feat: add PPME_SYSCALL_PPOLL_E params to PPME_SYSCALL_PPOLL_X

ekoops · ekoops · commit 00662e0e3436 · 2025-06-20T15:27:58.000+02:00
Add `PPME_SYSCALL_PPOLL_E` parameters to `PPME_SYSCALL_PPOLL_X` event
definition and aligns all 3 kernel drivers to it.

Add new rules to scap file converter table to convert events in old
scap files to the new layout.

Add/update ppoll-related drivers, scap converter and sinsp parser
tests to account the new layout.

Signed-off-by: Leonardo Di Giovanna &lt;leonardodigiovanna1@gmail.com&gt;
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-3.40.0
+3.41.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -5419,15 +5419,12 @@ FILLER(sys_mount_e, true) {
 }
 
 FILLER(sys_ppoll_e, true) {
-	unsigned long val;
-	int res;
-
 	/* Parameter 1: fds (type: PT_FDLIST) */
-	res = bpf_poll_parse_fds(data, true);
+	int res = bpf_poll_parse_fds(data, true);
 	CHECK_RES(res);
 
 	/* Parameter 2: timeout (type: PT_RELTIME) */
-	val = bpf_syscall_get_argument(data, 2);
+	unsigned long val = bpf_syscall_get_argument(data, 2);
 	res = timespec_parse(data, val);
 	CHECK_RES(res);
 
@@ -5439,13 +5436,25 @@ FILLER(sys_ppoll_e, true) {
 }
 
 FILLER(sys_ppoll_x, true) {
-	/* Parameter 1: ret (type: PT_FD) */
+	/* Parameter 1: res (type: PT_ERRNO) */
 	long retval = bpf_syscall_get_retval(data->ctx);
 	int res = bpf_push_s64_to_ring(data, (int64_t)retval);
 	CHECK_RES(res);
 
 	/* Parameter 2: fds (type: PT_FDLIST) */
-	return bpf_poll_parse_fds(data, false);
+	res = bpf_poll_parse_fds(data, false);
+	CHECK_RES(res);
+
+	/* Parameter 3: timeout (type: PT_RELTIME) */
+	unsigned long val = bpf_syscall_get_argument(data, 2);
+	res = timespec_parse(data, val);
+	CHECK_RES(res);
+
+	/* Parameter 4: sigmask (type: PT_SIGSET) */
+	long unsigned int sigmask[1] = {0};
+	unsigned long sigmask_pointer = bpf_syscall_get_argument(data, 3);
+	bpf_probe_read_user(&sigmask, sizeof(sigmask), (void *)sigmask_pointer);
+	return bpf_push_u32_to_ring(data, sigmask[0]);
 }
 
 FILLER(sys_semop_x, true) {
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -1625,16 +1625,19 @@ const struct ppm_event_info g_event_info[] = {
                                     {"val", PT_INT32, PF_DEC}}},
         [PPME_SYSCALL_PPOLL_E] = {"ppoll",
                                   EC_WAIT | EC_SYSCALL,
-                                  EF_WAITS,
+                                  EF_WAITS | EF_TMP_CONVERTER_MANAGED,
                                   3,
                                   {{"fds", PT_FDLIST, PF_DEC},
                                    {"timeout", PT_RELTIME, PF_DEC},
                                    {"sigmask", PT_SIGSET, PF_DEC}}},
         [PPME_SYSCALL_PPOLL_X] = {"ppoll",
                                   EC_WAIT | EC_SYSCALL,
-                                  EF_WAITS,
-                                  2,
-                                  {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC}}},
+                                  EF_WAITS | EF_TMP_CONVERTER_MANAGED,
+                                  4,
+                                  {{"res", PT_ERRNO, PF_DEC},
+                                   {"fds", PT_FDLIST, PF_DEC},
+                                   {"timeout", PT_RELTIME, PF_DEC},
+                                   {"sigmask", PT_SIGSET, PF_DEC}}},
         [PPME_SYSCALL_MOUNT_E] = {"mount",
                                   EC_FILE | EC_SYSCALL,
                                   EF_MODIFIES_STATE,
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ppoll.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ppoll.bpf.c
@@ -87,7 +87,7 @@ int BPF_PROG(ppoll_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: ret (type: PT_FD) */
+	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
 	/* Get the `fds_pointer` and the number of `fds` from the syscall arguments */
@@ -97,6 +97,38 @@ int BPF_PROG(ppoll_x, struct pt_regs *regs, long ret) {
 	/* Parameter 2: fds (type: PT_FDLIST) */
 	auxmap__store_fdlist_param(auxmap, fds_pointer, nfds, RETURNED_EVENTS);
 
+	/* Parameter 3: timeout (type: PT_RELTIME) */
+	uint64_t nanosec = 0;
+	unsigned long ts_pointer = extract__syscall_argument(regs, 2);
+	if(!bpf_in_ia32_syscall()) {
+		if(bpf_core_type_exists(struct __kernel_timespec)) {
+			struct __kernel_timespec ts = {0};
+			bpf_probe_read_user(&ts,
+			                    bpf_core_type_size(struct __kernel_timespec),
+			                    (void *)ts_pointer);
+			nanosec = ((uint64_t)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
+		} else {
+			struct modern_bpf__kernel_timespec ts = {0};
+			bpf_probe_read_user(&ts, sizeof(ts), (void *)ts_pointer);
+			nanosec = ((uint64_t)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
+		}
+	} else {
+		struct modern_bpf__kernel_timespec_ia32 ts = {0};
+		bpf_probe_read_user(&ts, sizeof(ts), (void *)ts_pointer);
+		nanosec = ((uint32_t)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
+	}
+	auxmap__store_u64_param(auxmap, nanosec);
+
+	/* Parameter 4: sigmask (type: PT_SIGSET) */
+	long unsigned int sigmask[1] = {0};
+	unsigned long sigmask_pointer = extract__syscall_argument(regs, 3);
+	if(bpf_probe_read_user(&sigmask, sizeof(sigmask), (void *)sigmask_pointer)) {
+		/* In case of invalid pointer, return 0 */
+		auxmap__store_u32_param(auxmap, (uint32_t)0);
+	} else {
+		auxmap__store_u32_param(auxmap, (uint32_t)sigmask[0]);
+	}
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -4162,8 +4162,8 @@ static int timespec_parse(struct event_filler_arguments *args, unsigned long val
 }
 
 int f_sys_ppoll_e(struct event_filler_arguments *args) {
-	unsigned long val = 0;
-	int res = 0;
+	int res;
+	unsigned long val;
 
 	/* Parameter 1: fds (type: PT_FDLIST) */
 	res = poll_parse_fds(args, true);
@@ -4188,16 +4188,30 @@ int f_sys_ppoll_e(struct event_filler_arguments *args) {
 int f_sys_ppoll_x(struct event_filler_arguments *args) {
 	int64_t retval;
 	int res;
+	unsigned long val;
 
-	/* Parameter 1: ret (type: PT_FD) */
-	retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
+	/* Parameter 1: res (type: PT_ERRNO) */
+	retval = (int64_t)syscall_get_return_value(current, args->regs);
 	res = val_to_ring(args, retval, 0, false, 0);
 	CHECK_RES(res);
 
 	/* Parameter 2: fds (type: PT_FDLIST) */
 	res = poll_parse_fds(args, false);
 	CHECK_RES(res);
 
+	/* Parameter 3: timeout (type: PT_RELTIME) */
+	syscall_get_arguments_deprecated(args, 2, 1, &val);
+	res = timespec_parse(args, val);
+	CHECK_RES(res);
+
+	/* Parameter 4: sigmask (type: PT_SIGSET) */
+	syscall_get_arguments_deprecated(args, 3, 1, &val);
+	if(val == (unsigned long)NULL || ppm_copy_from_user(&val, (void __user *)val, sizeof(val))) {
+		val = 0;
+	}
+	res = val_to_ring(args, (uint32_t)val, 0, false, 0);
+	CHECK_RES(res);
+
 	return add_sentinel(args);
 }
 
diff --git a/test/drivers/test_suites/syscall_exit_suite/ppoll_x.cpp b/test/drivers/test_suites/syscall_exit_suite/ppoll_x.cpp
@@ -46,8 +46,16 @@ TEST(SyscallExit, ppollX) {
 	/* The pointer is NULL so we should have no `fd` collected */
 	evt_test->assert_fd_list(2, NULL, (uint16_t)0);
 
+	/* Parameter 2: timeout (type: PT_RELTIME) */
+	/* The pointer is NULL so we should have `0` */
+	evt_test->assert_numeric_param(3, (uint64_t)0);
+
+	/* Parameter 3: sigmask (type: PT_SIGSET) */
+	/* The pointer is NULL so we should have `0` */
+	evt_test->assert_numeric_param(4, (uint32_t)0);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(2);
+	evt_test->assert_num_params_pushed(4);
 }
 #endif
diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -2870,6 +2870,96 @@ TEST_F(convert_event_test, PPME_SYSCALL_SEMCTL_X_1_to_5_params_with_enter) {
 	                                                        val));
 }
 
+////////////////////////////
+// PPOLL
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SYSCALL_PPOLL_E_store) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr uint8_t fds[] = {0x1, 0x0, 0x16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0};
+	constexpr uint64_t timeout = 30;
+	constexpr uint32_t sigmask = 31;
+
+	const auto evt = create_safe_scap_event(ts,
+	                                        tid,
+	                                        PPME_SYSCALL_PPOLL_E,
+	                                        3,
+	                                        scap_const_sized_buffer{fds, sizeof(fds)},
+	                                        timeout,
+	                                        sigmask);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_PPOLL_X_2_to_4_params_no_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+	constexpr uint8_t fds[] = {0x1, 0x0, 0x16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0};
+
+	// Defaulted to 0
+	constexpr uint64_t timeout = 0;
+	constexpr uint32_t sigmask = 0;
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts,
+	                               tid,
+	                               PPME_SYSCALL_PPOLL_X,
+	                               2,
+	                               res,
+	                               scap_const_sized_buffer{fds, sizeof(fds)}),
+	        create_safe_scap_event(ts,
+	                               tid,
+	                               PPME_SYSCALL_PPOLL_X,
+	                               4,
+	                               res,
+	                               scap_const_sized_buffer{fds, sizeof(fds)},
+	                               timeout,
+	                               sigmask));
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_PPOLL_X_2_to_4_params_with_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr uint8_t fds[] = {0x1, 0x0, 0x16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0};
+	constexpr uint64_t timeout = 30;
+	constexpr uint32_t sigmask = 31;
+	constexpr int64_t res = 89;
+
+	// After the first conversion we should have the storage
+	const auto evt = create_safe_scap_event(ts,
+	                                        tid,
+	                                        PPME_SYSCALL_PPOLL_E,
+	                                        3,
+	                                        scap_const_sized_buffer{fds, sizeof(fds)},
+	                                        timeout,
+	                                        sigmask);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts,
+	                               tid,
+	                               PPME_SYSCALL_PPOLL_X,
+	                               2,
+	                               res,
+	                               scap_const_sized_buffer{fds, sizeof(fds)}),
+	        create_safe_scap_event(ts,
+	                               tid,
+	                               PPME_SYSCALL_PPOLL_X,
+	                               4,
+	                               res,
+	                               scap_const_sized_buffer{fds, sizeof(fds)},
+	                               timeout,
+	                               sigmask));
+}
+
 ////////////////////////////
 // SEMGET
 ////////////////////////////
diff --git a/test/libsinsp_e2e/sys_call_test.cpp b/test/libsinsp_e2e/sys_call_test.cpp
@@ -1385,7 +1385,8 @@ TEST_F(sys_call_test, ppoll_timeout) {
 			string fds = e->get_param_value_str("fds");
 
 			EXPECT_TRUE(fds == "3:p0 4:p4" || fds == "4:p0 5:p4");
-
+			EXPECT_EQ("1000000", e->get_param_value_str("timeout", false));
+			EXPECT_EQ("SIGHUP SIGCHLD", e->get_param_value_str("sigmask", false));
 			callnum++;
 		}
 	};
@@ -2087,6 +2088,8 @@ TEST_F(sys_call_test32, ppoll_timeout) {
 				FAIL();
 			}
 
+			EXPECT_EQ("1000000", e->get_param_value_str("timeout", false));
+			EXPECT_EQ("SIGHUP SIGCHLD", e->get_param_value_str("sigmask", false));
 			callnum++;
 		}
 	};
diff --git a/userspace/libscap/engine/savefile/converter/converter.cpp b/userspace/libscap/engine/savefile/converter/converter.cpp
@@ -142,6 +142,7 @@ static inline uint8_t get_size_bytes_from_type(enum ppm_param_type t) {
 	case PT_UID:
 	case PT_GID:
 	case PT_MODE:
+	case PT_SIGSET:
 		return 4;
 
 	case PT_INT64:
diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp
@@ -293,6 +293,12 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = {
                           {C_INSTR_FROM_ENTER, 1},
                           {C_INSTR_FROM_ENTER, 2},
                           {C_INSTR_FROM_ENTER, 3}})},
+        /*====================== PPOLL ======================*/
+        {conversion_key{PPME_SYSCALL_PPOLL_E, 3}, conversion_info().action(C_ACTION_STORE)},
+        {conversion_key{PPME_SYSCALL_PPOLL_X, 2},
+         conversion_info()
+                 .action(C_ACTION_ADD_PARAMS)
+                 .instrs({{C_INSTR_FROM_ENTER, 1}, {C_INSTR_FROM_ENTER, 2}})},
         /*====================== SEMGET ======================*/
         {conversion_key{PPME_SYSCALL_SEMGET_E, 3}, conversion_info().action(C_ACTION_STORE)},
         {conversion_key{PPME_SYSCALL_SEMGET_X, 1},
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -102,7 +102,7 @@ struct scap_vtable;
 // and handle the result
 //
 #define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION(8, 0, 0)
-#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 40, 0)
+#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 41, 0)
 
 //
 // This is the dimension we used before introducing the variable buffer size.
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -159,7 +159,7 @@ void sinsp_parser::process_event(sinsp_evt &evt, sinsp_parser_verdict &verdict)
 		break;
 	case PPME_SYSCALL_SELECT_E:
 	case PPME_SYSCALL_POLL_X:
-	case PPME_SYSCALL_PPOLL_E:
+	case PPME_SYSCALL_PPOLL_X:
 	case PPME_SYSCALL_EPOLLWAIT_X:
 		parse_select_poll_ppoll_epollwait(evt);
 		break;
@@ -4211,6 +4211,7 @@ void sinsp_parser::parse_select_poll_ppoll_epollwait(sinsp_evt &evt) {
 	}
 	*(uint64_t *)evt.get_tinfo()->get_last_event_data() = evt.get_ts();
 }
+
 void sinsp_parser::parse_fcntl_enter(sinsp_evt &evt) {
 	if(evt.get_tinfo() == nullptr) {
 		return;
diff --git a/userspace/libsinsp/test/parsers/parse_ppoll.cpp b/userspace/libsinsp/test/parsers/parse_ppoll.cpp
@@ -0,0 +1,47 @@
+
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2025 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sinsp_with_test_input.h>
+#include <vector>
+
+TEST_F(sinsp_with_test_input, PPOLL_parse) {
+	add_default_init_thread();
+	open_inspector();
+
+	constexpr int64_t return_value = 55;
+	const std::vector<uint8_t> fds{0x1, 0x0, 0x16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0};
+	constexpr uint64_t timeout = 1000;
+	constexpr uint32_t sigmask = 500;
+	const auto evt = add_event_advance_ts(increasing_ts(),
+	                                      INIT_TID,
+	                                      PPME_SYSCALL_PPOLL_X,
+	                                      4,
+	                                      return_value,
+	                                      scap_const_sized_buffer{fds.data(), fds.size()},
+	                                      timeout,
+	                                      sigmask);
+
+	// Check that the returned value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("res")->as<int64_t>(), return_value);
+
+	// Check that the fds value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("fds")->as<std::vector<uint8_t>>(), fds);
+
+	// Check that the timeout value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("timeout")->as<uint64_t>(), timeout);
+
+	// Check that the sigmask value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("sigmask")->as<uint32_t>(), sigmask);
+}
diff --git a/userspace/libsinsp/test/scap_files/converter_tests.cpp b/userspace/libsinsp/test/scap_files/converter_tests.cpp

Original file line number	Diff line number	Diff line change
`@@ -1385,7 +1385,8 @@ TEST_F(sys_call_test, ppoll_timeout) {`
`1385`	`1385`	`string fds = e->get_param_value_str("fds");`
`1386`	`1386`
`1387`	`1387`	`EXPECT_TRUE(fds == "3:p0 4:p4" \|\| fds == "4:p0 5:p4");`
`1388`		`-`
	`1388`	`+ EXPECT_EQ("1000000", e->get_param_value_str("timeout", false));`
	`1389`	`+ EXPECT_EQ("SIGHUP SIGCHLD", e->get_param_value_str("sigmask", false));`
`1389`	`1390`	`callnum++;`
`1390`	`1391`	`}`
`1391`	`1392`	`};`
`@@ -2087,6 +2088,8 @@ TEST_F(sys_call_test32, ppoll_timeout) {`
`2087`	`2088`	`FAIL();`
`2088`	`2089`	`}`
`2089`	`2090`
	`2091`	`+ EXPECT_EQ("1000000", e->get_param_value_str("timeout", false));`
	`2092`	`+ EXPECT_EQ("SIGHUP SIGCHLD", e->get_param_value_str("sigmask", false));`
`2090`	`2093`	`callnum++;`
`2091`	`2094`	`}`
`2092`	`2095`	`};`