fix: use vtid instead of vpid

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
falcosecurity · May 11, 2024 · 03e4ec2 · 03e4ec2
1 parent a5d1950
commit 03e4ec2
Show file tree

Hide file tree

Showing 9 changed files with 36 additions and 32 deletions.
diff --git a/driver/modern_bpf/helpers/base/maps_getters.h b/driver/modern_bpf/helpers/base/maps_getters.h
@@ -62,9 +62,9 @@ static __always_inline uint16_t maps__get_statsd_port()
 	return g_settings.statsd_port;
 }
 
-static __always_inline int32_t maps__get_scap_pid()
+static __always_inline int32_t maps__get_scap_tid()
 {
-	return g_settings.scap_pid;
+	return g_settings.scap_tid;
 }
 
 /*=============================== SETTINGS ===========================*/

diff --git a/driver/modern_bpf/helpers/store/ringbuf_store_params.h b/driver/modern_bpf/helpers/store/ringbuf_store_params.h
@@ -153,7 +153,7 @@ static __always_inline void ringbuf__rewrite_header_for_calibration(struct ringb
 	struct ppm_evt_hdr *hdr = (struct ppm_evt_hdr *)ringbuf->data;
 	/* we set this to 0 to recognize this calibration event */
 	hdr->nparams = 0;
-	/* we cannot send the tid seen by the init namespace we need to send the pid seen by the current pid namespace
+	/* we cannot send the tid seen by the init namespace we need to send the tid seen by the current pid namespace
 	 * to be compliant with what scap expects.
 	 */
 	hdr->tid = vtid;

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c
@@ -77,21 +77,21 @@ int BPF_PROG(socket_x,
 	if(ret >= 0 && maps__get_socket_file_ops() == NULL)
 	{
 		struct task_struct *task = get_current_task();
-		/* Please note that in `g_settings.scap_pid` scap will put its virtual pid
+		/* Please note that in `g_settings.scap_tid` scap will put its virtual tid
 		 * if it is running inside a container. If we want to extract the same information
-		 * in the kernel we need to extract the virtual pid of the task.
+		 * in the kernel we need to extract the virtual tid of the task.
 		 */
-		pid_t vpid = extract__task_xid_vnr(task, PIDTYPE_TGID);
+		pid_t vtid = extract__task_xid_vnr(task, PIDTYPE_PID);
 		/* it means that scap is performing the calibration */
-		if(vpid == maps__get_scap_pid())
+		if(vtid == maps__get_scap_tid())
 		{
 			struct file *f = extract__file_struct_from_fd(ret);
 			if(f)
 			{
 				struct file_operations *f_op = (struct file_operations *)BPF_CORE_READ(f, f_op);
 				maps__set_socket_file_ops((void*)f_op);
 				/* we need to rewrite the event header */
-				ringbuf__rewrite_header_for_calibration(&ringbuf, vpid);
+				ringbuf__rewrite_header_for_calibration(&ringbuf, vtid);
 			}
 		}
 	}

diff --git a/driver/modern_bpf/shared_definitions/struct_definitions.h b/driver/modern_bpf/shared_definitions/struct_definitions.h
@@ -33,7 +33,7 @@ struct capture_settings
 	uint16_t fullcapture_port_range_start; /* first interesting port */
 	uint16_t fullcapture_port_range_end;   /* last interesting port */
 	uint16_t statsd_port;		       /* port for statsd metrics */
-	int32_t scap_pid;		       /* pid of the scap process */
+	int32_t scap_tid;		       /* tid of the scap process */
 };
 
 /**

diff --git a/driver/syscall_compat.h b/driver/syscall_compat.h
@@ -0,0 +1,15 @@
+#pragma once
+
+#if defined(__x86_64__) || defined(__EMSCRIPTEN__)
+#include "syscall_compat_x86_64.h"
+#elif defined(__aarch64__)
+#include "syscall_compat_aarch64.h"
+#elif defined(__s390x__)
+#include "syscall_compat_s390x.h"
+#elif defined(__powerpc__)
+#include "syscall_compat_ppc64le.h"
+#elif defined(__riscv)
+#include "syscall_compat_riscv64.h"
+#elif defined(__loongarch__)
+#include "syscall_compat_loongarch64.h"
+#endif /* __x86_64__ */
diff --git a/driver/syscall_table64.c b/driver/syscall_table64.c
@@ -18,19 +18,7 @@ or GPL2.txt for full copies of the license.
  * even if the driver won't be able to send all syscalls.
  */
 #if defined(__GNUC__)
-#if defined(__x86_64__) || defined(__EMSCRIPTEN__)
-#include "syscall_compat_x86_64.h"
-#elif defined(__aarch64__)
-#include "syscall_compat_aarch64.h"
-#elif defined(__s390x__)
-#include "syscall_compat_s390x.h"
-#elif defined(__powerpc__)
-#include "syscall_compat_ppc64le.h"
-#elif defined(__riscv)
-#include "syscall_compat_riscv64.h"
-#elif defined(__loongarch__)
-#include "syscall_compat_loongarch64.h"
-#endif /* __x86_64__ */
+#include "syscall_compat.h"
 #elif defined(_MSC_VER) || defined(__EMSCRIPTEN__)
 // these are Linux syscall numbers and obviously meaningless for Windows/macOS
 // but we need *some* definition so that we have a mapping for scap_ppm_sc.c

diff --git a/userspace/libpman/include/libpman.h b/userspace/libpman/include/libpman.h
@@ -374,11 +374,11 @@ extern "C"
 	void pman_set_statsd_port(uint16_t statsd_port);
 
 	/**
-	 * @brief Set scap pid for socket calibration logic.
+	 * @brief Set scap tid for socket calibration logic.
 	 *
-	 * @param scap_pid port number.
+	 * @param scap_tid
 	 */
-	void pman_set_scap_pid(int32_t scap_pid);
+	void pman_set_scap_tid(int32_t scap_tid);
 
 	/**
 	 * @brief Get API version to check it a runtime.

diff --git a/userspace/libpman/src/maps.c b/userspace/libpman/src/maps.c
@@ -105,9 +105,9 @@ void pman_set_statsd_port(uint16_t statsd_port)
 	g_state.skel->bss->g_settings.statsd_port = statsd_port;
 }
 
-void pman_set_scap_pid(int32_t scap_pid)
+void pman_set_scap_tid(int32_t scap_tid)
 {
-	g_state.skel->bss->g_settings.scap_pid = scap_pid;
+	g_state.skel->bss->g_settings.scap_tid = scap_tid;
 }
 
 void pman_mark_single_64bit_syscall(int intersting_syscall_id, bool interesting)

diff --git a/userspace/libscap/engine/modern_bpf/scap_modern_bpf.c b/userspace/libscap/engine/modern_bpf/scap_modern_bpf.c
@@ -32,6 +32,7 @@ limitations under the License.
 #include <libscap/ringbuffer/ringbuffer.h>
 #include <libscap/scap_engine_util.h>
 #include <libscap/strerror.h>
+#include <driver/syscall_compat.h>
 
 static struct modern_bpf_engine* scap_modern_bpf__alloc_engine(scap_t* main_handle, char* lasterr_ptr)
 {
@@ -168,11 +169,11 @@ int32_t scap_modern_bpf__stop_capture(struct scap_engine_handle engine)
 
 static int32_t calibrate_socket_file_ops(struct scap_engine_handle engine)
 {
-	/* Set the scap_pid for the socket calibration.
-	 * If we are in a container this is the virtual pid.
+	/* Set the scap_tid for the socket calibration.
+	 * If we are in a container this is the virtual tid.
 	 */
-	pid_t scap_pid = getpid();
-	pman_set_scap_pid(scap_pid);
+	pid_t scap_tid = syscall(__NR_gettid);
+	pman_set_scap_tid(scap_tid);
 
 	/* We just need to enable the socket syscall for the socket calibration */
 	engine.m_handle->curr_sc_set.ppm_sc[PPM_SC_SOCKET] = 1;
@@ -208,7 +209,7 @@ static int32_t calibrate_socket_file_ops(struct scap_engine_handle engine)
 		if(res == SCAP_SUCCESS && pevent != NULL)
 		{
 			/* This is not a socket event or this is not our socket event */
-			if(pevent->type != PPME_SOCKET_SOCKET_X || pevent->tid != scap_pid)
+			if(pevent->type != PPME_SOCKET_SOCKET_X || pevent->tid != scap_tid)
 			{
 				continue;
 			}