
[WP] Add is_session_leader field to process events#48307

Open
loresuso wants to merge 2 commits into DataDog:main from loresuso:loresuso/add-is-session-leader

Conversation

@loresuso
Contributor

@loresuso loresuso commented Mar 24, 2026

Add a new boolean field `is_session_leader` to CWS process events that indicates whether a process is a session leader (PID == SID).

The session ID is read from the kernel via:

```c
task->signal->pids[PIDTYPE_SID]->numbers[0].nr
```

and compared against the process tgid. Two new kernel offset constants are introduced (`task_struct_signal_offset`, `signal_struct_pids_offset`), resolved via BTF at runtime.

The field is exposed in SECL as `process.is_session_leader` and propagates to all process-related event types (exec, exit, signal, ptrace, etc.).

Example of a condition where this could be useful: the spawning of a session-leader shell from an unknown binary (e.g. a shell spawned by the shell command of a sliver C2 implant):

```
exec.file.name in ["sh", "bash", "zsh", "dash"] &&
  process.is_session_leader &&
  process.parent.file.name not in ["sshd", "login", "systemd", "init", "su", "sudo", "cron", "tmux: server", "screen", "agetty"]
```
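To make the rule above concrete from the detection side, here is an added Go example (not part of this PR or of datadog-agent) that applies the same predicate in userspace: it parses constructed `/proc/<pid>/stat` lines, derives `is_session_leader` as PID == session ID, and evaluates the shell / session-leader / unexpected-parent condition. It assumes the field order documented in proc(5) and uses the kernel `comm` as a stand-in for `exec.file.name`; the process names and PIDs are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ProcInfo holds the fields of /proc/<pid>/stat that this check needs.
type ProcInfo struct {
	PID     int
	Comm    string // kernel comm (truncated to 15 bytes), not the full exec path
	PPID    int
	Session int // session ID; equals PID when the process is the session leader
}

// ParseProcStat parses a single /proc/<pid>/stat line. The comm field sits in
// parentheses and may contain spaces or ')' (e.g. "tmux: server"), so the line
// is split on the last ')' rather than purely on whitespace.
func ParseProcStat(line string) (ProcInfo, error) {
	open := strings.IndexByte(line, '(')
	end := strings.LastIndexByte(line, ')')
	if open < 0 || end < open {
		return ProcInfo{}, errors.New("malformed stat line: comm not parenthesised")
	}
	pid, err := strconv.Atoi(strings.TrimSpace(line[:open]))
	if err != nil {
		return ProcInfo{}, fmt.Errorf("bad pid field: %w", err)
	}
	// After comm the fields are: state ppid pgrp session tty_nr ... (proc(5)).
	rest := strings.Fields(line[end+1:])
	if len(rest) < 4 {
		return ProcInfo{}, errors.New("malformed stat line: too few fields after comm")
	}
	ppid, err := strconv.Atoi(rest[1])
	if err != nil {
		return ProcInfo{}, fmt.Errorf("bad ppid field: %w", err)
	}
	session, err := strconv.Atoi(rest[3])
	if err != nil {
		return ProcInfo{}, fmt.Errorf("bad session field: %w", err)
	}
	return ProcInfo{PID: pid, Comm: line[open+1 : end], PPID: ppid, Session: session}, nil
}

// IsSessionLeader applies the PR's definition: a process leads its session when
// its PID equals its session ID (the eBPF side compares the SID against tgid).
func IsSessionLeader(p ProcInfo) bool {
	return p.PID == p.Session
}

// Name lists taken from the SECL rule in the PR description.
var shellNames = map[string]bool{"sh": true, "bash": true, "zsh": true, "dash": true}
var expectedParents = map[string]bool{
	"sshd": true, "login": true, "systemd": true, "init": true, "su": true,
	"sudo": true, "cron": true, "tmux: server": true, "screen": true, "agetty": true,
}

// SuspiciousSessionLeaderShell evaluates the same predicate as the SECL rule: a
// shell that is a session leader and whose parent is not a known session spawner.
// Comm stands in for exec.file.name here, which is only an approximation.
func SuspiciousSessionLeaderShell(proc, parent ProcInfo) bool {
	return shellNames[proc.Comm] && IsSessionLeader(proc) && !expectedParents[parent.Comm]
}

func main() {
	// Constructed, truncated stat lines (real ones carry ~52 fields); only the
	// first seven matter to this example.
	lines := map[string]string{
		"sshd":     "4100 (sshd) S 1 4100 4100 0",
		"sshShell": "4242 (bash) S 4100 4242 4242 34816",
		"unknown":  "5000 (unknown-bin) S 1 5000 5000 0",
		"implSh":   "5555 (sh) S 5000 5555 5555 0",
		"childSh":  "5600 (bash) S 5555 5555 5555 0",
	}
	procs := map[string]ProcInfo{}
	for name, line := range lines {
		p, err := ParseProcStat(line)
		if err != nil {
			fmt.Println("parse error:", name, err)
			return
		}
		procs[name] = p
	}
	fmt.Println("bash under sshd suspicious?", SuspiciousSessionLeaderShell(procs["sshShell"], procs["sshd"]))        // false
	fmt.Println("sh under unknown-bin suspicious?", SuspiciousSessionLeaderShell(procs["implSh"], procs["unknown"])) // true
	fmt.Println("child bash is session leader?", IsSessionLeader(procs["childSh"]))                                  // false
}
```

Two caveats follow from the example. `comm` is truncated and attacker-controllable via `prctl(PR_SET_NAME)`, so a userspace check keyed on it is weaker than the `exec.file.name` the SECL rule uses. Polling `/proc` can also miss short-lived processes entirely, which is why the PR evaluates the session ID in the kernel at event time rather than afterwards.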

@loresuso loresuso marked this pull request as ready for review March 25, 2026 11:07
@loresuso loresuso requested review from a team as code owners March 25, 2026 11:07
@loresuso loresuso force-pushed the loresuso/add-is-session-leader branch from 5705414 to d93f625 Compare March 25, 2026 11:10
@github-actions
Contributor

github-actions bot commented Mar 25, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5705414150


@loresuso loresuso force-pushed the loresuso/add-is-session-leader branch from d93f625 to 71464db Compare March 25, 2026 12:03
@loresuso loresuso force-pushed the loresuso/add-is-session-leader branch 2 times, most recently from 6c88473 to d56a9f8 Compare March 25, 2026 14:01
@safchain safchain added category/improvement qa/done QA done before merge and regressions are covered by tests labels Mar 25, 2026
@safchain safchain added this to the 7.79.0 milestone Mar 25, 2026
@loresuso loresuso added the changelog/no-changelog No changelog entry needed label Mar 25, 2026
@loresuso
Contributor Author

I have read the CLA Document and I hereby sign the CLA

@loresuso
Contributor Author

recheck

@loresuso loresuso force-pushed the loresuso/add-is-session-leader branch 2 times, most recently from 2fdc306 to 43addd7 Compare March 26, 2026 14:26
loresuso and others added 2 commits March 26, 2026 15:32
Add a new boolean field `is_session_leader` to CWS process events that
indicates whether a process is a session leader (PID == SID).

The session ID is read from the kernel via:
  task->signal->pids[PIDTYPE_SID]->numbers[0].nr

and compared against the process tgid. Two new kernel offset constants
are introduced (task_struct_signal_offset, signal_struct_pids_offset)
resolved via BTF at runtime.

The field is exposed in SECL as process.is_session_leader and propagates
to all process-related event types (exec, exit, signal, ptrace, etc.).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Use bitfield for is_kworker and is_session_leader in process_context_t,
  keeping the struct at 40 bytes instead of growing to 48
- Restore the original if/else in exec handler cookie update

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@loresuso loresuso force-pushed the loresuso/add-is-session-leader branch from 43addd7 to b704d29 Compare March 26, 2026 14:33
Labels

category/improvement changelog/no-changelog No changelog entry needed qa/done QA done before merge and regressions are covered by tests team/agent-security
