wip: chore: minor improvements; mainly: dropped g_syscall_code_routing_table and added an m4 script to automatically create syscall tables (normal + ia32)

cmake/modules/CompilerFlags.cmake

@@ -25,7 +25,7 @@ if(NOT WIN32)
 		set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
 	endif()
 
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS}")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS} -std=gnu99")
 	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS} -std=c++0x")
 
 	set(CMAKE_C_FLAGS_DEBUG "${FALCOSECURITY_LIBS_DEBUG_FLAGS}")

driver/.gitignore

@@ -0,0 +1 @@
+syscall_table.c

driver/CMakeLists.txt

@@ -60,6 +60,15 @@ configure_file(dkms.conf.in src/dkms.conf)
 configure_file(Makefile.in src/Makefile)
 configure_file(driver_config.h.in src/driver_config.h)
 
+# Find m4 executable to compile our syscall_table.m4 script into syscall_table.c
+find_program(M4_EXECUTABLE m4 DOC "The M4 macro processor, used to automatically generate syscall_table.c" REQUIRED)
+# Run at cmake time
+execute_process(COMMAND ${M4_EXECUTABLE} syscall_table.m4
+		OUTPUT_FILE syscall_table.c
+		WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+# Keep it in sync with its m4 script
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS syscall_table.m4)
+
 set(DRIVER_SOURCES
 	dynamic_params_table.c
 	event_table.c

driver/bpf/fillers.h

@@ -2751,24 +2751,25 @@ FILLER(sys_unshare_e, true)
 
 FILLER(sys_generic, true)
 {
-	long *scap_id;
+	int sysdig_id;
 	int native_id;
 	int res;
+	const struct syscall_evt_pair *sc_evt;
 
 	native_id = bpf_syscall_get_nr(data->ctx);
-	scap_id = bpf_map_lookup_elem(&syscall_code_routing_table, &native_id);
-	if (!scap_id) {
+	sc_evt = get_syscall_info(native_id);
+	if (!sc_evt) {
 		bpf_printk("no routing for syscall %d\n", native_id);
 		return PPM_FAILURE_BUG;
 	}
-
-	if (*scap_id == PPM_SC_UNKNOWN)
+	sysdig_id = sc_evt->ppm_code;
+	if (sysdig_id == PPM_SC_UNKNOWN)
 		bpf_printk("no syscall for id %d\n", native_id);
 
 	/*
 	 * id
 	 */
-	res = bpf_val_to_ring(data, *scap_id);
+	res = bpf_val_to_ring(data, sysdig_id);
 	if (res != PPM_SUCCESS)
 		return res;
 

driver/bpf/maps.h

@@ -34,13 +34,6 @@ struct bpf_map_def __bpf_section("maps") tail_map = {
 	.max_entries = PPM_FILLER_MAX,
 };
 
-struct bpf_map_def __bpf_section("maps") syscall_code_routing_table = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(u32),
-	.value_size = sizeof(u64),
-	.max_entries = SYSCALL_TABLE_SIZE,
-};
-
 struct bpf_map_def __bpf_section("maps") syscall_table = {
 	.type = BPF_MAP_TYPE_ARRAY,
 	.key_size = sizeof(u32),

driver/bpf/types.h

@@ -171,19 +171,18 @@ struct perf_event_sample {
 
 #endif /* __KERNEL__ */
 
-enum scap_map_types {
+enum sysdig_map_types {
 	SCAP_PERF_MAP = 0,
 	SCAP_TAIL_MAP = 1,
-	SCAP_SYSCALL_CODE_ROUTING_TABLE = 2,
-	SCAP_SYSCALL_TABLE = 3,
-	SCAP_EVENT_INFO_TABLE = 4,
-	SCAP_FILLERS_TABLE = 5,
-	SCAP_FRAME_SCRATCH_MAP = 6,
-	SCAP_TMP_SCRATCH_MAP = 7,
-	SCAP_SETTINGS_MAP = 8,
-	SCAP_LOCAL_STATE_MAP = 9,
+	SCAP_SYSCALL_TABLE = 2,
+	SCAP_EVENT_INFO_TABLE = 3,
+	SCAP_FILLERS_TABLE = 4,
+	SCAP_FRAME_SCRATCH_MAP = 5,
+	SCAP_TMP_SCRATCH_MAP = 6,
+	SCAP_SETTINGS_MAP = 7,
+	SCAP_LOCAL_STATE_MAP = 8,
 #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
-	SCAP_STASH_MAP = 10,
+	SCAP_STASH_MAP = 9,
 #endif
 };
 

driver/main.c

@@ -89,7 +89,7 @@ struct event_data_t {
 		struct {
 			struct pt_regs *regs;
 			long id;
-			const enum ppm_syscall_code *cur_g_syscall_code_routing_table;
+			const struct syscall_evt_pair *cur_g_syscall_table;
 		} syscall_data;
 
 		struct {
@@ -1753,12 +1753,12 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 		if (event_datap->category == PPMC_SYSCALL) {
 			args.regs = event_datap->event_info.syscall_data.regs;
 			args.syscall_id = event_datap->event_info.syscall_data.id;
-			args.cur_g_syscall_code_routing_table = event_datap->event_info.syscall_data.cur_g_syscall_code_routing_table;
+			args.cur_g_syscall_table = event_datap->event_info.syscall_data.cur_g_syscall_table;
 			args.compat = event_datap->compat;
 		} else {
 			args.regs = NULL;
 			args.syscall_id = -1;
-			args.cur_g_syscall_code_routing_table = NULL;
+			args.cur_g_syscall_table = NULL;
 			args.compat = false;
 		}
 
@@ -1923,7 +1923,6 @@ TRACEPOINT_PROBE(syscall_enter_probe, struct pt_regs *regs, long id)
 {
 	long table_index;
 	const struct syscall_evt_pair *cur_g_syscall_table = g_syscall_table;
-	const enum ppm_syscall_code *cur_g_syscall_code_routing_table = g_syscall_code_routing_table;
 	bool compat = false;
 #ifdef __NR_socketcall
 	int socketcall_syscall = __NR_socketcall;
@@ -1942,7 +1941,6 @@ TRACEPOINT_PROBE(syscall_enter_probe, struct pt_regs *regs, long id)
 	if (unlikely(task_thread_info(current)->status & TS_COMPAT)) {
 #endif
 		cur_g_syscall_table = g_syscall_ia32_table;
-		cur_g_syscall_code_routing_table = g_syscall_ia32_code_routing_table;
 		socketcall_syscall = __NR_ia32_socketcall;
 		compat = true;
 	}
@@ -1980,7 +1978,7 @@ TRACEPOINT_PROBE(syscall_enter_probe, struct pt_regs *regs, long id)
 		event_data.category = PPMC_SYSCALL;
 		event_data.event_info.syscall_data.regs = regs;
 		event_data.event_info.syscall_data.id = id;
-		event_data.event_info.syscall_data.cur_g_syscall_code_routing_table = cur_g_syscall_code_routing_table;
+		event_data.event_info.syscall_data.cur_g_syscall_table = cur_g_syscall_table;
 		event_data.socketcall_syscall = socketcall_syscall;
 		event_data.compat = compat;
 
@@ -1996,7 +1994,6 @@ TRACEPOINT_PROBE(syscall_exit_probe, struct pt_regs *regs, long ret)
 	int id;
 	long table_index;
 	const struct syscall_evt_pair *cur_g_syscall_table = g_syscall_table;
-	const enum ppm_syscall_code *cur_g_syscall_code_routing_table = g_syscall_code_routing_table;
 	bool compat = false;
 #ifdef __NR_socketcall
 	int socketcall_syscall = __NR_socketcall;
@@ -2019,7 +2016,6 @@ TRACEPOINT_PROBE(syscall_exit_probe, struct pt_regs *regs, long ret)
 	if (unlikely((task_thread_info(current)->status & TS_COMPAT) && id != __NR_execve)) {
 #endif
 		cur_g_syscall_table = g_syscall_ia32_table;
-		cur_g_syscall_code_routing_table = g_syscall_ia32_code_routing_table;
 		socketcall_syscall = __NR_ia32_socketcall;
 		compat = true;
 	}
@@ -2057,7 +2053,7 @@ TRACEPOINT_PROBE(syscall_exit_probe, struct pt_regs *regs, long ret)
 		event_data.category = PPMC_SYSCALL;
 		event_data.event_info.syscall_data.regs = regs;
 		event_data.event_info.syscall_data.id = id;
-		event_data.event_info.syscall_data.cur_g_syscall_code_routing_table = cur_g_syscall_code_routing_table;
+		event_data.event_info.syscall_data.cur_g_syscall_table = cur_g_syscall_table;
 		event_data.socketcall_syscall = socketcall_syscall;
 		event_data.compat = compat;
 

driver/ppm.h

@@ -131,11 +131,9 @@ long ppm_strncpy_from_user(char *to, const char __user *from, unsigned long n);
 
 extern const struct syscall_evt_pair g_syscall_table[];
 extern const struct ppm_event_info g_event_info[];
-extern const enum ppm_syscall_code g_syscall_code_routing_table[];
 
 #if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION)
 extern const struct syscall_evt_pair g_syscall_ia32_table[];
-extern const enum ppm_syscall_code g_syscall_ia32_code_routing_table[];
 #endif
 
 #ifndef UDIG

driver/ppm_events.h

@@ -41,7 +41,7 @@ struct event_filler_arguments {
 	char *buffer; /* the buffer that will be filled with the data */
 	u32 buffer_size; /* the space in the ring buffer available for this event */
 	u32 syscall_id; /* the system call ID */
-	const enum ppm_syscall_code *cur_g_syscall_code_routing_table;
+	const struct syscall_evt_pair *cur_g_syscall_table;
 #ifdef PPM_ENABLE_SENTINEL
 	u32 sentinel;
 #endif

driver/ppm_events_public.h

@@ -1618,6 +1618,7 @@ struct ppm_evt_hdr {
 	uint32_t len; /* the event len, including the header */
 	uint16_t type; /* the event type */
 	uint32_t nparams; /* the number of parameters of the event */
+	uint8_t payload[]; /* Flexible array member for event payload, ie: both len headers + event data */
 };
 #if defined __sun
 #pragma pack()
@@ -1740,6 +1741,7 @@ struct syscall_evt_pair {
 	int flags;
 	enum ppm_event_type enter_event_type;
 	enum ppm_event_type exit_event_type;
+	enum ppm_syscall_code ppm_code;
 } _packed;
 
 #define SYSCALL_TABLE_SIZE 512

driver/ppm_fillers.c

@@ -119,7 +119,7 @@ int f_sys_generic(struct event_filler_arguments *args)
 {
 	int res;
 	long table_index = args->syscall_id - SYSCALL_TABLE_ID0;
-	const enum ppm_syscall_code *cur_g_syscall_code_routing_table = args->cur_g_syscall_code_routing_table;
+	const struct syscall_evt_pair *cur_g_syscall_table = args->cur_g_syscall_table;
 
 #ifdef _HAS_SOCKETCALL
 	if (unlikely(args->syscall_id == args->socketcall_syscall)) {
@@ -137,7 +137,7 @@ int f_sys_generic(struct event_filler_arguments *args)
 
 	if (likely(table_index >= 0 &&
 		   table_index <  SYSCALL_TABLE_SIZE)) {
-		enum ppm_syscall_code sc_code = cur_g_syscall_code_routing_table[table_index];
+		enum ppm_syscall_code sc_code = cur_g_syscall_table[table_index].ppm_code;
 
 		/*
 		 * ID