Update(prlimit&setrlimit): Add resource arg for exit event

[Rohith-Raju]

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area tests

What this PR does / why we need it:
Adding the resource argument to the exit events of setrlimit and prlimit will detect and provide useful alerts.

Which issue(s) this PR fixes:

Fixes #1327

Special notes for your reviewer:

Does this PR introduce a user-facing change?: No

Update(`prlimit`&`setrlimit`):  Add `resource` arg for exit event

[github-actions]

Please double check driver/API_VERSION file. See versioning.

/hold

[Andreagit97]

Thank you for this, we will take a look soon! :)

[Andreagit97]

Thank you for this! Left some comments
@Biagio-Dipalma after this PR it would be possible to access the resource field in setrlimit and prlimit syscalls through evt.arg.resource. Does it sound good to you?

[Andreagit97]

Here we need a minor, so 2.13.0.
Moreover, we need also a major bump in the API_VERSION since we removed some old fillers

[Andreagit97]

Suggested change

	if(retval >= 0 || data->state->tail_ctx.evt_type == PPME_SYSCALL_SETRLIMIT_X)
	if(retval >= 0)

[Andreagit97]

Same in the setrlimit filler, now that we split them there is no more need for this if

[Andreagit97]

Suggested change

	/* Parameter 2: cur (type: PT_ERRNO) */
	/* Parameter 2: cur (type: PT_INT64) */

[Andreagit97]

Same in all other places

[Andreagit97]

Suggested change

	unsigned long resource = bpf_syscall_get_argument(data, 0);
	uint32_t resource = bpf_syscall_get_argument(data, 0);

[Andreagit97]

Same in all other drivers

[Rohith-Raju]

Have a doubt: #1348 (comment)

[Andreagit97]

Suggested change

	if(retval >= 0 || args->event_type == PPME_SYSCALL_SETRLIMIT_X)
	if(retval >= 0)

[Andreagit97]

probably we can remove this, same below

[Andreagit97]

Suggested change

	unsigned long resource = extract__syscall_argument(regs, 0);
	uint32_t resource = extract__syscall_argument(regs, 0);

[Andreagit97]

we could add a test both in setrlimit and prlimit in which we use a valid resource, for example RLIMIT_MEMLOCK, and an invalid pointer to a struct rlimit, so something like syscall(__NR_setrlimit, RLIMIT_MEMLOCK, NULL), WDYT?

[Rohith-Raju]

Yes, Sounds good!!

[Andreagit97]

Instead of returning this code probably here we want to return cur = 0; and max = 0; See the modern bpf implementation. Same for the kmod

[Andreagit97]

We can do something like this

		struct rlimit rl = {0};
		val = bpf_syscall_get_argument(data, 1);
		bpf_probe_read_user(&rl, sizeof(rl), (void *)val);
		cur = rl.rlim_cur;
		max = rl.rlim_max;

instead of returning PPM_FAILURE_INVALID_USER_MEMORY if we fail in bpf_probe_read_user

[Andreagit97]

The PR is great, thank you!
Since I was there I just added a commit to increase consistency between drivers, feel free to revert it if you don't like it :)

[Andreagit97]

unfortunately, due to an inconsistency (#1283) we need a new major API version every time we add a new filler in the old probe

[Rohith-Raju]

@Andreagit97 Understood!!

[FedeDP]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 1730c644404b29a94e3f7e48a796c58cf6938783

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, jasondellaluce, Rohith-Raju

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [FedeDP,jasondellaluce]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[FedeDP]

/unhold