-
Notifications
You must be signed in to change notification settings - Fork 164
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
update: support new
umount
event pair
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
- Loading branch information
1 parent
4cf0db4
commit ce3023e
Showing
15 changed files
with
219 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
72 changes: 72 additions & 0 deletions
72
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount.bpf.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
/* | ||
* Copyright (C) 2023 The Falco Authors. | ||
* | ||
* This file is dual licensed under either the MIT or GPL 2. See MIT.txt | ||
* or GPL2.txt for full copies of the license. | ||
*/ | ||
|
||
#include <helpers/interfaces/fixed_size_event.h> | ||
#include <helpers/interfaces/variable_size_event.h> | ||
|
||
/*=============================== ENTER EVENT ===========================*/ | ||
|
||
SEC("tp_btf/sys_enter") | ||
int BPF_PROG(umount_e, | ||
struct pt_regs *regs, | ||
long id) | ||
{ | ||
struct ringbuf_struct ringbuf; | ||
if(!ringbuf__reserve_space(&ringbuf, UMOUNT_E_SIZE)) | ||
{ | ||
return 0; | ||
} | ||
|
||
ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT_1_E); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
// Here we have no parameters to collect. | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
ringbuf__submit_event(&ringbuf); | ||
|
||
return 0; | ||
} | ||
|
||
/*=============================== ENTER EVENT ===========================*/ | ||
|
||
/*=============================== EXIT EVENT ===========================*/ | ||
|
||
SEC("tp_btf/sys_exit") | ||
int BPF_PROG(umount_x, | ||
struct pt_regs *regs, | ||
long ret) | ||
{ | ||
struct auxiliary_map *auxmap = auxmap__get(); | ||
if(!auxmap) | ||
{ | ||
return 0; | ||
} | ||
|
||
auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT_1_X); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
/* Parameter 1: res (type: PT_ERRNO) */ | ||
auxmap__store_s64_param(auxmap, ret); | ||
|
||
/* Parameter 2: name (type: PT_FSPATH) */ | ||
unsigned long target_pointer = extract__syscall_argument(regs, 0); | ||
auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER); | ||
|
||
/*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
||
auxmap__finalize_event_header(auxmap); | ||
|
||
auxmap__submit_event(auxmap); | ||
|
||
return 0; | ||
} | ||
|
||
/*=============================== EXIT EVENT ===========================*/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
#include "../../event_class/event_class.h" | ||
|
||
#ifdef __NR_umount | ||
|
||
TEST(SyscallEnter, umountE) | ||
{ | ||
auto evt_test = get_syscall_event_test(__NR_umount, ENTER_EVENT); | ||
|
||
evt_test->enable_capture(); | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
const char* target = "//**null-file-path**//"; | ||
assert_syscall_state(SYSCALL_FAILURE, "umount", syscall(__NR_umount, target)); | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
evt_test->disable_capture(); | ||
|
||
evt_test->assert_event_presence(); | ||
|
||
if(HasFatalFailure()) | ||
{ | ||
return; | ||
} | ||
|
||
evt_test->parse_event(); | ||
|
||
evt_test->assert_header(); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
// Here we have no parameters to assert. | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
evt_test->assert_num_params_pushed(0); | ||
} | ||
#endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
#include "../../event_class/event_class.h" | ||
|
||
#ifdef __NR_umount | ||
|
||
TEST(SyscallExit, umountX) | ||
{ | ||
auto evt_test = get_syscall_event_test(__NR_umount, EXIT_EVENT); | ||
|
||
evt_test->enable_capture(); | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
const char* target = "//**null-file-path**//"; | ||
assert_syscall_state(SYSCALL_FAILURE, "umount", syscall(__NR_umount, target)); | ||
int64_t errno_value = -errno; | ||
|
||
/*=============================== TRIGGER SYSCALL ===========================*/ | ||
|
||
evt_test->disable_capture(); | ||
|
||
evt_test->assert_event_presence(); | ||
|
||
if(HasFatalFailure()) | ||
{ | ||
return; | ||
} | ||
|
||
evt_test->parse_event(); | ||
|
||
evt_test->assert_header(); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
/* Parameter 1: res (type: PT_ERRNO) */ | ||
evt_test->assert_numeric_param(1, (int64_t)errno_value); | ||
|
||
/* Parameter 2: name (type: PT_FSPATH) */ | ||
evt_test->assert_charbuf_param(2, target); | ||
|
||
/*=============================== ASSERT PARAMETERS ===========================*/ | ||
|
||
evt_test->assert_num_params_pushed(2); | ||
} | ||
#endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters