From 6e693ebb059d3973cb388da894628e395ade2d1d Mon Sep 17 00:00:00 2001 From: Leonardo Di Giovanna Date: Thu, 11 Sep 2025 09:56:34 +0200 Subject: [PATCH 1/3] feat!: drop modern probe `sys_enter` and remaining syscall enter progs Drop modern probe `sys_enter` dispatcher, the syscall enter tail call table and remaining enter event programs (i.e. `generic_e` and `connect_e_raw_tp`) not generating events related to TOCTOU mitigation. This is motivated by the fact that, in the current implementation, enter events information are a subset of the one exported by exit events. As `PPME_GENERIC_E` and network enter events resulting from socketcall invocations are not generated anymore by the modern probe, skip `generic_e.cpp` and `socketcall_e.cpp` tests if the modern probe is used as engine. BREAKING CHANGE: drop non-TOCTOU syscall enter progs in modern probe Signed-off-by: Leonardo Di Giovanna --- driver/modern_bpf/helpers/base/stats.h | 3 - .../helpers/interfaces/syscalls_dispatcher.h | 27 - .../helpers/interfaces/toctou_mitigation.h | 31 +- .../helpers/store/auxmap_store_params.h | 3 +- .../helpers/store/ringbuf_store_params.h | 3 +- driver/modern_bpf/maps/maps.h | 12 - .../attached/dispatchers/syscall_enter.bpf.c | 94 ---- .../syscall_dispatched_events/connect.bpf.c | 35 -- .../syscall_dispatched_events/generic.bpf.c | 45 +- .../syscall_enter_suite/generic_e.cpp | 6 + .../syscall_enter_suite/socketcall_e.cpp | 28 + userspace/libpman/include/libpman.h | 24 +- userspace/libpman/src/events_prog_table.c | 486 ++++++------------ userspace/libpman/src/events_prog_table.h | 3 +- userspace/libpman/src/lifecycle.c | 54 +- userspace/libpman/src/maps.c | 45 +- userspace/libpman/src/programs.c | 23 - userspace/libpman/src/sc_set.c | 9 +- userspace/libpman/src/state.h | 2 +- userspace/libpman/src/stats.c | 4 +- 20 files changed, 275 insertions(+), 662 deletions(-) delete mode 100644 driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c diff --git a/driver/modern_bpf/helpers/base/stats.h b/driver/modern_bpf/helpers/base/stats.h index ed1482f247..9217fb5dd7 100644 --- a/driver/modern_bpf/helpers/base/stats.h +++ b/driver/modern_bpf/helpers/base/stats.h @@ -32,9 +32,6 @@ static __always_inline void compute_event_types_stats(uint16_t event_type, case PPME_SOCKET_CONNECT_E: counter->n_drops_buffer_connect_enter++; break; - case PPME_SYSCALL_BPF_2_E: - counter->n_drops_buffer_other_interest_enter++; - break; case PPME_PROCEXIT_1_E: counter->n_drops_buffer_proc_exit++; break; diff --git a/driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h b/driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h index 5d28be9ffa..44cb1989f9 100644 --- a/driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h +++ b/driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h @@ -13,33 +13,6 @@ #include #include -static __always_inline bool syscalls_dispatcher__sampling_logic_enter(uint32_t syscall_id) { - /* If dropping mode is not enabled we don't perform any sampling. Notice that: - * - false: means don't drop the syscall - * - true: means drop the syscall - */ - if(!maps__get_dropping_mode()) { - return false; - } - - uint8_t sampling_flag = maps__64bit_sampling_syscall_table(syscall_id); - - if(sampling_flag == UF_NEVER_DROP) { - return false; - } - - if(sampling_flag == UF_ALWAYS_DROP) { - return true; - } - - // If we are in the sampling period we drop the event. - if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) { - return true; - } - - return false; -} - static __always_inline bool syscalls_dispatcher__64bit_interesting_syscall(uint32_t syscall_id) { return maps__interesting_syscall_64bit(syscall_id); } diff --git a/driver/modern_bpf/helpers/interfaces/toctou_mitigation.h b/driver/modern_bpf/helpers/interfaces/toctou_mitigation.h index aa302c9df3..d4a7411441 100644 --- a/driver/modern_bpf/helpers/interfaces/toctou_mitigation.h +++ b/driver/modern_bpf/helpers/interfaces/toctou_mitigation.h @@ -11,6 +11,33 @@ #include #include +static __always_inline bool toctou_mitigation__sampling_logic_enter(uint32_t syscall_id) { + /* If dropping mode is not enabled we don't perform any sampling. Notice that: + * - false: means don't drop the syscall + * - true: means drop the syscall + */ + if(!maps__get_dropping_mode()) { + return false; + } + + uint8_t sampling_flag = maps__64bit_sampling_syscall_table(syscall_id); + + if(sampling_flag == UF_NEVER_DROP) { + return false; + } + + if(sampling_flag == UF_ALWAYS_DROP) { + return true; + } + + // If we are in the sampling period we drop the event. + if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) { + return true; + } + + return false; +} + /** * @brief Tell if the event related to the specified 64 bit system call should be droppped or not. * @@ -41,7 +68,7 @@ static __always_inline int toctou_mitigation__64bit_should_drop(uint32_t syscall return 1; } - if(syscalls_dispatcher__sampling_logic_enter(syscall_id)) { + if(toctou_mitigation__sampling_logic_enter(syscall_id)) { return 1; } @@ -86,7 +113,7 @@ static __always_inline int toctou_mitigation__ia32_should_drop(uint32_t syscall_ return 1; } - if(syscalls_dispatcher__sampling_logic_enter(syscall_id)) { + if(toctou_mitigation__sampling_logic_enter(syscall_id)) { return 1; } diff --git a/driver/modern_bpf/helpers/store/auxmap_store_params.h b/driver/modern_bpf/helpers/store/auxmap_store_params.h index e7441b13df..fcf9daa730 100644 --- a/driver/modern_bpf/helpers/store/auxmap_store_params.h +++ b/driver/modern_bpf/helpers/store/auxmap_store_params.h @@ -121,7 +121,8 @@ static __always_inline void auxmap__finalize_event_header(struct auxiliary_map * static __always_inline void auxmap__submit_event(struct auxiliary_map *auxmap) { struct ringbuf_map *rb = maps__get_ringbuf_map(); if(!rb) { - // this should never happen because we check it in sys_enter/sys_exit + /* This should never happen in tail-called exit programs because we check it in `sys_exit` + * dispatcher. It can happen in TOCTOU mitigation programs. */ bpf_printk("FAILURE: unable to obtain the ring buffer"); return; } diff --git a/driver/modern_bpf/helpers/store/ringbuf_store_params.h b/driver/modern_bpf/helpers/store/ringbuf_store_params.h index 135d2e9dfb..c07bb4fe7f 100644 --- a/driver/modern_bpf/helpers/store/ringbuf_store_params.h +++ b/driver/modern_bpf/helpers/store/ringbuf_store_params.h @@ -98,7 +98,8 @@ static __always_inline uint32_t ringbuf__reserve_space(struct ringbuf_struct *ri uint16_t event_type) { struct ringbuf_map *rb = maps__get_ringbuf_map(); if(!rb) { - // this should never happen because we check it in sys_enter/sys_exit + /* This should never happen in tail-called exit programs because we check it in `sys_exit` + * dispatcher. It can happen in TOCTOU mitigation programs. */ bpf_printk("FAILURE: unable to obtain the ring buffer"); return 0; } diff --git a/driver/modern_bpf/maps/maps.h b/driver/modern_bpf/maps/maps.h index 63a105d3b3..3ec27b8656 100644 --- a/driver/modern_bpf/maps/maps.h +++ b/driver/modern_bpf/maps/maps.h @@ -80,18 +80,6 @@ __weak void *socket_file_ops = NULL; /*=============================== BPF_MAP_TYPE_PROG_ARRAY ===============================*/ -/** - * @brief This tail table is used by the syscall_enter_disptacher. - * Given the syscall_id, it calls the right bpf program to manage - * the syscall enter event. - */ -struct { - __uint(type, BPF_MAP_TYPE_PROG_ARRAY); - __uint(max_entries, SYSCALL_TABLE_SIZE); - __type(key, uint32_t); - __type(value, uint32_t); -} syscall_enter_tail_table __weak SEC(".maps"); - /** * @brief This tail table is used by the syscall_exit_disptacher. * Given the syscall_id, it calls the right bpf program to manage diff --git a/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c b/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c deleted file mode 100644 index e06a93ac78..0000000000 --- a/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c +++ /dev/null @@ -1,94 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only OR MIT -/* - * Copyright (C) 2023 The Falco Authors. - * - * This file is dual licensed under either the MIT or GPL 2. See MIT.txt - * or GPL2.txt for full copies of the license. - */ - -#include - -/* From linux tree: /include/trace/events/syscall.h - * TP_PROTO(struct pt_regs *regs, long id), - */ -SEC("tp_btf/sys_enter") -int BPF_PROG(sys_enter, struct pt_regs* regs, long syscall_id) { - int socketcall_syscall_id = -1; - - if(bpf_in_ia32_syscall()) { -#if defined(__TARGET_ARCH_x86) - if(syscall_id == __NR_ia32_socketcall) { - socketcall_syscall_id = __NR_ia32_socketcall; - } else { - syscall_id = maps__ia32_to_64(syscall_id); - // syscalls defined only on 32 bits are dropped here. - if(syscall_id == (uint32_t)-1) { - return 0; - } - } -#else - return 0; -#endif - } else { -#ifdef __NR_socketcall - socketcall_syscall_id = __NR_socketcall; -#endif - } - - // We convert it here in this way the syscall will be treated exactly as the original one. - bool is_socketcall_connect = false; - if(syscall_id == socketcall_syscall_id) { - int socketcall_call = (int)extract__syscall_argument(regs, 0); - syscall_id = syscalls_dispatcher__convert_socketcall_call_to_syscall_id(socketcall_call); - if(syscall_id == -1) { - // We can't do anything since modern bpf filler jump table is syscall indexed - return 0; - } -#ifdef __NR_connect - if(syscall_id == __NR_connect) { - is_socketcall_connect = true; - } -#endif // __NR_connect - } - - if(!is_socketcall_connect) { - // The following system calls are already handled by TOCTOU mitigation programs and will not - // have an entry in the syscall enter tail table, so simply return early, avoiding wasting - // resources on any additional filtering logic. - switch(syscall_id) { -#ifdef __NR_connect - case __NR_connect: - return 0; -#endif // __NR_connect -#ifdef __NR_creat - case __NR_creat: - return 0; -#endif // __NR_creat -#ifdef __NR_open - case __NR_open: - return 0; -#endif // __NR_open -#ifdef __NR_openat - case __NR_openat: - return 0; -#endif // __NR_openat -#ifdef __NR_openat2 - case __NR_openat2: - return 0; -#endif // __NR_openat2 - default: - break; - } - } - - if(!syscalls_dispatcher__64bit_interesting_syscall(syscall_id)) { - return 0; - } - - if(syscalls_dispatcher__sampling_logic_enter(syscall_id)) { - return 0; - } - - bpf_tail_call(ctx, &syscall_enter_tail_table, syscall_id); - return 0; -} diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c index 17382c5815..0ccb156c2e 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c @@ -9,41 +9,6 @@ #include #include -/*=============================== ENTER EVENT ===========================*/ - -SEC("tp_btf/sys_enter") -int BPF_PROG(connect_e_raw_tp, struct pt_regs *regs, long id) { - struct auxiliary_map *auxmap = auxmap__get(); - if(!auxmap) { - return 0; - } - auxmap__preload_event_header(auxmap, PPME_SOCKET_CONNECT_E); - - /*=============================== COLLECT PARAMETERS ===========================*/ - - unsigned long args[3] = {0}; - extract__network_args(args, 3, regs); - - /* Parameter 1: fd (type: PT_FD) */ - int64_t socket_fd = (int64_t)(int32_t)args[0]; - auxmap__store_s64_param(auxmap, socket_fd); - - /* Parameter 2: addr (type: PT_SOCKADDR) */ - unsigned long usrsockaddr = args[1]; - uint16_t usrsockaddr_len = (uint16_t)args[2]; - auxmap__store_sockaddr_param(auxmap, usrsockaddr, usrsockaddr_len); - - /*=============================== COLLECT PARAMETERS ===========================*/ - - auxmap__finalize_event_header(auxmap); - - auxmap__submit_event(auxmap); - - return 0; -} - -/*=============================== ENTER EVENT ===========================*/ - /*=============================== EXIT EVENT ===========================*/ SEC("tp_btf/sys_exit") diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c index 94511047ee..455065a269 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c @@ -8,45 +8,6 @@ #include -/*=============================== ENTER EVENT ===========================*/ - -SEC("tp_btf/sys_enter") -int BPF_PROG(generic_e, struct pt_regs *regs, long id) { - struct ringbuf_struct ringbuf; - if(!ringbuf__reserve_space(&ringbuf, SYSCALL_E_SIZE, PPME_GENERIC_E)) { - return 0; - } - - ringbuf__store_event_header(&ringbuf); - - /*=============================== COLLECT PARAMETERS ===========================*/ - - // We are already in a tail-called filler. - // if we are in ia32 syscall sys_{enter,exit} already - // validated the converted 32bit->64bit syscall ID for us, - // otherwise the event would've been discarded. -#if defined(__TARGET_ARCH_x86) - if(bpf_in_ia32_syscall()) { - id = maps__ia32_to_64(id); - } -#endif - - /* Parameter 1: ID (type: PT_SYSCALLID) */ - /* This is the PPM_SC code obtained from the syscall id. */ - ringbuf__store_u16(&ringbuf, maps__get_ppm_sc(id)); - - /* Parameter 2: nativeID (type: PT_UINT16) */ - ringbuf__store_u16(&ringbuf, id); - - /*=============================== COLLECT PARAMETERS ===========================*/ - - ringbuf__submit_event(&ringbuf); - - return 0; -} - -/*=============================== ENTER EVENT ===========================*/ - /*=============================== EXIT EVENT ===========================*/ SEC("tp_btf/sys_exit") @@ -61,10 +22,8 @@ int BPF_PROG(generic_x, struct pt_regs *regs, long ret) { /*=============================== COLLECT PARAMETERS ===========================*/ uint32_t id = extract__syscall_id(regs); - // We are already in a tail-called filler. - // if we are in ia32 syscall sys_{enter,exit} already - // validated the converted 32bit->64bit syscall ID for us, - // otherwise the event would've been discarded. + // We are already in a tail-called filler. If we are in ia-32 syscall sys_exit already validated + // the converted 32bit->64bit syscall ID for us, otherwise the event would've been discarded. #if defined(__TARGET_ARCH_x86) if(bpf_in_ia32_syscall()) { id = maps__ia32_to_64(id); diff --git a/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp b/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp index e85b0e26e1..46a9d65c7b 100644 --- a/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp @@ -7,6 +7,12 @@ TEST(SyscallEnter, genericE) { */ auto evt_test = get_syscall_event_test(__NR_uname, ENTER_EVENT); + // TODO(ekoops): remove this test once we completely remove generic enter events detection in + // all 3 drivers. + if(evt_test->is_modern_bpf_engine()) { + GTEST_SKIP() << "Modern eBPF probe doesn't support anymore generic enter events detection"; + } + evt_test->enable_capture(); /*=============================== TRIGGER SYSCALL ===========================*/ diff --git a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp b/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp index fa7d4b7840..186d351528 100644 --- a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp @@ -10,6 +10,13 @@ TEST(SyscallEnter, socketcall_connectE) { auto evt_test = get_syscall_event_test(__NR_connect, ENTER_EVENT); + // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in + // all 3 drivers. + if(evt_test->is_modern_bpf_engine()) { + GTEST_SKIP() + << "Modern eBPF probe doesn't support anymore socketcall enter events detection"; + } + evt_test->enable_capture(); /*=============================== TRIGGER SYSCALL ===========================*/ @@ -57,6 +64,13 @@ TEST(SyscallEnter, socketcall_wrong_code_socketcall_interesting) { // We send a wrong code so the event will be dropped auto evt_test = get_syscall_event_test(__NR_socketcall, ENTER_EVENT); + // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in + // all 3 drivers. + if(evt_test->is_modern_bpf_engine()) { + GTEST_SKIP() + << "Modern eBPF probe doesn't support anymore socketcall enter events detection"; + } + evt_test->enable_capture(); /*=============================== TRIGGER SYSCALL ===========================*/ @@ -80,6 +94,13 @@ TEST(SyscallEnter, socketcall_wrong_code_socketcall_not_interesting) { // Same as the previous test auto evt_test = get_syscall_event_test(__NR_setsockopt, ENTER_EVENT); + // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in + // all 3 drivers. + if(evt_test->is_modern_bpf_engine()) { + GTEST_SKIP() + << "Modern eBPF probe doesn't support anymore socketcall enter events detection"; + } + evt_test->enable_capture(); /*=============================== TRIGGER SYSCALL ===========================*/ @@ -103,6 +124,13 @@ TEST(SyscallEnter, socketcall_null_pointer_and_wrong_code_socketcall_interesting // We send a wrong code so the event will be dropped auto evt_test = get_syscall_event_test(__NR_socketcall, ENTER_EVENT); + // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in + // all 3 drivers. + if(evt_test->is_modern_bpf_engine()) { + GTEST_SKIP() + << "Modern eBPF probe doesn't support anymore socketcall enter events detection"; + } + evt_test->enable_capture(); /*=============================== TRIGGER SYSCALL ===========================*/ diff --git a/userspace/libpman/include/libpman.h b/userspace/libpman/include/libpman.h index eb9fa42c8a..1c9290b624 100644 --- a/userspace/libpman/include/libpman.h +++ b/userspace/libpman/include/libpman.h @@ -138,20 +138,6 @@ int pman_attach_syscall_exit_dispatcher(void); */ int pman_detach_syscall_exit_dispatcher(void); -/** - * @brief Attach only the syscall_enter_dispatcher - * - * @return `0` on success, `errno` in case of error. - */ -int pman_attach_syscall_enter_dispatcher(void); - -/** - * @brief Detach only the syscall_enter_dispatcher - * - * @return `0` on success, `errno` in case of error. - */ -int pman_detach_syscall_enter_dispatcher(void); - /** * @brief Attach only the sched_process_exit tracepoint * @@ -488,14 +474,8 @@ uint64_t pman_get_probe_schema_ver(void); int pman_fill_syscall_exit_extra_tail_table(void); /** - * @brief The syscall dispatchers will look into these tables - * to understand which programs they have to call. We have 2 - * different tables one for syscall enter events and the other - * for syscall exit events: - * - * -> SYSCALL ENTER TAIL TABLE - * syscall_enter_tail_table(syscall_id, enter_program_fd). - * Returns the fd of the right bpf program to call. + * @brief The syscall exit dispatcher will look into this table + * to understand which programs it has to call: * * -> SYSCALL EXIT TAIL TABLE * syscall_exit_tail_table(syscall_id, exit_program_fd). diff --git a/userspace/libpman/src/events_prog_table.c b/userspace/libpman/src/events_prog_table.c index 4563b2a150..10b182b432 100644 --- a/userspace/libpman/src/events_prog_table.c +++ b/userspace/libpman/src/events_prog_table.c @@ -18,335 +18,169 @@ limitations under the License. #include "events_prog_table.h" /* - * For every event here we have the name of the corresponding bpf program. + * For every exit event here we have the name of the corresponding bpf program. * We can have multiple names in case we need to check the right program * that needs to be loaded, eg: because of different bpf features. */ -event_prog_t event_prog_table[PPM_EVENT_MAX][MAX_FEATURE_CHECKS] = { - [PPME_GENERIC_E] = {{false, "generic_e", 0}}, - [PPME_GENERIC_X] = {{false, "generic_x", 0}}, - [PPME_SYSCALL_GETCWD_E] = {{true, NULL}}, - [PPME_SYSCALL_GETCWD_X] = {{false, "getcwd_x", 0}}, - [PPME_SYSCALL_GETDENTS_E] = {{true, NULL}}, - [PPME_SYSCALL_GETDENTS_X] = {{false, "getdents_x", 0}}, - [PPME_SYSCALL_GETDENTS64_E] = {{true, NULL}}, - [PPME_SYSCALL_GETDENTS64_X] = {{false, "getdents64_x", 0}}, - [PPME_SYSCALL_EPOLLWAIT_E] = {{true, NULL}}, - [PPME_SYSCALL_EPOLLWAIT_X] = {{false, "epoll_wait_x", 0}}, - [PPME_SOCKET_GETPEERNAME_E] = {{true, NULL}}, - [PPME_SOCKET_GETPEERNAME_X] = {{false, "getpeername_x", 0}}, - [PPME_SOCKET_GETSOCKNAME_E] = {{true, NULL}}, - [PPME_SOCKET_GETSOCKNAME_X] = {{false, "getsockname_x", 0}}, - [PPME_SYSCALL_MKDIR_2_E] = {{true, NULL}}, - [PPME_SYSCALL_MKDIR_2_X] = {{false, "mkdir_x", 0}}, - [PPME_SYSCALL_MMAP_E] = {{true, NULL}}, - [PPME_SYSCALL_MMAP_X] = {{false, "mmap_x", 0}}, - [PPME_SYSCALL_MUNMAP_E] = {{true, NULL}}, - [PPME_SYSCALL_MUNMAP_X] = {{false, "munmap_x", 0}}, - [PPME_SYSCALL_OPEN_E] = {{true, NULL}}, - [PPME_SYSCALL_OPEN_X] = {{false, "open_x", 0}}, - [PPME_SYSCALL_OPENAT_2_E] = {{true, NULL}}, - [PPME_SYSCALL_OPENAT_2_X] = {{false, "openat_x", 0}}, - [PPME_SYSCALL_OPENAT2_E] = {{true, NULL}}, - [PPME_SYSCALL_OPENAT2_X] = {{false, "openat2_x", 0}}, - [PPME_SYSCALL_OPEN_BY_HANDLE_AT_E] = {{true, NULL}}, - [PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {{false, "open_by_handle_at_x", 0}}, - [PPME_SYSCALL_CLOSE_E] = {{true, NULL}}, - [PPME_SYSCALL_CLOSE_X] = {{false, "close_x", 0}}, - [PPME_SYSCALL_COPY_FILE_RANGE_E] = {{true, NULL}}, - [PPME_SYSCALL_COPY_FILE_RANGE_X] = {{false, "copy_file_range_x", 0}}, - [PPME_SYSCALL_CREAT_E] = {{true, NULL}}, - [PPME_SYSCALL_CREAT_X] = {{false, "creat_x", 0}}, - [PPME_SYSCALL_DUP_1_E] = {{true, NULL}}, - [PPME_SYSCALL_DUP_1_X] = {{false, "dup_x", 0}}, - [PPME_SYSCALL_DUP2_E] = {{true, NULL}}, - [PPME_SYSCALL_DUP2_X] = {{false, "dup2_x", 0}}, - [PPME_SYSCALL_DUP3_E] = {{true, NULL}}, - [PPME_SYSCALL_DUP3_X] = {{false, "dup3_x", 0}}, - [PPME_SYSCALL_CHDIR_E] = {{true, NULL}}, - [PPME_SYSCALL_CHDIR_X] = {{false, "chdir_x", 0}}, - [PPME_SYSCALL_CHMOD_E] = {{true, NULL}}, - [PPME_SYSCALL_CHMOD_X] = {{false, "chmod_x", 0}}, - [PPME_SYSCALL_CHROOT_E] = {{true, NULL}}, - [PPME_SYSCALL_CHROOT_X] = {{false, "chroot_x", 0}}, - [PPME_SYSCALL_FCHDIR_E] = {{true, NULL}}, - [PPME_SYSCALL_FCHDIR_X] = {{false, "fchdir_x", 0}}, - [PPME_SYSCALL_FCHMOD_E] = {{true, NULL}}, - [PPME_SYSCALL_FCHMOD_X] = {{false, "fchmod_x", 0}}, - [PPME_SYSCALL_FCHMODAT_E] = {{true, NULL}}, - [PPME_SYSCALL_FCHMODAT_X] = {{false, "fchmodat_x", 0}}, - [PPME_SYSCALL_MKDIRAT_E] = {{true, NULL}}, - [PPME_SYSCALL_MKDIRAT_X] = {{false, "mkdirat_x", 0}}, - [PPME_SYSCALL_RMDIR_2_E] = {{true, NULL}}, - [PPME_SYSCALL_RMDIR_2_X] = {{false, "rmdir_x", 0}}, - [PPME_SYSCALL_EVENTFD_E] = {{true, NULL}}, - [PPME_SYSCALL_EVENTFD_X] = {{false, "eventfd_x", 0}}, - [PPME_SYSCALL_INOTIFY_INIT_E] = {{true, NULL}}, - [PPME_SYSCALL_INOTIFY_INIT_X] = {{false, "inotify_init_x", 0}}, - [PPME_SYSCALL_TIMERFD_CREATE_E] = {{true, NULL}}, - [PPME_SYSCALL_TIMERFD_CREATE_X] = {{false, "timerfd_create_x", 0}}, - [PPME_SYSCALL_USERFAULTFD_E] = {{true, NULL}}, - [PPME_SYSCALL_USERFAULTFD_X] = {{false, "userfaultfd_x", 0}}, - [PPME_SYSCALL_SIGNALFD_E] = {{true, NULL}}, - [PPME_SYSCALL_SIGNALFD_X] = {{false, "signalfd_x", 0}}, - [PPME_SYSCALL_KILL_E] = {{true, NULL}}, - [PPME_SYSCALL_KILL_X] = {{false, "kill_x", 0}}, - [PPME_SYSCALL_TGKILL_E] = {{true, NULL}}, - [PPME_SYSCALL_TGKILL_X] = {{false, "tgkill_x", 0}}, - [PPME_SYSCALL_TKILL_E] = {{true, NULL}}, - [PPME_SYSCALL_TKILL_X] = {{false, "tkill_x", 0}}, - [PPME_SYSCALL_SECCOMP_E] = {{true, NULL}}, - [PPME_SYSCALL_SECCOMP_X] = {{false, "seccomp_x", 0}}, - [PPME_SYSCALL_PTRACE_E] = {{true, NULL}}, - [PPME_SYSCALL_PTRACE_X] = {{false, "ptrace_x", 0}}, - [PPME_SYSCALL_CAPSET_E] = {{true, NULL}}, - [PPME_SYSCALL_CAPSET_X] = {{false, "capset_x", 0}}, - [PPME_SOCKET_SOCKET_E] = {{true, NULL}}, - [PPME_SOCKET_SOCKET_X] = {{false, "socket_x", 0}}, - [PPME_SOCKET_CONNECT_E] = {{false, "connect_e_raw_tp", 0}}, - [PPME_SOCKET_CONNECT_X] = {{false, "connect_x", 0}}, - [PPME_SOCKET_SOCKETPAIR_E] = {{true, NULL}}, - [PPME_SOCKET_SOCKETPAIR_X] = {{false, "socketpair_x", 0}}, - [PPME_SOCKET_ACCEPT_5_E] = {{true, NULL}}, - [PPME_SOCKET_ACCEPT_5_X] = {{false, "accept_x", 0}}, - [PPME_SOCKET_BIND_E] = {{true, NULL}}, - [PPME_SOCKET_BIND_X] = {{false, "bind_x", 0}}, - [PPME_SOCKET_LISTEN_E] = {{true, NULL}}, - [PPME_SOCKET_LISTEN_X] = {{false, "listen_x", 0}}, - [PPME_SYSCALL_EXECVE_19_E] = {{true, NULL}}, - [PPME_SYSCALL_EXECVE_19_X] = {{false, "execve_x", 0}}, - [PPME_SYSCALL_EXECVEAT_E] = {{true, NULL}}, - [PPME_SYSCALL_EXECVEAT_X] = {{false, "execveat_x", 0}}, - [PPME_SYSCALL_CLONE_20_E] = {{true, NULL}}, - [PPME_SYSCALL_CLONE_20_X] = {{false, "clone_x", 0}}, - [PPME_SYSCALL_CLONE3_E] = {{true, NULL}}, - [PPME_SYSCALL_CLONE3_X] = {{false, "clone3_x", 0}}, - [PPME_SYSCALL_FORK_20_E] = {{true, NULL}}, - [PPME_SYSCALL_FORK_20_X] = {{false, "fork_x", 0}}, - [PPME_SYSCALL_VFORK_20_E] = {{true, NULL}}, - [PPME_SYSCALL_VFORK_20_X] = {{false, "vfork_x", 0}}, - [PPME_SYSCALL_RENAME_E] = {{true, NULL}}, - [PPME_SYSCALL_RENAME_X] = {{false, "rename_x", 0}}, - [PPME_SYSCALL_RENAMEAT_E] = {{true, NULL}}, - [PPME_SYSCALL_RENAMEAT_X] = {{false, "renameat_x", 0}}, - [PPME_SYSCALL_RENAMEAT2_E] = {{true, NULL}}, - [PPME_SYSCALL_RENAMEAT2_X] = {{false, "renameat2_x", 0}}, - [PPME_SYSCALL_PIPE_E] = {{true, NULL}}, - [PPME_SYSCALL_PIPE_X] = {{false, "pipe_x", 0}}, - [PPME_SYSCALL_READV_E] = {{true, NULL}}, - [PPME_SYSCALL_READV_X] = {{false, "readv_x", 0}}, - [PPME_SYSCALL_PREADV_E] = {{true, NULL}}, - [PPME_SYSCALL_PREADV_X] = {{false, "preadv_x", 0}}, - [PPME_SYSCALL_PREAD_E] = {{true, NULL}}, - [PPME_SYSCALL_PREAD_X] = {{false, "pread64_x", 0}}, - [PPME_SYSCALL_BPF_2_E] = {{true, NULL}}, - [PPME_SYSCALL_BPF_2_X] = {{false, "bpf_x", 0}}, - [PPME_SYSCALL_FLOCK_E] = {{true, NULL}}, - [PPME_SYSCALL_FLOCK_X] = {{false, "flock_x", 0}}, - [PPME_SYSCALL_IOCTL_3_E] = {{true, NULL}}, - [PPME_SYSCALL_IOCTL_3_X] = {{false, "ioctl_x", 0}}, - [PPME_SYSCALL_QUOTACTL_E] = {{true, NULL}}, - [PPME_SYSCALL_QUOTACTL_X] = {{false, "quotactl_x", 0}}, - [PPME_SYSCALL_UNSHARE_E] = {{true, NULL}}, - [PPME_SYSCALL_UNSHARE_X] = {{false, "unshare_x", 0}}, - [PPME_SYSCALL_MOUNT_E] = {{true, NULL}}, - [PPME_SYSCALL_MOUNT_X] = {{false, "mount_x", 0}}, - [PPME_SYSCALL_UMOUNT2_E] = {{true, NULL}}, - [PPME_SYSCALL_UMOUNT2_X] = {{false, "umount2_x", 0}}, - [PPME_SYSCALL_LINK_2_E] = {{true, NULL}}, - [PPME_SYSCALL_LINK_2_X] = {{false, "link_x", 0}}, - [PPME_SYSCALL_LINKAT_2_E] = {{true, NULL}}, - [PPME_SYSCALL_LINKAT_2_X] = {{false, "linkat_x", 0}}, - [PPME_SYSCALL_SYMLINK_E] = {{true, NULL}}, - [PPME_SYSCALL_SYMLINK_X] = {{false, "symlink_x", 0}}, - [PPME_SYSCALL_SYMLINKAT_E] = {{true, NULL}}, - [PPME_SYSCALL_SYMLINKAT_X] = {{false, "symlinkat_x", 0}}, - [PPME_SYSCALL_UNLINK_2_E] = {{true, NULL}}, - [PPME_SYSCALL_UNLINK_2_X] = {{false, "unlink_x", 0}}, - [PPME_SYSCALL_UNLINKAT_2_E] = {{true, NULL}}, - [PPME_SYSCALL_UNLINKAT_2_X] = {{false, "unlinkat_x", 0}}, - [PPME_SYSCALL_SETGID_E] = {{true, NULL}}, - [PPME_SYSCALL_SETGID_X] = {{false, "setgid_x", 0}}, - [PPME_SYSCALL_SETUID_E] = {{true, NULL}}, - [PPME_SYSCALL_SETUID_X] = {{false, "setuid_x", 0}}, - [PPME_SYSCALL_SETNS_E] = {{true, NULL}}, - [PPME_SYSCALL_SETNS_X] = {{false, "setns_x", 0}}, - [PPME_SYSCALL_SETPGID_E] = {{true, NULL}}, - [PPME_SYSCALL_SETPGID_X] = {{false, "setpgid_x", 0}}, - [PPME_SYSCALL_SETRESGID_E] = {{true, NULL}}, - [PPME_SYSCALL_SETRESGID_X] = {{false, "setresgid_x", 0}}, - [PPME_SYSCALL_SETRESUID_E] = {{true, NULL}}, - [PPME_SYSCALL_SETRESUID_X] = {{false, "setresuid_x", 0}}, - [PPME_SYSCALL_SETSID_E] = {{true, NULL}}, - [PPME_SYSCALL_SETSID_X] = {{false, "setsid_x", 0}}, - [PPME_SYSCALL_SETRLIMIT_E] = {{true, NULL}}, - [PPME_SYSCALL_SETRLIMIT_X] = {{false, "setrlimit_x", 0}}, - [PPME_SYSCALL_PRLIMIT_E] = {{true, NULL}}, - [PPME_SYSCALL_PRLIMIT_X] = {{false, "prlimit64_x", 0}}, - [PPME_SOCKET_SETSOCKOPT_E] = {{true, NULL}}, - [PPME_SOCKET_SETSOCKOPT_X] = {{false, "setsockopt_x", 0}}, - [PPME_SOCKET_SENDMSG_E] = {{true, NULL}}, - [PPME_SOCKET_SENDMSG_X] = {{false, "sendmsg_x", 0}}, - [PPME_SOCKET_SENDTO_E] = {{true, NULL}}, - [PPME_SOCKET_SENDTO_X] = {{false, "sendto_x", 0}}, - [PPME_SOCKET_RECVMSG_E] = {{true, NULL}}, - [PPME_SOCKET_RECVMSG_X] = {{false, "recvmsg_x", 0}}, - [PPME_SOCKET_RECVFROM_E] = {{true, NULL}}, - [PPME_SOCKET_RECVFROM_X] = {{false, "recvfrom_x", 0}}, - [PPME_SYSCALL_FCNTL_E] = {{true, NULL}}, - [PPME_SYSCALL_FCNTL_X] = {{false, "fcntl_x", 0}}, - [PPME_SOCKET_SHUTDOWN_E] = {{true, NULL}}, - [PPME_SOCKET_SHUTDOWN_X] = {{false, "shutdown_x", 0}}, - [PPME_SYSCALL_FSCONFIG_E] = {{true, NULL}}, - [PPME_SYSCALL_FSCONFIG_X] = {{false, "fsconfig_x", 0}}, - [PPME_SYSCALL_EPOLL_CREATE_E] = {{true, NULL}}, - [PPME_SYSCALL_EPOLL_CREATE_X] = {{false, "epoll_create_x", 0}}, - [PPME_SYSCALL_EPOLL_CREATE1_E] = {{true, NULL}}, - [PPME_SYSCALL_EPOLL_CREATE1_X] = {{false, "epoll_create1_x", 0}}, - [PPME_SYSCALL_ACCESS_E] = {{true, NULL}}, - [PPME_SYSCALL_ACCESS_X] = {{false, "access_x", 0}}, - [PPME_SOCKET_GETSOCKOPT_E] = {{true, NULL}}, - [PPME_SOCKET_GETSOCKOPT_X] = {{false, "getsockopt_x", 0}}, - [PPME_SYSCALL_MPROTECT_E] = {{true, NULL}}, - [PPME_SYSCALL_MPROTECT_X] = {{false, "mprotect_x", 0}}, - [PPME_SYSCALL_GETUID_E] = {{true, NULL}}, - [PPME_SYSCALL_GETUID_X] = {{false, "getuid_x", 0}}, - [PPME_SYSCALL_GETGID_E] = {{true, NULL}}, - [PPME_SYSCALL_GETGID_X] = {{false, "getgid_x", 0}}, - [PPME_SYSCALL_GETEUID_E] = {{true, NULL}}, - [PPME_SYSCALL_GETEUID_X] = {{false, "geteuid_x", 0}}, - [PPME_SYSCALL_GETEGID_E] = {{true, NULL}}, - [PPME_SYSCALL_GETEGID_X] = {{false, "getegid_x", 0}}, - [PPME_SYSCALL_MLOCK_E] = {{true, NULL}}, - [PPME_SYSCALL_MLOCK_X] = {{false, "mlock_x", 0}}, - [PPME_SYSCALL_MLOCK2_E] = {{true, NULL}}, - [PPME_SYSCALL_MLOCK2_X] = {{false, "mlock2_x", 0}}, - [PPME_SYSCALL_MUNLOCK_E] = {{true, NULL}}, - [PPME_SYSCALL_MUNLOCK_X] = {{false, "munlock_x", 0}}, - [PPME_SYSCALL_MLOCKALL_E] = {{true, NULL}}, - [PPME_SYSCALL_MLOCKALL_X] = {{false, "mlockall_x", 0}}, - [PPME_SYSCALL_MUNLOCKALL_E] = {{true, NULL}}, - [PPME_SYSCALL_MUNLOCKALL_X] = {{false, "munlockall_x", 0}}, - [PPME_SYSCALL_READ_E] = {{true, NULL}}, - [PPME_SYSCALL_READ_X] = {{false, "read_x", 0}}, - [PPME_SYSCALL_IO_URING_ENTER_E] = {{true, NULL}}, - [PPME_SYSCALL_IO_URING_ENTER_X] = {{false, "io_uring_enter_x", 0}}, - [PPME_SYSCALL_IO_URING_REGISTER_E] = {{true, NULL}}, - [PPME_SYSCALL_IO_URING_REGISTER_X] = {{false, "io_uring_register_x", 0}}, - [PPME_SYSCALL_IO_URING_SETUP_E] = {{true, NULL}}, - [PPME_SYSCALL_IO_URING_SETUP_X] = {{false, "io_uring_setup_x", 0}}, - [PPME_SYSCALL_POLL_E] = {{true, NULL}}, - [PPME_SYSCALL_POLL_X] = {{false, "poll_x", 0}}, - [PPME_SYSCALL_PPOLL_E] = {{true, NULL}}, - [PPME_SYSCALL_PPOLL_X] = {{false, "ppoll_x", 0}}, - [PPME_SYSCALL_MMAP2_E] = {{true, NULL}}, - [PPME_SYSCALL_MMAP2_X] = {{false, "mmap2_x", 0}}, - [PPME_SYSCALL_SEMGET_E] = {{true, NULL}}, - [PPME_SYSCALL_SEMGET_X] = {{false, "semget_x", 0}}, - [PPME_SYSCALL_SEMCTL_E] = {{true, NULL}}, - [PPME_SYSCALL_SEMCTL_X] = {{false, "semctl_x", 0}}, - [PPME_SYSCALL_SELECT_E] = {{true, NULL}}, - [PPME_SYSCALL_SELECT_X] = {{false, "select_x", 0}}, - [PPME_SYSCALL_SPLICE_E] = {{true, NULL}}, - [PPME_SYSCALL_SPLICE_X] = {{false, "splice_x", 0}}, - [PPME_SOCKET_RECVMMSG_E] = {{true, NULL}}, - [PPME_SOCKET_RECVMMSG_X] = {{false, "recvmmsg_x", BPF_FUNC_loop}, - {false, "recvmmsg_old_x", 0}}, - [PPME_SOCKET_SENDMMSG_E] = {{true, NULL}}, - [PPME_SOCKET_SENDMMSG_X] = {{false, "sendmmsg_x", BPF_FUNC_loop}, - {false, "sendmmsg_old_x", 0}}, - [PPME_SYSCALL_SEMOP_E] = {{true, NULL}}, - [PPME_SYSCALL_SEMOP_X] = {{false, "semop_x", 0}}, - [PPME_SYSCALL_GETRESUID_E] = {{true, NULL}}, - [PPME_SYSCALL_GETRESUID_X] = {{false, "getresuid_x", 0}}, - [PPME_SYSCALL_SENDFILE_E] = {{true, NULL}}, - [PPME_SYSCALL_SENDFILE_X] = {{false, "sendfile_x", 0}}, - [PPME_SYSCALL_FUTEX_E] = {{true, NULL}}, - [PPME_SYSCALL_FUTEX_X] = {{false, "futex_x", 0}}, - [PPME_SYSCALL_STAT_E] = {{true, NULL}}, - [PPME_SYSCALL_STAT_X] = {{false, "stat_x", 0}}, - [PPME_SYSCALL_LSTAT_E] = {{true, NULL}}, - [PPME_SYSCALL_LSTAT_X] = {{false, "lstat_x", 0}}, - [PPME_SYSCALL_FSTAT_E] = {{true, NULL}}, - [PPME_SYSCALL_FSTAT_X] = {{false, "fstat_x", 0}}, - [PPME_SYSCALL_LSEEK_E] = {{true, NULL}}, - [PPME_SYSCALL_LSEEK_X] = {{false, "lseek_x", 0}}, - [PPME_SYSCALL_LLSEEK_E] = {{true, NULL}}, - [PPME_SYSCALL_LLSEEK_X] = {{false, "llseek_x", 0}}, - [PPME_SYSCALL_WRITE_E] = {{true, NULL}}, - [PPME_SYSCALL_WRITE_X] = {{false, "write_x", 0}}, - [PPME_SYSCALL_WRITEV_E] = {{true, NULL}}, - [PPME_SYSCALL_WRITEV_X] = {{false, "writev_x", 0}}, - [PPME_SYSCALL_PWRITEV_E] = {{true, NULL}}, - [PPME_SYSCALL_PWRITEV_X] = {{false, "pwritev_x", 0}}, - [PPME_SYSCALL_PWRITE_E] = {{true, NULL}}, - [PPME_SYSCALL_PWRITE_X] = {{false, "pwrite64_x", 0}}, - [PPME_SYSCALL_GETRESGID_E] = {{true, NULL}}, - [PPME_SYSCALL_GETRESGID_X] = {{false, "getresgid_x", 0}}, - [PPME_SYSCALL_CHOWN_E] = {{true, NULL}}, - [PPME_SYSCALL_CHOWN_X] = {{false, "chown_x", 0}}, - [PPME_SYSCALL_LCHOWN_E] = {{true, NULL}}, - [PPME_SYSCALL_LCHOWN_X] = {{false, "lchown_x", 0}}, - [PPME_SYSCALL_FCHOWN_E] = {{true, NULL}}, - [PPME_SYSCALL_FCHOWN_X] = {{false, "fchown_x", 0}}, - [PPME_SYSCALL_FCHOWNAT_E] = {{true, NULL}}, - [PPME_SYSCALL_FCHOWNAT_X] = {{false, "fchownat_x", 0}}, - [PPME_SYSCALL_BRK_4_E] = {{true, NULL}}, - [PPME_SYSCALL_BRK_4_X] = {{false, "brk_x", 0}}, - [PPME_SYSCALL_GETRLIMIT_E] = {{true, NULL}}, - [PPME_SYSCALL_GETRLIMIT_X] = {{false, "getrlimit_x", 0}}, - [PPME_SOCKET_SEND_E] = {{true, NULL}}, - [PPME_SOCKET_SEND_X] = {{false, "send_x", 0}}, - [PPME_SOCKET_RECV_E] = {{true, NULL}}, - [PPME_SOCKET_RECV_X] = {{false, "recv_x", 0}}, - [PPME_SYSCALL_NANOSLEEP_E] = {{true, NULL}}, - [PPME_SYSCALL_NANOSLEEP_X] = {{false, "nanosleep_x", 0}}, - [PPME_SYSCALL_UMOUNT_1_E] = {{true, NULL}}, - [PPME_SYSCALL_UMOUNT_1_X] = {{false, "umount_x", 0}}, - [PPME_SOCKET_ACCEPT4_6_E] = {{true, NULL}}, - [PPME_SOCKET_ACCEPT4_6_X] = {{false, "accept4_x", 0}}, - [PPME_SYSCALL_PIPE2_E] = {{true, NULL}}, - [PPME_SYSCALL_PIPE2_X] = {{false, "pipe2_x", 0}}, - [PPME_SYSCALL_INOTIFY_INIT1_E] = {{true, NULL}}, - [PPME_SYSCALL_INOTIFY_INIT1_X] = {{false, "inotify_init1_x", 0}}, - [PPME_SYSCALL_EVENTFD2_E] = {{true, NULL}}, - [PPME_SYSCALL_EVENTFD2_X] = {{false, "eventfd2_x", 0}}, - [PPME_SYSCALL_SIGNALFD4_E] = {{true, NULL}}, - [PPME_SYSCALL_SIGNALFD4_X] = {{false, "signalfd4_x", 0}}, - [PPME_SYSCALL_PRCTL_E] = {{true, NULL}}, - [PPME_SYSCALL_PRCTL_X] = {{false, "prctl_x", 0}}, - [PPME_SYSCALL_MEMFD_CREATE_E] = {{true, NULL}}, - [PPME_SYSCALL_MEMFD_CREATE_X] = {{false, "memfd_create_x", 0}}, - [PPME_SYSCALL_PIDFD_GETFD_E] = {{true, NULL}}, - [PPME_SYSCALL_PIDFD_GETFD_X] = {{false, "pidfd_getfd_x", 0}}, - [PPME_SYSCALL_PIDFD_OPEN_E] = {{true, NULL}}, - [PPME_SYSCALL_PIDFD_OPEN_X] = {{false, "pidfd_open_x", 0}}, - [PPME_SYSCALL_INIT_MODULE_E] = {{true, NULL}}, - [PPME_SYSCALL_INIT_MODULE_X] = {{false, "init_module_x", 0}}, - [PPME_SYSCALL_FINIT_MODULE_E] = {{true, NULL}}, - [PPME_SYSCALL_FINIT_MODULE_X] = {{false, "finit_module_x", 0}}, - [PPME_SYSCALL_MKNOD_E] = {{true, NULL}}, - [PPME_SYSCALL_MKNOD_X] = {{false, "mknod_x", 0}}, - [PPME_SYSCALL_MKNODAT_E] = {{true, NULL}}, - [PPME_SYSCALL_MKNODAT_X] = {{false, "mknodat_x", 0}}, - [PPME_SYSCALL_NEWFSTATAT_E] = {{true, NULL}}, - [PPME_SYSCALL_NEWFSTATAT_X] = {{false, "newfstatat_x", 0}}, - [PPME_SYSCALL_PROCESS_VM_READV_E] = {{true, NULL}}, - [PPME_SYSCALL_PROCESS_VM_READV_X] = {{false, "process_vm_readv_x", 0}}, - [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = {{true, NULL}}, - [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {{false, "process_vm_writev_x", 0}}, - [PPME_SYSCALL_DELETE_MODULE_E] = {{true, NULL}}, - [PPME_SYSCALL_DELETE_MODULE_X] = {{false, "delete_module_x", 0}}, - [PPME_SYSCALL_SETREUID_E] = {{true, NULL}}, - [PPME_SYSCALL_SETREUID_X] = {{false, "setreuid_x", 0}}, - [PPME_SYSCALL_SETREGID_E] = {{true, NULL}}, - [PPME_SYSCALL_SETREGID_X] = {{false, "setregid_x", 0}}, - // TODO(ekoops): remove the following entries once the sys_enter dispatcher is dropped. - // The following entries are added in order to avoid the common generic_e enter event - // handler to be used as a fallback for the corresponding event types. - [PPME_SYSCALL_STAT64_E] = {{true, NULL}}, - [PPME_SYSCALL_LSTAT64_E] = {{true, NULL}}, - [PPME_SYSCALL_FSTAT64_E] = {{true, NULL}}, +event_prog_t exit_event_progs_table[PPM_EVENT_MAX][MAX_FEATURE_CHECKS] = { + [PPME_GENERIC_X] = {{"generic_x", 0}}, + [PPME_SYSCALL_GETCWD_X] = {{"getcwd_x", 0}}, + [PPME_SYSCALL_GETDENTS_X] = {{"getdents_x", 0}}, + [PPME_SYSCALL_GETDENTS64_X] = {{"getdents64_x", 0}}, + [PPME_SYSCALL_EPOLLWAIT_X] = {{"epoll_wait_x", 0}}, + [PPME_SOCKET_GETPEERNAME_X] = {{"getpeername_x", 0}}, + [PPME_SOCKET_GETSOCKNAME_X] = {{"getsockname_x", 0}}, + [PPME_SYSCALL_MKDIR_2_X] = {{"mkdir_x", 0}}, + [PPME_SYSCALL_MMAP_X] = {{"mmap_x", 0}}, + [PPME_SYSCALL_MUNMAP_X] = {{"munmap_x", 0}}, + [PPME_SYSCALL_OPEN_X] = {{"open_x", 0}}, + [PPME_SYSCALL_OPENAT_2_X] = {{"openat_x", 0}}, + [PPME_SYSCALL_OPENAT2_X] = {{"openat2_x", 0}}, + [PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {{"open_by_handle_at_x", 0}}, + [PPME_SYSCALL_CLOSE_X] = {{"close_x", 0}}, + [PPME_SYSCALL_COPY_FILE_RANGE_X] = {{"copy_file_range_x", 0}}, + [PPME_SYSCALL_CREAT_X] = {{"creat_x", 0}}, + [PPME_SYSCALL_DUP_1_X] = {{"dup_x", 0}}, + [PPME_SYSCALL_DUP2_X] = {{"dup2_x", 0}}, + [PPME_SYSCALL_DUP3_X] = {{"dup3_x", 0}}, + [PPME_SYSCALL_CHDIR_X] = {{"chdir_x", 0}}, + [PPME_SYSCALL_CHMOD_X] = {{"chmod_x", 0}}, + [PPME_SYSCALL_CHROOT_X] = {{"chroot_x", 0}}, + [PPME_SYSCALL_FCHDIR_X] = {{"fchdir_x", 0}}, + [PPME_SYSCALL_FCHMOD_X] = {{"fchmod_x", 0}}, + [PPME_SYSCALL_FCHMODAT_X] = {{"fchmodat_x", 0}}, + [PPME_SYSCALL_MKDIRAT_X] = {{"mkdirat_x", 0}}, + [PPME_SYSCALL_RMDIR_2_X] = {{"rmdir_x", 0}}, + [PPME_SYSCALL_EVENTFD_X] = {{"eventfd_x", 0}}, + [PPME_SYSCALL_INOTIFY_INIT_X] = {{"inotify_init_x", 0}}, + [PPME_SYSCALL_TIMERFD_CREATE_X] = {{"timerfd_create_x", 0}}, + [PPME_SYSCALL_USERFAULTFD_X] = {{"userfaultfd_x", 0}}, + [PPME_SYSCALL_SIGNALFD_X] = {{"signalfd_x", 0}}, + [PPME_SYSCALL_KILL_X] = {{"kill_x", 0}}, + [PPME_SYSCALL_TGKILL_X] = {{"tgkill_x", 0}}, + [PPME_SYSCALL_TKILL_X] = {{"tkill_x", 0}}, + [PPME_SYSCALL_SECCOMP_X] = {{"seccomp_x", 0}}, + [PPME_SYSCALL_PTRACE_X] = {{"ptrace_x", 0}}, + [PPME_SYSCALL_CAPSET_X] = {{"capset_x", 0}}, + [PPME_SOCKET_SOCKET_X] = {{"socket_x", 0}}, + [PPME_SOCKET_CONNECT_X] = {{"connect_x", 0}}, + [PPME_SOCKET_SOCKETPAIR_X] = {{"socketpair_x", 0}}, + [PPME_SOCKET_ACCEPT_5_X] = {{"accept_x", 0}}, + [PPME_SOCKET_BIND_X] = {{"bind_x", 0}}, + [PPME_SOCKET_LISTEN_X] = {{"listen_x", 0}}, + [PPME_SYSCALL_EXECVE_19_X] = {{"execve_x", 0}}, + [PPME_SYSCALL_EXECVEAT_X] = {{"execveat_x", 0}}, + [PPME_SYSCALL_CLONE_20_X] = {{"clone_x", 0}}, + [PPME_SYSCALL_CLONE3_X] = {{"clone3_x", 0}}, + [PPME_SYSCALL_FORK_20_X] = {{"fork_x", 0}}, + [PPME_SYSCALL_VFORK_20_X] = {{"vfork_x", 0}}, + [PPME_SYSCALL_RENAME_X] = {{"rename_x", 0}}, + [PPME_SYSCALL_RENAMEAT_X] = {{"renameat_x", 0}}, + [PPME_SYSCALL_RENAMEAT2_X] = {{"renameat2_x", 0}}, + [PPME_SYSCALL_PIPE_X] = {{"pipe_x", 0}}, + [PPME_SYSCALL_READV_X] = {{"readv_x", 0}}, + [PPME_SYSCALL_PREADV_X] = {{"preadv_x", 0}}, + [PPME_SYSCALL_PREAD_X] = {{"pread64_x", 0}}, + [PPME_SYSCALL_BPF_2_X] = {{"bpf_x", 0}}, + [PPME_SYSCALL_FLOCK_X] = {{"flock_x", 0}}, + [PPME_SYSCALL_IOCTL_3_X] = {{"ioctl_x", 0}}, + [PPME_SYSCALL_QUOTACTL_X] = {{"quotactl_x", 0}}, + [PPME_SYSCALL_UNSHARE_X] = {{"unshare_x", 0}}, + [PPME_SYSCALL_MOUNT_X] = {{"mount_x", 0}}, + [PPME_SYSCALL_UMOUNT2_X] = {{"umount2_x", 0}}, + [PPME_SYSCALL_LINK_2_X] = {{"link_x", 0}}, + [PPME_SYSCALL_LINKAT_2_X] = {{"linkat_x", 0}}, + [PPME_SYSCALL_SYMLINK_X] = {{"symlink_x", 0}}, + [PPME_SYSCALL_SYMLINKAT_X] = {{"symlinkat_x", 0}}, + [PPME_SYSCALL_UNLINK_2_X] = {{"unlink_x", 0}}, + [PPME_SYSCALL_UNLINKAT_2_X] = {{"unlinkat_x", 0}}, + [PPME_SYSCALL_SETGID_X] = {{"setgid_x", 0}}, + [PPME_SYSCALL_SETUID_X] = {{"setuid_x", 0}}, + [PPME_SYSCALL_SETNS_X] = {{"setns_x", 0}}, + [PPME_SYSCALL_SETPGID_X] = {{"setpgid_x", 0}}, + [PPME_SYSCALL_SETRESGID_X] = {{"setresgid_x", 0}}, + [PPME_SYSCALL_SETRESUID_X] = {{"setresuid_x", 0}}, + [PPME_SYSCALL_SETSID_X] = {{"setsid_x", 0}}, + [PPME_SYSCALL_SETRLIMIT_X] = {{"setrlimit_x", 0}}, + [PPME_SYSCALL_PRLIMIT_X] = {{"prlimit64_x", 0}}, + [PPME_SOCKET_SETSOCKOPT_X] = {{"setsockopt_x", 0}}, + [PPME_SOCKET_SENDMSG_X] = {{"sendmsg_x", 0}}, + [PPME_SOCKET_SENDTO_X] = {{"sendto_x", 0}}, + [PPME_SOCKET_RECVMSG_X] = {{"recvmsg_x", 0}}, + [PPME_SOCKET_RECVFROM_X] = {{"recvfrom_x", 0}}, + [PPME_SYSCALL_FCNTL_X] = {{"fcntl_x", 0}}, + [PPME_SOCKET_SHUTDOWN_X] = {{"shutdown_x", 0}}, + [PPME_SYSCALL_FSCONFIG_X] = {{"fsconfig_x", 0}}, + [PPME_SYSCALL_EPOLL_CREATE_X] = {{"epoll_create_x", 0}}, + [PPME_SYSCALL_EPOLL_CREATE1_X] = {{"epoll_create1_x", 0}}, + [PPME_SYSCALL_ACCESS_X] = {{"access_x", 0}}, + [PPME_SOCKET_GETSOCKOPT_X] = {{"getsockopt_x", 0}}, + [PPME_SYSCALL_MPROTECT_X] = {{"mprotect_x", 0}}, + [PPME_SYSCALL_GETUID_X] = {{"getuid_x", 0}}, + [PPME_SYSCALL_GETGID_X] = {{"getgid_x", 0}}, + [PPME_SYSCALL_GETEUID_X] = {{"geteuid_x", 0}}, + [PPME_SYSCALL_GETEGID_X] = {{"getegid_x", 0}}, + [PPME_SYSCALL_MLOCK_X] = {{"mlock_x", 0}}, + [PPME_SYSCALL_MLOCK2_X] = {{"mlock2_x", 0}}, + [PPME_SYSCALL_MUNLOCK_X] = {{"munlock_x", 0}}, + [PPME_SYSCALL_MLOCKALL_X] = {{"mlockall_x", 0}}, + [PPME_SYSCALL_MUNLOCKALL_X] = {{"munlockall_x", 0}}, + [PPME_SYSCALL_READ_X] = {{"read_x", 0}}, + [PPME_SYSCALL_IO_URING_ENTER_X] = {{"io_uring_enter_x", 0}}, + [PPME_SYSCALL_IO_URING_REGISTER_X] = {{"io_uring_register_x", 0}}, + [PPME_SYSCALL_IO_URING_SETUP_X] = {{"io_uring_setup_x", 0}}, + [PPME_SYSCALL_POLL_X] = {{"poll_x", 0}}, + [PPME_SYSCALL_PPOLL_X] = {{"ppoll_x", 0}}, + [PPME_SYSCALL_MMAP2_X] = {{"mmap2_x", 0}}, + [PPME_SYSCALL_SEMGET_X] = {{"semget_x", 0}}, + [PPME_SYSCALL_SEMCTL_X] = {{"semctl_x", 0}}, + [PPME_SYSCALL_SELECT_X] = {{"select_x", 0}}, + [PPME_SYSCALL_SPLICE_X] = {{"splice_x", 0}}, + [PPME_SOCKET_RECVMMSG_X] = {{"recvmmsg_x", BPF_FUNC_loop}, {"recvmmsg_old_x", 0}}, + [PPME_SOCKET_SENDMMSG_X] = {{"sendmmsg_x", BPF_FUNC_loop}, {"sendmmsg_old_x", 0}}, + [PPME_SYSCALL_SEMOP_X] = {{"semop_x", 0}}, + [PPME_SYSCALL_GETRESUID_X] = {{"getresuid_x", 0}}, + [PPME_SYSCALL_SENDFILE_X] = {{"sendfile_x", 0}}, + [PPME_SYSCALL_FUTEX_X] = {{"futex_x", 0}}, + [PPME_SYSCALL_STAT_X] = {{"stat_x", 0}}, + [PPME_SYSCALL_LSTAT_X] = {{"lstat_x", 0}}, + [PPME_SYSCALL_FSTAT_X] = {{"fstat_x", 0}}, + [PPME_SYSCALL_LSEEK_X] = {{"lseek_x", 0}}, + [PPME_SYSCALL_LLSEEK_X] = {{"llseek_x", 0}}, + [PPME_SYSCALL_WRITE_X] = {{"write_x", 0}}, + [PPME_SYSCALL_WRITEV_X] = {{"writev_x", 0}}, + [PPME_SYSCALL_PWRITEV_X] = {{"pwritev_x", 0}}, + [PPME_SYSCALL_PWRITE_X] = {{"pwrite64_x", 0}}, + [PPME_SYSCALL_GETRESGID_X] = {{"getresgid_x", 0}}, + [PPME_SYSCALL_CHOWN_X] = {{"chown_x", 0}}, + [PPME_SYSCALL_LCHOWN_X] = {{"lchown_x", 0}}, + [PPME_SYSCALL_FCHOWN_X] = {{"fchown_x", 0}}, + [PPME_SYSCALL_FCHOWNAT_X] = {{"fchownat_x", 0}}, + [PPME_SYSCALL_BRK_4_X] = {{"brk_x", 0}}, + [PPME_SYSCALL_GETRLIMIT_X] = {{"getrlimit_x", 0}}, + [PPME_SOCKET_SEND_X] = {{"send_x", 0}}, + [PPME_SOCKET_RECV_X] = {{"recv_x", 0}}, + [PPME_SYSCALL_NANOSLEEP_X] = {{"nanosleep_x", 0}}, + [PPME_SYSCALL_UMOUNT_1_X] = {{"umount_x", 0}}, + [PPME_SOCKET_ACCEPT4_6_X] = {{"accept4_x", 0}}, + [PPME_SYSCALL_PIPE2_X] = {{"pipe2_x", 0}}, + [PPME_SYSCALL_INOTIFY_INIT1_X] = {{"inotify_init1_x", 0}}, + [PPME_SYSCALL_EVENTFD2_X] = {{"eventfd2_x", 0}}, + [PPME_SYSCALL_SIGNALFD4_X] = {{"signalfd4_x", 0}}, + [PPME_SYSCALL_PRCTL_X] = {{"prctl_x", 0}}, + [PPME_SYSCALL_MEMFD_CREATE_X] = {{"memfd_create_x", 0}}, + [PPME_SYSCALL_PIDFD_GETFD_X] = {{"pidfd_getfd_x", 0}}, + [PPME_SYSCALL_PIDFD_OPEN_X] = {{"pidfd_open_x", 0}}, + [PPME_SYSCALL_INIT_MODULE_X] = {{"init_module_x", 0}}, + [PPME_SYSCALL_FINIT_MODULE_X] = {{"finit_module_x", 0}}, + [PPME_SYSCALL_MKNOD_X] = {{"mknod_x", 0}}, + [PPME_SYSCALL_MKNODAT_X] = {{"mknodat_x", 0}}, + [PPME_SYSCALL_NEWFSTATAT_X] = {{"newfstatat_x", 0}}, + [PPME_SYSCALL_PROCESS_VM_READV_X] = {{"process_vm_readv_x", 0}}, + [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {{"process_vm_writev_x", 0}}, + [PPME_SYSCALL_DELETE_MODULE_X] = {{"delete_module_x", 0}}, + [PPME_SYSCALL_SETREUID_X] = {{"setreuid_x", 0}}, + [PPME_SYSCALL_SETREGID_X] = {{"setregid_x", 0}}, }; ttm_progs_t ttm_progs_table[TTM_MAX] = { diff --git a/userspace/libpman/src/events_prog_table.h b/userspace/libpman/src/events_prog_table.h index c34c1d67b4..675989fbbf 100644 --- a/userspace/libpman/src/events_prog_table.h +++ b/userspace/libpman/src/events_prog_table.h @@ -23,7 +23,6 @@ limitations under the License. #include typedef struct { - bool disabled; /* TODO(ekoops): remove this once we remove the sys_enter dispatcher. */ char *name; enum bpf_func_id feat; } event_prog_t; @@ -32,7 +31,7 @@ typedef struct { #define MAX_FEATURE_CHECKS 3 // Defined in events_prog_table.c -extern event_prog_t event_prog_table[PPM_EVENT_MAX][MAX_FEATURE_CHECKS]; +extern event_prog_t exit_event_progs_table[PPM_EVENT_MAX][MAX_FEATURE_CHECKS]; // 64-bit system call TOCTOU mitigation program info. typedef struct { diff --git a/userspace/libpman/src/lifecycle.c b/userspace/libpman/src/lifecycle.c index 9b04a0d10e..095faf4bb0 100644 --- a/userspace/libpman/src/lifecycle.c +++ b/userspace/libpman/src/lifecycle.c @@ -49,7 +49,12 @@ int pman_prepare_progs_before_loading() { */ errno = 0; for(int ev = 0; ev < PPM_EVENT_MAX; ev++) { - event_prog_t *progs = event_prog_table[ev]; + // We dropped the support for programs generating enter events, except for the ones managing + // TOCTOU mitigation (handled separately below). + if(PPME_IS_ENTER(ev)) { + continue; + } + event_prog_t *progs = exit_event_progs_table[ev]; int idx, chosen_idx = -1; for(idx = 0; idx < MAX_FEATURE_CHECKS && progs[idx].name != NULL; idx++) { bool should_disable = chosen_idx != -1; @@ -160,40 +165,39 @@ static int bpf_prog_fd_or_default(const struct bpf_program *prog) { } static void pman_save_attached_progs() { - g_state.attached_progs_fds[0] = bpf_program__fd(g_state.skel->progs.sys_enter); - g_state.attached_progs_fds[1] = bpf_program__fd(g_state.skel->progs.sys_exit); - g_state.attached_progs_fds[2] = bpf_program__fd(g_state.skel->progs.sched_proc_exit); - g_state.attached_progs_fds[3] = bpf_program__fd(g_state.skel->progs.sched_switch); + g_state.attached_progs_fds[0] = bpf_program__fd(g_state.skel->progs.sys_exit); + g_state.attached_progs_fds[1] = bpf_program__fd(g_state.skel->progs.sched_proc_exit); + g_state.attached_progs_fds[2] = bpf_program__fd(g_state.skel->progs.sched_switch); #ifdef CAPTURE_SCHED_PROC_EXEC - g_state.attached_progs_fds[4] = bpf_program__fd(g_state.skel->progs.sched_p_exec); + g_state.attached_progs_fds[3] = bpf_program__fd(g_state.skel->progs.sched_p_exec); #endif #ifdef CAPTURE_SCHED_PROC_FORK - g_state.attached_progs_fds[5] = bpf_program__fd(g_state.skel->progs.sched_p_fork); + g_state.attached_progs_fds[4] = bpf_program__fd(g_state.skel->progs.sched_p_fork); #endif #ifdef CAPTURE_PAGE_FAULTS - g_state.attached_progs_fds[6] = bpf_program__fd(g_state.skel->progs.pf_user); - g_state.attached_progs_fds[7] = bpf_program__fd(g_state.skel->progs.pf_kernel); + g_state.attached_progs_fds[5] = bpf_program__fd(g_state.skel->progs.pf_user); + g_state.attached_progs_fds[6] = bpf_program__fd(g_state.skel->progs.pf_kernel); #endif - g_state.attached_progs_fds[8] = bpf_program__fd(g_state.skel->progs.signal_deliver); - g_state.attached_progs_fds[9] = bpf_program__fd(g_state.skel->progs.connect_e); - g_state.attached_progs_fds[10] = + g_state.attached_progs_fds[7] = bpf_program__fd(g_state.skel->progs.signal_deliver); + g_state.attached_progs_fds[8] = bpf_program__fd(g_state.skel->progs.connect_e); + g_state.attached_progs_fds[9] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_compat_connect_e); - g_state.attached_progs_fds[11] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_connect_e); - g_state.attached_progs_fds[12] = bpf_program__fd(g_state.skel->progs.creat_e); - g_state.attached_progs_fds[13] = + g_state.attached_progs_fds[10] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_connect_e); + g_state.attached_progs_fds[11] = bpf_program__fd(g_state.skel->progs.creat_e); + g_state.attached_progs_fds[12] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_compat_creat_e); - g_state.attached_progs_fds[14] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_creat_e); - g_state.attached_progs_fds[15] = bpf_program__fd(g_state.skel->progs.open_e); - g_state.attached_progs_fds[16] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_compat_open_e); - g_state.attached_progs_fds[17] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_open_e); - g_state.attached_progs_fds[18] = bpf_program__fd(g_state.skel->progs.openat_e); - g_state.attached_progs_fds[19] = + g_state.attached_progs_fds[13] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_creat_e); + g_state.attached_progs_fds[14] = bpf_program__fd(g_state.skel->progs.open_e); + g_state.attached_progs_fds[15] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_compat_open_e); + g_state.attached_progs_fds[16] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_open_e); + g_state.attached_progs_fds[17] = bpf_program__fd(g_state.skel->progs.openat_e); + g_state.attached_progs_fds[18] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_compat_openat_e); - g_state.attached_progs_fds[20] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_openat_e); - g_state.attached_progs_fds[21] = bpf_program__fd(g_state.skel->progs.openat2_e); - g_state.attached_progs_fds[22] = + g_state.attached_progs_fds[19] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_openat_e); + g_state.attached_progs_fds[20] = bpf_program__fd(g_state.skel->progs.openat2_e); + g_state.attached_progs_fds[21] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_compat_openat2_e); - g_state.attached_progs_fds[23] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_openat2_e); + g_state.attached_progs_fds[22] = bpf_prog_fd_or_default(g_state.skel->progs.ia32_openat2_e); } int pman_load_probe() { diff --git a/userspace/libpman/src/maps.c b/userspace/libpman/src/maps.c index ab3372c858..ca2e59f0ad 100644 --- a/userspace/libpman/src/maps.c +++ b/userspace/libpman/src/maps.c @@ -278,13 +278,6 @@ static int add_bpf_program_to_tail_table(int tail_table_fd, const char* bpf_prog } int pman_fill_syscalls_tail_table() { - const int syscall_enter_tail_table_fd = - bpf_map__fd(g_state.skel->maps.syscall_enter_tail_table); - if(syscall_enter_tail_table_fd <= 0) { - pman_print_error("unable to get the syscall enter tail table"); - return errno; - } - const int syscall_exit_tail_table_fd = bpf_map__fd(g_state.skel->maps.syscall_exit_tail_table); if(syscall_exit_tail_table_fd <= 0) { pman_print_error("unable to get the syscall exit tail table"); @@ -293,7 +286,6 @@ int pman_fill_syscalls_tail_table() { for(int syscall_id = 0; syscall_id < SYSCALL_TABLE_SIZE; syscall_id++) { /* Get event type from `g_syscall_table` */ - int enter_event_type = g_syscall_table[syscall_id].enter_event_type; int exit_event_type = g_syscall_table[syscall_id].exit_event_type; /* If the syscall is generic, the exit_event would be `0`, so @@ -306,41 +298,24 @@ int pman_fill_syscalls_tail_table() { exit_event_type = PPME_GENERIC_X; } - /* At the end of the work, we should always have a corresponding bpf program for every - * event (except for enter events generated by TOCTOU mitigation programs, which we - * explicitly check in the below code). Until we miss some syscalls, this is not true so we - * manage these cases as generic events. We need to remove this workaround when all syscalls - * will be implemented. + /* At the end of the work, we should always have a corresponding bpf tail-called program for + * every exit event. Until we miss some syscalls, this is not true so we manage these cases + * as generic events. We need to remove this workaround when all syscalls will be + * implemented. */ - if(!event_prog_table[enter_event_type]->disabled) { - const event_prog_t* enter_prog = - (const event_prog_t*)&event_prog_table[enter_event_type]; - if(enter_prog->name == NULL) { - enter_prog = (const event_prog_t*)&event_prog_table[PPME_GENERIC_E]; - } - - if(add_bpf_program_to_tail_table(syscall_enter_tail_table_fd, - enter_prog->name, - syscall_id)) { - goto clean_fill_syscalls_tail_table; - } - } - - const event_prog_t* exit_prog = (const event_prog_t*)&event_prog_table[exit_event_type]; + const event_prog_t* exit_prog = + (const event_prog_t*)&exit_event_progs_table[exit_event_type]; if(exit_prog->name == NULL) { - exit_prog = (const event_prog_t*)&event_prog_table[PPME_GENERIC_X]; + exit_prog = (const event_prog_t*)&exit_event_progs_table[PPME_GENERIC_X]; } if(add_bpf_program_to_tail_table(syscall_exit_tail_table_fd, exit_prog->name, syscall_id)) { - goto clean_fill_syscalls_tail_table; + const int last_errno = errno; + close(syscall_exit_tail_table_fd); + return last_errno; } } return 0; - -clean_fill_syscalls_tail_table: - close(syscall_enter_tail_table_fd); - close(syscall_exit_tail_table_fd); - return errno; } int pman_fill_syscall_exit_extra_tail_table() { diff --git a/userspace/libpman/src/programs.c b/userspace/libpman/src/programs.c index a116e27c56..3dacf62db1 100644 --- a/userspace/libpman/src/programs.c +++ b/userspace/libpman/src/programs.c @@ -26,20 +26,6 @@ limitations under the License. /*=============================== ATTACH PROGRAMS ===============================*/ -int pman_attach_syscall_enter_dispatcher() { - /* The program is already attached. */ - if(g_state.skel->links.sys_enter != NULL) { - return 0; - } - - g_state.skel->links.sys_enter = bpf_program__attach(g_state.skel->progs.sys_enter); - if(!g_state.skel->links.sys_enter) { - pman_print_error("failed to attach the 'sys_enter' program"); - return errno; - } - return 0; -} - int pman_attach_syscall_exit_dispatcher() { /* The program is already attached. */ if(g_state.skel->links.sys_exit != NULL) { @@ -269,15 +255,6 @@ int pman_attach_openat2_toctou_mitigation_progs() { /*=============================== DETACH PROGRAMS ===============================*/ -int pman_detach_syscall_enter_dispatcher() { - if(g_state.skel->links.sys_enter && bpf_link__destroy(g_state.skel->links.sys_enter)) { - pman_print_error("failed to detach the 'sys_enter' program"); - return errno; - } - g_state.skel->links.sys_enter = NULL; - return 0; -} - int pman_detach_syscall_exit_dispatcher() { if(g_state.skel->links.sys_exit && bpf_link__destroy(g_state.skel->links.sys_exit)) { pman_print_error("failed to detach the 'sys_exit' program"); diff --git a/userspace/libpman/src/sc_set.c b/userspace/libpman/src/sc_set.c index df51d7b1f4..261a359c42 100644 --- a/userspace/libpman/src/sc_set.c +++ b/userspace/libpman/src/sc_set.c @@ -52,7 +52,6 @@ int pman_enforce_sc_set(bool *sc_set) { } /* Special tracepoints, their attachment depends on interesting syscalls */ - bool sys_enter = false; bool sys_exit = false; bool sched_prog_fork = false; bool sched_prog_exec = false; @@ -77,7 +76,6 @@ int pman_enforce_sc_set(bool *sc_set) { if(!sc_set[sc]) { ret = ret ?: pman_mark_single_64bit_syscall(syscall_id, false); } else { - sys_enter = true; sys_exit = true; ret = ret ?: pman_mark_single_64bit_syscall(syscall_id, true); } @@ -158,12 +156,7 @@ int pman_enforce_sc_set(bool *sc_set) { else ret = ret ?: pman_detach_openat_toctou_mitigation_progs(); - /* sys_enter and sys_exit dispatchers section. */ - if(sys_enter) - ret = ret ?: pman_attach_syscall_enter_dispatcher(); - else - ret = ret ?: pman_detach_syscall_enter_dispatcher(); - + /* sys_exit dispatcher section. */ if(sys_exit) ret = ret ?: pman_attach_syscall_exit_dispatcher(); else diff --git a/userspace/libpman/src/state.h b/userspace/libpman/src/state.h index eb03ea7076..6f0918e702 100644 --- a/userspace/libpman/src/state.h +++ b/userspace/libpman/src/state.h @@ -31,7 +31,7 @@ limitations under the License. /* Pay attention this need to be bumped every time we add a new bpf program that is directly * attached into the kernel */ -#define MODERN_BPF_PROG_ATTACHED_MAX 24 +#define MODERN_BPF_PROG_ATTACHED_MAX 23 #define BPF_LOG_BIG_BUF_SIZE \ (UINT32_MAX >> 8) /* Recommended log buffer size, taken from libbpf. Used for verifier logs */ diff --git a/userspace/libpman/src/stats.c b/userspace/libpman/src/stats.c index 2355511840..519fbc1d20 100644 --- a/userspace/libpman/src/stats.c +++ b/userspace/libpman/src/stats.c @@ -276,8 +276,8 @@ struct metrics_v2 *pman_get_metrics_v2(uint32_t flags, uint32_t *nstats, int32_t /* At the time of writing (Apr 2, 2023) libbpf stats are only available on a per program * granularity. This means we cannot measure the statistics for each filler/tail-call * individually. Hopefully someone upstreams such capabilities to libbpf one day :) Meanwhile, - * we can simulate perf comparisons between future LSM hooks and sys enter and exit tracepoints - * via leveraging syscall selection mechanisms `handle->curr_sc_set`. + * we can simulate perf comparisons between future LSM hooks and tracepoints by leveraging + * syscall selection mechanisms `handle->curr_sc_set`. */ if((flags & METRICS_V2_LIBBPF_STATS)) { int fd = 0; From eb1e8989219cdfb224a1f09c61f485b1e68ab401 Mon Sep 17 00:00:00 2001 From: Leonardo Di Giovanna Date: Thu, 11 Sep 2025 14:19:42 +0200 Subject: [PATCH 2/3] feat(driver)!: use `syscall_enter` probe only for TOCTOU mitigation In kmod probe, update `syscall_enter` probe to only allow execution of fillers related to TOCTOU mitigation, disabling the generation of any other enter event. This is motivated by the fact that, for all other enter events, the corresponding exit events already contain the same kind of information. Contextually, update the fillers table by removing any filler information related to enter events, excluding (1) the entries related to TOCTOU mitigation and (2) the `PPME_GENERIC_E` entry (as it still used by legacy bpf probe code). Finally, remove any `PPME_GENERIC_E` event related code and skip `generic_e.cpp` and `socketcall_e` tests when run while using the kmod engine. BREAKING CHANGE: update fillers table and drop non-TOCTOU syscall enter fillers in kmod probe Signed-off-by: Leonardo Di Giovanna --- driver/fillers_table.c | 167 +----------------- driver/main.c | 86 +++++---- driver/ppm_events_public.h | 1 - driver/ppm_fillers.c | 8 - .../syscall_enter_suite/generic_e.cpp | 3 +- .../syscall_enter_suite/socketcall_e.cpp | 16 +- 6 files changed, 62 insertions(+), 219 deletions(-) diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 40b3bee103..b4dc3f2874 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -15,376 +15,217 @@ or GPL2.txt for full copies of the license. #endif /* __KERNEL__ */ #if defined(__KERNEL__) -#define FILLER_REF(x) f_##x, 0, PPM_FILLER_##x +#define FILLER_REF(x) f_##x, PPM_FILLER_##x #else -#define FILLER_REF(x) 0, 0, PPM_FILLER_##x +#define FILLER_REF(x) 0, PPM_FILLER_##x #endif /* __KERNEL__ */ -/* TODO(ekoops): remove this once we remove the sys_enter dispatcher. */ -#define FILLER_DISABLED 0, 1, 0 - #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wmissing-field-initializers" const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { + // TODO(ekoops): remove `PPME_GENERIC_E` entry once we limit legacy bpf probe sys_enter + // dispatcher for TOCTOU mitigation. [PPME_GENERIC_E] = {FILLER_REF(sys_generic)}, [PPME_GENERIC_X] = {FILLER_REF(sys_generic)}, [PPME_SYSCALL_OPEN_E] = {FILLER_REF(sys_open_e)}, [PPME_SYSCALL_OPEN_X] = {FILLER_REF(sys_open_x)}, - [PPME_SYSCALL_CLOSE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_CLOSE_X] = {FILLER_REF(sys_close_x)}, - [PPME_SYSCALL_READ_E] = {FILLER_DISABLED}, [PPME_SYSCALL_READ_X] = {FILLER_REF(sys_read_x)}, - [PPME_SYSCALL_WRITE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_WRITE_X] = {FILLER_REF(sys_write_x)}, [PPME_PROCEXIT_1_E] = {FILLER_REF(sys_procexit_e)}, - [PPME_SOCKET_SOCKET_E] = {FILLER_DISABLED}, [PPME_SOCKET_SOCKET_X] = {FILLER_REF(sys_socket_x)}, - [PPME_SOCKET_BIND_E] = {FILLER_DISABLED}, [PPME_SOCKET_BIND_X] = {FILLER_REF(sys_socket_bind_x)}, [PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_connect_e)}, [PPME_SOCKET_CONNECT_X] = {FILLER_REF(sys_connect_x)}, - [PPME_SOCKET_LISTEN_E] = {FILLER_DISABLED}, [PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_listen_x)}, - [PPME_SOCKET_SEND_E] = {FILLER_DISABLED}, [PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)}, - [PPME_SOCKET_SENDTO_E] = {FILLER_DISABLED}, [PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_sendto_x)}, - [PPME_SOCKET_RECV_E] = {FILLER_DISABLED}, [PPME_SOCKET_RECV_X] = {FILLER_REF(sys_recv_x)}, - [PPME_SOCKET_RECVFROM_E] = {FILLER_DISABLED}, [PPME_SOCKET_RECVFROM_X] = {FILLER_REF(sys_recvfrom_x)}, - [PPME_SOCKET_SHUTDOWN_E] = {FILLER_DISABLED}, [PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_shutdown_x)}, - [PPME_SOCKET_GETSOCKNAME_E] = {FILLER_DISABLED}, [PPME_SOCKET_GETSOCKNAME_X] = {FILLER_REF(sys_empty)}, - [PPME_SOCKET_GETPEERNAME_E] = {FILLER_DISABLED}, [PPME_SOCKET_GETPEERNAME_X] = {FILLER_REF(sys_empty)}, - [PPME_SOCKET_SOCKETPAIR_E] = {FILLER_DISABLED}, [PPME_SOCKET_SOCKETPAIR_X] = {FILLER_REF(sys_socketpair_x)}, - [PPME_SOCKET_SETSOCKOPT_E] = {FILLER_DISABLED}, [PPME_SOCKET_SETSOCKOPT_X] = {FILLER_REF(sys_setsockopt_x)}, - [PPME_SOCKET_GETSOCKOPT_E] = {FILLER_DISABLED}, [PPME_SOCKET_GETSOCKOPT_X] = {FILLER_REF(sys_getsockopt_x)}, - [PPME_SOCKET_SENDMSG_E] = {FILLER_DISABLED}, [PPME_SOCKET_SENDMSG_X] = {FILLER_REF(sys_sendmsg_x)}, - [PPME_SOCKET_SENDMMSG_E] = {FILLER_DISABLED}, [PPME_SOCKET_SENDMMSG_X] = {FILLER_REF(sys_sendmmsg_x)}, - [PPME_SOCKET_RECVMSG_E] = {FILLER_DISABLED}, [PPME_SOCKET_RECVMSG_X] = {FILLER_REF(sys_recvmsg_x)}, - [PPME_SOCKET_RECVMMSG_E] = {FILLER_DISABLED}, [PPME_SOCKET_RECVMMSG_X] = {FILLER_REF(sys_recvmmsg_x)}, [PPME_SYSCALL_CREAT_E] = {FILLER_REF(sys_creat_e)}, [PPME_SYSCALL_CREAT_X] = {FILLER_REF(sys_creat_x)}, - [PPME_SYSCALL_PIPE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PIPE_X] = {FILLER_REF(sys_pipe_x)}, - [PPME_SYSCALL_EVENTFD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_eventfd_x)}, - [PPME_SYSCALL_FUTEX_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_futex_x)}, - [PPME_SYSCALL_STAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_STAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, - [PPME_SYSCALL_LSTAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_LSTAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, - [PPME_SYSCALL_FSTAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_fstat_x)}, - [PPME_SYSCALL_STAT64_E] = {FILLER_DISABLED}, [PPME_SYSCALL_STAT64_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, - [PPME_SYSCALL_LSTAT64_E] = {FILLER_DISABLED}, [PPME_SYSCALL_LSTAT64_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, - [PPME_SYSCALL_FSTAT64_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FSTAT64_X] = {FILLER_REF(sys_single_x)}, - [PPME_SYSCALL_EPOLLWAIT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_epoll_wait_x)}, - [PPME_SYSCALL_POLL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_POLL_X] = {FILLER_REF(sys_poll_x)}, - [PPME_SYSCALL_SELECT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SELECT_X] = {FILLER_REF(sys_single_x)}, - [PPME_SYSCALL_NEWSELECT_E] = {FILLER_REF(sys_empty)}, [PPME_SYSCALL_NEWSELECT_X] = {FILLER_REF(sys_single_x)}, - [PPME_SYSCALL_LSEEK_E] = {FILLER_DISABLED}, [PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_lseek_x)}, - [PPME_SYSCALL_LLSEEK_E] = {FILLER_DISABLED}, [PPME_SYSCALL_LLSEEK_X] = {FILLER_REF(sys_single_x)}, - [PPME_SYSCALL_GETCWD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETCWD_X] = {FILLER_REF(sys_getcwd_x)}, - [PPME_SYSCALL_CHDIR_E] = {FILLER_DISABLED}, [PPME_SYSCALL_CHDIR_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, - [PPME_SYSCALL_FCHDIR_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FCHDIR_X] = {FILLER_REF(sys_fchdir_x)}, - [PPME_SYSCALL_UNLINK_E] = {FILLER_DISABLED}, [PPME_SYSCALL_UNLINK_X] = {FILLER_REF(sys_single_x)}, - [PPME_SYSCALL_UNLINKAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_UNLINKAT_X] = {FILLER_REF(sys_single_x)}, - [PPME_SYSCALL_PREAD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PREAD_X] = {FILLER_REF(sys_pread64_x)}, - [PPME_SYSCALL_PWRITE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_pwrite64_x)}, - [PPME_SYSCALL_READV_E] = {FILLER_DISABLED}, [PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_x)}, - [PPME_SYSCALL_WRITEV_E] = {FILLER_DISABLED}, [PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_x)}, - [PPME_SYSCALL_PREADV_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_preadv_x)}, - [PPME_SYSCALL_PWRITEV_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_pwritev_x)}, - [PPME_SYSCALL_DUP_1_E] = {FILLER_DISABLED}, [PPME_SYSCALL_DUP_1_X] = {FILLER_REF(sys_dup_x)}, - [PPME_SYSCALL_DUP2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_DUP2_X] = {FILLER_REF(sys_dup2_x)}, - [PPME_SYSCALL_DUP3_E] = {FILLER_DISABLED}, [PPME_SYSCALL_DUP3_X] = {FILLER_REF(sys_dup3_x)}, - [PPME_SYSCALL_SIGNALFD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_signalfd_x)}, - [PPME_SYSCALL_KILL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_kill_x)}, - [PPME_SYSCALL_TKILL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_tkill_x)}, - [PPME_SYSCALL_TGKILL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_tgkill_x)}, - [PPME_SYSCALL_NANOSLEEP_E] = {FILLER_DISABLED}, [PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_nanosleep_x)}, - [PPME_SYSCALL_TIMERFD_CREATE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_timerfd_create_x)}, - [PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_inotify_init_x)}, - [PPME_SYSCALL_GETRLIMIT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_x)}, - [PPME_SYSCALL_SETRLIMIT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETRLIMIT_X] = {FILLER_REF(sys_setrlimit_x)}, - [PPME_SYSCALL_PRLIMIT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PRLIMIT_X] = {FILLER_REF(sys_prlimit_x)}, [PPME_DROP_E] = {FILLER_REF(sched_drop)}, [PPME_DROP_X] = {FILLER_REF(sched_drop)}, - [PPME_SYSCALL_FCNTL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FCNTL_X] = {FILLER_REF(sys_fcntl_x)}, #ifdef CAPTURE_CONTEXT_SWITCHES [PPME_SCHEDSWITCH_6_E] = {FILLER_REF(sched_switch_e)}, #endif - [PPME_SYSCALL_BRK_4_E] = {FILLER_DISABLED}, [PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_x)}, - [PPME_SYSCALL_MMAP_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_mmap_x)}, - [PPME_SYSCALL_MMAP2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_mmap2_x)}, - [PPME_SYSCALL_MUNMAP_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_munmap_x)}, - [PPME_SYSCALL_SPLICE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_splice_x)}, - [PPME_SYSCALL_PTRACE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PTRACE_X] = {FILLER_REF(sys_ptrace_x)}, - [PPME_SYSCALL_IOCTL_3_E] = {FILLER_DISABLED}, [PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_ioctl_x)}, - [PPME_SYSCALL_RENAME_E] = {FILLER_DISABLED}, [PPME_SYSCALL_RENAME_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1}}}, - [PPME_SYSCALL_RENAMEAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_RENAMEAT_X] = {FILLER_REF(sys_renameat_x)}, - [PPME_SYSCALL_SYMLINK_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SYMLINK_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1}}}, - [PPME_SYSCALL_SYMLINKAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SYMLINKAT_X] = {FILLER_REF(sys_symlinkat_x)}, - [PPME_SYSCALL_SENDFILE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SENDFILE_X] = {FILLER_REF(sys_sendfile_x)}, - [PPME_SYSCALL_QUOTACTL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_QUOTACTL_X] = {FILLER_REF(sys_quotactl_x)}, - [PPME_SYSCALL_SETRESUID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_setresuid_x)}, - [PPME_SYSCALL_SETRESGID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_setresgid_x)}, [PPME_SCAPEVENT_E] = {FILLER_REF(sys_scapevent_e)}, - [PPME_SYSCALL_SETUID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_setuid_x)}, - [PPME_SYSCALL_SETGID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_setgid_x)}, - [PPME_SYSCALL_GETUID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}}, - [PPME_SYSCALL_GETEUID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETEUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}}, - [PPME_SYSCALL_GETGID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}}, - [PPME_SYSCALL_GETEGID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETEGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}}, - [PPME_SYSCALL_GETRESUID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETRESUID_X] = {FILLER_REF(sys_getresuid_and_gid_x)}, - [PPME_SYSCALL_GETRESGID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETRESGID_X] = {FILLER_REF(sys_getresuid_and_gid_x)}, - [PPME_SYSCALL_CLONE_20_E] = {FILLER_DISABLED}, [PPME_SYSCALL_CLONE_20_X] = {FILLER_REF(proc_startupdate)}, - [PPME_SYSCALL_FORK_20_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FORK_20_X] = {FILLER_REF(proc_startupdate)}, - [PPME_SYSCALL_VFORK_20_E] = {FILLER_DISABLED}, [PPME_SYSCALL_VFORK_20_X] = {FILLER_REF(proc_startupdate)}, #ifdef CAPTURE_SIGNAL_DELIVERIES [PPME_SIGNALDELIVER_E] = {FILLER_REF(sys_signaldeliver_e)}, #endif - [PPME_SYSCALL_GETDENTS_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_getdents_x)}, - [PPME_SYSCALL_GETDENTS64_E] = {FILLER_DISABLED}, [PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_getdents64_x)}, - [PPME_SYSCALL_SETNS_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_setns_x)}, - [PPME_SYSCALL_FLOCK_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_flock_x)}, [PPME_CPU_HOTPLUG_E] = {FILLER_REF(cpu_hotplug_e)}, - [PPME_SOCKET_ACCEPT_5_E] = {FILLER_DISABLED}, [PPME_SOCKET_ACCEPT_5_X] = {FILLER_REF(sys_accept_x)}, - [PPME_SYSCALL_SEMOP_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SEMOP_X] = {FILLER_REF(sys_semop_x)}, - [PPME_SYSCALL_SEMCTL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_semctl_x)}, - [PPME_SYSCALL_PPOLL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_ppoll_x)}, - [PPME_SYSCALL_MOUNT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_mount_x), 4, APT_REG, {{AF_ID_RETVAL}, {0}, {1}, {2}}}, - [PPME_SYSCALL_SEMGET_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_semget_x)}, - [PPME_SYSCALL_ACCESS_E] = {FILLER_DISABLED}, [PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_access_x)}, - [PPME_SYSCALL_CHROOT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_CHROOT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, - [PPME_SYSCALL_SETSID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETSID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}}, - [PPME_SYSCALL_SETPGID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_setpgid_x)}, - [PPME_SYSCALL_MKDIR_2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_mkdir_x)}, - [PPME_SYSCALL_RMDIR_2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_RMDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, - [PPME_SYSCALL_UNSHARE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_unshare_x)}, - [PPME_SYSCALL_EXECVE_19_E] = {FILLER_DISABLED}, [PPME_SYSCALL_EXECVE_19_X] = {FILLER_REF(proc_startupdate)}, #ifdef CAPTURE_PAGE_FAULTS [PPME_PAGE_FAULT_E] = {FILLER_REF(sys_pagefault_e)}, #endif - [PPME_SYSCALL_BPF_2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_BPF_2_X] = {FILLER_REF(sys_bpf_x)}, - [PPME_SYSCALL_SECCOMP_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_seccomp_x)}, - [PPME_SYSCALL_UNLINK_2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_UNLINK_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, - [PPME_SYSCALL_UNLINKAT_2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_UNLINKAT_2_X] = {FILLER_REF(sys_unlinkat_x)}, - [PPME_SYSCALL_MKDIRAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MKDIRAT_X] = {FILLER_REF(sys_mkdirat_x)}, [PPME_SYSCALL_OPENAT_2_E] = {FILLER_REF(sys_openat_e)}, [PPME_SYSCALL_OPENAT_2_X] = {FILLER_REF(sys_openat_x)}, - [PPME_SYSCALL_LINK_2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_LINK_2_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1}}}, - [PPME_SYSCALL_LINKAT_2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_LINKAT_2_X] = {FILLER_REF(sys_linkat_x)}, - [PPME_SYSCALL_FCHMODAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FCHMODAT_X] = {FILLER_REF(sys_fchmodat_x)}, - [PPME_SYSCALL_CHMOD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_CHMOD_X] = {FILLER_REF(sys_chmod_x)}, - [PPME_SYSCALL_FCHMOD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FCHMOD_X] = {FILLER_REF(sys_fchmod_x)}, - [PPME_SYSCALL_RENAMEAT2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_RENAMEAT2_X] = {FILLER_REF(sys_renameat2_x)}, - [PPME_SYSCALL_USERFAULTFD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_USERFAULTFD_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}}, [PPME_SYSCALL_OPENAT2_E] = {FILLER_REF(sys_openat2_e)}, [PPME_SYSCALL_OPENAT2_X] = {FILLER_REF(sys_openat2_x)}, - [PPME_SYSCALL_MPROTECT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MPROTECT_X] = {FILLER_REF(sys_mprotect_x)}, - [PPME_SYSCALL_EXECVEAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_EXECVEAT_X] = {FILLER_REF(proc_startupdate)}, - [PPME_SYSCALL_COPY_FILE_RANGE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_COPY_FILE_RANGE_X] = {FILLER_REF(sys_copy_file_range_x)}, - [PPME_SYSCALL_CLONE3_E] = {FILLER_DISABLED}, [PPME_SYSCALL_CLONE3_X] = {FILLER_REF(proc_startupdate)}, - [PPME_SYSCALL_OPEN_BY_HANDLE_AT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {FILLER_REF(sys_open_by_handle_at_x)}, - [PPME_SYSCALL_IO_URING_SETUP_E] = {FILLER_DISABLED}, [PPME_SYSCALL_IO_URING_SETUP_X] = {FILLER_REF(sys_io_uring_setup_x)}, - [PPME_SYSCALL_IO_URING_ENTER_E] = {FILLER_DISABLED}, [PPME_SYSCALL_IO_URING_ENTER_X] = {FILLER_REF(sys_io_uring_enter_x)}, - [PPME_SYSCALL_IO_URING_REGISTER_E] = {FILLER_DISABLED}, [PPME_SYSCALL_IO_URING_REGISTER_X] = {FILLER_REF(sys_io_uring_register_x)}, - [PPME_SYSCALL_MLOCK_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MLOCK_X] = {FILLER_REF(sys_mlock_x)}, - [PPME_SYSCALL_MUNLOCK_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MUNLOCK_X] = {FILLER_REF(sys_munlock_x)}, - [PPME_SYSCALL_MLOCKALL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MLOCKALL_X] = {FILLER_REF(sys_mlockall_x)}, - [PPME_SYSCALL_MUNLOCKALL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MUNLOCKALL_X] = {FILLER_REF(sys_munlockall_x)}, - [PPME_SYSCALL_CAPSET_E] = {FILLER_DISABLED}, [PPME_SYSCALL_CAPSET_X] = {FILLER_REF(sys_capset_x)}, - [PPME_SYSCALL_MLOCK2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MLOCK2_X] = {FILLER_REF(sys_mlock2_x)}, - [PPME_SYSCALL_FSCONFIG_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FSCONFIG_X] = {FILLER_REF(sys_fsconfig_x)}, - [PPME_SYSCALL_EPOLL_CREATE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_EPOLL_CREATE_X] = {FILLER_REF(sys_epoll_create_x)}, - [PPME_SYSCALL_EPOLL_CREATE1_E] = {FILLER_DISABLED}, [PPME_SYSCALL_EPOLL_CREATE1_X] = {FILLER_REF(sys_epoll_create1_x)}, - [PPME_SYSCALL_CHOWN_E] = {FILLER_DISABLED}, [PPME_SYSCALL_CHOWN_X] = {FILLER_REF(sys_chown_x)}, - [PPME_SYSCALL_LCHOWN_E] = {FILLER_DISABLED}, [PPME_SYSCALL_LCHOWN_X] = {FILLER_REF(sys_lchown_x)}, - [PPME_SYSCALL_FCHOWN_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FCHOWN_X] = {FILLER_REF(sys_fchown_x)}, - [PPME_SYSCALL_FCHOWNAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FCHOWNAT_X] = {FILLER_REF(sys_fchownat_x)}, - [PPME_SYSCALL_UMOUNT_1_E] = {FILLER_DISABLED}, [PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)}, - [PPME_SOCKET_ACCEPT4_6_E] = {FILLER_DISABLED}, [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept4_x)}, - [PPME_SYSCALL_UMOUNT2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)}, - [PPME_SYSCALL_PIPE2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PIPE2_X] = {FILLER_REF(sys_pipe2_x)}, - [PPME_SYSCALL_INOTIFY_INIT1_E] = {FILLER_DISABLED}, [PPME_SYSCALL_INOTIFY_INIT1_X] = {FILLER_REF(sys_inotify_init1_x)}, - [PPME_SYSCALL_EVENTFD2_E] = {FILLER_DISABLED}, [PPME_SYSCALL_EVENTFD2_X] = {FILLER_REF(sys_eventfd2_x)}, - [PPME_SYSCALL_SIGNALFD4_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SIGNALFD4_X] = {FILLER_REF(sys_signalfd4_x)}, - [PPME_SYSCALL_PRCTL_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PRCTL_X] = {FILLER_REF(sys_prctl_x)}, - [PPME_SYSCALL_MEMFD_CREATE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MEMFD_CREATE_X] = {FILLER_REF(sys_memfd_create_x)}, - [PPME_SYSCALL_PIDFD_GETFD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PIDFD_GETFD_X] = {FILLER_REF(sys_pidfd_getfd_x)}, - [PPME_SYSCALL_PIDFD_OPEN_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PIDFD_OPEN_X] = {FILLER_REF(sys_pidfd_open_x)}, - [PPME_SYSCALL_INIT_MODULE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_INIT_MODULE_X] = {FILLER_REF(sys_init_module_x)}, - [PPME_SYSCALL_FINIT_MODULE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_FINIT_MODULE_X] = {FILLER_REF(sys_finit_module_x)}, - [PPME_SYSCALL_MKNOD_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MKNOD_X] = {FILLER_REF(sys_mknod_x)}, - [PPME_SYSCALL_MKNODAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_MKNODAT_X] = {FILLER_REF(sys_mknodat_x)}, - [PPME_SYSCALL_NEWFSTATAT_E] = {FILLER_DISABLED}, [PPME_SYSCALL_NEWFSTATAT_X] = {FILLER_REF(sys_newfstatat_x)}, - [PPME_SYSCALL_PROCESS_VM_READV_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PROCESS_VM_READV_X] = {FILLER_REF(sys_process_vm_readv_x)}, - [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = {FILLER_DISABLED}, [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {FILLER_REF(sys_process_vm_writev_x)}, - [PPME_SYSCALL_DELETE_MODULE_E] = {FILLER_DISABLED}, [PPME_SYSCALL_DELETE_MODULE_X] = {FILLER_REF(sys_delete_module_x)}, - [PPME_SYSCALL_SETREUID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETREUID_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1}}}, - [PPME_SYSCALL_SETREGID_E] = {FILLER_DISABLED}, [PPME_SYSCALL_SETREGID_X] = {FILLER_REF(sys_autofill), 3, APT_REG, diff --git a/driver/main.c b/driver/main.c index 4cadec2e24..2c7bc611d5 100644 --- a/driver/main.c +++ b/driver/main.c @@ -1918,8 +1918,7 @@ static int record_event_consumer(struct ppm_consumer_t *consumer, default: if(likely(g_ppm_events[event_type].filler_callback)) { cbres = g_ppm_events[event_type].filler_callback(&args); - /* TODO(ekoops): remove this once we remove the sys_enter dispatcher. */ - } else if(!g_ppm_events[event_type].disabled) { + } else { pr_err("corrupted filler for event type %d: NULL callback\n", event_type); ASSERT(0); } @@ -2082,18 +2081,13 @@ TRACEPOINT_PROBE(syscall_enter_probe, struct pt_regs *regs, long id) { struct event_data_t event_data = {}; const struct syscall_evt_pair *event_pair = NULL; long table_index = 0; - int socketcall_syscall_id = -1; /* Just to be extra-safe */ if(id < 0) { return; } - event_data.category = PPMC_SYSCALL; - event_data.event_info.syscall_data.regs = regs; - event_data.extract_socketcall_params = false; - - /* This could be overwritten if we are in a socket call */ + /* These could be overwritten if we are in ia-32 emulation mode. */ event_data.event_info.syscall_data.id = id; event_data.compat = false; @@ -2102,52 +2096,68 @@ TRACEPOINT_PROBE(syscall_enter_probe, struct pt_regs *regs, long id) { // We try to convert the 32-bit id into the 64-bit one. #if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION) event_data.compat = true; - if(id == __NR_ia32_socketcall) { - socketcall_syscall_id = __NR_ia32_socketcall; - } else { - event_data.event_info.syscall_data.id = g_ia32_64_map[id]; - // syscalls defined only on 32 bits are dropped here. - if(event_data.event_info.syscall_data.id == -1) { - return; - } + event_data.event_info.syscall_data.id = g_ia32_64_map[id]; + // syscalls defined only on 32 bits are dropped here. + if(event_data.event_info.syscall_data.id == -1) { + return; } #else // Unsupported arch return; -#endif - } else { -#ifdef __NR_socketcall - socketcall_syscall_id = __NR_socketcall; #endif } + // This tracepoint is used only for system calls requiring enter event generation for TOCTOU + // mitigation. For any other system call, just return. + switch(event_data.event_info.syscall_data.id) { +#ifdef __NR_connect + case __NR_connect: + break; +#endif // __NR_connect +#ifdef __NR_creat + case __NR_creat: + break; +#endif // __NR_creat +#ifdef __NR_open + case __NR_open: + break; +#endif // __NR_open +#ifdef __NR_openat + case __NR_openat: + break; +#endif // __NR_openat +#ifdef __NR_openat2 + case __NR_openat2: + break; +#endif // __NR_openat2 + default: + return; + } + g_n_tracepoint_hit_inc(); - // Now all syscalls on 32-bit should be converted to 64-bit apart from `socketcall`. - // This one deserves special treatment. - if(event_data.event_info.syscall_data.id == socketcall_syscall_id) { - if(manage_socketcall(&event_data, socketcall_syscall_id, false) == NULL) { - return; - } - } + event_data.category = PPMC_SYSCALL; + event_data.event_info.syscall_data.regs = regs; + event_data.extract_socketcall_params = false; - /* We need to set here the `syscall_id` because it could change in case of socketcalls */ table_index = event_data.event_info.syscall_data.id - SYSCALL_TABLE_ID0; if(unlikely(table_index < 0 || table_index >= SYSCALL_TABLE_SIZE)) { return; } event_pair = &g_syscall_table[table_index]; - if(event_pair->flags & UF_USED) - record_event_all_consumers(event_pair->enter_event_type, - event_pair->flags, - &event_data, - KMOD_PROG_SYS_ENTER); - else - record_event_all_consumers(PPME_GENERIC_E, - UF_ALWAYS_DROP, - &event_data, - KMOD_PROG_SYS_ENTER); + if(unlikely((event_pair->flags & UF_USED) == 0)) { + pr_err("Event associated to syscall ID %ld doesn't have an UF_USED flag. This is a bug, " + "as the syscall_enter probe is meant only for calling fillers for system calls " + "supporting TOCTOU mitigation through enter event generation\n", + event_data.event_info.syscall_data.id); + return; + } + + record_event_all_consumers(event_pair->enter_event_type, + event_pair->flags, + &event_data, + KMOD_PROG_SYS_ENTER); } static __always_inline bool kmod_drop_syscall_exit_events(long ret, ppm_event_code evt_type) { diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index f9d364ed0e..898fa86244 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -2359,7 +2359,6 @@ typedef int (*filler_callback_t)(struct event_filler_arguments *args); struct ppm_event_entry { filler_callback_t filler_callback; - uint8_t disabled; /* TODO(ekoops): remove this once we remove the sys_enter dispatcher. */ enum ppm_filler_id filler_id; uint16_t n_autofill_args; enum autofill_paramtype paramtype; diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 20a55082b9..54ac90bc30 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -115,14 +115,6 @@ int f_sys_generic(struct event_filler_arguments *args) { */ res = val_to_ring(args, sc_code, 0, false, 0); CHECK_RES(res); - - if(args->event_type == PPME_GENERIC_E) { - /* - * nativeID - */ - res = val_to_ring(args, args->syscall_id, 0, false, 0); - CHECK_RES(res); - } } else { ASSERT(false); res = val_to_ring(args, (uint64_t) "", 0, false, 0); diff --git a/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp b/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp index 46a9d65c7b..c42c2f4e7b 100644 --- a/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp @@ -10,7 +10,8 @@ TEST(SyscallEnter, genericE) { // TODO(ekoops): remove this test once we completely remove generic enter events detection in // all 3 drivers. if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() << "Modern eBPF probe doesn't support anymore generic enter events detection"; + GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore generic enter events " + "detection"; } evt_test->enable_capture(); diff --git a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp b/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp index 186d351528..c2a3f03fe0 100644 --- a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp @@ -13,8 +13,8 @@ TEST(SyscallEnter, socketcall_connectE) { // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in // all 3 drivers. if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() - << "Modern eBPF probe doesn't support anymore socketcall enter events detection"; + GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore socketcall enter events " + "detection"; } evt_test->enable_capture(); @@ -67,8 +67,8 @@ TEST(SyscallEnter, socketcall_wrong_code_socketcall_interesting) { // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in // all 3 drivers. if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() - << "Modern eBPF probe doesn't support anymore socketcall enter events detection"; + GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore socketcall enter events " + "detection"; } evt_test->enable_capture(); @@ -97,8 +97,8 @@ TEST(SyscallEnter, socketcall_wrong_code_socketcall_not_interesting) { // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in // all 3 drivers. if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() - << "Modern eBPF probe doesn't support anymore socketcall enter events detection"; + GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore socketcall enter events " + "detection"; } evt_test->enable_capture(); @@ -127,8 +127,8 @@ TEST(SyscallEnter, socketcall_null_pointer_and_wrong_code_socketcall_interesting // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in // all 3 drivers. if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() - << "Modern eBPF probe doesn't support anymore socketcall enter events detection"; + GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore socketcall enter events " + "detection"; } evt_test->enable_capture(); From fc865db58e45874f446c014744cf57b8cb71f7b8 Mon Sep 17 00:00:00 2001 From: Leonardo Di Giovanna Date: Thu, 11 Sep 2025 16:29:19 +0200 Subject: [PATCH 3/3] feat(driver/bpf)!: use `sys_enter` probe only for TOCTOU mitigation In legacy bpf probe, update `sys_enter` probe to only allow execution of fillers related to TOCTOU mitigation, disabling the generation of any other enter event. This is motivated by the fact that, for all other enter events, the corresponding exit events already contain the same kind of information. Contextually, update the fillers table by removing the entry related to `PPME_GENERIC_E` enter event, as it is not anymore used by any driver. any filler information related to enter events, excluding the entries related to TOCTOU mitigation. Finally, remove any `PPME_GENERIC_E` event related code and delete `generic_e.cpp` and `socketcall_e.cpp` files, as contained tests are related to events not generated anymore by any engine. BREAKING CHANGE: update fillers table and drop non-TOCTOU syscall enter fillers in legacy bpf probe Signed-off-by: Leonardo Di Giovanna --- driver/bpf/fillers.h | 33 +--- driver/bpf/probe.c | 109 ++++++------- driver/fillers_table.c | 3 - .../syscall_enter_suite/generic_e.cpp | 50 ------ .../syscall_enter_suite/socketcall_e.cpp | 148 ------------------ 5 files changed, 54 insertions(+), 289 deletions(-) delete mode 100644 test/drivers/test_suites/syscall_enter_suite/generic_e.cpp delete mode 100644 test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 4bdc155033..781810e2a4 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -3055,45 +3055,26 @@ FILLER(sys_unshare_x, true) { } FILLER(sys_generic, true) { - int scap_id; - int native_id; - int res; - const struct syscall_evt_pair *sc_evt; - - native_id = bpf_syscall_get_nr(data->ctx); + int native_id = bpf_syscall_get_nr(data->ctx); - // We are already in a tail-called filler. - // if we are in ia32 syscall sys_{enter,exit} already - // validated the converted 32bit->64bit syscall ID for us, - // otherwise the event would've been discarded. + // We are already in a tail-called filler. If we are in ia-32 syscall sys_exit already validated + // the converted 32bit->64bit syscall ID for us, otherwise the event would've been discarded. if(bpf_in_ia32_syscall()) { native_id = convert_ia32_to_64(native_id); } - sc_evt = get_syscall_info(native_id); + const struct syscall_evt_pair *sc_evt = get_syscall_info(native_id); if(!sc_evt) { bpf_printk("no routing for syscall %d\n", native_id); return PPM_FAILURE_BUG; } - scap_id = sc_evt->ppm_sc; + int scap_id = sc_evt->ppm_sc; if(scap_id == PPM_SC_UNKNOWN) bpf_printk("no syscall for id %d\n", native_id); - /* - * id - */ - res = bpf_push_u16_to_ring(data, scap_id); - CHECK_RES(res); - - if(data->state->tail_ctx.evt_type == PPME_GENERIC_E) { - /* - * native id - */ - res = bpf_push_u16_to_ring(data, native_id); - } - - return res; + /* Parameter 1: ID (type: PT_SYSCALLID) */ + return bpf_push_u16_to_ring(data, scap_id); } FILLER(sys_openat_e, true) { diff --git a/driver/bpf/probe.c b/driver/bpf/probe.c index 48237f844c..56a9614e9a 100644 --- a/driver/bpf/probe.c +++ b/driver/bpf/probe.c @@ -29,14 +29,7 @@ or GPL2.txt for full copies of the license. #define __NR_ia32_socketcall 102 BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) { - const struct syscall_evt_pair *sc_evt = NULL; - ppm_event_code evt_type = -1; - int drop_flags = 0; - long id = 0; - bool enabled = false; - int socketcall_syscall_id = -1; - - id = bpf_syscall_get_nr(ctx); + long id = bpf_syscall_get_nr(ctx); if(id < 0 || id >= SYSCALL_TABLE_SIZE) return 0; @@ -44,74 +37,66 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) { // Right now we support 32-bit emulation only on x86. // We try to convert the 32-bit id into the 64-bit one. #if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION) - if(id == __NR_ia32_socketcall) { - socketcall_syscall_id = __NR_ia32_socketcall; - } else { - id = convert_ia32_to_64(id); - // syscalls defined only on 32 bits are dropped here. - if(id == -1) { - return 0; - } + id = convert_ia32_to_64(id); + // Syscalls defined only on 32 bits are dropped here. + if(id == -1) { + return 0; } #else // Unsupported arch return 0; -#endif - } else { - // Right now only s390x supports it -#ifdef __NR_socketcall - socketcall_syscall_id = __NR_socketcall; #endif } - // Now all syscalls on 32-bit should be converted to 64-bit apart from `socketcall`. - // This one deserves a special treatment - if(id == socketcall_syscall_id) { -#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS - bool is_syscall_return = false; - int return_code = convert_network_syscalls(ctx, &is_syscall_return); - if(return_code == -1) { - // Wrong SYS_ argument passed. Drop the syscall. - return 0; - } - if(!is_syscall_return) { - evt_type = return_code; - drop_flags = UF_USED; - } else { - id = return_code; - } -#else - // We do not support socketcall when raw tracepoints are not supported. + // This program is used only for system calls requiring enter events generation for TOCTOU + // mitigation. For any other system call, just return. + switch(id) { +#ifdef __NR_connect + case __NR_connect: + break; +#endif // __NR_connect +#ifdef __NR_creat + case __NR_creat: + break; +#endif // __NR_creat +#ifdef __NR_open + case __NR_open: + break; +#endif // __NR_open +#ifdef __NR_openat + case __NR_openat: + break; +#endif // __NR_openat +#ifdef __NR_openat2 + case __NR_openat2: + break; +#endif // __NR_openat2 + default: return 0; -#endif } - // In case of `evt_type!=-1`, we need to skip the syscall filtering logic because - // the actual `id` is no longer representative for this event. - // There could be cases in which we have a `PPME_SOCKET_SEND_E` event - // and`id=__NR_ia32_socketcall`...We resolved the correct event type but we cannot - // update the `id`. - if(evt_type == -1) { - enabled = is_syscall_interesting(id); - if(!enabled) { - return 0; - } + if(!is_syscall_interesting(id)) { + return 0; + } - sc_evt = get_syscall_info(id); - if(!sc_evt) - return 0; + const struct syscall_evt_pair *sc_evt = get_syscall_info(id); + if(!sc_evt) { + return 0; + } - if(sc_evt->flags & UF_USED) { - evt_type = sc_evt->enter_event_type; - drop_flags = sc_evt->flags; - } else { - evt_type = PPME_GENERIC_E; - drop_flags = UF_ALWAYS_DROP; - } + if(unlikely((sc_evt->flags & UF_USED) == 0)) { + bpf_printk( + "event associated to syscall ID %ld doesn't have an UF_USED flag. This is a bug, " + "as the sys_enter dispatcher is meant only for calling fillers for system calls " + "supporting TOCTOU mitigation through enter event generation", + id); + return 0; } + ppm_event_code evt_type = sc_evt->enter_event_type; + int drop_flags = sc_evt->flags; #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS - call_filler(ctx, ctx, evt_type, drop_flags, socketcall_syscall_id); + call_filler(ctx, ctx, evt_type, drop_flags, -1); #else /* Duplicated here to avoid verifier madness */ struct sys_enter_args stack_ctx; @@ -120,7 +105,7 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) { if(stash_args(stack_ctx.args)) return 0; - call_filler(ctx, &stack_ctx, evt_type, drop_flags, socketcall_syscall_id); + call_filler(ctx, &stack_ctx, evt_type, drop_flags, -1); #endif return 0; } diff --git a/driver/fillers_table.c b/driver/fillers_table.c index b4dc3f2874..bea70f76da 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -23,9 +23,6 @@ or GPL2.txt for full copies of the license. #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wmissing-field-initializers" const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { - // TODO(ekoops): remove `PPME_GENERIC_E` entry once we limit legacy bpf probe sys_enter - // dispatcher for TOCTOU mitigation. - [PPME_GENERIC_E] = {FILLER_REF(sys_generic)}, [PPME_GENERIC_X] = {FILLER_REF(sys_generic)}, [PPME_SYSCALL_OPEN_E] = {FILLER_REF(sys_open_e)}, [PPME_SYSCALL_OPEN_X] = {FILLER_REF(sys_open_x)}, diff --git a/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp b/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp deleted file mode 100644 index c42c2f4e7b..0000000000 --- a/test/drivers/test_suites/syscall_enter_suite/generic_e.cpp +++ /dev/null @@ -1,50 +0,0 @@ -#include "../../event_class/event_class.h" - -#ifdef __NR_uname -TEST(SyscallEnter, genericE) { - /* We use `uname` syscall because it is defined on all architectures - * and is a very simple syscall. - */ - auto evt_test = get_syscall_event_test(__NR_uname, ENTER_EVENT); - - // TODO(ekoops): remove this test once we completely remove generic enter events detection in - // all 3 drivers. - if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore generic enter events " - "detection"; - } - - evt_test->enable_capture(); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - assert_syscall_state(SYSCALL_FAILURE, "uname", syscall(__NR_uname, NULL)); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - evt_test->disable_capture(); - - evt_test->assert_event_presence(); - - if(HasFatalFailure()) { - return; - } - - evt_test->parse_event(); - - evt_test->assert_header(); - - /*=============================== ASSERT PARAMETERS ===========================*/ - - /* Parameter 1: ID (type: PT_SYSCALLID) */ - /* this is the PPM_SC code obtained from the syscall id. */ - evt_test->assert_numeric_param(1, (uint16_t)PPM_SC_UNAME); - - /* Parameter 2: nativeID (type: PT_UINT16) */ - evt_test->assert_numeric_param(2, (uint16_t)__NR_uname); - - /*=============================== ASSERT PARAMETERS ===========================*/ - - evt_test->assert_num_params_pushed(2); -} -#endif diff --git a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp b/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp deleted file mode 100644 index c2a3f03fe0..0000000000 --- a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp +++ /dev/null @@ -1,148 +0,0 @@ -#include "../../event_class/event_class.h" - -#ifdef __NR_socketcall - -#if defined(__NR_socket) && defined(__NR_bind) && defined(__NR_connect) - -#include -#include - -TEST(SyscallEnter, socketcall_connectE) { - auto evt_test = get_syscall_event_test(__NR_connect, ENTER_EVENT); - - // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in - // all 3 drivers. - if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore socketcall enter events " - "detection"; - } - - evt_test->enable_capture(); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - int32_t mock_fd = -1; - sockaddr_in server_addr; - evt_test->server_fill_sockaddr_in(&server_addr); - unsigned long args[3]{}; - args[0] = mock_fd; - args[1] = (unsigned long)&server_addr; - args[2] = sizeof(server_addr); - assert_syscall_state(SYSCALL_FAILURE, - "socketcall connect", - syscall(__NR_socketcall, SYS_CONNECT, args)); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - evt_test->disable_capture(); - - evt_test->assert_event_presence(); - - if(HasFatalFailure()) { - return; - } - - evt_test->parse_event(); - - evt_test->assert_header(); - - /*=============================== ASSERT PARAMETERS ===========================*/ - - /* Parameter 1: fd (type: PT_FD) */ - evt_test->assert_numeric_param(1, (int64_t)mock_fd); - - /* Parameter 2: addr (type: PT_SOCKADDR) */ - evt_test->assert_addr_info_inet_param(2, PPM_AF_INET, IPV4_SERVER, IPV4_PORT_SERVER_STRING); - - /*=============================== ASSERT PARAMETERS ===========================*/ - - evt_test->assert_num_params_pushed(2); -} -#endif - -TEST(SyscallEnter, socketcall_wrong_code_socketcall_interesting) { - // We send a wrong code so the event will be dropped - auto evt_test = get_syscall_event_test(__NR_socketcall, ENTER_EVENT); - - // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in - // all 3 drivers. - if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore socketcall enter events " - "detection"; - } - - evt_test->enable_capture(); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - unsigned long args[3]{}; - args[0] = 47; - args[1] = 0; - args[2] = 0; - int wrong_code = 1230; - - assert_syscall_state(SYSCALL_FAILURE, "socketcall", syscall(__NR_socketcall, wrong_code, args)); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - evt_test->disable_capture(); - - evt_test->assert_event_absence(CURRENT_PID, PPME_GENERIC_E); -} - -TEST(SyscallEnter, socketcall_wrong_code_socketcall_not_interesting) { - // Same as the previous test - auto evt_test = get_syscall_event_test(__NR_setsockopt, ENTER_EVENT); - - // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in - // all 3 drivers. - if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore socketcall enter events " - "detection"; - } - - evt_test->enable_capture(); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - unsigned long args[3]{}; - args[0] = 47; - args[1] = 0; - args[2] = 0; - int wrong_code = 1230; - - assert_syscall_state(SYSCALL_FAILURE, "socketcall", syscall(__NR_socketcall, wrong_code, args)); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - evt_test->disable_capture(); - - evt_test->assert_event_absence(CURRENT_PID, PPME_GENERIC_E); -} - -TEST(SyscallEnter, socketcall_null_pointer_and_wrong_code_socketcall_interesting) { - // We send a wrong code so the event will be dropped - auto evt_test = get_syscall_event_test(__NR_socketcall, ENTER_EVENT); - - // TODO(ekoops): remove this test once we completely remove socketcall enter events detection in - // all 3 drivers. - if(evt_test->is_modern_bpf_engine()) { - GTEST_SKIP() << "Modern eBPF and kmod probes don't support anymore socketcall enter events " - "detection"; - } - - evt_test->enable_capture(); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - int wrong_code = 1230; - assert_syscall_state(SYSCALL_FAILURE, "socketcall", syscall(__NR_socketcall, wrong_code, NULL)); - - /*=============================== TRIGGER SYSCALL ===========================*/ - - evt_test->disable_capture(); - - evt_test->assert_event_absence(CURRENT_PID, PPME_GENERIC_E); -} - -#endif /* __NR_socketcall */