[CWS-6123] Implement pivot_root (#47935)

### What does this PR do?

Implement the pivot_root syscall

### Motivation

When containers are spawned and create their mounts, it uses pivot_root to pivot the mounted mountpoint to the root of the mount namespace. This wasn't being tracked and was creating erroneous mountpoints in our events.

### Describe how you validated your changes

* KMT tests
* Deployed on a cluster

Co-authored-by: marcio.kovags <marcio.kovags@datadoghq.com>

Author: kovagsm

pkg/security/ebpf/c/include/constants/enums.h

@@ -74,6 +74,7 @@ enum event_type
     FAILED_DNS,
     EVENT_TRACER_MEMFD_CREATE,
     EVENT_TRACER_MEMFD_SEAL,
+    EVENT_PIVOT_ROOT,
     EVENT_NOP,
     EVENT_MAX, // has to be the last one
 
@@ -260,6 +261,7 @@ enum mount_source_t
     SOURCE_FSMOUNT,
     SOURCE_OPEN_TREE,
     SOURCE_MOVE_MOUNT,
+    SOURCE_PIVOT_ROOT,
 };
 
 #endif

pkg/security/ebpf/c/include/helpers/events_predicates.h

@@ -29,23 +29,23 @@ static int __attribute__((always_inline)) credentials_predicate(u64 type) {
 }
 
 static int __attribute__((always_inline)) mountpoint_predicate(u64 type) {
-    return type == EVENT_MOUNT || type == EVENT_UNSHARE_MNTNS || type == EVENT_OPEN_TREE || type == EVENT_MOVE_MOUNT;
+    return type == EVENT_MOUNT || type == EVENT_UNSHARE_MNTNS || type == EVENT_OPEN_TREE || type == EVENT_MOVE_MOUNT || type == EVENT_PIVOT_ROOT;
 }
 
 static int __attribute__((always_inline)) mount_or_open_tree(u64 type) {
     return type == EVENT_MOUNT || type == EVENT_OPEN_TREE;
 }
 
 static int __attribute__((always_inline)) unshare_or_move_mount(u64 type) {
-    return type == EVENT_UNSHARE_MNTNS || type == EVENT_MOVE_MOUNT;
+    return type == EVENT_UNSHARE_MNTNS || type == EVENT_MOVE_MOUNT || type == EVENT_PIVOT_ROOT;
 }
 
 static int __attribute__((always_inline)) mount_or_move_mount(u64 type) {
     return type == EVENT_MOUNT || type == EVENT_MOVE_MOUNT;
 }
 
 static int __attribute__((always_inline)) unshare_or_open_tree_or_move_mount(u64 type) {
-    return type == EVENT_UNSHARE_MNTNS || type == EVENT_OPEN_TREE || type == EVENT_MOVE_MOUNT;
+    return type == EVENT_UNSHARE_MNTNS || type == EVENT_OPEN_TREE || type == EVENT_MOVE_MOUNT || type == EVENT_PIVOT_ROOT;
 }
 
 #endif

pkg/security/ebpf/c/include/hooks/all.h

@@ -19,6 +19,7 @@
 #include "mprotect.h"
 #include "namespaces.h"
 #include "open.h"
+#include "pivot_root.h"
 #include "procfs.h"
 #include "ptrace.h"
 #include "raw_syscalls.h"

pkg/security/ebpf/c/include/hooks/mount.h

@@ -259,7 +259,7 @@ int __attribute__((always_inline)) dr_mount_stage_two_callback(void *ctx) {
         return 0;
     }
 
-    if (syscall->type == EVENT_MOUNT || syscall->type == EVENT_OPEN_TREE || syscall->type == EVENT_MOVE_MOUNT) {
+    if (syscall->type == EVENT_MOUNT || syscall->type == EVENT_OPEN_TREE || syscall->type == EVENT_MOVE_MOUNT || syscall->type == EVENT_PIVOT_ROOT) {
         struct mount_event_t event = {
             .syscall.retval = 0,
             .syscall_ctx.id = syscall->ctx_id,
@@ -284,6 +284,11 @@ int __attribute__((always_inline)) dr_mount_stage_two_callback(void *ctx) {
                 event.source = SOURCE_MOVE_MOUNT;
             }
         }
+        if (syscall->type == EVENT_PIVOT_ROOT) {
+            event.source = SOURCE_PIVOT_ROOT;
+            send_event(ctx, EVENT_PIVOT_ROOT, event);
+            return 0;
+        }
         if (syscall->type == EVENT_MOVE_MOUNT) {
             send_event(ctx, EVENT_MOVE_MOUNT, event);
             return 0;

pkg/security/ebpf/c/include/hooks/pivot_root.h

@@ -0,0 +1,31 @@
+#ifndef _HOOKS_PIVOT_ROOT_H_
+#define _HOOKS_PIVOT_ROOT_H_
+
+#include "constants/syscall_macro.h"
+#include "helpers/syscalls.h"
+
+HOOK_SYSCALL_ENTRY0(pivot_root) {
+    struct syscall_cache_t syscall = {
+        .type = EVENT_PIVOT_ROOT,
+    };
+
+    cache_syscall(&syscall);
+
+    return 0;
+}
+
+int __attribute__((always_inline)) sys_pivot_root_ret(void *ctx, int retval) {
+    pop_syscall(EVENT_PIVOT_ROOT);
+    return 0;
+}
+
+HOOK_SYSCALL_EXIT(pivot_root) {
+    int retval = SYSCALL_PARMRET(ctx);
+    return sys_pivot_root_ret(ctx, retval);
+}
+
+TAIL_CALL_TRACEPOINT_FNC(handle_sys_pivot_root_exit, struct tracepoint_raw_syscalls_sys_exit_t *args) {
+    return sys_pivot_root_ret(args, args->ret);
+}
+
+#endif

pkg/security/ebpf/c/include/maps.h

@@ -144,7 +144,7 @@ BPF_PROG_ARRAY(dentry_resolver_tracepoint_callbacks, EVENT_MAX)
 BPF_PROG_ARRAY(dentry_resolver_kprobe_or_fentry_progs, 6)
 BPF_PROG_ARRAY(dentry_resolver_tracepoint_progs, 3)
 BPF_PROG_ARRAY(classifier_router, 10)
-BPF_PROG_ARRAY(sys_exit_progs, 64)
+BPF_PROG_ARRAY(sys_exit_progs, EVENT_MAX)
 BPF_PROG_ARRAY(raw_packet_classifier_router, 32)
 BPF_PROG_ARRAY(flush_network_stats_progs, 2)
 BPF_PROG_ARRAY(open_ret_progs, 1)

pkg/security/ebpf/probes/event_types.go

@@ -265,6 +265,7 @@ func GetSelectorsPerEventType(hasFentry bool, hasCgroupSocket bool) map[eval.Eve
 			&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "move_mount", hasFentry, EntryAndExit, false)},
 			&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "umount", hasFentry, Exit)},
 			&manager.OneOf{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "unshare", hasFentry, EntryAndExit)},
+			&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "pivot_root", hasFentry, EntryAndExit)},
 			&manager.OneOf{Selectors: []manager.ProbesSelector{
 				hookFunc("hook_attach_mnt"),
 				hookFunc("hook___attach_mnt"),

pkg/security/ebpf/probes/mount.go

@@ -122,5 +122,11 @@ func getMountProbes(fentry bool) []*manager.Probe {
 		},
 		SyscallFuncName: "move_mount",
 	}, fentry, EntryAndExit)...)
+	mountProbes = append(mountProbes, ExpandSyscallProbes(&manager.Probe{
+		ProbeIdentificationPair: manager.ProbeIdentificationPair{
+			UID: SecurityAgentUID,
+		},
+		SyscallFuncName: "pivot_root",
+	}, fentry, EntryAndExit)...)
 	return mountProbes
 }

pkg/security/ebpf/probes/raw_sys_exit.go

@@ -226,5 +226,12 @@ func getSysExitTailCallRoutes() []manager.TailCallRoute {
 				EBPFFuncName: tailCallTracepointFnc("handle_sys_prctl_exit"),
 			},
 		},
+		{
+			ProgArrayName: "sys_exit_progs",
+			Key:           uint32(model.PivotRootEventType),
+			ProbeIdentificationPair: manager.ProbeIdentificationPair{
+				EBPFFuncName: tailCallTracepointFnc("handle_sys_pivot_root_exit"),
+			},
+		},
 	}
 }

pkg/security/probe/probe_ebpf.go

@@ -1240,7 +1240,7 @@ func (p *EBPFProbe) handleRegularEvent(event *model.Event, offset int, dataLen u
 	eventType := event.GetEventType()
 	switch eventType {
 
-	case model.FileMountEventType, model.FileMoveMountEventType:
+	case model.FileMountEventType, model.FileMoveMountEventType, model.PivotRootEventType:
 		if !p.regularUnmarshalEvent(&event.Mount, eventType, offset, dataLen, data) {
 			return false
 		}
@@ -2310,7 +2310,7 @@ func (p *EBPFProbe) handleNewMount(ev *model.Event, m *model.Mount) error {
 	// so we remove all dentry entries belonging to the mountID.
 	p.Resolvers.DentryResolver.DelCacheEntriesForMountID(m.MountID)
 
-	if !m.Detached && ev.GetEventType() != model.FileMoveMountEventType {
+	if !m.Detached && ev.GetEventType() != model.FileMoveMountEventType && ev.GetEventType() != model.PivotRootEventType {
 		// Resolve mount point
 		if err := p.Resolvers.PathResolver.SetMountPoint(ev, m); err != nil {
 			return fmt.Errorf("failed to set mount point: %w", err)
@@ -2323,7 +2323,7 @@ func (p *EBPFProbe) handleNewMount(ev *model.Event, m *model.Mount) error {
 	}
 
 	var err error
-	if ev.GetEventType() == model.FileMoveMountEventType {
+	if ev.GetEventType() == model.FileMoveMountEventType || ev.GetEventType() == model.PivotRootEventType {
 		err = p.Resolvers.MountResolver.InsertMoved(*m)
 	} else {
 		err = p.Resolvers.MountResolver.Insert(*m)