
Commit 5f249d1

ekoopspoiana
authored andcommitted
feat: extend SEMCTL_X and SEMGET_X with enter parameters
Add `PPME_SYSCALL_SEMCTL_E`/`PPME_SYSCALL_SEMGET_E` parameters to `PPME_SYSCALL_SEMCTL_X`/`PPME_SYSCALL_SEMGET_X` event definitions and align all 3 kernel drivers with them. Add new rules to the scap file converter table to convert events in old scap files to the new layout. Add/update semctl/semget-related drivers, scap converter and sinsp parser tests to account for the new layouts. Signed-off-by: Leonardo Di Giovanna <[email protected]>
1 parent 2f1bd46 commit 5f249d1


17 files changed

+458
-64
lines changed


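--- a/driver/SCHEMA_VERSION
+++ b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-3.39.0
+3.40.0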

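--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -6481,58 +6481,89 @@ FILLER(sys_setresuid_x, true) {
 }
 
 FILLER(sys_semget_e, true) {
-unsigned long val;
-int res;
+/* Parameter 1: key (type: PT_INT32) */
+unsigned long val = bpf_syscall_get_argument(data, 0);
+int res = bpf_push_s32_to_ring(data, val);
+CHECK_RES(res);
 
-/*
-* key
-*/
-val = bpf_syscall_get_argument(data, 0);
+/* Parameter 2: nsems (type: PT_INT32) */
+val = bpf_syscall_get_argument(data, 1);
 res = bpf_push_s32_to_ring(data, val);
 CHECK_RES(res);
 
-/*
-* nsems
-*/
+/* Parameter 3: semflg (type: PT_FLAGS32) */
+val = bpf_syscall_get_argument(data, 2);
+return bpf_push_u32_to_ring(data, semget_flags_to_scap(val));
+}
+
+FILLER(sys_semget_x, true) {
+/* Parameter 1: res (type: PT_ERRNO) */
+long retval = bpf_syscall_get_retval(data->ctx);
+int res = bpf_push_s64_to_ring(data, retval);
+CHECK_RES(res);
+
+/* Parameter 2: key (type: PT_INT32) */
+unsigned long val = bpf_syscall_get_argument(data, 0);
+res = bpf_push_s32_to_ring(data, val);
+CHECK_RES(res);
+
+/* Parameter 3: nsems (type: PT_INT32) */
 val = bpf_syscall_get_argument(data, 1);
 res = bpf_push_s32_to_ring(data, val);
 CHECK_RES(res);
 
-/*
-* semflg
-*/
+/* Parameter 4: semflg (type: PT_FLAGS32) */
 val = bpf_syscall_get_argument(data, 2);
 return bpf_push_u32_to_ring(data, semget_flags_to_scap(val));
 }
 
 FILLER(sys_semctl_e, true) {
-unsigned long val;
-int res;
+/* Parameter 1: semid (type: PT_INT32) */
+unsigned long val = bpf_syscall_get_argument(data, 0);
+int res = bpf_push_s32_to_ring(data, val);
+CHECK_RES(res);
 
-/*
-* semid
-*/
-val = bpf_syscall_get_argument(data, 0);
+/* Parameter 2: semnum (type: PT_INT32) */
+val = bpf_syscall_get_argument(data, 1);
 res = bpf_push_s32_to_ring(data, val);
 CHECK_RES(res);
 
-/*
-* semnum
-*/
+/* Parameter 3: cmd (type: PT_FLAGS16) */
+val = bpf_syscall_get_argument(data, 2);
+res = bpf_push_u16_to_ring(data, semctl_cmd_to_scap(val));
+CHECK_RES(res);
+
+/* Parameter 4: val (type: PT_INT32) */
+if(val == SETVAL)
+val = bpf_syscall_get_argument(data, 3);
+else
+val = 0;
+
+return bpf_push_s32_to_ring(data, val);
+}
+
+FILLER(sys_semctl_x, true) {
+/* Parameter 1: res (type: PT_ERRNO) */
+long retval = bpf_syscall_get_retval(data->ctx);
+int res = bpf_push_s64_to_ring(data, retval);
+CHECK_RES(res);
+
+/* Parameter 2: semid (type: PT_INT32) */
+unsigned long val = bpf_syscall_get_argument(data, 0);
+res = bpf_push_s32_to_ring(data, val);
+CHECK_RES(res);
+
+/* Parameter 3: semnum (type: PT_INT32) */
 val = bpf_syscall_get_argument(data, 1);
 res = bpf_push_s32_to_ring(data, val);
 CHECK_RES(res);
 
-/*
-* cmd
-*/
+/* Parameter 4: cmd (type: PT_FLAGS16) */
 val = bpf_syscall_get_argument(data, 2);
 res = bpf_push_u16_to_ring(data, semctl_cmd_to_scap(val));
 CHECK_RES(res);
 
-/*
-* optional argument semun/val
-*/
+/* Parameter 5: val (type: PT_INT32) */
 if(val == SETVAL)
 val = bpf_syscall_get_argument(data, 3);
 else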
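Review bot: The `if(val == SETVAL)` test in sys_semctl_e and sys_semctl_x compares the full `unsigned long` register value, while the modern probe in semctl.bpf.c narrows `cmd` to `uint16_t` before the same test and semctl(2) itself takes `cmd` as an `int`, so the drivers can disagree on whether the fourth argument is recorded as `val` when the register carries bits outside the compared width. The kmod fillers f_sys_semctl_e and f_sys_semctl_x in driver/ppm_fillers.c follow the same full-width pattern. Reusing `val` for both the command and the optional argument also hides that dependency; a dedicated variable with one agreed width, for example `int cmd = (int)bpf_syscall_get_argument(data, 2);` followed by `if(cmd == SETVAL)`, would keep the recorded `val` consistent across drivers, assuming semctl_cmd_to_scap accepts that type. The body of sys_semctl_x continues past the last line of this hunk.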

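--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -1608,14 +1608,21 @@ const struct ppm_event_info g_event_info[] = {
 {"semid", PT_INT32, PF_DEC}}},
 [PPME_SYSCALL_SEMCTL_E] = {"semctl",
 EC_PROCESS | EC_SYSCALL,
-EF_NONE,
+EF_TMP_CONVERTER_MANAGED,
 4,
 {{"semid", PT_INT32, PF_DEC},
 {"semnum", PT_INT32, PF_DEC},
 {"cmd", PT_FLAGS16, PF_HEX, semctl_commands},
 {"val", PT_INT32, PF_DEC}}},
-[PPME_SYSCALL_SEMCTL_X] =
-{"semctl", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
+[PPME_SYSCALL_SEMCTL_X] = {"semctl",
+EC_PROCESS | EC_SYSCALL,
+EF_TMP_CONVERTER_MANAGED,
+5,
+{{"res", PT_ERRNO, PF_DEC},
+{"semid", PT_INT32, PF_DEC},
+{"semnum", PT_INT32, PF_DEC},
+{"cmd", PT_FLAGS16, PF_HEX, semctl_commands},
+{"val", PT_INT32, PF_DEC}}},
 [PPME_SYSCALL_PPOLL_E] = {"ppoll",
 EC_WAIT | EC_SYSCALL,
 EF_WAITS,
@@ -1659,13 +1666,19 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
 [PPME_SYSCALL_SEMGET_E] = {"semget",
 EC_PROCESS | EC_SYSCALL,
-EF_NONE,
+EF_TMP_CONVERTER_MANAGED,
 3,
 {{"key", PT_INT32, PF_HEX},
 {"nsems", PT_INT32, PF_DEC},
 {"semflg", PT_FLAGS32, PF_HEX, semget_flags}}},
-[PPME_SYSCALL_SEMGET_X] =
-{"semget", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC}}},
+[PPME_SYSCALL_SEMGET_X] = {"semget",
+EC_PROCESS | EC_SYSCALL,
+EF_TMP_CONVERTER_MANAGED,
+4,
+{{"res", PT_ERRNO, PF_DEC},
+{"key", PT_INT32, PF_HEX},
+{"nsems", PT_INT32, PF_DEC},
+{"semflg", PT_FLAGS32, PF_HEX, semget_flags}}},
 [PPME_SYSCALL_ACCESS_E] = {"access",
 EC_FILE | EC_SYSCALL,
 EF_NONE,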
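Review bot: The `val` parameter added to PPME_SYSCALL_SEMCTL_X carries no hint that it is only meaningful when `cmd` is SETVAL; the fillers in this commit push 0 for every other command, so a consumer that sees `val=0` cannot tell a real SETVAL of 0 from "not applicable" without also checking `cmd`. A short comment above the entry, such as `/* val is the SETVAL argument; it is 0 for every other cmd */`, would keep rule and parser authors from keying on `val` alone. The same applies to the existing PPME_SYSCALL_SEMCTL_E entry, and the g_event_info initializer starts and ends outside this section.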

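--- a/driver/fillers_table.c
+++ b/driver/fillers_table.c
@@ -236,7 +236,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 [PPME_SYSCALL_SEMOP_E] = {FILLER_REF(sys_single)},
 [PPME_SYSCALL_SEMOP_X] = {FILLER_REF(sys_semop_x)},
 [PPME_SYSCALL_SEMCTL_E] = {FILLER_REF(sys_semctl_e)},
-[PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_single_x)},
+[PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_semctl_x)},
 [PPME_SYSCALL_PPOLL_E] = {FILLER_REF(sys_ppoll_e)},
 [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_ppoll_x)},
 [PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},
@@ -245,7 +245,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 APT_REG,
 {{AF_ID_RETVAL}, {0}, {1}, {2}}},
 [PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)},
-[PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)},
+[PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_semget_x)},
 [PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)},
 [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
 [PPME_SYSCALL_CHROOT_E] = {FILLER_REF(sys_empty)},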

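--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@@ -166,10 +166,10 @@
 #define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
 #define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int32_t) + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 9
 #define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
-#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 5
 #define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
-#define SEMGET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SEMGET_X_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 4
 #define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define CHROOT_E_SIZE HEADER_LEN
 #define SETSID_E_SIZE HEADER_LEN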

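--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semctl.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semctl.bpf.c
@@ -61,6 +61,25 @@ int BPF_PROG(semctl_x, struct pt_regs *regs, long ret) {
 /* Parameter 1: res (type: PT_ERRNO) */
 ringbuf__store_s64(&ringbuf, (int64_t)ret);
 
+/* Parameter 2: semid (type: PT_INT32) */
+int32_t semid = (int32_t)extract__syscall_argument(regs, 0);
+ringbuf__store_s32(&ringbuf, semid);
+
+/* Parameter 3: semnum (type: PT_INT32) */
+int32_t semnum = (int32_t)extract__syscall_argument(regs, 1);
+ringbuf__store_s32(&ringbuf, semnum);
+
+/* Parameter 4: cmd (type: PT_FLAGS16) */
+uint16_t cmd = (uint16_t)extract__syscall_argument(regs, 2);
+ringbuf__store_u16(&ringbuf, semctl_cmd_to_scap(cmd));
+
+/* Parameter 5: val (type: PT_INT32) */
+int32_t val = 0;
+if(cmd == SETVAL) {
+val = (int32_t)extract__syscall_argument(regs, 3);
+}
+ringbuf__store_s32(&ringbuf, val);
+
 /*=============================== COLLECT PARAMETERS ===========================*/
 
 ringbuf__submit_event(&ringbuf);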

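--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semget.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semget.bpf.c
@@ -54,6 +54,18 @@ int BPF_PROG(semget_x, struct pt_regs *regs, long ret) {
 /* Parameter 1: res (type: PT_ERRNO) */
 ringbuf__store_s64(&ringbuf, (int64_t)ret);
 
+/* Parameter 2: key (type: PT_INT32) */
+int32_t key = (int32_t)extract__syscall_argument(regs, 0);
+ringbuf__store_s32(&ringbuf, key);
+
+/* Parameter 3: nsems (type: PT_INT32) */
+int32_t nsems = (int32_t)extract__syscall_argument(regs, 1);
+ringbuf__store_s32(&ringbuf, nsems);
+
+/* Parameter 4: semflg (type: PT_FLAGS32) */
+uint32_t semflg = (uint32_t)extract__syscall_argument(regs, 2);
+ringbuf__store_u32(&ringbuf, semget_flags_to_scap(semflg));
+
 /*=============================== COLLECT PARAMETERS ===========================*/
 
 ringbuf__submit_event(&ringbuf);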

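--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -7795,23 +7795,45 @@ int f_sys_semget_e(struct event_filler_arguments *args) {
 unsigned long val;
 int res;
 
-/*
-* key
-*/
+/* Parameter 1: key (type: PT_INT32) */
 syscall_get_arguments_deprecated(args, 0, 1, &val);
 res = val_to_ring(args, val, 0, true, 0);
 CHECK_RES(res);
 
-/*
-* nsems
-*/
+/* Parameter 2: nsems (type: PT_INT32) */
 syscall_get_arguments_deprecated(args, 1, 1, &val);
 res = val_to_ring(args, val, 0, true, 0);
 CHECK_RES(res);
 
-/*
-* semflg
-*/
+/* Parameter 3: semflg (type: PT_FLAGS32) */
+syscall_get_arguments_deprecated(args, 2, 1, &val);
+res = val_to_ring(args, semget_flags_to_scap(val), 0, true, 0);
+CHECK_RES(res);
+
+return add_sentinel(args);
+}
+
+int f_sys_semget_x(struct event_filler_arguments *args) {
+int64_t retval;
+unsigned long val;
+int res;
+
+/* Parameter 1: res (type: PT_ERRNO) */
+retval = (int64_t)syscall_get_return_value(current, args->regs);
+res = val_to_ring(args, retval, 0, false, 0);
+CHECK_RES(res);
+
+/* Parameter 2: key (type: PT_INT32) */
+syscall_get_arguments_deprecated(args, 0, 1, &val);
+res = val_to_ring(args, val, 0, true, 0);
+CHECK_RES(res);
+
+/* Parameter 3: nsems (type: PT_INT32) */
+syscall_get_arguments_deprecated(args, 1, 1, &val);
+res = val_to_ring(args, val, 0, true, 0);
+CHECK_RES(res);
+
+/* Parameter 4: semflg (type: PT_FLAGS32) */
 syscall_get_arguments_deprecated(args, 2, 1, &val);
 res = val_to_ring(args, semget_flags_to_scap(val), 0, true, 0);
 CHECK_RES(res);
@@ -7823,30 +7845,58 @@ int f_sys_semctl_e(struct event_filler_arguments *args) {
 unsigned long val;
 int res;
 
-/*
-* semid
-*/
+/* Parameter 1: semid (type: PT_INT32) */
 syscall_get_arguments_deprecated(args, 0, 1, &val);
 res = val_to_ring(args, val, 0, true, 0);
 CHECK_RES(res);
 
-/*
-* semnum
-*/
+/* Parameter 2: semnum (type: PT_INT32) */
 syscall_get_arguments_deprecated(args, 1, 1, &val);
 res = val_to_ring(args, val, 0, true, 0);
 CHECK_RES(res);
 
-/*
-* cmd
-*/
+/* Parameter 3: cmd (type: PT_FLAGS16) */
 syscall_get_arguments_deprecated(args, 2, 1, &val);
 res = val_to_ring(args, semctl_cmd_to_scap(val), 0, true, 0);
 CHECK_RES(res);
 
-/*
-* optional argument semun/val
-*/
+/* Parameter 4: val (type: PT_INT32) */
+if(val == SETVAL)
+syscall_get_arguments_deprecated(args, 3, 1, &val);
+else
+val = 0;
+res = val_to_ring(args, val, 0, true, 0);
+CHECK_RES(res);
+
+return add_sentinel(args);
+}
+
+int f_sys_semctl_x(struct event_filler_arguments *args) {
+int64_t retval;
+int res;
+unsigned long val;
+
+/* Parameter 1: res (type: PT_ERRNO) */
+retval = (int64_t)syscall_get_return_value(current, args->regs);
+res = val_to_ring(args, retval, 0, false, 0);
+CHECK_RES(res);
+
+/* Parameter 2: semid (type: PT_INT32) */
+syscall_get_arguments_deprecated(args, 0, 1, &val);
+res = val_to_ring(args, val, 0, true, 0);
+CHECK_RES(res);
+
+/* Parameter 3: semnum (type: PT_INT32) */
+syscall_get_arguments_deprecated(args, 1, 1, &val);
+res = val_to_ring(args, val, 0, true, 0);
+CHECK_RES(res);
+
+/* Parameter 4: cmd (type: PT_FLAGS16) */
+syscall_get_arguments_deprecated(args, 2, 1, &val);
+res = val_to_ring(args, semctl_cmd_to_scap(val), 0, true, 0);
+CHECK_RES(res);
+
+/* Parameter 5: val (type: PT_INT32) */
 if(val == SETVAL)
 syscall_get_arguments_deprecated(args, 3, 1, &val);
 else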

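--- a/driver/ppm_fillers.h
+++ b/driver/ppm_fillers.h
@@ -115,7 +115,9 @@ or GPL2.txt for full copies of the license.
 FN(cpu_hotplug_e) \
 FN(sys_semop_x) \
 FN(sys_semget_e) \
+FN(sys_semget_x) \
 FN(sys_semctl_e) \
+FN(sys_semctl_x) \
 FN(sys_ppoll_e) \
 FN(sys_ppoll_x) \
 FN(sys_mount_e) \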
