fix(userspace/libsinsp): remove state handling for PPM_SYSCALL_UNLINK

terror96 · terror96 · commit 427b42fe7221 · 2025-07-30T12:03:26.000+03:00
and PPM_SYSCALL_UNLINKAT

The new driver does not emit `PPM_SYSCALL_UNLINK` and
`PPM_SYSCALL_UNLINKAT` events anymore, and there is no longer need
to handle the old version of the events. This update removes the
state handling and adds conversion rules for the scap files.

Signed-off-by: Tero Kauppinen &lt;tero.kauppinen@est.tech&gt;
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-3.66.0
+3.67.0
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -648,17 +648,26 @@ const struct ppm_event_info g_event_info[] = {
                                     {"newpath", PT_CHARBUF, PF_NA}}},
         [PPME_SYSCALL_LINKAT_X] =
                 {"linkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
-        [PPME_SYSCALL_UNLINK_E] =
-                {"unlink", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"path", PT_FSPATH, PF_NA}}},
-        [PPME_SYSCALL_UNLINK_X] =
-                {"unlink", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
+        [PPME_SYSCALL_UNLINK_E] = {"unlink",
+                                   EC_FILE | EC_SYSCALL,
+                                   EF_OLD_VERSION | EF_TMP_CONVERTER_MANAGED,
+                                   1,
+                                   {{"path", PT_FSPATH, PF_NA}}},
+        [PPME_SYSCALL_UNLINK_X] = {"unlink",
+                                   EC_FILE | EC_SYSCALL,
+                                   EF_OLD_VERSION | EF_TMP_CONVERTER_MANAGED,
+                                   1,
+                                   {{"res", PT_ERRNO, PF_DEC}}},
         [PPME_SYSCALL_UNLINKAT_E] = {"unlinkat",
                                      EC_FILE | EC_SYSCALL,
-                                     EF_OLD_VERSION,
+                                     EF_OLD_VERSION | EF_TMP_CONVERTER_MANAGED,
                                      2,
                                      {{"dirfd", PT_FD, PF_DEC}, {"name", PT_CHARBUF, PF_NA}}},
-        [PPME_SYSCALL_UNLINKAT_X] =
-                {"unlinkat", EC_FILE | EC_SYSCALL, EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC}}},
+        [PPME_SYSCALL_UNLINKAT_X] = {"unlinkat",
+                                     EC_FILE | EC_SYSCALL,
+                                     EF_OLD_VERSION | EF_TMP_CONVERTER_MANAGED,
+                                     1,
+                                     {{"res", PT_ERRNO, PF_DEC}}},
         [PPME_SYSCALL_PREAD_E] = {"pread",
                                   EC_IO_READ | EC_SYSCALL,
                                   EF_USES_FD | EF_READS_FROM_FD | EF_TMP_CONVERTER_MANAGED,
diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -153,6 +153,114 @@ TEST_F(convert_event_test, PPME_SYSCALL_READ_X_to_4_params_with_enter) {
 	                               size));
 }
 
+////////////////////////////
+// UNLINK
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SYSCALL_UNLINK_X_1_to_2_X_2_params_no_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+
+	// Set to empty.
+	constexpr auto path = empty_value<char *>();
+
+	SCAP_EMPTY_PARAMS_SET(empty_params_set, 1);
+
+	assert_single_conversion_success(
+	        CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_UNLINK_X, 1, res),
+	        create_safe_scap_event_with_empty_params(ts,
+	                                                 tid,
+	                                                 PPME_SYSCALL_UNLINK_2_X,
+	                                                 &empty_params_set,
+	                                                 2,
+	                                                 res,
+	                                                 path));
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_UNLINK_X_1_to_2_X_2_params_with_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+	constexpr char path[] = "/etc/ld.so.preload";
+
+	// After the first conversion we should have the storage
+	const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_UNLINK_E, 1, path);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+
+	assert_single_conversion_success(
+	        CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_UNLINK_X, 1, res),
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_UNLINK_2_X, 2, res, path));
+}
+
+////////////////////////////
+// UNLINKAT
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SYSCALL_UNLINKAT_X_1_to_2_X_4_params_no_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+
+	// Set to empty.
+	constexpr auto dirfd = empty_value<int64_t>();
+	constexpr auto name = empty_value<char *>();
+	constexpr auto flags = empty_value<uint32_t>();
+
+	SCAP_EMPTY_PARAMS_SET(empty_params_set, 1, 2, 3);
+
+	assert_single_conversion_success(
+	        CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_UNLINKAT_X, 1, res),
+	        create_safe_scap_event_with_empty_params(ts,
+	                                                 tid,
+	                                                 PPME_SYSCALL_UNLINKAT_2_X,
+	                                                 &empty_params_set,
+	                                                 4,
+	                                                 res,
+	                                                 dirfd,
+	                                                 name,
+	                                                 flags));
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_UNLINKAT_X_1_to_2_X_4_params_with_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+	constexpr int64_t dirfd = 25;
+	constexpr char name[] = "/etc/ld.so.preload";
+
+	// Set to empty.
+	constexpr auto flags = empty_value<uint32_t>();
+
+	SCAP_EMPTY_PARAMS_SET(empty_params_set, 3);
+
+	// After the first conversion we should have the storage
+	const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_UNLINKAT_E, 2, dirfd, name);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+
+	assert_single_conversion_success(
+	        CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_UNLINKAT_X, 1, res),
+	        create_safe_scap_event_with_empty_params(ts,
+	                                                 tid,
+	                                                 PPME_SYSCALL_UNLINKAT_2_X,
+	                                                 &empty_params_set,
+	                                                 4,
+	                                                 res,
+	                                                 dirfd,
+	                                                 name,
+	                                                 flags));
+}
+
 ////////////////////////////
 // PREAD
 ////////////////////////////
diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp
@@ -32,6 +32,25 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = {
          conversion_info()
                  .action(C_ACTION_ADD_PARAMS)
                  .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})},
+        /*====================== UNLINK ======================*/
+        {conversion_key{PPME_SYSCALL_UNLINK_E, 1}, conversion_info().action(C_ACTION_STORE)},
+        {conversion_key{PPME_SYSCALL_UNLINK_X, 1},
+         conversion_info()
+                 .desired_type(PPME_SYSCALL_UNLINK_2_X)
+                 .action(C_ACTION_CHANGE_TYPE)
+                 .instrs({{C_INSTR_FROM_OLD, 0}, {C_INSTR_FROM_ENTER, 0, CIF_FALLBACK_TO_EMPTY}})},
+        /*====================== UNLINKAT ======================*/
+        {conversion_key{PPME_SYSCALL_UNLINKAT_E, 2}, conversion_info().action(C_ACTION_STORE)},
+        {conversion_key{PPME_SYSCALL_UNLINKAT_X, 1},
+         conversion_info()
+                 .desired_type(PPME_SYSCALL_UNLINKAT_2_X)
+                 .action(C_ACTION_CHANGE_TYPE)
+                 .instrs({
+                         {C_INSTR_FROM_OLD, 0},
+                         {C_INSTR_FROM_ENTER, 0, CIF_FALLBACK_TO_EMPTY},
+                         {C_INSTR_FROM_ENTER, 1, CIF_FALLBACK_TO_EMPTY},
+                         {C_INSTR_FROM_EMPTY, 0},  // flags
+                 })},
         /*====================== PREAD ======================*/
         {conversion_key{PPME_SYSCALL_PREAD_E, 3}, conversion_info().action(C_ACTION_STORE)},
         {conversion_key{PPME_SYSCALL_PREAD_X, 2},
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -102,7 +102,7 @@ struct scap_vtable;
 // and handle the result
 //
 #define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION(8, 0, 0)
-#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 66, 0)
+#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 67, 0)
 
 //
 // This is the dimension we used before introducing the variable buffer size.
diff --git a/userspace/libsinsp/event.cpp b/userspace/libsinsp/event.cpp
@@ -1721,21 +1721,15 @@ uint64_t sinsp_evt::get_lastevent_ts() const {
 }
 
 void sinsp_evt::save_enter_event_params(sinsp_evt *enter_evt) {
-	static std::vector<const char *> path_param = {"path"};
 	static std::vector<const char *> oldpath_newpath_param = {"oldpath", "newpath"};
 	static std::vector<const char *> name_param = {"name"};
 
 	std::vector<const char *> *pnames = NULL;
 	switch(get_type()) {
-	case PPME_SYSCALL_UNLINK_X:
-		pnames = &path_param;
-		break;
-
 	case PPME_SYSCALL_LINK_X:
 	case PPME_SYSCALL_LINKAT_X:
 		pnames = &oldpath_newpath_param;
 		break;
-	case PPME_SYSCALL_UNLINKAT_X:
 	case PPME_SYSCALL_OPENAT_X:
 		pnames = &name_param;
 		break;
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -103,16 +103,12 @@ void sinsp_parser::process_event(sinsp_evt &evt, sinsp_parser_verdict &verdict)
 	case PPME_SYSCALL_OPENAT2_E:
 	case PPME_SYSCALL_LINK_E:
 	case PPME_SYSCALL_LINKAT_E:
-	case PPME_SYSCALL_UNLINK_E:
-	case PPME_SYSCALL_UNLINKAT_E:
 	case PPME_SYSCALL_EXECVE_19_E:
 	case PPME_SYSCALL_EXECVEAT_E:
 		store_event(evt);
 		break;
 	case PPME_SYSCALL_LINK_X:
 	case PPME_SYSCALL_LINKAT_X:
-	case PPME_SYSCALL_UNLINK_X:
-	case PPME_SYSCALL_UNLINKAT_X:
 		parse_fspath_related_exit(evt);
 		break;
 	case PPME_SYSCALL_READ_X:
diff --git a/userspace/libsinsp/sinsp_filtercheck_event.cpp b/userspace/libsinsp/sinsp_filtercheck_event.cpp
@@ -724,7 +724,7 @@ uint8_t* sinsp_filter_check_event::extract_abspath(sinsp_evt* evt, uint32_t* len
 			dirfdarg = "newdir";
 			patharg = "newpath";
 		}
-	} else if(etype == PPME_SYSCALL_UNLINKAT_E || etype == PPME_SYSCALL_UNLINKAT_2_X) {
+	} else if(etype == PPME_SYSCALL_UNLINKAT_2_X) {
 		dirfdarg = "dirfd";
 		patharg = "name";
 	} else if(etype == PPME_SYSCALL_MKDIRAT_X) {
@@ -758,9 +758,15 @@ uint8_t* sinsp_filter_check_event::extract_abspath(sinsp_evt* evt, uint32_t* len
 		return 0;
 	}
 
-	int64_t dirfd = evt->get_param(dirfdargidx)->as<int64_t>();
+	// Make sure that the parameters are not empty.
+	const auto dirfd_param = evt->get_param(dirfdargidx);
+	const auto path_param = evt->get_param(pathargidx);
+	if(dirfd_param->empty() || path_param->empty()) {
+		return 0;
+	}
 
-	std::string_view path = evt->get_param(pathargidx)->as<std::string_view>();
+	const auto dirfd = dirfd_param->as<int64_t>();
+	const auto path = path_param->as<std::string_view>();
 
 	string sdir;
 
diff --git a/userspace/libsinsp/sinsp_filtercheck_fspath.cpp b/userspace/libsinsp/sinsp_filtercheck_fspath.cpp
@@ -162,10 +162,6 @@ void sinsp_filter_check_fspath::create_fspath_checks() {
 	m_path_checks->emplace(PPME_SYSCALL_RMDIR_2_X, evt_arg_path);
 	m_success_checks->emplace(PPME_SYSCALL_RMDIR_2_X, evt_arg_res_eq_0);
 
-	m_success_checks->emplace(PPME_SYSCALL_UNLINK_X, evt_arg_res_eq_0);
-
-	m_success_checks->emplace(PPME_SYSCALL_UNLINKAT_X, evt_arg_res_eq_0);
-
 	m_path_checks->emplace(PPME_SYSCALL_UNLINK_2_X, evt_arg_path);
 	m_success_checks->emplace(PPME_SYSCALL_UNLINK_2_X, evt_arg_res_eq_0);
 
@@ -315,14 +311,6 @@ uint8_t* sinsp_filter_check_fspath::extract_single(sinsp_evt* evt,
 
 		// For some event types we need to get the values from the enter event instead.
 		switch(evt->get_type()) {
-		case PPME_SYSCALL_UNLINK_X:
-			enter_param = evt->get_enter_evt_param("path");
-			if(!enter_param.has_value()) {
-				return NULL;
-			}
-			m_tstr = enter_param.value();
-			break;
-		case PPME_SYSCALL_UNLINKAT_X:
 		case PPME_SYSCALL_OPENAT_X:
 			enter_param = evt->get_enter_evt_param("name");
 			if(!enter_param.has_value()) {
diff --git a/userspace/libsinsp/test/events_fspath.ut.cpp b/userspace/libsinsp/test/events_fspath.ut.cpp
@@ -311,18 +311,6 @@ TEST_F(fspath, rmdir_2) {
 	test_failed_exit(PPME_SYSCALL_RMDIR_2_X, 2, failed_res, path);
 }
 
-TEST_F(fspath, unlink) {
-	test_enter(PPME_SYSCALL_UNLINK_E, 1, path);
-	test_exit_path(path, path, PPME_SYSCALL_UNLINK_X, 1, res);
-	test_failed_exit(PPME_SYSCALL_UNLINK_X, 1, failed_res);
-}
-
-TEST_F(fspath, unlinkat) {
-	test_enter(PPME_SYSCALL_UNLINKAT_E, 2, evt_dirfd, name);
-	test_exit_path(resolved_name, name, PPME_SYSCALL_UNLINKAT_X, 1, res);
-	test_failed_exit(PPME_SYSCALL_UNLINKAT_X, 1, failed_res);
-}
-
 TEST_F(fspath, unlink_2) {
 	test_enter(PPME_SYSCALL_UNLINK_2_E, 0);
 	test_exit_path(path, path, PPME_SYSCALL_UNLINK_2_X, 2, res, path);
