-
Notifications
You must be signed in to change notification settings - Fork 164
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
- Loading branch information
1 parent
9f791d5
commit 94b7f87
Showing
9 changed files
with
328 additions
and
72 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
93 changes: 93 additions & 0 deletions
93
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/send.bpf.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
/* | ||
* Copyright (C) 2023 The Falco Authors. | ||
* | ||
* This file is dual licensed under either the MIT or GPL 2. See MIT.txt | ||
* or GPL2.txt for full copies of the license. | ||
*/ | ||
|
||
#include <helpers/interfaces/variable_size_event.h> | ||
#include <helpers/interfaces/fixed_size_event.h> | ||
|
||
/*=============================== ENTER EVENT ===========================*/ | ||
|
||
SEC("tp_btf/sys_enter") | ||
int BPF_PROG(send_e, | ||
struct pt_regs *regs, | ||
long id) | ||
{ | ||
struct ringbuf_struct ringbuf; | ||
if(!ringbuf__reserve_space(&ringbuf, SEND_E_SIZE)) | ||
{ | ||
return 0; | ||
} | ||
|
||
ringbuf__store_event_header(&ringbuf, PPME_SOCKET_SEND_E); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
/* Collect parameters at the beginning to manage socketcalls */ | ||
unsigned long args[3]; | ||
extract__network_args(args, 3, regs); | ||
|
||
/* Parameter 1: fd (type: PT_FD) */ | ||
s32 fd = (s32)args[0]; | ||
ringbuf__store_s64(&ringbuf, (s64)fd); | ||
|
||
/* Parameter 2: size (type: PT_UINT32) */ | ||
u32 size = (u32)args[2]; | ||
ringbuf__store_u32(&ringbuf, size); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
ringbuf__submit_event(&ringbuf); | ||
|
||
return 0; | ||
} | ||
|
||
/*=============================== ENTER EVENT ===========================*/ | ||
|
||
/*=============================== EXIT EVENT ===========================*/ | ||
|
||
SEC("tp_btf/sys_exit") | ||
int BPF_PROG(send_x, | ||
struct pt_regs *regs, | ||
long ret) | ||
{ | ||
struct auxiliary_map *auxmap = auxmap__get(); | ||
if(!auxmap) | ||
{ | ||
return 0; | ||
} | ||
|
||
auxmap__preload_event_header(auxmap, PPME_SOCKET_SEND_X); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
/* Parameter 1: res (type: PT_ERRNO) */ | ||
auxmap__store_s64_param(auxmap, ret); | ||
|
||
/* Collect parameters at the beginning to manage socketcalls */ | ||
unsigned long args[3]; | ||
extract__network_args(args, 3, regs); | ||
|
||
unsigned long bytes_to_read = ret > 0 ? ret : args[2]; | ||
unsigned long snaplen = maps__get_snaplen(); | ||
if(bytes_to_read > snaplen) | ||
{ | ||
bytes_to_read = snaplen; | ||
} | ||
|
||
/* Parameter 2: data (type: PT_BYTEBUF) */ | ||
unsigned long sent_data_pointer = args[1]; | ||
auxmap__store_bytebuf_param(auxmap, sent_data_pointer, bytes_to_read, USER); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
auxmap__finalize_event_header(auxmap); | ||
|
||
auxmap__submit_event(auxmap); | ||
|
||
return 0; | ||
} | ||
|
||
/*=============================== EXIT EVENT ===========================*/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
#include "../../event_class/event_class.h" | ||
|
||
#ifdef __NR_send | ||
TEST(SyscallEnter, sendE) | ||
{ | ||
auto evt_test = get_syscall_event_test(__NR_send, ENTER_EVENT); | ||
|
||
evt_test->enable_capture(); | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
int32_t mock_fd = -1; | ||
char mock_buf[8]; | ||
size_t mock_count = 4096; | ||
int flags = 0; | ||
assert_syscall_state(SYSCALL_FAILURE, "send", syscall(__NR_send, mock_fd, (void *)(mock_buf), mock_count, flags)); | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
evt_test->disable_capture(); | ||
|
||
evt_test->assert_event_presence(); | ||
|
||
if(HasFatalFailure()) | ||
{ | ||
return; | ||
} | ||
|
||
evt_test->parse_event(); | ||
|
||
evt_test->assert_header(); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
/* Parameter 1: fd (type: PT_FD) */ | ||
evt_test->assert_numeric_param(1, (int64_t)mock_fd); | ||
|
||
/* Parameter 2: size (type: PT_UINT32)*/ | ||
evt_test->assert_numeric_param(2, (uint32_t)mock_count); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
evt_test->assert_num_params_pushed(2); | ||
} | ||
#endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.