new(driver,userspace/libsinsp): added support for state modifying epoll_create and epoll_create1.

[FedeDP]

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area driver-kmod
/area driver-bpf
/area libsinsp

Does this PR require a change in the driver versions?

Yep, because it adds a new event.

/version driver-SCHEMA-version-minor

What this PR does / why we need it:

Adds support for epoll_create and epoll_create1 syscalls, because they create a FD thus are needed for sinsp state.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new: support `epoll_create` and `epoll_create1` syscalls.

[FedeDP]

Github 503 :/

[jasondellaluce]

LGTM

[Andreagit97]

Probably we need to add them also in the modern probe
/hold

[LucaGuerra]

Would this case fit along the others in the creates_fd_generic test you recently added?

[FedeDP]

Would this case fit along the others in the creates_fd_generic test you recently added?

Done!

Probably we need to add them also in the modern probe

Done!

@LucaGuerra @Andreagit97

[hbrueckner]

Probably we need to add them also in the modern probe

Done!

Awesome @FedeDP . I will look later thru the patch set. Thanks.

[FedeDP]

But epoll_create1 tests are failing and i don't get why :/

[hbrueckner]

But epoll_create1 tests are failing and i don't get why :/

Looks like the syscall passes but does not create an event:

[ RUN      ] SyscallEnter.epoll_create1E
HALLO: fd=245 errno=Success
/root/git/falcosecurity/libs/test/modern_bpf/event_class/event_class.cpp:378: Failure
Failed
There is no event in the buffer.

with using printf("HALLO: fd=%i errno=%s\n", fd, strerror(errno));

[hbrueckner]

@FedeDP Tests pass on s390x:

# ./test/modern_bpf/bpf_test  |grep epoll
[ RUN      ] SyscallExit.epoll_create1X
[       OK ] SyscallExit.epoll_create1X (0 ms)
[ RUN      ] SyscallExit.epoll_createX
[       OK ] SyscallExit.epoll_createX (0 ms)
[ RUN      ] SyscallEnter.epoll_create1E
[       OK ] SyscallEnter.epoll_create1E (0 ms)
[ RUN      ] SyscallEnter.epoll_createE
[       OK ] SyscallEnter.epoll_createE (0 ms)

will review then later.

[hbrueckner]

@FedeDP Reviewed the modern bpf part. Few minor typos and we should map the flags to scap.

[FedeDP]

@hbrueckner fixed everything!

[hbrueckner]

@FedeDP only minor comments for kernel / bpf driver.

[hbrueckner]

@FedeDP other the minors above, this looks good to me.
/lgtm

[FedeDP]

Rebased on top of master.

[poiana]

LGTM label has been added.

Details

Git tree hash: 8daa64dbb061e4f2e87d90f356b29bbf5f80b615

[Andreagit97]

Amazing work as always!

[FedeDP]

@Andreagit97 thanks for your review! Addressed in latest commit!

[Andreagit97]

/approve

[poiana]

LGTM label has been added.

Details

Git tree hash: b57738ff9664e41821f9765b3a8adcd2cbccef33

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, hbrueckner, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[FedeDP]

/unhold