update(drivers): add cmd to exit events

Signed-off-by: rohith-raju <[email protected]>

driver/bpf/fillers.h

@@ -5568,7 +5568,12 @@ FILLER(sys_quotactl_x, true)
 		quota_fmt_out = quotactl_fmt_to_scap(tmp);
 	}
 
-	return bpf_push_u8_to_ring(data, quota_fmt_out);
+	/*
+	* cmd
+	*/
+	bpf_push_u8_to_ring(data, quota_fmt_out);
+
+	return bpf_push_u16_to_ring(data, cmd);
 }
 
 FILLER(sys_semget_e, true)
@@ -5634,6 +5639,22 @@ FILLER(sys_semctl_e, true)
 	return bpf_push_s32_to_ring(data, val);
 }
 
+FILLER (sys_semctl_x, true)
+{
+	unsigned long val = 0;
+	long retval;
+	int res;
+
+	/* Parameter 1: res (PT_ERRNO) */
+	retval = bpf_syscall_get_retval(data->ctx);
+	res =  bpf_push_s64_to_ring(data, (s64)retval);
+	CHECK_RES(res);
+
+	/* Parameter 2: cmd (PT_FLAGS16) */
+	val = bpf_syscall_get_argument(data, 2);
+	return bpf_push_u16_to_ring(data, semctl_cmd_to_scap(val));
+}
+
 FILLER(sys_ptrace_e, true)
 {
 

driver/event_table.c

@@ -241,7 +241,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_SENDFILE_E] = {"sendfile", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD, 4, {{"out_fd", PT_FD, PF_DEC}, {"in_fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC}, {"size", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_SENDFILE_X] = {"sendfile", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD, 2, {{"res", PT_ERRNO, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_QUOTACTL_E] = {"quotactl", EC_USER | EC_SYSCALL, EF_NONE, 4, {{"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds }, {"type", PT_FLAGS8, PF_DEC, quotactl_types}, {"id", PT_UINT32, PF_DEC}, {"quota_fmt", PT_FLAGS8, PF_DEC, quotactl_quota_fmts } } },
-	[PPME_SYSCALL_QUOTACTL_X] = {"quotactl", EC_USER | EC_SYSCALL, EF_NONE, 14, {{"res", PT_ERRNO, PF_DEC}, {"special", PT_CHARBUF, PF_NA }, {"quotafilepath", PT_CHARBUF, PF_NA}, {"dqb_bhardlimit", PT_UINT64, PF_DEC }, {"dqb_bsoftlimit", PT_UINT64, PF_DEC }, {"dqb_curspace", PT_UINT64, PF_DEC }, {"dqb_ihardlimit", PT_UINT64, PF_DEC }, {"dqb_isoftlimit", PT_UINT64, PF_DEC }, {"dqb_btime", PT_RELTIME, PF_DEC }, {"dqb_itime", PT_RELTIME, PF_DEC }, {"dqi_bgrace", PT_RELTIME, PF_DEC }, {"dqi_igrace", PT_RELTIME, PF_DEC }, {"dqi_flags", PT_FLAGS8, PF_DEC, quotactl_dqi_flags }, {"quota_fmt_out", PT_FLAGS8, PF_DEC, quotactl_quota_fmts } } },
+	[PPME_SYSCALL_QUOTACTL_X] = {"quotactl", EC_USER | EC_SYSCALL, EF_NONE, 15, {{"res", PT_ERRNO, PF_DEC}, {"special", PT_CHARBUF, PF_NA }, {"quotafilepath", PT_CHARBUF, PF_NA}, {"dqb_bhardlimit", PT_UINT64, PF_DEC }, {"dqb_bsoftlimit", PT_UINT64, PF_DEC }, {"dqb_curspace", PT_UINT64, PF_DEC }, {"dqb_ihardlimit", PT_UINT64, PF_DEC }, {"dqb_isoftlimit", PT_UINT64, PF_DEC }, {"dqb_btime", PT_RELTIME, PF_DEC }, {"dqb_itime", PT_RELTIME, PF_DEC }, {"dqi_bgrace", PT_RELTIME, PF_DEC }, {"dqi_igrace", PT_RELTIME, PF_DEC }, {"dqi_flags", PT_FLAGS8, PF_DEC, quotactl_dqi_flags }, {"quota_fmt_out", PT_FLAGS8, PF_DEC, quotactl_quota_fmts }, {"cmd", PT_FLAGS16, PF_DEC, quotactl_cmds }} },
 	[PPME_SYSCALL_SETRESUID_E] = {"setresuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"ruid", PT_UID, PF_DEC }, {"euid", PT_UID, PF_DEC }, {"suid", PT_UID, PF_DEC } } },
 	[PPME_SYSCALL_SETRESUID_X] = {"setresuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	[PPME_SYSCALL_SETRESGID_E] = {"setresgid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"rgid", PT_GID, PF_DEC }, {"egid", PT_GID, PF_DEC }, {"sgid", PT_GID, PF_DEC } } },
@@ -303,7 +303,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_SEMOP_E] = {"semop", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"semid", PT_INT32, PF_DEC} } },
 	[PPME_SYSCALL_SEMOP_X] = {"semop", EC_PROCESS | EC_SYSCALL, EF_NONE, 8, {{"res", PT_ERRNO, PF_DEC}, {"nsops", PT_UINT32, PF_DEC}, {"sem_num_0", PT_UINT16, PF_DEC}, {"sem_op_0", PT_INT16, PF_DEC}, {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags}, {"sem_num_1", PT_UINT16, PF_DEC}, {"sem_op_1", PT_INT16, PF_DEC}, {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags} } },
 	[PPME_SYSCALL_SEMCTL_E] = {"semctl", EC_PROCESS | EC_SYSCALL, EF_NONE, 4, {{"semid", PT_INT32, PF_DEC}, {"semnum", PT_INT32, PF_DEC}, {"cmd", PT_FLAGS16, PF_HEX, semctl_commands}, {"val", PT_INT32, PF_DEC} } },
-	[PPME_SYSCALL_SEMCTL_X] = {"semctl", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	[PPME_SYSCALL_SEMCTL_X] = {"semctl", EC_PROCESS | EC_SYSCALL, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"cmd", PT_FLAGS16, PF_HEX, semctl_commands} } },
 	[PPME_SYSCALL_PPOLL_E] = {"ppoll", EC_WAIT | EC_SYSCALL, EF_WAITS, 3, {{"fds", PT_FDLIST, PF_DEC}, {"timeout", PT_RELTIME, PF_DEC}, {"sigmask", PT_SIGSET, PF_DEC} } },
 	[PPME_SYSCALL_PPOLL_X] = {"ppoll", EC_WAIT | EC_SYSCALL, EF_WAITS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } },
 	[PPME_SYSCALL_MOUNT_E] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } },

driver/fillers_table.c

@@ -227,7 +227,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_SEMOP_E] = {FILLER_REF(sys_single)},
 	[PPME_SYSCALL_SEMOP_X] = {FILLER_REF(sys_semop_x)},
 	[PPME_SYSCALL_SEMCTL_E] = {FILLER_REF(sys_semctl_e)},
-	[PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_single_x)},
+	[PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_semctl_x)},
 	[PPME_SYSCALL_PPOLL_E] = {FILLER_REF(sys_ppoll_e)},
 	[PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */
 	[PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},

driver/modern_bpf/definitions/events_dimensions.h

@@ -189,7 +189,7 @@
 #define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
 #define SEMGET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN 
 #define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
-#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
 #define SELECT_E_SIZE HEADER_LEN
 #define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SPLICE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 4

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c

@@ -94,7 +94,7 @@ int BPF_PROG(quotactl_x,
 	unsigned long special_pointer = extract__syscall_argument(regs, 1);
 	auxmap__store_charbuf_param(auxmap, special_pointer, MAX_PATH, USER);
 
-	int32_t cmd = (int32_t)extract__syscall_argument(regs, 0);
+	uint32_t cmd = (uint32_t)extract__syscall_argument(regs, 0);
 	u16 scap_cmd = quotactl_cmd_to_scap(cmd);
 
 	/* The `addr` argument is the address of an optional, command-
@@ -242,6 +242,9 @@ int BPF_PROG(quotactl_x,
 	}
 	auxmap__store_u8_param(auxmap, quota_fmt_out);
 
+	/* Parameter 16: cmd (PT_FLAG16) */
+	auxmap__store_u16_param(auxmap, scap_cmd);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semctl.bpf.c

@@ -70,6 +70,10 @@ int BPF_PROG(semctl_x,
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, (s64)ret);
 
+	/* Parameter 2: cmd (type: PT_FLAG16)*/
+	u16 cmd = (u16)extract__syscall_argument(regs, 2);
+	ringbuf__store_u16(&ringbuf, semctl_cmd_to_scap(cmd));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/ppm_fillers.c

@@ -6272,8 +6272,16 @@ int f_sys_quotactl_x(struct event_filler_arguments *args)
 		quota_fmt_out = quotactl_fmt_to_scap(quota_fmt_out);
 	}
 	res = val_to_ring(args, quota_fmt_out, 0, false, 0);
-	CHECK_RES(res);
+	if (unlikely(res != PPM_SUCCESS))
+		return res;
 
+	/*
+	* cmd
+	*/
+	res = val_to_ring(args, cmd, 0, false, 0);
+	if (unlikely(res != PPM_SUCCESS))
+	return res;
+
 	return add_sentinel(args);
 }
 
@@ -6673,6 +6681,25 @@ int f_sys_semctl_e(struct event_filler_arguments *args)
 	else
 		val = 0;
 	res = val_to_ring(args, val, 0, true, 0);
+	if (unlikely(res != PPM_SUCCESS))
+		return res;
+
+	return add_sentinel(args);
+}
+
+int f_sys_semctl_x(struct event_filler_arguments *args)
+{
+	unsigned long val = 0;
+	int res;
+
+	/* Parameter 1: res (PT_ERRNO) */
+	res = (int64_t) syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, res, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: cmd (PT_FLAGS16)*/
+	syscall_get_arguments_deprecated(args, 2, 1, &val);
+	res = val_to_ring(args, semctl_cmd_to_scap(val), 0, true ,0);
 	CHECK_RES(res);
 
 	return add_sentinel(args);

driver/ppm_fillers.h

@@ -97,6 +97,7 @@ or GPL2.txt for full copies of the license.
 	FN(sys_semop_x)				\
 	FN(sys_semget_e)			\
 	FN(sys_semctl_e)			\
+	FN(sys_semctl_x)            \
 	FN(sys_ppoll_e)				\
 	FN(sys_mount_e)				\
 	FN(sys_access_e)			\

test/drivers/test_suites/syscall_exit_suite/quotactl_x.cpp

@@ -81,9 +81,12 @@ TEST(SyscallExit, quotactlX)
 	/* Parameter 14: quota_fmt_out (type: PT_FLAGS8) */
 	evt_test->assert_numeric_param(14, (uint8_t)PPM_QFMT_NOT_USED);
 
+	/* Parameter 15: cmd (type: PT_FLAG16) */
+	evt_test->assert_numeric_param(15, (uint16_t)PPM_Q_SYNC);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(14);
+	evt_test->assert_num_params_pushed(15);
 }
 
 /// TODO: Probably we can add further tests on this exit event

test/drivers/test_suites/syscall_exit_suite/semctl_x.cpp

@@ -41,8 +41,11 @@ TEST(SyscallExit, semctlX)
 	/* Parameter 1: res (type: PT_ERRNO) */
 	evt_test->assert_numeric_param(1, (int64_t)errno_value);
 
+	/* Parameter 2: cmd (type: PT_FLAGS16) */
+	evt_test->assert_numeric_param(2, (uint16_t)PPM_SETVAL);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(1);
+	evt_test->assert_num_params_pushed(2);
 }
 #endif