update(drivers): add cmd to exit events #1419

Merged
merged 2 commits into from
Nov 24, 2023
2 changes: 1 addition & 1 deletion driver/SCHEMA_VERSION
@@ -1 +1 @@
2.13.0
2.14.0
10 changes: 6 additions & 4 deletions driver/bpf/fillers.h
Expand Up @@ -5778,11 +5778,13 @@ FILLER(sys_bpf_e, true)

FILLER(sys_bpf_x, true)
{
/*
* fd
*/
/* Parameter 1: fd (type: PT_DEC) */
long fd = bpf_syscall_get_retval(data->ctx);
return bpf_push_s64_to_ring(data, fd);
bpf_push_s64_to_ring(data, fd);

/* Parameter 2: cmd (type: PT_INT64) */
int32_t cmd = (int32_t)bpf_syscall_get_argument(data, 0);
return bpf_push_s64_to_ring(data,(int64_t)cmd);
}

FILLER(sys_unlinkat_x, true)
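Review bot: The return value of `bpf_push_s64_to_ring(data, fd);` on the new Parameter 1 line is discarded, so a failed push of the fd (which the filler previously returned directly) is masked and the filler goes on to push cmd, reporting only the second push's status. Mirroring the pattern the kernel-module f_sys_bpf_x in ppm_fillers.c uses would be `int res = bpf_push_s64_to_ring(data, fd);` followed by `CHECK_RES(res);`, assuming that macro is in scope in fillers.h. The Parameter 1 comment also names `PT_DEC`, which is not the type event_table.c declares for this parameter (the table uses PT_FD, as does the modern_bpf filler's comment), so `/* Parameter 1: fd (type: PT_FD) */` is the accurate wording; the same comment appears in f_sys_bpf_x in ppm_fillers.c.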
4 changes: 2 additions & 2 deletions driver/event_table.c
Expand Up @@ -347,7 +347,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SYSCALL_SETPGID_E] = {"setpgid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"pid", PT_PID, PF_DEC}, {"pgid", PT_PID, PF_DEC} } },
[PPME_SYSCALL_SETPGID_X] = {"setpgid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_PID, PF_DEC} } },
[PPME_SYSCALL_BPF_E] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_OLD_VERSION, 1, {{"cmd", PT_INT64, PF_DEC} } },
[PPME_SYSCALL_BPF_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_OLD_VERSION, 1, {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX} } },
[PPME_SYSCALL_BPF_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_OLD_VERSION, 1, {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX}} },
[PPME_SYSCALL_SECCOMP_E] = {"seccomp", EC_OTHER | EC_SYSCALL, EF_NONE, 2, {{"op", PT_UINT64, PF_DEC}, {"flags", PT_UINT64, PF_HEX} } },
[PPME_SYSCALL_SECCOMP_X] = {"seccomp", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
[PPME_SYSCALL_UNLINK_2_E] = {"unlink", EC_FILE | EC_SYSCALL, EF_NONE, 0},
Expand Down Expand Up @@ -419,7 +419,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SYSCALL_DUP_1_E] = {"dup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
[PPME_SYSCALL_DUP_1_X] = {"dup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC} } },
[PPME_SYSCALL_BPF_2_E] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, {{"cmd", PT_INT64, PF_DEC} } },
[PPME_SYSCALL_BPF_2_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, { {"fd", PT_FD, PF_DEC} } },
[PPME_SYSCALL_BPF_2_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 2, { {"fd", PT_FD, PF_DEC}, {"cmd",PT_INT64, PF_DEC} } },
[PPME_SYSCALL_MLOCK2_E] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
[PPME_SYSCALL_MLOCK2_X] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX, mlock2_flags}}},
[PPME_SYSCALL_FSCONFIG_E] = {"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_NONE, 0},
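Review bot: The new `{"cmd",PT_INT64, PF_DEC}` entry in the PPME_SYSCALL_BPF_2_X row omits the space after the comma that every neighbouring entry has; `{"cmd", PT_INT64, PF_DEC}` keeps the row consistent with the rest of the table. The earlier hunk at the PPME_SYSCALL_BPF_X row only changes brace spacing in the legacy (EF_OLD_VERSION) entry and is unrelated to the cmd parameter; keeping such reformatting out of a schema-changing commit makes the table history easier to audit. The parameter-count change from 1 to 2 in this row matches the second value the fillers now push and the SCHEMA_VERSION bump in the same PR.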
2 changes: 1 addition & 1 deletion driver/modern_bpf/definitions/events_dimensions.h
Expand Up @@ -105,7 +105,7 @@
#define PIPE_E_SIZE HEADER_LEN
#define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
Expand Up @@ -58,6 +58,11 @@ int BPF_PROG(bpf_x,
/* Parameter 1: fd (type: PT_FD) */
ringbuf__store_s64(&ringbuf, ret);

/* Parameter 2: cmd (type: PT_INT64) */
int32_t cmd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)cmd);


/*=============================== COLLECT PARAMETERS ===========================*/

ringbuf__submit_event(&ringbuf);
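Review bot: The added blank line after `ringbuf__store_s64(&ringbuf, (int64_t)cmd);` produces two consecutive blank lines before the COLLECT PARAMETERS banner, where the surrounding code separates sections with one; drop one of them. The `(int32_t)` cast on `extract__syscall_argument(regs, 0)` appears to deliberately truncate the raw register to the `int cmd` width of bpf(2) before sign-extending it into the s64 slot, which is worth stating, e.g. `/* bpf(2) takes cmd as int: truncate to 32 bits, then sign-extend into the s64 slot */`. The enclosing BPF_PROG(bpf_x) starts before this hunk, so where `regs` is obtained is not visible here.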
15 changes: 10 additions & 5 deletions driver/ppm_fillers.c
Expand Up @@ -6721,16 +6721,21 @@ int f_sys_bpf_e(struct event_filler_arguments *args)

int f_sys_bpf_x(struct event_filler_arguments *args)
{
int res;
int64_t fd;
int res = 0;
int64_t fd = 0;
unsigned long val = 0;
int32_t cmd = 0;

/*
* fd
*/
/* Parameter 1: fd (type: PT_DEC) */
fd = (int64_t)syscall_get_return_value(current, args->regs);
res = val_to_ring(args, fd, 0, false, 0);
CHECK_RES(res);

/* Parameter 2: cmd (type: PT_INT64) */
syscall_get_arguments_deprecated(args, 0, 1, &val);
cmd = (int32_t)val;
res = val_to_ring(args, (int64_t)cmd, 0, false, 0);
CHECK_RES(res);
return add_sentinel(args);
}

88 changes: 85 additions & 3 deletions test/drivers/test_suites/syscall_exit_suite/bpf_x.cpp
Expand Up @@ -4,8 +4,9 @@

#include <linux/sched.h>
#include <linux/bpf.h>
#include <sys/mman.h>

TEST(SyscallExit, bpfX)
TEST(SyscallExit, bpfX_invalid_cmd)
{
auto evt_test = get_syscall_event_test(__NR_bpf, EXIT_EVENT);

Expand Down Expand Up @@ -72,8 +73,89 @@ TEST(SyscallExit, bpfX)
/* Parameter 1: fd (type: PT_FD) */
evt_test->assert_numeric_param(1, (int64_t)errno_value);

/* Parameter 2: cmd (type: PT_FD) */
evt_test->assert_numeric_param(2, (int64_t)cmd);

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(2);
}


TEST(SyscallExit, bpfX_MAP_CREATE)
{
auto evt_test = get_syscall_event_test(__NR_bpf, EXIT_EVENT);

evt_test->enable_capture();

/*=============================== TRIGGER SYSCALL ===========================*/

int32_t cmd = BPF_MAP_CREATE;
union bpf_attr attr = {
.map_type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(int),
.value_size = sizeof(int),
.max_entries = 1024
};
//
int *ret = (int*) mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
/* Here we need to call the `bpf` from a child because the main process throws lots of
* `bpf` syscalls to manage the bpf drivers.
*/
struct clone_args cl_args = {0};
cl_args.exit_signal = SIGCHLD;
pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args));

if(ret_pid == 0)
{
/* When BPF_MAP_CREATE is used, the new file descriptor associated with the eBPF map is returned.*/

*ret = syscall(__NR_bpf, cmd, &attr, sizeof(attr));
/* In this way in the father we know if the call was successful or not. */
if(*ret != -1)
{
exit(EXIT_SUCCESS);
}
else
{
exit(EXIT_FAILURE);
}
}

assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1);
/* Catch the child before doing anything else. */
int status = 0;
int options = 0;
assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1);
int fd = *ret;
if (munmap(ret, sizeof(ret) != -1)){
//munmap returns -1 when failed
FAIL() << "Shared memory failed to clear..."<<std::endl;
};

/*=============================== TRIGGER SYSCALL ===========================*/

evt_test->disable_capture();

evt_test->assert_event_presence(ret_pid);

if(HasFatalFailure())
{
return;
}

evt_test->parse_event();

evt_test->assert_header();

/*=============================== ASSERT PARAMETERS ===========================*/

/* Parameter 1: fd (type: PT_FD) */
evt_test->assert_numeric_param(1, (int64_t)fd);
evt_test->assert_numeric_param(2, (int64_t)cmd);

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(1);
evt_test->assert_num_params_pushed(2);
}
#endif
#endif
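Review bot: In bpfX_MAP_CREATE the `mmap` result `ret` is dereferenced by both child and parent without a MAP_FAILED check, and the cleanup is written as `munmap(ret, sizeof(ret) != -1)`, which passes the truth value of `sizeof(ret) != -1` (always 1) as the length and tests the return only by truthiness, so it unmaps the right page by accident and leaves a stray `};`. The child's exit status collected by wait4 is never examined, so a failing `bpf(BPF_MAP_CREATE)` in the child surfaces later as an opaque parameter mismatch rather than a clear failure (WIFEXITED/WEXITSTATUS need `<sys/wait.h>` if the suite header does not already provide it). The comment on the first test's second assertion reads `/* Parameter 2: cmd (type: PT_FD) */` but the parameter is PT_INT64 in event_table.c, and the bare `//` line above the mmap call is leftover. A rewrite of the mmap/wait/munmap stretch follows.
```cpp
	int *ret = (int*) mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if(ret == MAP_FAILED)
	{
		FAIL() << "mmap of the shared result slot failed" << std::endl;
	}
	// … unchanged: clone3 and the child's bpf() call …
	assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1);
	int fd = *ret;
	if(munmap(ret, sizeof(int)) == -1)
	{
		FAIL() << "Shared memory failed to clear..." << std::endl;
	}
	if(!WIFEXITED(status) || WEXITSTATUS(status) != EXIT_SUCCESS)
	{
		FAIL() << "bpf(BPF_MAP_CREATE) failed in the child" << std::endl;
	}
```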