fix(driver/bpf): fix ebpf verifier issue

Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>

driver/bpf/filler_helpers.h

@@ -1075,8 +1075,8 @@ static __always_inline int bpf_push_empty_param(struct filler_data *data)
 	fixup_evt_arg_len(data->buf, data->state->tail_ctx.curarg, 0);
 	data->curarg_already_on_frame = false;
 
-	/* We increment the current argument */
-	++data->state->tail_ctx.curarg;
+	 /* We increment the current argument - to make verifier happy, properly check it against u32 max */
+	data->state->tail_ctx.curarg = (data->state->tail_ctx.curarg + 1) & (PPM_MAX_EVENT_PARAMS - 1);
 	return PPM_SUCCESS;
 }
 

driver/bpf/fillers.h

@@ -7159,14 +7159,12 @@ FILLER(sys_prctl_x, true)
 			res = bpf_val_to_ring(data, (int)arg2_int);
 			CHECK_RES(res);
 			break;
+		case PPM_PR_SET_CHILD_SUBREAPER:
 		default:
 			/*
 			 * arg2_str
 			 */
-			//XXX temporary workaround: the usage of `bpf_push_empty_param`
-			//    breaks the verifies
-			//res = bpf_push_empty_param(data);
-			res = bpf_val_to_ring(data, 0);
+			res = bpf_push_empty_param(data);
 			CHECK_RES(res);
 			/*
 			 * arg2_int

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c

@@ -82,11 +82,6 @@ int BPF_PROG(prctl_x,
 			auxmap__store_s64_param(auxmap, (s64)reaper_attr);
 			break;
 		case PPM_PR_SET_CHILD_SUBREAPER:
-			/* Parameter 3: arg2_str (type: PT_CHARBUF) */
-			auxmap__store_empty_param(auxmap);
-			/* Parameter 4: arg2_int (type: PT_INT64) */
-			auxmap__store_s64_param(auxmap, arg2);
-			break;
 		default:
 			/* Parameter 3: arg2_str (type: PT_CHARBUF) */
 			auxmap__store_empty_param(auxmap);

driver/syscall_table.c

@@ -396,6 +396,9 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_send
 	[__NR_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND},
+#endif
+#ifdef __NR_prctl
+	[__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL },
 #endif
 	[__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
 	[__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -459,9 +462,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_sched_get_priority_min - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MIN},
 	[__NR_sched_rr_get_interval - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_RR_GET_INTERVAL},
 	[__NR_mremap - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MREMAP},
-#ifdef __NR_prctl
-	[__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL },
-#endif
 #ifdef __NR_arch_prctl
 	[__NR_arch_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ARCH_PRCTL},
 #endif

userspace/libsinsp/events/sinsp_events_ppm_sc.cpp

@@ -392,6 +392,7 @@ libsinsp::events::set<ppm_sc_code> libsinsp::events::sinsp_repair_state_sc_set(c
 		PPM_SC_SETSID,
 		PPM_SC_SETUID,
 		PPM_SC_SETUID32,
+		PPM_SC_PRCTL,
 	};
 
 	if ((flags & PPM_REPAIR_STATE_SC_NETWORK_BASE))

userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp

@@ -202,6 +202,8 @@ const libsinsp::events::set<ppm_event_code> expected_sinsp_state_event_set = {
 	PPME_SYSCALL_EVENTFD2_X,
 	PPME_SYSCALL_SIGNALFD4_E,
 	PPME_SYSCALL_SIGNALFD4_X,
+	PPME_SYSCALL_PRCTL_E,
+	PPME_SYSCALL_PRCTL_X,
 };
 
 const libsinsp::events::set<ppm_sc_code> expected_sinsp_state_sc_set = {
@@ -267,6 +269,7 @@ const libsinsp::events::set<ppm_sc_code> expected_sinsp_state_sc_set = {
 	PPM_SC_EPOLL_CREATE,
 	PPM_SC_EPOLL_CREATE1,
 	PPM_SC_SCHED_PROCESS_EXIT,
+	PPM_SC_PRCTL,
 };
 
 const libsinsp::events::set<ppm_event_code> expected_unknown_event_set = {