falcosecurity · poiana · Oct 31, 2022 · Sep 12, 2022 · Sep 13, 2022 · Sep 13, 2022
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-2.1.0
+2.2.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -3676,6 +3676,44 @@ FILLER(sys_fsconfig_x, true)
 	return res;
 }
 
+FILLER(sys_epoll_create_e, true)
+{
+	unsigned long size;
+
+	/*
+	 * size
+	 */
+	size = bpf_syscall_get_argument(data, 0);
+	return bpf_val_to_ring(data, size);
+}
+
+FILLER(sys_epoll_create_x, true)
+{
+	unsigned long retval;
+
+	retval = bpf_syscall_get_retval(data->ctx);
+	return bpf_val_to_ring(data, retval);
+}
+
+FILLER(sys_epoll_create1_e, true)
+{
+	unsigned long flags;
+
+	/*
+	 * flags
+	 */
+	flags = bpf_syscall_get_argument(data, 0);
+	return bpf_val_to_ring(data, epoll_create1_flags_to_scap(flags));
+}
+
+FILLER(sys_epoll_create1_x, true)
+{
+	unsigned long retval;
+
+	retval = bpf_syscall_get_retval(data->ctx);
+	return bpf_val_to_ring(data, retval);
+}
+
 FILLER(sys_sendfile_e, true)
 {
 	unsigned long val;

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -383,9 +383,13 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_BPF_2_E */{"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, {{"cmd", PT_INT64, PF_DEC} } },
 	/* PPME_SYSCALL_BPF_2_X */{"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, { {"fd", PT_FD, PF_DEC} } },
 	/* PPME_SYSCALL_MLOCK2_E */{"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
-	/* PPME_SYSCALL_MLOCK2_X */{"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX, mlockall_flags}}},
+	/* PPME_SYSCALL_MLOCK2_X */{"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX, mlock2_flags}}},
 	/* PPME_SYSCALL_FSCONFIG_E */{"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_NONE, 0},
 	/* PPME_SYSCALL_FSCONFIG_X */{"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_USES_FD, 7, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"cmd", PT_ENUMFLAGS32, PF_DEC, fsconfig_cmds}, {"key", PT_CHARBUF, PF_NA}, {"value_bytebuf", PT_BYTEBUF, PF_NA}, {"value_charbuf", PT_CHARBUF, PF_NA}, {"aux", PT_INT32, PF_DEC}}},
+	/* PPME_SYSCALL_EPOLL_CREATE_E */{"epoll_create", EC_WAIT | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, { {"size", PT_INT32, PF_DEC} } },
+	/* PPME_SYSCALL_EPOLL_CREATE_X */{"epoll_create", EC_WAIT | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, { {"res", PT_ERRNO, PF_DEC} } },
+	/* PPME_SYSCALL_EPOLL_CREATE1_E */{"epoll_create1", EC_WAIT | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, epoll_create1_flags} } },
+	/* PPME_SYSCALL_EPOLL_CREATE1_X */{"epoll_create1", EC_WAIT | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 
 	/* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters.
 	 *     New event types are allowed only for new syscalls or new internal events.

diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -337,5 +337,9 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_MLOCK2_X] = {FILLER_REF(sys_mlock2_x)},
 	[PPME_SYSCALL_FSCONFIG_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_FSCONFIG_X] = {FILLER_REF(sys_fsconfig_x)},
+	[PPME_SYSCALL_EPOLL_CREATE_E] = {FILLER_REF(sys_epoll_create_e)},
+	[PPME_SYSCALL_EPOLL_CREATE_X] = {FILLER_REF(sys_epoll_create_x)},
+	[PPME_SYSCALL_EPOLL_CREATE1_E] = {FILLER_REF(sys_epoll_create1_e)},
+	[PPME_SYSCALL_EPOLL_CREATE1_X] = {FILLER_REF(sys_epoll_create1_x)},
 #endif /* WDIG */
 };
diff --git a/driver/flags_table.c b/driver/flags_table.c
@@ -629,5 +629,10 @@ const struct ppm_name_value fsconfig_cmds[] = {
 	{"FSCONFIG_SET_FD", PPM_FSCONFIG_SET_FD},
 	{"FSCONFIG_CMD_CREATE", PPM_FSCONFIG_CMD_CREATE},
 	{"FSCONFIG_CMD_RECONFIGURE", PPM_FSCONFIG_CMD_RECONFIGURE},
-	{0,0},
+	{0, 0},
+};
+
+const struct ppm_name_value epoll_create1_flags[] = {
+	{"EPOLL_CLOEXEC", PPM_EPOLL_CLOEXEC},
+	{0, 0},
 };
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -124,6 +124,10 @@
 #define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
 #define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define FSCONFIG_E_SIZE HEADER_LEN
+#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
+#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 
 /* Generic tracepoints events. */
 #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4

diff --git a/driver/modern_bpf/definitions/missing_definitions.h b/driver/modern_bpf/definitions/missing_definitions.h
@@ -659,6 +659,12 @@
 #define S_IWOTH 00002
 #define S_IXOTH 00001
 
+//////////////////////////
+// epoll_create1 flags
+//////////////////////////
+
+#define EPOLL_CLOEXEC 02000000
+
 /*=============================== FLAGS ===========================*/
 
 /*=============================== PROTOCOL/ADDRESS FAMILIES ===========================*/

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c
@@ -0,0 +1,67 @@
+/*
+* Copyright (C) 2022 The Falco Authors.
+*
+* This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+* or GPL2.txt for full copies of the license.
+*/
+
+#include <helpers/interfaces/fixed_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(epoll_create_e,
+	    struct pt_regs *regs,
+	    long id)
+{
+       struct ringbuf_struct ringbuf;
+       if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE_E_SIZE))
+       {
+	       return 0;
+       }
+
+       ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_EPOLL_CREATE_E, EPOLL_CREATE_E_SIZE);
+
+       /*=============================== COLLECT PARAMETERS  ===========================*/
+
+       /* Parameter 1: size (type: PT_INT32) */
+       s32 size = (s32)extract__syscall_argument(regs, 0);
+       ringbuf__store_s32(&ringbuf, size);
+
+       /*=============================== COLLECT PARAMETERS  ===========================*/
+
+       ringbuf__submit_event(&ringbuf);
+
+       return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(epoll_create_x,
+	    struct pt_regs *regs,
+	    long ret)
+{
+       struct ringbuf_struct ringbuf;
+       if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE_X_SIZE))
+       {
+	       return 0;
+       }
+
+       ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_EPOLL_CREATE_X, EPOLL_CREATE_X_SIZE);
+
+       /*=============================== COLLECT PARAMETERS  ===========================*/
+
+       /* Parameter 1: res (type: PT_ERRNO)*/
+       ringbuf__store_s64(&ringbuf, ret);
+
+       /*=============================== COLLECT PARAMETERS  ===========================*/
+
+       ringbuf__submit_event(&ringbuf);
+
+       return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c
@@ -0,0 +1,67 @@
+/*
+* Copyright (C) 2022 The Falco Authors.
+*
+* This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+* or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(epoll_create1_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE1_E_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_EPOLL_CREATE1_E, EPOLL_CREATE1_E_SIZE);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: flags (type: PT_FLAGS32) */
+	s32 flags = (s32)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, epoll_create1_flags_to_scap(flags));
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(epoll_create1_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, EPOLL_CREATE1_X_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_EPOLL_CREATE1_X, EPOLL_CREATE1_X_SIZE);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO)*/
+	ringbuf__store_s64(&ringbuf, ret);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -705,6 +705,11 @@ or GPL2.txt for full copies of the license.
 #define PPM_FSCONFIG_CMD_CREATE	6
 #define PPM_FSCONFIG_CMD_RECONFIGURE	7
 
+/*
+ * Epoll_create1 flags
+ */
+#define PPM_EPOLL_CLOEXEC       (1 << 0)
+
 /*
  * SuS says limits have to be unsigned.
  * Which makes a ton more sense anyway.
@@ -1170,7 +1175,11 @@ enum ppm_event_type {
 	PPME_SYSCALL_MLOCK2_X = 371,
 	PPME_SYSCALL_FSCONFIG_E = 372,
 	PPME_SYSCALL_FSCONFIG_X = 373,
-	PPM_EVENT_MAX = 374
+	PPME_SYSCALL_EPOLL_CREATE_E = 374,
+	PPME_SYSCALL_EPOLL_CREATE_X = 375,
+	PPME_SYSCALL_EPOLL_CREATE1_E = 376,
+	PPME_SYSCALL_EPOLL_CREATE1_X = 377,
+	PPM_EVENT_MAX = 378
 };
 /*@}*/
 
@@ -1849,6 +1858,7 @@ extern const struct ppm_name_value io_uring_register_opcodes[];
 extern const struct ppm_name_value mlockall_flags[];
 extern const struct ppm_name_value mlock2_flags[];
 extern const struct ppm_name_value fsconfig_cmds[];
+extern const struct ppm_name_value epoll_create1_flags[];
 
 extern const struct ppm_param_info sockopt_dynamic_param[];
 extern const struct ppm_param_info ptrace_dynamic_param[];

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -5239,7 +5239,6 @@ int f_sys_fsconfig_x(struct event_filler_arguments *args)
 	unsigned long value_pointer = 0;
 	unsigned long aux = 0;
 
-
 	/* Parameter 1: ret (type: PT_ERRNO) */
 	ret = (int64_t)syscall_get_return_value(current, args->regs);
 	res = val_to_ring(args, ret, 0, false, 0);
@@ -5349,6 +5348,60 @@ int f_sys_fsconfig_x(struct event_filler_arguments *args)
 	return add_sentinel(args);
 }
 
+int f_sys_epoll_create_e(struct event_filler_arguments *args)
+{
+	unsigned long size;
+	int res;
+
+	/*
+	 * size
+	 */
+	syscall_get_arguments_deprecated(current, args->regs, 0, 1, &size);
+	res = val_to_ring(args, size, 0, false, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
+int f_sys_epoll_create_x(struct event_filler_arguments *args)
+{
+	int64_t retval;
+	int res;
+
+	retval = (int64_t)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
+int f_sys_epoll_create1_e(struct event_filler_arguments *args)
+{
+	unsigned long flags;
+	int res;
+
+	/*
+	 * flags
+	 */
+	syscall_get_arguments_deprecated(current, args->regs, 0, 1, &flags);
+	res = val_to_ring(args, epoll_create1_flags_to_scap(flags), 0, false, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
+int f_sys_epoll_create1_x(struct event_filler_arguments *args)
+{
+	int64_t retval;
+	int res;
+
+	retval = (int64_t)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 int f_sys_dup_e(struct event_filler_arguments *args)
 {
 	int res;

diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
@@ -126,14 +126,18 @@ or GPL2.txt for full copies of the license.
 	FN(sys_dup_e)				\
 	FN(sys_dup_x)				\
 	FN(sched_prog_exec)			\
-	FN(sched_prog_exec_2)		\
-	FN(sched_prog_exec_3)		\
-	FN(sched_prog_exec_4)		\
+	FN(sched_prog_exec_2)		        \
+	FN(sched_prog_exec_3)		        \
+	FN(sched_prog_exec_4)		        \
 	FN(sched_prog_fork)			\
-	FN(sched_prog_fork_2)		\
-	FN(sched_prog_fork_3)		\
+	FN(sched_prog_fork_2)		        \
+	FN(sched_prog_fork_3)		        \
 	FN(sys_mlock2_x)			\
         FN(sys_fsconfig_x)			\
+        FN(sys_epoll_create_e)                  \
+        FN(sys_epoll_create_x)                  \
+        FN(sys_epoll_create1_e)                 \
+        FN(sys_epoll_create1_x)                 \
 	FN(terminate_filler)
 
 #define FILLER_ENUM_FN(x) PPM_FILLER_##x,

diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h
@@ -1881,6 +1881,16 @@ static __always_inline u32 dup3_flags_to_scap(unsigned long flags)
 	return res;
 }
 
+static __always_inline uint32_t epoll_create1_flags_to_scap(uint32_t flags)
+{
+	uint32_t res = 0;
+#ifdef EPOLL_CLOEXEC
+	if (flags & EPOLL_CLOEXEC)
+		res |= PPM_EPOLL_CLOEXEC;
+#endif
+	return res;
+}
+
 #endif // !WDIG
 
 #endif /* PPM_FLAG_HELPERS_H_ */