From dc7e08f62a38709affe432cb1dcaf07c63e6fd89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=C3=B3rio=20G=2E?=
Date: Mon, 21 Oct 2024 11:41:52 -0300
Subject: [PATCH] feat(ebpf): restrict set_fs_pwd to (f)chdir syscall (#4359) (#4361)

commit: ab6344f (main), cherry-pick

Co-authored-by: OriGlassman <39296766+OriGlassman@users.noreply.github.com>
---
 pkg/ebpf/c/tracee.bpf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index 112b44d9bb10..c9d05192630a 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -5088,6 +5088,9 @@ int BPF_KPROBE(trace_set_fs_pwd)
 if (!init_program_data(&p, ctx, SET_FS_PWD))
 return 0;
 
+ if (p.event->context.syscall != SYSCALL_CHDIR && p.event->context.syscall != SYSCALL_FCHDIR)
+ return 0;
+
 if (!evaluate_scope_filters(&p))
 return 0;
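Review bot: The added `context.syscall` check in trace_set_fs_pwd silently returns 0 for every set_fs_pwd call not attributed to chdir or fchdir, and nothing in the hunk records why. If the kernel reaches set_fs_pwd on other paths (a mount-namespace switch is one candidate, worth confirming against the kernel versions you support), those working-directory changes no longer produce an event, which is a visibility gap that anyone writing detections on this event needs to know about. The filter also presumably depends on syscall-entry bookkeeping having populated `p.event->context.syscall`; this commit touches only the BPF file, so confirm the event's declared dependencies guarantee that, otherwise the probe would drop everything. A comment above the check would capture the intent, e.g. `/* report only cwd changes made via chdir(2)/fchdir(2); other set_fs_pwd callers are intentionally ignored */`. The function body starts and ends outside the hunk.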