diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
index 7ec1d6db40..ccbccc3dc6 100644
--- a/driver/SCHEMA_VERSION
+++ b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-2.1.0
+2.2.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 2bfdf489ac..6bef353fcd 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -3676,6 +3676,44 @@ FILLER(sys_fsconfig_x, true)
 return res;
 }
+FILLER(sys_epoll_create_e, true)
+{
+ unsigned long size;
+
+ /*
+ * size
+ */
+ size = bpf_syscall_get_argument(data, 0);
+ return bpf_val_to_ring(data, size);
+}
+
+FILLER(sys_epoll_create_x, true)
+{
+ unsigned long retval;
+
+ retval = bpf_syscall_get_retval(data->ctx);
+ return bpf_val_to_ring(data, retval);
+}
+
+FILLER(sys_epoll_create1_e, true)
+{
+ unsigned long flags;
+
+ /*
+ * flags
+ */
+ flags = bpf_syscall_get_argument(data, 0);
+ return bpf_val_to_ring(data, epoll_create1_flags_to_scap(flags));
+}
+
+FILLER(sys_epoll_create1_x, true)
+{
+ unsigned long retval;
+
+ retval = bpf_syscall_get_retval(data->ctx);
+ return bpf_val_to_ring(data, retval);
+}
+
 FILLER(sys_sendfile_e, true)
 {
 unsigned long val;
diff --git a/driver/event_table.c b/driver/event_table.c
index 32c79d9f5c..1a2de74582 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
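Review bot: The comments above the argument reads in sys_epoll_create_e and sys_epoll_create1_e (`/* * size */`, `/* * flags */`) repeat the variable name and say nothing about the parameter's wire type, while the modern BPF programs in this same commit document the same parameters as `/* Parameter 1: size (type: PT_INT32) */` and `/* Parameter 1: flags (type: PT_FLAGS32) */`. Using that form here too would make it visible that `size` is pushed as an `unsigned long` but declared PT_INT32 in event_table.c, so the narrowing is done by the parameter table rather than by the filler. The same comment shape applies to the kernel-module fillers f_sys_epoll_create_e and f_sys_epoll_create1_e in the driver/ppm_fillers.c hunk below. The `unsigned long flags` passed to epoll_create1_flags_to_scap (declared with a `uint32_t` parameter in ppm_flag_helpers.h) is an implicit narrowing; harmless for a 32-bit flags word, but an explicit `(uint32_t)` cast would say so.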
@@ -383,9 +383,13 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 /* PPME_SYSCALL_BPF_2_E */{"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, {{"cmd", PT_INT64, PF_DEC} } },
 /* PPME_SYSCALL_BPF_2_X */{"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, { {"fd", PT_FD, PF_DEC} } },
 /* PPME_SYSCALL_MLOCK2_E */{"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
- /* PPME_SYSCALL_MLOCK2_X */{"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX, mlockall_flags}}},
+ /* PPME_SYSCALL_MLOCK2_X */{"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX, mlock2_flags}}},
 /* PPME_SYSCALL_FSCONFIG_E */{"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_NONE, 0},
 /* PPME_SYSCALL_FSCONFIG_X */{"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_USES_FD, 7, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"cmd", PT_ENUMFLAGS32, PF_DEC, fsconfig_cmds}, {"key", PT_CHARBUF, PF_NA}, {"value_bytebuf", PT_BYTEBUF, PF_NA}, {"value_charbuf", PT_CHARBUF, PF_NA}, {"aux", PT_INT32, PF_DEC}}},
+ /* PPME_SYSCALL_EPOLL_CREATE_E */{"epoll_create", EC_WAIT | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, { {"size", PT_INT32, PF_DEC} } },
+ /* PPME_SYSCALL_EPOLL_CREATE_X */{"epoll_create", EC_WAIT | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, { {"res", PT_ERRNO, PF_DEC} } },
+ /* PPME_SYSCALL_EPOLL_CREATE1_E */{"epoll_create1", EC_WAIT | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, epoll_create1_flags} } },
+ /* PPME_SYSCALL_EPOLL_CREATE1_X */{"epoll_create1", EC_WAIT | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 /* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters.
 * New event types are allowed only for new syscalls or new internal events.
diff --git a/driver/fillers_table.c b/driver/fillers_table.c
index f3a711db0a..3083a7f063 100644
--- a/driver/fillers_table.c
+++ b/driver/fillers_table.c
@@ -337,5 +337,9 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 [PPME_SYSCALL_MLOCK2_X] = {FILLER_REF(sys_mlock2_x)},
 [PPME_SYSCALL_FSCONFIG_E] = {FILLER_REF(sys_empty)},
 [PPME_SYSCALL_FSCONFIG_X] = {FILLER_REF(sys_fsconfig_x)},
+ [PPME_SYSCALL_EPOLL_CREATE_E] = {FILLER_REF(sys_epoll_create_e)},
+ [PPME_SYSCALL_EPOLL_CREATE_X] = {FILLER_REF(sys_epoll_create_x)},
+ [PPME_SYSCALL_EPOLL_CREATE1_E] = {FILLER_REF(sys_epoll_create1_e)},
+ [PPME_SYSCALL_EPOLL_CREATE1_X] = {FILLER_REF(sys_epoll_create1_x)},
 #endif /* WDIG */
 };
diff --git a/driver/flags_table.c b/driver/flags_table.c
index 96c3fe2a18..aa567c6b3e 100644
--- a/driver/flags_table.c
+++ b/driver/flags_table.c
@@ -629,5 +629,10 @@ const struct ppm_name_value fsconfig_cmds[] = {
 {"FSCONFIG_SET_FD", PPM_FSCONFIG_SET_FD},
 {"FSCONFIG_CMD_CREATE", PPM_FSCONFIG_CMD_CREATE},
 {"FSCONFIG_CMD_RECONFIGURE", PPM_FSCONFIG_CMD_RECONFIGURE},
- {0,0},
+ {0, 0},
+};
+
+const struct ppm_name_value epoll_create1_flags[] = {
+ {"EPOLL_CLOEXEC", PPM_EPOLL_CLOEXEC},
+ {0, 0},
 };
\ No newline at end of file
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
index 89eac5dd77..9ad42068ee 100644
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
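Review bot: The PPME_SYSCALL_MLOCK2_X line swaps `mlockall_flags` for `mlock2_flags`, which changes how the flags parameter of an already-existing event is decoded for every consumer and has nothing to do with the epoll additions that the rest of the hunk makes. Unless the commit description (not in this view) calls it out, it is better carried as its own commit so the behaviour change on an existing event stays traceable, especially alongside the SCHEMA_VERSION bump. The four new EPOLL entries are consistent with the fillers in this commit: `size` as PT_INT32 matches `ringbuf__store_s32` in epoll_create.bpf.c, and `flags` as PT_FLAGS32 with the `epoll_create1_flags` table matches `ringbuf__store_u32` in epoll_create1.bpf.c.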
@@ -124,6 +124,10 @@
 #define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
 #define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define FSCONFIG_E_SIZE HEADER_LEN
+#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 /* Generic tracepoints events. */
 #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4
diff --git a/driver/modern_bpf/definitions/missing_definitions.h b/driver/modern_bpf/definitions/missing_definitions.h
index 5b558a9a72..ca0217d87e 100644
--- a/driver/modern_bpf/definitions/missing_definitions.h
+++ b/driver/modern_bpf/definitions/missing_definitions.h
@@ -659,6 +659,12 @@
 #define S_IWOTH 00002
 #define S_IXOTH 00001
+//////////////////////////
+// epoll_create1 flags
+//////////////////////////
+
+#define EPOLL_CLOEXEC 02000000
+
 /*=============================== FLAGS ===========================*/
 /*=============================== PROTOCOL/ADDRESS FAMILIES ===========================*/
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c
new file mode 100644
index 0000000000..efcc98484d
--- /dev/null
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c
@@ -0,0 +1,67 @@
+/*
+* Copyright (C) 2022 The Falco Authors.
+*
+* This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+* or GPL2.txt for full copies of the license.
+*/
+
+#include
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(epoll_create_e,
+ struct pt_regs *regs,
+ long id)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE_E_SIZE))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_EPOLL_CREATE_E, EPOLL_CREATE_E_SIZE);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: size (type: PT_INT32) */
+ s32 size = (s32)extract__syscall_argument(regs, 0);
+ ringbuf__store_s32(&ringbuf, size);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(epoll_create_x,
+ struct pt_regs *regs,
+ long ret)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE_X_SIZE))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_EPOLL_CREATE_X, EPOLL_CREATE_X_SIZE);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ ringbuf__store_s64(&ringbuf, ret);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c
new file mode 100644
index 0000000000..cb4d7167bb
--- /dev/null
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c
@@ -0,0 +1,67 @@
+/*
+* Copyright (C) 2022 The Falco Authors.
+*
+* This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+* or GPL2.txt for full copies of the license.
+ */
+
+#include
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(epoll_create1_e,
+ struct pt_regs *regs,
+ long id)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE1_E_SIZE))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_EPOLL_CREATE1_E, EPOLL_CREATE1_E_SIZE);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: flags (type: PT_FLAGS32) */
+ s32 flags = (s32)extract__syscall_argument(regs, 0);
+ ringbuf__store_u32(&ringbuf, epoll_create1_flags_to_scap(flags));
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(epoll_create1_x,
+ struct pt_regs *regs,
+ long ret)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE1_X_SIZE))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_EPOLL_CREATE1_X, EPOLL_CREATE1_X_SIZE);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ ringbuf__store_s64(&ringbuf, ret);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
index 4e799b107e..0e30892085 100644
--- a/driver/ppm_events_public.h
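Review bot: In epoll_create1_e the flags argument is cast to `s32` and then handed to epoll_create1_flags_to_scap, which this commit declares with a `uint32_t` parameter, and the result goes out through `ringbuf__store_u32`; the signed intermediate adds a sign conversion for no benefit. `u32 flags = (u32)extract__syscall_argument(regs, 0);` keeps the chain unsigned end to end and matches the PT_FLAGS32 type the event table declares, the same way epoll_create.bpf.c uses `s32` for its PT_INT32 parameter. A smaller point of style: this file closes its license header with ` */` while epoll_create.bpf.c, otherwise a copy of this file, closes it with `*/`; worth aligning since the two are meant to be read side by side.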
+++ b/driver/ppm_events_public.h
@@ -705,6 +705,11 @@ or GPL2.txt for full copies of the license.
 #define PPM_FSCONFIG_CMD_CREATE 6
 #define PPM_FSCONFIG_CMD_RECONFIGURE 7
+/*
+ * Epoll_create1 flags
+ */
+#define PPM_EPOLL_CLOEXEC (1 << 0)
+
 /*
 * SuS says limits have to be unsigned.
 * Which makes a ton more sense anyway.
@@ -1170,7 +1175,11 @@ enum ppm_event_type {
 PPME_SYSCALL_MLOCK2_X = 371,
 PPME_SYSCALL_FSCONFIG_E = 372,
 PPME_SYSCALL_FSCONFIG_X = 373,
- PPM_EVENT_MAX = 374
+ PPME_SYSCALL_EPOLL_CREATE_E = 374,
+ PPME_SYSCALL_EPOLL_CREATE_X = 375,
+ PPME_SYSCALL_EPOLL_CREATE1_E = 376,
+ PPME_SYSCALL_EPOLL_CREATE1_X = 377,
+ PPM_EVENT_MAX = 378
 };
 /*@}*/
@@ -1849,6 +1858,7 @@ extern const struct ppm_name_value io_uring_register_opcodes[];
 extern const struct ppm_name_value mlockall_flags[];
 extern const struct ppm_name_value mlock2_flags[];
 extern const struct ppm_name_value fsconfig_cmds[];
+extern const struct ppm_name_value epoll_create1_flags[];
 extern const struct ppm_param_info sockopt_dynamic_param[];
 extern const struct ppm_param_info ptrace_dynamic_param[];
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index d2a39885a8..c4636212cc 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -5239,7 +5239,6 @@ int f_sys_fsconfig_x(struct event_filler_arguments *args)
 unsigned long value_pointer = 0;
 unsigned long aux = 0;
- /* Parameter 1: ret (type: PT_ERRNO) */
 ret = (int64_t)syscall_get_return_value(current, args->regs);
 res = val_to_ring(args, ret, 0, false, 0);
@@ -5349,6 +5348,60 @@ int f_sys_fsconfig_x(struct event_filler_arguments *args)
 return add_sentinel(args);
 }
+int f_sys_epoll_create_e(struct event_filler_arguments *args)
+{
+ unsigned long size;
+ int res;
+
+ /*
+ * size
+ */
+ syscall_get_arguments_deprecated(current, args->regs, 0, 1, &size);
+ res = val_to_ring(args, size, 0, false, 0);
+ CHECK_RES(res);
+
+ return add_sentinel(args);
+}
+
+int f_sys_epoll_create_x(struct event_filler_arguments *args)
+{
+ int64_t retval;
+ int res;
+
+ retval = (int64_t)syscall_get_return_value(current, args->regs);
+ res = val_to_ring(args, retval, 0, false, 0);
+ CHECK_RES(res);
+
+ return add_sentinel(args);
+}
+
+int f_sys_epoll_create1_e(struct event_filler_arguments *args)
+{
+ unsigned long flags;
+ int res;
+
+ /*
+ * flags
+ */
+ syscall_get_arguments_deprecated(current, args->regs, 0, 1, &flags);
+ res = val_to_ring(args, epoll_create1_flags_to_scap(flags), 0, false, 0);
+ CHECK_RES(res);
+
+ return add_sentinel(args);
+}
+
+int f_sys_epoll_create1_x(struct event_filler_arguments *args)
+{
+ int64_t retval;
+ int res;
+
+ retval = (int64_t)syscall_get_return_value(current, args->regs);
+ res = val_to_ring(args, retval, 0, false, 0);
+ CHECK_RES(res);
+
+ return add_sentinel(args);
+}
+
 int f_sys_dup_e(struct event_filler_arguments *args)
 {
 int res;
diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
index 209a72adde..29e7683449 100644
--- a/driver/ppm_fillers.h
+++ b/driver/ppm_fillers.h
@@ -126,14 +126,18 @@ or GPL2.txt for full copies of the license.
 FN(sys_dup_e) \
 FN(sys_dup_x) \
 FN(sched_prog_exec) \
- FN(sched_prog_exec_2) \
- FN(sched_prog_exec_3) \
- FN(sched_prog_exec_4) \
+ FN(sched_prog_exec_2) \
+ FN(sched_prog_exec_3) \
+ FN(sched_prog_exec_4) \
 FN(sched_prog_fork) \
- FN(sched_prog_fork_2) \
- FN(sched_prog_fork_3) \
+ FN(sched_prog_fork_2) \
+ FN(sched_prog_fork_3) \
 FN(sys_mlock2_x) \
 FN(sys_fsconfig_x) \
+ FN(sys_epoll_create_e) \
+ FN(sys_epoll_create_x) \
+ FN(sys_epoll_create1_e) \
+ FN(sys_epoll_create1_x) \
 FN(terminate_filler)
 #define FILLER_ENUM_FN(x) PPM_FILLER_##x,
diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h
index 222b5c47bd..4ce243b0b5 100644
--- a/driver/ppm_flag_helpers.h
+++ b/driver/ppm_flag_helpers.h
@@ -1881,6 +1881,16 @@ static __always_inline u32 dup3_flags_to_scap(unsigned long flags)
 return res;
 }
+static __always_inline uint32_t epoll_create1_flags_to_scap(uint32_t flags)
+{
+ uint32_t res = 0;
+#ifdef EPOLL_CLOEXEC
+ if (flags & EPOLL_CLOEXEC)
+ res |= PPM_EPOLL_CLOEXEC;
+#endif
+ return res;
+}
+
 #endif // !WDIG
 #endif /* PPM_FLAG_HELPERS_H_ */
diff --git a/driver/syscall_table.c b/driver/syscall_table.c
index c5a0ec210b..1a7d4e7bfb 100644
--- a/driver/syscall_table.c
+++ b/driver/syscall_table.c
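Review bot: Wrapping the only flag test in epoll_create1_flags_to_scap in `#ifdef EPOLL_CLOEXEC` means a build where the macro is not visible still compiles, but then every epoll_create1 event is reported with flags 0, so a missing definition shows up as a silent gap in captures rather than as a build error. The modern BPF side gets the value from the missing_definitions.h hunk in this commit and the kernel module presumably from `<linux/eventpoll.h>`; if the guard is deliberate for some driver that lacks both, a comment such as `/* EPOLL_CLOEXEC: linux/eventpoll.h (kmod) or missing_definitions.h (modern BPF) */` would record where it is expected from, otherwise dropping the `#ifdef` lets the compiler catch the missing include. The body of dup3_flags_to_scap starts above the hunk, so I can't tell whether this guard mirrors an existing pattern there. Secondary: the ppm_fillers.h hunk re-indents five unrelated `FN(sched_prog_*)` lines, which is pure whitespace noise in a functional commit.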
@@ -417,6 +417,12 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_fsconfig
 [__NR_fsconfig - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FSCONFIG_E, PPME_SYSCALL_FSCONFIG_X, PPM_SC_FSCONFIG},
+#endif
+#ifdef __NR_epoll_create
+ [__NR_epoll_create - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE_E, PPME_SYSCALL_EPOLL_CREATE_X, PPM_SC_EPOLL_CREATE},
+#endif
+#ifdef __NR_epoll_create1
+ [__NR_epoll_create1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE1_E, PPME_SYSCALL_EPOLL_CREATE1_X, PPM_SC_EPOLL_CREATE1},
 #endif
 [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
 [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -579,7 +585,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 [__NR_utimensat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UTIMENSAT},
 [__NR_timerfd_settime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMERFD_SETTIME},
 [__NR_timerfd_gettime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMERFD_GETTIME},
- [__NR_epoll_create1 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CREATE1},
 [__NR_rt_tgsigqueueinfo - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_TGSIGQUEUEINFO},
 [__NR_perf_event_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PERF_EVENT_OPEN},
 #ifdef __NR_fanotify_init
@@ -891,9 +896,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_uselib
 [__NR_uselib - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_USELIB},
 #endif
-#ifdef __NR_epoll_create
- [__NR_epoll_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CREATE},
-#endif
 #ifdef __NR_lchown
 [__NR_lchown - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LCHOWN},
 #endif
@@ -1218,6 +1220,12 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_ia32_fsconfig
 [__NR_ia32_fsconfig - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FSCONFIG_E, PPME_SYSCALL_FSCONFIG_X, PPM_SC_FSCONFIG},
+#endif
+#ifdef __NR_ia32_epoll_create
+ [__NR_ia32_epoll_create - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE_E, PPME_SYSCALL_EPOLL_CREATE_X, PPM_SC_EPOLL_CREATE},
+#endif
+#ifdef __NR_ia32_epoll_create1
+ [__NR_ia32_epoll_create1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE1_E, PPME_SYSCALL_EPOLL_CREATE1_X, PPM_SC_EPOLL_CREATE1},
 #endif
 [__NR_ia32_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
 [__NR_ia32_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -1380,7 +1388,6 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 [__NR_ia32_utimensat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UTIMENSAT},
 [__NR_ia32_timerfd_settime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMERFD_SETTIME},
 [__NR_ia32_timerfd_gettime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMERFD_GETTIME},
- [__NR_ia32_epoll_create1 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CREATE1},
 [__NR_ia32_rt_tgsigqueueinfo - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_TGSIGQUEUEINFO},
 [__NR_ia32_perf_event_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PERF_EVENT_OPEN},
 #ifdef __NR_ia32_fanotify_init
@@ -1680,9 +1687,6 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ia32_pselect6
 [__NR_ia32_pselect6 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PSELECT6},
 #endif
-#ifdef __NR_ia32_epoll_create
- [__NR_ia32_epoll_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CREATE},
-#endif
 #ifdef __NR_ia32_lchown
 [__NR_ia32_lchown - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LCHOWN},
 #endif
diff --git a/test/modern_bpf/test_suites/syscall_enter_suite/epoll_create1_e.cpp b/test/modern_bpf/test_suites/syscall_enter_suite/epoll_create1_e.cpp
new file mode 100644
index 0000000000..846d5c6373
--- /dev/null
+++ b/test/modern_bpf/test_suites/syscall_enter_suite/epoll_create1_e.cpp
@@ -0,0 +1,42 @@
+#include "../../event_class/event_class.h"
+#include
+
+#if defined(__NR_epoll_create1) && defined(__NR_close)
+TEST(SyscallEnter, epoll_create1E)
+{
+ auto evt_test = get_syscall_event_test(__NR_epoll_create1, ENTER_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int32_t flags = EPOLL_CLOEXEC;
+ int32_t fd = syscall(__NR_epoll_create1, flags);
+ assert_syscall_state(SYSCALL_SUCCESS, "epoll_create1", fd, NOT_EQUAL, -1);
+ syscall(__NR_close, fd);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: flags (type: PT_FLAGS32) */
+ evt_test->assert_numeric_param(1, PPM_EPOLL_CLOEXEC);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(1);
+}
+#endif
diff --git a/test/modern_bpf/test_suites/syscall_enter_suite/epoll_create_e.cpp b/test/modern_bpf/test_suites/syscall_enter_suite/epoll_create_e.cpp
new file mode 100644
index 0000000000..cdd90bc87e
--- /dev/null
+++ b/test/modern_bpf/test_suites/syscall_enter_suite/epoll_create_e.cpp
@@ -0,0 +1,41 @@
+#include "../../event_class/event_class.h"
+
+#if defined(__NR_epoll_create) && defined(__NR_close)
+TEST(SyscallEnter, epoll_createE)
+{
+ auto evt_test = get_syscall_event_test(__NR_epoll_create, ENTER_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int32_t size = 1024;
+ int32_t fd = syscall(__NR_epoll_create, size);
+ assert_syscall_state(SYSCALL_SUCCESS, "epoll_create", fd, NOT_EQUAL, -1);
+ syscall(__NR_close, fd);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: size (type: PT_INT32) */
+ evt_test->assert_numeric_param(1, size);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(1);
+}
+#endif
diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/epoll_create1_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/epoll_create1_x.cpp
new file mode 100644
index 0000000000..e3051a2e81
--- /dev/null
+++ b/test/modern_bpf/test_suites/syscall_exit_suite/epoll_create1_x.cpp
@@ -0,0 +1,41 @@
+#include "../../event_class/event_class.h"
+
+#if defined(__NR_epoll_create1) && defined(__NR_close)
+TEST(SyscallExit, epoll_create1X)
+{
+ auto evt_test = get_syscall_event_test(__NR_epoll_create1, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int32_t flags = 0;
+ int32_t fd = syscall(__NR_epoll_create1, flags);
+ assert_syscall_state(SYSCALL_SUCCESS, "epoll_create1", fd, NOT_EQUAL, -1);
+ syscall(__NR_close, fd);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO) */
+ evt_test->assert_numeric_param(1, (int64_t)fd);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(1);
+}
+#endif
diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/epoll_create_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/epoll_create_x.cpp
new file mode 100644
index 0000000000..f9856ae40a
--- /dev/null
+++ b/test/modern_bpf/test_suites/syscall_exit_suite/epoll_create_x.cpp
@@ -0,0 +1,41 @@
+#include "../../event_class/event_class.h"
+
+#if defined(__NR_epoll_create) && defined(__NR_close)
+TEST(SyscallExit, epoll_createX)
+{
+ auto evt_test = get_syscall_event_test(__NR_epoll_create, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int32_t size = 1024;
+ int32_t fd = syscall(__NR_epoll_create, size);
+ assert_syscall_state(SYSCALL_SUCCESS, "epoll_create", fd, NOT_EQUAL, -1);
+ syscall(__NR_close, fd);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO) */
+ evt_test->assert_numeric_param(1, (int64_t)fd);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(1);
+}
+#endif
diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h
index cae00e93ee..0e76fa91c8 100644
--- a/userspace/libpman/src/events_prog_names.h
+++ b/userspace/libpman/src/events_prog_names.h
@@ -177,6 +177,10 @@ static const char* event_prog_names[PPM_EVENT_MAX] = {
 [PPME_SOCKET_SHUTDOWN_X] = "shutdown_x",
 [PPME_SYSCALL_FSCONFIG_E] = "fsconfig_e",
 [PPME_SYSCALL_FSCONFIG_X] = "fsconfig_x",
+ [PPME_SYSCALL_EPOLL_CREATE_E] = "epoll_create_e",
+ [PPME_SYSCALL_EPOLL_CREATE_X] = "epoll_create_x",
+ [PPME_SYSCALL_EPOLL_CREATE1_E] = "epoll_create1_e",
+ [PPME_SYSCALL_EPOLL_CREATE1_X] = "epoll_create1_x",
 };
 /* Some events can require more than one bpf program to collect all the data. */
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
index 29bb209d43..46c4e60afa 100644
--- a/userspace/libsinsp/parsers.cpp
+++ b/userspace/libsinsp/parsers.cpp
@@ -431,6 +431,10 @@ void sinsp_parser::process_event(sinsp_evt *evt)
 case PPME_SYSCALL_IO_URING_SETUP_X:
 parse_single_param_fd_exit(evt, SCAP_FD_IOURING);
 break;
+ case PPME_SYSCALL_EPOLL_CREATE_X:
+ case PPME_SYSCALL_EPOLL_CREATE1_X:
+ parse_single_param_fd_exit(evt, SCAP_FD_EVENTPOLL);
+ break;
 case PPME_SYSCALL_GETRLIMIT_X:
 case PPME_SYSCALL_SETRLIMIT_X:
 parse_getrlimit_setrlimit_exit(evt);
diff --git a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp
index bb27c49545..797a6aa1fd 100644
--- a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp
+++ b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp
@@ -263,6 +263,14 @@ std::set ordered_sinsp_state_ppm_sc_set{
 #ifdef __NR_vfork
 PPM_SC_VFORK,
 #endif
+
+#ifdef __NR_epoll_create
+ PPM_SC_EPOLL_CREATE,
+#endif
+
+#ifdef __NR_epoll_create1
+ PPM_SC_EPOLL_CREATE1,
+#endif
 };
 /* This test asserts that `enforce_sinsp_state_ppm_sc` correctly retrieves
diff --git a/userspace/libsinsp/test/sinsp.ut.cpp b/userspace/libsinsp/test/sinsp.ut.cpp
index f10fe25319..733c321656 100644
--- a/userspace/libsinsp/test/sinsp.ut.cpp
+++ b/userspace/libsinsp/test/sinsp.ut.cpp
@@ -706,6 +706,18 @@ TEST_F(sinsp_with_test_input, creates_fd_generic)
 ASSERT_EQ(get_field_as_string(evt, "fd.type"), "io_uring");
 ASSERT_EQ(get_field_as_string(evt, "fd.typechar"), "r");
 ASSERT_EQ(get_field_as_string(evt, "fd.num"), "10");
+
+ add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_EPOLL_CREATE_E, 1, 0);
+ evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_EPOLL_CREATE_X, 1, 11);
+ ASSERT_EQ(get_field_as_string(evt, "fd.type"), "eventpoll");
+ ASSERT_EQ(get_field_as_string(evt, "fd.typechar"), "l");
+ ASSERT_EQ(get_field_as_string(evt, "fd.num"), "11");
+
+ add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_EPOLL_CREATE1_E, 1, 0);
+ evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_EPOLL_CREATE1_X, 1, 12);
+ ASSERT_EQ(get_field_as_string(evt, "fd.type"), "eventpoll");
+ ASSERT_EQ(get_field_as_string(evt, "fd.typechar"), "l");
+ ASSERT_EQ(get_field_as_string(evt, "fd.num"), "12");
 }
 TEST_F(sinsp_with_test_input, spawn_process)
diff --git a/userspace/libsinsp/test/table/event_table.cpp b/userspace/libsinsp/test/table/event_table.cpp
index c508479377..10188dd04f 100644
--- a/userspace/libsinsp/test/table/event_table.cpp
+++ b/userspace/libsinsp/test/table/event_table.cpp
@@ -2,7 +2,7 @@
 #include
 /* These numbers must be updated when we add new events */
-#define SYSCALL_EVENTS_NUM 328
+#define SYSCALL_EVENTS_NUM 332
 #define TRACEPOINT_EVENTS_NUM 6
 #define METAEVENTS_NUM 19
 #define PLUGIN_EVENTS_NUM 1