update: seperate getrlimit and setrlimit

Signed-off-by: rohith-raju <[email protected]>
falcosecurity · Sep 12, 2023 · ded2f47 · ded2f47
1 parent af74c01
commit ded2f47
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 9 deletions.
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -1034,7 +1034,48 @@ FILLER(sys_getrlimit_setrlimit_e, true)
 	return bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource));
 }
 
-FILLER(sys_getrlimit_setrlrimit_x, true)
+FILLER(sys_getrlimit_x, true)
+{
+	unsigned long val;
+	long retval;
+	s64 cur;
+	s64 max;
+	int res;
+
+	/* Parameter 1: ret (type: PT_ERRNO) */
+	retval = bpf_syscall_get_retval(data->ctx);
+	res = bpf_push_s64_to_ring(data, retval);
+	CHECK_RES(res);
+
+	/*
+	 * Copy the user structure and extract cur and max
+	 */
+	if(retval >= 0 || data->state->tail_ctx.evt_type == PPME_SYSCALL_SETRLIMIT_X)
+	{
+		struct rlimit rl;
+
+		val = bpf_syscall_get_argument(data, 1);
+		if(bpf_probe_read_user(&rl, sizeof(rl), (void *)val))
+			return PPM_FAILURE_INVALID_USER_MEMORY;
+
+		cur = rl.rlim_cur;
+		max = rl.rlim_max;
+	}
+	else
+	{
+		cur = -1;
+		max = -1;
+	}
+
+	/* Parameter 2: cur (type: PT_ERRNO) */
+	res = bpf_push_s64_to_ring(data, cur);
+	CHECK_RES(res);
+
+	/* Parameter 3: max (type: PT_ERRNO) */
+	return bpf_push_s64_to_ring(data, max);
+}
+
+FILLER(sys_setrlrimit_x, true)
 {
 	unsigned long val;
 	long retval;
@@ -1070,11 +1111,11 @@ FILLER(sys_getrlimit_setrlrimit_x, true)
 		max = -1;
 	}
 
-	/* Parameter 3: resource (type: PT_ERRNO) */
+	/* Parameter 3: cur (type: PT_ERRNO) */
 	res = bpf_push_s64_to_ring(data, cur);
 	CHECK_RES(res);
 
-	/* Parameter 4: resource (type: PT_ERRNO) */
+	/* Parameter 4: max (type: PT_ERRNO) */
 	return bpf_push_s64_to_ring(data, max);
 }
 

diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -144,9 +144,9 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_inotify_init_e)},
 	[PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_single_x)},
 	[PPME_SYSCALL_GETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
-	[PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_setrlrimit_x)},
+	[PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_x)},
 	[PPME_SYSCALL_SETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
-	[PPME_SYSCALL_SETRLIMIT_X] = {FILLER_REF(sys_getrlimit_setrlrimit_x)},
+	[PPME_SYSCALL_SETRLIMIT_X] = {FILLER_REF(sys_setrlrimit_x)},
 	[PPME_SYSCALL_PRLIMIT_E] = {FILLER_REF(sys_prlimit_e)},
 	[PPME_SYSCALL_PRLIMIT_X] = {FILLER_REF(sys_prlimit_x)},
 	[PPME_DROP_E] = {FILLER_REF(sched_drop)},

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -4271,7 +4271,69 @@ int f_sys_getrlimit_setrlimit_e(struct event_filler_arguments *args)
 	return add_sentinel(args);
 }
 
-int f_sys_getrlimit_setrlrimit_x(struct event_filler_arguments *args)
+int f_sys_getrlimit_x(struct event_filler_arguments *args) {
+	unsigned long val;
+	int res;
+	int64_t retval;
+	struct rlimit rl;
+#ifdef CONFIG_COMPAT
+	struct compat_rlimit compat_rl;
+#endif
+	int64_t cur;
+	int64_t max;
+
+	/* Parameter 1: res */
+	retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	/*
+	 * Copy the user structure and extract cur and max
+	 */
+	if(retval >= 0 || args->event_type == PPME_SYSCALL_SETRLIMIT_X)
+	{
+		syscall_get_arguments_deprecated(args, 1, 1, &val);
+
+#ifdef CONFIG_COMPAT
+		if(!args->compat)
+		{
+#endif
+			if(unlikely(ppm_copy_from_user(&rl, (const void __user *)val, sizeof(struct rlimit))))
+				return PPM_FAILURE_INVALID_USER_MEMORY;
+			cur = rl.rlim_cur;
+			max = rl.rlim_max;
+#ifdef CONFIG_COMPAT
+		}
+		else
+		{
+			if(unlikely(ppm_copy_from_user(&compat_rl, (const void __user *)compat_ptr(val),
+						       sizeof(struct compat_rlimit))))
+				return PPM_FAILURE_INVALID_USER_MEMORY;
+			cur = compat_rl.rlim_cur;
+			max = compat_rl.rlim_max;
+		}
+#endif
+	}
+	else
+	{
+		cur = -1;
+		max = -1;
+	}
+
+	/* Parameter 2: cur */
+	res = val_to_ring(args, cur, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 3: max */
+	res = val_to_ring(args, max, 0, false, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
+
+
+int f_sys_setrlrimit_x(struct event_filler_arguments *args)
 {
 	unsigned long val;
 	int res;
@@ -4319,11 +4381,11 @@ int f_sys_getrlimit_setrlrimit_x(struct event_filler_arguments *args)
 		max = -1;
 	}
 
-	/* Parameter 3: resource */
+	/* Parameter 3: cur */
 	res = val_to_ring(args, cur, 0, false, 0);
 	CHECK_RES(res);
 
-	/* Parameter 4: resource */
+	/* Parameter 4: max */
 	res = val_to_ring(args, max, 0, false, 0);
 	CHECK_RES(res);
 

diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
@@ -66,7 +66,8 @@ or GPL2.txt for full copies of the license.
 	FN(sys_pwritev_e)			\
 	FN(sys_nanosleep_e)			\
 	FN(sys_getrlimit_setrlimit_e)		\
-	FN(sys_getrlimit_setrlrimit_x)		\
+	FN(sys_getrlimit_x)		\
+	FN(sys_setrlrimit_x)		\
 	FN(sys_prlimit_e)			\
 	FN(sys_prlimit_x)			\
 	FN(sched_switch_e)			\