update: retain original parameter order

Signed-off-by: rohith-raju <[email protected]>
falcosecurity · Oct 16, 2023 · a630808 · a630808
1 parent 757b912
commit a630808
Show file tree

Hide file tree

Showing 8 changed files with 88 additions and 78 deletions.
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-2.12.2
+2.12.3
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -1089,11 +1089,6 @@ FILLER(sys_setrlrimit_x, true)
 	res = bpf_push_s64_to_ring(data, retval);
 	CHECK_RES(res);
 
-	/* Parameter 2: resource (type: PT_ERRNO) */
-	unsigned long resource = bpf_syscall_get_argument(data, 0);
-	res = bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource));
-	CHECK_RES(res);
-
 	/*
 	 * Copy the user structure and extract cur and max
 	 */
@@ -1112,12 +1107,17 @@ FILLER(sys_setrlrimit_x, true)
 		max = -1;
 	}
 
-	/* Parameter 3: cur (type: PT_ERRNO) */
+	/* Parameter 2: cur (type: PT_ERRNO) */
 	res = bpf_push_s64_to_ring(data, cur);
 	CHECK_RES(res);
 
-	/* Parameter 4: max (type: PT_ERRNO) */
-	return bpf_push_s64_to_ring(data, max);
+	/* Parameter 3: max (type: PT_ERRNO) */
+	res = bpf_push_s64_to_ring(data, max);
+	CHECK_RES(res);
+
+	/* Parameter 4: resource (type: PT_ERRNO) */
+	unsigned long resource = bpf_syscall_get_argument(data, 0);
+	return bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource));
 }
 
 FILLER(sys_connect_e, true)
@@ -3864,23 +3864,11 @@ FILLER(sys_prlimit_x, true)
 	s64 oldmax;
 	int res;
 
-	/*
-	 * res
-	 */
+	/* Parameter 1: res */
 	retval = bpf_syscall_get_retval(data->ctx);
 	res = bpf_push_s64_to_ring(data, retval);
 	CHECK_RES(res);
 
-	/* Parameter 1: pid */
-	pid_t pid = bpf_syscall_get_argument(data, 0);
-	res = bpf_push_s64_to_ring(data, (s64)pid);
-	CHECK_RES(res);
-
-	/* Parameter 2: resource */
-	unsigned long resource = bpf_syscall_get_argument(data, 1);
-	res = bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource));
-	CHECK_RES(res);
-
 	/*
 	 * Copy the user structure and extract cur and max
 	 */
@@ -3907,20 +3895,30 @@ FILLER(sys_prlimit_x, true)
 		oldmax = rl.rlim_max;
 	}
 
-	/* Parameter 3: newcur */
+	/* Parameter 2: newcur */
 	res = bpf_push_s64_to_ring(data, newcur);
 	CHECK_RES(res);
 
-	/* Parameter 4: newmax */
+	/* Parameter 3: newmax */
 	res = bpf_push_s64_to_ring(data, newmax);
 	CHECK_RES(res);
 
-	/* Parameter 5: oldcur */
+	/* Parameter 4: oldcur */
 	res = bpf_push_s64_to_ring(data, oldcur);
 	CHECK_RES(res);
 
 	/* Parameter 5: oldmax */
-	return bpf_push_s64_to_ring(data, oldmax);
+	res = bpf_push_s64_to_ring(data, oldmax);
+	CHECK_RES(res);
+
+	/* Parameter 6: pid */
+	pid_t pid = bpf_syscall_get_argument(data, 0);
+	res = bpf_push_s64_to_ring(data, (s64)pid);
+	CHECK_RES(res);
+
+	/* Parameter 7: resource */
+	unsigned long resource = bpf_syscall_get_argument(data, 1);
+	return bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource));
 }
 
 FILLER(sys_pwritev_e, true)

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -193,9 +193,9 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_GETRLIMIT_E] = {"getrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
 	[PPME_SYSCALL_GETRLIMIT_X] = {"getrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
 	[PPME_SYSCALL_SETRLIMIT_E] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
-	[PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
+	[PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC},{"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
 	[PPME_SYSCALL_PRLIMIT_E] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 2, {{"pid", PT_PID, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
-	[PPME_SYSCALL_PRLIMIT_X] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 7, {{"res", PT_ERRNO, PF_DEC}, {"pid", PT_INT64, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC}} },
+	[PPME_SYSCALL_PRLIMIT_X] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 7, {{"res", PT_ERRNO, PF_DEC}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC}, {"pid", PT_INT64, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
 	[PPME_SCHEDSWITCH_1_E] = {"switch", EC_SCHEDULER | EC_TRACEPOINT, EF_SKIPPARSERESET | EF_OLD_VERSION, 1, {{"next", PT_PID, PF_DEC} } },
 	[PPME_SCHEDSWITCH_1_X] = {"NA", EC_UNKNOWN, EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION, 0},
 	[PPME_DROP_E] = {"drop", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET, 1, {{"ratio", PT_UINT32, PF_DEC} } },

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c
@@ -62,22 +62,14 @@ int BPF_PROG(prlimit64_x,
 	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: pid (type: PT_PID) */
-	pid_t pid = (s32)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (s64)pid);
-
-	/* Parameter 3: resource (type: PT_ENUMFLAGS8) */
-	unsigned long resource = extract__syscall_argument(regs, 1);
-	ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));
-
 	struct rlimit new_rlimit = {0};
 	unsigned long rlimit_pointer = extract__syscall_argument(regs, 2);
 	bpf_probe_read_user((void *)&new_rlimit, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer);
 
-	/* Parameter 4: newcur (type: PT_INT64) */
+	/* Parameter 2: newcur (type: PT_INT64) */
 	ringbuf__store_s64(&ringbuf, new_rlimit.rlim_cur);
 
-	/* Parameter 5: newmax (type: PT_INT64) */
+	/* Parameter 3: newmax (type: PT_INT64) */
 	ringbuf__store_s64(&ringbuf, new_rlimit.rlim_max);
 
 	/* We take the old `rlimit` only if the syscall is successful otherwise this
@@ -90,12 +82,20 @@ int BPF_PROG(prlimit64_x,
 		bpf_probe_read_user((void *)&old_rlimit, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer);
 	}
 
-	/* Parameter 6: oldcur (type: PT_INT64) */
+	/* Parameter 4: oldcur (type: PT_INT64) */
 	ringbuf__store_s64(&ringbuf, old_rlimit.rlim_cur);
 
-	/* Parameter 7: oldmax (type: PT_INT64) */
+	/* Parameter 5: oldmax (type: PT_INT64) */
 	ringbuf__store_s64(&ringbuf, old_rlimit.rlim_max);
 
+	/* Parameter 6: pid (type: PT_PID) */
+	pid_t pid = (s32)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, (s64)pid);
+
+	/* Parameter 7: resource (type: PT_ENUMFLAGS8) */
+	unsigned long resource = extract__syscall_argument(regs, 1);
+	ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setrlimit.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setrlimit.bpf.c
@@ -58,20 +58,20 @@ int BPF_PROG(setrlimit_x,
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: resource (type: PT_ENUMFLAGS8) */
-	unsigned long resource = extract__syscall_argument(regs, 0);
-	ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));
-
 	struct rlimit rl = {0};
 	unsigned long rlimit_pointer = extract__syscall_argument(regs, 1);
 	bpf_probe_read_user((void *)&rl, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer);
 
-	/* Parameter 3: cur (type: PT_INT64)*/
+	/* Parameter 2: cur (type: PT_INT64)*/
 	ringbuf__store_s64(&ringbuf, rl.rlim_cur);
 
-	/* Parameter 4: max (type: PT_INT64)*/
+	/* Parameter 3: max (type: PT_INT64)*/
 	ringbuf__store_s64(&ringbuf, rl.rlim_max);
 
+	/* Parameter 4: resource (type: PT_ENUMFLAGS8) */
+	unsigned long resource = extract__syscall_argument(regs, 0);
+	ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -4170,7 +4170,7 @@ int f_sys_getrlimit_x(struct event_filler_arguments *args) {
 	int64_t cur;
 	int64_t max;
 
-	/* Parameter 1: res */
+	/* Parameter 1: res (type: PT_ERRNO) */
 	retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
 	res = val_to_ring(args, retval, 0, false, 0);
 	CHECK_RES(res);
@@ -4208,11 +4208,11 @@ int f_sys_getrlimit_x(struct event_filler_arguments *args) {
 		max = -1;
 	}
 
-	/* Parameter 2: cur */
+	/* Parameter 2: cur (type: PT_INT64) */
 	res = val_to_ring(args, cur, 0, false, 0);
 	CHECK_RES(res);
 
-	/* Parameter 3: max */
+	/* Parameter 3: max (type: PT_INT64)*/
 	res = val_to_ring(args, max, 0, false, 0);
 	CHECK_RES(res);
 
@@ -4233,16 +4233,11 @@ int f_sys_setrlrimit_x(struct event_filler_arguments *args)
 	int64_t cur;
 	int64_t max;
 
-	/* Parameter 1: res */
+	/* Parameter 1: res (type: PT_ERRNO) */
 	retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
 	res = val_to_ring(args, retval, 0, false, 0);
 	CHECK_RES(res);
 
-	/* Parameter 2: resource */
-	syscall_get_arguments_deprecated(args, 0, 1, &val);
-	res = val_to_ring(args, rlimit_resource_to_scap(val), 0, false, 0);
-	CHECK_RES(res);
-
 	/*
 	 * Copy the user structure and extract cur and max
 	 */
@@ -4269,14 +4264,19 @@ int f_sys_setrlrimit_x(struct event_filler_arguments *args)
 		max = -1;
 	}
 
-	/* Parameter 3: cur */
+	/* Parameter 2: (type: PT_INT64) */
 	res = val_to_ring(args, cur, 0, false, 0);
 	CHECK_RES(res);
 
-	/* Parameter 4: max */
+	/* Parameter 3: max (type: PT_INT64) */
 	res = val_to_ring(args, max, 0, false, 0);
 	CHECK_RES(res);
 
+	/* Parameter 4: resource (type: PT_ENUMFLAGS8) */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	res = val_to_ring(args, rlimit_resource_to_scap(val), 0, false, 0);
+	CHECK_RES(res);
+
 	return add_sentinel(args);
 }
 
@@ -4315,9 +4315,7 @@ int f_sys_prlimit_x(struct event_filler_arguments *args)
 	int64_t oldmax;
 	pid_t pid = 0;
 
-	/*
-	 * res
-	 */
+	/* Parameter 1: res (type: PT_ERRNO) */
 	retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
 	res = val_to_ring(args, retval, 0, false, 0);
 	CHECK_RES(res);
@@ -4386,22 +4384,35 @@ int f_sys_prlimit_x(struct event_filler_arguments *args)
 		}
 	}
 #endif
-	/* Parameter 3: newcur (PT_INT64)*/
+	/* Parameter 2: newcur (type: PT_INT64) */
 	res = val_to_ring(args, newcur, 0, false, 0);
 	CHECK_RES(res);
+	CHECK_RES(res);
 
-	/* Parameter 4: newmax (PT_INT64)*/
+	/* Parameter 3: newmax (type: PT_INT64) */
 	res = val_to_ring(args, newmax, 0, false, 0);
 	CHECK_RES(res);
+	CHECK_RES(res);
 
-	/* Parameter 5: oldcur (PT_INT64)*/
+	/* Parameter 4: oldcur (type: PT_INT64) */
 	res = val_to_ring(args, oldcur, 0, false, 0);
 	CHECK_RES(res);
 
-	/* Parameter 6: oldmax (PT_INT64)*/
+	/* Parameter 5: oldmax (type: PT_INT64) */
 	res = val_to_ring(args, oldmax, 0, false, 0);
 	CHECK_RES(res);
 
+	/* Parameter 6: pid (type: PT_INT64) */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	pid = (s32)val;
+	res = val_to_ring(args, (s64)pid, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 7: resource (type: PT_ENUMFLAGS8) */
+	syscall_get_arguments_deprecated(args, 1, 1, &val);
+	res = val_to_ring(args, rlimit_resource_to_scap(val), 0, false, 0);
+	CHECK_RES(res);
+
 	return add_sentinel(args);
 }
 

diff --git a/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp
@@ -46,23 +46,23 @@ TEST(SyscallExit, prlimit64X)
 	/* Parameter 1: res (type: PT_ERRNO) */
 	evt_test->assert_numeric_param(1, (int64_t)0);
 
-	/* Parameter 2: pid (type: PT_INT64) */
-	evt_test->assert_numeric_param(2, (int64_t)pid);
+	/* Parameter 2: newcur (type: PT_INT64) */
+	evt_test->assert_numeric_param(2, (int64_t)file_rlimit.rlim_cur);
 
-	/* Parameter 3: resource (type: PT_ENUMFLAGS8) */
-	evt_test->assert_numeric_param(3, (uint8_t)PPM_RLIMIT_NOFILE);
+	/* Parameter 3: newmax (type: PT_INT64) */
+	evt_test->assert_numeric_param(3, (int64_t)file_rlimit.rlim_max);
 
-	/* Parameter 4: newcur (type: PT_INT64) */
+	/* Parameter 4: oldcur (type: PT_INT64) */
 	evt_test->assert_numeric_param(4, (int64_t)file_rlimit.rlim_cur);
 
-	/* Parameter 5: newmax (type: PT_INT64) */
+	/* Parameter 5: oldmax (type: PT_INT64) */
 	evt_test->assert_numeric_param(5, (int64_t)file_rlimit.rlim_max);
 
-	/* Parameter 6: oldcur (type: PT_INT64) */
-	evt_test->assert_numeric_param(6, (int64_t)file_rlimit.rlim_cur);
+	/* Parameter 6: pid (type: PT_INT64) */
+	evt_test->assert_numeric_param(6, (int64_t)pid);
 
-	/* Parameter 7: oldmax (type: PT_INT64) */
-	evt_test->assert_numeric_param(7, (int64_t)file_rlimit.rlim_max);
+	/* Parameter 7: resource (type: PT_ENUMFLAGS8) */
+	evt_test->assert_numeric_param(7, (uint8_t)PPM_RLIMIT_NOFILE);
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 

diff --git a/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp b/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp
@@ -39,13 +39,14 @@ TEST(SyscallExit, setrlimitX)
 	/* Parameter 1: res (type: PT_ERRNO) */
 	evt_test->assert_numeric_param(1, (int64_t)errno_value);
 
-	evt_test->assert_numeric_param(2, (uint8_t)resource);
-
 	/* Parameter 2: cur (type: PT_INT64) */
-	evt_test->assert_numeric_param(3, (int64_t)rlim.rlim_cur);
+	evt_test->assert_numeric_param(2, (int64_t)rlim.rlim_cur);
 
 	/* Parameter 3: max (type: PT_INT64) */
-	evt_test->assert_numeric_param(4, (int64_t)rlim.rlim_max);
+	evt_test->assert_numeric_param(3, (int64_t)rlim.rlim_max);
+
+	/* Parameter 4: resource (type: PT_ENUMFLAGS8) */
+	evt_test->assert_numeric_param(4, (uint8_t)resource);
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/