 target_host_tgid = get_task_host_tgid(task);
u64 new_rlim_cur = BPF_CORE_READ(new_rlim, rlim_cur);
u64 new_rlim_max = BPF_CORE_READ(new_rlim, rlim_max);

save_to_submit_buf(&p.event->args_buf, &target_host_tgid, sizeof(u32), 0);
save_to_submit_buf(&p.event->args_buf, &resource, sizeof(unsigned int), 1);
save_to_submit_buf(&p.event->args_buf, &new_rlim_cur, sizeof(u64), 2);
save_to_submit_buf(&p.event->args_buf, &new_rlim_max, sizeof(u64), 3);

return events_perf_submit(&p, 0);
}

// clang-format off

// Network Packets (works from ~5.2 and beyond)
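Review bot: The kprobe is placed on the LSM entry point, so the new_rlim_cur/new_rlim_max values saved in trace_security_task_setrlimit are what the caller requested, not a limit that was actually applied — the LSM hook, or do_prlimit's own checks afterwards, may still reject the request, and no kretprobe records that outcome. A comment above the save_to_submit_buf calls should make this explicit for anyone writing detections on the event, e.g. `// Values are the caller's request at LSM-check time; the change may still be denied.`. Separately, `resource` is read and saved here as `unsigned int` (the kernel prototype declares that parameter unsigned as well), while the event definition in pkg/events/core.go and the new docs page declare it `int`; the sizes agree, so nothing breaks, but the declared type should be aligned with what the probe writes. The context lines at the top of the hunk are the tail of trace_set_fs_pwd, whose body starts outside the hunk.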
1 change: 1 addition & 0 deletions pkg/ebpf/c/types.h
Expand Up @@ -128,6 +128,7 @@ enum event_id_e
MODULE_FREE,
EXECUTE_FINISHED,
SECURITY_BPRM_CREDS_FOR_EXEC,
SECURITY_TASK_SETRLIMIT,
MAX_EVENT_ID,
NO_EVENT_SUBMIT,

5 changes: 5 additions & 0 deletions pkg/ebpf/c/vmlinux.h
Expand Up @@ -899,6 +899,11 @@ struct kprobe {
struct seq_file {
};

struct rlimit {
u64 rlim_cur;
u64 rlim_max;
};

struct seq_operations {
void *(*start)(struct seq_file *m, loff_t *pos);
void (*stop)(struct seq_file *m, void *v);
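Review bot: The new `struct rlimit` declares both fields as u64, whereas the kernel's uapi definition uses `__kernel_ulong_t` (unsigned long), which is 8 bytes only on 64-bit kernels; as far as I can tell BPF_CORE_READ sizes the read from this local declaration, so on a 32-bit kernel the rlim_cur read would span both fields. If tracee only supports 64-bit targets this is fine, but the assumption deserves a comment on the struct, e.g. `// Mirrors uapi struct rlimit; __kernel_ulong_t is 8 bytes on the 64-bit kernels tracee supports.`. The trailing context belongs to struct seq_operations, which continues past the hunk.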
1 change: 1 addition & 0 deletions pkg/ebpf/probes/probe_group.go
Expand Up @@ -222,6 +222,7 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
ExecuteAtFinishedARM: NewTraceProbe(KretProbe, "__arm64_sys_execveat", "trace_execute_finished"),
ExecuteFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execve", "trace_execute_finished"),
ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
SecurityTaskSetrlimit: NewTraceProbe(KProbe, "security_task_setrlimit", "trace_security_task_setrlimit"),

TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
ExecTest: NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),
1 change: 1 addition & 0 deletions pkg/ebpf/probes/probes.go
Expand Up @@ -148,6 +148,7 @@ const (
ExecuteAtFinishedARM
ExecuteFinishedCompatARM
ExecuteAtFinishedCompatARM
SecurityTaskSetrlimit
)

// Test probe handles
18 changes: 18 additions & 0 deletions pkg/events/core.go
Expand Up @@ -110,6 +110,7 @@ const (
ModuleFree
ExecuteFinished
SecurityBprmCredsForExec
SecurityTaskSetrlimit
MaxCommonID
)

Expand Down Expand Up @@ -13054,6 +13055,23 @@ var CoreEvents = map[ID]Definition{
{Type: "const char*", Name: "resolved_path"},
},
},
SecurityTaskSetrlimit: {
id: SecurityTaskSetrlimit,
id32Bit: Sys32Undefined,
name: "security_task_setrlimit",
dependencies: Dependencies{
probes: []Probe{
{handle: probes.SecurityTaskSetrlimit, required: true},
},
},
sets: []string{"lsm"},
params: []trace.ArgMeta{
{Type: "u32", Name: "target_host_pid"},
{Type: "int", Name: "resource"},
{Type: "u64", Name: "new_rlim_cur"},
{Type: "u64", Name: "new_rlim_max"},
},
},
//
// Begin of Signal Events (Control Plane)
//