From 2450f8ee19b23a63841c5996c4a8023075f616b6 Mon Sep 17 00:00:00 2001 From: Gianmatteo Palmieri Date: Thu, 18 Jan 2024 13:53:59 +0000 Subject: [PATCH 1/6] feat(driver): add support for newfstatat syscall Signed-off-by: Gianmatteo Palmieri --- driver/bpf/fillers.h | 31 +++++ driver/event_stats.h | 2 +- driver/event_table.c | 2 + driver/fillers_table.c | 4 +- driver/flags_table.c | 7 ++ .../definitions/events_dimensions.h | 1 + .../newfstatat.bpf.c | 92 +++++++++++++++ driver/ppm_events_public.h | 12 +- driver/ppm_fillers.c | 38 ++++++ driver/ppm_fillers.h | 1 + driver/ppm_flag_helpers.h | 20 ++++ driver/syscall_table.c | 6 +- .../syscall_enter_suite/newfstatat_e.cpp | 44 +++++++ .../syscall_exit_suite/newfstatat_x.cpp | 111 ++++++++++++++++++ userspace/libpman/src/events_prog_names.h | 4 +- userspace/libscap/linux/scap_ppm_sc.c | 6 +- 16 files changed, 372 insertions(+), 9 deletions(-) create mode 100644 driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c create mode 100644 test/drivers/test_suites/syscall_enter_suite/newfstatat_e.cpp create mode 100644 test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index aebee43ed5..d79b521dce 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h 
@@ -7290,4 +7290,35 @@ FILLER(sys_mknodat_x, true) uint32_t dev = bpf_syscall_get_argument(data, 3); return bpf_push_u32_to_ring(data, bpf_encode_dev(dev)); } + +FILLER(sys_newfstatat_x, true) +{ + unsigned long val; + + /* Parameter 1: ret (type: PT_ERRNO) */ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_push_s64_to_ring(data, retval); + CHECK_RES(res); + + /* Parameter 2: fd (type: PT_FD) */ + int32_t fd = (int32_t)bpf_syscall_get_argument(data, 0); + if (fd == AT_FDCWD) + fd = PPM_AT_FDCWD; + res = bpf_push_s64_to_ring(data, (int64_t)fd); + CHECK_RES(res); + + /* Parameter 3: path (type: PT_CHARBUF) */ + val = bpf_syscall_get_argument(data, 1); + res = bpf_val_to_ring(data, val); + CHECK_RES(res); + + /* Parameter 4: stat (type: PT_BYTEBUF) */ + /*val = bpf_syscall_get_argument(data, 2); + res = bpf_push_u32_to_ring(data, val); + CHECK_RES(res);*/ + + /* Parameter 5: flags (type: PT_FLAGS32) */ + uint32_t flags = bpf_syscall_get_argument(data, 3); + return bpf_push_u32_to_ring(data, newfstatat_flags_to_scap(flags)); +} #endif diff --git a/driver/event_stats.h b/driver/event_stats.h index 787364804a..bbb9b3afa5 100644 --- a/driver/event_stats.h +++ b/driver/event_stats.h @@ -10,7 +10,7 @@ or GPL2.txt for full copies of the license. #pragma once /* These numbers must be updated when we add new events in the event table */ -#define SYSCALL_EVENTS_NUM 370 +#define SYSCALL_EVENTS_NUM 372 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 20 #define PLUGIN_EVENTS_NUM 1 diff --git a/driver/event_table.c b/driver/event_table.c index f1ef41f9f2..38e645b7d4 100644 --- a/driver/event_table.c +++ b/driver/event_table.c 
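Review bot: `sys_newfstatat_x` carries a commented-out `Parameter 4` block (`/*val = bpf_syscall_get_argument(data, 2); … CHECK_RES(res);*/`) and then labels the flags push `Parameter 5`, while event_table.c in this same commit declares PPME_SYSCALL_NEWFSTATAT_X with four parameters; delete the dead block and relabel the last comment `/* Parameter 4: flags (type: PT_FLAGS32) */`. The labels `Parameter 2: fd` and `Parameter 3: path (type: PT_CHARBUF)` also disagree with the table, which names them `dirfd` and types the path `PT_FSRELPATH`; keeping the filler comments in step with the table is what lets a reader check the two against each other. `f_sys_newfstatat_x` in ppm_fillers.c has the same commented-out block, the same `Parameter 5` numbering and the same type labels, and should get the same cleanup.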
@@ -470,6 +470,8 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_MKNOD_X] = {"mknod", EC_OTHER | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA},{"mode", PT_MODE, PF_OCT, mknod_mode},{"dev", PT_UINT32, PF_DEC}}}, [PPME_SYSCALL_MKNODAT_E] = {"mknodat", EC_OTHER | EC_SYSCALL, EF_NONE, 0}, [PPME_SYSCALL_MKNODAT_X] = {"mknodat", EC_OTHER | EC_SYSCALL, EF_USES_FD, 5, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)},{"mode", PT_MODE, PF_OCT, mknod_mode},{"dev", PT_UINT32, PF_DEC}}}, + [PPME_SYSCALL_NEWFSTATAT_E] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_NONE, 0}, + [PPME_SYSCALL_NEWFSTATAT_X] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_USES_FD, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, newfstatat_flags}}}, }; #pragma GCC diagnostic pop diff --git a/driver/fillers_table.c b/driver/fillers_table.c index eb917f9a19..07a9fd945f 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -354,6 +354,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_MKNOD_E] = {FILLER_REF(sys_empty)}, [PPME_SYSCALL_MKNOD_X] = {FILLER_REF(sys_mknod_x)}, [PPME_SYSCALL_MKNODAT_E] = {FILLER_REF(sys_empty)}, - [PPME_SYSCALL_MKNODAT_X] = {FILLER_REF(sys_mknodat_x)} + [PPME_SYSCALL_MKNODAT_X] = {FILLER_REF(sys_mknodat_x)}, + [PPME_SYSCALL_NEWFSTATAT_E] = {FILLER_REF(sys_empty)}, + [PPME_SYSCALL_NEWFSTATAT_X] = {FILLER_REF(sys_newfstatat_x)} }; #pragma GCC diagnostic pop diff --git a/driver/flags_table.c b/driver/flags_table.c index 595d3f2448..7b00743dc3 100644 --- a/driver/flags_table.c +++ b/driver/flags_table.c 
@@ -507,6 +507,13 @@ const struct ppm_name_value linkat_flags[] = { {0, 0}, }; +const struct ppm_name_value newfstatat_flags[] = { + {"AT_EMPTY_PATH", PPM_AT_EMPTY_PATH}, + {"AT_NO_AUTOMOUNT", PPM_AT_NO_AUTOMOUNT}, + {"AT_SYMLINK_NOFOLLOW", PPM_AT_SYMLINK_NOFOLLOW}, + {0, 0}, +}; + const struct ppm_name_value chmod_mode[] = { {"S_IXOTH", PPM_S_IXOTH}, {"S_IWOTH", PPM_S_IWOTH}, diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index b8e11e689a..9ca5df8cb4 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -246,6 +246,7 @@ #define FINIT_MODULE_E_SIZE HEADER_LEN #define MKNOD_E_SIZE HEADER_LEN #define MKNODAT_E_SIZE HEADER_LEN +#define NEWFSTATAT_E_SIZE HEADER_LEN /* Generic tracepoints events. */ #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6 diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c new file mode 100644 index 0000000000..5a8a95b3fc --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c 
@@ -0,0 +1,92 @@ +// SPDX-License-Identifier: GPL-2.0-only OR MIT +/* + * Copyright (C) 2023 The Falco Authors. + * + * This file is dual licensed under either the MIT or GPL 2. See MIT.txt + * or GPL2.txt for full copies of the license. + */ + +#include +#include + +/*=============================== ENTER EVENT ===========================*/ + +SEC("tp_btf/sys_enter") +int BPF_PROG(newfstatat_e, + struct pt_regs *regs, + long id) +{ + struct ringbuf_struct ringbuf; + if(!ringbuf__reserve_space(&ringbuf, ctx, NEWFSTATAT_E_SIZE, PPME_SYSCALL_NEWFSTATAT_E)) + { + return 0; + } + + ringbuf__store_event_header(&ringbuf); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + // Here we have no parameters to collect. + + /*=============================== COLLECT PARAMETERS ===========================*/ + + ringbuf__submit_event(&ringbuf); + + return 0; + + +} + +/*=============================== ENTER EVENT ===========================*/ + +/*=============================== EXIT EVENT ===========================*/ + +SEC("tp_btf/sys_exit") +int BPF_PROG(newfstatat_x, + struct pt_regs *regs, + long ret) +{ + struct auxiliary_map *auxmap = auxmap__get(); + if(!auxmap) + { + return 0; + } + + auxmap__preload_event_header(auxmap, PPME_SYSCALL_NEWFSTATAT_X); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + /* Parameter 1: ret (type: PT_ERRNO) */ + auxmap__store_s64_param(auxmap, ret); + + /* Parameter 2: dirfd (type: PT_FD) */ + int32_t dirfd = (int32_t)extract__syscall_argument(regs, 0); + if(dirfd == AT_FDCWD) + { + dirfd = PPM_AT_FDCWD; + } + auxmap__store_s64_param(auxmap, (int64_t)dirfd); + + /* Parameter 3: path (type: PT_CHARBUF) */ + unsigned long path_pointer = extract__syscall_argument(regs, 1); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); + + /* Parameter 4: path (type: PT_BYTEBUF) */ + unsigned long buf_pointer = extract__syscall_argument(regs, 2); + 
auxmap__store_charbuf_param(auxmap, buf_pointer, MAX_PATH, USER); + + /* Parameter 5: dev (type: PT_FLAGS32) */ + uint32_t flags = (uint32_t)extract__syscall_argument(regs, 3); + auxmap__store_u32_param(auxmap, newfstatat_flags_to_scap(flags)); + + + /*=============================== COLLECT PARAMETERS ===========================*/ + + auxmap__finalize_event_header(auxmap); + + auxmap__submit_event(auxmap, ctx); + + return 0; +} + +/*=============================== EXIT EVENT ===========================*/ \ No newline at end of file diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 24c2547314..24d2e34a00 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -290,6 +290,13 @@ or GPL2.txt for full copies of the license. #define PPM_AT_SYMLINK_FOLLOW 0x400 #define PPM_AT_EMPTY_PATH 0x1000 +/* + * newfstatat() flags + */ +#define PPM_AT_NO_AUTOMOUNT 0x800 +#define PPM_AT_SYMLINK_NOFOLLOW 0x100 + + /* * rlimit resources */ @@ -1413,7 +1420,9 @@ typedef enum { PPME_SYSCALL_MKNOD_X = 415, PPME_SYSCALL_MKNODAT_E = 416, PPME_SYSCALL_MKNODAT_X = 417, - PPM_EVENT_MAX = 418 + PPME_SYSCALL_NEWFSTATAT_E = 418, + PPME_SYSCALL_NEWFSTATAT_X = 419, + PPM_EVENT_MAX = 420 } ppm_event_code; /*@}*/ @@ -2136,6 +2145,7 @@ extern const struct ppm_name_value access_flags[]; extern const struct ppm_name_value pf_flags[]; extern const struct ppm_name_value unlinkat_flags[]; extern const struct ppm_name_value linkat_flags[]; +extern const struct ppm_name_value newfstatat_flags[]; extern const struct ppm_name_value chmod_mode[]; extern const struct ppm_name_value mknod_mode[]; extern const struct ppm_name_value renameat2_flags[]; diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 231059c53a..2e8ae8b4b6 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c 
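Review bot: `newfstatat_x` stores five parameters, but event_table.c declares PPME_SYSCALL_NEWFSTATAT_X with four and the exit tests assert `assert_num_params_pushed(4)` with flags as parameter 4, so the modern BPF event will not match the table or the other two drivers. The extra one is the `Parameter 4: path (type: PT_BYTEBUF)` block, which passes the `struct stat *` argument to `auxmap__store_charbuf_param(auxmap, buf_pointer, MAX_PATH, USER)`, i.e. reads the caller's stat buffer as a NUL-terminated string; drop `unsigned long buf_pointer = extract__syscall_argument(regs, 2);` and that store, and relabel the last block `/* Parameter 4: flags (type: PT_FLAGS32) */` instead of `Parameter 5: dev`. Minor: `newfstatat_e` has two stray blank lines before its closing brace, and the file ends without a newline.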
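Review bot: The two macros added under a new `newfstatat() flags` heading are generic `AT_*` flags of the same family as the `PPM_AT_SYMLINK_FOLLOW` and `PPM_AT_EMPTY_PATH` lines that appear to close the preceding block, and `newfstatat_flags_to_scap` reuses `PPM_AT_EMPTY_PATH` from that block; folding `PPM_AT_NO_AUTOMOUNT` and `PPM_AT_SYMLINK_NOFOLLOW` into the existing `PPM_AT_*` group (and dropping the double blank line that follows them) keeps the related values together. A one-line comment such as `/* values mirror the kernel's AT_SYMLINK_NOFOLLOW (0x100) and AT_NO_AUTOMOUNT (0x800) */` would record why these constants were chosen, since the `PPM_` namespace does not otherwise have to track kernel values. The enum and `extern` hunks look consistent with the rest of the change.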
@@ -8075,3 +8075,41 @@ int f_sys_mknodat_x(struct event_filler_arguments *args) return add_sentinel(args); } + +int f_sys_newfstatat_x(struct event_filler_arguments *args) +{ + unsigned long val; + int res; + int32_t fd; + long retval; + + /* Parameter 1: ret (type: PT_ERRNO) */ + retval = (int64_t) syscall_get_return_value(current,args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); + + /* Parameter 2: dirfd (type: PT_FD) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + fd = (int32_t)val; + if (fd == AT_FDCWD) + fd = PPM_AT_FDCWD; + res = val_to_ring(args, (int64_t)fd, 0, true, 0); + CHECK_RES(res); + + /* Parameter 3: path (type: PT_CHARBUF) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + /* Parameter 4: stat (type: PT_BYTEBUF) */ + /*syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res);*/ + + /* Parameter 5: flags (type: PT_FLAGS32) */ + syscall_get_arguments_deprecated(args, 3, 1, &val); + res = val_to_ring(args, newfstatat_flags_to_scap(val), 0, true, 0); + CHECK_RES(res); + + return add_sentinel(args); +} diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index 5efbdd873f..68c431f1d2 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -187,6 +187,7 @@ or GPL2.txt for full copies of the license. FN(sys_finit_module_x) \ FN(sys_mknod_x) \ FN(sys_mknodat_x) \ + FN(sys_newfstatat_x) \ FN(terminate_filler) #define FILLER_ENUM_FN(x) PPM_FILLER_##x, diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h index fe36991890..e261bfc15a 100644 --- a/driver/ppm_flag_helpers.h +++ b/driver/ppm_flag_helpers.h 
@@ -1781,6 +1781,26 @@ static __always_inline uint32_t linkat_flags_to_scap(int32_t flags) return res; } +static __always_inline uint32_t newfstatat_flags_to_scap(int32_t flags) +{ + uint32_t res = 0; + + if (flags & AT_SYMLINK_NOFOLLOW) + res |= PPM_AT_SYMLINK_NOFOLLOW; + +#ifdef AT_EMPTY_PATH + if (flags & AT_EMPTY_PATH) + res |= PPM_AT_EMPTY_PATH; +#endif + +#ifdef AT_NO_AUTOMOUNT + if (flags & AT_NO_AUTOMOUNT) + res |= PPM_AT_NO_AUTOMOUNT; +#endif + + return res; +} + static __always_inline uint32_t chmod_mode_to_scap(unsigned long modes) { uint32_t res = 0; diff --git a/driver/syscall_table.c b/driver/syscall_table.c index 7180ee293e..78c532418d 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c @@ -421,6 +421,9 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #endif #ifdef __NR_mknodat [__NR_mknodat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MKNODAT_E, PPME_SYSCALL_MKNODAT_X, PPM_SC_MKNODAT}, +#endif +#ifdef __NR_newfstatat + [__NR_newfstatat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_NEWFSTATAT_E, PPME_SYSCALL_NEWFSTATAT_X, PPM_SC_NEWFSTATAT}, #endif [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL }, [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT}, @@ -667,9 +670,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #ifdef __NR_fallocate [__NR_fallocate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FALLOCATE}, #endif -#ifdef __NR_newfstatat - [__NR_newfstatat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NEWFSTATAT}, -#endif #ifdef __NR_sigaltstack [__NR_sigaltstack - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGALTSTACK}, #endif diff --git a/test/drivers/test_suites/syscall_enter_suite/newfstatat_e.cpp b/test/drivers/test_suites/syscall_enter_suite/newfstatat_e.cpp new file mode 100644 index 0000000000..0a4db0cc92 --- /dev/null +++ b/test/drivers/test_suites/syscall_enter_suite/newfstatat_e.cpp 
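Review bot: `newfstatat_flags_to_scap` tests `AT_SYMLINK_NOFOLLOW` unconditionally while `AT_EMPTY_PATH` and `AT_NO_AUTOMOUNT` are wrapped in `#ifdef`; presumably the guards are there because older kernel or libc headers may lack the two newer flags, but nothing says so, and a reader cannot tell whether the first check was left unguarded on purpose. A comment above the first `#ifdef`, e.g. `/* AT_EMPTY_PATH / AT_NO_AUTOMOUNT may be absent from older headers; AT_SYMLINK_NOFOLLOW is always defined */`, would make the asymmetry deliberate. Note also that when a guard is compiled out the corresponding bit is silently dropped from the event, so the `newfstatat_flags` name table in flags_table.c can list a flag the driver never emits; that is worth stating in the same comment.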
@@ -0,0 +1,44 @@ +#include "../../event_class/event_class.h" + +#ifdef __NR_newfstatat +TEST(SyscallEnter, newfstatatE) +{ + auto evt_test = get_syscall_event_test(__NR_newfstatat, ENTER_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + //int dirfd = AT_FDCWD; + int dirfd = -1; + const char* pathname = "mock_path"; + struct stat buffer; + int flags = AT_EMPTY_PATH | AT_NO_AUTOMOUNT | AT_SYMLINK_NOFOLLOW; + + assert_syscall_state(SYSCALL_FAILURE, "newfstatat", syscall(__NR_newfstatat, dirfd, pathname, &buffer, flags)); + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + // Here we have no parameters to assert. + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(0); + +} +#endif \ No newline at end of file diff --git a/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp new file mode 100644 index 0000000000..c2238c0351 --- /dev/null +++ b/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp 
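Review bot: `//int dirfd = AT_FDCWD;` is a commented-out alternative left directly above `int dirfd = -1;`; either remove it or turn it into a comment that explains the choice, e.g. `/* invalid dirfd: the call must fail so the enter event is captured without touching the filesystem */` (that it is meant to force `SYSCALL_FAILURE` is inferred from the assertion, so confirm the intent). The two consecutive blank lines after `assert_syscall_state` and before the closing brace, and the missing newline at end of file, are small layout slips worth fixing while here.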
@@ -0,0 +1,111 @@ +#include "../../event_class/event_class.h" + +#ifdef __NR_newfstatat +TEST(SyscallExit, newfstatatX_success) +{ + auto evt_test = get_syscall_event_test(__NR_newfstatat, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + int dirfd = AT_FDCWD; + const char* pathname = "."; + struct stat buffer; + int flags = AT_NO_AUTOMOUNT | AT_SYMLINK_NOFOLLOW; + + int32_t res = syscall(__NR_newfstatat, dirfd, pathname, &buffer, flags); + assert_syscall_state(SYSCALL_SUCCESS, "newfstatat", res, NOT_EQUAL, -1); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO) */ + evt_test->assert_numeric_param(1, (int64_t)res); + + /* Parameter 2: dirfd (type: PT_FD) */ + evt_test->assert_numeric_param(2, (int64_t)PPM_AT_FDCWD); + + /* Parameter 3: name (type: PT_FSPATH) */ + evt_test->assert_charbuf_param(3, pathname); + + /* Parameter 4: stat (type: PT_BYTEBUF) */ + //evt_test->assert_numeric_param(4, ); + + /* Parameter 4: flags (type: PT_FLAGS32) */ + evt_test->assert_numeric_param(4, (uint32_t)PPM_AT_NO_AUTOMOUNT | PPM_AT_SYMLINK_NOFOLLOW); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); +} + +TEST(SyscallExit, newfstatatX_failure) +{ + auto evt_test = get_syscall_event_test(__NR_newfstatat, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + int dirfd = AT_FDCWD; + const char* pathname = "mock_path"; + struct stat buffer; + int flags = AT_NO_AUTOMOUNT | AT_SYMLINK_NOFOLLOW; + + int32_t res = 
syscall(__NR_newfstatat, dirfd, pathname, &buffer, flags); + assert_syscall_state(SYSCALL_FAILURE, "newfstatat", res); + int64_t errno_value = -errno; + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO) */ + evt_test->assert_numeric_param(1, (int64_t)errno_value); + + /* Parameter 2: dirfd (type: PT_FD) */ + evt_test->assert_numeric_param(2, (int64_t)PPM_AT_FDCWD); + + /* Parameter 3: name (type: PT_FSPATH) */ + evt_test->assert_charbuf_param(3, pathname); + + /* Parameter 4: stat (type: PT_BYTEBUF) */ + //evt_test->assert_numeric_param(4, ); + + /* Parameter 4: flags (type: PT_FLAGS32) */ + evt_test->assert_numeric_param(4, (uint32_t)PPM_AT_NO_AUTOMOUNT | PPM_AT_SYMLINK_NOFOLLOW); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); +} + +#endif \ No newline at end of file diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h index 7d62332652..9a2d8bce81 100644 --- a/userspace/libpman/src/events_prog_names.h +++ b/userspace/libpman/src/events_prog_names.h @@ -326,7 +326,9 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_MKNOD_E] = "mknod_e", [PPME_SYSCALL_MKNOD_X] = "mknod_x", [PPME_SYSCALL_MKNODAT_E] = "mknodat_e", - [PPME_SYSCALL_MKNODAT_X] = "mknodat_x" + [PPME_SYSCALL_MKNODAT_X] = "mknodat_x", + [PPME_SYSCALL_NEWFSTATAT_E] = "newfstatat_e", + [PPME_SYSCALL_NEWFSTATAT_X] = "newfstatat_x" }; /* Some events can require more than one bpf program to collect all the data. */ 
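Review bot: Both `newfstatatX_success` and `newfstatatX_failure` label two different checks `Parameter 4` — the commented-out `//evt_test->assert_numeric_param(4, );` for the stat buffer and the live flags assertion — while event_table.c declares four parameters with flags as the fourth; remove the dead stat lines and align `Parameter 3: name (type: PT_FSPATH)` with the table's `path`/`PT_FSRELPATH`. In `(uint32_t)PPM_AT_NO_AUTOMOUNT | PPM_AT_SYMLINK_NOFOLLOW` the cast binds only to the first operand; `(uint32_t)(PPM_AT_NO_AUTOMOUNT | PPM_AT_SYMLINK_NOFOLLOW)` says what is meant and is the form `assert_numeric_param` is being asked to compare against. Neither test passes `AT_EMPTY_PATH`, so the third bit that `newfstatat_flags_to_scap` maps is never exercised on the exit path; the failure case could use the full mask that `newfstatat_e.cpp` already uses and assert `PPM_AT_EMPTY_PATH` in the expected value. The file also lacks a trailing newline.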
diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c index 0733ce1ae0..00fec6d5c5 100644 --- a/userspace/libscap/linux/scap_ppm_sc.c +++ b/userspace/libscap/linux/scap_ppm_sc.c 
@@ -30,8 +30,8 @@ limitations under the License. * NOTE: first 2 lines are automatically bumped by syscalls-bumper. */ static const ppm_sc_code *g_events_to_sc_map[] = { - [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, 
PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, 
PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_MULTIPLEXER, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, -1}, - [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, 
PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, 
PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, 
PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_MULTIPLEXER, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, -1}, + [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, 
PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, 
PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_MULTIPLEXER, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, -1}, + [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, 
PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, 
PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, 
PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_MULTIPLEXER, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, -1}, [PPME_SYSCALL_OPEN_E] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_OPEN_X] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_CLOSE_E] = (ppm_sc_code[]){PPM_SC_CLOSE, -1}, @@ -448,6 +448,8 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SYSCALL_MKNOD_X] = (ppm_sc_code[]){PPM_SC_MKNOD, -1}, [PPME_SYSCALL_MKNODAT_E] = (ppm_sc_code[]){PPM_SC_MKNODAT, -1}, [PPME_SYSCALL_MKNODAT_X] = (ppm_sc_code[]){PPM_SC_MKNODAT, -1}, + [PPME_SYSCALL_NEWFSTATAT_E] = (ppm_sc_code[]){PPM_SC_NEWFSTATAT, -1}, + [PPME_SYSCALL_NEWFSTATAT_X] = (ppm_sc_code[]){PPM_SC_NEWFSTATAT, -1}, }; #if defined(__GNUC__) || (__STDC_VERSION__ >=201112L) From 1cd6f073c0e01bfbc8f3fe418a67447faa7dcb19 Mon Sep 17 00:00:00 2001 From: Gianmatteo Palmieri Date: Thu, 18 Jan 2024 14:11:05 +0000 Subject: [PATCH 2/6] fix(driver): don't send buffer pointer to userspace Signed-off-by: Gianmatteo Palmieri --- driver/bpf/fillers.h | 2 +- .../events/syscall_dispatched_events/newfstatat.bpf.c | 6 +++--- driver/ppm_fillers.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index d79b521dce..329f0bcaa7 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h 
@@ -7307,7 +7307,7 @@ FILLER(sys_newfstatat_x, true)
 res = bpf_push_s64_to_ring(data, (int64_t)fd);
 CHECK_RES(res);
- /* Parameter 3: path (type: PT_CHARBUF) */
+ /* Parameter 3: path (type: PT_RELPATH) */
 val = bpf_syscall_get_argument(data, 1);
 res = bpf_val_to_ring(data, val);
 CHECK_RES(res);
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c
index 5a8a95b3fc..ca3fd76d05 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c
@@ -67,13 +67,13 @@ int BPF_PROG(newfstatat_x,
 }
 auxmap__store_s64_param(auxmap, (int64_t)dirfd);
- /* Parameter 3: path (type: PT_CHARBUF) */
+ /* Parameter 3: path (type: PT_RELPATH) */
 unsigned long path_pointer = extract__syscall_argument(regs, 1);
 auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER);
 /* Parameter 4: path (type: PT_BYTEBUF) */
- unsigned long buf_pointer = extract__syscall_argument(regs, 2);
- auxmap__store_charbuf_param(auxmap, buf_pointer, MAX_PATH, USER);
+ /*unsigned long buf_pointer = extract__syscall_argument(regs, 2);
+ auxmap__store_charbuf_param(auxmap, buf_pointer);*/
 /* Parameter 5: dev (type: PT_FLAGS32) */
 uint32_t flags = (uint32_t)extract__syscall_argument(regs, 3);
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index 2e8ae8b4b6..83e701ada8 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -8096,7 +8096,7 @@ int f_sys_newfstatat_x(struct event_filler_arguments *args)
 res = val_to_ring(args, (int64_t)fd, 0, true, 0);
 CHECK_RES(res);
- /* Parameter 3: path (type: PT_CHARBUF) */
+ /* Parameter 3: path (type: PT_RELPATH) */
 syscall_get_arguments_deprecated(args, 1, 1, &val);
 res = val_to_ring(args, val, 0, true, 0);
 CHECK_RES(res);
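Review bot: The new comment names the path parameter `PT_RELPATH`, a type spelled nowhere else in this series, while the driver test in newfstatat_x.cpp labels the same slot `/* Parameter 3: name (type: PT_FSPATH) */`, so at least one of them disagrees with the event_table.c entry, which is outside this view. The same comment is written in this patch's newfstatat.bpf.c and ppm_fillers.c hunks, so the type name declared in the event table should be copied verbatim into all three fillers and into the test rather than into one of them. The filler body begins outside the hunk.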
From 75c26152ea62dff8f2784f98355a8cee308c6834 Mon Sep 17 00:00:00 2001 From: Gianmatteo Palmieri Date: Thu, 18 Jan 2024 17:06:33 +0000 Subject: [PATCH 3/6] chore(driver): bump schema version Signed-off-by: Gianmatteo Palmieri --- driver/SCHEMA_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION index edcfe40d19..68e69e405e 100644 --- a/driver/SCHEMA_VERSION +++ b/driver/SCHEMA_VERSION @@ -1 +1 @@ -2.14.0 +2.15.0 From e3923d99a246792ccc51f03227db3ef4dded9f20 Mon Sep 17 00:00:00 2001 From: Gianmatteo Palmieri Date: Fri, 19 Jan 2024 13:20:24 +0000 Subject: [PATCH 4/6] fix: indentation issues Signed-off-by: Gianmatteo Palmieri --- .../newfstatat.bpf.c | 2 +- driver/ppm_fillers.c | 164 +++++++++--------- .../syscall_enter_suite/newfstatat_e.cpp | 6 +- .../syscall_exit_suite/newfstatat_x.cpp | 10 +- 4 files changed, 91 insertions(+), 91 deletions(-) diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c index ca3fd76d05..ffd9e27187 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c @@ -71,7 +71,7 @@ int BPF_PROG(newfstatat_x, unsigned long path_pointer = extract__syscall_argument(regs, 1); auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); - /* Parameter 4: path (type: PT_BYTEBUF) */ + /* Parameter 4: path (type: PT_BYTEBUF) */ /*unsigned long buf_pointer = extract__syscall_argument(regs, 2); auxmap__store_charbuf_param(auxmap, buf_pointer);*/ diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 83e701ada8..de33fd2e82 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c 
@@ -8011,105 +8011,105 @@ int f_sys_finit_module_x(struct event_filler_arguments *args) int f_sys_mknod_x(struct event_filler_arguments *args) { - unsigned long val; - int res; - long retval; + unsigned long val; + int res; + long retval; - /* Parameter 1: ret (type: PT_ERRNO) */ - retval = (int64_t) syscall_get_return_value(current,args->regs); - res = val_to_ring(args, retval, 0, false, 0); - CHECK_RES(res); + /* Parameter 1: ret (type: PT_ERRNO) */ + retval = (int64_t) syscall_get_return_value(current,args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); - /* Parameter 2: path (type: PT_CHARBUF) */ - syscall_get_arguments_deprecated(args, 0, 1, &val); - res = val_to_ring(args, val, 0, true, 0); - CHECK_RES(res); + /* Parameter 2: path (type: PT_CHARBUF) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); - /* Parameter 3: mode (type: PT_MODE) */ - syscall_get_arguments_deprecated(args, 1, 1, &val); - res = val_to_ring(args, mknod_mode_to_scap(val), 0, false, 0); - CHECK_RES(res); + /* Parameter 3: mode (type: PT_MODE) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, mknod_mode_to_scap(val), 0, false, 0); + CHECK_RES(res); - /* Parameter 4: dev (type: PT_UINT32) */ - syscall_get_arguments_deprecated(args, 2, 1, &val); - res = val_to_ring(args, new_encode_dev(val), 0, false, 0); - CHECK_RES(res); + /* Parameter 4: dev (type: PT_UINT32) */ + syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, new_encode_dev(val), 0, false, 0); + CHECK_RES(res); - return add_sentinel(args); + return add_sentinel(args); } int f_sys_mknodat_x(struct event_filler_arguments *args) { - unsigned long val; - int res; - int32_t fd; - long retval; + unsigned long val; + int res; + int32_t fd; + long retval; - /* Parameter 1: ret (type: PT_ERRNO) */ - retval = (int64_t) syscall_get_return_value(current,args->regs); - res = val_to_ring(args, 
retval, 0, false, 0); - CHECK_RES(res); + /* Parameter 1: ret (type: PT_ERRNO) */ + retval = (int64_t) syscall_get_return_value(current,args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); - /* Parameter 2: dirfd (type: PT_FD) */ - syscall_get_arguments_deprecated(args, 0, 1, &val); - fd = (int32_t)val; - if (fd == AT_FDCWD) - fd = PPM_AT_FDCWD; - res = val_to_ring(args, (int64_t)fd, 0, true, 0); - CHECK_RES(res); + /* Parameter 2: dirfd (type: PT_FD) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + fd = (int32_t)val; + if (fd == AT_FDCWD) + fd = PPM_AT_FDCWD; + res = val_to_ring(args, (int64_t)fd, 0, true, 0); + CHECK_RES(res); - /* Parameter 2: path (type: PT_CHARBUF) */ - syscall_get_arguments_deprecated(args, 1, 1, &val); - res = val_to_ring(args, val, 0, true, 0); - CHECK_RES(res); + /* Parameter 2: path (type: PT_CHARBUF) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); - /* Parameter 3: mode (type: PT_MODE) */ - syscall_get_arguments_deprecated(args, 2, 1, &val); - res = val_to_ring(args, mknod_mode_to_scap(val), 0, false, 0); - CHECK_RES(res); + /* Parameter 3: mode (type: PT_MODE) */ + syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, mknod_mode_to_scap(val), 0, false, 0); + CHECK_RES(res); - /* Parameter 4: dev (type: PT_UINT32) */ - syscall_get_arguments_deprecated(args, 3, 1, &val); - res = val_to_ring(args, new_encode_dev(val), 0, false, 0); - CHECK_RES(res); + /* Parameter 4: dev (type: PT_UINT32) */ + syscall_get_arguments_deprecated(args, 3, 1, &val); + res = val_to_ring(args, new_encode_dev(val), 0, false, 0); + CHECK_RES(res); - return add_sentinel(args); + return add_sentinel(args); } int f_sys_newfstatat_x(struct event_filler_arguments *args) { - unsigned long val; - int res; - int32_t fd; - long retval; - - /* Parameter 1: ret (type: PT_ERRNO) */ - retval = (int64_t) syscall_get_return_value(current,args->regs); 
- res = val_to_ring(args, retval, 0, false, 0); - CHECK_RES(res); - - /* Parameter 2: dirfd (type: PT_FD) */ - syscall_get_arguments_deprecated(args, 0, 1, &val); - fd = (int32_t)val; - if (fd == AT_FDCWD) - fd = PPM_AT_FDCWD; - res = val_to_ring(args, (int64_t)fd, 0, true, 0); - CHECK_RES(res); - - /* Parameter 3: path (type: PT_RELPATH) */ - syscall_get_arguments_deprecated(args, 1, 1, &val); - res = val_to_ring(args, val, 0, true, 0); - CHECK_RES(res); - - /* Parameter 4: stat (type: PT_BYTEBUF) */ - /*syscall_get_arguments_deprecated(args, 2, 1, &val); - res = val_to_ring(args, val, 0, true, 0); - CHECK_RES(res);*/ - - /* Parameter 5: flags (type: PT_FLAGS32) */ - syscall_get_arguments_deprecated(args, 3, 1, &val); - res = val_to_ring(args, newfstatat_flags_to_scap(val), 0, true, 0); - CHECK_RES(res); - - return add_sentinel(args); + unsigned long val; + int res; + int32_t fd; + long retval; + + /* Parameter 1: ret (type: PT_ERRNO) */ + retval = (int64_t) syscall_get_return_value(current,args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); + + /* Parameter 2: dirfd (type: PT_FD) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + fd = (int32_t)val; + if (fd == AT_FDCWD) + fd = PPM_AT_FDCWD; + res = val_to_ring(args, (int64_t)fd, 0, true, 0); + CHECK_RES(res); + + /* Parameter 3: path (type: PT_RELPATH) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + /* Parameter 4: stat (type: PT_BYTEBUF) */ + /*syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res);*/ + + /* Parameter 5: flags (type: PT_FLAGS32) */ + syscall_get_arguments_deprecated(args, 3, 1, &val); + res = val_to_ring(args, newfstatat_flags_to_scap(val), 0, true, 0); + CHECK_RES(res); + + return add_sentinel(args); } 
diff --git a/test/drivers/test_suites/syscall_enter_suite/newfstatat_e.cpp b/test/drivers/test_suites/syscall_enter_suite/newfstatat_e.cpp
index 0a4db0cc92..4e5c285998 100644
--- a/test/drivers/test_suites/syscall_enter_suite/newfstatat_e.cpp
+++ b/test/drivers/test_suites/syscall_enter_suite/newfstatat_e.cpp
@@ -8,10 +8,10 @@ TEST(SyscallEnter, newfstatatE)
 /*=============================== TRIGGER SYSCALL ===========================*/
- //int dirfd = AT_FDCWD;
- int dirfd = -1;
+ //int dirfd = AT_FDCWD;
+ int dirfd = -1;
 const char* pathname = "mock_path";
- struct stat buffer;
+ struct stat buffer;
 int flags = AT_EMPTY_PATH | AT_NO_AUTOMOUNT | AT_SYMLINK_NOFOLLOW;
 assert_syscall_state(SYSCALL_FAILURE, "newfstatat", syscall(__NR_newfstatat, dirfd, pathname, &buffer, flags));
diff --git a/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp
index c2238c0351..c4c8e44d73 100644
--- a/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp
+++ b/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp
@@ -9,9 +9,9 @@ TEST(SyscallExit, newfstatatX_success)
 /*=============================== TRIGGER SYSCALL ===========================*/
- int dirfd = AT_FDCWD;
+ int dirfd = AT_FDCWD;
 const char* pathname = ".";
- struct stat buffer;
+ struct stat buffer;
 int flags = AT_NO_AUTOMOUNT | AT_SYMLINK_NOFOLLOW;
 int32_t res = syscall(__NR_newfstatat, dirfd, pathname, &buffer, flags);
@@ -62,14 +62,14 @@ TEST(SyscallExit, newfstatatX_failure)
 /*=============================== TRIGGER SYSCALL ===========================*/
- int dirfd = AT_FDCWD;
+ int dirfd = AT_FDCWD;
 const char* pathname = "mock_path";
- struct stat buffer;
+ struct stat buffer;
 int flags = AT_NO_AUTOMOUNT | AT_SYMLINK_NOFOLLOW;
 int32_t res = syscall(__NR_newfstatat, dirfd, pathname, &buffer, flags);
 assert_syscall_state(SYSCALL_FAILURE, "newfstatat", res);
- int64_t errno_value = -errno;
+ int64_t errno_value = -errno;
 /*=============================== TRIGGER SYSCALL ===========================*/ From 545e23375c2c016625e8ab476117bcab7d70381e Mon Sep 17 00:00:00 2001 From: Gianmatteo Palmieri Date: Tue, 23 Jan 2024 11:49:57 +0000 Subject: [PATCH 5/6] chore(driver): remove unnecessary comments Signed-off-by: Gianmatteo Palmieri
--- driver/bpf/fillers.h | 7 +------ .../events/syscall_dispatched_events/newfstatat.bpf.c | 6 +----- driver/ppm_fillers.c | 7 +------ .../test_suites/syscall_exit_suite/newfstatat_x.cpp | 6 ------ 4 files changed, 3 insertions(+), 23 deletions(-)
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 329f0bcaa7..27dac483d4 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -7312,12 +7312,7 @@ FILLER(sys_newfstatat_x, true)
 res = bpf_val_to_ring(data, val);
 CHECK_RES(res);
- /* Parameter 4: stat (type: PT_BYTEBUF) */
- /*val = bpf_syscall_get_argument(data, 2);
- res = bpf_push_u32_to_ring(data, val);
- CHECK_RES(res);*/
-
- /* Parameter 5: flags (type: PT_FLAGS32) */
+ /* Parameter 4: flags (type: PT_FLAGS32) */
 uint32_t flags = bpf_syscall_get_argument(data, 3);
 return bpf_push_u32_to_ring(data, newfstatat_flags_to_scap(flags));
 }
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c
index ffd9e27187..9f63846190 100644
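Review bot: In the fillers.h hunk, `uint32_t flags = bpf_syscall_get_argument(data, 3);` narrows the helper's return (presumably unsigned long, given how `val` is declared in this filler) implicitly, whereas the modern-bpf counterpart in this series writes `(uint32_t)extract__syscall_argument(regs, 3)`; `uint32_t flags = (uint32_t)bpf_syscall_get_argument(data, 3);` makes the two fillers read alike. Note also that newfstatat_flags_to_scap is declared with an `int32_t` parameter (see the ppm_flag_helpers.h hunk of patch 6), so the value is converted a second time at the call; harmless for a flag mask, but worth a word in the comment. The FILLER body begins outside the hunk.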
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/newfstatat.bpf.c
@@ -71,11 +71,7 @@ int BPF_PROG(newfstatat_x,
 unsigned long path_pointer = extract__syscall_argument(regs, 1);
 auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER);
- /* Parameter 4: path (type: PT_BYTEBUF) */
- /*unsigned long buf_pointer = extract__syscall_argument(regs, 2);
- auxmap__store_charbuf_param(auxmap, buf_pointer);*/
-
- /* Parameter 5: dev (type: PT_FLAGS32) */
+ /* Parameter 4: dev (type: PT_FLAGS32) */
 uint32_t flags = (uint32_t)extract__syscall_argument(regs, 3);
 auxmap__store_u32_param(auxmap, newfstatat_flags_to_scap(flags));
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index de33fd2e82..7f88746a4e 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -8101,12 +8101,7 @@ int f_sys_newfstatat_x(struct event_filler_arguments *args)
 res = val_to_ring(args, val, 0, true, 0);
 CHECK_RES(res);
- /* Parameter 4: stat (type: PT_BYTEBUF) */
- /*syscall_get_arguments_deprecated(args, 2, 1, &val);
- res = val_to_ring(args, val, 0, true, 0);
- CHECK_RES(res);*/
-
- /* Parameter 5: flags (type: PT_FLAGS32) */
+ /* Parameter 4: flags (type: PT_FLAGS32) */
 syscall_get_arguments_deprecated(args, 3, 1, &val);
 res = val_to_ring(args, newfstatat_flags_to_scap(val), 0, true, 0);
 CHECK_RES(res);
diff --git a/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp
index c4c8e44d73..ad72ba7b58 100644
--- a/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp
+++ b/test/drivers/test_suites/syscall_exit_suite/newfstatat_x.cpp
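Review bot: The renumbered comment still reads `/* Parameter 4: dev (type: PT_FLAGS32) */`, but the value stored on the next line is the newfstatat `flags` argument; `dev` looks carried over from the mknodat filler. The sibling fillers in this same patch (fillers.h and ppm_fillers.c) label the slot `flags`, so `/* Parameter 4: flags (type: PT_FLAGS32) */` keeps the three drivers in step. The BPF_PROG body begins outside the hunk.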
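Review bot: `res = val_to_ring(args, newfstatat_flags_to_scap(val), 0, true, 0);` passes `true` in the position where the neighbouring f_sys_mknod_x/f_sys_mknodat_x fillers (visible in patch 4) pass `false` for their converted numeric values (`mknod_mode_to_scap`, `new_encode_dev`); the argument here is an already-converted kernel value, not user memory. If val_to_ring ignores that argument for PT_FLAGS32 the difference is cosmetic, but `res = val_to_ring(args, newfstatat_flags_to_scap(val), 0, false, 0);` matches the convention and avoids reading as a user-memory copy. f_sys_newfstatat_x's body begins outside the hunk.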
@@ -43,9 +43,6 @@ TEST(SyscallExit, newfstatatX_success)
 /* Parameter 3: name (type: PT_FSPATH) */
 evt_test->assert_charbuf_param(3, pathname);
- /* Parameter 4: stat (type: PT_BYTEBUF) */
- //evt_test->assert_numeric_param(4, );
-
 /* Parameter 4: flags (type: PT_FLAGS32) */
 evt_test->assert_numeric_param(4, (uint32_t)PPM_AT_NO_AUTOMOUNT | PPM_AT_SYMLINK_NOFOLLOW);
@@ -97,9 +94,6 @@ TEST(SyscallExit, newfstatatX_failure)
 /* Parameter 3: name (type: PT_FSPATH) */
 evt_test->assert_charbuf_param(3, pathname);
- /* Parameter 4: stat (type: PT_BYTEBUF) */
- //evt_test->assert_numeric_param(4, );
-
 /* Parameter 4: flags (type: PT_FLAGS32) */
 evt_test->assert_numeric_param(4, (uint32_t)PPM_AT_NO_AUTOMOUNT | PPM_AT_SYMLINK_NOFOLLOW); From 2fd4a7ef8e292ad757908edbd2907c1591fb6800 Mon Sep 17 00:00:00 2001 From: Gianmatteo Palmieri Date: Tue, 23 Jan 2024 11:58:21 +0000 Subject: [PATCH 6/6] chore(driver): add comment about flag definition Signed-off-by: Gianmatteo Palmieri
--- driver/ppm_flag_helpers.h | 1 + 1 file changed, 1 insertion(+)
diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h
index e261bfc15a..acc3282268 100644
--- a/driver/ppm_flag_helpers.h
+++ b/driver/ppm_flag_helpers.h
@@ -1785,6 +1785,7 @@ static __always_inline uint32_t newfstatat_flags_to_scap(int32_t flags)
 {
 uint32_t res = 0;
+ /* AT_SYMLINK_NOFOLLOW was introduced in kernel 2.6.16, we don't need to check if it's defined */
 if (flags & AT_SYMLINK_NOFOLLOW)
 res |= PPM_AT_SYMLINK_NOFOLLOW;