fix(modern_bpf): resolve dirfd path in kernel space to prevent race conditions

This patch resolves the directory file descriptor path in kernel space
at syscall time, preventing race conditions where the dirfd may point
to a different directory by the time user space processes the event.

The race condition occurs when:
1. openat(dirfd=3, name="hosts") is called with dirfd pointing to /etc
2. Event is captured in kernel space with dirfd=3
3. Process closes dirfd=3 and opens a new file, reusing FD number 3
   for a different directory (e.g., /dev)
4. User space resolves dirfd=3 at processing time via /proc/<pid>/fd/3,
   which now points to /dev instead of /etc
5. Result: /dev/hosts instead of /etc/hosts

By resolving the path in kernel space, we capture the actual directory
at the moment of the syscall, eliminating the race condition.

Changes:
- Append new parameter 'dirfdpath' (PT_FSPATH) to existing event versions
  (PPME_SYSCALL_OPENAT_2_X and PPME_SYSCALL_OPENAT2_X) for backward
  compatibility with old scap files
- Resolve dirfd path in BPF programs using extract__file_struct_from_fd()
  and auxmap__store_d_path_approx()
- For AT_FDCWD, capture CWD from task_struct->fs->pwd in kernel space
- Update user space to prefer kernel-resolved path over user-space resolution
- Add comprehensive test coverage for both AT_FDCWD and real dirfd cases

The new parameter is appended at the end of the parameter list, allowing
older libsinsp versions to safely ignore it when processing old scap files
with fewer parameters.

Related to: falcosecurity/falco#3789

Author: irozzo-1A

driver/event_table.c

@@ -2083,14 +2083,15 @@ const struct ppm_event_info g_event_info[] = {
         [PPME_SYSCALL_OPENAT_2_X] = {"openat",
                                      EC_FILE | EC_SYSCALL,
                                      EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
-                                     7,
+                                     8,
                                      {{"fd", PT_FD, PF_DEC},
                                       {"dirfd", PT_FD, PF_DEC},
                                       {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)},
                                       {"flags", PT_FLAGS32, PF_HEX, file_flags},
                                       {"mode", PT_UINT32, PF_OCT},
                                       {"dev", PT_UINT32, PF_HEX},
-                                      {"ino", PT_UINT64, PF_DEC}}},
+                                      {"ino", PT_UINT64, PF_DEC},
+                                      {"dirfdpath", PT_FSPATH, PF_NA}}},
         [PPME_SYSCALL_LINK_2_E] = {"link", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 0},
         [PPME_SYSCALL_LINK_2_X] = {"link",
                                    EC_FILE | EC_SYSCALL,
@@ -2182,15 +2183,16 @@ const struct ppm_event_info g_event_info[] = {
         [PPME_SYSCALL_OPENAT2_X] = {"openat2",
                                     EC_FILE | EC_SYSCALL,
                                     EF_CREATES_FD | EF_MODIFIES_STATE | EF_CONVERTER_MANAGED,
-                                    8,
+                                    9,
                                     {{"fd", PT_FD, PF_DEC},
                                      {"dirfd", PT_FD, PF_DEC},
                                      {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)},
                                      {"flags", PT_FLAGS32, PF_HEX, file_flags},
                                      {"mode", PT_UINT32, PF_OCT},
                                      {"resolve", PT_FLAGS32, PF_HEX, openat2_flags},
                                      {"dev", PT_UINT32, PF_HEX},
-                                     {"ino", PT_UINT64, PF_DEC}}},
+                                     {"ino", PT_UINT64, PF_DEC},
+                                     {"dirfdpath", PT_FSPATH, PF_NA}}},
         [PPME_SYSCALL_MPROTECT_E] = {"mprotect",
                                      EC_MEMORY | EC_SYSCALL,
                                      EF_OLD_VERSION | EF_CONVERTER_MANAGED,

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c

@@ -65,6 +65,49 @@ int BPF_PROG(openat_x, struct pt_regs *regs, long ret) {
 	/* Parameter 7: ino (type: PT_UINT64) */
 	auxmap__store_u64_param(auxmap, ino);
 
+	/* Parameter 8: dirfdpath (type: PT_FSPATH) - kernel-resolved dirfd path */
+	if(dirfd == PPM_AT_FDCWD) {
+		/* For AT_FDCWD, capture the process's current working directory
+		 * in kernel space to prevent race conditions. This captures the
+		 * actual CWD path at syscall time, before the process may exec
+		 * or change directories.
+		 */
+		struct task_struct *task = get_current_task();
+		struct fs_struct *fs = NULL;
+		struct path cwd_path = {};
+
+		BPF_CORE_READ_INTO(&fs, task, fs);
+		if(fs != NULL) {
+			BPF_CORE_READ_INTO(&cwd_path, fs, pwd);
+			auxmap__store_d_path_approx(auxmap, &cwd_path);
+		} else {
+			/* If we cannot access fs_struct, store empty and fall back
+			 * to user space resolution.
+			 */
+			auxmap__store_empty_param(auxmap);
+		}
+	} else if(dirfd >= 0) {
+		/* Resolve the dirfd path in kernel space to prevent race conditions.
+		 * This captures the actual directory path at syscall time, before
+		 * the process may exec or the FD table may change.
+		 */
+		struct file *dir_file = extract__file_struct_from_fd(dirfd);
+		if(dir_file != NULL) {
+			struct path dir_path = {};
+			BPF_CORE_READ_INTO(&dir_path, dir_file, f_path);
+			auxmap__store_d_path_approx(auxmap, &dir_path);
+		} else {
+			/* If we cannot resolve the FD (e.g., it was closed between
+			 * syscall entry and exit), store empty and fall back to
+			 * user space resolution.
+			 */
+			auxmap__store_empty_param(auxmap);
+		}
+	} else {
+		/* Invalid FD, store empty */
+		auxmap__store_empty_param(auxmap);
+	}
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c

@@ -74,6 +74,49 @@ int BPF_PROG(openat2_x, struct pt_regs *regs, long ret) {
 	/* Parameter 8: ino (type: PT_UINT64) */
 	auxmap__store_u64_param(auxmap, ino);
 
+	/* Parameter 9: dirfdpath (type: PT_FSPATH) - kernel-resolved dirfd path */
+	if(dirfd == PPM_AT_FDCWD) {
+		/* For AT_FDCWD, capture the process's current working directory
+		 * in kernel space to prevent race conditions. This captures the
+		 * actual CWD path at syscall time, before the process may exec
+		 * or change directories.
+		 */
+		struct task_struct *task = get_current_task();
+		struct fs_struct *fs = NULL;
+		struct path cwd_path = {};
+
+		BPF_CORE_READ_INTO(&fs, task, fs);
+		if(fs != NULL) {
+			BPF_CORE_READ_INTO(&cwd_path, fs, pwd);
+			auxmap__store_d_path_approx(auxmap, &cwd_path);
+		} else {
+			/* If we cannot access fs_struct, store empty and fall back
+			 * to user space resolution.
+			 */
+			auxmap__store_empty_param(auxmap);
+		}
+	} else if(dirfd >= 0) {
+		/* Resolve the dirfd path in kernel space to prevent race conditions.
+		 * This captures the actual directory path at syscall time, before
+		 * the process may exec or the FD table may change.
+		 */
+		struct file *dir_file = extract__file_struct_from_fd(dirfd);
+		if(dir_file != NULL) {
+			struct path dir_path = {};
+			BPF_CORE_READ_INTO(&dir_path, dir_file, f_path);
+			auxmap__store_d_path_approx(auxmap, &dir_path);
+		} else {
+			/* If we cannot resolve the FD (e.g., it was closed between
+			 * syscall entry and exit), store empty and fall back to
+			 * user space resolution.
+			 */
+			auxmap__store_empty_param(auxmap);
+		}
+	} else {
+		/* Invalid FD, store empty */
+		auxmap__store_empty_param(auxmap);
+	}
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

test/drivers/event_class/event_class.cpp

@@ -3,6 +3,7 @@
 #include <time.h>
 #include <sys/vfs.h> /* or <sys/statfs.h> */
 #include <linux/magic.h>
+#include <filesystem>
 
 #define MAX_CHARBUF_NUM 16
 #define CGROUP_NUMBER 5
@@ -1157,6 +1158,39 @@ void event_test::assert_charbuf_param_any_of(const int param_num,
 	FAIL() << oss.str();
 }
 
+std::string event_test::get_charbuf_param(int param_num) {
+	assert_param_boundaries(param_num);
+	const auto& [param_value, param_size] = m_event_params[m_current_param];
+
+	if(param_size == 0) {
+		return std::string();
+	}
+
+	// Handle null termination
+	size_t str_len =
+	        (param_size > 0 && param_value[param_size - 1] == '\0') ? param_size - 1 : param_size;
+
+	return std::string(param_value, str_len);
+}
+
+void event_test::assert_dirfdpath_matches_cwd(int param_num, const char* expected_cwd) {
+	std::string captured_cwd = get_charbuf_param(param_num);
+	ASSERT_FALSE(captured_cwd.empty()) << "dirfdpath (parameter " << param_num
+	                                   << ") should contain the CWD path, but it's empty";
+
+	/* Use std::filesystem::path for proper path normalization and comparison */
+	std::filesystem::path expected_path(expected_cwd);
+	std::filesystem::path captured_path(captured_cwd);
+
+	/* Normalize paths (remove trailing slashes, resolve . and .., etc.) */
+	expected_path = expected_path.lexically_normal();
+	captured_path = captured_path.lexically_normal();
+
+	ASSERT_TRUE(captured_path == expected_path)
+	        << "Captured CWD path '" << captured_path.string() << "' should match expected CWD '"
+	        << expected_path.string() << "'";
+}
+
 void event_test::assert_charbuf_array_param(int param_num, const char** param) {
 	assert_param_boundaries(param_num);
 	uint16_t total_len = 0;

test/drivers/event_class/event_class.h

@@ -98,13 +98,16 @@ enum direction {
 /*
  * Macro that wraps internal _assert_syscall_state,
  * dealing with ENOSYS syscalls, ie: syscalls that are defined but unimplemented,
+ * and EOPNOTSUPP when the syscall exists but the operation is not supported,
  * skipping the test.
  */
-#define assert_syscall_state(syscall_state, syscall_name, ...)                             \
-	do {                                                                                   \
-		_assert_syscall_state(syscall_state, syscall_name, __VA_ARGS__);                   \
-		if(errno == ENOSYS)                                                                \
-			GTEST_SKIP() << "Syscall " << syscall_name << " not implemented" << std::endl; \
+#define assert_syscall_state(syscall_state, syscall_name, ...)                                     \
+	do {                                                                                           \
+		_assert_syscall_state(syscall_state, syscall_name, __VA_ARGS__);                           \
+		if(errno == ENOSYS)                                                                        \
+			GTEST_SKIP() << "Syscall " << syscall_name << " not implemented" << std::endl;         \
+		if(errno == EOPNOTSUPP || errno == 95)                                                     \
+			GTEST_SKIP() << "Syscall " << syscall_name << " operation not supported" << std::endl; \
 	} while(0)
 
 /////////////////////////////////
@@ -569,6 +572,22 @@ class event_test {
 
 	void assert_charbuf_param_any_of(int param_num, const std::vector<const char*>& candidates);
 
+	/**
+	 * @brief Get the value of a charbuf parameter as a string
+	 *
+	 * @param param_num number of the parameter to get
+	 * @return std::string the parameter value
+	 */
+	std::string get_charbuf_param(int param_num);
+
+	/**
+	 * @brief Assert that a dirfdpath parameter matches the expected CWD path
+	 *
+	 * @param param_num number of the dirfdpath parameter to verify
+	 * @param expected_cwd the expected current working directory path
+	 */
+	void assert_dirfdpath_matches_cwd(int param_num, const char* expected_cwd);
+
 	/**
 	 * @brief Assert that the parameter is a `charbuf` array and
 	 * compare element per element the array with the one passed as a parameter `param`.

test/drivers/flags/flags_definitions.h

@@ -3,9 +3,10 @@
 #include <sys/syscall.h>
 
 /* capabilities */
-#if defined(__NR_capget) && defined(__NR_capset)
+#if defined(__NR_capget) && defined(__NR_capset) && defined(__linux__) && \
+        __has_include(<sys/capability.h>)
 
 #include <sys/capability.h>
 uint64_t capabilities_to_scap(unsigned long caps);
 
-#endif /* __NR_capget */
+#endif /* __NR_capget && __NR_capset && __linux__ && __has_include(<sys/capability.h>) */