feat: extend PPME_SYSCALL_INOTIFY_INIT_X with enter parameters

ekoops · poiana · commit 269bf4fb1b57 · 2025-06-27T13:26:59.000+02:00
Add `PPME_SYSCALL_INOTIFY_INIT_E` parameters to
`PPME_SYSCALL_INOTIFY_INIT_X` event definition and align all 3 kernel
drivers to it.

Add new rules to scap file converter table to convert events in old
scap files to the new layout.

Add/update inotify_init-related drivers, scap converter and sinsp
parser tests to account the new layout.

Signed-off-by: Leonardo Di Giovanna &lt;leonardodigiovanna1@gmail.com&gt;
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-3.57.0
+3.58.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -4011,6 +4011,17 @@ FILLER(sys_inotify_init_e, true) {
 	return bpf_push_u8_to_ring(data, 0);
 }
 
+FILLER(sys_inotify_init_x, true) {
+	/* Parameter 1: res (type: PT_FD) */
+	int64_t retval = (int64_t)(int32_t)bpf_syscall_get_retval(data->ctx);
+	int res = bpf_push_s64_to_ring(data, retval);
+	CHECK_RES(res);
+
+	/* Parameter 2: flags (type: PT_UINT8) */
+	/* Send `0` to unify handling with inotify_init1. */
+	return bpf_push_u8_to_ring(data, 0);
+}
+
 FILLER(sys_inotify_init1_x, true) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	long retval = bpf_syscall_get_retval(data->ctx);
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -816,14 +816,16 @@ const struct ppm_event_info g_event_info[] = {
                                             {"flags", PT_UINT8, PF_HEX}}},
         [PPME_SYSCALL_INOTIFY_INIT_E] = {"inotify_init",
                                          EC_IPC | EC_SYSCALL,
-                                         EF_CREATES_FD | EF_MODIFIES_STATE,
+                                         EF_CREATES_FD | EF_MODIFIES_STATE |
+                                                 EF_TMP_CONVERTER_MANAGED,
                                          1,
                                          {{"flags", PT_UINT8, PF_HEX}}},
         [PPME_SYSCALL_INOTIFY_INIT_X] = {"inotify_init",
                                          EC_IPC | EC_SYSCALL,
-                                         EF_CREATES_FD | EF_MODIFIES_STATE,
-                                         1,
-                                         {{"res", PT_FD, PF_DEC}}},
+                                         EF_CREATES_FD | EF_MODIFIES_STATE |
+                                                 EF_TMP_CONVERTER_MANAGED,
+                                         2,
+                                         {{"res", PT_FD, PF_DEC}, {"flags", PT_UINT8, PF_HEX}}},
         [PPME_SYSCALL_GETRLIMIT_E] = {"getrlimit",
                                       EC_PROCESS | EC_SYSCALL,
                                       EF_TMP_CONVERTER_MANAGED,
diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -146,7 +146,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
                                            {{AF_ID_USEDEFAULT, 0}, {AF_ID_USEDEFAULT, 0}}},
         [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_timerfd_create_x)},
         [PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_inotify_init_e)},
-        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_single_x)},
+        [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_inotify_init_x)},
         [PPME_SYSCALL_GETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
         [PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_x)},
         [PPME_SYSCALL_SETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -93,7 +93,7 @@
 #define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
 #define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 3
 #define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
 #define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
 #define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
 #define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c
@@ -53,6 +53,11 @@ int BPF_PROG(inotify_init_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: flags (type: PT_UINT8) */
+	/* Send `0` to unify handling with inotify_init1. */
+	uint8_t flags = 0;
+	ringbuf__store_u8(&ringbuf, flags);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -6557,6 +6557,23 @@ int f_sys_inotify_init_e(struct event_filler_arguments *args) {
 	return add_sentinel(args);
 }
 
+int f_sys_inotify_init_x(struct event_filler_arguments *args) {
+	int64_t retval;
+	int res;
+
+	/* Parameter 1: res (type: PT_FD) */
+	retval = (int64_t)(int32_t)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: flags (type: PT_UINT8) */
+	/* Send `0` to unify handling with inotify_init1. */
+	res = val_to_ring(args, 0, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 int f_sys_inotify_init1_x(struct event_filler_arguments *args) {
 	int res = 0;
 	unsigned long val = 0;
diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
@@ -210,6 +210,7 @@ or GPL2.txt for full copies of the license.
 	FN(sys_pipe2_x)                      \
 	FN(sys_timerfd_create_x)             \
 	FN(sys_inotify_init_e)               \
+	FN(sys_inotify_init_x)               \
 	FN(sys_inotify_init1_x)              \
 	FN(sys_eventfd2_e)                   \
 	FN(sys_eventfd2_x)                   \
diff --git a/test/drivers/test_suites/syscall_exit_suite/inotify_init_x.cpp b/test/drivers/test_suites/syscall_exit_suite/inotify_init_x.cpp
@@ -31,8 +31,12 @@ TEST(SyscallExit, inotify_initX) {
 	/* Parameter 1: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(1, (int64_t)fd);
 
+	/* Parameter 2: flags (type: PT_FLAGS8) */
+	/* All drivers always send 0. */
+	evt_test->assert_numeric_param(2, (uint8_t)0);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(1);
+	evt_test->assert_num_params_pushed(2);
 }
 #endif
diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -558,6 +558,54 @@ TEST_F(convert_event_test, PPME_SYSCALL_TIMERFD_CREATE_X_1_to_3_params_with_ente
 	                               flags));
 }
 
+////////////////////////////
+// INOTIFY_INIT
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SYSCALL_INOTIFY_INIT_E_store) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr uint8_t flags = 20;
+
+	const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_INOTIFY_INIT_E, 2, flags);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_INOTIFY_INIT_X_1_to_2_params_no_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+
+	// Defaulted to 0
+	constexpr uint8_t flags = 0;
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_INOTIFY_INIT_X, 1, res),
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_INOTIFY_INIT_X, 2, res, flags));
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_INOTIFY_INIT_X_1_to_2_params_with_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr uint8_t flags = 20;
+	constexpr int64_t res = 89;
+
+	// After the first conversion we should have the storage
+	const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_INOTIFY_INIT_E, 2, flags);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_INOTIFY_INIT_X, 1, res),
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_INOTIFY_INIT_X, 2, res, flags));
+}
+
 ////////////////////////////
 // GETRLIMIT
 ////////////////////////////
diff --git a/test/libsinsp_e2e/process.cpp b/test/libsinsp_e2e/process.cpp
@@ -362,7 +362,11 @@ TEST_F(sys_call_test, process_inotify) {
 			callnum++;
 		} else if(type == PPME_SYSCALL_INOTIFY_INIT1_E) {
 			callnum++;
-		} else if(type == PPME_SYSCALL_INOTIFY_INIT_X || type == PPME_SYSCALL_INOTIFY_INIT1_X) {
+		} else if(type == PPME_SYSCALL_INOTIFY_INIT_X) {
+			EXPECT_EQ(fd, std::stoi(e->get_param_value_str("res", false)));
+			EXPECT_EQ(0, std::stoi(e->get_param_value_str("flags")));
+			callnum++;
+		} else if(type == PPME_SYSCALL_INOTIFY_INIT1_X) {
 			EXPECT_EQ(fd, std::stoi(e->get_param_value_str("res", false)));
 			callnum++;
 		} else if(name.find("read") != std::string::npos && e->get_direction() == SCAP_ED_IN) {
diff --git a/userspace/libscap/engine/gvisor/fillers.cpp b/userspace/libscap/engine/gvisor/fillers.cpp
@@ -1394,13 +1394,15 @@ int32_t fill_event_inotify_init_e(scap_sized_buffer scap_buf,
 int32_t fill_event_inotify_init_x(scap_sized_buffer scap_buf,
                                   size_t* event_size,
                                   char* scap_err,
-                                  int64_t res) {
+                                  int64_t res,
+                                  uint8_t flags) {
 	return scap_event_encode_params(scap_buf,
 	                                event_size,
 	                                scap_err,
 	                                PPME_SYSCALL_INOTIFY_INIT_X,
-	                                1,
-	                                res);
+	                                2,
+	                                res,
+	                                flags);
 }
 
 // PPME_SYSCALL_SOCKETPAIR_E
diff --git a/userspace/libscap/engine/gvisor/fillers.h b/userspace/libscap/engine/gvisor/fillers.h
@@ -501,7 +501,8 @@ int32_t fill_event_inotify_init_e(scap_sized_buffer scap_buf,
 int32_t fill_event_inotify_init_x(scap_sized_buffer scap_buf,
                                   size_t* event_size,
                                   char* scap_err,
-                                  int64_t res);
+                                  int64_t res,
+                                  uint8_t flags);
 
 int32_t fill_event_socketpair_e(scap_sized_buffer scap_buf,
                                 size_t* event_size,
diff --git a/userspace/libscap/engine/gvisor/parsers.cpp b/userspace/libscap/engine/gvisor/parsers.cpp
@@ -1896,7 +1896,8 @@ static parse_result parse_inotify_init(uint32_t id,
 		ret.status = scap_gvisor::fillers::fill_event_inotify_init_x(scap_buf,
 		                                                             &ret.size,
 		                                                             scap_err,
-		                                                             gvisor_evt.exit().result());
+		                                                             gvisor_evt.exit().result(),
+		                                                             gvisor_evt.flags());
 	} else {
 		ret.status = scap_gvisor::fillers::fill_event_inotify_init_e(scap_buf,
 		                                                             &ret.size,
diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp
@@ -79,6 +79,10 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = {
          conversion_info()
                  .action(C_ACTION_ADD_PARAMS)
                  .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})},
+        /*====================== INOTIFY_INIT ======================*/
+        {conversion_key{PPME_SYSCALL_INOTIFY_INIT_E, 1}, conversion_info().action(C_ACTION_STORE)},
+        {conversion_key{PPME_SYSCALL_INOTIFY_INIT_X, 1},
+         conversion_info().action(C_ACTION_ADD_PARAMS).instrs({{C_INSTR_FROM_ENTER, 0}})},
         /*====================== GETRLIMIT ======================*/
         {conversion_key{PPME_SYSCALL_GETRLIMIT_E, 1}, conversion_info().action(C_ACTION_STORE)},
         {conversion_key{PPME_SYSCALL_GETRLIMIT_X, 3},
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -102,7 +102,7 @@ struct scap_vtable;
 // and handle the result
 //
 #define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION(8, 0, 0)
-#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 57, 0)
+#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 58, 0)
 
 //
 // This is the dimension we used before introducing the variable buffer size.
diff --git a/userspace/libsinsp/test/events_file.ut.cpp b/userspace/libsinsp/test/events_file.ut.cpp
@@ -286,7 +286,7 @@ TEST_F(sinsp_with_test_input, creates_fd_generic) {
 
 	fd = 7;
 	add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_E, 1, (uint8_t)0);
-	evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_X, 1, fd);
+	evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_X, 2, fd, (uint8_t)0);
 	ASSERT_EQ(get_field_as_string(evt, "fd.type"), "inotify");
 	ASSERT_EQ(get_field_as_string(evt, "fd.typechar"), "i");
 	ASSERT_EQ(get_field_as_string(evt, "fd.num"), "7");
@@ -550,7 +550,7 @@ TEST_F(sinsp_with_test_input, inotify_init) {
 	uint8_t flags = 79;
 
 	add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_E, 1, flags);
-	evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_X, 1, res);
+	evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_X, 2, res, flags);
 
 	ASSERT_EQ(get_field_as_string(evt, "fd.num"), std::to_string(res));
 	ASSERT_EQ(get_field_as_string(evt, "fd.type"), "inotify");
diff --git a/userspace/libsinsp/test/parsers/parse_inotify_init.cpp b/userspace/libsinsp/test/parsers/parse_inotify_init.cpp
@@ -0,0 +1,46 @@
+
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2025 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sinsp_with_test_input.h>
+
+TEST_F(sinsp_with_test_input, INOTIFY_INIT_success) {
+	add_default_init_thread();
+	open_inspector();
+
+	constexpr int64_t return_value = 60;
+	constexpr uint8_t flags = 0;
+
+	const auto evt = add_event_advance_ts(increasing_ts(),
+	                                      INIT_TID,
+	                                      PPME_SYSCALL_INOTIFY_INIT_X,
+	                                      2,
+	                                      return_value,
+	                                      flags);
+
+	// Check that the returned value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("res")->as<int64_t>(), return_value);
+	// Check that the flags value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("flags")->as<uint8_t>(), flags);
+
+	// Check that fd info associated with the event are as expected.
+	auto fdinfo = evt->get_fd_info();
+	ASSERT_TRUE(fdinfo);
+
+	// Check that fd info associated with the thread are as expected.
+	const auto init_tinfo = m_inspector.m_thread_manager->get_thread_ref(INIT_TID, false).get();
+	ASSERT_TRUE(init_tinfo);
+	fdinfo = init_tinfo->get_fd(return_value);
+	ASSERT_TRUE(fdinfo);
+}
diff --git a/userspace/libsinsp/test/scap_files/converter_tests.cpp b/userspace/libsinsp/test/scap_files/converter_tests.cpp
@@ -78,6 +78,7 @@ TEST_F(scap_file_test, same_number_of_events) {
 	        {PPME_SYSCALL_ACCESS_E, 350},     {PPME_SYSCALL_ACCESS_X, 350},
 	        {PPME_SYSCALL_MPROTECT_E, 584},   {PPME_SYSCALL_MPROTECT_X, 584},
 	        {PPME_SYSCALL_UMOUNT2_E, 2},      {PPME_SYSCALL_UMOUNT2_X, 2},
+	        {PPME_SYSCALL_INOTIFY_INIT_E, 1}, {PPME_SYSCALL_INOTIFY_INIT_X, 1},
 	        // Add further checks regarding the expected number of events in this scap file here.
 	});
 
@@ -333,6 +334,35 @@ TEST_F(scap_file_test, nanosleep_x_check_final_converted_event) {
 
 // We don't have scap-files with TIMERFD_CREATE events. Add it if we face a failure.
 
+////////////////////////////
+// INOTIFY_INIT
+////////////////////////////
+
+TEST_F(scap_file_test, inotify_init_x_check_final_converted_event) {
+	open_filename("kexec_x86.scap");
+
+	// Inside the scap-file the event `161340` is the following:
+	// - type=PPME_SYSCALL_INOTIFY_INIT_X,
+	// - ts=1687889193632611044
+	// - tid=107370
+	// - args=res=4(<i>)
+	//
+	// And its corresponding enter event `161339` is the following:
+	// - type=PPME_SYSCALL_INOTIFY_INIT_E
+	// - ts=1687889193632606569
+	// - tid=107370
+	// - args=flags=0
+	//
+	// Let's see the new PPME_SYSCALL_INOTIFY_INIT_X event!
+	constexpr uint64_t ts = 1687889193632611044;
+	constexpr int64_t tid = 107370;
+	constexpr int64_t res = 4;
+	constexpr uint8_t flags = 0;
+
+	assert_event_presence(
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_INOTIFY_INIT_X, 2, res, flags));
+}
+
 ////////////////////////////
 // GETRLIMIT
 ////////////////////////////
