-
Notifications
You must be signed in to change notification settings - Fork 164
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
- Loading branch information
1 parent
94b7f87
commit 746a8af
Showing
7 changed files
with
297 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
100 changes: 100 additions & 0 deletions
100
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recv.bpf.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,100 @@ | ||
/* | ||
* Copyright (C) 2023 The Falco Authors. | ||
* | ||
* This file is dual licensed under either the MIT or GPL 2. See MIT.txt | ||
* or GPL2.txt for full copies of the license. | ||
*/ | ||
|
||
#include <helpers/interfaces/variable_size_event.h> | ||
#include <helpers/interfaces/fixed_size_event.h> | ||
|
||
/*=============================== ENTER EVENT ===========================*/ | ||
|
||
SEC("tp_btf/sys_enter") | ||
int BPF_PROG(recv_e, | ||
struct pt_regs *regs, | ||
long id) | ||
{ | ||
struct ringbuf_struct ringbuf; | ||
if(!ringbuf__reserve_space(&ringbuf, RECV_E_SIZE)) | ||
{ | ||
return 0; | ||
} | ||
|
||
ringbuf__store_event_header(&ringbuf, PPME_SOCKET_RECV_E); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
/* Collect parameters at the beginning to manage socketcalls */ | ||
unsigned long args[3]; | ||
extract__network_args(args, 3, regs); | ||
|
||
/* Parameter 1: fd (type: PT_FD) */ | ||
s32 fd = (s32)args[0]; | ||
ringbuf__store_s64(&ringbuf, (s64)fd); | ||
|
||
/* Parameter 2: size (type: PT_UINT32) */ | ||
u32 size = (u32)args[2]; | ||
ringbuf__store_u32(&ringbuf, size); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
ringbuf__submit_event(&ringbuf); | ||
|
||
return 0; | ||
} | ||
|
||
/*=============================== ENTER EVENT ===========================*/ | ||
|
||
/*=============================== EXIT EVENT ===========================*/ | ||
|
||
SEC("tp_btf/sys_exit") | ||
int BPF_PROG(recv_x, | ||
struct pt_regs *regs, | ||
long ret) | ||
{ | ||
struct auxiliary_map *auxmap = auxmap__get(); | ||
if(!auxmap) | ||
{ | ||
return 0; | ||
} | ||
|
||
auxmap__preload_event_header(auxmap, PPME_SOCKET_RECV_X); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
/* Parameter 1: res (type: PT_ERRNO) */ | ||
auxmap__store_s64_param(auxmap, ret); | ||
|
||
if(ret > 0) | ||
{ | ||
/* Collect parameters at the beginning to manage socketcalls */ | ||
unsigned long args[2]; | ||
extract__network_args(args, 2, regs); | ||
|
||
unsigned long bytes_to_read = maps__get_snaplen(); | ||
if(bytes_to_read > ret) | ||
{ | ||
bytes_to_read = ret; | ||
} | ||
|
||
/* Parameter 2: data (type: PT_BYTEBUF) */ | ||
unsigned long data_pointer = args[1]; | ||
auxmap__store_bytebuf_param(auxmap, data_pointer, bytes_to_read, USER); | ||
} | ||
else | ||
{ | ||
/* Parameter 2: data (type: PT_BYTEBUF) */ | ||
auxmap__store_empty_param(auxmap); | ||
} | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
auxmap__finalize_event_header(auxmap); | ||
|
||
auxmap__submit_event(auxmap); | ||
|
||
return 0; | ||
} | ||
|
||
/*=============================== EXIT EVENT ===========================*/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
#include "../../event_class/event_class.h" | ||
|
||
#ifdef __NR_recv | ||
|
||
TEST(SyscallEnter, recvE) | ||
{ | ||
auto evt_test = get_syscall_event_test(__NR_recv, ENTER_EVENT); | ||
|
||
evt_test->enable_capture(); | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
int32_t mock_fd = -1; | ||
char* mock_buf = NULL; | ||
size_t mock_count = DEFAULT_SNAPLEN; | ||
int flags = 0; | ||
assert_syscall_state(SYSCALL_FAILURE, "recv", syscall(__NR_recv, mock_fd, (void*)(mock_buf), mock_count, flags)); | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
evt_test->disable_capture(); | ||
|
||
evt_test->assert_event_presence(); | ||
|
||
if(HasFatalFailure()) | ||
{ | ||
return; | ||
} | ||
|
||
evt_test->parse_event(); | ||
|
||
evt_test->assert_header(); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
/* Parameter 1: fd (type: PT_FD) */ | ||
evt_test->assert_numeric_param(1, (int64_t)mock_fd); | ||
|
||
/* Parameter 2: size (type: PT_UINT32)*/ | ||
evt_test->assert_numeric_param(2, (uint32_t)mock_count); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
evt_test->assert_num_params_pushed(2); | ||
} | ||
#endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
#include "../../event_class/event_class.h" | ||
|
||
#ifdef __NR_recv | ||
TEST(SyscallExit, recvX_fail) | ||
{ | ||
auto evt_test = get_syscall_event_test(__NR_recv, EXIT_EVENT); | ||
|
||
evt_test->enable_capture(); | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
int32_t mock_fd = -1; | ||
char* mock_buf = NULL; | ||
size_t mock_count = DEFAULT_SNAPLEN; | ||
int flags = 0; | ||
assert_syscall_state(SYSCALL_FAILURE, "recv", syscall(__NR_recv, mock_fd, (void*)(mock_buf), mock_count, flags)); | ||
int errno_value = -errno; | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
evt_test->disable_capture(); | ||
|
||
evt_test->assert_event_presence(); | ||
|
||
if(HasFatalFailure()) | ||
{ | ||
return; | ||
} | ||
|
||
evt_test->parse_event(); | ||
|
||
evt_test->assert_header(); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
/* Parameter 1: res (type: PT_ERRNO) */ | ||
evt_test->assert_numeric_param(1, (int64_t)errno_value); | ||
|
||
/* Parameter 2: data (type: PT_BYTEBUF) */ | ||
evt_test->assert_empty_param(2); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
evt_test->assert_num_params_pushed(2); | ||
} | ||
#endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters