[CWS] add syscall ctx for rmdir & mkdir (#32553)

DataDog · Jan 3, 2025 · 9256717 · 9256717
1 parent ae3044e
commit 9256717
Show file tree

Hide file tree

Showing 14 changed files with 378 additions and 10 deletions.
diff --git a/docs/cloud-workload-security/backend_linux.md b/docs/cloud-workload-security/backend_linux.md
@@ -1615,6 +1615,12 @@ CSM Threats event for Linux systems have the following JSON schema:
                 },
                 "mount": {
                     "$ref": "#/$defs/SyscallArgs"
+                },
+                "mkdir": {
+                    "$ref": "#/$defs/SyscallArgs"
+                },
+                "rmdir": {
+                    "$ref": "#/$defs/SyscallArgs"
                 }
             },
             "additionalProperties": false,
@@ -4206,6 +4212,12 @@ CSM Threats event for Linux systems have the following JSON schema:
         },
         "mount": {
             "$ref": "#/$defs/SyscallArgs"
+        },
+        "mkdir": {
+            "$ref": "#/$defs/SyscallArgs"
+        },
+        "rmdir": {
+            "$ref": "#/$defs/SyscallArgs"
         }
     },
     "additionalProperties": false,

diff --git a/docs/cloud-workload-security/backend_linux.schema.json b/docs/cloud-workload-security/backend_linux.schema.json
@@ -1604,6 +1604,12 @@
         },
         "mount": {
           "$ref": "#/$defs/SyscallArgs"
+        },
+        "mkdir": {
+          "$ref": "#/$defs/SyscallArgs"
+        },
+        "rmdir": {
+          "$ref": "#/$defs/SyscallArgs"
         }
       },
       "additionalProperties": false,

diff --git a/docs/cloud-workload-security/linux_expressions.md b/docs/cloud-workload-security/linux_expressions.md
@@ -873,6 +873,8 @@ A directory was created
 | [`mkdir.file.uid`](#common-filefields-uid-doc) | UID of the file's owner |
 | [`mkdir.file.user`](#common-filefields-user-doc) | User of the file's owner |
 | [`mkdir.retval`](#common-syscallevent-retval-doc) | Return value of the syscall |
+| [`mkdir.syscall.mode`](#mkdir-syscall-mode-doc) | Mode of the new directory |
+| [`mkdir.syscall.path`](#mkdir-syscall-path-doc) | Path argument of the syscall |
 
 ### Event `mmap`
 
@@ -1346,6 +1348,7 @@ A directory was removed
 | [`rmdir.file.uid`](#common-filefields-uid-doc) | UID of the file's owner |
 | [`rmdir.file.user`](#common-filefields-user-doc) | User of the file's owner |
 | [`rmdir.retval`](#common-syscallevent-retval-doc) | Return value of the syscall |
+| [`rmdir.syscall.path`](#rmdir-syscall-path-doc) | Path argument of the syscall |
 
 ### Event `selinux`
 
@@ -2969,6 +2972,20 @@ Constants: [File mode constants](#file-mode-constants)
 
 
 
+### `mkdir.syscall.mode` {#mkdir-syscall-mode-doc}
+Type: int
+
+Definition: Mode of the new directory
+
+
+
+### `mkdir.syscall.path` {#mkdir-syscall-path-doc}
+Type: string
+
+Definition: Path argument of the syscall
+
+
+
 ### `mmap.flags` {#mmap-flags-doc}
 Type: int
 
@@ -3137,6 +3154,13 @@ Definition: Path argument of the syscall
 
 
 
+### `rmdir.syscall.path` {#rmdir-syscall-path-doc}
+Type: string
+
+Definition: Path argument of the syscall
+
+
+
 ### `selinux.bool.name` {#selinux-bool-name-doc}
 Type: string
 

diff --git a/docs/cloud-workload-security/secl_linux.json b/docs/cloud-workload-security/secl_linux.json
@@ -3402,6 +3402,16 @@
           "name": "mkdir.retval",
           "definition": "Return value of the syscall",
           "property_doc_link": "common-syscallevent-retval-doc"
+        },
+        {
+          "name": "mkdir.syscall.mode",
+          "definition": "Mode of the new directory",
+          "property_doc_link": "mkdir-syscall-mode-doc"
+        },
+        {
+          "name": "mkdir.syscall.path",
+          "definition": "Path argument of the syscall",
+          "property_doc_link": "mkdir-syscall-path-doc"
         }
       ]
     },
@@ -5523,6 +5533,11 @@
           "name": "rmdir.retval",
           "definition": "Return value of the syscall",
           "property_doc_link": "common-syscallevent-retval-doc"
+        },
+        {
+          "name": "rmdir.syscall.path",
+          "definition": "Path argument of the syscall",
+          "property_doc_link": "rmdir-syscall-path-doc"
         }
       ]
     },
@@ -10264,6 +10279,30 @@
       "constants_link": "file-mode-constants",
       "examples": []
     },
+    {
+      "name": "mkdir.syscall.mode",
+      "link": "mkdir-syscall-mode-doc",
+      "type": "int",
+      "definition": "Mode of the new directory",
+      "prefixes": [
+        "mkdir"
+      ],
+      "constants": "",
+      "constants_link": "",
+      "examples": []
+    },
+    {
+      "name": "mkdir.syscall.path",
+      "link": "mkdir-syscall-path-doc",
+      "type": "string",
+      "definition": "Path argument of the syscall",
+      "prefixes": [
+        "mkdir"
+      ],
+      "constants": "",
+      "constants_link": "",
+      "examples": []
+    },
     {
       "name": "mmap.flags",
       "link": "mmap-flags-doc",
@@ -10516,6 +10555,18 @@
       "constants_link": "",
       "examples": []
     },
+    {
+      "name": "rmdir.syscall.path",
+      "link": "rmdir-syscall-path-doc",
+      "type": "string",
+      "definition": "Path argument of the syscall",
+      "prefixes": [
+        "rmdir"
+      ],
+      "constants": "",
+      "constants_link": "",
+      "examples": []
+    },
     {
       "name": "selinux.bool.name",
       "link": "selinux-bool-name-doc",

diff --git a/pkg/security/ebpf/c/include/events_definition.h b/pkg/security/ebpf/c/include/events_definition.h
@@ -223,6 +223,7 @@ struct mkdir_event_t {
     struct span_context_t span;
     struct container_context_t container;
     struct syscall_t syscall;
+    struct syscall_context_t syscall_ctx;
     struct file_t file;
     u32 mode;
     u32 padding;
@@ -354,6 +355,7 @@ struct rmdir_event_t {
     struct span_context_t span;
     struct container_context_t container;
     struct syscall_t syscall;
+    struct syscall_context_t syscall_ctx;
     struct file_t file;
 };
 

diff --git a/pkg/security/ebpf/c/include/hooks/mkdir.h b/pkg/security/ebpf/c/include/hooks/mkdir.h
@@ -7,7 +7,7 @@
 #include "helpers/filesystem.h"
 #include "helpers/syscalls.h"
 
-long __attribute__((always_inline)) trace__sys_mkdir(u8 async, umode_t mode) {
+long __attribute__((always_inline)) trace__sys_mkdir(u8 async, const char *filename, umode_t mode) {
     if (is_discarded_by_pid()) {
         return 0;
     }
@@ -21,17 +21,20 @@ long __attribute__((always_inline)) trace__sys_mkdir(u8 async, umode_t mode) {
             .mode = mode }
     };
 
+    if (!async) {
+        collect_syscall_ctx(&syscall, SYSCALL_CTX_ARG_STR(0) | SYSCALL_CTX_ARG_INT(1), (void *)filename, (void *)&mode, NULL);
+    }
     cache_syscall(&syscall);
 
     return 0;
 }
 
 HOOK_SYSCALL_ENTRY2(mkdir, const char *, filename, umode_t, mode) {
-    return trace__sys_mkdir(SYNC_SYSCALL, mode);
+    return trace__sys_mkdir(SYNC_SYSCALL, filename, mode);
 }
 
 HOOK_SYSCALL_ENTRY3(mkdirat, int, dirfd, const char *, filename, umode_t, mode) {
-    return trace__sys_mkdir(SYNC_SYSCALL, mode);
+    return trace__sys_mkdir(SYNC_SYSCALL, filename, mode);
 }
 
 HOOK_ENTRY("vfs_mkdir")
@@ -99,7 +102,7 @@ int hook_do_mkdirat(ctx_t *ctx) {
     struct syscall_cache_t *syscall = peek_syscall(EVENT_MKDIR);
     if (!syscall) {
         umode_t mode = (umode_t)CTX_PARM3(ctx);
-        return trace__sys_mkdir(ASYNC_SYSCALL, mode);
+        return trace__sys_mkdir(ASYNC_SYSCALL, NULL, mode);
     }
     return 0;
 }
@@ -144,6 +147,7 @@ int __attribute__((always_inline)) dr_mkdir_callback(void *ctx) {
 
     struct mkdir_event_t event = {
         .syscall.retval = retval,
+        .syscall_ctx.id = syscall->ctx_id,
         .event.flags = syscall->async ? EVENT_FLAGS_ASYNC : 0,
         .file = syscall->mkdir.file,
         .mode = syscall->mkdir.mode,

diff --git a/pkg/security/ebpf/c/include/hooks/rmdir.h b/pkg/security/ebpf/c/include/hooks/rmdir.h
@@ -7,27 +7,30 @@
 #include "helpers/filesystem.h"
 #include "helpers/syscalls.h"
 
-int __attribute__((always_inline)) trace__sys_rmdir(u8 async, int flags) {
+int __attribute__((always_inline)) trace__sys_rmdir(u8 async, const char *filename) {
     struct syscall_cache_t syscall = {
         .type = EVENT_RMDIR,
         .policy = fetch_policy(EVENT_RMDIR),
         .async = async,
     };
 
+    if (!async) {
+        collect_syscall_ctx(&syscall, SYSCALL_CTX_ARG_STR(0), (void *)filename, NULL, NULL);
+    }
     cache_syscall(&syscall);
 
     return 0;
 }
 
-HOOK_SYSCALL_ENTRY0(rmdir) {
-    return trace__sys_rmdir(SYNC_SYSCALL, 0);
+HOOK_SYSCALL_ENTRY1(rmdir, const char *, filename) {
+    return trace__sys_rmdir(SYNC_SYSCALL, filename);
 }
 
 HOOK_ENTRY("do_rmdir")
 int hook_do_rmdir(ctx_t *ctx) {
     struct syscall_cache_t *syscall = peek_syscall_with(rmdir_predicate);
     if (!syscall) {
-        return trace__sys_rmdir(ASYNC_SYSCALL, 0);
+        return trace__sys_rmdir(ASYNC_SYSCALL, NULL);
     }
     return 0;
 }
@@ -138,6 +141,7 @@ int __attribute__((always_inline)) sys_rmdir_ret(void *ctx, int retval) {
     if (syscall->state != DISCARDED && is_event_enabled(EVENT_RMDIR)) {
         struct rmdir_event_t event = {
             .syscall.retval = retval,
+            .syscall_ctx.id = syscall->ctx_id,
             .event.flags = syscall->async ? EVENT_FLAGS_ASYNC : 0,
             .file = syscall->rmdir.file,
         };