feat: add PPME_SYSCALL_FLOCK_E params to PPME_SYSCALL_FLOCK_X

ekoops · poiana · commit da77c772d6ac · 2025-06-20T07:09:16.000+02:00
Add `PPME_SYSCALL_FLOCK_E` parameters to `PPME_SYSCALL_FLOCK_X` event
definition and aligns all 3 kernel drivers to it.

Add new rules to scap file converter table to convert events in old
scap files to the new layout.

Add/update flock-related drivers, scap converter and sinsp parser
tests to account the new layout.

Signed-off-by: Leonardo Di Giovanna &lt;leonardodigiovanna1@gmail.com&gt;
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-3.37.0
+3.38.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -3239,7 +3239,7 @@ FILLER(sys_fchdir_e, true) {
 }
 
 FILLER(sys_fchdir_x, true) {
-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	long retval = bpf_syscall_get_retval(data->ctx);
 	int res = bpf_push_s64_to_ring(data, retval);
 	CHECK_RES(res);
@@ -5534,15 +5534,31 @@ FILLER(sys_socket_x, true) {
 
 FILLER(sys_flock_e, true) {
 	/* Parameter 1: fd (type: PT_FD) */
-	int32_t fd = (int32_t)bpf_syscall_get_argument(data, 0);
-	int res = bpf_push_s64_to_ring(data, (int64_t)fd);
+	int64_t fd = (int64_t)(int32_t)bpf_syscall_get_argument(data, 0);
+	int res = bpf_push_s64_to_ring(data, fd);
 	CHECK_RES(res);
 
 	/* Parameter 2: operation (type: PT_FLAGS32) */
 	int operation = bpf_syscall_get_argument(data, 1);
 	return bpf_push_u32_to_ring(data, flock_flags_to_scap(operation));
 }
 
+FILLER(sys_flock_x, true) {
+	/* Parameter 1: res (type: PT_ERRNO) */
+	long retval = bpf_syscall_get_retval(data->ctx);
+	int res = bpf_push_s64_to_ring(data, retval);
+	CHECK_RES(res);
+
+	/* Parameter 2: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)bpf_syscall_get_argument(data, 0);
+	res = bpf_push_s64_to_ring(data, fd);
+	CHECK_RES(res);
+
+	/* Parameter 3: operation (type: PT_FLAGS32) */
+	int operation = bpf_syscall_get_argument(data, 1);
+	return bpf_push_u32_to_ring(data, flock_flags_to_scap(operation));
+}
+
 FILLER(sys_ioctl_e, true) {
 	/* Parameter 1: fd (type: PT_FD) */
 	int32_t fd = (int32_t)bpf_syscall_get_argument(data, 0);
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -1544,12 +1544,17 @@ const struct ppm_event_info g_event_info[] = {
                                    {"nstype", PT_FLAGS32, PF_HEX, clone_flags}}},
         [PPME_SYSCALL_FLOCK_E] = {"flock",
                                   EC_FILE | EC_SYSCALL,
-                                  EF_USES_FD,
+                                  EF_USES_FD | EF_TMP_CONVERTER_MANAGED,
                                   2,
                                   {{"fd", PT_FD, PF_NA},
                                    {"operation", PT_FLAGS32, PF_HEX, flock_flags}}},
-        [PPME_SYSCALL_FLOCK_X] =
-                {"flock", EC_FILE | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC}}},
+        [PPME_SYSCALL_FLOCK_X] = {"flock",
+                                  EC_FILE | EC_SYSCALL,
+                                  EF_USES_FD | EF_TMP_CONVERTER_MANAGED,
+                                  3,
+                                  {{"res", PT_ERRNO, PF_DEC},
+                                   {"fd", PT_FD, PF_NA},
+                                   {"operation", PT_FLAGS32, PF_HEX, flock_flags}}},
         [PPME_CPU_HOTPLUG_E] = {"cpu_hotplug",
                                 EC_SYSTEM | EC_METAEVENT,
                                 EF_SKIPPARSERESET | EF_MODIFIES_STATE,
diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -229,7 +229,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_SETNS_E] = {FILLER_REF(sys_setns_e)},
         [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_setns_x)},
         [PPME_SYSCALL_FLOCK_E] = {FILLER_REF(sys_flock_e)},
-        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_flock_x)},
         [PPME_CPU_HOTPLUG_E] = {FILLER_REF(cpu_hotplug_e)},
         [PPME_SOCKET_ACCEPT_5_E] = {FILLER_REF(sys_empty)},
         [PPME_SOCKET_ACCEPT_5_X] = {FILLER_REF(sys_accept_x)},
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -160,7 +160,7 @@
 #define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
 #define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
-#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
 #define CPU_HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
 #define ACCEPT_E_SIZE HEADER_LEN
 #define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/flock.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/flock.bpf.c
@@ -22,8 +22,8 @@ int BPF_PROG(flock_e, struct pt_regs *regs, long id) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	/* Parameter 1: fd (type: PT_FD) */
-	int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_s64(&ringbuf, (int64_t)fd);
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
 
 	/* Parameter 2: operation (type: PT_FLAGS32) */
 	unsigned long operation = extract__syscall_argument(regs, 1);
@@ -51,9 +51,17 @@ int BPF_PROG(flock_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: res (type: PT_ERRNO)*/
+	/* Parameter 1: res (type: PT_ERRNO) */
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: fd (type: PT_FD) */
+	int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s64(&ringbuf, fd);
+
+	/* Parameter 3: operation (type: PT_FLAGS32) */
+	unsigned long operation = extract__syscall_argument(regs, 1);
+	ringbuf__store_u32(&ringbuf, flock_flags_to_scap((int)operation));
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -7366,15 +7366,15 @@ int f_sys_getresuid_and_gid_x(struct event_filler_arguments *args) {
 }
 
 int f_sys_flock_e(struct event_filler_arguments *args) {
-	unsigned long val = 0;
-	int res = 0;
-	uint32_t flags = 0;
-	int32_t fd = 0;
+	unsigned long val;
+	int64_t fd;
+	int res;
+	uint32_t flags;
 
 	/* Parameter 1: fd (type: PT_FD) */
 	syscall_get_arguments_deprecated(args, 0, 1, &val);
-	fd = (int32_t)val;
-	res = val_to_ring(args, (int64_t)fd, 0, false, 0);
+	fd = (int64_t)(int32_t)val;
+	res = val_to_ring(args, fd, 0, false, 0);
 	CHECK_RES(res);
 
 	/* Parameter 2: operation (type: PT_FLAGS32) */
@@ -7386,6 +7386,33 @@ int f_sys_flock_e(struct event_filler_arguments *args) {
 	return add_sentinel(args);
 }
 
+int f_sys_flock_x(struct event_filler_arguments *args) {
+	int64_t retval;
+	int res;
+	unsigned long val;
+	int64_t fd;
+	uint32_t flags;
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	retval = (int64_t)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: fd (type: PT_FD) */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	fd = (int64_t)(int32_t)val;
+	res = val_to_ring(args, fd, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 3: operation (type: PT_FLAGS32) */
+	syscall_get_arguments_deprecated(args, 1, 1, &val);
+	flags = flock_flags_to_scap((int)val);
+	res = val_to_ring(args, flags, 0, false, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 int f_sys_ioctl_e(struct event_filler_arguments *args) {
 	unsigned long val = 0;
 	int res = 0;
diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
@@ -111,6 +111,7 @@ or GPL2.txt for full copies of the license.
 	FN(sys_setns_x)                      \
 	FN(sys_unshare_e)                    \
 	FN(sys_flock_e)                      \
+	FN(sys_flock_x)                      \
 	FN(cpu_hotplug_e)                    \
 	FN(sys_semop_x)                      \
 	FN(sys_semget_e)                     \
diff --git a/test/drivers/test_suites/syscall_exit_suite/flock_x.cpp b/test/drivers/test_suites/syscall_exit_suite/flock_x.cpp
@@ -32,8 +32,14 @@ TEST(SyscallExit, flockX) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	evt_test->assert_numeric_param(1, (int64_t)errno_value);
 
+	/* Parameter 2: fd (type: PT_FD) */
+	evt_test->assert_numeric_param(2, (int64_t)mock_fd);
+
+	/* Parameter 3: operation (type: PT_FLAGS32) */
+	evt_test->assert_numeric_param(3, (uint32_t)PPM_LOCK_EX);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(1);
+	evt_test->assert_num_params_pushed(3);
 }
 #endif
diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -2638,6 +2638,57 @@ TEST_F(convert_event_test, PPME_SYSCALL_SETNS_1_X_to_3_params_with_enter) {
 	        create_safe_scap_event(ts, tid, PPME_SYSCALL_SETNS_X, 3, res, fd, flags));
 }
 
+////////////////////////////
+// FLOCK
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SYSCALL_FLOCK_E_store) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t fd = 25;
+	constexpr uint32_t operation = 50;
+
+	const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_FLOCK_E, 2, fd, operation);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_FLOCK_1_X_to_3_params_no_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+
+	// Defaulted to 0
+	constexpr int64_t fd = 0;
+	constexpr uint32_t operation = 0;
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_FLOCK_X, 1, res),
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_FLOCK_X, 3, res, fd, operation));
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_FLOCK_1_X_to_3_params_with_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+	constexpr int64_t fd = 25;
+	constexpr uint32_t operation = 50;
+
+	// After the first conversion we should have the storage
+	const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_FLOCK_E, 2, fd, operation);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_FLOCK_X, 1, res),
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_FLOCK_X, 3, res, fd, operation));
+}
+
 ////////////////////////////
 // FCHDIR
 ////////////////////////////
diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp
@@ -274,6 +274,12 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = {
          conversion_info()
                  .action(C_ACTION_ADD_PARAMS)
                  .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})},
+        /*====================== FLOCK ======================*/
+        {conversion_key{PPME_SYSCALL_FLOCK_E, 2}, conversion_info().action(C_ACTION_STORE)},
+        {conversion_key{PPME_SYSCALL_FLOCK_X, 1},
+         conversion_info()
+                 .action(C_ACTION_ADD_PARAMS)
+                 .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})},
         /*====================== SETGID ======================*/
         {conversion_key{PPME_SYSCALL_SETGID_E, 1}, conversion_info().action(C_ACTION_STORE)},
         {conversion_key{PPME_SYSCALL_SETGID_X, 1},
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -102,7 +102,7 @@ struct scap_vtable;
 // and handle the result
 //
 #define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION(8, 0, 0)
-#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 37, 0)
+#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 38, 0)
 
 //
 // This is the dimension we used before introducing the variable buffer size.
diff --git a/userspace/libscap/scap_event.c b/userspace/libscap/scap_event.c
@@ -549,6 +549,7 @@ int get_exit_event_fd_location(ppm_event_code etype) {
 	case PPME_SYSCALL_CLOSE_X:
 	case PPME_SYSCALL_GETDENTS_X:
 	case PPME_SYSCALL_GETDENTS64_X:
+	case PPME_SYSCALL_FLOCK_X:
 		location = 1;
 		break;
 	case PPME_SYSCALL_READ_X:
diff --git a/userspace/libsinsp/test/parsers/parse_flock.cpp b/userspace/libsinsp/test/parsers/parse_flock.cpp
@@ -0,0 +1,41 @@
+
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2025 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sinsp_with_test_input.h>
+
+TEST_F(sinsp_with_test_input, FLOCK_success) {
+	add_default_init_thread();
+	open_inspector();
+
+	int64_t return_value = 55;
+	int64_t fd = 10;
+	uint32_t operation = 1;
+	const auto evt = add_event_advance_ts(increasing_ts(),
+	                                      INIT_TID,
+	                                      PPME_SYSCALL_FLOCK_X,
+	                                      3,
+	                                      return_value,
+	                                      fd,
+	                                      operation);
+
+	// Check that the returned value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("res")->as<int64_t>(), return_value);
+
+	// Check that the fd value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("fd")->as<int64_t>(), fd);
+
+	// Check that the operation value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("operation")->as<uint32_t>(), operation);
+}
diff --git a/userspace/libsinsp/test/scap_files/converter_tests.cpp b/userspace/libsinsp/test/scap_files/converter_tests.cpp
@@ -1226,6 +1226,12 @@ TEST_F(scap_file_test, setns_x_check_final_converted_event) {
 	        create_safe_scap_event(ts, tid, PPME_SYSCALL_SETNS_X, 3, res, fd, nstype));
 }
 
+////////////////////////////
+// FLOCK
+////////////////////////////
+
+// We don't have scap-files with FLOCK events. Add it if we face a failure.
+
 ////////////////////////////
 // FCHDIR
 ////////////////////////////
