DataDog
diff --git a/‎docs/cloud-workload-security/linux_expressions.md
Lines changed: 429 additions & 124 deletions b/‎docs/cloud-workload-security/linux_expressions.md
Lines changed: 429 additions & 124 deletions
diff --git a/‎docs/cloud-workload-security/secl_linux.json
Lines changed: 1621 additions & 2 deletions b/‎docs/cloud-workload-security/secl_linux.json
Lines changed: 1621 additions & 2 deletions
diff --git a/‎pkg/security/ebpf/c/include/constants/enums.h
Lines changed: 1 addition & 0 deletions b/‎pkg/security/ebpf/c/include/constants/enums.h
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/security/ebpf/c/include/events_definition.h
Lines changed: 13 additions & 0 deletions b/‎pkg/security/ebpf/c/include/events_definition.h
Lines changed: 13 additions & 0 deletions
diff --git a/‎pkg/security/ebpf/c/include/hooks/all.h
Lines changed: 1 addition & 0 deletions b/‎pkg/security/ebpf/c/include/hooks/all.h
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/security/ebpf/c/include/hooks/setrlimit.h
Lines changed: 145 additions & 0 deletions b/‎pkg/security/ebpf/c/include/hooks/setrlimit.h
Lines changed: 145 additions & 0 deletions
diff --git a/‎pkg/security/ebpf/c/include/structs/syscalls.h
Lines changed: 9 additions & 0 deletions b/‎pkg/security/ebpf/c/include/structs/syscalls.h
Lines changed: 9 additions & 0 deletions
diff --git a/‎pkg/security/ebpf/probes/all.go
Lines changed: 1 addition & 0 deletions b/‎pkg/security/ebpf/probes/all.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/security/ebpf/probes/event_types.go
Lines changed: 7 additions & 0 deletions b/‎pkg/security/ebpf/probes/event_types.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/security/ebpf/probes/raw_sys_exit.go
Lines changed: 7 additions & 0 deletions b/‎pkg/security/ebpf/probes/raw_sys_exit.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/security/ebpf/probes/setrlimit.go
Lines changed: 37 additions & 0 deletions b/‎pkg/security/ebpf/probes/setrlimit.go
Lines changed: 37 additions & 0 deletions
diff --git a/‎pkg/security/probe/probe_ebpf.go
Lines changed: 15 additions & 0 deletions b/‎pkg/security/probe/probe_ebpf.go
Lines changed: 15 additions & 0 deletions
@@ -58,6 +58,7 @@ enum event_type
     EVENT_NETWORK_FLOW_MONITOR,
     EVENT_STAT,
     EVENT_SYSCTL,
+    EVENT_SETRLIMIT,
     EVENT_SETSOCKOPT,
     EVENT_MAX, // has to be the last one
 
 
@@ -518,6 +518,19 @@ struct sysctl_event_t {
     char sysctl_buffer[MAX_SYSCTL_BUFFER_LEN];
 };
 
+struct setrlimit_event_t {
+    struct kevent_t event;
+    struct process_context_t process;
+    struct span_context_t span;
+    struct container_context_t container;
+    struct syscall_t syscall;
+
+    int resource;
+    u32 target;
+    u64 rlim_cur;
+    u64 rlim_max;
+};
+
 struct setsockopt_event_t {
     struct kevent_t event;
     struct process_context_t process;
 
@@ -36,6 +36,7 @@
 #include "utimes.h"
 #include "on_demand.h"
 #include "chdir.h"
+#include "setrlimit.h"
 
 #include "network/accept.h"
 #include "network/bind.h"
 
@@ -0,0 +1,145 @@
+#ifndef _HOOKS_SETRLIMIT_H_
+#define _HOOKS_SETRLIMIT_H_
+
+#include "constants/syscall_macro.h"   
+#include "helpers/discarders.h"        
+#include "helpers/syscalls.h"          
+#include "events_definition.h"        
+
+#define SETRLIMIT_RATE_LIMITER  100     
+
+static const int important_resources[] = {
+    RLIMIT_CPU,
+    RLIMIT_FSIZE,
+    RLIMIT_NOFILE,
+    RLIMIT_STACK,
+    RLIMIT_NPROC,
+    RLIMIT_CORE
+};
+
+static __always_inline int handle_setrlimit_common(unsigned int resource, const struct rlimit __user *new_rlim, u32 target_pid)
+{
+    bool is_important = false;
+    for (int i = 0; i < ARRAY_SIZE(important_resources); i++) {
+        if (resource == important_resources[i]) {
+            is_important = true;
+            break;
+        }
+    }
+    if (!is_important &&
+        !pid_rate_limiter_allow(SETRLIMIT_RATE_LIMITER, 1)) {
+        return 0;
+    }
+
+    struct rlimit rlim;
+    if (bpf_probe_read_user(&rlim, sizeof(rlim), new_rlim) < 0) {
+        return 0;
+    }
+
+    struct syscall_cache_t cache = {
+        .type        = EVENT_SETRLIMIT,
+        .setrlimit = {
+            .resource     = resource,
+            .pid          = target_pid,
+            .rlim_cur     = rlim.rlim_cur,
+            .rlim_max     = rlim.rlim_max,
+        }
+    };
+
+    cache_syscall(&cache);
+    return 0;
+}
+
+HOOK_SYSCALL_ENTRY2(setrlimit,
+                    unsigned int, resource,
+                    const struct rlimit __user *, new_rlim)
+{
+    return handle_setrlimit_common(resource, new_rlim, 0);
+}
+
+HOOK_ENTRY("security_task_setrlimit")
+int hook_security_task_setrlimit(ctx_t *ctx)
+{
+    struct task_struct *task = (struct task_struct *)CTX_PARM1(ctx);
+    if (!task) {
+        return 0;
+    }
+
+    struct syscall_cache_t *cache = peek_syscall(EVENT_SETRLIMIT);
+    if (!cache) {
+        return 0;
+    }
+
+    // Get the root namespace PID for the target process
+    u32 root_pid = get_root_nr_from_task_struct(task);
+    if (root_pid == 0) {
+        return 0;
+    }
+
+    // Update the cache with the target process information
+    cache->setrlimit.pid = root_pid;
+
+    return 0;
+}
+
+static __always_inline int
+sys_setrlimit_ret(void *ctx, int ret)
+{
+    struct syscall_cache_t *cache = pop_syscall(EVENT_SETRLIMIT);
+    if (!cache) {
+        return 0;
+    }
+
+    if (ret != 0 && ret != -EPERM) {
+        return 0;
+    }
+
+    if (cache->setrlimit.pid == 0) {
+       u32 fallback = bpf_get_current_pid_tgid() >> 32;
+       cache->setrlimit.pid = fallback;
+    }
+
+    struct setrlimit_event_t evt = {
+        .syscall.retval = ret,
+        .resource = cache->setrlimit.resource,
+        .rlim_cur = cache->setrlimit.rlim_cur,
+        .rlim_max = cache->setrlimit.rlim_max,
+        .target = cache->setrlimit.pid,
+    };
+
+    struct proc_cache_t *pc = fill_process_context(&evt.process);
+    fill_container_context(pc, &evt.container);
+    fill_span_context(&evt.span);
+
+    send_event(ctx, EVENT_SETRLIMIT, evt);
+    return 0;
+}
+
+HOOK_SYSCALL_EXIT(setrlimit) {
+    return sys_setrlimit_ret(ctx, (int)SYSCALL_PARMRET(ctx));
+}
+
+TAIL_CALL_TRACEPOINT_FNC(handle_sys_setrlimit_exit,
+                         struct tracepoint_raw_syscalls_sys_exit_t *args)
+{
+    return sys_setrlimit_ret(args, args->ret);
+}
+
+HOOK_SYSCALL_ENTRY4(prlimit64,
+                    pid_t, pid,
+                    int, resource,
+                    const struct rlimit __user *, new_limit,
+                    struct rlimit __user *, old_limit)
+{
+    if (new_limit == NULL) {
+        return 0;
+    }
+    
+    return handle_setrlimit_common(resource, new_limit, pid);
+}
+
+HOOK_SYSCALL_EXIT(prlimit64) {
+    return sys_setrlimit_ret(ctx, (int)SYSCALL_PARMRET(ctx));
+}
+
+#endif  // _HOOKS_SETRLIMIT_H_
@@ -74,6 +74,15 @@ struct syscall_cache_t {
             struct file_t target_file;
         } rename;
 
+        struct {
+            int resource;
+            u64 rlim_cur;
+            u64 rlim_max;
+            u32 pid;
+            struct process_context_t target_process;
+            struct container_context_t target_container;
+        } setrlimit;
+
         struct {
             struct dentry *dentry;
             struct path *path;
 
@@ -113,6 +113,7 @@ func AllProbes(fentry bool, cgroup2MountPoint string) []*manager.Probe {
 	allProbes = append(allProbes, GetOnDemandProbes()...)
 	allProbes = append(allProbes, GetPerfEventProbes()...)
 	allProbes = append(allProbes, getSysCtlProbes(cgroup2MountPoint)...)
+	allProbes = append(allProbes, getSetrlimitProbes(fentry)...)
 
 	allProbes = append(allProbes,
 		&manager.Probe{
 
@@ -536,6 +536,13 @@ func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSe
 				hookFunc("hook_proc_sys_call_handler"),
 			}},
 		},
+		"setrlimit": {
+			&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "setrlimit", fentry, EntryAndExit)},
+			&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "prlimit64", fentry, EntryAndExit)},
+			&manager.AllOf{Selectors: []manager.ProbesSelector{
+				hookFunc("hook_security_task_setrlimit"),
+			}},
+		},
 	}
 
 	// Add probes required to track network interfaces and map network flows to processes
 
@@ -205,6 +205,13 @@ func getSysExitTailCallRoutes() []manager.TailCallRoute {
 				EBPFFuncName: tailCallTracepointFnc("handle_sys_newfstatat_exit"),
 			},
 		},
+		{
+			ProgArrayName: "sys_exit_progs",
+			Key:           uint32(model.SetrlimitEventType),
+			ProbeIdentificationPair: manager.ProbeIdentificationPair{
+				EBPFFuncName: tailCallTracepointFnc("handle_sys_setrlimit_exit"),
+			},
+		},
 		{
 			ProgArrayName: "sys_exit_progs",
 			Key:           uint32(model.SetSockOptEventType),
 
@@ -0,0 +1,37 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package probes holds probes related files
+package probes
+
+import manager "github.com/DataDog/ebpf-manager"
+
+func getSetrlimitProbes(fentry bool) []*manager.Probe {
+	var setrlimitProbes []*manager.Probe
+	setrlimitProbes = append(setrlimitProbes, ExpandSyscallProbes(&manager.Probe{
+		ProbeIdentificationPair: manager.ProbeIdentificationPair{
+			UID: SecurityAgentUID,
+		},
+		SyscallFuncName: "setrlimit",
+	}, fentry, EntryAndExit)...)
+	setrlimitProbes = append(setrlimitProbes, ExpandSyscallProbes(&manager.Probe{
+		ProbeIdentificationPair: manager.ProbeIdentificationPair{
+			UID: SecurityAgentUID,
+		},
+		SyscallFuncName: "prlimit64",
+	}, fentry, EntryAndExit)...)
+
+	// Add the LSM hook for setrlimit
+	setrlimitProbes = append(setrlimitProbes, &manager.Probe{
+		ProbeIdentificationPair: manager.ProbeIdentificationPair{
+			UID:          SecurityAgentUID,
+			EBPFFuncName: "hook_security_task_setrlimit",
+		},
+	})
+
+	return setrlimitProbes
+}
@@ -1441,6 +1441,21 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 			seclog.Errorf("failed to decode setsockopt event: %s (offset %d, len %d)", err, offset, len(data))
 			return
 		}
+	case model.SetrlimitEventType:
+		if _, err = event.Setrlimit.UnmarshalBinary(data[offset:]); err != nil {
+			seclog.Errorf("failed to decode setrlimit event: %s (offset %d, len %d)", err, offset, len(data))
+			return
+		}
+		// resolve target process context
+		var pce *model.ProcessCacheEntry
+		if event.Setrlimit.TargetPid > 0 {
+			pce = p.Resolvers.ProcessResolver.Resolve(event.Setrlimit.TargetPid, event.Setrlimit.TargetPid, 0, false, newEntryCb)
+		}
+		if pce == nil {
+			pce = model.NewPlaceholderProcessCacheEntry(event.Setrlimit.TargetPid, event.Setrlimit.TargetPid, false)
+		}
+		event.Setrlimit.Target = &pce.ProcessContext
+
 	}
 
 	// resolve the container context