From c075a304f9768097d904b83be884b6dbf2c2b887 Mon Sep 17 00:00:00 2001
From: Roberto Scolaro
Date: Mon, 3 Apr 2023 19:00:05 +0000
Subject: [PATCH] feat(driver): resolve args
Signed-off-by: Roberto Scolaro
---
 driver/bpf/fillers.h | 51 ++++++++++++------
 driver/event_table.c | 2 +-
 driver/fillers_table.c | 2 +-
 .../definitions/events_dimensions.h | 3 +-
 .../syscall_dispatched_events/prctl.bpf.c | 48 +++++++++++++----
 driver/ppm_fillers.c | 53 +++++++++++--------
 driver/ppm_fillers.h | 1 -
 7 files changed, 106 insertions(+), 54 deletions(-)
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 81a6ad79ccd..361d05edbc3 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -7111,23 +7111,12 @@ FILLER(sched_prog_fork_3, false)
 }
 #endif
-/*
-FILLER(sys_prctl_e, true)
-{
- int res;
- long retval;
-
- retval = bpf_syscall_get_retval(data->ctx);
- res = bpf_val_to_ring(data, retval);
-
- return res;
-}
-*/
-
 FILLER(sys_prctl_x, true)
 {
 int val;
+ unsigned long option;
 unsigned long arg;
+ unsigned long arg2;
 int res;
 long retval;
@@ -7139,16 +7128,16 @@ FILLER(sys_prctl_x, true)
 /*
 * option
 */
- val = bpf_syscall_get_argument(data, 0);
- res = bpf_val_to_ring(data, val);
+ option = bpf_syscall_get_argument(data, 0);
+ res = bpf_val_to_ring(data, option);
 if (res != PPM_SUCCESS)
 return res;
 /*
 * arg2
 */
- arg = bpf_syscall_get_argument(data, 1);
- res = bpf_val_to_ring(data, arg);
+ arg2 = bpf_syscall_get_argument(data, 1);
+ res = bpf_val_to_ring(data, arg2);
 if (res != PPM_SUCCESS)
 return res;
@@ -7176,6 +7165,34 @@ FILLER(sys_prctl_x, true)
 if (res != PPM_SUCCESS)
 return res;
+ /*
+ * arg2str
+ */
+ if(option == 15){
+ res = bpf_val_to_ring(data, arg2);
+ }else if(option == 37){
+ res = bpf_val_to_ring(data, 0);
+ }else{
+ res = bpf_val_to_ring(data, arg2);
+ }
+ if (res != PPM_SUCCESS)
+ return res;
+
+ /*
+ * arg2int
+ */
+ if(option == 15){
+ res = bpf_val_to_ring(data, 0);
+ }else if(option == 37){
+ unsigned long arg2int;
+ bpf_probe_read_user(&arg2int,sizeof(arg2int),(void*)arg2);
+ res = bpf_val_to_ring(data, (int)arg2int);
+ }else{
+ res = bpf_val_to_ring(data, arg2);
+ }
+ if (res != PPM_SUCCESS)
+ return res;
+
 return res;
 }
diff --git a/driver/event_table.c b/driver/event_table.c
index a816f4d007e..e11b9d440de 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -450,7 +450,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}},
 [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX}}},
 [PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0 },
- [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 6, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2", PT_CHARBUF,PT_UINT64}, {"arg3", PT_UINT64}, {"arg4", PT_UINT64}, {"arg5", PT_UINT64} } },
+ [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 8, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2", PT_UINT64, PF_HEX}, {"arg3", PT_UINT64, PF_HEX}, {"arg4", PT_UINT64, PF_HEX}, {"arg5", PT_UINT64, PF_HEX}, {"arg2str", PT_CHARBUF, PF_NA}, {"arg2int", PT_UINT64, PF_DEC} } },
 };
 // This code is compiled on windows and osx too!
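Review bot: The `option == 37` branch of the new arg2int block reads `sizeof(unsigned long)` bytes through `arg2`, but PR_GET_CHILD_SUBREAPER (37) passes the kernel an `int *`, so the probe can extend past the 4 bytes the caller actually mapped and fault (the helper then zeroes the destination), and because the helper's return value is discarded that fault is reported as a legitimate value of 0. Read the declared width and check the result, deciding explicitly what an unreadable pointer should produce (a zero, or a `PPM_FAILURE_INVALID_USER_MEMORY` return): `int arg2int = 0;` / `if (bpf_probe_read_user(&arg2int, sizeof(arg2int), (void *)arg2) != 0) { /* decide: zero or fail */ }` / `res = bpf_val_to_ring(data, arg2int);`. The same over-wide, unchecked read is repeated in prctl.bpf.c (`u64 reaper_pid`), and ppm_fillers.c has the matching unchecked `ppm_copy_from_user`. The literals 15 and 37 would read better as `PR_SET_NAME` and `PR_GET_CHILD_SUBREAPER` from linux/prctl.h, and in the arg2str chain the `option == 15` and `else` branches both push `arg2`, so one of them is redundant.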
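Review bot: The new entry keeps `option` as PT_ENUMFLAGS32, a 4-byte slot, while the modern BPF filler added in prctl.bpf.c by this same commit stores it with `auxmap__store_u64_param(auxmap, option)` (its comment even says PT_UINT64), so the two drivers emit different widths for parameter 2 and only the legacy fillers, which size their payload from this table via `bpf_val_to_ring`/`val_to_ring`, agree with it. Either make the table slot 64-bit or store `(u32)option` with `auxmap__store_u32_param` in the modern filler; a consumer reading a 4-byte enum from an 8-byte payload will misparse the event. Separately, all three fillers feed `arg2int` through an `(int)` cast (`(int)arg2int`, `(int)reaper_pid`, `(unsigned long)reaper_pid`), which sign-extends into this PT_UINT64 slot; PT_INT64 would describe the value honestly, although for the 0/1 subreaper flag this is cosmetic.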
diff --git a/driver/fillers_table.c b/driver/fillers_table.c
index 867566760f4..76f1fead826 100644
--- a/driver/fillers_table.c
+++ b/driver/fillers_table.c
@@ -336,6 +336,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 [PPME_SYSCALL_EVENTFD2_X] = {FILLER_REF(sys_eventfd2_x)},
 [PPME_SYSCALL_SIGNALFD4_E] = {FILLER_REF(sys_signalfd4_e)},
 [PPME_SYSCALL_SIGNALFD4_X] = {FILLER_REF(sys_signalfd4_x)},
- //[PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_prctl_e)},
+ [PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_empty)},
 [PPME_SYSCALL_PRCTL_X] = {FILLER_REF(sys_prctl_x)},
 };
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
index 1ef7199905e..ff9081a1a57 100644
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@@ -236,8 +236,7 @@
 #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN
 #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
 #define PRCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-//#define PRCTL_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint32_t) * 4 + 5 * PARAM_LEN
-//#define PRCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 1 + sizeof(uint64_t) * 7 + 8 * PARAM_LEN
 /* Generic tracepoints events. */
 #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
index c79415b1c7d..d09d6d32092 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
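Review bot: `PRCTL_X_SIZE` budgets one `int32_t` and seven `uint64_t` payloads, which does not match the layout the event table in this commit declares: a 64-bit `res` (PT_ERRNO), a 32-bit `option`, five 64-bit integers and one variable-length `arg2str` charbuf. The fixed part is therefore `sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 5`, and the charbuf needs a `MAX_PATH` term, the bound the filler passes to `auxmap__store_charbuf_param`, i.e. `#define PRCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 5 + MAX_PATH + 8 * PARAM_LEN`. If this macro is only consumed when reserving ring-buffer space for fixed-size events it may be unused for an auxmap event, but an under-sized bound is the kind of value that gets copied into the next event, so it is worth getting right here.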
@@ -55,17 +55,47 @@ int BPF_PROG(prctl_x,
 /*=============================== COLLECT PARAMETERS ===========================*/
- /* Parameter 1: option (type: PT_UINT32) */
- u32 flags = (u32)extract__syscall_argument(regs, 0);
- auxmap__store_u32_param(auxmap, open_flags_to_scap(flags));
+ /* Parameter 1: res (type: PT_ERRNO) */
+ auxmap__store_s64_param(auxmap, ret);
+
+ /* Parameter 2: option (type: PT_UINT64) */
+ u64 option = (u64)extract__syscall_argument(regs, 0);
+ auxmap__store_u64_param(auxmap, option);
+
+ /* Parameter 3: arg2 (type: PT_CHARBUF) */
+ unsigned long arg2 = extract__syscall_argument(regs, 1);
+ auxmap__store_u64_param(auxmap, arg2);
+
+ /* Parameter 4: arg3 (type: PT_UINT64) */
+ unsigned long arg3 = extract__syscall_argument(regs, 2);
+ auxmap__store_u64_param(auxmap, arg3);
+
+ /* Parameter 5: arg4 (type: PT_UINT64) */
+ unsigned long arg4 = extract__syscall_argument(regs, 3);
+ auxmap__store_u64_param(auxmap, arg4);
+
+ /* Parameter 6: arg5 (type: PT_UINT64) */
+ unsigned long arg5 = extract__syscall_argument(regs, 4);
+ auxmap__store_u64_param(auxmap, arg5);
+
+ /* Parameter 7: arg2str (type: PT_CHARBUF) */
+ if(option == 15){
+ auxmap__store_charbuf_param(auxmap, arg2, MAX_PATH, USER);
+ }else{
+ auxmap__store_charbuf_param(auxmap, 0, MAX_PATH, USER);
+ }
- /* Parameter 1: name (type: PT_CHARBUF) */
- unsigned long name_pointer = extract__syscall_argument(regs, 1);
- auxmap__store_charbuf_param(auxmap, name_pointer, MAX_PATH, USER);
+ /* Parameter 8: arg2int (type: PT_UINT64) */
+ if(option == 37){
+ u64 reaper_pid;
+ bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2);
+ auxmap__store_u64_param(auxmap, (int)reaper_pid);
+ }else if(option == 15){
+ auxmap__store_u64_param(auxmap, 0);
+ }else{
+ auxmap__store_u64_param(auxmap, arg2);
+ }
- /* Parameter 3: mode (type: PT_UINT32) */
- //unsigned long mode = extract__syscall_argument(regs, 2);
- //auxmap__store_u32_param(auxmap, open_modes_to_scap(flags, mode));
/*=============================== COLLECT PARAMETERS ===========================*/
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index 1485007f695..d9ee1996d83 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -7984,6 +7984,8 @@ int f_sys_prctl_x(struct event_filler_arguments *args)
 int res;
 int retval;
 syscall_arg_t val;
+ syscall_arg_t option;
+ syscall_arg_t arg2;
 //unsigned long flags;
 /* Parameter 1: res (type: PT_ERRNO) */
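Review bot: For every option other than 15 the arg2str branch calls `auxmap__store_charbuf_param(auxmap, 0, MAX_PATH, USER)`, handing user address 0 to the string reader, whereas the legacy fillers in this commit push `arg2` as the charbuf for every option except 37; the drivers therefore disagree on what parameter 7 holds for the same syscall, and the empty result for address 0 is an implicit contract of the helper rather than a stated choice. Pick one branch structure (string of `arg2` for 15, empty for 37, one agreed value for the rest) and mirror it in all three fillers, e.g. `if(option == 15){ ... }else{ auxmap__store_empty_param(...) }` or whichever empty-param helper this file already uses, rather than letting each driver improvise. The comments on parameters 2 and 3 say PT_UINT64 and PT_CHARBUF, but the event table declares them PT_ENUMFLAGS32 and PT_UINT64; align the comments (and the store width of `option`) with the table. `u64 reaper_pid` is also read with an 8-byte probe from a pointer PR_GET_CHILD_SUBREAPER defines as `int *`, with the helper's result unchecked, the same width problem as in fillers.h. The enclosing `BPF_PROG(prctl_x, ...)` starts before and continues after this hunk.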
@@ -7995,53 +7997,58 @@ int f_sys_prctl_x(struct event_filler_arguments *args)
 /*
 * option
 */
- syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val);
- res = val_to_ring(args, val, 0, false, 0);
- if (unlikely(res != PPM_SUCCESS))
- {
- return res;
- }
+ syscall_get_arguments_deprecated(current, args->regs, 0, 1, &option);
+ res = val_to_ring(args, option, 0, false, 0);
+ CHECK_RES(res);
 /*
 * arg2
 */
- syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val);
- res = val_to_ring(args, val, 0, true, 0);
- if (unlikely(res != PPM_SUCCESS))
- {
- return res;
- }
+ syscall_get_arguments_deprecated(current, args->regs, 1, 1, &arg2);
+ res = val_to_ring(args, arg2, 0, true, 0);
+ CHECK_RES(res);
 /*
 * arg3
 */
 syscall_get_arguments_deprecated(current, args->regs, 2, 1, &val);
 res = val_to_ring(args, val, 0, false, 0);
- if (unlikely(res != PPM_SUCCESS))
- {
- return res;
- }
+ CHECK_RES(res);
 /*
 * arg4
 */
 syscall_get_arguments_deprecated(current, args->regs, 3, 1, &val);
 res = val_to_ring(args, val, 0, false, 0);
- if (unlikely(res != PPM_SUCCESS))
- {
- return res;
- }
+ CHECK_RES(res);
 /*
 * arg5
 */
 syscall_get_arguments_deprecated(current, args->regs, 4, 1, &val);
 res = val_to_ring(args, val, 0, false, 0);
- if (unlikely(res != PPM_SUCCESS))
- {
- return res;
+ CHECK_RES(res);
+
+ /*
+ * arg2str
+ */
+ //res = val_to_ring(args, option, 0, false, 0);
+ if(option == 15){
+ arg2 = (syscall_arg_t)NULL;
 }
+ res = val_to_ring(args, arg2, 0, true, 0);
+ CHECK_RES(res);
+ /*
+ * arg2int
+ */
+ if(option == 37){
+ int reaper_pid;
+ res = ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(int));
+ arg2 = (unsigned long)reaper_pid;
+ }
+ res = val_to_ring(args, arg2, 0, true, 0);
+ CHECK_RES(res);
 return add_sentinel(args);
 }
diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
index 479a7a2423d..bd676cbf4a1 100644
--- a/driver/ppm_fillers.h
+++ b/driver/ppm_fillers.h
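Review bot: In the arg2int block, `res = ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(int));` is overwritten by the `val_to_ring` two lines later before anything tests it, so a faulting user pointer is never detected and, assuming `ppm_copy_from_user` keeps `copy_from_user`'s contract of zeroing the uncopied bytes, the event reports a subreaper value of 0 that is indistinguishable from a real one. Test the copy the way this file does elsewhere: `int reaper_pid = 0;` / `if (unlikely(ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(reaper_pid)))) return PPM_FAILURE_INVALID_USER_MEMORY;` / `arg2 = (unsigned long)reaper_pid;`, or explicitly document that a 0 is pushed on fault if dropping the event is not wanted. The arg2int `val_to_ring(args, arg2, 0, true, 0)` passes `fromuser = true` for a PT_UINT64 slot, which reads as if a user copy were intended; use `false` as the arg3–arg5 calls do. The arg2str section also relies on `arg2` having been set to NULL for option 15 so that the later arg2int push yields 0, which deserves a one-line comment, and the commented-out `//res = val_to_ring(args, option, 0, false, 0);` should be dropped rather than committed.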
@@ -172,7 +172,6 @@ or GPL2.txt for full copies of the license.
 FN(sys_eventfd2_x) \
 FN(sys_signalfd4_e) \
 FN(sys_signalfd4_x) \
- FN(sys_prctl_e) \
 FN(sys_prctl_x) \
 FN(terminate_filler)