update: made changes as per review request

Signed-off-by: RohithRaju <rohithraju488@gmail.com>
falcosecurity · Feb 7, 2024 · 71c85a2 · 71c85a2
1 parent 9241311
commit 71c85a2
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 21 deletions.
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -5801,9 +5801,9 @@ FILLER(sys_bpf_x, true)
 	long fd = bpf_syscall_get_retval(data->ctx);
 	bpf_push_s64_to_ring(data, fd);
 
-	/* Parameter 2: cmd (type: PT_INT32) */
-	unsigned long cmd = bpf_syscall_get_argument(data, 0);
-	return bpf_push_s32_to_ring(data, (int32_t)bpf_cmd_to_scap(cmd));
+	/* Parameter 2: cmd (type: PT_ENUMFLAGS32) */
+	int32_t cmd = (int32_t)bpf_syscall_get_argument(data, 0);
+	return bpf_push_u32_to_ring(data, (uint32_t)cmd);
 }
 
 FILLER(sys_unlinkat_x, true)

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c
@@ -58,9 +58,9 @@ int BPF_PROG(bpf_x,
 	/* Parameter 1: fd (type: PT_FD) */
 	ringbuf__store_s64(&ringbuf, ret);
 
-	/* Parameter 2: cmd (type: PT_INT32) */
-	unsigned long cmd = extract__syscall_argument(regs, 0);
-	ringbuf__store_s32(&ringbuf,(int32_t)bpf_cmd_to_scap(cmd));
+	/* Parameter 2: cmd (type: PT_ENUMFLAGS32) */
+	int32_t cmd = (int32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, (uint32_t)cmd);
 
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -6752,10 +6752,10 @@ int f_sys_bpf_x(struct event_filler_arguments *args)
 	res = val_to_ring(args, fd, 0, false, 0);
 	CHECK_RES(res);
 
-	/* Parameter 2: cmd (type: PT_INT64) */
+	/* Parameter 2: cmd (type: PT_ENUMFLAGS32) */
 	syscall_get_arguments_deprecated(args, 0, 1, &val);
-	cmd = (int32_t)bpf_cmd_to_scap(val);
-	res = val_to_ring(args, cmd, 0, false, 0);
+	cmd = (int32_t)val;
+	res = val_to_ring(args, (uint32_t)cmd, 0, false, 0);
 	CHECK_RES(res);
 	return add_sentinel(args);
 }

diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h
@@ -2221,16 +2221,4 @@ static __always_inline uint32_t mknod_mode_to_scap(uint32_t modes)
 
 	return res;
 }
-
-static __always_inline uint32_t bpf_cmd_to_scap (unsigned long cmd){
-	/*
-	 * bpf opcodes are defined via enum in uapi/linux/bpf.h.
-	 * It is userspace API (thus stable) and arch-independent.
-	 * Therefore we map them 1:1; if any unmapped flag arrives,
-	 * we will just print its value to userspace without mapping it to a string flag.
-	 * We then need to append new flags to both flags_table and ppm_events_public PPM_ flags.
-	 */
-
-	return cmd;
-}
 #endif /* PPM_FLAG_HELPERS_H_ */