new(driver,userspace): automatically generate syscall_info_table entries at startup time

driver/syscall_table.c

@@ -697,13 +697,13 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_shmat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMAT},
 #endif
 #ifdef __NR_rt_sigreturn
-	[__NR_rt_sigreturn - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGRETURN},
+	[__NR_rt_sigreturn - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGRETURN},
 #endif
 #ifdef __NR_fallocate
 	[__NR_fallocate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FALLOCATE},
 #endif
 #ifdef __NR_newfstatat
-	[__NR_newfstatat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NEWFSSTAT},
+	[__NR_newfstatat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NEWFSTATAT},
 #endif
 #ifdef __NR_finit_module
 	[__NR_finit_module - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FINIT_MODULE},
@@ -720,6 +720,81 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_socketcall
 	[__NR_socketcall - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SOCKETCALL },
 #endif
+#ifdef __NR_fspick
+	[__NR_fspick - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSPICK},
+#endif
+#ifdef __NR_fsmount
+	[__NR_fsmount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSMOUNT},
+#endif
+#ifdef __NR_fsopen
+	[__NR_fsopen - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSOPEN},
+#endif
+#ifdef __NR_open_tree
+	[__NR_open_tree - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OPEN_TREE},
+#endif
+#ifdef __NR_move_mount
+	[__NR_move_mount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_MOUNT},
+#endif
+#ifdef __NR_mount_setattr
+	[__NR_mount_setattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOUNT_SETATTR},
+#endif
+#ifdef __NR_memfd_create
+	[__NR_memfd_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_CREATE},
+#endif
+#ifdef __NR_memfd_secret
+	[__NR_memfd_secret - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_SECRET},
+#endif
+#ifdef __NR_ioperm
+	[__NR_ioperm - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPERM},
+#endif
+#ifdef __NR_kexec_file_load
+	[__NR_kexec_file_load - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEXEC_FILE_LOAD},
+#endif
+#ifdef __NR_pidfd_getfd
+	[__NR_pidfd_getfd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_GET_FD},
+#endif
+#ifdef __NR_pidfd_open
+	[__NR_pidfd_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_OPEN},
+#endif
+#ifdef __NR_pidfd_send_signal
+	[__NR_pidfd_send_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_SEND_SIGNAL},
+#endif
+#ifdef __NR_pkey_alloc
+	[__NR_pkey_alloc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_ALLOC},
+#endif
+#ifdef __NR_pkey_mprotect
+	[__NR_pkey_mprotect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_MPROTECT},
+#endif
+#ifdef __NR_pkey_free
+	[__NR_pkey_free - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_FREE},
+#endif
+#ifdef __NR_landlock_create_ruleset
+	[__NR_landlock_create_ruleset - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_CREATE_RULESET},
+#endif
+#ifdef __NR_quotactl_fd
+	[__NR_quotactl_fd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_QUOTACTL_FD},
+#endif
+#ifdef __NR_landlock_restrict_self
+	[__NR_landlock_restrict_self - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_RESTRICT_SELF},
+#endif
+#ifdef __NR_landlock_add_rule
+	[__NR_landlock_add_rule - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_ADD_RULE},
+#endif
+#ifdef __NR_epoll_pwait2
+	[__NR_epoll_pwait2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_PWAIT2},
+#endif
+#ifdef __NR_migrate_pages
+	[__NR_migrate_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MIGRATE_PAGES},
+#endif
+#ifdef __NR_move_pages
+	[__NR_move_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_PAGES},
+#endif
+#ifdef __NR_preadv2
+	[__NR_preadv2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PREADV2},
+#endif
+#ifdef __NR_pwritev2
+	[__NR_pwritev2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PWRITEV2},
+#endif
 };
 
 #ifdef CONFIG_IA32_EMULATION
@@ -1319,13 +1394,13 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_ia32_shmat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMAT},
 #endif
 #ifdef __NR_ia32_rt_sigreturn
-	[__NR_ia32_rt_sigreturn - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGRETURN},
+	[__NR_ia32_rt_sigreturn - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGRETURN},
 #endif
 #ifdef __NR_ia32_fallocate
 	[__NR_ia32_fallocate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FALLOCATE},
 #endif
 #ifdef __NR_ia32_newfstatat
-	[__NR_ia32_newfstatat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NEWFSSTAT},
+	[__NR_ia32_newfstatat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NEWFSTATAT},
 #endif
 #ifdef __NR_ia32_finit_module
 	[__NR_ia32_finit_module - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FINIT_MODULE},
@@ -1339,6 +1414,81 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ia32_fadvise64
 	[__NR_ia32_fadvise64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FADVISE64},
 #endif
+#ifdef __NR_ia32_fspick
+	[__NR_ia32_fspick - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSPICK},
+#endif
+#ifdef __NR_ia32_fsmount
+	[__NR_ia32_fsmount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSMOUNT},
+#endif
+#ifdef __NR_ia32_fsopen
+	[__NR_ia32_fsopen - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSOPEN},
+#endif
+#ifdef __NR_ia32_open_tree
+	[__NR_ia32_open_tree - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OPEN_TREE},
+#endif
+#ifdef __NR_ia32_move_mount
+	[__NR_ia32_move_mount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_MOUNT},
+#endif
+#ifdef __NR_ia32_mount_setattr
+	[__NR_ia32_mount_setattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOUNT_SETATTR},
+#endif
+#ifdef __NR_ia32_memfd_create
+	[__NR_ia32_memfd_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_CREATE},
+#endif
+#ifdef __NR_ia32_memfd_secret
+	[__NR_ia32_memfd_secret - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_SECRET},
+#endif
+#ifdef __NR_ia32_ioperm
+	[__NR_ia32_ioperm - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPERM},
+#endif
+#ifdef __NR_ia32_kexec_file_load
+	[__NR_ia32_kexec_file_load - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEXEC_FILE_LOAD},
+#endif
+#ifdef __NR_ia32_pidfd_getfd
+	[__NR_ia32_pidfd_getfd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_GET_FD},
+#endif
+#ifdef __NR_ia32_pidfd_open
+	[__NR_ia32_pidfd_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_OPEN},
+#endif
+#ifdef __NR_ia32_pidfd_send_signal
+	[__NR_ia32_pidfd_send_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_SEND_SIGNAL},
+#endif
+#ifdef __NR_ia32_pkey_alloc
+	[__NR_ia32_pkey_alloc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_ALLOC},
+#endif
+#ifdef __NR_ia32_pkey_mprotect
+	[__NR_ia32_pkey_mprotect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_MPROTECT},
+#endif
+#ifdef __NR_ia32_pkey_free
+	[__NR_ia32_pkey_free - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_FREE},
+#endif
+#ifdef __NR_ia32_landlock_create_ruleset
+	[__NR_ia32_landlock_create_ruleset - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_CREATE_RULESET},
+#endif
+#ifdef __NR_ia32_quotactl_fd
+	[__NR_ia32_quotactl_fd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_QUOTACTL_FD},
+#endif
+#ifdef __NR_ia32_landlock_restrict_self
+	[__NR_ia32_landlock_restrict_self - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_RESTRICT_SELF},
+#endif
+#ifdef __NR_ia32_landlock_add_rule
+	[__NR_ia32_landlock_add_rule - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_ADD_RULE},
+#endif
+#ifdef __NR_ia32_epoll_pwait2
+	[__NR_ia32_epoll_pwait2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_PWAIT2},
+#endif
+#ifdef __NR_ia32_migrate_pages
+	[__NR_ia32_migrate_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MIGRATE_PAGES},
+#endif
+#ifdef __NR_ia32_move_pages
+	[__NR_ia32_move_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_PAGES},
+#endif
+#ifdef __NR_ia32_preadv2
+	[__NR_ia32_preadv2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PREADV2},
+#endif
+#ifdef __NR_ia32_pwritev2
+	[__NR_ia32_pwritev2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PWRITEV2},
+#endif	
 };
 
 #endif /* CONFIG_IA32_EMULATION */

userspace/libscap/examples/01-open/scap_open.c

@@ -44,24 +44,25 @@ limitations under the License.
 #define PRINT_SYSCALLS_OPTION "--print_syscalls"
 #define PRINT_HELP_OPTION "--help"
 
-extern const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX];
 extern const struct ppm_event_info g_event_info[PPM_EVENT_MAX];
 extern const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE];
 
+static const struct ppm_syscall_desc *g_syscall_info_table;
+
 /* Engine params */
-struct scap_bpf_engine_params bpf_params = {0};
-struct scap_kmod_engine_params kmod_params = {0};
-struct scap_modern_bpf_engine_params modern_bpf_params = {0};
-struct scap_savefile_engine_params savefile_params = {0};
+static struct scap_bpf_engine_params bpf_params;
+static struct scap_kmod_engine_params kmod_params;
+static struct scap_modern_bpf_engine_params modern_bpf_params;
+static struct scap_savefile_engine_params savefile_params;
 
 /* Configuration variables set through CLI. */
-uint64_t num_events = UINT64_MAX; /* max number of events to catch. */
-int evt_type = -1;		  /* event type to print. */
-bool ppm_sc_is_set = 0;
-bool tp_is_set = 0;
-unsigned long buffer_bytes_dim = DEFAULT_DRIVER_BUFFER_BYTES_DIM;
+static uint64_t num_events = UINT64_MAX; /* max number of events to catch. */
+static int evt_type = -1;		  /* event type to print. */
+static bool ppm_sc_is_set = 0;
+static bool tp_is_set = 0;
+static unsigned long buffer_bytes_dim = DEFAULT_DRIVER_BUFFER_BYTES_DIM;
 
-int simple_set[] = {
+static int simple_set[] = {
 	PPM_SC_ACCEPT,
 	PPM_SC_ACCEPT4,
 	PPM_SC_BIND,
@@ -146,14 +147,14 @@ int simple_set[] = {
 };
 
 /* Generic global variables. */
-scap_open_args oargs = {.engine_name = UNKNOWN_ENGINE};			    /* scap oargs used in `scap_open`. */
-uint64_t g_nevts = 0;							    /* total number of events captured. */
-scap_t* g_h = NULL;							    /* global scap handler. */
-uint16_t* lens16 = NULL;						    /* pointer used to print the length of event params. */
-char* valptr = NULL; /* pointer used to print the value of event params. */ /* pointer used to print the value of event params. */
-struct timeval tval_start, tval_end, tval_result;
-unsigned long number_of_timeouts = 0; /* Times in which there were no events in the buffer. */
-unsigned long number_of_scap_next = 0; /* Times in which the 'scap-next' method is called. */
+static scap_open_args oargs = {.engine_name = UNKNOWN_ENGINE};			    /* scap oargs used in `scap_open`. */
+static uint64_t g_nevts = 0;							    /* total number of events captured. */
+static scap_t* g_h = NULL;							    /* global scap handler. */
+static uint16_t* lens16 = NULL;						    /* pointer used to print the length of event params. */
+static char* valptr = NULL; /* pointer used to print the value of event params. */ /* pointer used to print the value of event params. */
+static struct timeval tval_start, tval_end, tval_result;
+static unsigned long number_of_timeouts; /* Times in which there were no events in the buffer. */
+static unsigned long number_of_scap_next; /* Times in which the 'scap-next' method is called. */
 
 /*=============================== PRINT SUPPORTED SYSCALLS ===========================*/
 
@@ -302,7 +303,7 @@ bool validate_syscalls()
 		/* If the syscall has `UF_NEVER_DROP` flag we must have its name inside the
 		 * `g_syscall_info_table`.
 		 */
-		if((g_syscall_table[syscall_id].flags & UF_NEVER_DROP) && !g_syscall_info_table[ppm_syscall_code].name)
+		if((g_syscall_table[syscall_id].flags & UF_NEVER_DROP) && g_syscall_info_table[ppm_syscall_code].name[0] == 0)
 		{
 			printf("ERROR: the syscall with real id `%d` has a `UF_NEVER_DROP` syscall in `g_syscall_table` but not a name in the `g_syscall_info_table`.\n", syscall_id);
 			success = false;
@@ -990,6 +991,8 @@ int main(int argc, char** argv)
 		return EXIT_FAILURE;
 	}
 
+	g_syscall_info_table = scap_get_syscall_info_table();
+
 	parse_CLI_options(argc, argv);
 
 	print_scap_source();

userspace/libscap/scap-int.h

@@ -302,9 +302,7 @@ int32_t scap_os_getpid_global(struct scap_engine_handle engine, int64_t *pid, ch
 
 extern const struct syscall_evt_pair g_syscall_table[];
 extern const struct ppm_event_info g_event_info[];
-extern const struct ppm_syscall_desc g_syscall_info_table[];
 extern const struct ppm_event_entry g_ppm_events[];
-extern bool validate_info_table_size();
 
 //
 // udig stuff

userspace/libscap/scap.c

@@ -1248,6 +1248,19 @@ int scap_get_events_from_ppm_sc(IN uint32_t ppm_sc_array[PPM_SC_MAX], OUT uint32
 	return SCAP_SUCCESS;
 }
 
+int scap_native_id_to_ppm_sc(int native_id)
+{
+#ifdef __linux__
+	if (native_id < 0 || native_id >= SYSCALL_TABLE_SIZE)
+	{
+		return -1;
+	}
+	return g_syscall_table[native_id].ppm_sc;
+#else
+	return -1;
+#endif
+}
+
 int scap_get_modifies_state_tracepoints(OUT uint32_t tp_array[TP_VAL_MAX])
 {
 	if(tp_array == NULL)

userspace/libscap/scap.h

@@ -522,8 +522,7 @@ typedef struct scap_dumper scap_dumper_t;
 */
 struct ppm_syscall_desc {
 	enum ppm_event_category category; /**< System call category. */
-	enum ppm_event_flags flags;
-	char *name; /**< System call name, e.g. 'open'. */
+	char name[PPM_MAX_NAME_LEN]; /**< System call name, e.g. 'open'. */
 };
 
 /*!
@@ -848,6 +847,11 @@ int scap_get_modifies_state_ppm_sc(OUT uint32_t ppm_sc_array[PPM_SC_MAX]);
 */
 int scap_get_events_from_ppm_sc(IN uint32_t ppm_sc_array[PPM_SC_MAX], OUT uint32_t events_array[PPM_EVENT_MAX]);
 
+/*!
+  \brief Convert a native syscall nr to ppm_sc
+*/
+int scap_native_id_to_ppm_sc(int native_id);
+
 /*!
   \brief Returns the set of minimum tracepoints required by `libsinsp` state.
 */

userspace/libscap/scap_event.c

@@ -35,7 +35,6 @@ limitations under the License.
 //
 const struct ppm_event_info* scap_get_event_info_table()
 {
-	ASSERT(validate_info_table_size());
 	return g_event_info;
 }