update: add cmd to bpf exit event

Signed-off-by: rohith-raju <[email protected]>
falcosecurity · Nov 22, 2023 · 3902acb · 3902acb
1 parent 4e9a3cc
commit 3902acb
Show file tree

Hide file tree

Showing 7 changed files with 103 additions and 16 deletions.
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-2.13.0
+2.14.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -5778,11 +5778,13 @@ FILLER(sys_bpf_e, true)
 
 FILLER(sys_bpf_x, true)
 {
-	/*
-	 * fd
-	 */
+	/* Parameter 1: fd (type: PT_DEC) */
 	long fd = bpf_syscall_get_retval(data->ctx);
-	return bpf_push_s64_to_ring(data, fd);
+	bpf_push_s64_to_ring(data, fd);
+
+	/* Parameter 2: cmd (type: PT_INT64) */
+	int32_t cmd = (int32_t)bpf_syscall_get_argument(data, 0);
+	return bpf_push_s64_to_ring(data,(int64_t)cmd);
 }
 
 FILLER(sys_unlinkat_x, true)

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -347,7 +347,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_SETPGID_E] = {"setpgid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"pid", PT_PID, PF_DEC}, {"pgid", PT_PID, PF_DEC} } },
 	[PPME_SYSCALL_SETPGID_X] = {"setpgid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_PID, PF_DEC} } },
 	[PPME_SYSCALL_BPF_E] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_OLD_VERSION, 1, {{"cmd", PT_INT64, PF_DEC} } },
-	[PPME_SYSCALL_BPF_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_OLD_VERSION, 1, {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX} } },
+	[PPME_SYSCALL_BPF_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_OLD_VERSION, 1, {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX}} },
 	[PPME_SYSCALL_SECCOMP_E] = {"seccomp", EC_OTHER | EC_SYSCALL, EF_NONE, 2, {{"op", PT_UINT64, PF_DEC}, {"flags", PT_UINT64, PF_HEX} } },
 	[PPME_SYSCALL_SECCOMP_X] = {"seccomp", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	[PPME_SYSCALL_UNLINK_2_E] = {"unlink", EC_FILE | EC_SYSCALL, EF_NONE, 0},
@@ -419,7 +419,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_DUP_1_E] = {"dup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
 	[PPME_SYSCALL_DUP_1_X] = {"dup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC} } },
 	[PPME_SYSCALL_BPF_2_E] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, {{"cmd", PT_INT64, PF_DEC} } },
-	[PPME_SYSCALL_BPF_2_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, { {"fd", PT_FD, PF_DEC} } },
+	[PPME_SYSCALL_BPF_2_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 2, { {"fd", PT_FD, PF_DEC}, {"cmd",PT_INT64, PF_DEC} } },
 	[PPME_SYSCALL_MLOCK2_E] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
 	[PPME_SYSCALL_MLOCK2_X] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX, mlock2_flags}}},
 	[PPME_SYSCALL_FSCONFIG_E] = {"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_NONE, 0},

diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -105,7 +105,7 @@
 #define PIPE_E_SIZE HEADER_LEN
 #define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
 #define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
 #define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c
@@ -58,6 +58,11 @@ int BPF_PROG(bpf_x,
 	/* Parameter 1: fd (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: cmd (type: PT_INT64) */
+	int32_t cmd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (int64_t)cmd);
+
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -6721,16 +6721,21 @@ int f_sys_bpf_e(struct event_filler_arguments *args)
 
 int f_sys_bpf_x(struct event_filler_arguments *args)
 {
-	int res;
-	int64_t fd;
+	int res = 0;
+	int64_t fd = 0;
+	unsigned long val = 0;
+	int32_t cmd = 0;
 
-	/*
-	 * fd
-	 */
+	/* Parameter 1: fd (type: PT_DEC) */
 	fd = (int64_t)syscall_get_return_value(current, args->regs);
 	res = val_to_ring(args, fd, 0, false, 0);
 	CHECK_RES(res);
 
+	/* Parameter 2: cmd (type: PT_INT64) */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	cmd = (int32_t)val;
+	res = val_to_ring(args, (int64_t)cmd, 0, false, 0);
+	CHECK_RES(res);
 	return add_sentinel(args);
 }
 

diff --git a/test/drivers/test_suites/syscall_exit_suite/bpf_x.cpp b/test/drivers/test_suites/syscall_exit_suite/bpf_x.cpp
@@ -5,7 +5,7 @@
 #include <linux/sched.h>
 #include <linux/bpf.h>
 
-TEST(SyscallExit, bpfX)
+TEST(SyscallExit, bpfX_invalid_cmd)
 {
 	auto evt_test = get_syscall_event_test(__NR_bpf, EXIT_EVENT);
 
@@ -72,8 +72,83 @@ TEST(SyscallExit, bpfX)
 	/* Parameter 1: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(1, (int64_t)errno_value);
 
+	/* Parameter 2: cmd (type: PT_FD) */
+	evt_test->assert_numeric_param(2, (int64_t)cmd);
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	evt_test->assert_num_params_pushed(2);
+}
+
+
+TEST(SyscallExit, bpfX_MAP_CREATE)
+{
+	auto evt_test = get_syscall_event_test(__NR_bpf, EXIT_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL  ===========================*/
+
+	int32_t cmd = BPF_MAP_CREATE;
+	union bpf_attr *attr = NULL;
+	uint32_t size = 0;
+
+	/* Here we need to call the `bpf` from a child because the main process throws lots of
+	 * `bpf` syscalls to manage the bpf drivers.
+	 */
+	struct clone_args cl_args = {0};
+	cl_args.exit_signal = SIGCHLD;
+	pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args));
+
+	if(ret_pid == 0)
+	{
+		/* When BPF_MAP_CREATE is used, the new file descriptor associated with the eBPF map is returned.*/
+
+		int fd = syscall(__NR_bpf, cmd, attr, size);
+		/* In this way in the father we know if the call was successful or not. */
+		if(fd != -1)
+		{
+			/* SUCCESS because we want the call to fail */
+			exit(EXIT_SUCCESS);
+		}
+		else
+		{
+			exit(EXIT_FAILURE);
+		}
+	}
+
+	assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1);
+	/* Catch the child before doing anything else. */
+	int status = 0;
+	int options = 0;
+	assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1);
+
+	/* This is the errno value we expect from the `bpf` call. */
+	int64_t errno_value = -EINVAL;
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	evt_test->disable_capture();
+
+	evt_test->assert_event_presence(ret_pid);
+
+	if(HasFatalFailure())
+	{
+		return;
+	}
+
+	evt_test->parse_event();
+
+	evt_test->assert_header();
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	/* Parameter 1: fd (type: PT_FD) */
+	evt_test->assert_numeric_param(1, (int64_t)errno_value);
+	evt_test->assert_numeric_param(2, (int64_t)cmd);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(1);
+	evt_test->assert_num_params_pushed(2);
 }
-#endif
+#endif