feat: add PPME_SYSCALL_SEMOP_E params to PPME_SYSCALL_SEMOP_X

ekoops · ekoops · commit f4c4710e66a6 · 2025-06-20T09:53:20.000+02:00
Add `PPME_SYSCALL_SEMOP_E` parameters to `PPME_SYSCALL_SEMOP_X` event
definition and aligns all 3 kernel drivers to it.

Add new rules to scap file converter table to convert events in old
scap files to the new layout.

Add/update semop-related drivers, scap converter and sinsp parser
tests to account the new layout.

Signed-off-by: Leonardo Di Giovanna &lt;leonardodigiovanna1@gmail.com&gt;
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-3.38.0
+3.39.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -5498,7 +5498,12 @@ FILLER(sys_semop_x, true) {
 	CHECK_RES(res);
 
 	/* Parameter 8: sem_flg_1 (type: PT_FLAGS16) */
-	return bpf_push_u16_to_ring(data, semop_flags_to_scap(sops[1].sem_flg));
+	res = bpf_push_u16_to_ring(data, semop_flags_to_scap(sops[1].sem_flg));
+	CHECK_RES(res);
+
+	/* Parameter 9: semid (type: PT_INT32) */
+	int32_t initval = (int32_t)bpf_syscall_get_argument(data, 0);
+	return bpf_push_s32_to_ring(data, initval);
 }
 
 FILLER(sys_socket_x, true) {
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -1588,20 +1588,24 @@ const struct ppm_event_info g_event_info[] = {
                                       {"queuepct", PT_UINT8, PF_DEC},
                                       {"queuelen", PT_UINT32, PF_DEC},
                                       {"queuemax", PT_UINT32, PF_DEC}}},
-        [PPME_SYSCALL_SEMOP_E] =
-                {"semop", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"semid", PT_INT32, PF_DEC}}},
+        [PPME_SYSCALL_SEMOP_E] = {"semop",
+                                  EC_PROCESS | EC_SYSCALL,
+                                  EF_TMP_CONVERTER_MANAGED,
+                                  1,
+                                  {{"semid", PT_INT32, PF_DEC}}},
         [PPME_SYSCALL_SEMOP_X] = {"semop",
                                   EC_PROCESS | EC_SYSCALL,
-                                  EF_NONE,
-                                  8,
+                                  EF_TMP_CONVERTER_MANAGED,
+                                  9,
                                   {{"res", PT_ERRNO, PF_DEC},
                                    {"nsops", PT_UINT32, PF_DEC},
                                    {"sem_num_0", PT_UINT16, PF_DEC},
                                    {"sem_op_0", PT_INT16, PF_DEC},
                                    {"sem_flg_0", PT_FLAGS16, PF_HEX, semop_flags},
                                    {"sem_num_1", PT_UINT16, PF_DEC},
                                    {"sem_op_1", PT_INT16, PF_DEC},
-                                   {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags}}},
+                                   {"sem_flg_1", PT_FLAGS16, PF_HEX, semop_flags},
+                                   {"semid", PT_INT32, PF_DEC}}},
         [PPME_SYSCALL_SEMCTL_E] = {"semctl",
                                    EC_PROCESS | EC_SYSCALL,
                                    EF_NONE,
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -164,7 +164,7 @@
 #define CPU_HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
 #define ACCEPT_E_SIZE HEADER_LEN
 #define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
-#define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 8
+#define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int32_t) + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 9
 #define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
 #define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semop.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/semop.bpf.c
@@ -21,7 +21,7 @@ int BPF_PROG(semop_e, struct pt_regs *regs, long id) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: semid (type: PT_INT32)*/
+	/* Parameter 1: semid (type: PT_INT32) */
 	int32_t semid = (int32_t)extract__syscall_argument(regs, 0);
 	ringbuf__store_s32(&ringbuf, semid);
 
@@ -92,6 +92,10 @@ int BPF_PROG(semop_x, struct pt_regs *regs, long ret) {
 	/* Parameter 8: sem_flg_1 (type: PT_FLAGS16) */
 	ringbuf__store_u16(&ringbuf, semop_flags_to_scap(sops[1].sem_flg));
 
+	/* Parameter 9: semid (type: PT_INT32) */
+	int32_t semid = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_s32(&ringbuf, semid);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -7726,6 +7726,7 @@ int f_sys_semop_x(struct event_filler_arguments *args) {
 	long retval = 0;
 	struct sembuf *sops_pointer = NULL;
 	struct sembuf sops[2] = {0};
+	unsigned long val;
 
 	/* Parameter 1: res (type: PT_ERRNO) */
 	retval = (int64_t)syscall_get_return_value(current, args->regs);
@@ -7782,6 +7783,11 @@ int f_sys_semop_x(struct event_filler_arguments *args) {
 	res = val_to_ring(args, semop_flags_to_scap(sops[1].sem_flg), 0, true, 0);
 	CHECK_RES(res);
 
+	/* Parameter 9: semid (type: PT_INT32) */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	res = val_to_ring(args, (int32_t)val, 0, true, 0);
+	CHECK_RES(res);
+
 	return add_sentinel(args);
 }
 
diff --git a/test/drivers/test_suites/syscall_enter_suite/semop_e.cpp b/test/drivers/test_suites/syscall_enter_suite/semop_e.cpp
@@ -32,7 +32,7 @@ TEST(SyscallEnter, semopE) {
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	/* Parameter 1: semid (type: PT_INT32)*/
+	/* Parameter 1: semid (type: PT_INT32) */
 	evt_test->assert_numeric_param(1, (int32_t)semid);
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
diff --git a/test/drivers/test_suites/syscall_exit_suite/semop_x.cpp b/test/drivers/test_suites/syscall_exit_suite/semop_x.cpp
@@ -57,9 +57,12 @@ TEST(SyscallExit, semopX_null_pointer) {
 	/* Parameter 8: sem_flg_1 (type: PT_FLAGS16) */
 	evt_test->assert_numeric_param(8, (uint16_t)0);
 
+	/* Parameter 9: semid (type: PT_INT32) */
+	evt_test->assert_numeric_param(9, (int32_t)semid);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(8);
+	evt_test->assert_num_params_pushed(9);
 }
 
 #if defined(__NR_semget) && defined(__NR_semctl)
@@ -133,9 +136,12 @@ TEST(SyscallExit, semopX_wrong_nops) {
 	/* Parameter 8: sem_flg_1 (type: PT_FLAGS16) */
 	evt_test->assert_numeric_param(8, (uint16_t)0);
 
+	/* Parameter 9: semid (type: PT_INT32) */
+	evt_test->assert_numeric_param(9, (int32_t)semid);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(8);
+	evt_test->assert_num_params_pushed(9);
 }
 
 TEST(SyscallExit, semopX_1_operation) {
@@ -206,9 +212,12 @@ TEST(SyscallExit, semopX_1_operation) {
 	/* Parameter 8: sem_flg_1 (type: PT_FLAGS16) */
 	evt_test->assert_numeric_param(8, (uint16_t)0);
 
+	/* Parameter 9: semid (type: PT_INT32) */
+	evt_test->assert_numeric_param(9, (int32_t)semid);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(8);
+	evt_test->assert_num_params_pushed(9);
 }
 
 TEST(SyscallExit, semopX_2_operation) {
@@ -280,9 +289,12 @@ TEST(SyscallExit, semopX_2_operation) {
 	/* Parameter 8: sem_flg_1 (type: PT_FLAGS16) */
 	evt_test->assert_numeric_param(8, (uint16_t)PPM_IPC_NOWAIT);
 
+	/* Parameter 9: semid (type: PT_INT32) */
+	evt_test->assert_numeric_param(9, (int32_t)semid);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(8);
+	evt_test->assert_num_params_pushed(9);
 }
 
 #endif
diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -2689,6 +2689,114 @@ TEST_F(convert_event_test, PPME_SYSCALL_FLOCK_1_X_to_3_params_with_enter) {
 	        create_safe_scap_event(ts, tid, PPME_SYSCALL_FLOCK_X, 3, res, fd, operation));
 }
 
+////////////////////////////
+// SEMOP
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SYSCALL_SEMOP_E_store) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int32_t semid = 25;
+
+	const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_SEMOP_E, 1, semid);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_SEMOP_8_X_to_9_params_no_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int64_t res = 89;
+	constexpr uint32_t nsops = 20;
+	constexpr uint16_t sem_num_0 = 21;
+	constexpr int16_t sem_op_0 = 22;
+	constexpr uint16_t sem_flg_0 = 23;
+	constexpr uint16_t sem_num_1 = 24;
+	constexpr int16_t sem_op_1 = 25;
+	constexpr uint16_t sem_flg_1 = 26;
+
+	// Defaulted to 0
+	constexpr int32_t semid = 0;
+
+	assert_single_conversion_success(conversion_result::CONVERSION_COMPLETED,
+	                                 create_safe_scap_event(ts,
+	                                                        tid,
+	                                                        PPME_SYSCALL_SEMOP_X,
+	                                                        8,
+	                                                        res,
+	                                                        nsops,
+	                                                        sem_num_0,
+	                                                        sem_op_0,
+	                                                        sem_flg_0,
+	                                                        sem_num_1,
+	                                                        sem_op_1,
+	                                                        sem_flg_1),
+	                                 create_safe_scap_event(ts,
+	                                                        tid,
+	                                                        PPME_SYSCALL_SEMOP_X,
+	                                                        9,
+	                                                        res,
+	                                                        nsops,
+	                                                        sem_num_0,
+	                                                        sem_op_0,
+	                                                        sem_flg_0,
+	                                                        sem_num_1,
+	                                                        sem_op_1,
+	                                                        sem_flg_1,
+	                                                        semid));
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_SEMOP_1_X_to_3_params_with_enter) {
+	constexpr uint64_t ts = 12;
+	constexpr int64_t tid = 25;
+
+	constexpr int32_t semid = 27;
+	constexpr int64_t res = 89;
+	constexpr uint32_t nsops = 20;
+	constexpr uint16_t sem_num_0 = 21;
+	constexpr int16_t sem_op_0 = 22;
+	constexpr uint16_t sem_flg_0 = 23;
+	constexpr uint16_t sem_num_1 = 24;
+	constexpr int16_t sem_op_1 = 25;
+	constexpr uint16_t sem_flg_1 = 26;
+
+	// Defaulted to 0
+
+	// After the first conversion we should have the storage
+	const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_FLOCK_E, 1, semid);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+
+	assert_single_conversion_success(conversion_result::CONVERSION_COMPLETED,
+	                                 create_safe_scap_event(ts,
+	                                                        tid,
+	                                                        PPME_SYSCALL_SEMOP_X,
+	                                                        8,
+	                                                        res,
+	                                                        nsops,
+	                                                        sem_num_0,
+	                                                        sem_op_0,
+	                                                        sem_flg_0,
+	                                                        sem_num_1,
+	                                                        sem_op_1,
+	                                                        sem_flg_1),
+	                                 create_safe_scap_event(ts,
+	                                                        tid,
+	                                                        PPME_SYSCALL_SEMOP_X,
+	                                                        9,
+	                                                        res,
+	                                                        nsops,
+	                                                        sem_num_0,
+	                                                        sem_op_0,
+	                                                        sem_flg_0,
+	                                                        sem_num_1,
+	                                                        sem_op_1,
+	                                                        sem_flg_1,
+	                                                        semid));
+}
+
 ////////////////////////////
 // FCHDIR
 ////////////////////////////
diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp
@@ -280,6 +280,10 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = {
          conversion_info()
                  .action(C_ACTION_ADD_PARAMS)
                  .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})},
+        /*====================== SEMOP ======================*/
+        {conversion_key{PPME_SYSCALL_SEMOP_E, 1}, conversion_info().action(C_ACTION_STORE)},
+        {conversion_key{PPME_SYSCALL_SEMOP_X, 8},
+         conversion_info().action(C_ACTION_ADD_PARAMS).instrs({{C_INSTR_FROM_ENTER, 0}})},
         /*====================== SETGID ======================*/
         {conversion_key{PPME_SYSCALL_SETGID_E, 1}, conversion_info().action(C_ACTION_STORE)},
         {conversion_key{PPME_SYSCALL_SETGID_X, 1},
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -102,7 +102,7 @@ struct scap_vtable;
 // and handle the result
 //
 #define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION(8, 0, 0)
-#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 38, 0)
+#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 39, 0)
 
 //
 // This is the dimension we used before introducing the variable buffer size.
diff --git a/userspace/libsinsp/test/parsers/parse_semop.cpp b/userspace/libsinsp/test/parsers/parse_semop.cpp
@@ -0,0 +1,63 @@
+
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2025 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sinsp_with_test_input.h>
+
+TEST_F(sinsp_with_test_input, SEMOP_parse) {
+	add_default_init_thread();
+	open_inspector();
+
+	constexpr int64_t return_value = 55;
+	constexpr uint32_t nsops = 20;
+	constexpr uint16_t sem_num_0 = 21;
+	constexpr int16_t sem_op_0 = 22;
+	constexpr uint16_t sem_flg_0 = 23;
+	constexpr uint16_t sem_num_1 = 24;
+	constexpr int16_t sem_op_1 = 25;
+	constexpr uint16_t sem_flg_1 = 26;
+	constexpr int32_t semid = 27;
+	const auto evt = add_event_advance_ts(increasing_ts(),
+	                                      INIT_TID,
+	                                      PPME_SYSCALL_SEMOP_X,
+	                                      9,
+	                                      return_value,
+	                                      nsops,
+	                                      sem_num_0,
+	                                      sem_op_0,
+	                                      sem_flg_0,
+	                                      sem_num_1,
+	                                      sem_op_1,
+	                                      sem_flg_1,
+	                                      semid);
+
+	// Check that the returned value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("res")->as<int64_t>(), return_value);
+	// Check that the nsops value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("nsops")->as<uint32_t>(), nsops);
+	// Check that the sem_num_0 value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("sem_num_0")->as<uint16_t>(), sem_num_0);
+	// Check that the sem_op_0 value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("sem_op_0")->as<int16_t>(), sem_op_0);
+	// Check that the sem_flg_0 value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("sem_flg_0")->as<uint16_t>(), sem_flg_0);
+	// Check that the sem_num_1 value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("sem_num_1")->as<uint16_t>(), sem_num_1);
+	// Check that the sem_op_1 value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("sem_op_1")->as<int16_t>(), sem_op_1);
+	// Check that the sem_flg_1 value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("sem_flg_1")->as<uint16_t>(), sem_flg_1);
+	// Check that the semid value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("semid")->as<int32_t>(), semid);
+}
diff --git a/userspace/libsinsp/test/scap_files/converter_tests.cpp b/userspace/libsinsp/test/scap_files/converter_tests.cpp
@@ -1232,6 +1232,14 @@ TEST_F(scap_file_test, setns_x_check_final_converted_event) {
 
 // We don't have scap-files with FLOCK events. Add it if we face a failure.
 
+////////////////////////////
+// SEMOP
+////////////////////////////
+
+// We don't have scap-files with SEMOP events (scap_2013 contains only PPME_GENERIC_* events
+// originated from unsupported semop events, but since they formally have another event type, we
+// cannot leverage them) . Add it if we face a failure.
+
 ////////////////////////////
 // FCHDIR
 ////////////////////////////
