update: support new umount2 event pair

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

driver/bpf/fillers.h

@@ -133,6 +133,7 @@ FILLER_RAW(terminate_filler)
 			case PPME_SYSCALL_MOUNT_E:
 			case PPME_SYSCALL_UMOUNT_E:
 			case PPME_SYSCALL_UMOUNT_1_E:
+			case PPME_SYSCALL_UMOUNT2_E:
 			case PPME_SYSCALL_RENAME_E:
 			case PPME_SYSCALL_RENAMEAT_E:
 			case PPME_SYSCALL_RENAMEAT2_E:
@@ -216,6 +217,7 @@ FILLER_RAW(terminate_filler)
 			case PPME_SYSCALL_MOUNT_X:
 			case PPME_SYSCALL_UMOUNT_X:
 			case PPME_SYSCALL_UMOUNT_1_X:
+			case PPME_SYSCALL_UMOUNT2_X:
 			case PPME_SYSCALL_RENAME_X:
 			case PPME_SYSCALL_RENAMEAT_X:
 			case PPME_SYSCALL_RENAMEAT2_X:
@@ -6151,6 +6153,25 @@ FILLER(sys_umount_x, true)
 	return  bpf_val_to_ring(data, target_pointer);
 }
 
+FILLER(sys_umount2_e, true)
+{
+	/* Parameter 1: flags (type: PT_FLAGS32) */
+	u32 flags = (u32)bpf_syscall_get_argument(data, 1);
+	return bpf_val_to_ring(data, flags);
+}
+
+FILLER(sys_umount2_x, true)
+{
+	/* Parameter 1: res (type: PT_ERRNO) */
+	long retval = bpf_syscall_get_retval(data->ctx);
+	int res = bpf_val_to_ring_type(data, retval, PT_ERRNO);
+	CHECK_RES(res);
+
+	/* Parameter 2: name (type: PT_FSPATH) */
+	unsigned long target_pointer = bpf_syscall_get_argument(data, 0);
+	return  bpf_val_to_ring(data, target_pointer);
+}
+
 #ifdef CAPTURE_SCHED_PROC_EXEC
 /* We set `is_syscall` flag to `false` since this is not
  * a real syscall, we only send the same event from another

driver/event_table.c

@@ -270,8 +270,8 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_PPOLL_X] = {"ppoll", EC_WAIT | EC_SYSCALL, EF_WAITS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } },
 	[PPME_SYSCALL_MOUNT_E] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } },
 	[PPME_SYSCALL_MOUNT_X] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dev", PT_CHARBUF, PF_NA}, {"dir", PT_FSPATH, PF_NA}, {"type", PT_CHARBUF, PF_NA} } },
-	[PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, // right now this event pair is used by umount2 syscall, we need to create a new event pair `PPME_SYSCALL_UMOUNT2_E/PPME_SYSCALL_UMOUNT2_X` with name "umount2" we cannot change the name here otherwise we break scap-files compatibility.
-	[PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
+	[PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } },
+	[PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 	[PPME_K8S_E] = {"k8s", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
 	[PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
 	[PPME_SYSCALL_SEMGET_E] = {"semget", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } },
@@ -400,6 +400,8 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_FCHOWNAT_X] = {"fchownat", EC_FILE | EC_SYSCALL, EF_NONE, 6, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"pathname", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, fchownat_flags}} },
 	[PPME_SYSCALL_UMOUNT_1_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 0},
 	[PPME_SYSCALL_UMOUNT_1_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
+	[PPME_SYSCALL_UMOUNT2_E] = {"umount2", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } },
+	[PPME_SYSCALL_UMOUNT2_X] = {"umount2", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 
 	/* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters.
 	 *     New event types are allowed only for new syscalls or new internal events.

driver/fillers_table.c

@@ -246,8 +246,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */
 	[PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},
 	[PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_autofill), 4, APT_REG, {{AF_ID_RETVAL}, {0}, {1}, {2} } },
-	[PPME_SYSCALL_UMOUNT_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{1} } },
-	[PPME_SYSCALL_UMOUNT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0} } },
 	[PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)},
 	[PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)},
 	[PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)},
@@ -342,4 +340,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_FCHOWNAT_X] = {FILLER_REF(sys_fchownat_x)},
 	[PPME_SYSCALL_UMOUNT_1_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)},
+	[PPME_SYSCALL_UMOUNT2_E] = {FILLER_REF(sys_umount2_e)},
+	[PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)},
 };

driver/flags_table.c

@@ -179,7 +179,9 @@ const struct ppm_name_value mount_flags[] = {
 	{0, 0},
 };
 
-/* http://lxr.free-electrons.com/source/include/linux/fs.h?v=4.2#L1251 */
+/* There is a 1:1 mapping between `umount2` flags and our `PPM` notation, so we don't
+ * need a dedicated helper for the conversion.
+ */
 const struct ppm_name_value umount_flags[] = {
 	{"FORCE", PPM_MNT_FORCE},
 	{"DETACH", PPM_MNT_DETACH},
@@ -642,4 +644,4 @@ const struct ppm_name_value fsconfig_cmds[] = {
 const struct ppm_name_value epoll_create1_flags[] = {
 	{"EPOLL_CLOEXEC", PPM_EPOLL_CLOEXEC},
 	{0, 0},
-};
+};

driver/main.c

@@ -1476,6 +1476,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 	case PPME_SYSCALL_MOUNT_E:
 	case PPME_SYSCALL_UMOUNT_E:
 	case PPME_SYSCALL_UMOUNT_1_E:
+	case PPME_SYSCALL_UMOUNT2_E:
 	case PPME_SYSCALL_RENAME_E:
 	case PPME_SYSCALL_RENAMEAT_E:
 	case PPME_SYSCALL_RENAMEAT2_E:
@@ -1547,6 +1548,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 	case PPME_SYSCALL_MOUNT_X:
 	case PPME_SYSCALL_UMOUNT_X:
 	case PPME_SYSCALL_UMOUNT_1_X:
+	case PPME_SYSCALL_UMOUNT2_X:
 	case PPME_SYSCALL_RENAME_X:
 	case PPME_SYSCALL_RENAMEAT_X:
 	case PPME_SYSCALL_RENAMEAT2_X:

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 The Falco Authors.
+ * Copyright (C) 2023 The Falco Authors.
  *
  * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
  * or GPL2.txt for full copies of the license.
@@ -21,8 +21,7 @@ int BPF_PROG(umount2_e,
 		return 0;
 	}
 
-	/// TODO: This event should be called `PPME_SYSCALL_UMOUNT2_E`.
-	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT_E);
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT2_E);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -52,8 +51,7 @@ int BPF_PROG(umount2_x,
 		return 0;
 	}
 
-	/// TODO: This event should be called `PPME_SYSCALL_UMOUNT2_X`.
-	auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT_X);
+	auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT2_X);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/ppm_events_public.h

@@ -1190,7 +1190,9 @@ typedef enum {
 	PPME_SYSCALL_FCHOWNAT_X = 385,
 	PPME_SYSCALL_UMOUNT_1_E = 386,
 	PPME_SYSCALL_UMOUNT_1_X = 387,
-	PPM_EVENT_MAX = 388
+	PPME_SYSCALL_UMOUNT2_E = 388,
+	PPME_SYSCALL_UMOUNT2_X = 389,
+	PPM_EVENT_MAX = 390
 } ppm_event_code;
 /*@}*/
 

driver/ppm_fillers.c

@@ -7004,6 +7004,38 @@ int f_sys_umount_x(struct event_filler_arguments *args)
 	return add_sentinel(args);
 }
 
+int f_sys_umount2_e(struct event_filler_arguments *args)
+{
+	unsigned long val;
+	int res;
+
+	/* Parameter 1: flags (type: PT_FLAGS32) */
+	syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val);
+	res = val_to_ring(args, val, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
+int f_sys_umount2_x(struct event_filler_arguments *args)
+{
+	unsigned long val;
+	int res;
+	int64_t retval;
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	retval = (int64_t)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: name (type: PT_FSPATH) */
+	syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val);
+	res = val_to_ring(args, val, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 #ifdef CAPTURE_SCHED_PROC_EXEC
 int f_sched_prog_exec(struct event_filler_arguments *args)
 {

driver/ppm_fillers.h

@@ -157,6 +157,8 @@ or GPL2.txt for full copies of the license.
 	FN(sys_signalfd_e)                 \
 	FN(sys_splice_e)				\
 	FN(sys_umount_x)				\
+	FN(sys_umount2_e)				\
+	FN(sys_umount2_x)				\
 	FN(terminate_filler)
 
 #define FILLER_ENUM_FN(x) PPM_FILLER_##x,

driver/syscall_table.c

@@ -178,7 +178,9 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_chmod - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_CHMOD_E, PPME_SYSCALL_CHMOD_X, PPM_SC_CHMOD},
 #endif
 	[__NR_mount - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_MOUNT_E, PPME_SYSCALL_MOUNT_X, PPM_SC_MOUNT},
-	[__NR_umount2 - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT2},
+#ifdef __NR_umount2
+	[__NR_umount2 - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SYSCALL_UMOUNT2_E, PPME_SYSCALL_UMOUNT2_X, PPM_SC_UMOUNT2},
+#endif
 	[__NR_ptrace - SYSCALL_TABLE_ID0] =                     {UF_USED, PPME_SYSCALL_PTRACE_E, PPME_SYSCALL_PTRACE_X, PPM_SC_PTRACE},
 #ifdef __NR_socket
 	[__NR_socket - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPM_SC_SOCKET},
@@ -1018,7 +1020,9 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_ia32_chmod - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_CHMOD_E, PPME_SYSCALL_CHMOD_X, PPM_SC_CHMOD},
 #endif
 	[__NR_ia32_mount - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_MOUNT_E, PPME_SYSCALL_MOUNT_X, PPM_SC_MOUNT},
-	[__NR_ia32_umount2 - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT2},
+#ifdef __NR_ia32_umount2
+	[__NR_ia32_umount2 - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SYSCALL_UMOUNT2_E, PPME_SYSCALL_UMOUNT2_X, PPM_SC_UMOUNT2},
+#endif
 	[__NR_ia32_ptrace - SYSCALL_TABLE_ID0] =                     {UF_USED, PPME_SYSCALL_PTRACE_E, PPME_SYSCALL_PTRACE_X, PPM_SC_PTRACE},
 
 #ifndef __NR_ia32_socketcall

test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp

@@ -12,8 +12,8 @@ TEST(SyscallEnter, umount2E)
 
 	/*=============================== TRIGGER SYSCALL ===========================*/
 
-	const char* target = "/no_mount_point/xyzk-target";
-	unsigned long flags = MNT_FORCE;
+	const char* target = "//**null-file-path**//";
+	unsigned long flags = MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW;
 	assert_syscall_state(SYSCALL_FAILURE, "umount2", syscall(__NR_umount2, target, flags));
 
 	/*=============================== TRIGGER SYSCALL ===========================*/
@@ -34,7 +34,7 @@ TEST(SyscallEnter, umount2E)
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
 	/* Parameter 1: flags (type: PT_FLAGS32) */
-	evt_test->assert_numeric_param(1, (uint32_t)MNT_FORCE);
+	evt_test->assert_numeric_param(1, (uint32_t)(PPM_MNT_FORCE | PPM_MNT_DETACH | PPM_MNT_EXPIRE | PPM_UMOUNT_NOFOLLOW));
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 

test/drivers/test_suites/syscall_exit_suite/umount2_x.cpp

@@ -12,7 +12,7 @@ TEST(SyscallExit, umount2X)
 
 	/*=============================== TRIGGER SYSCALL ===========================*/
 
-	const char* target = "/no_mount_point/xyzk-target";
+	const char* target = "//**null-file-path**//";
 	unsigned long flags = MNT_FORCE;
 	assert_syscall_state(SYSCALL_FAILURE, "umount2", syscall(__NR_umount2, target, flags));
 	int64_t errno_value = -errno;

userspace/libpman/src/events_prog_names.h

@@ -134,9 +134,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_UNSHARE_X] = "unshare_x",
 	[PPME_SYSCALL_MOUNT_E] = "mount_e",
 	[PPME_SYSCALL_MOUNT_X] = "mount_x",
-	/* These events should be called `PPME_SYSCALL_UMOUNT2_...` */
-	[PPME_SYSCALL_UMOUNT_E] = "umount2_e",
-	[PPME_SYSCALL_UMOUNT_X] = "umount2_x",
+	[PPME_SYSCALL_UMOUNT2_E] = "umount2_e",
+	[PPME_SYSCALL_UMOUNT2_X] = "umount2_x",
 	[PPME_SYSCALL_LINK_2_E] = "link_e",
 	[PPME_SYSCALL_LINK_2_X] = "link_x",
 	[PPME_SYSCALL_LINKAT_2_E] = "linkat_e",

userspace/libsinsp/test/events_file.ut.cpp

@@ -197,3 +197,18 @@ TEST_F(sinsp_with_test_input, umount)
 	ASSERT_EQ(get_field_as_string(evt, "evt.arg.res"), "0");
 	ASSERT_EQ(get_field_as_string(evt, "evt.arg.name"), "/target_name");
 }
+
+TEST_F(sinsp_with_test_input, umount2)
+{
+    add_default_init_thread();
+
+    open_inspector();
+    sinsp_evt* evt = NULL;
+
+    add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT2_E, 1, 10);
+    evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT2_X, 2, 0, "/target_name");
+    ASSERT_EQ(get_field_as_string(evt, "evt.type"), "umount2");
+    ASSERT_EQ(get_field_as_string(evt, "evt.category"), "file");
+    ASSERT_EQ(get_field_as_string(evt, "evt.arg.res"), "0");
+    ASSERT_EQ(get_field_as_string(evt, "evt.arg.name"), "/target_name");
+}

userspace/libsinsp/test/table/event_table.cpp

@@ -2,7 +2,7 @@
 #include <sinsp.h>
 
 /* These numbers must be updated when we add new events */
-#define SYSCALL_EVENTS_NUM 342
+#define SYSCALL_EVENTS_NUM 344
 #define TRACEPOINT_EVENTS_NUM 6
 #define METAEVENTS_NUM 19
 #define PLUGIN_EVENTS_NUM 1