diff --git a/driver/event_stats.h b/driver/event_stats.h index 07777a3933..1c5f979337 100644 --- a/driver/event_stats.h +++ b/driver/event_stats.h @@ -1,7 +1,7 @@ #pragma once /* These numbers must be updated when we add new events in the event table */ -#define SYSCALL_EVENTS_NUM 362 +#define SYSCALL_EVENTS_NUM 364 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 20 #define PLUGIN_EVENTS_NUM 1 diff --git a/driver/event_table.c b/driver/event_table.c index 96da5a7842..083152f76d 100644 --- a/driver/event_table.c +++ b/driver/event_table.c 
@@ -71,8 +71,10 @@ const struct ppm_event_info g_event_info[] = { [PPME_SOCKET_BIND_X] = {"bind", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } }, [PPME_SOCKET_CONNECT_E] = {"connect", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } }, [PPME_SOCKET_CONNECT_X] = {"connect", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"fd", PT_FD, PF_DEC } } }, - [PPME_SOCKET_LISTEN_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } }, - [PPME_SOCKET_LISTEN_X] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, + [PPME_SOCKET_LISTEN_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD | EF_OLD_VERSION, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } }, + [PPME_SOCKET_LISTEN_X] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD | EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } }, + [PPME_SOCKET_LISTEN_1_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_INT32, PF_DEC} } }, + [PPME_SOCKET_LISTEN_1_X] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } }, [PPME_SOCKET_ACCEPT_E] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, [PPME_SOCKET_ACCEPT_X] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } }, [PPME_SOCKET_SEND_E] = {"send", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD | EF_WRITES_TO_FD, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } }, diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 1eee84084c..c8cf79ebd8 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c 
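Review bot: In the driver/event_table.c hunk the two `listen` pairs now describe `backlog` with different types (`PT_UINT32` on the entries marked `EF_OLD_VERSION`, `PT_INT32` on the new `_1` entries), and nothing in the table records why. A one-line comment above `[PPME_SOCKET_LISTEN_1_E]` would help the next maintainer, for example `/* listen(2) takes a signed backlog; the _1 pair supersedes the PT_UINT32 layout above */`. Anything that compares `backlog` numerically will see a negative value from the new events where the old layout produced a large unsigned one, so it is worth confirming that no consumer depends on the old representation.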
@@ -39,8 +39,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SOCKET_BIND_X] = {FILLER_REF(sys_socket_bind_x)}, [PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_connect_e)}, [PPME_SOCKET_CONNECT_X] = {FILLER_REF(sys_connect_x)}, - [PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {1} } }, - [PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_single_x)}, + [PPME_SOCKET_LISTEN_1_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {1} } }, + [PPME_SOCKET_LISTEN_1_X] = {FILLER_REF(sys_single_x)}, [PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)}, [PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)}, [PPME_SOCKET_SENDTO_E] = {FILLER_REF(sys_sendto_e)}, diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index 20dcd31508..3a30d05c08 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -92,7 +92,7 @@ #define ACCEPT_E_SIZE HEADER_LEN #define ACCEPT4_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN #define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN -#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2 +#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2 #define LISTEN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN #define CLONE_E_SIZE HEADER_LEN #define CLONE3_E_SIZE HEADER_LEN diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/listen.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/listen.bpf.c index e972c882a3..01d5812dd4 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/listen.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/listen.bpf.c 
@@ -15,7 +15,7 @@ int BPF_PROG(listen_e, long id) { struct ringbuf_struct ringbuf; - if(!ringbuf__reserve_space(&ringbuf, ctx, LISTEN_E_SIZE, PPME_SOCKET_LISTEN_E)) + if(!ringbuf__reserve_space(&ringbuf, ctx, LISTEN_E_SIZE, PPME_SOCKET_LISTEN_1_E)) { return 0; } @@ -32,10 +32,9 @@ int BPF_PROG(listen_e, s32 fd = (s32)args[0]; ringbuf__store_s64(&ringbuf, (s64)fd); - /* Parameter 2: backlog (type: PT_UINT32) */ - /// TODO: This should be an `int` not a `uint32_t` - u32 backlog = (u32)args[1]; - ringbuf__store_u32(&ringbuf, backlog); + /* Parameter 2: backlog (type: PT_INT32) */ + s32 backlog = (s32)args[1]; + ringbuf__store_s32(&ringbuf, backlog); /*=============================== COLLECT PARAMETERS ===========================*/ @@ -54,7 +53,7 @@ int BPF_PROG(listen_x, long ret) { struct ringbuf_struct ringbuf; - if(!ringbuf__reserve_space(&ringbuf, ctx, LISTEN_X_SIZE, PPME_SOCKET_LISTEN_X)) + if(!ringbuf__reserve_space(&ringbuf, ctx, LISTEN_X_SIZE, PPME_SOCKET_LISTEN_1_X)) { return 0; } diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 653457a8c4..05de34e500 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -1383,7 +1383,9 @@ typedef enum { PPME_SYSCALL_PIDFD_GETFD_X = 407, PPME_SYSCALL_PIDFD_OPEN_E = 408, PPME_SYSCALL_PIDFD_OPEN_X = 409, - PPM_EVENT_MAX = 410 + PPME_SOCKET_LISTEN_1_E = 410, + PPME_SOCKET_LISTEN_1_X = 411, + PPM_EVENT_MAX = 412 } ppm_event_code; /*@}*/ diff --git a/driver/socketcall_to_syscall.c b/driver/socketcall_to_syscall.c index e6dc64522a..3be109c5ae 100644 --- a/driver/socketcall_to_syscall.c +++ b/driver/socketcall_to_syscall.c @@ -191,7 +191,7 @@ int socketcall_code_to_syscall_code(int socketcall_code, bool* is_syscall_return return PPME_SOCKET_BIND_E; case SYS_LISTEN: - return PPME_SOCKET_LISTEN_E; + return PPME_SOCKET_LISTEN_1_E; case SYS_CONNECT: return PPME_SOCKET_CONNECT_E; diff --git a/driver/syscall_table.c b/driver/syscall_table.c index fdf7ce5abb..d06f409f0a 100644 
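Review bot: In the driver/ppm_events_public.h hunk, appending `PPME_SOCKET_LISTEN_1_E = 410` and `PPME_SOCKET_LISTEN_1_X = 411` and raising `PPM_EVENT_MAX` to 412 changes the event-code contract between driver and userspace, yet no version or compatibility marker is touched in the part of the diff visible here. If the project gates driver/userspace pairing on a schema version, that bump belongs in this same change. Otherwise a consumer built with `PPM_EVENT_MAX = 410` would receive codes it has no table entry for, and listen activity could silently drop out of monitoring. The userspace updates visible here are limited to events_prog_names.h, scap_ppm_sc.c and tests, so any parser or state-tracking code that switches on `PPME_SOCKET_LISTEN_E`/`PPME_SOCKET_LISTEN_X` should be checked for the new codes as well.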
--- a/driver/syscall_table.c +++ b/driver/syscall_table.c @@ -154,7 +154,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_connect - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPM_SC_CONNECT}, #endif #ifdef __NR_listen - [__NR_listen - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_LISTEN_E, PPME_SOCKET_LISTEN_X, PPM_SC_LISTEN}, + [__NR_listen - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_LISTEN_1_E, PPME_SOCKET_LISTEN_1_X, PPM_SC_LISTEN}, #endif #ifdef __NR_accept [__NR_accept - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_ACCEPT_5_E, PPME_SOCKET_ACCEPT_5_X, PPM_SC_ACCEPT}, diff --git a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp b/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp index 6b4e37dd4f..290caacc97 100644 --- a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp @@ -484,8 +484,8 @@ TEST(SyscallEnter, socketcall_listenE) /* Parameter 1: fd (type: PT_FD) */ evt_test->assert_numeric_param(1, (int64_t)socket_fd); - /* Parameter 2: backlog (type: PT_UINT32) */ - evt_test->assert_numeric_param(2, (uint32_t)backlog); + /* Parameter 2: backlog (type: PT_INT32) */ + evt_test->assert_numeric_param(2, (int32_t)backlog); /*=============================== ASSERT PARAMETERS ===========================*/ diff --git a/test/libscap/helpers/engines.cpp b/test/libscap/helpers/engines.cpp index fa09faea07..60c9f02683 100644 --- a/test/libscap/helpers/engines.cpp +++ b/test/libscap/helpers/engines.cpp 
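Review bot: In the socketcall_e.cpp hunk the assertion on parameter 2 only changes its cast, so the test does not necessarily pin the signedness this commit introduces. `backlog` is defined outside the hunk; if it is a small positive value, the test passes identically for `PT_UINT32` and `PT_INT32`. A case that issues the call with a negative backlog and checks `evt_test->assert_numeric_param(2, (int32_t)-1);` would fail against the old unsigned layout and so guard against a regression. The same applies to any direct (non-socketcall) listen enter test, which is not visible in this diff.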
@@ -96,7 +96,7 @@ void check_event_is_not_overwritten(scap_t *h) void check_event_order(scap_t *h) { - uint32_t events_to_assert[EVENTS_TO_ASSERT] = {PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPME_SOCKET_LISTEN_E, PPME_SOCKET_LISTEN_X, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPME_SOCKET_GETSOCKOPT_E, PPME_SOCKET_GETSOCKOPT_X, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X}; + uint32_t events_to_assert[EVENTS_TO_ASSERT] = {PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPME_SOCKET_LISTEN_1_E, PPME_SOCKET_LISTEN_1_X, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPME_SOCKET_GETSOCKOPT_E, PPME_SOCKET_GETSOCKOPT_X, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X}; /* Start the capture */ ASSERT_EQ(scap_start_capture(h), SCAP_SUCCESS) << "unable to start the capture: " << scap_getlasterr(h) << std::endl; diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h index 39e41628c0..262ebfd296 100644 
--- a/userspace/libpman/src/events_prog_names.h +++ b/userspace/libpman/src/events_prog_names.h @@ -110,8 +110,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SOCKET_ACCEPT_5_X] = "accept_x", [PPME_SOCKET_BIND_E] = "bind_e", [PPME_SOCKET_BIND_X] = "bind_x", - [PPME_SOCKET_LISTEN_E] = "listen_e", - [PPME_SOCKET_LISTEN_X] = "listen_x", + [PPME_SOCKET_LISTEN_1_E] = "listen_e", + [PPME_SOCKET_LISTEN_1_X] = "listen_x", [PPME_SYSCALL_EXECVE_19_E] = "execve_e", [PPME_SYSCALL_EXECVE_19_X] = "execve_x", [PPME_SYSCALL_EXECVEAT_E] = "execveat_e", diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c index 5fc6478966..0ba40a76eb 100644 --- a/userspace/libscap/linux/scap_ppm_sc.c +++ b/userspace/libscap/linux/scap_ppm_sc.c @@ -57,6 +57,8 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SOCKET_CONNECT_X] = (ppm_sc_code[]){PPM_SC_CONNECT, -1}, [PPME_SOCKET_LISTEN_E] = (ppm_sc_code[]){PPM_SC_LISTEN, -1}, [PPME_SOCKET_LISTEN_X] = (ppm_sc_code[]){PPM_SC_LISTEN, -1}, + [PPME_SOCKET_LISTEN_1_E] = (ppm_sc_code[]){PPM_SC_LISTEN, -1}, + [PPME_SOCKET_LISTEN_1_X] = (ppm_sc_code[]){PPM_SC_LISTEN, -1}, [PPME_SOCKET_ACCEPT_E] = (ppm_sc_code[]){PPM_SC_ACCEPT, -1}, [PPME_SOCKET_ACCEPT_X] = (ppm_sc_code[]){PPM_SC_ACCEPT, -1}, [PPME_SOCKET_SEND_E] = (ppm_sc_code[]){PPM_SC_SEND, -1}, diff --git a/userspace/libscap/test/test_suites/engines/modern_bpf/modern_bpf.cpp b/userspace/libscap/test/test_suites/engines/modern_bpf/modern_bpf.cpp index 370a81aba5..0f79e8d41b 100644 --- a/userspace/libscap/test/test_suites/engines/modern_bpf/modern_bpf.cpp +++ b/userspace/libscap/test/test_suites/engines/modern_bpf/modern_bpf.cpp 
@@ -244,7 +244,7 @@ TEST(modern_bpf, one_buffer_shared_between_all_online_CPUs_with_explicit_CPUs_nu void check_event_order(scap_t* h) { - uint32_t events_to_assert[EVENTS_TO_ASSERT] = {PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPME_SOCKET_LISTEN_E, PPME_SOCKET_LISTEN_X, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPME_SOCKET_SENDMSG_E, PPME_SOCKET_SENDMSG_X, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X}; + uint32_t events_to_assert[EVENTS_TO_ASSERT] = {PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPME_SOCKET_LISTEN_1_E, PPME_SOCKET_LISTEN_1_X, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPME_SOCKET_SENDMSG_E, PPME_SOCKET_SENDMSG_X, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X}; /* Start the capture */ ASSERT_EQ(scap_start_capture(h), SCAP_SUCCESS) << "unable to start the capture: " << scap_getlasterr(h) << std::endl; 
diff --git a/userspace/libsinsp/test/events_net.ut.cpp b/userspace/libsinsp/test/events_net.ut.cpp index 173b1da362..e142886cb6 100644 --- a/userspace/libsinsp/test/events_net.ut.cpp +++ b/userspace/libsinsp/test/events_net.ut.cpp @@ -305,8 +305,8 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv4) ASSERT_FALSE(field_exists(evt, "fd.rport")); ASSERT_FALSE(field_exists(evt, "fd.lport")); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_E, 2, server_fd, 5); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_X, 1, return_value); + add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_1_E, 2, server_fd, 5); + add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_1_X, 1, return_value); sockaddr_in client = test_utils::fill_sockaddr_in(DEFAULT_CLIENT_PORT, DEFAULT_IPV4_CLIENT_STRING); @@ -348,8 +348,8 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv6) ASSERT_EQ(get_field_as_string(evt, "fd.name"), fdname); ASSERT_EQ(get_field_as_string(evt, "fd.is_server"), "true"); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_E, 2, server_fd, 5); - add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_X, 1, return_value); + add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_1_E, 2, server_fd, 5); + add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_1_X, 1, return_value); sockaddr_in6 client = test_utils::fill_sockaddr_in6(DEFAULT_CLIENT_PORT, DEFAULT_IPV6_CLIENT_STRING);