feat(driver): resolve args

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
falcosecurity · Apr 3, 2023 · c075a30 · c075a30
1 parent 529ac41
commit c075a30
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 54 deletions.
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -7111,23 +7111,12 @@ FILLER(sched_prog_fork_3, false)
 }
 #endif
 
-/*
-FILLER(sys_prctl_e, true)
-{
-	int res;
-	long retval;
-
-	retval = bpf_syscall_get_retval(data->ctx);
-	res = bpf_val_to_ring(data, retval);
-
-	return res;
-}
-*/
-
 FILLER(sys_prctl_x, true)
 {
 	int val;
+	unsigned long option;
 	unsigned long arg;
+	unsigned long arg2;
 	int res;
 	long retval;
 
@@ -7139,16 +7128,16 @@ FILLER(sys_prctl_x, true)
 	/*
 	 * option
 	 */
-	val = bpf_syscall_get_argument(data, 0);
-	res = bpf_val_to_ring(data, val);
+	option = bpf_syscall_get_argument(data, 0);
+	res = bpf_val_to_ring(data, option);
 	if (res != PPM_SUCCESS)
 		return res;
 
 	/*
 	 * arg2
 	 */
-	arg = bpf_syscall_get_argument(data, 1);
-	res = bpf_val_to_ring(data, arg);
+	arg2 = bpf_syscall_get_argument(data, 1);
+	res = bpf_val_to_ring(data, arg2);
 	if (res != PPM_SUCCESS)
 		return res;
 
@@ -7176,6 +7165,34 @@ FILLER(sys_prctl_x, true)
 	if (res != PPM_SUCCESS)
 		return res;
 
+	/*
+	 * arg2str
+	 */
+	if(option == 15){
+		res = bpf_val_to_ring(data, arg2);
+	}else if(option == 37){
+		res = bpf_val_to_ring(data, 0);
+	}else{
+		res = bpf_val_to_ring(data, arg2);
+	}
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * arg2int
+	 */
+	if(option == 15){
+		res = bpf_val_to_ring(data, 0);
+	}else if(option == 37){
+		unsigned long arg2int;
+		bpf_probe_read_user(&arg2int,sizeof(arg2int),(void*)arg2);
+		res = bpf_val_to_ring(data, (int)arg2int);
+	}else{
+		res = bpf_val_to_ring(data, arg2);
+	}
+	if (res != PPM_SUCCESS)
+		return res;
+
 	return res;
 }
 

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -450,7 +450,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}},
 	[PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC},  {"flags", PT_FLAGS16, PF_HEX}}},
 	[PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0 },
-	[PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 6, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2", PT_CHARBUF,PT_UINT64}, {"arg3", PT_UINT64}, {"arg4", PT_UINT64}, {"arg5", PT_UINT64}  } },
+	[PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 8, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2", PT_UINT64, PF_HEX}, {"arg3", PT_UINT64, PF_HEX}, {"arg4", PT_UINT64, PF_HEX}, {"arg5", PT_UINT64, PF_HEX}, {"arg2str", PT_CHARBUF, PF_NA}, {"arg2int", PT_UINT64, PF_DEC} } },
 };
 
 // This code is compiled on windows and osx too!

diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -336,6 +336,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_EVENTFD2_X] = {FILLER_REF(sys_eventfd2_x)},
 	[PPME_SYSCALL_SIGNALFD4_E] = {FILLER_REF(sys_signalfd4_e)},
 	[PPME_SYSCALL_SIGNALFD4_X] = {FILLER_REF(sys_signalfd4_x)},
-	//[PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_prctl_e)},
+	[PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_PRCTL_X] = {FILLER_REF(sys_prctl_x)},
 };
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -236,8 +236,7 @@
 #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN
 #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
 #define PRCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-//#define PRCTL_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint32_t) * 4 + 5 * PARAM_LEN
-//#define PRCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 1 + sizeof(uint64_t) * 7 + 8 * PARAM_LEN
 
 /* Generic tracepoints events. */
 #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
@@ -55,17 +55,47 @@ int BPF_PROG(prctl_x,
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: option (type: PT_UINT32) */
-	u32 flags = (u32)extract__syscall_argument(regs, 0);
-	auxmap__store_u32_param(auxmap, open_flags_to_scap(flags));
+	/* Parameter 1: res (type: PT_ERRNO) */
+	auxmap__store_s64_param(auxmap, ret);
+
+	/* Parameter 2: option (type: PT_UINT64) */
+	u64 option = (u64)extract__syscall_argument(regs, 0);
+	auxmap__store_u64_param(auxmap, option);
+
+	/* Parameter 3: arg2 (type: PT_CHARBUF) */
+	unsigned long arg2 = extract__syscall_argument(regs, 1);
+	auxmap__store_u64_param(auxmap, arg2);
+
+	/* Parameter 4: arg3 (type: PT_UINT64) */
+	unsigned long arg3 = extract__syscall_argument(regs, 2);
+	auxmap__store_u64_param(auxmap, arg3);
+
+	/* Parameter 5: arg4 (type: PT_UINT64) */
+	unsigned long arg4 = extract__syscall_argument(regs, 3);
+	auxmap__store_u64_param(auxmap, arg4);
+
+	/* Parameter 6: arg5 (type: PT_UINT64) */
+	unsigned long arg5 = extract__syscall_argument(regs, 4);
+	auxmap__store_u64_param(auxmap, arg5);
+
+	/* Parameter 7: arg2str (type: PT_CHARBUF) */
+	if(option == 15){
+		auxmap__store_charbuf_param(auxmap, arg2, MAX_PATH, USER);
+	}else{
+		auxmap__store_charbuf_param(auxmap, 0, MAX_PATH, USER);
+	}
 
-	/* Parameter 1: name (type: PT_CHARBUF) */
-	unsigned long name_pointer = extract__syscall_argument(regs, 1);
-	auxmap__store_charbuf_param(auxmap, name_pointer, MAX_PATH, USER);
+	/* Parameter 8: arg2int (type: PT_UINT64) */
+	if(option == 37){
+		u64 reaper_pid;
+		bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2);
+		auxmap__store_u64_param(auxmap, (int)reaper_pid);
+	}else if(option == 15){
+		auxmap__store_u64_param(auxmap, 0);
+	}else{
+		auxmap__store_u64_param(auxmap, arg2);
+	}
 
-	/* Parameter 3: mode (type: PT_UINT32) */
-	//unsigned long mode = extract__syscall_argument(regs, 2);
-	//auxmap__store_u32_param(auxmap, open_modes_to_scap(flags, mode));
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -7984,6 +7984,8 @@ int f_sys_prctl_x(struct event_filler_arguments *args)
 	int res;
 	int retval;
 	syscall_arg_t val;
+	syscall_arg_t option;
+	syscall_arg_t arg2;
 	//unsigned long flags;
 
 	/* Parameter 1: res (type: PT_ERRNO) */
@@ -7995,53 +7997,58 @@ int f_sys_prctl_x(struct event_filler_arguments *args)
 	/*
 	 * option
 	 */
-	syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val);
-	res = val_to_ring(args, val, 0, false, 0);
-	if (unlikely(res != PPM_SUCCESS))
-	{
-		return res;
-	}
+	syscall_get_arguments_deprecated(current, args->regs, 0, 1, &option);
+	res = val_to_ring(args, option, 0, false, 0);
+	CHECK_RES(res);
 
 	/*
 	 * arg2
 	 */
-	syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val);
-	res = val_to_ring(args, val, 0, true, 0);
-	if (unlikely(res != PPM_SUCCESS))
-	{
-		return res;
-	}
+	syscall_get_arguments_deprecated(current, args->regs, 1, 1, &arg2);
+	res = val_to_ring(args, arg2, 0, true, 0);
+	CHECK_RES(res);
 
 	/*
 	 * arg3
 	 */
 	syscall_get_arguments_deprecated(current, args->regs, 2, 1, &val);
 	res = val_to_ring(args, val, 0, false, 0);
-	if (unlikely(res != PPM_SUCCESS))
-	{
-		return res;
-	}
+	CHECK_RES(res);
 
 	/*
 	 * arg4
 	 */
 	syscall_get_arguments_deprecated(current, args->regs, 3, 1, &val);
 	res = val_to_ring(args, val, 0, false, 0);
-	if (unlikely(res != PPM_SUCCESS))
-	{
-		return res;
-	}
+	CHECK_RES(res);
 
 	/*
 	 * arg5
 	 */
 	syscall_get_arguments_deprecated(current, args->regs, 4, 1, &val);
 	res = val_to_ring(args, val, 0, false, 0);
-	if (unlikely(res != PPM_SUCCESS))
-	{
-		return res;
+	CHECK_RES(res);
+
+	/*
+	 * arg2str
+	 */
+	//res = val_to_ring(args, option, 0, false, 0);
+	if(option == 15){
+		arg2 = (syscall_arg_t)NULL;
 	}
+	res = val_to_ring(args, arg2, 0, true, 0);
+	CHECK_RES(res);
 
+	/*
+	 * arg2int
+	 */
+	if(option == 37){
+		int reaper_pid;
+		res = ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(int));
+		arg2 = (unsigned long)reaper_pid;
+	}
+	res = val_to_ring(args, arg2, 0, true, 0);
+	CHECK_RES(res);
 
 	return add_sentinel(args);
 }
diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
@@ -172,7 +172,6 @@ or GPL2.txt for full copies of the license.
 	FN(sys_eventfd2_x)          \
 	FN(sys_signalfd4_e)          \
 	FN(sys_signalfd4_x)          \
-	FN(sys_prctl_e)				\
 	FN(sys_prctl_x)				\
 	FN(terminate_filler)