From d7e53b87c64d6f16ec930982eaa11900dbf930ab Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 29 Mar 2023 20:31:10 +0000 Subject: [PATCH 01/22] new(driver,userspace/libscap): initial prctl syscall support Signed-off-by: Roberto Scolaro --- driver/event_table.c | 2 + driver/fillers_table.c | 1 + driver/ppm_events_public.h | 10 ++++- driver/ppm_fillers.c | 60 +++++++++++++++++++++++++++ driver/ppm_fillers.h | 1 + driver/syscall_table.c | 2 +- userspace/libscap/linux/scap_ppm_sc.c | 2 + 7 files changed, 76 insertions(+), 2 deletions(-) diff --git a/driver/event_table.c b/driver/event_table.c index 0e84fa5a14..b6d4ce5fff 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -449,6 +449,8 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_EVENTFD2_X] = {"eventfd2", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX, file_flags} } }, [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}}, [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX}}}, + [PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 5, {{"option", PF_DEC}, {"arg2", PT_CHARBUF,PT_UINT64}, {"arg3", PT_UINT64}, {"arg4", PT_UINT64}, {"arg5", PT_UINT64} } }, + [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}} }, }; // This code is compiled on windows and osx too! diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 279a468ae3..d889815e94 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c 
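Review bot: Two parameter descriptors in the new `PPME_SYSCALL_PRCTL_E` entry of `event_table.c` put a value in the wrong slot: `{"option", PF_DEC}` has a print format where the neighbouring entries have a `PT_*` type, and `{"arg2", PT_CHARBUF,PT_UINT64}` has a type where they have a `PF_*` format. Any consumer that sizes or decodes a parameter from the table would then read `option` with whatever type happens to share `PF_DEC`'s numeric value. Something like `{"option", PT_UINT32, PF_DEC}, {"arg2", PT_UINT64, PF_HEX}` keeps both fields in their own enum. The same two descriptors are carried unchanged into the `event_table.c` hunk of PATCH 03.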
@@ -336,4 +336,5 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_EVENTFD2_X] = {FILLER_REF(sys_eventfd2_x)}, [PPME_SYSCALL_SIGNALFD4_E] = {FILLER_REF(sys_signalfd4_e)}, [PPME_SYSCALL_SIGNALFD4_X] = {FILLER_REF(sys_signalfd4_x)}, + [PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_prctl_e)}, }; diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 5284930929..46ca4f855c 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -711,6 +711,11 @@ or GPL2.txt for full copies of the license. */ #define PPM_EPOLL_CLOEXEC (1 << 0) +/* + * Prctl flags + */ +//XXX TODO ADD FLAGS + /* * SuS says limits have to be unsigned. * Which makes a ton more sense anyway. @@ -1202,7 +1207,9 @@ typedef enum { PPME_SYSCALL_EVENTFD2_X = 397, PPME_SYSCALL_SIGNALFD4_E = 398, PPME_SYSCALL_SIGNALFD4_X = 399, - PPM_EVENT_MAX = 400 + PPME_SYSCALL_PRCTL_E = 400, + PPME_SYSCALL_PRCTL_X = 401, + PPM_EVENT_MAX = 402 } ppm_event_code; /*@}*/ @@ -1916,6 +1923,7 @@ extern const struct ppm_name_value mlock2_flags[]; extern const struct ppm_name_value fsconfig_cmds[]; extern const struct ppm_name_value epoll_create1_flags[]; extern const struct ppm_name_value fchownat_flags[]; +//XXX ADD HERE IF PRCTL FLAGS ARE PRESENT extern const struct ppm_param_info sockopt_dynamic_param[]; extern const struct ppm_param_info ptrace_dynamic_param[]; diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 8015a28a69..dd9c93ced0 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c 
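Review bot: `PPME_SYSCALL_PRCTL_X` gets no entry in `g_ppm_events` in the `fillers_table.c` hunk, although this commit adds the event to the event table and routes `__NR_prctl` to it in `syscall_table.c`. The slot stays zero-initialised, so if the driver calls the filler through this table without a null check (not visible here), the exit path of every prctl call would go through a NULL callback in kernel context. Registering both halves in the same commit, for example `[PPME_SYSCALL_PRCTL_X] = {FILLER_REF(sys_empty)},` until the real filler exists, keeps each commit of the series loadable. PATCH 03 has the mirror problem: it comments out the `PPME_SYSCALL_PRCTL_E` line while the syscall table still dispatches that event.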
@@ -7978,3 +7978,63 @@ int f_sched_prog_fork(struct event_filler_arguments *args) return add_sentinel(args); } #endif + +int f_sys_prctl_e(struct event_filler_arguments *args) +{ + int res; + syscall_arg_t val; + //unsigned long flags; + + /* + * option + */ + syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val); + res = val_to_ring(args, val, 0, false, 0); + if (unlikely(res != PPM_SUCCESS)) + { + return res; + } + + /* + * arg2 + */ + syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + if (unlikely(res != PPM_SUCCESS)) + { + return res; + } + + /* + * arg3 + */ + syscall_get_arguments_deprecated(current, args->regs, 2, 1, &val); + res = val_to_ring(args, val, 0, false, 0); + if (unlikely(res != PPM_SUCCESS)) + { + return res; + } + + /* + * arg4 + */ + syscall_get_arguments_deprecated(current, args->regs, 3, 1, &val); + res = val_to_ring(args, val, 0, false, 0); + if (unlikely(res != PPM_SUCCESS)) + { + return res; + } + + /* + * arg5 + */ + syscall_get_arguments_deprecated(current, args->regs, 4, 1, &val); + res = val_to_ring(args, val, 0, false, 0); + if (unlikely(res != PPM_SUCCESS)) + { + return res; + } + + + return add_sentinel(args); +} diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index 2f52524503..6b2eef7fd5 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -172,6 +172,7 @@ or GPL2.txt for full copies of the license. FN(sys_eventfd2_x) \ FN(sys_signalfd4_e) \ FN(sys_signalfd4_x) \ + FN(sys_prctl_e) \ FN(terminate_filler) #define FILLER_ENUM_FN(x) PPM_FILLER_##x, diff --git a/driver/syscall_table.c b/driver/syscall_table.c index 378240b883..586e0bc903 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c 
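Review bot: In `f_sys_prctl_e` the `arg2` push passes `true` as the fourth `val_to_ring` argument, unlike the other four pushes, so together with the `PT_CHARBUF` type the table gives `arg2` the driver appears to treat the value as a user-space string pointer for every option. For most prctl options `arg2` is a plain integer or a pointer to something that is not a string, so the kernel module would attempt a string read at an address the traced process chooses freely, and at syscall entry a `PR_GET_NAME` buffer has not been filled yet. Push the raw register with `res = val_to_ring(args, val, 0, false, 0);` and resolve the string only for `PR_SET_NAME`, on the exit side. The commented-out `//unsigned long flags;` can be dropped.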
@@ -459,7 +459,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_sched_get_priority_min - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MIN}, [__NR_sched_rr_get_interval - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_RR_GET_INTERVAL}, [__NR_mremap - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MREMAP}, - [__NR_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PRCTL}, + [__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X }, #ifdef __NR_arch_prctl [__NR_arch_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ARCH_PRCTL}, #endif diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c index 98ebe3a616..f84c260184 100644 --- a/userspace/libscap/linux/scap_ppm_sc.c +++ b/userspace/libscap/linux/scap_ppm_sc.c @@ -48,6 +48,8 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SYSCALL_EXECVE_8_X] = (ppm_sc_code[]){PPM_SC_EXECVE, -1}, [PPME_SYSCALL_CLONE_11_E] = (ppm_sc_code[]){PPM_SC_CLONE, -1}, [PPME_SYSCALL_CLONE_11_X] = (ppm_sc_code[]){PPM_SC_CLONE, -1}, + [PPME_SYSCALL_PRCTL_E] = (ppm_sc_code[]){PPM_SC_PRCTL, -1}, + [PPME_SYSCALL_PRCTL_X] = (ppm_sc_code[]){PPM_SC_PRCTL, -1}, [PPME_PROCEXIT_E] = (ppm_sc_code[]){PPM_SC_SCHED_PROCESS_EXIT, -1}, [PPME_PROCEXIT_X] = NULL, [PPME_SOCKET_SOCKET_E] = (ppm_sc_code[]){PPM_SC_SOCKET, -1}, From c753a772198cfa518591eb049294327ed5b6571f Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Thu, 30 Mar 2023 13:35:53 +0000 Subject: [PATCH 02/22] new(bpf,modern_bpf): initial prctl syscall support 
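Review bot: The rewritten `__NR_prctl` entry in `syscall_table.c` drops `.ppm_sc = PPM_SC_PRCTL`, which every neighbouring entry in the hunk still sets, so the `ppm_sc` field of this slot falls back to zero. Anything that maps a syscall id to its `PPM_SC_*` code through `g_syscall_table` would then see the wrong code for prctl. Keep the designator in the initializer by appending `.ppm_sc = PPM_SC_PRCTL` after the three positional values. PATCH 02 restores the value, but positionally, which still reads differently from the rest of the table.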
Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 61 +++++++++++++ .../definitions/events_dimensions.h | 2 + .../syscall_dispatched_events/prctl.bpf.c | 85 +++++++++++++++++++ driver/ppm_fillers.h | 1 + driver/syscall_table.c | 2 +- userspace/libpman/src/events_prog_names.h | 2 + 6 files changed, 152 insertions(+), 1 deletion(-) create mode 100644 driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 6f83b9b241..568566812f 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -7111,4 +7111,65 @@ FILLER(sched_prog_fork_3, false) } #endif +FILLER(sys_prctl_e, true) +{ + int val; + unsigned long arg; + int res; + + /* + * option + */ + val = bpf_syscall_get_argument(data, 0); + res = bpf_val_to_ring(data, val); + if (res != PPM_SUCCESS) + return res; + + /* + * arg2 + */ + arg = bpf_syscall_get_argument(data, 1); + res = bpf_val_to_ring(data, arg); + if (res != PPM_SUCCESS) + return res; + + /* + * arg3 + */ + arg = bpf_syscall_get_argument(data, 2); + res = bpf_val_to_ring(data, arg); + if (res != PPM_SUCCESS) + return res; + + /* + * arg4 + */ + val = bpf_syscall_get_argument(data, 3); + res = bpf_val_to_ring(data, arg); + if (res != PPM_SUCCESS) + return res; + + /* + * arg5 + */ + arg = bpf_syscall_get_argument(data, 4); + res = bpf_val_to_ring(data, arg); + if (res != PPM_SUCCESS) + return res; + + return res; +} + +FILLER(sys_prctl_x, true) +{ + int res; + long retval; + + retval = bpf_syscall_get_retval(data->ctx); + res = bpf_val_to_ring(data, retval); + + return res; +} + + #endif diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index 06cbdec9cc..9b9e50b1ae 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h 
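Review bot: The `arg4` block in `FILLER(sys_prctl_e, true)` reads the fourth argument into `val` but then pushes `arg`, which still holds `arg3`, so the event reports `arg3` twice and never reports `arg4`. The fix is `arg = bpf_syscall_get_argument(data, 3);` in front of the unchanged `bpf_val_to_ring(data, arg);`. `option` also goes through `int val` while the other arguments use `unsigned long`; a single variable for all five pushes would have prevented the mix-up. The later hunks on this file in PATCH 03 and PATCH 05 move the body into `sys_prctl_x` without showing these lines as changed, so the defect appears to survive the refactor.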
@@ -235,6 +235,8 @@ #define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN +#define PRCTL_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint32_t) * 4 + 5 * PARAM_LEN +#define PRCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN /* Generic tracepoints events. */ #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4 diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c new file mode 100644 index 0000000000..f3c7e0f262 --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c 
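Review bot: `PRCTL_E_SIZE` reserves `sizeof(uint32_t) * 4` for `arg2` to `arg5`, and the new `prctl.bpf.c` in this commit stores them through `(s32)` casts, while the comments in that file call them `PT_UINT64`. On a 64-bit kernel this cuts pointers and flag words in half, and the modern probe then emits a different layout from the kernel-module filler of PATCH 01, which pushes full `syscall_arg_t` values. Size the four slots as `sizeof(uint64_t) * 4` and store them 64 bits wide so all three drivers produce the same event.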
@@ -0,0 +1,85 @@ +/* + * Copyright (C) 2023 The Falco Authors. + * + * This file is dual licensed under either the MIT or GPL 2. See MIT.txt + * or GPL2.txt for full copies of the license. + */ + +#include + +/*=============================== ENTER EVENT ===========================*/ + +SEC("tp_btf/sys_enter") +int BPF_PROG(prctl_e, + struct pt_regs *regs, + long id) +{ + struct ringbuf_struct ringbuf; + if(!ringbuf__reserve_space(&ringbuf, PRCTL_E_SIZE)) + { + return 0; + } + + ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_PRCTL_E); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + /* Parameter 1: option (type: PT_UINT32)*/ + s32 option = (s32)extract__syscall_argument(regs, 0); + ringbuf__store_s32(&ringbuf, (s32)option); + + /* Parameter 2: arg2 (type: PT_UINT64)*/ + s32 arg2 = (s32)extract__syscall_argument(regs, 1); + ringbuf__store_s32(&ringbuf, (s32)arg2); + + /* Parameter 3: arg3 (type: PT_UINT64)*/ + s32 arg3 = (s32)extract__syscall_argument(regs, 2); + ringbuf__store_s32(&ringbuf, (s32)arg3); + + /* Parameter 4: arg4 (type: PT_UINT64)*/ + s32 arg4 = (s32)extract__syscall_argument(regs, 3); + ringbuf__store_s32(&ringbuf, (s32)arg4); + + /* Parameter 5: arg5 (type: PT_UINT64)*/ + s32 arg5 = (s32)extract__syscall_argument(regs, 4); + ringbuf__store_s32(&ringbuf, (s32)arg5); + + + /*=============================== COLLECT PARAMETERS ===========================*/ + + ringbuf__submit_event(&ringbuf); + + return 0; +} + +/*=============================== ENTER EVENT ===========================*/ + +/*=============================== EXIT EVENT ===========================*/ + +SEC("tp_btf/sys_exit") +int BPF_PROG(prctl_x, + struct pt_regs *regs, + long ret) +{ + struct ringbuf_struct ringbuf; + //XXX the +2 is problably wrong but without it the verifier will complain + if(!ringbuf__reserve_space(&ringbuf, PRCTL_X_SIZE+2)) + { + return 0; + } + + ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_PRCTL_X); + + 
/*=============================== COLLECT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + ringbuf__store_s64(&ringbuf, (s64)ret); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + ringbuf__submit_event(&ringbuf); + + return 0; +} + +/*=============================== EXIT EVENT ===========================*/ diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index 6b2eef7fd5..479a7a2423 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -173,6 +173,7 @@ or GPL2.txt for full copies of the license. FN(sys_signalfd4_e) \ FN(sys_signalfd4_x) \ FN(sys_prctl_e) \ + FN(sys_prctl_x) \ FN(terminate_filler) #define FILLER_ENUM_FN(x) PPM_FILLER_##x, diff --git a/driver/syscall_table.c b/driver/syscall_table.c index 586e0bc903..c395e9cda6 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c @@ -459,7 +459,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_sched_get_priority_min - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MIN}, [__NR_sched_rr_get_interval - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_RR_GET_INTERVAL}, [__NR_mremap - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MREMAP}, - [__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X }, + [__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL }, #ifdef __NR_arch_prctl [__NR_arch_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ARCH_PRCTL}, #endif diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h index 7a45ff3e0e..f288c91f2b 100644 --- a/userspace/libpman/src/events_prog_names.h +++ b/userspace/libpman/src/events_prog_names.h 
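Review bot: The `PRCTL_X_SIZE+2` reservation in `prctl_x` hides a mismatch instead of fixing it, as the `//XXX` comment next to it already suspects. The event table from PATCH 01 declares two exit parameters (`res` and `comm`), whereas `PRCTL_X_SIZE` counts a single `PARAM_LEN` and the program stores only `res`; the extra two bytes are presumably the length slot of the `comm` parameter that is never written. Either drop `comm` from the table entry or store it, and derive the size from that, so the reserved space, the declared parameter count and the stored bytes agree.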
@@ -310,6 +310,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_EVENTFD2_X] = "eventfd2_x", [PPME_SYSCALL_SIGNALFD4_E] = "signalfd4_e", [PPME_SYSCALL_SIGNALFD4_X] = "signalfd4_x", + [PPME_SYSCALL_PRCTL_E] = "prctl_e", + [PPME_SYSCALL_PRCTL_X] = "prctl_x", }; /* Some events can require more than one bpf program to collect all the data. */ From 8d8063b1632a77bdd1bac0ce8783e43fcb674e21 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Thu, 30 Mar 2023 16:05:11 +0000 Subject: [PATCH 03/22] chore(driver): prctl refactor Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 30 +++++++----- driver/event_table.c | 4 +- driver/fillers_table.c | 3 +- .../definitions/events_dimensions.h | 5 +- .../syscall_dispatched_events/prctl.bpf.c | 48 ++++++++----------- driver/ppm_fillers.c | 9 +++- 6 files changed, 55 insertions(+), 44 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 568566812f..81a6ad79cc 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -7111,11 +7111,30 @@ FILLER(sched_prog_fork_3, false) } #endif +/* FILLER(sys_prctl_e, true) +{ + int res; + long retval; + + retval = bpf_syscall_get_retval(data->ctx); + res = bpf_val_to_ring(data, retval); + + return res; +} +*/ + +FILLER(sys_prctl_x, true) { int val; unsigned long arg; int res; + long retval; + + retval = bpf_syscall_get_retval(data->ctx); + res = bpf_val_to_ring(data, retval); + if (res != PPM_SUCCESS) + return res; /* * option @@ -7160,16 +7179,5 @@ FILLER(sys_prctl_e, true) return res; } -FILLER(sys_prctl_x, true) -{ - int res; - long retval; - - retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring(data, retval); - - return res; -} - #endif diff --git a/driver/event_table.c b/driver/event_table.c index b6d4ce5fff..f2affd5130 100644 --- a/driver/event_table.c +++ b/driver/event_table.c 
@@ -449,8 +449,8 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_EVENTFD2_X] = {"eventfd2", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX, file_flags} } }, [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}}, [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX}}}, - [PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 5, {{"option", PF_DEC}, {"arg2", PT_CHARBUF,PT_UINT64}, {"arg3", PT_UINT64}, {"arg4", PT_UINT64}, {"arg5", PT_UINT64} } }, - [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}} }, + [PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0 }, + [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 6, {{"res", PT_ERRNO, PF_DEC}, {"option", PF_DEC}, {"arg2", PT_CHARBUF,PT_UINT64}, {"arg3", PT_UINT64}, {"arg4", PT_UINT64}, {"arg5", PT_UINT64} } }, }; // This code is compiled on windows and osx too! diff --git a/driver/fillers_table.c b/driver/fillers_table.c index d889815e94..867566760f 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -336,5 +336,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_EVENTFD2_X] = {FILLER_REF(sys_eventfd2_x)}, [PPME_SYSCALL_SIGNALFD4_E] = {FILLER_REF(sys_signalfd4_e)}, [PPME_SYSCALL_SIGNALFD4_X] = {FILLER_REF(sys_signalfd4_x)}, - [PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_prctl_e)}, + //[PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_prctl_e)}, + [PPME_SYSCALL_PRCTL_X] = {FILLER_REF(sys_prctl_x)}, }; 
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index 9b9e50b1ae..fa9ecfe55e 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -235,8 +235,9 @@ #define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN -#define PRCTL_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint32_t) * 4 + 5 * PARAM_LEN -#define PRCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN +#define PRCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN +//#define PRCTL_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint32_t) * 4 + 5 * PARAM_LEN +//#define PRCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN /* Generic tracepoints events. */ #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4 diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c index f3c7e0f262..c79415b1c7 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c @@ -6,6 +6,7 @@ */ #include +#include /*=============================== ENTER EVENT ===========================*/ 
@@ -24,32 +25,15 @@ int BPF_PROG(prctl_e, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: option (type: PT_UINT32)*/ - s32 option = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s32(&ringbuf, (s32)option); - - /* Parameter 2: arg2 (type: PT_UINT64)*/ - s32 arg2 = (s32)extract__syscall_argument(regs, 1); - ringbuf__store_s32(&ringbuf, (s32)arg2); - - /* Parameter 3: arg3 (type: PT_UINT64)*/ - s32 arg3 = (s32)extract__syscall_argument(regs, 2); - ringbuf__store_s32(&ringbuf, (s32)arg3); - - /* Parameter 4: arg4 (type: PT_UINT64)*/ - s32 arg4 = (s32)extract__syscall_argument(regs, 3); - ringbuf__store_s32(&ringbuf, (s32)arg4); - - /* Parameter 5: arg5 (type: PT_UINT64)*/ - s32 arg5 = (s32)extract__syscall_argument(regs, 4); - ringbuf__store_s32(&ringbuf, (s32)arg5); - + // Here we have no parameters to collect. /*=============================== COLLECT PARAMETERS ===========================*/ ringbuf__submit_event(&ringbuf); return 0; + + } /*=============================== ENTER EVENT ===========================*/ 
@@ -61,23 +45,33 @@ int BPF_PROG(prctl_x, struct pt_regs *regs, long ret) { - struct ringbuf_struct ringbuf; - //XXX the +2 is problably wrong but without it the verifier will complain - if(!ringbuf__reserve_space(&ringbuf, PRCTL_X_SIZE+2)) + struct auxiliary_map *auxmap = auxmap__get(); + if(!auxmap) { return 0; } - ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_PRCTL_X); + auxmap__preload_event_header(auxmap, PPME_SYSCALL_PRCTL_X); /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ - ringbuf__store_s64(&ringbuf, (s64)ret); + /* Parameter 1: option (type: PT_UINT32) */ + u32 flags = (u32)extract__syscall_argument(regs, 0); + auxmap__store_u32_param(auxmap, open_flags_to_scap(flags)); + + /* Parameter 1: name (type: PT_CHARBUF) */ + unsigned long name_pointer = extract__syscall_argument(regs, 1); + auxmap__store_charbuf_param(auxmap, name_pointer, MAX_PATH, USER); + + /* Parameter 3: mode (type: PT_UINT32) */ + //unsigned long mode = extract__syscall_argument(regs, 2); + //auxmap__store_u32_param(auxmap, open_modes_to_scap(flags, mode)); /*=============================== COLLECT PARAMETERS ===========================*/ - ringbuf__submit_event(&ringbuf); + auxmap__finalize_event_header(auxmap); + + auxmap__submit_event(auxmap); return 0; } diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index dd9c93ced0..1485007f69 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -7979,12 +7979,19 @@ int f_sched_prog_fork(struct event_filler_arguments *args) } #endif -int f_sys_prctl_e(struct event_filler_arguments *args) +int f_sys_prctl_x(struct event_filler_arguments *args) { int res; + int retval; syscall_arg_t val; //unsigned long flags; + /* Parameter 1: res (type: PT_ERRNO) */ + retval = (int64_t)syscall_get_return_value(current, args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); + + /* * option */ 
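Review bot: `prctl_x` in `prctl.bpf.c` now runs the prctl option through `open_flags_to_scap(flags)`, which by its name converts open(2) flag bits, so the `option` value reaching userspace is not the one the process passed. The block also stores two parameters (both labelled `Parameter 1`) while the `PPME_SYSCALL_PRCTL_X` table entry in this commit declares six, starting with `res`, and `arg2` is read as a `MAX_PATH` user string for every option. Store `ret` first, store the option unconverted with `auxmap__store_u32_param(auxmap, (u32)extract__syscall_argument(regs, 0));`, and keep the parameter order identical to the table. The commented-out `mode` lines look like leftovers from the program this was copied from.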
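Review bot: `retval` in `f_sys_prctl_x` is declared `int` but assigned from an `(int64_t)` cast, so the widening is undone on the same line. Some prctl options hand their result back as the function value, and one wider than 32 bits may be truncated before it reaches `val_to_ring`. Declare it `int64_t retval;` to match the cast and the `PT_ERRNO` slot. The function body continues past this hunk.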
From 28499e1114150f7d61ca2c1f65258cfc8fd4455a Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Sat, 1 Apr 2023 20:28:30 +0000 Subject: [PATCH 04/22] new(driver): added prctl flags Signed-off-by: Roberto Scolaro --- driver/event_table.c | 2 +- driver/flags_table.c | 27 +++++++++++++++++++++ driver/ppm_events_public.h | 48 +++++++++++++++++++++++++++++++++++++- 3 files changed, 75 insertions(+), 2 deletions(-) diff --git a/driver/event_table.c b/driver/event_table.c index f2affd5130..a816f4d007 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -450,7 +450,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}}, [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX}}}, [PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0 }, - [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 6, {{"res", PT_ERRNO, PF_DEC}, {"option", PF_DEC}, {"arg2", PT_CHARBUF,PT_UINT64}, {"arg3", PT_UINT64}, {"arg4", PT_UINT64}, {"arg5", PT_UINT64} } }, + [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 6, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2", PT_CHARBUF,PT_UINT64}, {"arg3", PT_UINT64}, {"arg4", PT_UINT64}, {"arg5", PT_UINT64} } }, }; // This code is compiled on windows and osx too! diff --git a/driver/flags_table.c b/driver/flags_table.c index 3208c55ade..99dc351c11 100644 --- a/driver/flags_table.c +++ b/driver/flags_table.c 
@@ -650,3 +650,30 @@ const struct ppm_name_value machine_info_flags[] = { {"BPF_STATS_ENABLED", PPM_BPF_STATS_ENABLED}, {0, 0}, }; + +const struct ppm_name_value prctl_options[] = { + {"PR_GET_DUMPABLE",PPM_PR_GET_DUMPABLE}, + {"PR_SET_DUMPABLE",PPM_PR_SET_DUMPABLE}, + {"PR_GET_KEEPCAPS",PPM_PR_GET_KEEPCAPS}, + {"PR_SET_KEEPCAPS",PPM_PR_SET_KEEPCAPS}, + {"PR_SET_NAME",PPM_PR_SET_NAME}, + {"PR_GET_NAME",PPM_PR_GET_NAME}, + {"PR_GET_SECCOMP",PPM_PR_GET_SECCOMP}, + {"PR_SET_SECCOMP",PPM_PR_SET_SECCOMP}, + {"PR_CAPBSET_READ",PPM_PR_CAPBSET_READ}, + {"PR_CAPBSET_DROP",PPM_PR_CAPBSET_DROP}, + {"PR_GET_SECUREBITS",PPM_PR_GET_SECUREBITS}, + {"PR_SET_SECUREBITS",PPM_PR_SET_SECUREBITS}, + {"PR_MCE_KILL",PPM_PR_MCE_KILL}, + {"PR_MCE_KILL",PPM_PR_MCE_KILL}, + {"PR_SET_MM",PPM_PR_SET_MM}, + {"PR_SET_CHILD_SUBREAPER",PPM_PR_SET_CHILD_SUBREAPER}, + {"PR_GET_CHILD_SUBREAPER",PPM_PR_GET_CHILD_SUBREAPER}, + {"PR_SET_NO_NEW_PRIVS",PPM_PR_SET_NO_NEW_PRIVS}, + {"PR_GET_NO_NEW_PRIVS",PPM_PR_GET_NO_NEW_PRIVS}, + {"PR_GET_TID_ADDRESS",PPM_PR_GET_TID_ADDRESS}, + {"PR_SET_THP_DISABLE",PPM_PR_SET_THP_DISABLE}, + {"PR_GET_THP_DISABLE",PPM_PR_GET_THP_DISABLE}, + {"PR_CAP_AMBIENT",PPM_PR_CAP_AMBIENT}, + {0, 0}, +}; diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 46ca4f855c..03f9be89f6 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h 
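Review bot: `prctl_options` lists `{"PR_MCE_KILL",PPM_PR_MCE_KILL}` twice in a row; the second row was presumably meant to be the get counterpart, which the kernel header defines as `PR_MCE_KILL_GET` (34). As written that option has no name in the table, and the `ppm_events_public.h` hunk of this commit defines no constant for it either. Replace the duplicate with `{"PR_MCE_KILL_GET",PPM_PR_MCE_KILL_GET},` and add `#define PPM_PR_MCE_KILL_GET 34`. A one-line comment above the array saying it names only a subset of the kernel's options would tell readers that unnamed values are expected.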
@@ -714,7 +714,52 @@ or GPL2.txt for full copies of the license. /* * Prctl flags */ -//XXX TODO ADD FLAGS +//XXX take a look at https://github.com/torvalds/linux/blob/master/include/uapi/linux/prctl.h +/* Get/set current->mm->dumpable */ +#define PPM_PR_GET_DUMPABLE 3 +#define PPM_PR_SET_DUMPABLE 4 +/* Get/set whether or not to drop capabilities on setuid() away from + * uid 0 (as per security/commoncap.c) */ +#define PPM_PR_GET_KEEPCAPS 7 +#define PPM_PR_SET_KEEPCAPS 8 + +#define PPM_PR_SET_NAME 15 /* Set process name */ +#define PPM_PR_GET_NAME 16 /* Get process name */ +/* Get/set process seccomp mode */ +#define PPM_PR_GET_SECCOMP 21 +#define PPM_PR_SET_SECCOMP 22 +/* Get/set the capability bounding set (as per security/commoncap.c) */ +#define PPM_PR_CAPBSET_READ 23 +#define PPM_PR_CAPBSET_DROP 24 + +/* Get/set securebits (as per security/commoncap.c) */ +#define PPM_PR_GET_SECUREBITS 27 +#define PPM_PR_SET_SECUREBITS 28 + +/* + * Set early/late kill mode for hwpoison memory corruption. + * This influences when the process gets killed on a memory corruption. + */ +#define PPM_PR_MCE_KILL 33 + +/* + * Tune up process memory map specifics. + */ +#define PPM_PR_SET_MM 35 + +#define PPM_PR_SET_CHILD_SUBREAPER 36 +#define PPM_PR_GET_CHILD_SUBREAPER 37 + +#define PPM_PR_SET_NO_NEW_PRIVS 38 +#define PPM_PR_GET_NO_NEW_PRIVS 39 + +#define PPM_PR_GET_TID_ADDRESS 40 + +#define PPM_PR_SET_THP_DISABLE 41 +#define PPM_PR_GET_THP_DISABLE 42 + +/* Control the ambient capability set */ +#define PPM_PR_CAP_AMBIENT 47 /* * SuS says limits have to be unsigned. @@ -1924,6 +1969,7 @@ extern const struct ppm_name_value fsconfig_cmds[]; extern const struct ppm_name_value epoll_create1_flags[]; extern const struct ppm_name_value fchownat_flags[]; //XXX ADD HERE IF PRCTL FLAGS ARE PRESENT +extern const struct ppm_name_value prctl_options[]; extern const struct ppm_param_info sockopt_dynamic_param[]; extern const struct ppm_param_info ptrace_dynamic_param[]; 
From 9e7b0a1c0bd44b2dfbb6c585ae975b8531e38e73 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Mon, 3 Apr 2023 19:00:05 +0000 Subject: [PATCH 05/22] feat(driver): resolve args Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 51 ++++++++++------ driver/event_table.c | 2 +- driver/fillers_table.c | 2 +- .../definitions/events_dimensions.h | 3 +- .../syscall_dispatched_events/prctl.bpf.c | 48 ++++++++++++--- driver/ppm_fillers.c | 59 +++++++++++-------- driver/ppm_fillers.h | 1 - 7 files changed, 112 insertions(+), 54 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 81a6ad79cc..361d05edbc 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -7111,23 +7111,12 @@ FILLER(sched_prog_fork_3, false) } #endif -/* -FILLER(sys_prctl_e, true) -{ - int res; - long retval; - - retval = bpf_syscall_get_retval(data->ctx); - res = bpf_val_to_ring(data, retval); - - return res; -} -*/ - FILLER(sys_prctl_x, true) { int val; + unsigned long option; unsigned long arg; + unsigned long arg2; int res; long retval; @@ -7139,16 +7128,16 @@ FILLER(sys_prctl_x, true) /* * option */ - val = bpf_syscall_get_argument(data, 0); - res = bpf_val_to_ring(data, val); + option = bpf_syscall_get_argument(data, 0); + res = bpf_val_to_ring(data, option); if (res != PPM_SUCCESS) return res; /* * arg2 */ - arg = bpf_syscall_get_argument(data, 1); - res = bpf_val_to_ring(data, arg); + arg2 = bpf_syscall_get_argument(data, 1); + res = bpf_val_to_ring(data, arg2); if (res != PPM_SUCCESS) return res; 
@@ -7176,6 +7165,34 @@ FILLER(sys_prctl_x, true) if (res != PPM_SUCCESS) return res; + /* + * arg2str + */ + if(option == 15){ + res = bpf_val_to_ring(data, arg2); + }else if(option == 37){ + res = bpf_val_to_ring(data, 0); + }else{ + res = bpf_val_to_ring(data, arg2); + } + if (res != PPM_SUCCESS) + return res; + + /* + * arg2int + */ + if(option == 15){ + res = bpf_val_to_ring(data, 0); + }else if(option == 37){ + unsigned long arg2int; + bpf_probe_read_user(&arg2int,sizeof(arg2int),(void*)arg2); + res = bpf_val_to_ring(data, (int)arg2int); + }else{ + res = bpf_val_to_ring(data, arg2); + } + if (res != PPM_SUCCESS) + return res; + return res; } diff --git a/driver/event_table.c b/driver/event_table.c index a816f4d007..e11b9d440d 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -450,7 +450,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}}, [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX}}}, [PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0 }, - [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 6, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2", PT_CHARBUF,PT_UINT64}, {"arg3", PT_UINT64}, {"arg4", PT_UINT64}, {"arg5", PT_UINT64} } }, + [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 8, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2", PT_UINT64, PF_HEX}, {"arg3", PT_UINT64, PF_HEX}, {"arg4", PT_UINT64, PF_HEX}, {"arg5", PT_UINT64, PF_HEX}, {"arg2str", PT_CHARBUF, PF_NA}, {"arg2int", PT_UINT64, PF_DEC} } }, }; // This code is compiled on windows and osx too! 
diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 867566760f..76f1fead82 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -336,6 +336,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_EVENTFD2_X] = {FILLER_REF(sys_eventfd2_x)}, [PPME_SYSCALL_SIGNALFD4_E] = {FILLER_REF(sys_signalfd4_e)}, [PPME_SYSCALL_SIGNALFD4_X] = {FILLER_REF(sys_signalfd4_x)}, - //[PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_prctl_e)}, + [PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_empty)}, [PPME_SYSCALL_PRCTL_X] = {FILLER_REF(sys_prctl_x)}, }; diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index fa9ecfe55e..f18801aca3 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -236,8 +236,7 @@ #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN #define PRCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN -//#define PRCTL_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint32_t) * 4 + 5 * PARAM_LEN -//#define PRCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN +#define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 1 + sizeof(uint64_t) * 7 + 8 * PARAM_LEN /* Generic tracepoints events. */ #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4 diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c index c79415b1c7..d09d6d3209 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c 
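Review bot: The new `PRCTL_X_SIZE` in `events_dimensions.h` does not match the `PPME_SYSCALL_PRCTL_X` entry this commit puts in the event table: `res` is stored 64 bits wide by `auxmap__store_s64_param`, `option` is `PT_ENUMFLAGS32`, and `arg2str` is a variable-length `PT_CHARBUF`, none of which fit `sizeof(int32_t) * 1 + sizeof(uint64_t) * 7`. `prctl_x` builds its event in the auxiliary map, so a fixed size for it looks unused, and a wrong constant is a trap for whoever reuses it for a ring-buffer reservation later. `PRCTL_E_SIZE` on the context line above still counts `sizeof(int64_t) + PARAM_LEN` for an enter event that the table declares with zero parameters. Suggest removing `PRCTL_X_SIZE` and reducing the other to `#define PRCTL_E_SIZE HEADER_LEN`.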
@@ -55,17 +55,47 @@ int BPF_PROG(prctl_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: option (type: PT_UINT32) */ - u32 flags = (u32)extract__syscall_argument(regs, 0); - auxmap__store_u32_param(auxmap, open_flags_to_scap(flags)); + /* Parameter 1: res (type: PT_ERRNO) */ + auxmap__store_s64_param(auxmap, ret); + + /* Parameter 2: option (type: PT_UINT64) */ + u64 option = (u64)extract__syscall_argument(regs, 0); + auxmap__store_u64_param(auxmap, option); + + /* Parameter 3: arg2 (type: PT_CHARBUF) */ + unsigned long arg2 = extract__syscall_argument(regs, 1); + auxmap__store_u64_param(auxmap, arg2); + + /* Parameter 4: arg3 (type: PT_UINT64) */ + unsigned long arg3 = extract__syscall_argument(regs, 2); + auxmap__store_u64_param(auxmap, arg3); + + /* Parameter 5: arg4 (type: PT_UINT64) */ + unsigned long arg4 = extract__syscall_argument(regs, 3); + auxmap__store_u64_param(auxmap, arg4); + + /* Parameter 6: arg5 (type: PT_UINT64) */ + unsigned long arg5 = extract__syscall_argument(regs, 4); + auxmap__store_u64_param(auxmap, arg5); + + /* Parameter 7: arg2str (type: PT_CHARBUF) */ + if(option == 15){ + auxmap__store_charbuf_param(auxmap, arg2, MAX_PATH, USER); + }else{ + auxmap__store_charbuf_param(auxmap, 0, MAX_PATH, USER); + } - /* Parameter 1: name (type: PT_CHARBUF) */ - unsigned long name_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, name_pointer, MAX_PATH, USER); + /* Parameter 8: arg2int (type: PT_UINT64) */ + if(option == 37){ + u64 reaper_pid; + bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2); + auxmap__store_u64_param(auxmap, (int)reaper_pid); + }else if(option == 15){ + auxmap__store_u64_param(auxmap, 0); + }else{ + auxmap__store_u64_param(auxmap, arg2); + } - /* Parameter 3: mode (type: PT_UINT32) */ - //unsigned long mode = extract__syscall_argument(regs, 2); - //auxmap__store_u32_param(auxmap, open_modes_to_scap(flags, mode)); 
/*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 1485007f69..c5aaeee5fd 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -7984,6 +7984,9 @@ int f_sys_prctl_x(struct event_filler_arguments *args) int res; int retval; syscall_arg_t val; + syscall_arg_t option; + syscall_arg_t arg2; + char *name = NULL; //unsigned long flags; /* Parameter 1: res (type: PT_ERRNO) */ 
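Review bot: Parameter 2 is written with `auxmap__store_u64_param(auxmap, option)`, eight bytes, while the event_table.c row changed in this same patch declares `option` as PT_ENUMFLAGS32, so a consumer that trusts the table would expect four bytes there. Storing it as `u32 option = (u32)extract__syscall_argument(regs, 0);` with `auxmap__store_u32_param(auxmap, option);` keeps the producer and the table in agreement. The comments above the stores have drifted as well: `option` is labelled PT_UINT64, and `arg2` is labelled PT_CHARBUF although it is stored as a number. prctl_x starts and ends outside this hunk.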
@@ -7995,53 +7998,63 @@ int f_sys_prctl_x(struct event_filler_arguments *args) /* * option */ - syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val); - res = val_to_ring(args, val, 0, false, 0); - if (unlikely(res != PPM_SUCCESS)) - { - return res; - } + syscall_get_arguments_deprecated(current, args->regs, 0, 1, &option); + res = val_to_ring(args, option, 0, false, 0); + CHECK_RES(res); /* * arg2 */ - syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val); - res = val_to_ring(args, val, 0, true, 0); - if (unlikely(res != PPM_SUCCESS)) - { - return res; - } + syscall_get_arguments_deprecated(current, args->regs, 1, 1, &arg2); + res = val_to_ring(args, arg2, 0, true, 0); + CHECK_RES(res); /* * arg3 */ syscall_get_arguments_deprecated(current, args->regs, 2, 1, &val); res = val_to_ring(args, val, 0, false, 0); - if (unlikely(res != PPM_SUCCESS)) - { - return res; - } + CHECK_RES(res); /* * arg4 */ syscall_get_arguments_deprecated(current, args->regs, 3, 1, &val); res = val_to_ring(args, val, 0, false, 0); - if (unlikely(res != PPM_SUCCESS)) - { - return res; - } + CHECK_RES(res); /* * arg5 */ syscall_get_arguments_deprecated(current, args->regs, 4, 1, &val); res = val_to_ring(args, val, 0, false, 0); - if (unlikely(res != PPM_SUCCESS)) - { - return res; + CHECK_RES(res); + + /* + * arg2str + */ + if(option == 15){ + ppm_strncpy_from_user(args->str_storage, (const void __user *)arg2, 15); + name = args->str_storage; + name[PPM_MAX_PATH_SIZE - 1] = '\0'; + res = val_to_ring(args, (int64_t)(long)name, 0, false, 0); + }else{ + res = val_to_ring(args, arg2, 0, false, 0); } + CHECK_RES(res); + /* + * arg2int + */ + if(option == 15){ + arg2 = (unsigned long)NULL; + }else if(option == 37){ + int reaper_pid; + ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(int)); + arg2 = (unsigned long)reaper_pid; + } + res = val_to_ring(args, arg2, 0, true, 0); + CHECK_RES(res); return add_sentinel(args); } 
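Review bot: In the `arg2str` block the `else` branch passes the caller-supplied `arg2` to `val_to_ring` with `fromuser` set to `false`, for a parameter that event_table.c types as PT_CHARBUF. If `val_to_ring` treats a non-user charbuf value as a kernel address, as that flag suggests, any process can make the driver read from an address of its choosing for every option other than 15; pushing an empty value there avoids it: `res = val_to_ring(args, 0, 0, false, 0);`. In the `arg2int` block `reaper_pid` is uninitialised and the result of `ppm_copy_from_user` is ignored, so a failed copy would put leftover kernel stack contents into the event; declare it as `int reaper_pid = 0;` and keep 0 when the copy fails. That second issue is still present in the PATCH 07 hunk of this file. f_sys_prctl_x starts outside this hunk.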
diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index 479a7a2423..bd676cbf4a 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -172,7 +172,6 @@ or GPL2.txt for full copies of the license. FN(sys_eventfd2_x) \ FN(sys_signalfd4_e) \ FN(sys_signalfd4_x) \ - FN(sys_prctl_e) \ FN(sys_prctl_x) \ FN(terminate_filler) From 0c8c178d58a0da7fc28254859d5f049bb794189c Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Tue, 4 Apr 2023 17:51:23 +0000 Subject: [PATCH 06/22] feat(driver): added first test Signed-off-by: Roberto Scolaro --- .../syscall_exit_suite/prctl_x.cpp | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp diff --git a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp new file mode 100644 index 0000000000..758df25002 --- /dev/null +++ b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp 
@@ -0,0 +1,99 @@ +#include "../../event_class/event_class.h" +#include "../../flags/flags_definitions.h" +#include "../../helpers/proc_parsing.h" + +#if defined(__NR_prctl) && defined(__NR_clone3) && defined(__NR_wait4) + +#include + +TEST(SyscallExit, prctlX) +{ + auto evt_test = get_syscall_event_test(__NR_prctl, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + const char newname[] = "changedname"; + int option = 15; //PR_SET_NAME + unsigned long arg3 = 0; + unsigned long arg4 = 0; + unsigned long arg5 = 0; + + /* We need to use `SIGCHLD` otherwise the parent won't receive any signal + * when the child terminates. + */ + struct clone_args cl_args = {0}; + cl_args.exit_signal = SIGCHLD; + pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args)); + assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1); + + if (ret_pid == 0) + { + /* + * Call the `prctl` + */ + int res = syscall(__NR_prctl, option, newname, arg3, arg4, arg5); + assert_syscall_state(SYSCALL_SUCCESS, "prctl", res,EQUAL,0); + exit(EXIT_SUCCESS); + + } + + /* Catch the child before doing anything else. */ + int status = 0; + int options = 0; + assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1); + + if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0) + { + FAIL() << "The prctl call is successful while it should fail..." 
<< std::endl; + } + + + evt_test->disable_capture(); + + evt_test->assert_event_presence(ret_pid); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)0); + + /* Parameter 2: option (type: PT_ENUMFLAGS32) */ + evt_test->assert_numeric_param(2, option); //PR_SET_NAME + + /* Parameter 3: arg2 (type: PT_CHARBUFARRAY) */ + //evt_test->assert_charbuf_param(3, newname); + + /* Parameter 4: arg3 (type: PT_UINT64) */ + evt_test->assert_numeric_param(4, arg3); + + /* Parameter 5: arg4 (type: PT_UINT64) */ + evt_test->assert_numeric_param(5, arg4); + + /* Parameter 6: arg5 (type: PT_UINT64) */ + evt_test->assert_numeric_param(6, arg5); + + /* Parameter 6: arg2str (type: PT_UINT64) */ + evt_test->assert_charbuf_param(7, newname); + + /* Parameter 7: arg2int (type: PT_UINT64) */ + evt_test->assert_numeric_param(8, (uint64_t)0); + + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(8); + +} +#endif From 341b5429b4a2b75114d6ea5231ff92e649677ad5 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 5 Apr 2023 12:58:24 +0000 Subject: [PATCH 07/22] chore(driver): removed useless params Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 70 ++++++------------- driver/event_table.c | 2 +- .../definitions/events_dimensions.h | 2 +- .../syscall_dispatched_events/prctl.bpf.c | 54 ++++++-------- driver/ppm_fillers.c | 65 +++++++---------- 5 files changed, 72 insertions(+), 121 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 361d05edbc..b4371a54d2 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h 
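Review bot: A failed prctl in the child cannot fail this test, because the child calls `exit(EXIT_SUCCESS)` unconditionally after `assert_syscall_state`, and the parent only looks for EXIT_FAILURE or a signal. Exit with the call's outcome instead, e.g. `exit(res == 0 ? EXIT_SUCCESS : EXIT_FAILURE);`, assuming `assert_syscall_state` returns rather than aborts (its definition is not on this page). The FAIL() text, "The prctl call is successful while it should fail...", also says the opposite of what the check means here. The comments on parameters 7 and 8 are mislabelled (`Parameter 6: arg2str (type: PT_UINT64)`, `Parameter 7: arg2int`), and the same child/exit pattern is repeated in both tests of PATCH 08.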
@@ -7113,10 +7113,9 @@ FILLER(sched_prog_fork_3, false) FILLER(sys_prctl_x, true) { - int val; unsigned long option; - unsigned long arg; unsigned long arg2; + unsigned long arg2_int; int res; long retval; @@ -7133,62 +7132,37 @@ FILLER(sys_prctl_x, true) if (res != PPM_SUCCESS) return res; - /* - * arg2 - */ arg2 = bpf_syscall_get_argument(data, 1); - res = bpf_val_to_ring(data, arg2); - if (res != PPM_SUCCESS) - return res; - - /* - * arg3 - */ - arg = bpf_syscall_get_argument(data, 2); - res = bpf_val_to_ring(data, arg); - if (res != PPM_SUCCESS) - return res; - - /* - * arg4 - */ - val = bpf_syscall_get_argument(data, 3); - res = bpf_val_to_ring(data, arg); - if (res != PPM_SUCCESS) - return res; - - /* - * arg5 - */ - arg = bpf_syscall_get_argument(data, 4); - res = bpf_val_to_ring(data, arg); - if (res != PPM_SUCCESS) - return res; /* - * arg2str + * arg2_str */ - if(option == 15){ - res = bpf_val_to_ring(data, arg2); - }else if(option == 37){ - res = bpf_val_to_ring(data, 0); - }else{ - res = bpf_val_to_ring(data, arg2); + switch(option){ + case PPM_PR_GET_CHILD_SUBREAPER: + res = bpf_val_to_ring(data, 0); + break; + case PPM_PR_SET_NAME: + default: + res = bpf_val_to_ring(data, arg2); + break; } if (res != PPM_SUCCESS) return res; /* - * arg2int + * arg2_int */ - if(option == 15){ - res = bpf_val_to_ring(data, 0); - }else if(option == 37){ - unsigned long arg2int; - bpf_probe_read_user(&arg2int,sizeof(arg2int),(void*)arg2); - res = bpf_val_to_ring(data, (int)arg2int); - }else{ - res = bpf_val_to_ring(data, arg2); + switch(option){ + case PPM_PR_SET_NAME: + res = bpf_val_to_ring(data, 0); + break; + case PPM_PR_GET_CHILD_SUBREAPER: + bpf_probe_read_user(&arg2_int,sizeof(arg2_int),(void*)arg2); + res = bpf_val_to_ring(data, (int)arg2_int); + break; + default: + res = bpf_val_to_ring(data, arg2); + break; } if (res != PPM_SUCCESS) return res; diff --git a/driver/event_table.c b/driver/event_table.c index e11b9d440d..9d2a946c9f 100644 --- a/driver/event_table.c 
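Review bot: In the `arg2_str` switch `case PPM_PR_SET_NAME:` falls through into `default:`, so every option other than PPM_PR_GET_CHILD_SUBREAPER still pushes the raw `arg2` as the string parameter. The modern probe and the kernel module in this same patch push an empty value in their `default:` branches, so the three drivers would emit different `arg2_str` contents for the same syscall, and for options whose `arg2` is an integer or a non-string pointer the value is not a name at all. Give PPM_PR_SET_NAME its own body ending in `break;` and make the default `res = bpf_val_to_ring(data, 0);`. FILLER(sys_prctl_x) continues outside this hunk.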
+++ b/driver/event_table.c @@ -450,7 +450,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}}, [PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX}}}, [PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0 }, - [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 8, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2", PT_UINT64, PF_HEX}, {"arg3", PT_UINT64, PF_HEX}, {"arg4", PT_UINT64, PF_HEX}, {"arg5", PT_UINT64, PF_HEX}, {"arg2str", PT_CHARBUF, PF_NA}, {"arg2int", PT_UINT64, PF_DEC} } }, + [PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2_str", PT_CHARBUF, PF_NA}, {"arg2_int", PT_INT64, PF_DEC} } }, }; // This code is compiled on windows and osx too! diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index f18801aca3..c28caf87b9 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -236,7 +236,7 @@ #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN #define PRCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN -#define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 1 + sizeof(uint64_t) * 7 + 8 * PARAM_LEN +#define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 1 + sizeof(uint64_t) * 3 + 4 * PARAM_LEN /* Generic tracepoints events. */ #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c index d09d6d3209..9c96724c76 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c @@ -46,6 +46,7 @@ int BPF_PROG(prctl_x, long ret) { struct auxiliary_map *auxmap = auxmap__get(); + u64 reaper_pid; if(!auxmap) { return 0; 
@@ -59,44 +60,35 @@ int BPF_PROG(prctl_x, auxmap__store_s64_param(auxmap, ret); /* Parameter 2: option (type: PT_UINT64) */ - u64 option = (u64)extract__syscall_argument(regs, 0); - auxmap__store_u64_param(auxmap, option); + u32 option = (u32)extract__syscall_argument(regs, 0); + auxmap__store_u32_param(auxmap, option); - /* Parameter 3: arg2 (type: PT_CHARBUF) */ unsigned long arg2 = extract__syscall_argument(regs, 1); - auxmap__store_u64_param(auxmap, arg2); - /* Parameter 4: arg3 (type: PT_UINT64) */ - unsigned long arg3 = extract__syscall_argument(regs, 2); - auxmap__store_u64_param(auxmap, arg3); - - /* Parameter 5: arg4 (type: PT_UINT64) */ - unsigned long arg4 = extract__syscall_argument(regs, 3); - auxmap__store_u64_param(auxmap, arg4); - - /* Parameter 6: arg5 (type: PT_UINT64) */ - unsigned long arg5 = extract__syscall_argument(regs, 4); - auxmap__store_u64_param(auxmap, arg5); - - /* Parameter 7: arg2str (type: PT_CHARBUF) */ - if(option == 15){ - auxmap__store_charbuf_param(auxmap, arg2, MAX_PATH, USER); - }else{ - auxmap__store_charbuf_param(auxmap, 0, MAX_PATH, USER); + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ + switch(option){ + case PPM_PR_SET_NAME: + auxmap__store_charbuf_param(auxmap, arg2, 16, USER); + break; + default: + auxmap__store_charbuf_param(auxmap, 0, 0, USER); + break; } - /* Parameter 8: arg2int (type: PT_UINT64) */ - if(option == 37){ - u64 reaper_pid; - bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2); - auxmap__store_u64_param(auxmap, (int)reaper_pid); - }else if(option == 15){ - auxmap__store_u64_param(auxmap, 0); - }else{ - auxmap__store_u64_param(auxmap, arg2); + /* Parameter 4: arg2_int (type: PT_UINT64) */ + switch(option){ + case PPM_PR_SET_NAME: + auxmap__store_u64_param(auxmap, 0); + break; + case PPM_PR_GET_CHILD_SUBREAPER: + bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2); + auxmap__store_s64_param(auxmap, (int)reaper_pid); + break; + default: + auxmap__store_s64_param(auxmap, 
arg2); + break; } - /*=============================== COLLECT PARAMETERS ===========================*/ auxmap__finalize_event_header(auxmap); diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index c5aaeee5fd..4bce033c85 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -7986,15 +7986,13 @@ int f_sys_prctl_x(struct event_filler_arguments *args) syscall_arg_t val; syscall_arg_t option; syscall_arg_t arg2; - char *name = NULL; - //unsigned long flags; + char name[16] = "\0"; /* Parameter 1: res (type: PT_ERRNO) */ retval = (int64_t)syscall_get_return_value(current, args->regs); res = val_to_ring(args, retval, 0, false, 0); CHECK_RES(res); - /* * option */ 
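Review bot: The PPM_PR_GET_CHILD_SUBREAPER branch reads the caller's buffer without looking at `ret`, so when prctl itself failed the event reports whatever happened to be at `arg2` as the result. Gate the read on success, e.g. `if(ret == 0) bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2);`, with `reaper_pid` initialised to 0 where it is declared. The fillers.h and ppm_fillers.c hunks of this patch read the pointer unconditionally too. The comment `Parameter 2: option (type: PT_UINT64)` no longer matches the `u32` store below it.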
@@ -8006,54 +8004,41 @@ int f_sys_prctl_x(struct event_filler_arguments *args) * arg2 */ syscall_get_arguments_deprecated(current, args->regs, 1, 1, &arg2); - res = val_to_ring(args, arg2, 0, true, 0); - CHECK_RES(res); - - /* - * arg3 - */ - syscall_get_arguments_deprecated(current, args->regs, 2, 1, &val); - res = val_to_ring(args, val, 0, false, 0); - CHECK_RES(res); - - /* - * arg4 - */ - syscall_get_arguments_deprecated(current, args->regs, 3, 1, &val); - res = val_to_ring(args, val, 0, false, 0); - CHECK_RES(res); - - /* - * arg5 - */ - syscall_get_arguments_deprecated(current, args->regs, 4, 1, &val); - res = val_to_ring(args, val, 0, false, 0); - CHECK_RES(res); /* * arg2str */ - if(option == 15){ - ppm_strncpy_from_user(args->str_storage, (const void __user *)arg2, 15); - name = args->str_storage; - name[PPM_MAX_PATH_SIZE - 1] = '\0'; - res = val_to_ring(args, (int64_t)(long)name, 0, false, 0); - }else{ - res = val_to_ring(args, arg2, 0, false, 0); + switch(option){ + case PPM_PR_SET_NAME: + ppm_strncpy_from_user(name, (const void __user *)arg2, sizeof(name)); + name[15] = '\0'; + val = (int64_t)(long)name; + break; + default: + val = 0; + break; } + res = val_to_ring(args, val, 0, false, 0); CHECK_RES(res); /* * arg2int */ - if(option == 15){ - arg2 = (unsigned long)NULL; - }else if(option == 37){ - int reaper_pid; - ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(int)); - arg2 = (unsigned long)reaper_pid; + switch(option){ + case PPM_PR_SET_NAME: + arg2 = (unsigned long)NULL; + break; + case PPM_PR_SET_CHILD_SUBREAPER: + break; + case PPM_PR_GET_CHILD_SUBREAPER: + int reaper_pid; + ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(int)); + arg2 = (unsigned long)reaper_pid; + break; + default: + break; } - res = val_to_ring(args, arg2, 0, true, 0); + res = val_to_ring(args, arg2, 0, false, 0); CHECK_RES(res); return add_sentinel(args); From 6f4e28bbfe3a8e04425ccdaa0851846155232a7b Mon Sep 17 00:00:00 2001 
From: Roberto Scolaro Date: Wed, 5 Apr 2023 13:24:41 +0000 Subject: [PATCH 08/22] fix(test/drivers): updated prctl tests with 4 params Signed-off-by: Roberto Scolaro --- .../syscall_exit_suite/prctl_x.cpp | 101 +++++++++++++++--- 1 file changed, 84 insertions(+), 17 deletions(-) diff --git a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp index 758df25002..18b2cf5d94 100644 --- a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp @@ -6,7 +6,7 @@ #include -TEST(SyscallExit, prctlX) +TEST(SyscallExit, prctlX_set_child_subreaper) { auto evt_test = get_syscall_event_test(__NR_prctl, EXIT_EVENT); @@ -14,8 +14,8 @@ TEST(SyscallExit, prctlX) /*=============================== TRIGGER SYSCALL ===========================*/ - const char newname[] = "changedname"; - int option = 15; //PR_SET_NAME + int option = 36; //PR_SET_CHILD_SUBREAPER + unsigned long arg2 = 1337; unsigned long arg3 = 0; unsigned long arg4 = 0; unsigned long arg5 = 0; @@ -33,7 +33,7 @@ TEST(SyscallExit, prctlX) /* * Call the `prctl` */ - int res = syscall(__NR_prctl, option, newname, arg3, arg4, arg5); + int res = syscall(__NR_prctl, option, arg2, arg3, arg4, arg5); assert_syscall_state(SYSCALL_SUCCESS, "prctl", res,EQUAL,0); exit(EXIT_SUCCESS); 
@@ -70,30 +70,97 @@ TEST(SyscallExit, prctlX) evt_test->assert_numeric_param(1, (uint64_t)0); /* Parameter 2: option (type: PT_ENUMFLAGS32) */ - evt_test->assert_numeric_param(2, option); //PR_SET_NAME + evt_test->assert_numeric_param(2, option); //PR_SET_CHILD_SUBREAPER - /* Parameter 3: arg2 (type: PT_CHARBUFARRAY) */ + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ //evt_test->assert_charbuf_param(3, newname); - /* Parameter 4: arg3 (type: PT_UINT64) */ - evt_test->assert_numeric_param(4, arg3); + /* Parameter 4: arg2_int (type: PT_INT64) */ + evt_test->assert_numeric_param(4, (int64_t)arg2); + - /* Parameter 5: arg4 (type: PT_UINT64) */ - evt_test->assert_numeric_param(5, arg4); + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); - /* Parameter 6: arg5 (type: PT_UINT64) */ - evt_test->assert_numeric_param(6, arg5); +} + +TEST(SyscallExit, prctlX_set_name) +{ + auto evt_test = get_syscall_event_test(__NR_prctl, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + const char newname[] = "changedname"; + int option = 15; //PR_SET_NAME + unsigned long arg3 = 0; + unsigned long arg4 = 0; + unsigned long arg5 = 0; + + /* We need to use `SIGCHLD` otherwise the parent won't receive any signal + * when the child terminates. + */ + struct clone_args cl_args = {0}; + cl_args.exit_signal = SIGCHLD; + pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args)); + assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1); + + if (ret_pid == 0) + { + /* + * Call the `prctl` + */ + int res = syscall(__NR_prctl, option, newname, arg3, arg4, arg5); + assert_syscall_state(SYSCALL_SUCCESS, "prctl", res,EQUAL,0); + exit(EXIT_SUCCESS); + + } + + /* Catch the child before doing anything else. 
*/ + int status = 0; + int options = 0; + assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1); + + if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0) + { + FAIL() << "The prctl call is successful while it should fail..." << std::endl; + } + + + evt_test->disable_capture(); + + evt_test->assert_event_presence(ret_pid); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)0); + + /* Parameter 2: option (type: PT_ENUMFLAGS32) */ + evt_test->assert_numeric_param(2, option); //PR_SET_NAME - /* Parameter 6: arg2str (type: PT_UINT64) */ - evt_test->assert_charbuf_param(7, newname); + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(3, newname); - /* Parameter 7: arg2int (type: PT_UINT64) */ - evt_test->assert_numeric_param(8, (uint64_t)0); + /* Parameter 4: arg2_int (type: PT_INT64) */ + evt_test->assert_numeric_param(4, (uint64_t)0); /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(8); + evt_test->assert_num_params_pushed(4); } #endif From cbc85d26c13dba9f559ec93920cf261ae4f60377 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 5 Apr 2023 13:43:07 +0000 Subject: [PATCH 09/22] chore(driver): prctl cleanup Signed-off-by: Roberto Scolaro --- .../definitions/events_dimensions.h | 2 +- .../syscall_dispatched_events/prctl.bpf.c | 4 +- driver/ppm_events_public.h | 1 - driver/syscall_table.c | 785 ++++++++++++++++++ .../syscall_exit_suite/prctl_x.cpp | 4 +- 5 files changed, 790 insertions(+), 6 deletions(-) diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index c28caf87b9..c1f66f9cf4 100644 
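Review bot: In prctlX_set_child_subreaper parameter 3 is never checked, since the only assertion for it is the commented-out `//evt_test->assert_charbuf_param(3, newname);`, which also refers to a variable this test no longer declares. That is the parameter on which the drivers differ for options other than PR_SET_NAME, so an explicit expectation is worth having; if the suite's `assert_empty_param` helper fits, `evt_test->assert_empty_param(3);` would state it. There is also no test for PR_GET_CHILD_SUBREAPER, the one option whose filler reads through `arg2`. In prctlX_set_name the zero for `arg2_int` is asserted as `(uint64_t)0` although the parameter is now PT_INT64.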
--- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -236,7 +236,7 @@ #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN #define PRCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN -#define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 1 + sizeof(uint64_t) * 3 + 4 * PARAM_LEN +#define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint64_t) * 2 + sizeof(int64_t) + 4 * PARAM_LEN /* Generic tracepoints events. */ #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4 diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c index 9c96724c76..1fc1295486 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c @@ -75,10 +75,10 @@ int BPF_PROG(prctl_x, break; } - /* Parameter 4: arg2_int (type: PT_UINT64) */ + /* Parameter 4: arg2_int (type: PT_INT64) */ switch(option){ case PPM_PR_SET_NAME: - auxmap__store_u64_param(auxmap, 0); + auxmap__store_s64_param(auxmap, 0); break; case PPM_PR_GET_CHILD_SUBREAPER: bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2); diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 03f9be89f6..be0d59a281 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h 
@@ -1968,7 +1968,6 @@ extern const struct ppm_name_value mlock2_flags[]; extern const struct ppm_name_value fsconfig_cmds[]; extern const struct ppm_name_value epoll_create1_flags[]; extern const struct ppm_name_value fchownat_flags[]; -//XXX ADD HERE IF PRCTL FLAGS ARE PRESENT extern const struct ppm_name_value prctl_options[]; extern const struct ppm_param_info sockopt_dynamic_param[]; diff --git a/driver/syscall_table.c b/driver/syscall_table.c index c395e9cda6..a7c5381ea3 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c @@ -459,7 +459,9 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_sched_get_priority_min - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MIN}, [__NR_sched_rr_get_interval - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_RR_GET_INTERVAL}, [__NR_mremap - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MREMAP}, +#ifdef __NR_prctl [__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL }, +#endif #ifdef __NR_arch_prctl [__NR_arch_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ARCH_PRCTL}, #endif 
@@ -903,7 +905,790 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #ifdef __NR_s390_pci_mmio_read [__NR_s390_pci_mmio_read - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_S390_PCI_MMIO_READ}, #endif +<<<<<<< HEAD #ifdef __NR_sigsuspend [__NR_sigsuspend - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGSUSPEND}, +======= + [__NR_ia32_poll - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_POLL_E, PPME_SYSCALL_POLL_X, PPM_SC_POLL}, +#ifdef __NR_ia32_select + [__NR_ia32_select - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SELECT_E, PPME_SYSCALL_SELECT_X, PPM_SC_SELECT}, +#endif + [__NR_ia32_lseek - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_LSEEK_E, PPME_SYSCALL_LSEEK_X, PPM_SC_LSEEK}, + [__NR_ia32_ioctl - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_IOCTL_3_E, PPME_SYSCALL_IOCTL_3_X, PPM_SC_IOCTL}, + [__NR_ia32_getcwd - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_GETCWD_E, PPME_SYSCALL_GETCWD_X, PPM_SC_GETCWD}, +#ifdef __NR_ia32_capset + [__NR_ia32_capset - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_CAPSET_E, PPME_SYSCALL_CAPSET_X, PPM_SC_CAPSET}, +#endif + [__NR_ia32_chdir - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CHDIR_E, PPME_SYSCALL_CHDIR_X, PPM_SC_CHDIR}, + [__NR_ia32_fchdir - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FCHDIR_E, PPME_SYSCALL_FCHDIR_X, PPM_SC_FCHDIR}, +#ifdef __NR_ia32_mkdir + [__NR_ia32_mkdir - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MKDIR_2_E, PPME_SYSCALL_MKDIR_2_X, PPM_SC_MKDIR}, +#endif +#ifdef __NR_ia32_rmdir + [__NR_ia32_rmdir - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_RMDIR_2_E, PPME_SYSCALL_RMDIR_2_X, PPM_SC_RMDIR}, +#endif + [__NR_ia32_openat - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPM_SC_OPENAT}, + [__NR_ia32_mkdirat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MKDIRAT_E, PPME_SYSCALL_MKDIRAT_X, PPM_SC_MKDIRAT}, +#ifdef __NR_ia32_link + 
[__NR_ia32_link - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LINK_2_E, PPME_SYSCALL_LINK_2_X, PPM_SC_LINK}, +#endif + [__NR_ia32_linkat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LINKAT_2_E, PPME_SYSCALL_LINKAT_2_X, PPM_SC_LINKAT}, +#ifdef __NR_ia32_unlink + [__NR_ia32_unlink - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UNLINK_2_E, PPME_SYSCALL_UNLINK_2_X, PPM_SC_UNLINK}, +#endif + [__NR_ia32_unlinkat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UNLINKAT_2_E, PPME_SYSCALL_UNLINKAT_2_X, PPM_SC_UNLINKAT}, + [__NR_ia32_pread64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PREAD_E, PPME_SYSCALL_PREAD_X, PPM_SC_PREAD64}, + [__NR_ia32_pwrite64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PWRITE_E, PPME_SYSCALL_PWRITE_X, PPM_SC_PWRITE64}, + [__NR_ia32_readv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_READV_E, PPME_SYSCALL_READV_X, PPM_SC_READV}, + [__NR_ia32_writev - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_WRITEV_E, PPME_SYSCALL_WRITEV_X, PPM_SC_WRITEV}, + [__NR_ia32_preadv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PREADV_E, PPME_SYSCALL_PREADV_X, PPM_SC_PREADV}, + [__NR_ia32_pwritev - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PWRITEV_E, PPME_SYSCALL_PWRITEV_X, PPM_SC_PWRITEV}, + [__NR_ia32_dup - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_DUP_1_E, PPME_SYSCALL_DUP_1_X, PPM_SC_DUP}, +#ifdef __NR_ia32_dup2 + [__NR_ia32_dup2 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_DUP2_E, PPME_SYSCALL_DUP2_X, PPM_SC_DUP2}, +#endif + [__NR_ia32_dup3 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_DUP3_E, PPME_SYSCALL_DUP3_X, PPM_SC_DUP3}, +#ifdef __NR_ia32_signalfd + [__NR_ia32_signalfd - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_SIGNALFD_E, PPME_SYSCALL_SIGNALFD_X, PPM_SC_SIGNALFD}, +#endif +#ifdef __NR_ia32_signalfd4 + [__NR_ia32_signalfd4 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_SIGNALFD4_E, PPME_SYSCALL_SIGNALFD4_X, PPM_SC_SIGNALFD4}, +#endif + [__NR_ia32_kill - 
SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_KILL_E, PPME_SYSCALL_KILL_X, PPM_SC_KILL}, + [__NR_ia32_tkill - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_TKILL_E, PPME_SYSCALL_TKILL_X, PPM_SC_TKILL}, + [__NR_ia32_tgkill - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_TGKILL_E, PPME_SYSCALL_TGKILL_X, PPM_SC_TGKILL}, + [__NR_ia32_nanosleep - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_NANOSLEEP_E, PPME_SYSCALL_NANOSLEEP_X, PPM_SC_NANOSLEEP}, + [__NR_ia32_timerfd_create - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_TIMERFD_CREATE_E, PPME_SYSCALL_TIMERFD_CREATE_X, PPM_SC_TIMERFD_CREATE}, +#ifdef __NR_ia32_inotify_init + [__NR_ia32_inotify_init - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_INOTIFY_INIT_E, PPME_SYSCALL_INOTIFY_INIT_X, PPM_SC_INOTIFY_INIT}, +#endif +#ifdef __NR_ia32_inotify_init1 + [__NR_ia32_inotify_init1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_INOTIFY_INIT1_E, PPME_SYSCALL_INOTIFY_INIT1_X, PPM_SC_INOTIFY_INIT1}, +#endif + [__NR_ia32_fchmodat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHMODAT_E, PPME_SYSCALL_FCHMODAT_X, PPM_SC_FCHMODAT}, + [__NR_ia32_fchmod - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHMOD_E, PPME_SYSCALL_FCHMOD_X, PPM_SC_FCHMOD}, +#ifdef __NR_ia32_getrlimit + [__NR_ia32_getrlimit - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRLIMIT_E, PPME_SYSCALL_GETRLIMIT_X, PPM_SC_GETRLIMIT}, +#endif + [__NR_ia32_setrlimit - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_SETRLIMIT_E, PPME_SYSCALL_SETRLIMIT_X, PPM_SC_SETRLIMIT}, +#ifdef __NR_ia32_prlimit64 + [__NR_ia32_prlimit64 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRLIMIT_E, PPME_SYSCALL_PRLIMIT_X, PPM_SC_PRLIMIT64}, +#endif +#ifdef __NR_ia32_ugetrlimit + [__NR_ia32_ugetrlimit - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRLIMIT_E, PPME_SYSCALL_GETRLIMIT_X, PPM_SC_UGETRLIMIT}, +#endif + [__NR_ia32_fcntl - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCNTL_E, PPME_SYSCALL_FCNTL_X, 
PPM_SC_FCNTL}, +#ifdef __NR_ia32_fcntl64 + [__NR_ia32_fcntl64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCNTL_E, PPME_SYSCALL_FCNTL_X, PPM_SC_FCNTL64}, +#endif +#ifdef __NR_ia32_chmod + [__NR_ia32_chmod - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_CHMOD_E, PPME_SYSCALL_CHMOD_X, PPM_SC_CHMOD}, +#endif + [__NR_ia32_mount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MOUNT_E, PPME_SYSCALL_MOUNT_X, PPM_SC_MOUNT}, +#ifdef __NR_ia32_umount2 + [__NR_ia32_umount2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT2_E, PPME_SYSCALL_UMOUNT2_X, PPM_SC_UMOUNT2}, +#endif + [__NR_ia32_ptrace - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PTRACE_E, PPME_SYSCALL_PTRACE_X, PPM_SC_PTRACE}, + +#ifndef __NR_ia32_socketcall + [__NR_ia32_socket - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPM_SC_SOCKET}, + [__NR_ia32_bind - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPM_SC_BIND}, + [__NR_ia32_connect - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPM_SC_CONNECT}, + [__NR_ia32_listen - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_LISTEN_E, PPME_SOCKET_LISTEN_X, PPM_SC_LISTEN}, + [__NR_ia32_accept - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_ACCEPT_5_E, PPME_SOCKET_ACCEPT_5_X, PPM_SC_ACCEPT}, + [__NR_ia32_getsockname - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SOCKET_GETSOCKNAME_E, PPME_SOCKET_GETSOCKNAME_X, PPM_SC_GETSOCKNAME}, + [__NR_ia32_getpeername - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SOCKET_GETPEERNAME_E, PPME_SOCKET_GETPEERNAME_X, PPM_SC_GETPEERNAME}, + [__NR_ia32_socketpair - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X, PPM_SC_SOCKETPAIR}, + [__NR_ia32_sendto - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPM_SC_SENDTO}, + [__NR_ia32_recvfrom - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPM_SC_RECVFROM}, + 
[__NR_ia32_shutdown - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SHUTDOWN_E, PPME_SOCKET_SHUTDOWN_X, PPM_SC_SHUTDOWN}, + [__NR_ia32_setsockopt - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SOCKET_SETSOCKOPT_E, PPME_SOCKET_SETSOCKOPT_X, PPM_SC_SETSOCKOPT}, + [__NR_ia32_getsockopt - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_GETSOCKOPT_E, PPME_SOCKET_GETSOCKOPT_X, PPM_SC_GETSOCKOPT}, + [__NR_ia32_sendmsg - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SENDMSG_E, PPME_SOCKET_SENDMSG_X, PPM_SC_SENDMSG}, + [__NR_ia32_accept4 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPM_SC_ACCEPT4}, +#else + [__NR_ia32_socketcall - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SOCKETCALL}, +#endif + +#ifdef __NR_ia32_sendmmsg + [__NR_ia32_sendmmsg - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SENDMMSG_E, PPME_SOCKET_SENDMMSG_X, PPM_SC_SENDMMSG}, +#endif +#ifdef __NR_ia32_recvmsg + [__NR_ia32_recvmsg - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPM_SC_RECVMSG}, +#endif +#ifdef __NR_ia32_recvmmsg + [__NR_ia32_recvmmsg - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECVMMSG_E, PPME_SOCKET_RECVMMSG_X, PPM_SC_RECVMMSG}, +#endif +#ifdef __NR_ia32_stat64 + [__NR_ia32_stat64 - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_STAT64_E, PPME_SYSCALL_STAT64_X, PPM_SC_STAT64}, +#endif +#ifdef __NR_ia32_fstat64 + [__NR_ia32_fstat64 - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_FSTAT64_E, PPME_SYSCALL_FSTAT64_X, PPM_SC_FSTAT64}, +#endif +#ifdef __NR_ia32__llseek + [__NR_ia32__llseek - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_LLSEEK_E, PPME_SYSCALL_LLSEEK_X, PPM_SC__LLSEEK}, +#endif +#ifdef __NR_ia32_mmap + [__NR_ia32_mmap - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MMAP_E, PPME_SYSCALL_MMAP_X, PPM_SC_MMAP}, +#endif +#ifdef __NR_ia32_mmap2 + [__NR_ia32_mmap2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MMAP2_E, PPME_SYSCALL_MMAP2_X, PPM_SC_MMAP2}, +#endif + [__NR_ia32_munmap - 
SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_MUNMAP_E, PPME_SYSCALL_MUNMAP_X, PPM_SC_MUNMAP}, + [__NR_ia32_splice - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SPLICE_E, PPME_SYSCALL_SPLICE_X, PPM_SC_SPLICE}, +#ifdef __NR_ia32_rename + [__NR_ia32_rename - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_RENAME_E, PPME_SYSCALL_RENAME_X, PPM_SC_RENAME}, +#endif +#ifdef __NR_ia32_renameat + [__NR_ia32_renameat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_RENAMEAT_E, PPME_SYSCALL_RENAMEAT_X, PPM_SC_RENAMEAT}, +#endif + [__NR_ia32_symlink - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SYMLINK_E, PPME_SYSCALL_SYMLINK_X, PPM_SC_SYMLINK}, + [__NR_ia32_symlinkat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SYMLINKAT_E, PPME_SYSCALL_SYMLINKAT_X, PPM_SC_SYMLINKAT}, + [__NR_ia32_sendfile - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SENDFILE_E, PPME_SYSCALL_SENDFILE_X, PPM_SC_SENDFILE}, +#ifdef __NR_ia32_sendfile64 + [__NR_ia32_sendfile64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SENDFILE_E, PPME_SYSCALL_SENDFILE_X, PPM_SC_SENDFILE64}, +#endif +#ifdef __NR_ia32_quotactl + [__NR_ia32_quotactl - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_QUOTACTL_E, PPME_SYSCALL_QUOTACTL_X, PPM_SC_QUOTACTL}, +#endif +#ifdef __NR_ia32_setresuid + [__NR_ia32_setresuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETRESUID_E, PPME_SYSCALL_SETRESUID_X, PPM_SC_SETRESUID}, +#endif +#ifdef __NR_ia32_setresuid32 + [__NR_ia32_setresuid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETRESUID_E, PPME_SYSCALL_SETRESUID_X, PPM_SC_SETRESUID32}, +#endif +#ifdef __NR_ia32_setresgid + [__NR_ia32_setresgid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETRESGID_E, PPME_SYSCALL_SETRESGID_X, PPM_SC_SETRESGID}, +#endif +#ifdef __NR_ia32_setresgid32 + [__NR_ia32_setresgid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETRESGID_E, PPME_SYSCALL_SETRESGID_X, PPM_SC_SETRESGID32}, +#endif +#ifdef __NR_ia32_setuid + [__NR_ia32_setuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETUID_E, 
PPME_SYSCALL_SETUID_X, PPM_SC_SETUID}, +#endif +#ifdef __NR_ia32_setuid32 + [__NR_ia32_setuid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETUID_E, PPME_SYSCALL_SETUID_X, PPM_SC_SETUID32}, +#endif +#ifdef __NR_ia32_setgid + [__NR_ia32_setgid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETGID_E, PPME_SYSCALL_SETGID_X, PPM_SC_SETGID}, +#endif +#ifdef __NR_ia32_setgid32 + [__NR_ia32_setgid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETGID_E, PPME_SYSCALL_SETGID_X, PPM_SC_SETGID32}, +#endif +#ifdef __NR_ia32_getuid + [__NR_ia32_getuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPM_SC_GETUID}, +#endif +#ifdef __NR_ia32_getuid32 + [__NR_ia32_getuid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPM_SC_GETUID32}, +#endif +#ifdef __NR_ia32_geteuid + [__NR_ia32_geteuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPM_SC_GETEUID}, +#endif +#ifdef __NR_ia32_geteuid32 + [__NR_ia32_geteuid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPM_SC_GETEUID32}, +#endif +#ifdef __NR_ia32_getgid + [__NR_ia32_getgid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPM_SC_GETGID}, +#endif +#ifdef __NR_ia32_getgid32 + [__NR_ia32_getgid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPM_SC_GETGID32}, +#endif +#ifdef __NR_ia32_getegid + [__NR_ia32_getegid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPM_SC_GETEGID}, +#endif +#ifdef __NR_ia32_getegid32 + [__NR_ia32_getegid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPM_SC_GETEGID32}, +#endif +#ifdef __NR_ia32_getresuid + [__NR_ia32_getresuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRESUID_E, PPME_SYSCALL_GETRESUID_X, PPM_SC_GETRESUID}, +#endif +#ifdef __NR_ia32_getresuid32 + [__NR_ia32_getresuid32 - SYSCALL_TABLE_ID0] = {UF_USED, 
PPME_SYSCALL_GETRESUID_E, PPME_SYSCALL_GETRESUID_X, PPM_SC_GETRESUID32}, +#endif +#ifdef __NR_ia32_getresgid + [__NR_ia32_getresgid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRESGID_E, PPME_SYSCALL_GETRESGID_X, PPM_SC_GETRESGID}, +#endif +#ifdef __NR_ia32_getresgid32 + [__NR_ia32_getresgid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRESGID_E, PPME_SYSCALL_GETRESGID_X, PPM_SC_GETRESGID32}, +#endif +#ifdef __NR_ia32_getdents + [__NR_ia32_getdents - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_GETDENTS_E, PPME_SYSCALL_GETDENTS_X, PPM_SC_GETDENTS}, +#endif + [__NR_ia32_getdents64 - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_GETDENTS64_E, PPME_SYSCALL_GETDENTS64_X, PPM_SC_GETDENTS64}, +#ifdef __NR_ia32_setns + [__NR_ia32_setns - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETNS_E, PPME_SYSCALL_SETNS_X, PPM_SC_SETNS}, +#endif +#ifdef __NR_ia32_unshare + [__NR_ia32_unshare - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_UNSHARE_E, PPME_SYSCALL_UNSHARE_X, PPM_SC_UNSHARE}, +#endif + [__NR_ia32_flock - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_FLOCK_E, PPME_SYSCALL_FLOCK_X, PPM_SC_FLOCK}, +#ifdef __NR_ia32_semop + [__NR_ia32_semop - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SEMOP_E, PPME_SYSCALL_SEMOP_X, PPM_SC_SEMOP}, +#endif +#ifdef __NR_ia32_semget + [__NR_ia32_semget - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SEMGET_E, PPME_SYSCALL_SEMGET_X, PPM_SC_SEMGET}, +#endif +#ifdef __NR_ia32_semctl + [__NR_ia32_semctl - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SEMCTL_E, PPME_SYSCALL_SEMCTL_X, PPM_SC_SEMCTL}, +#endif + [__NR_ia32_ppoll - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_PPOLL_E, PPME_SYSCALL_PPOLL_X, PPM_SC_PPOLL}, +#ifdef __NR_ia32_access + [__NR_ia32_access - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_ACCESS_E, PPME_SYSCALL_ACCESS_X, PPM_SC_ACCESS}, +#endif +#ifdef __NR_ia32_chroot + 
[__NR_ia32_chroot - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CHROOT_E, PPME_SYSCALL_CHROOT_X, PPM_SC_CHROOT}, +#endif + [__NR_ia32_setsid - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SETSID_E, PPME_SYSCALL_SETSID_X, PPM_SC_SETSID}, + [__NR_ia32_setpgid - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SETPGID_E, PPME_SYSCALL_SETPGID_X, PPM_SC_SETPGID}, +#ifdef __NR_ia32_bpf + [__NR_ia32_bpf - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_BPF_2_E, PPME_SYSCALL_BPF_2_X, PPM_SC_BPF}, +#endif +#ifdef __NR_ia32_seccomp + [__NR_ia32_seccomp - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SECCOMP_E, PPME_SYSCALL_SECCOMP_X, PPM_SC_SECCOMP}, +#endif +#ifdef __NR_ia32_renameat2 + [__NR_ia32_renameat2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_RENAMEAT2_E, PPME_SYSCALL_RENAMEAT2_X, PPM_SC_RENAMEAT2}, +#endif +#ifdef __NR_ia32_userfaultfd + [__NR_ia32_userfaultfd - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_USERFAULTFD_E, PPME_SYSCALL_USERFAULTFD_X, PPM_SC_USERFAULTFD}, +#endif +#ifdef __NR_ia32_openat2 + [__NR_ia32_openat2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_OPENAT2_E, PPME_SYSCALL_OPENAT2_X, PPM_SC_OPENAT2}, +#endif +#ifdef __NR_ia32_clone3 + [__NR_ia32_clone3 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE3_E, PPME_SYSCALL_CLONE3_X, PPM_SC_CLONE3}, +#endif +#ifdef __NR_ia32_mprotect + [__NR_ia32_mprotect - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MPROTECT_E, PPME_SYSCALL_MPROTECT_X, PPM_SC_MPROTECT}, +#endif +#ifdef __NR_ia32_execveat + [__NR_ia32_execveat - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVEAT_E, PPME_SYSCALL_EXECVEAT_X, PPM_SC_EXECVEAT}, +#endif +#ifdef __NR_ia32_io_uring_setup + [__NR_ia32_io_uring_setup - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_IO_URING_SETUP_E, PPME_SYSCALL_IO_URING_SETUP_X, PPM_SC_IO_URING_SETUP}, +#endif +#ifdef __NR_ia32_io_uring_enter + [__NR_ia32_io_uring_enter - SYSCALL_TABLE_ID0] = {UF_USED, 
PPME_SYSCALL_IO_URING_ENTER_E, PPME_SYSCALL_IO_URING_ENTER_X, PPM_SC_IO_URING_ENTER}, +#endif +#ifdef __NR_ia32_io_uring_register + [__NR_ia32_io_uring_register - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_IO_URING_REGISTER_E, PPME_SYSCALL_IO_URING_REGISTER_X, PPM_SC_IO_URING_REGISTER}, +#endif +#ifdef __NR_ia32_copy_file_range + [__NR_ia32_copy_file_range - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_COPY_FILE_RANGE_E, PPME_SYSCALL_COPY_FILE_RANGE_X, PPM_SC_COPY_FILE_RANGE}, +#endif +#ifdef __NR_ia32_open_by_handle_at + [__NR_ia32_open_by_handle_at - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_OPEN_BY_HANDLE_AT_E, PPME_SYSCALL_OPEN_BY_HANDLE_AT_X, PPM_SC_OPEN_BY_HANDLE_AT}, +#endif +#ifdef __NR_ia32_mlock + [__NR_ia32_mlock - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MLOCK_E, PPME_SYSCALL_MLOCK_X, PPM_SC_MLOCK}, +#endif +#ifdef __NR_ia32_munlock + [__NR_ia32_munlock - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MUNLOCK_E, PPME_SYSCALL_MUNLOCK_X, PPM_SC_MUNLOCK}, +#endif +#ifdef __NR_ia32_mlockall + [__NR_ia32_mlockall - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MLOCKALL_E, PPME_SYSCALL_MLOCKALL_X, PPM_SC_MLOCKALL}, +#endif +#ifdef __NR_ia32_munlockall + [__NR_ia32_munlockall - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MUNLOCKALL_E, PPME_SYSCALL_MUNLOCKALL_X, PPM_SC_MUNLOCKALL}, +#endif +#ifdef __NR_mlock2 + [__NR_ia32_mlock2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MLOCK2_E, PPME_SYSCALL_MLOCK2_X, PPM_SC_MLOCK2}, +#endif +#ifdef __NR_ia32_fsconfig + [__NR_ia32_fsconfig - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FSCONFIG_E, PPME_SYSCALL_FSCONFIG_X, PPM_SC_FSCONFIG}, +#endif +#ifdef __NR_ia32_epoll_create + [__NR_ia32_epoll_create - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE_E, PPME_SYSCALL_EPOLL_CREATE_X, PPM_SC_EPOLL_CREATE}, +#endif +#ifdef __NR_ia32_epoll_create1 + [__NR_ia32_epoll_create1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE1_E, PPME_SYSCALL_EPOLL_CREATE1_X, 
PPM_SC_EPOLL_CREATE1}, +#endif +#ifdef __NR_ia32_lstat64 + [__NR_ia32_lstat64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LSTAT64_E, PPME_SYSCALL_LSTAT64_X, PPM_SC_LSTAT64}, +#endif +#ifdef __NR_ia32_umount + [__NR_ia32_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_1_E, PPME_SYSCALL_UMOUNT_1_X, PPM_SC_UMOUNT}, +#endif +#ifdef __NR_ia32_recv + [__NR_ia32_recv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECV_E, PPME_SOCKET_RECV_X, PPM_SC_RECV}, +#endif +#ifdef __NR_ia32_send + [__NR_ia32_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND}, +#endif + [__NR_ia32_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL }, + [__NR_ia32_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT}, +#ifdef __NR_ia32_time + [__NR_ia32_time - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIME}, +#endif +#ifdef __NR_ia32_mknod + [__NR_ia32_mknod - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MKNOD}, +#endif + [__NR_ia32_getpid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPID}, + [__NR_ia32_sync - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYNC}, + [__NR_ia32_times - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMES}, + [__NR_ia32_acct - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ACCT}, + [__NR_ia32_umask - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UMASK}, +#ifdef __NR_ia32_ustat + [__NR_ia32_ustat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_USTAT}, +#endif + [__NR_ia32_getppid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPPID}, +#ifdef __NR_ia32_getpgrp + [__NR_ia32_getpgrp - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPGRP}, +#endif + [__NR_ia32_sethostname - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETHOSTNAME}, + [__NR_ia32_getrusage - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETRUSAGE}, + [__NR_ia32_gettimeofday - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETTIMEOFDAY}, + [__NR_ia32_settimeofday - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETTIMEOFDAY}, +#ifdef __NR_ia32_readlink + [__NR_ia32_readlink - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_READLINK}, 
+#endif + [__NR_ia32_swapon - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SWAPON}, + [__NR_ia32_reboot - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_REBOOT}, + [__NR_ia32_truncate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TRUNCATE}, + [__NR_ia32_ftruncate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FTRUNCATE}, + [__NR_ia32_getpriority - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_GETPRIORITY}, + [__NR_ia32_setpriority - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SETPRIORITY}, + [__NR_ia32_statfs - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_STATFS}, + [__NR_ia32_fstatfs - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_FSTATFS}, + [__NR_ia32_setitimer - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SETITIMER}, + [__NR_ia32_getitimer - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_GETITIMER}, + [__NR_ia32_uname - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_UNAME}, + [__NR_ia32_vhangup - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_VHANGUP}, + [__NR_ia32_wait4 - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_WAIT4}, + [__NR_ia32_swapoff - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SWAPOFF}, + [__NR_ia32_sysinfo - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SYSINFO}, + [__NR_ia32_fsync - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_FSYNC}, + [__NR_ia32_setdomainname - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SETDOMAINNAME}, + [__NR_ia32_adjtimex - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_ADJTIMEX}, + [__NR_ia32_init_module - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_INIT_MODULE}, + [__NR_ia32_delete_module - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_DELETE_MODULE}, + [__NR_ia32_getpgid - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_GETPGID}, +#ifdef __NR_ia32_sysfs + [__NR_ia32_sysfs - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYSFS}, +#endif + [__NR_ia32_personality - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PERSONALITY}, + [__NR_ia32_msync - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSYNC}, + [__NR_ia32_getsid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETSID}, + [__NR_ia32_fdatasync - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FDATASYNC}, + [__NR_ia32_sched_setscheduler - SYSCALL_TABLE_ID0] = 
{.ppm_sc = PPM_SC_SCHED_SETSCHEDULER}, + [__NR_ia32_sched_getscheduler - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETSCHEDULER}, + [__NR_ia32_sched_yield - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_YIELD}, + [__NR_ia32_sched_get_priority_max - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MAX}, + [__NR_ia32_sched_get_priority_min - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MIN}, + [__NR_ia32_sched_rr_get_interval - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_RR_GET_INTERVAL}, + [__NR_ia32_mremap - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MREMAP}, +#ifdef __NR_ia32_prctl + [__NR_ia32_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL }, +#endif +#ifdef __NR_ia32_arch_prctl + [__NR_ia32_arch_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ARCH_PRCTL}, +#endif + [__NR_ia32_rt_sigaction - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGACTION}, + [__NR_ia32_rt_sigprocmask - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGPROCMASK}, + [__NR_ia32_rt_sigpending - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGPENDING}, + [__NR_ia32_rt_sigtimedwait - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGTIMEDWAIT}, + [__NR_ia32_rt_sigqueueinfo - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGQUEUEINFO}, + [__NR_ia32_rt_sigsuspend - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGSUSPEND}, + [__NR_ia32_capget - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CAPGET}, + + [__NR_ia32_setreuid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETREUID}, + [__NR_ia32_setregid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETREGID}, + [__NR_ia32_getgroups - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETGROUPS}, + [__NR_ia32_setgroups - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETGROUPS}, +#ifdef __NR_ia32_fchown + [__NR_ia32_fchown - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHOWN_E, PPME_SYSCALL_FCHOWN_X, PPM_SC_FCHOWN}, +#endif +#ifdef __NR_ia32_chown + [__NR_ia32_chown - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_CHOWN_E, 
PPME_SYSCALL_CHOWN_X, PPM_SC_CHOWN}, +#endif + [__NR_ia32_setfsuid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETFSUID}, + [__NR_ia32_setfsgid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETFSGID}, + [__NR_ia32_pivot_root - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIVOT_ROOT}, + [__NR_ia32_mincore - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MINCORE}, + [__NR_ia32_madvise - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MADVISE}, + [__NR_ia32_gettid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETTID}, + [__NR_ia32_setxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETXATTR}, + [__NR_ia32_lsetxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LSETXATTR}, + [__NR_ia32_fsetxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSETXATTR}, + [__NR_ia32_getxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETXATTR}, + [__NR_ia32_lgetxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LGETXATTR}, + [__NR_ia32_fgetxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FGETXATTR}, + [__NR_ia32_listxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LISTXATTR}, + [__NR_ia32_llistxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LLISTXATTR}, + [__NR_ia32_flistxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FLISTXATTR}, + [__NR_ia32_removexattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_REMOVEXATTR}, + [__NR_ia32_lremovexattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LREMOVEXATTR}, + [__NR_ia32_fremovexattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FREMOVEXATTR}, + [__NR_ia32_sched_setaffinity - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_SETAFFINITY}, + [__NR_ia32_sched_getaffinity - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETAFFINITY}, +#ifdef __NR_ia32_set_thread_area + [__NR_ia32_set_thread_area - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_THREAD_AREA}, +#endif +#ifdef __NR_ia32_get_thread_area + [__NR_ia32_get_thread_area - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GET_THREAD_AREA}, +#endif + [__NR_ia32_io_setup - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_SETUP}, + [__NR_ia32_io_destroy - SYSCALL_TABLE_ID0] = {.ppm_sc = 
PPM_SC_IO_DESTROY}, + [__NR_ia32_io_getevents - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_GETEVENTS}, + [__NR_ia32_io_submit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_SUBMIT}, + [__NR_ia32_io_cancel - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_CANCEL}, + [__NR_ia32_exit_group - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT_GROUP}, + [__NR_ia32_remap_file_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_REMAP_FILE_PAGES}, + [__NR_ia32_set_tid_address - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_TID_ADDRESS}, + [__NR_ia32_timer_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_CREATE}, + [__NR_ia32_timer_settime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_SETTIME}, + [__NR_ia32_timer_gettime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_GETTIME}, + [__NR_ia32_timer_getoverrun - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_GETOVERRUN}, + [__NR_ia32_timer_delete - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_DELETE}, + [__NR_ia32_clock_settime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_SETTIME}, + [__NR_ia32_clock_gettime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_GETTIME}, + [__NR_ia32_clock_getres - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_GETRES}, + [__NR_ia32_clock_nanosleep - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_NANOSLEEP}, +#ifdef __NR_ia32_utimes + [__NR_ia32_utimes - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UTIMES}, +#endif + [__NR_ia32_mq_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_OPEN}, + [__NR_ia32_mq_unlink - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_UNLINK}, + [__NR_ia32_mq_timedsend - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_TIMEDSEND}, + [__NR_ia32_mq_timedreceive - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_TIMEDRECEIVE}, + [__NR_ia32_mq_notify - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_NOTIFY}, + [__NR_ia32_mq_getsetattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_GETSETATTR}, + [__NR_ia32_kexec_load - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEXEC_LOAD}, + [__NR_ia32_waitid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_WAITID}, 
+ [__NR_ia32_add_key - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ADD_KEY}, + [__NR_ia32_request_key - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_REQUEST_KEY}, + [__NR_ia32_keyctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEYCTL}, + [__NR_ia32_ioprio_set - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPRIO_SET}, + [__NR_ia32_ioprio_get - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPRIO_GET}, + [__NR_ia32_inotify_add_watch - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_INOTIFY_ADD_WATCH}, + [__NR_ia32_inotify_rm_watch - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_INOTIFY_RM_WATCH}, + [__NR_ia32_mknodat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MKNODAT}, +#ifdef __NR_ia32_fchownat + [__NR_ia32_fchownat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHOWNAT_E, PPME_SYSCALL_FCHOWNAT_X, PPM_SC_FCHOWNAT}, +#endif +#ifdef __NR_ia32_futimesat + [__NR_ia32_futimesat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FUTIMESAT}, +#endif + [__NR_ia32_readlinkat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_READLINKAT}, + [__NR_ia32_faccessat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FACCESSAT}, + [__NR_ia32_set_robust_list - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_ROBUST_LIST}, + [__NR_ia32_get_robust_list - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GET_ROBUST_LIST}, + [__NR_ia32_tee - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TEE}, + [__NR_ia32_vmsplice - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_VMSPLICE}, +#ifdef __NR_ia32_getcpu + [__NR_ia32_getcpu - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETCPU}, +#endif + [__NR_ia32_epoll_pwait - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_PWAIT}, + [__NR_ia32_utimensat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UTIMENSAT}, + [__NR_ia32_timerfd_settime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMERFD_SETTIME}, + [__NR_ia32_timerfd_gettime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMERFD_GETTIME}, + [__NR_ia32_rt_tgsigqueueinfo - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_TGSIGQUEUEINFO}, + [__NR_ia32_perf_event_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PERF_EVENT_OPEN}, +#ifdef 
__NR_ia32_fanotify_init + [__NR_ia32_fanotify_init - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FANOTIFY_INIT}, +#endif +#ifdef __NR_ia32_clock_adjtime + [__NR_ia32_clock_adjtime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_ADJTIME}, +#endif +#ifdef __NR_ia32_syncfs + [__NR_ia32_syncfs - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYNCFS}, +#endif +#ifdef __NR_ia32_msgsnd + [__NR_ia32_msgsnd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSGSND}, +#endif +#ifdef __NR_ia32_msgrcv + [__NR_ia32_msgrcv - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSGRCV}, +#endif +#ifdef __NR_ia32_msgget + [__NR_ia32_msgget - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSGGET}, +#endif +#ifdef __NR_ia32_msgctl + [__NR_ia32_msgctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSGCTL}, +#endif +#ifdef __NR_ia32_shmdt + [__NR_ia32_shmdt - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMDT}, +#endif +#ifdef __NR_ia32_shmget + [__NR_ia32_shmget - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMGET}, +#endif +#ifdef __NR_ia32_shmctl + [__NR_ia32_shmctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMCTL}, +#endif +#ifdef __NR_ia32_statfs64 + [__NR_ia32_statfs64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_STATFS64}, +#endif +#ifdef __NR_ia32_fstatfs64 + [__NR_ia32_fstatfs64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSTATFS64}, +#endif +#ifdef __NR_ia32_fstatat64 + [__NR_ia32_fstatat64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSTATAT64}, +#endif +#ifdef __NR_ia32_bdflush + [__NR_ia32_bdflush - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_BDFLUSH}, +#endif +#ifdef __NR_ia32_sigprocmask + [__NR_ia32_sigprocmask - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGPROCMASK}, +#endif +#ifdef __NR_ia32_ipc + [__NR_ia32_ipc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IPC}, +#endif +#ifdef __NR_ia32__newselect + [__NR_ia32__newselect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC__NEWSELECT}, +#endif +#ifdef __NR_ia32_sgetmask + [__NR_ia32_sgetmask - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SGETMASK}, +#endif +#ifdef __NR_ia32_ssetmask + [__NR_ia32_ssetmask - 
SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SSETMASK}, +#endif +#ifdef __NR_ia32_sigpending + [__NR_ia32_sigpending - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGPENDING}, +#endif +#ifdef __NR_ia32_olduname + [__NR_ia32_olduname - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OLDUNAME}, +#endif +#ifdef __NR_ia32_signal + [__NR_ia32_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGNAL}, +#endif +#ifdef __NR_ia32_nice + [__NR_ia32_nice - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NICE}, +#endif +#ifdef __NR_ia32_stime + [__NR_ia32_stime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_STIME}, +#endif +#ifdef __NR_ia32_waitpid + [__NR_ia32_waitpid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_WAITPID}, +#endif +#ifdef __NR_ia32_shmat + [__NR_ia32_shmat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMAT}, +#endif +#ifdef __NR_ia32_rt_sigreturn + [__NR_ia32_rt_sigreturn - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGRETURN}, +#endif +#ifdef __NR_ia32_fallocate + [__NR_ia32_fallocate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FALLOCATE}, +#endif +#ifdef __NR_ia32_newfstatat + [__NR_ia32_newfstatat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NEWFSTATAT}, +#endif +#ifdef __NR_ia32_finit_module + [__NR_ia32_finit_module - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FINIT_MODULE}, +#endif +#ifdef __NR_ia32_sigaltstack + [__NR_ia32_sigaltstack - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGALTSTACK}, +#endif +#ifdef __NR_ia32_getrandom + [__NR_ia32_getrandom - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETRANDOM}, +#endif +#ifdef __NR_ia32_fadvise64 + [__NR_ia32_fadvise64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FADVISE64}, +#endif +#ifdef __NR_ia32_fspick + [__NR_ia32_fspick - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSPICK}, +#endif +#ifdef __NR_ia32_fsmount + [__NR_ia32_fsmount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSMOUNT}, +#endif +#ifdef __NR_ia32_fsopen + [__NR_ia32_fsopen - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSOPEN}, +#endif +#ifdef __NR_ia32_open_tree + [__NR_ia32_open_tree - SYSCALL_TABLE_ID0] = {.ppm_sc = 
PPM_SC_OPEN_TREE}, +#endif +#ifdef __NR_ia32_move_mount + [__NR_ia32_move_mount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_MOUNT}, +#endif +#ifdef __NR_ia32_mount_setattr + [__NR_ia32_mount_setattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOUNT_SETATTR}, +#endif +#ifdef __NR_ia32_memfd_create + [__NR_ia32_memfd_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_CREATE}, +#endif +#ifdef __NR_ia32_memfd_secret + [__NR_ia32_memfd_secret - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_SECRET}, +#endif +#ifdef __NR_ia32_ioperm + [__NR_ia32_ioperm - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPERM}, +#endif +#ifdef __NR_ia32_kexec_file_load + [__NR_ia32_kexec_file_load - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEXEC_FILE_LOAD}, +#endif +#ifdef __NR_ia32_pidfd_getfd + [__NR_ia32_pidfd_getfd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_GETFD}, +#endif +#ifdef __NR_ia32_pidfd_open + [__NR_ia32_pidfd_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_OPEN}, +#endif +#ifdef __NR_ia32_pidfd_send_signal + [__NR_ia32_pidfd_send_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_SEND_SIGNAL}, +#endif +#ifdef __NR_ia32_pkey_alloc + [__NR_ia32_pkey_alloc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_ALLOC}, +#endif +#ifdef __NR_ia32_pkey_mprotect + [__NR_ia32_pkey_mprotect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_MPROTECT}, +#endif +#ifdef __NR_ia32_pkey_free + [__NR_ia32_pkey_free - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_FREE}, +#endif +#ifdef __NR_ia32_landlock_create_ruleset + [__NR_ia32_landlock_create_ruleset - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_CREATE_RULESET}, +#endif +#ifdef __NR_ia32_quotactl_fd + [__NR_ia32_quotactl_fd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_QUOTACTL_FD}, +#endif +#ifdef __NR_ia32_landlock_restrict_self + [__NR_ia32_landlock_restrict_self - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_RESTRICT_SELF}, +#endif +#ifdef __NR_ia32_landlock_add_rule + [__NR_ia32_landlock_add_rule - SYSCALL_TABLE_ID0] = {.ppm_sc = 
PPM_SC_LANDLOCK_ADD_RULE}, +#endif +#ifdef __NR_ia32_epoll_pwait2 + [__NR_ia32_epoll_pwait2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_PWAIT2}, +#endif +#ifdef __NR_ia32_migrate_pages + [__NR_ia32_migrate_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MIGRATE_PAGES}, +#endif +#ifdef __NR_ia32_move_pages + [__NR_ia32_move_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_PAGES}, +#endif +#ifdef __NR_ia32_preadv2 + [__NR_ia32_preadv2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PREADV2}, +#endif +#ifdef __NR_ia32_pwritev2 + [__NR_ia32_pwritev2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PWRITEV2}, +#endif +#ifdef __NR_ia32_process_madvise + [__NR_ia32_process_madvise - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_MADVISE}, +#endif +#ifdef __NR_ia32_readahead + [__NR_ia32_readahead - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_READAHEAD}, +#endif +#ifdef __NR_ia32_process_mrelease + [__NR_ia32_process_mrelease - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_MRELEASE}, +#endif +#ifdef __NR_ia32_mbind + [__NR_ia32_mbind - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MBIND}, +#endif +#ifdef __NR_ia32_epoll_wait_old + [__NR_ia32_epoll_wait_old - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_WAIT_OLD}, +#endif +#ifdef __NR_ia32_membarrier + [__NR_ia32_membarrier - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMBARRIER}, +#endif +#ifdef __NR_ia32_modify_ldt + [__NR_ia32_modify_ldt - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MODIFY_LDT}, +#endif +#ifdef __NR_ia32_semtimedop + [__NR_ia32_semtimedop - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SEMTIMEDOP}, +#endif +#ifdef __NR_ia32_name_to_handle_at + [__NR_ia32_name_to_handle_at - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NAME_TO_HANDLE_AT}, +#endif +#ifdef __NR_ia32_kcmp + [__NR_ia32_kcmp - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KCMP}, +#endif +#ifdef __NR_ia32_epoll_ctl_old + [__NR_ia32_epoll_ctl_old - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CTL_OLD}, +#endif +#ifdef __NR_ia32_create_module + [__NR_ia32_create_module - SYSCALL_TABLE_ID0] = 
{.ppm_sc = PPM_SC_CREATE_MODULE}, +#endif +#ifdef __NR_ia32_futex_waitv + [__NR_ia32_futex_waitv - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FUTEX_WAITV}, +#endif +#ifdef __NR_ia32_iopl + [__NR_ia32_iopl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPL}, +#endif +#ifdef __NR_ia32__sysctl + [__NR_ia32__sysctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC__SYSCTL}, +#endif +#ifdef __NR_ia32_lookup_dcookie + [__NR_ia32_lookup_dcookie - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LOOKUP_DCOOKIE}, +#endif +#ifdef __NR_ia32_rseq + [__NR_ia32_rseq - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RSEQ}, +#endif +#ifdef __NR_ia32_io_pgetevents + [__NR_ia32_io_pgetevents - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_PGETEVENTS}, +#endif +#ifdef __NR_ia32_getpmsg + [__NR_ia32_getpmsg - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPMSG}, +#endif +#ifdef __NR_ia32_sched_setattr + [__NR_ia32_sched_setattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_SETATTR}, +#endif +#ifdef __NR_ia32_get_kernel_syms + [__NR_ia32_get_kernel_syms - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GET_KERNEL_SYMS}, +#endif +#ifdef __NR_ia32_set_mempolicy_home_node + [__NR_ia32_set_mempolicy_home_node - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_MEMPOLICY_HOME_NODE}, +#endif +#ifdef __NR_ia32_close_range + [__NR_ia32_close_range - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOSE_RANGE}, +#endif +#ifdef __NR_ia32_get_mempolicy + [__NR_ia32_get_mempolicy - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GET_MEMPOLICY}, +#endif +#ifdef __NR_ia32_sched_getattr + [__NR_ia32_sched_getattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETATTR}, +#endif +#ifdef __NR_ia32_nfsservctl + [__NR_ia32_nfsservctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NFSSERVCTL}, +#endif +#ifdef __NR_ia32_faccessat2 + [__NR_ia32_faccessat2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FACCESSAT2}, +#endif +#ifdef __NR_ia32_sync_file_range + [__NR_ia32_sync_file_range - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYNC_FILE_RANGE}, +#endif +#ifdef __NR_ia32_query_module + 
[__NR_ia32_query_module - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_QUERY_MODULE}, +#endif +#ifdef __NR_ia32_statx + [__NR_ia32_statx - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_STATX}, +#endif +#ifdef __NR_ia32_set_mempolicy + [__NR_ia32_set_mempolicy - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_MEMPOLICY}, +#endif +#ifdef __NR_ia32_fanotify_mark + [__NR_ia32_fanotify_mark - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FANOTIFY_MARK}, +#endif +#ifdef __NR_ia32_sched_setparam + [__NR_ia32_sched_setparam - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_SETPARAM}, +#endif +#ifdef __NR_ia32_process_vm_readv + [__NR_ia32_process_vm_readv - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_VM_READV}, +#endif +#ifdef __NR_ia32_pause + [__NR_ia32_pause - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PAUSE}, +#endif +#ifdef __NR_ia32_epoll_ctl + [__NR_ia32_epoll_ctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CTL}, +#endif +#ifdef __NR_ia32_process_vm_writev + [__NR_ia32_process_vm_writev - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_VM_WRITEV}, +#endif +#ifdef __NR_ia32_sched_getparam + [__NR_ia32_sched_getparam - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETPARAM}, +#endif +#ifdef __NR_ia32_pselect6 + [__NR_ia32_pselect6 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PSELECT6}, +#endif +#ifdef __NR_ia32_lchown + [__NR_ia32_lchown - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LCHOWN_E, PPME_SYSCALL_LCHOWN_X, PPM_SC_LCHOWN}, +#endif +#ifdef __NR_ia32_alarm + [__NR_ia32_alarm - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ALARM}, +#endif +#ifdef __NR_ia32_utime + [__NR_ia32_utime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UTIME}, +#endif +#ifdef __NR_ia32_syslog + [__NR_ia32_syslog - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYSLOG}, +#endif +#ifdef __NR_ia32_uselib + [__NR_ia32_uselib - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_USELIB}, +>>>>>>> 714a0d84 (chore(driver): prctl cleanup) #endif }; 
diff --git a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp index 18b2cf5d94..7b2c83b04e 100644 --- a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp @@ -73,7 +73,7 @@ TEST(SyscallExit, prctlX_set_child_subreaper) evt_test->assert_numeric_param(2, option); //PR_SET_CHILD_SUBREAPER /* Parameter 3: arg2_str (type: PT_CHARBUF) */ - //evt_test->assert_charbuf_param(3, newname); + evt_test->assert_empty_param(3); /* Parameter 4: arg2_int (type: PT_INT64) */ evt_test->assert_numeric_param(4, (int64_t)arg2); @@ -155,7 +155,7 @@ TEST(SyscallExit, prctlX_set_name) evt_test->assert_charbuf_param(3, newname); /* Parameter 4: arg2_int (type: PT_INT64) */ - evt_test->assert_numeric_param(4, (uint64_t)0); + evt_test->assert_numeric_param(4, (int64_t)0); /*=============================== ASSERT PARAMETERS ===========================*/ From eb11c77b04a5d39d27544ca812c336a01ec1b1ee Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 5 Apr 2023 17:59:19 +0000 Subject: [PATCH 10/22] chore(driver): refactor to match the other fillers Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 52 ++++++++++------- .../definitions/events_dimensions.h | 2 +- .../definitions/missing_definitions.h | 28 +++++++++ .../syscall_dispatched_events/prctl.bpf.c | 20 +++---- driver/ppm_events_public.h | 1 + driver/ppm_fillers.c | 57 +++++++++++-------- driver/ppm_flag_helpers.h | 52 +++++++++++++++++ .../syscall_exit_suite/prctl_x.cpp | 2 + userspace/libscap/userspace_flag_helpers.h | 1 + 9 files changed, 158 insertions(+), 57 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index b4371a54d2..33c36aba0f 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h 
@@ -7127,48 +7127,58 @@ FILLER(sys_prctl_x, true) /* * option */ - option = bpf_syscall_get_argument(data, 0); + option = prctl_options_to_scap(bpf_syscall_get_argument(data, 0)); res = bpf_val_to_ring(data, option); if (res != PPM_SUCCESS) return res; arg2 = bpf_syscall_get_argument(data, 1); - /* - * arg2_str - */ switch(option){ - case PPM_PR_GET_CHILD_SUBREAPER: - res = bpf_val_to_ring(data, 0); - break; case PPM_PR_SET_NAME: - default: + /* + * arg2_str + */ res = bpf_val_to_ring(data, arg2); - break; - } - if (res != PPM_SUCCESS) - return res; - - /* - * arg2_int - */ - switch(option){ - case PPM_PR_SET_NAME: + if (res != PPM_SUCCESS) + return res; + /* + * arg2_int + */ res = bpf_val_to_ring(data, 0); + if (res != PPM_SUCCESS) + return res; break; case PPM_PR_GET_CHILD_SUBREAPER: + /* + * arg2_str + */ + res = bpf_val_to_ring(data, 0); + if (res != PPM_SUCCESS) + return res; + /* + * arg2_int + */ bpf_probe_read_user(&arg2_int,sizeof(arg2_int),(void*)arg2); res = bpf_val_to_ring(data, (int)arg2_int); break; default: + /* + * arg2_str + */ + res = bpf_val_to_ring(data, arg2); + if (res != PPM_SUCCESS) + return res; + /* + * arg2_int + */ res = bpf_val_to_ring(data, arg2); + if (res != PPM_SUCCESS) + return res; break; } - if (res != PPM_SUCCESS) - return res; return res; } - #endif diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index c1f66f9cf4..be44bb32f6 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h 
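Review bot: In the `default:` branch of the switch in `sys_prctl_x`, the `arg2_str` slot is filled with `bpf_val_to_ring(data, arg2)`, so for every option other than PR_SET_NAME and PR_GET_CHILD_SUBREAPER the raw second argument is handed to the charbuf parameter. The kernel-module filler and the modern probe changed in this same patch push an empty value for that slot in their default branches, so the drivers would report different events for the same call. If the charbuf path reads from the address held in `arg2` (not visible here), it also copies whatever process memory sits there into the event. I would make the first store in `default:` `res = bpf_val_to_ring(data, 0);`, as the PR_GET_CHILD_SUBREAPER branch already does. The filler body starts before this hunk.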
@@ -235,7 +235,7 @@ #define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN -#define PRCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN +#define PRCTL_E_SIZE HEADER_LEN #define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint64_t) * 2 + sizeof(int64_t) + 4 * PARAM_LEN /* Generic tracepoints events. */ diff --git a/driver/modern_bpf/definitions/missing_definitions.h b/driver/modern_bpf/definitions/missing_definitions.h index a0f2e9ed17..8ef6b7d0dc 100644 --- a/driver/modern_bpf/definitions/missing_definitions.h +++ b/driver/modern_bpf/definitions/missing_definitions.h @@ -1444,4 +1444,32 @@ /*=============================== OPENED FILE DESCRIPTORS ===========================*/ +/*==================================== PRCTL OPTIONS ================================*/ + +#define PR_GET_DUMPABLE 3 +#define PR_SET_DUMPABLE 4 +#define PR_GET_KEEPCAPS 7 +#define PR_SET_KEEPCAPS 8 +#define PR_SET_NAME 15 +#define PR_GET_NAME 16 +#define PR_GET_SECCOMP 21 +#define PR_SET_SECCOMP 22 +#define PR_CAPBSET_READ 23 +#define PR_CAPBSET_DROP 24 +#define PR_GET_SECUREBITS 27 +#define PR_SET_SECUREBITS 28 +#define PR_MCE_KILL 33 +#define PR_SET_MM 35 +#define PR_SET_CHILD_SUBREAPER 36 +#define PR_GET_CHILD_SUBREAPER 37 +#define PR_SET_NO_NEW_PRIVS 38 +#define PR_GET_NO_NEW_PRIVS 39 +#define PR_GET_TID_ADDRESS 40 +#define PR_SET_THP_DISABLE 41 +#define PR_GET_THP_DISABLE 42 +#define PR_CAP_AMBIENT 47 + +/*==================================== PRCTL OPTIONS ================================*/ + + #endif /* __MISSING_DEFINITIONS_H__ */ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c index 1fc1295486..6a9b8301ef 100644 
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c @@ -60,31 +60,29 @@ int BPF_PROG(prctl_x, auxmap__store_s64_param(auxmap, ret); /* Parameter 2: option (type: PT_UINT64) */ - u32 option = (u32)extract__syscall_argument(regs, 0); + u32 option = (u32)prctl_options_to_scap(extract__syscall_argument(regs, 0)); auxmap__store_u32_param(auxmap, option); unsigned long arg2 = extract__syscall_argument(regs, 1); - /* Parameter 3: arg2_str (type: PT_CHARBUF) */ switch(option){ case PPM_PR_SET_NAME: + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ auxmap__store_charbuf_param(auxmap, arg2, 16, USER); - break; - default: - auxmap__store_charbuf_param(auxmap, 0, 0, USER); - break; - } - - /* Parameter 4: arg2_int (type: PT_INT64) */ - switch(option){ - case PPM_PR_SET_NAME: + /* Parameter 4: arg2_int (type: PT_INT64) */ auxmap__store_s64_param(auxmap, 0); break; case PPM_PR_GET_CHILD_SUBREAPER: + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ + auxmap__store_charbuf_param(auxmap, 0, 0, USER); bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2); + /* Parameter 4: arg2_int (type: PT_INT64) */ auxmap__store_s64_param(auxmap, (int)reaper_pid); break; default: + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ + auxmap__store_charbuf_param(auxmap, 0, 0, USER); + /* Parameter 4: arg2_int (type: PT_INT64) */ auxmap__store_s64_param(auxmap, arg2); break; } diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index be0d59a281..bc109d8404 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -715,6 +715,7 @@ or GPL2.txt for full copies of the license. * Prctl flags */ //XXX take a look at https://github.com/torvalds/linux/blob/master/include/uapi/linux/prctl.h +#define PPM_PR_UNKNOWN 0 /* Get/set current->mm->dumpable */ #define PPM_PR_GET_DUMPABLE 3 #define PPM_PR_SET_DUMPABLE 4 
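Review bot: The comment `/* Parameter 2: option (type: PT_UINT64) */` does not match the code beneath it, which narrows the value to `u32` and stores it with `auxmap__store_u32_param`; the tests in this series label the same parameter PT_ENUMFLAGS32. I would change it to `/* Parameter 2: option (type: PT_ENUMFLAGS32) */` once the event-table entry is confirmed, since that entry is not part of this hunk. In the PR_GET_CHILD_SUBREAPER branch the result of `bpf_probe_read_user` is discarded, so a short comment stating what value is reported when the read fails would help; `reaper_pid` is declared outside the hunk.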
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 4bce033c85..c34d301b5b 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -7983,9 +7983,9 @@ int f_sys_prctl_x(struct event_filler_arguments *args) { int res; int retval; - syscall_arg_t val; syscall_arg_t option; syscall_arg_t arg2; + int reaper_pid; char name[16] = "\0"; /* Parameter 1: res (type: PT_ERRNO) */ @@ -7997,6 +7997,7 @@ int f_sys_prctl_x(struct event_filler_arguments *args) * option */ syscall_get_arguments_deprecated(current, args->regs, 0, 1, &option); + option = prctl_options_to_scap(option); res = val_to_ring(args, option, 0, false, 0); CHECK_RES(res); 
@@ -8005,41 +8006,49 @@ int f_sys_prctl_x(struct event_filler_arguments *args) */ syscall_get_arguments_deprecated(current, args->regs, 1, 1, &arg2); - /* - * arg2str - */ switch(option){ case PPM_PR_SET_NAME: + /* + * arg2_str + */ ppm_strncpy_from_user(name, (const void __user *)arg2, sizeof(name)); name[15] = '\0'; - val = (int64_t)(long)name; - break; - default: - val = 0; - break; - } - res = val_to_ring(args, val, 0, false, 0); - CHECK_RES(res); - - /* - * arg2int - */ - switch(option){ - case PPM_PR_SET_NAME: - arg2 = (unsigned long)NULL; - break; - case PPM_PR_SET_CHILD_SUBREAPER: + res = val_to_ring(args, (int64_t)(long)name, 0, false, 0); + CHECK_RES(res); + /* + * arg2_int + */ + res = val_to_ring(args, (unsigned long)NULL, 0, false, 0); + CHECK_RES(res); break; case PPM_PR_GET_CHILD_SUBREAPER: - int reaper_pid; + /* + * arg2_str + */ + res = val_to_ring(args, 0, 0, false, 0); + CHECK_RES(res); + /* + * arg2_int + */ ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(int)); arg2 = (unsigned long)reaper_pid; + res = val_to_ring(args, arg2, 0, false, 0); + CHECK_RES(res); break; + case PPM_PR_SET_CHILD_SUBREAPER: default: + /* + * arg2_str + */ + res = val_to_ring(args, 0, 0, false, 0); + CHECK_RES(res); + /* + * arg2_int + */ + res = val_to_ring(args, arg2, 0, false, 0); + CHECK_RES(res); break; } - res = val_to_ring(args, arg2, 0, false, 0); - CHECK_RES(res); return add_sentinel(args); } diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h index 8b2eb360c0..ed29e8917e 100644 --- a/driver/ppm_flag_helpers.h +++ b/driver/ppm_flag_helpers.h @@ -23,6 +23,7 @@ or GPL2.txt for full copies of the license. #include #include #include +#include #include "ppm.h" #ifdef __NR_io_uring_register #include 
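Review bot: In the `PPM_PR_GET_CHILD_SUBREAPER` branch the return value of `ppm_copy_from_user` is ignored and `reaper_pid` is declared without an initialiser (`int reaper_pid;` in the first hunk of this file), so when the copy fails the filler may push an indeterminate kernel stack value into the event. The exit event is emitted for failing calls as well (the `prctlX_failure` test relies on that), so a caller passing an unreadable `arg2` reaches this path; whether the helper zeroes its destination on failure is not visible here. I would declare `int reaper_pid = 0;` and guard the copy with `if (ppm_copy_from_user(&reaper_pid, (void __user *)arg2, sizeof(reaper_pid))) reaper_pid = 0;`, assuming the helper returns non-zero on failure as `copy_from_user` does. The unchecked `ppm_strncpy_from_user` in the `PPM_PR_SET_NAME` branch is safe only because `name` is zero-initialised, which deserves a comment. `f_sys_prctl_x` starts before this hunk.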
@@ -2064,5 +2065,56 @@ static __always_inline uint32_t splice_flags_to_scap(uint32_t flags) #define PPM_OVERLAYFS_SUPER_MAGIC 0x794c7630 #endif +static __always_inline u32 prctl_options_to_scap(unsigned long options) +{ + switch(options){ + case PR_GET_DUMPABLE: + return PPM_PR_GET_DUMPABLE; + case PR_SET_DUMPABLE: + return PPM_PR_SET_DUMPABLE; + case PR_GET_KEEPCAPS: + return PPM_PR_GET_KEEPCAPS; + case PR_SET_KEEPCAPS: + return PPM_PR_SET_KEEPCAPS; + case PR_SET_NAME: + return PPM_PR_SET_NAME; + case PR_GET_NAME: + return PPM_PR_GET_NAME; + case PR_GET_SECCOMP: + return PPM_PR_GET_SECCOMP; + case PR_SET_SECCOMP: + return PPM_PR_SET_SECCOMP; + case PR_CAPBSET_READ: + return PPM_PR_CAPBSET_READ; + case PR_CAPBSET_DROP: + return PPM_PR_CAPBSET_DROP; + case PR_GET_SECUREBITS: + return PPM_PR_GET_SECUREBITS; + case PR_SET_SECUREBITS: + return PPM_PR_SET_SECUREBITS; + case PR_MCE_KILL: + return PPM_PR_MCE_KILL; + case PR_SET_MM: + return PPM_PR_SET_MM; + case PR_SET_CHILD_SUBREAPER: + return PPM_PR_SET_CHILD_SUBREAPER; + case PR_GET_CHILD_SUBREAPER: + return PPM_PR_GET_CHILD_SUBREAPER; + case PR_SET_NO_NEW_PRIVS: + return PPM_PR_SET_NO_NEW_PRIVS; + case PR_GET_NO_NEW_PRIVS: + return PPM_PR_GET_NO_NEW_PRIVS; + case PR_GET_TID_ADDRESS: + return PPM_PR_GET_TID_ADDRESS; + case PR_SET_THP_DISABLE: + return PPM_PR_SET_THP_DISABLE; + case PR_GET_THP_DISABLE: + return PPM_PR_GET_THP_DISABLE; + case PR_CAP_AMBIENT: + return PPM_PR_CAP_AMBIENT; + default: + return PPM_PR_UNKNOWN; + } +} #endif /* PPM_FLAG_HELPERS_H_ */ diff --git a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp index 7b2c83b04e..73dcdf53b7 100644 --- a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp 
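Review bot: The `default:` arm of `prctl_options_to_scap` returns `PPM_PR_UNKNOWN` for every option outside the 22 listed cases, so the original option number is dropped from the event and all unmapped prctl requests look identical to anyone writing detection rules on this field. The `prctlX_failure` test added later in this series asserts that parameter 2 equals the raw option it passed (-3), which this mapping would report as 0. If the PPM_PR_* values are meant to mirror the kernel numbers (the two visible ones, 3 and 4, do), consider `default: return (u32)options;`. Otherwise, document above the function that unmapped options are reported as `PPM_PR_UNKNOWN`, and that the `unsigned long` argument is narrowed to `u32`.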
@@ -49,6 +49,7 @@ TEST(SyscallExit, prctlX_set_child_subreaper) FAIL() << "The prctl call is successful while it should fail..." << std::endl; } + /*=============================== TRIGGER SYSCALL ===========================*/ evt_test->disable_capture(); @@ -128,6 +129,7 @@ TEST(SyscallExit, prctlX_set_name) FAIL() << "The prctl call is successful while it should fail..." << std::endl; } + /*=============================== TRIGGER SYSCALL ===========================*/ evt_test->disable_capture(); diff --git a/userspace/libscap/userspace_flag_helpers.h b/userspace/libscap/userspace_flag_helpers.h index a60c579696..a2799e0f79 100644 --- a/userspace/libscap/userspace_flag_helpers.h +++ b/userspace/libscap/userspace_flag_helpers.h @@ -10,6 +10,7 @@ #include #include #include +#include #include #define ASSERT assert From 689c8937bacf635d7725c7024f22192d97de60e3 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 5 Apr 2023 20:48:07 +0000 Subject: [PATCH 11/22] chore(test/drivers): added new prctl tests Signed-off-by: Roberto Scolaro --- .../syscall_enter_suite/prctl_e.cpp | 76 ++++++++++++++++ .../syscall_exit_suite/prctl_x.cpp | 91 +++++++++++++------ 2 files changed, 139 insertions(+), 28 deletions(-) create mode 100644 test/drivers/test_suites/syscall_enter_suite/prctl_e.cpp diff --git a/test/drivers/test_suites/syscall_enter_suite/prctl_e.cpp b/test/drivers/test_suites/syscall_enter_suite/prctl_e.cpp new file mode 100644 index 0000000000..bf7ccf902f --- /dev/null +++ b/test/drivers/test_suites/syscall_enter_suite/prctl_e.cpp 
@@ -0,0 +1,76 @@ +#include "../../event_class/event_class.h" +#include "../../flags/flags_definitions.h" +#include "../../helpers/proc_parsing.h" + +#if defined(__NR_prctl) && defined(__NR_clone3) && defined(__NR_wait4) + +#include + +TEST(SyscallEnter, prctlE) +{ + auto evt_test = get_syscall_event_test(__NR_prctl, ENTER_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + int option = 36; //PR_SET_CHILD_SUBREAPER + unsigned long arg2 = 1; + unsigned long arg3 = 0; + unsigned long arg4 = 0; + unsigned long arg5 = 0; + + /* We need to use `SIGCHLD` otherwise the parent won't receive any signal + * when the child terminates. + */ + struct clone_args cl_args = {0}; + cl_args.exit_signal = SIGCHLD; + pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args)); + assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1); + + if (ret_pid == 0) + { + /* + * Call the `prctl` + */ + int res = syscall(__NR_prctl, option, arg2, arg3, arg4, arg5); + assert_syscall_state(SYSCALL_SUCCESS, "prctl", res,EQUAL,0); + exit(EXIT_SUCCESS); + + } + + /* Catch the child before doing anything else. */ + int status = 0; + int options = 0; + assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1); + + if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0) + { + FAIL() << "The prctl call is successful while it should fail..." << std::endl; + } + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(ret_pid); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + // Here we have no parameters to assert. 
+ + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(0); + +} +#endif diff --git a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp index 73dcdf53b7..6168cb04b3 100644 --- a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp @@ -3,10 +3,11 @@ #include "../../helpers/proc_parsing.h" #if defined(__NR_prctl) && defined(__NR_clone3) && defined(__NR_wait4) - #include +#endif -TEST(SyscallExit, prctlX_set_child_subreaper) +#if defined(__NR_prctl) +TEST(SyscallExit, prctlX_failure) { auto evt_test = get_syscall_event_test(__NR_prctl, EXIT_EVENT); 
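Review bot: The `FAIL()` message in `prctlE`, "The prctl call is successful while it should fail...", says the opposite of what the condition checks. The branch is taken when the child exited with `EXIT_FAILURE` or was killed by a signal, that is, when the call expected to succeed did not. I would reword it along the lines of `FAIL() << "The child running prctl did not exit cleanly..." << std::endl;`. The child also calls `exit(EXIT_SUCCESS)` unconditionally after `assert_syscall_state`, so unless that helper terminates the process on failure (its definition is not visible here) a failed prctl in the child is never reported to the parent. The same message is repeated in the `prctlX_set_child_subreaper` and `prctlX_set_name` tests later in the series.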
@@ -14,46 +15,80 @@ TEST(SyscallExit, prctlX_set_child_subreaper) /*=============================== TRIGGER SYSCALL ===========================*/ - int option = 36; //PR_SET_CHILD_SUBREAPER - unsigned long arg2 = 1337; + int option = 0; + unsigned long arg2 = 0; unsigned long arg3 = 0; unsigned long arg4 = 0; unsigned long arg5 = 0; - /* We need to use `SIGCHLD` otherwise the parent won't receive any signal - * when the child terminates. + /* + * Call the `prctl` */ - struct clone_args cl_args = {0}; - cl_args.exit_signal = SIGCHLD; - pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args)); - assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1); + int res = syscall(__NR_prctl, option, arg2, arg3, arg4, arg5); + assert_syscall_state(SYSCALL_FAILURE, "prctl", res); + int64_t errno_value = -errno; - if (ret_pid == 0) - { - /* - * Call the `prctl` - */ - int res = syscall(__NR_prctl, option, arg2, arg3, arg4, arg5); - assert_syscall_state(SYSCALL_SUCCESS, "prctl", res,EQUAL,0); - exit(EXIT_SUCCESS); + /*=============================== TRIGGER SYSCALL ===========================*/ - } + evt_test->disable_capture(); - /* Catch the child before doing anything else. */ - int status = 0; - int options = 0; - assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1); + evt_test->assert_event_presence(); - if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0) + if(HasFatalFailure()) { - FAIL() << "The prctl call is successful while it should fail..." 
<< std::endl; + return; } + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: option (type: PT_ENUMFLAGS32) */ + evt_test->assert_numeric_param(2, option); //PR_SET_CHILD_SUBREAPER + + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ + evt_test->assert_empty_param(3); + + /* Parameter 4: arg2_int (type: PT_INT64) */ + evt_test->assert_numeric_param(4, (int64_t)arg2); + + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); + +} +#endif + +#if defined(__NR_prctl) && defined(__NR_clone3) && defined(__NR_wait4) +TEST(SyscallExit, prctlX_set_child_subreaper) +{ + auto evt_test = get_syscall_event_test(__NR_prctl, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + //int option = 36; //PR_SET_CHILD_SUBREAPER + int option = 34; //PR_MCE_KILL_GET + unsigned long arg2 = 1337; + unsigned long arg3 = 1; + unsigned long arg4 = 2; + unsigned long arg5 = 3; + + int res = syscall(__NR_prctl, option, arg2, arg3, arg4, arg5); + /*=============================== TRIGGER SYSCALL ===========================*/ evt_test->disable_capture(); - evt_test->assert_event_presence(ret_pid); + evt_test->assert_event_presence(); if(HasFatalFailure()) { @@ -68,10 +103,10 @@ TEST(SyscallExit, prctlX_set_child_subreaper) /* Parameter 1: res (type: PT_ERRNO)*/ - evt_test->assert_numeric_param(1, (uint64_t)0); + evt_test->assert_numeric_param(1, (uint64_t)-22); /* Parameter 2: option (type: PT_ENUMFLAGS32) */ - evt_test->assert_numeric_param(2, option); //PR_SET_CHILD_SUBREAPER + evt_test->assert_numeric_param(2, 0); //PR_SET_CHILD_SUBREAPER /* Parameter 3: arg2_str (type: PT_CHARBUF) */ evt_test->assert_empty_param(3); 
From a5a2ee7fa251b2cf2fd79748503d93a59df4526e Mon Sep 17 00:00:00 2001 From: Roberto Scolaro <39174179+therealbobo@users.noreply.github.com> Date: Tue, 11 Apr 2023 12:41:33 +0200 Subject: [PATCH 12/22] fix(driver/modern_bpf): removed size of variable sized event (PRCTL_X_SIZE) Co-authored-by: Andrea Terzolo Signed-off-by: Roberto Scolaro <39174179+therealbobo@users.noreply.github.com> --- driver/modern_bpf/definitions/events_dimensions.h | 1 - 1 file changed, 1 deletion(-) diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index be44bb32f6..cf2fe13052 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -236,7 +236,6 @@ #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN #define PRCTL_E_SIZE HEADER_LEN -#define PRCTL_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(uint64_t) * 2 + sizeof(int64_t) + 4 * PARAM_LEN /* Generic tracepoints events. */ #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4 From 4043a3ccad6ce9e104380c49ff8607536fd5bf19 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 12 Apr 2023 13:57:05 +0000 Subject: [PATCH 13/22] chore(test/drivers): added new tests Signed-off-by: Roberto Scolaro --- .../syscall_enter_suite/prctl_e.cpp | 44 +---- .../syscall_exit_suite/prctl_x.cpp | 150 +++++++++++++----- 2 files changed, 114 insertions(+), 80 deletions(-) diff --git a/test/drivers/test_suites/syscall_enter_suite/prctl_e.cpp b/test/drivers/test_suites/syscall_enter_suite/prctl_e.cpp index bf7ccf902f..3deb44b83e 100644 --- a/test/drivers/test_suites/syscall_enter_suite/prctl_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/prctl_e.cpp 
@@ -1,59 +1,25 @@ #include "../../event_class/event_class.h" -#include "../../flags/flags_definitions.h" -#include "../../helpers/proc_parsing.h" - -#if defined(__NR_prctl) && defined(__NR_clone3) && defined(__NR_wait4) - -#include - +#if defined(__NR_prctl) TEST(SyscallEnter, prctlE) { auto evt_test = get_syscall_event_test(__NR_prctl, ENTER_EVENT); - evt_test->enable_capture(); /*=============================== TRIGGER SYSCALL ===========================*/ - int option = 36; //PR_SET_CHILD_SUBREAPER - unsigned long arg2 = 1; + int option = -2; + unsigned long arg2 = 0; unsigned long arg3 = 0; unsigned long arg4 = 0; unsigned long arg5 = 0; - /* We need to use `SIGCHLD` otherwise the parent won't receive any signal - * when the child terminates. - */ - struct clone_args cl_args = {0}; - cl_args.exit_signal = SIGCHLD; - pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args)); - assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1); - - if (ret_pid == 0) - { - /* - * Call the `prctl` - */ - int res = syscall(__NR_prctl, option, arg2, arg3, arg4, arg5); - assert_syscall_state(SYSCALL_SUCCESS, "prctl", res,EQUAL,0); - exit(EXIT_SUCCESS); - - } - - /* Catch the child before doing anything else. */ - int status = 0; - int options = 0; - assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1); - - if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0) - { - FAIL() << "The prctl call is successful while it should fail..." << std::endl; - } + assert_syscall_state(SYSCALL_SUCCESS, "prctl", syscall(__NR_prctl, option, arg2, arg3, arg4, arg5)); /*=============================== TRIGGER SYSCALL ===========================*/ evt_test->disable_capture(); - evt_test->assert_event_presence(ret_pid); + evt_test->assert_event_presence(); if(HasFatalFailure()) { 
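Review bot: `int option = -2;` is not a valid prctl option, yet the call is wrapped in `assert_syscall_state(SYSCALL_SUCCESS, "prctl", ...)`, while `prctlX_failure` in this same patch uses `SYSCALL_FAILURE` for the equally invalid option -3. Unless the helper skips the check when no comparison is given (not visible here), this assertion is expected to trip. I would change it to `assert_syscall_state(SYSCALL_FAILURE, "prctl", syscall(__NR_prctl, option, arg2, arg3, arg4, arg5));`. If the invalid option is deliberate, a one-line comment saying why would help, for example `// invalid option on purpose: only the enter event is checked`.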
diff --git a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp index 6168cb04b3..184ee24acf 100644 --- a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp @@ -1,22 +1,19 @@ #include "../../event_class/event_class.h" -#include "../../flags/flags_definitions.h" -#include "../../helpers/proc_parsing.h" #if defined(__NR_prctl) && defined(__NR_clone3) && defined(__NR_wait4) + #include -#endif +#include -#if defined(__NR_prctl) TEST(SyscallExit, prctlX_failure) { auto evt_test = get_syscall_event_test(__NR_prctl, EXIT_EVENT); - evt_test->enable_capture(); /*=============================== TRIGGER SYSCALL ===========================*/ - int option = 0; - unsigned long arg2 = 0; + int option = -3; + unsigned long arg2 = -3; unsigned long arg3 = 0; unsigned long arg4 = 0; unsigned long arg5 = 0; @@ -24,8 +21,8 @@ TEST(SyscallExit, prctlX_failure) /* * Call the `prctl` */ - int res = syscall(__NR_prctl, option, arg2, arg3, arg4, arg5); - assert_syscall_state(SYSCALL_FAILURE, "prctl", res); + + assert_syscall_state(SYSCALL_FAILURE, "prctl", syscall(__NR_prctl, option, arg2, arg3, arg4, arg5)); int64_t errno_value = -errno; /*=============================== TRIGGER SYSCALL ===========================*/ @@ -45,12 +42,11 @@ TEST(SyscallExit, prctlX_failure) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ evt_test->assert_numeric_param(1, (uint64_t)errno_value); /* Parameter 2: option (type: PT_ENUMFLAGS32) */ - evt_test->assert_numeric_param(2, option); //PR_SET_CHILD_SUBREAPER + evt_test->assert_numeric_param(2, (int32_t)option); /* Parameter 3: arg2_str (type: PT_CHARBUF) */ evt_test->assert_empty_param(3); 
@@ -58,15 +54,68 @@ TEST(SyscallExit, prctlX_failure) /* Parameter 4: arg2_int (type: PT_INT64) */ evt_test->assert_numeric_param(4, (int64_t)arg2); - /*=============================== ASSERT PARAMETERS ===========================*/ evt_test->assert_num_params_pushed(4); +} + +TEST(SyscallExit, prctlX_get_child_subreaper) +{ + auto evt_test = get_syscall_event_test(__NR_prctl, EXIT_EVENT); + + // set the subreaper attribute + assert_syscall_state(SYSCALL_SUCCESS, "prctl", syscall(__NR_prctl, PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0), EQUAL, 0); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + int option = PR_GET_CHILD_SUBREAPER; + int arg2 = 0; + unsigned long arg3 = 0; + unsigned long arg4 = 0; + unsigned long arg5 = 0; + + assert_syscall_state(SYSCALL_SUCCESS, "prctl", syscall(__NR_prctl, option, &arg2, arg3, arg4, arg5), EQUAL, 0); + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + // unset the subreaper attribute + assert_syscall_state(SYSCALL_SUCCESS, "prctl", syscall(__NR_prctl, PR_SET_CHILD_SUBREAPER, 0, 0, 0, 0), EQUAL, 0); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)0); + + /* Parameter 2: option (type: PT_ENUMFLAGS32) */ + evt_test->assert_numeric_param(2, PPM_PR_GET_CHILD_SUBREAPER); + + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ + evt_test->assert_empty_param(3); + + /* Parameter 4: arg2_int (type: PT_INT64) */ + evt_test->assert_numeric_param(4, (int64_t)1); + + /*=============================== ASSERT PARAMETERS ===========================*/ + evt_test->assert_num_params_pushed(4); } -#endif -#if defined(__NR_prctl) && defined(__NR_clone3) && 
defined(__NR_wait4) TEST(SyscallExit, prctlX_set_child_subreaper) { auto evt_test = get_syscall_event_test(__NR_prctl, EXIT_EVENT); @@ -75,20 +124,45 @@ TEST(SyscallExit, prctlX_set_child_subreaper) /*=============================== TRIGGER SYSCALL ===========================*/ - //int option = 36; //PR_SET_CHILD_SUBREAPER - int option = 34; //PR_MCE_KILL_GET + int option = PR_SET_CHILD_SUBREAPER; unsigned long arg2 = 1337; - unsigned long arg3 = 1; - unsigned long arg4 = 2; - unsigned long arg5 = 3; + unsigned long arg3 = 0; + unsigned long arg4 = 0; + unsigned long arg5 = 0; + + /* We need to use `SIGCHLD` otherwise the parent won't receive any signal + * when the child terminates. + */ + struct clone_args cl_args = {0}; + cl_args.exit_signal = SIGCHLD; + + pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args)); + if(ret_pid == 0) + { + /* + * Call the `prctl` + */ + assert_syscall_state(SYSCALL_SUCCESS, "prctl", syscall(__NR_prctl, option, arg2, arg3, arg4, arg5), EQUAL, 0); + exit(EXIT_SUCCESS); + } + + assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1); + + /* Catch the child before doing anything else. */ + int status = 0; + int options = 0; - int res = syscall(__NR_prctl, option, arg2, arg3, arg4, arg5); + assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1); + if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0) + { + FAIL() << "The prctl call is successful while it should fail..." << std::endl; + } /*=============================== TRIGGER SYSCALL ===========================*/ evt_test->disable_capture(); - evt_test->assert_event_presence(); + evt_test->assert_event_presence(ret_pid); if(HasFatalFailure()) { 
@@ -101,12 +175,11 @@ TEST(SyscallExit, prctlX_set_child_subreaper) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ - evt_test->assert_numeric_param(1, (uint64_t)-22); + evt_test->assert_numeric_param(1, (uint64_t)0); /* Parameter 2: option (type: PT_ENUMFLAGS32) */ - evt_test->assert_numeric_param(2, 0); //PR_SET_CHILD_SUBREAPER + evt_test->assert_numeric_param(2, PPM_PR_SET_CHILD_SUBREAPER); /* Parameter 3: arg2_str (type: PT_CHARBUF) */ evt_test->assert_empty_param(3); @@ -114,11 +187,9 @@ TEST(SyscallExit, prctlX_set_child_subreaper) /* Parameter 4: arg2_int (type: PT_INT64) */ evt_test->assert_numeric_param(4, (int64_t)arg2); - /*=============================== ASSERT PARAMETERS ===========================*/ evt_test->assert_num_params_pushed(4); - } TEST(SyscallExit, prctlX_set_name) @@ -129,8 +200,8 @@ TEST(SyscallExit, prctlX_set_name) /*=============================== TRIGGER SYSCALL ===========================*/ - const char newname[] = "changedname"; - int option = 15; //PR_SET_NAME + int option = PR_SET_NAME; + const char arg2[] = "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXAB"; unsigned long arg3 = 0; unsigned long arg4 = 0; unsigned long arg5 = 0; 
@@ -140,25 +211,25 @@ TEST(SyscallExit, prctlX_set_name) */ struct clone_args cl_args = {0}; cl_args.exit_signal = SIGCHLD; - pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args)); - assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1); - if (ret_pid == 0) + pid_t ret_pid = syscall(__NR_clone3, &cl_args, sizeof(cl_args)); + if(ret_pid == 0) { /* * Call the `prctl` */ - int res = syscall(__NR_prctl, option, newname, arg3, arg4, arg5); - assert_syscall_state(SYSCALL_SUCCESS, "prctl", res,EQUAL,0); + assert_syscall_state(SYSCALL_SUCCESS, "prctl", syscall(__NR_prctl, option, arg2, arg3, arg4, arg5), EQUAL, 0); exit(EXIT_SUCCESS); - } + assert_syscall_state(SYSCALL_SUCCESS, "clone3", ret_pid, NOT_EQUAL, -1); + /* Catch the child before doing anything else. */ + int status = 0; int options = 0; - assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1); + assert_syscall_state(SYSCALL_SUCCESS, "wait4", syscall(__NR_wait4, ret_pid, &status, options, NULL), NOT_EQUAL, -1); if(__WEXITSTATUS(status) == EXIT_FAILURE || __WIFSIGNALED(status) != 0) { FAIL() << "The prctl call is successful while it should fail..." << std::endl; 
@@ -181,23 +252,20 @@ TEST(SyscallExit, prctlX_set_name) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_ERRNO)*/ evt_test->assert_numeric_param(1, (uint64_t)0); /* Parameter 2: option (type: PT_ENUMFLAGS32) */ - evt_test->assert_numeric_param(2, option); //PR_SET_NAME + evt_test->assert_numeric_param(2, PPM_PR_SET_NAME); /* Parameter 3: arg2_str (type: PT_CHARBUF) */ - evt_test->assert_charbuf_param(3, newname); + evt_test->assert_charbuf_param(3, arg2); /* Parameter 4: arg2_int (type: PT_INT64) */ - evt_test->assert_numeric_param(4, (int64_t)0); - + evt_test->assert_empty_param(4); /*=============================== ASSERT PARAMETERS ===========================*/ evt_test->assert_num_params_pushed(4); - } #endif From 5c36064ef7c20361619d3e5985d97adb454a6a6d Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 12 Apr 2023 13:58:53 +0000 Subject: [PATCH 14/22] fix(driver): major refactor Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 32 ++-- .../definitions/missing_definitions.h | 84 +++++++--- .../syscall_dispatched_events/prctl.bpf.c | 24 ++- driver/ppm_events_public.h | 153 +++++++++++++++--- driver/ppm_fillers.c | 40 ++--- driver/ppm_flag_helpers.h | 51 +----- 6 files changed, 249 insertions(+), 135 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 33c36aba0f..08f663885e 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h 
@@ -7121,60 +7121,58 @@ FILLER(sys_prctl_x, true) retval = bpf_syscall_get_retval(data->ctx); res = bpf_val_to_ring(data, retval); - if (res != PPM_SUCCESS) - return res; + CHECK_RES(res); /* * option */ option = prctl_options_to_scap(bpf_syscall_get_argument(data, 0)); res = bpf_val_to_ring(data, option); - if (res != PPM_SUCCESS) - return res; + CHECK_RES(res); arg2 = bpf_syscall_get_argument(data, 1); switch(option){ + case PPM_PR_GET_NAME: case PPM_PR_SET_NAME: /* * arg2_str */ res = bpf_val_to_ring(data, arg2); - if (res != PPM_SUCCESS) - return res; + CHECK_RES(res); /* * arg2_int */ - res = bpf_val_to_ring(data, 0); - if (res != PPM_SUCCESS) - return res; + res = bpf_push_empty_param(data); + CHECK_RES(res); break; case PPM_PR_GET_CHILD_SUBREAPER: /* * arg2_str */ - res = bpf_val_to_ring(data, 0); - if (res != PPM_SUCCESS) - return res; + res = bpf_push_empty_param(data); + CHECK_RES(res); /* * arg2_int */ bpf_probe_read_user(&arg2_int,sizeof(arg2_int),(void*)arg2); res = bpf_val_to_ring(data, (int)arg2_int); + CHECK_RES(res); break; default: /* * arg2_str */ - res = bpf_val_to_ring(data, arg2); - if (res != PPM_SUCCESS) - return res; + //XXX temporary workaround: the usage of `bpf_push_empty_param` + // breaks the verifies + //res = bpf_push_empty_param(data); + res = bpf_val_to_ring(data, 0); + CHECK_RES(res); /* * arg2_int */ res = bpf_val_to_ring(data, arg2); - if (res != PPM_SUCCESS) - return res; + CHECK_RES(res); break; } diff --git a/driver/modern_bpf/definitions/missing_definitions.h b/driver/modern_bpf/definitions/missing_definitions.h index 8ef6b7d0dc..394f9d18d7 100644 --- a/driver/modern_bpf/definitions/missing_definitions.h +++ b/driver/modern_bpf/definitions/missing_definitions.h 
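Review bot: In the `PPM_PR_GET_CHILD_SUBREAPER` case the filler reads through `arg2` with `bpf_probe_read_user` whatever `retval` was, and it discards the helper's return code. If the call fails while the pointer is still readable, the kernel has not written there, so the event reports the caller's own buffer contents as the subreaper attribute. Reading only on success and pushing 0 otherwise keeps the field tied to kernel state, e.g. `if (retval != 0 || bpf_probe_read_user(&arg2_int, sizeof(arg2_int), (void *)arg2)) arg2_int = 0;`. The same unconditional read is in the prctl.bpf.c hunk and in `f_sys_prctl_x` in ppm_fillers.c. The declaration of `arg2_int` and the start of the filler are outside this hunk, and the workaround comment in the `default` case should read "breaks the verifier".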
@@ -1446,28 +1446,68 @@ /*==================================== PRCTL OPTIONS ================================*/ -#define PR_GET_DUMPABLE 3 -#define PR_SET_DUMPABLE 4 -#define PR_GET_KEEPCAPS 7 -#define PR_SET_KEEPCAPS 8 -#define PR_SET_NAME 15 -#define PR_GET_NAME 16 -#define PR_GET_SECCOMP 21 -#define PR_SET_SECCOMP 22 -#define PR_CAPBSET_READ 23 -#define PR_CAPBSET_DROP 24 -#define PR_GET_SECUREBITS 27 -#define PR_SET_SECUREBITS 28 -#define PR_MCE_KILL 33 -#define PR_SET_MM 35 -#define PR_SET_CHILD_SUBREAPER 36 -#define PR_GET_CHILD_SUBREAPER 37 -#define PR_SET_NO_NEW_PRIVS 38 -#define PR_GET_NO_NEW_PRIVS 39 -#define PR_GET_TID_ADDRESS 40 -#define PR_SET_THP_DISABLE 41 -#define PR_GET_THP_DISABLE 42 -#define PR_CAP_AMBIENT 47 +#define PR_SET_PDEATHSIG 1 +#define PR_GET_PDEATHSIG 2 +#define PR_GET_DUMPABLE 3 +#define PR_SET_DUMPABLE 4 +#define PR_GET_UNALIGN 5 +#define PR_SET_UNALIGN 6 +#define PR_GET_KEEPCAPS 7 +#define PR_SET_KEEPCAPS 8 +#define PR_GET_FPEMU 9 +#define PR_SET_FPEMU 10 +#define PR_GET_FPEXC 11 +#define PR_SET_FPEXC 12 +#define PR_GET_TIMING 13 +#define PR_SET_TIMING 14 +#define PR_SET_NAME 15 +#define PR_GET_NAME 16 +#define PR_GET_ENDIAN 19 +#define PR_SET_ENDIAN 20 +#define PR_GET_SECCOMP 21 +#define PR_SET_SECCOMP 22 +#define PR_CAPBSET_READ 23 +#define PR_CAPBSET_DROP 24 +#define PR_GET_TSC 25 +#define PR_SET_TSC 26 +#define PR_GET_SECUREBITS 27 +#define PR_SET_SECUREBITS 28 +#define PR_SET_TIMERSLACK 29 +#define PR_GET_TIMERSLACK 30 +#define PR_TASK_PERF_EVENTS_DISABLE 31 +#define PR_TASK_PERF_EVENTS_ENABLE 32 +#define PR_MCE_KILL 33 +#define PR_MCE_KILL_GET 34 +#define PR_SET_MM 35 +#define PR_SET_PTRACER 0x59616d61 +#define PR_SET_CHILD_SUBREAPER 36 +#define PR_GET_CHILD_SUBREAPER 37 +#define PR_SET_NO_NEW_PRIVS 38 +#define PR_GET_NO_NEW_PRIVS 39 +#define PR_GET_TID_ADDRESS 40 +#define PR_SET_THP_DISABLE 41 +#define PR_GET_THP_DISABLE 42 +#define PR_MPX_ENABLE_MANAGEMENT 43 +#define PR_MPX_DISABLE_MANAGEMENT 44 +#define PR_SET_FP_MODE 45 
+#define PR_GET_FP_MODE 46 +#define PR_CAP_AMBIENT 47 +#define PR_SVE_SET_VL 50 +#define PR_SVE_GET_VL 51 +#define PR_GET_SPECULATION_CTRL 52 +#define PR_SET_SPECULATION_CTRL 53 +#define PR_PAC_RESET_KEYS 54 +#define PR_SET_TAGGED_ADDR_CTRL 55 +#define PR_GET_TAGGED_ADDR_CTRL 56 +#define PR_SET_IO_FLUSHER 57 +#define PR_GET_IO_FLUSHER 58 +#define PR_SET_SYSCALL_USER_DISPATCH 59 +#define PR_PAC_SET_ENABLED_KEYS 60 +#define PR_PAC_GET_ENABLED_KEYS 61 +#define PR_SCHED_CORE 62 +#define PR_SME_SET_VL 63 +#define PR_SME_GET_VL 64 +#define PR_SET_VMA 0x53564d41 /*==================================== PRCTL OPTIONS ================================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c index 6a9b8301ef..8ba34bbf69 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c @@ -46,12 +46,13 @@ int BPF_PROG(prctl_x, long ret) { struct auxiliary_map *auxmap = auxmap__get(); - u64 reaper_pid; if(!auxmap) { return 0; } + int reaper_attr; + auxmap__preload_event_header(auxmap, PPME_SYSCALL_PRCTL_X); /*=============================== COLLECT PARAMETERS ===========================*/ 
@@ -59,29 +60,36 @@ int BPF_PROG(prctl_x, /* Parameter 1: res (type: PT_ERRNO) */ auxmap__store_s64_param(auxmap, ret); - /* Parameter 2: option (type: PT_UINT64) */ + /* Parameter 2: option (type: PT_ENUMFLAGS32) */ u32 option = (u32)prctl_options_to_scap(extract__syscall_argument(regs, 0)); auxmap__store_u32_param(auxmap, option); unsigned long arg2 = extract__syscall_argument(regs, 1); switch(option){ + case PPM_PR_GET_NAME: case PPM_PR_SET_NAME: /* Parameter 3: arg2_str (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, arg2, 16, USER); + auxmap__store_charbuf_param(auxmap, arg2, MAX_PATH, USER); /* Parameter 4: arg2_int (type: PT_INT64) */ - auxmap__store_s64_param(auxmap, 0); + auxmap__store_empty_param(auxmap); break; case PPM_PR_GET_CHILD_SUBREAPER: /* Parameter 3: arg2_str (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, 0, 0, USER); - bpf_probe_read_user(&reaper_pid, sizeof(reaper_pid), (void*)arg2); + auxmap__store_empty_param(auxmap); + bpf_probe_read_user(&reaper_attr, sizeof(reaper_attr), (void*)arg2); /* Parameter 4: arg2_int (type: PT_INT64) */ - auxmap__store_s64_param(auxmap, (int)reaper_pid); + auxmap__store_s64_param(auxmap, (s64)reaper_attr); + break; + case PPM_PR_SET_CHILD_SUBREAPER: + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ + auxmap__store_empty_param(auxmap); + /* Parameter 4: arg2_int (type: PT_INT64) */ + auxmap__store_s64_param(auxmap, arg2); break; default: /* Parameter 3: arg2_str (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, 0, 0, USER); + auxmap__store_empty_param(auxmap); /* Parameter 4: arg2_int (type: PT_INT64) */ auxmap__store_s64_param(auxmap, arg2); break; diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index bc109d8404..ee9f65e58d 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h 
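Review bot: `auxmap__store_charbuf_param(auxmap, arg2, MAX_PATH, USER)` in the `PPM_PR_GET_NAME`/`PPM_PR_SET_NAME` case records up to MAX_PATH bytes of the caller's buffer, while the kernel keeps only a 16-byte comm for PR_SET_NAME. The arg2_str field can therefore differ from the name the task actually ends up with, which matters to any rule that treats it as the process name. A comment above the call would make this explicit: `/* arg2_str is the caller's buffer as passed; the kernel truncates the applied name to TASK_COMM_LEN */`. Separately, the new `PPM_PR_SET_CHILD_SUBREAPER` case duplicates `default` and could be a fall-through label. The body of `prctl_x` starts and ends outside this hunk.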
@@ -714,54 +714,165 @@ or GPL2.txt for full copies of the license. /* * Prctl flags */ -//XXX take a look at https://github.com/torvalds/linux/blob/master/include/uapi/linux/prctl.h -#define PPM_PR_UNKNOWN 0 +//taken from https://github.com/torvalds/linux/blob/master/include/uapi/linux/prctl.h +/* Values to pass as first argument to prctl() */ +#define PPM_PR_SET_PDEATHSIG 1 /* Second arg is a signal */ +#define PPM_PR_GET_PDEATHSIG 2 /* Second arg is a ptr to return the signal */ /* Get/set current->mm->dumpable */ -#define PPM_PR_GET_DUMPABLE 3 -#define PPM_PR_SET_DUMPABLE 4 +#define PPM_PR_GET_DUMPABLE 3 +#define PPM_PR_SET_DUMPABLE 4 + +/* Get/set unaligned access control bits (if meaningful) */ +#define PPM_PR_GET_UNALIGN 5 +#define PPM_PR_SET_UNALIGN 6 + /* Get/set whether or not to drop capabilities on setuid() away from * uid 0 (as per security/commoncap.c) */ -#define PPM_PR_GET_KEEPCAPS 7 -#define PPM_PR_SET_KEEPCAPS 8 +#define PPM_PR_GET_KEEPCAPS 7 +#define PPM_PR_SET_KEEPCAPS 8 + +/* Get/set floating-point emulation control bits (if meaningful) */ +#define PPM_PR_GET_FPEMU 9 +#define PPM_PR_SET_FPEMU 10 + +/* Get/set floating-point exception mode (if meaningful) */ +#define PPM_PR_GET_FPEXC 11 +#define PPM_PR_SET_FPEXC 12 + +/* Get/set whether we use statistical process timing or accurate timestamp + * based process timing */ +#define PPM_PR_GET_TIMING 13 +#define PPM_PR_SET_TIMING 14 + +#define PPM_PR_SET_NAME 15 /* Set process name */ +#define PPM_PR_GET_NAME 16 /* Get process name */ + +/* Get/set process endian */ +#define PPM_PR_GET_ENDIAN 19 +#define PPM_PR_SET_ENDIAN 20 -#define PPM_PR_SET_NAME 15 /* Set process name */ -#define PPM_PR_GET_NAME 16 /* Get process name */ /* Get/set process seccomp mode */ -#define PPM_PR_GET_SECCOMP 21 -#define PPM_PR_SET_SECCOMP 22 +#define PPM_PR_GET_SECCOMP 21 +#define PPM_PR_SET_SECCOMP 22 + /* Get/set the capability bounding set (as per security/commoncap.c) */ -#define PPM_PR_CAPBSET_READ 23 -#define 
PPM_PR_CAPBSET_DROP 24 +#define PPM_PR_CAPBSET_READ 23 +#define PPM_PR_CAPBSET_DROP 24 + +/* Get/set the process' ability to use the timestamp counter instruction */ +#define PPM_PR_GET_TSC 25 +#define PPM_PR_SET_TSC 26 /* Get/set securebits (as per security/commoncap.c) */ -#define PPM_PR_GET_SECUREBITS 27 -#define PPM_PR_SET_SECUREBITS 28 +#define PPM_PR_GET_SECUREBITS 27 +#define PPM_PR_SET_SECUREBITS 28 + +/* + * Get/set the timerslack as used by poll/select/nanosleep + * A value of 0 means "use default" + */ +#define PPM_PR_SET_TIMERSLACK 29 +#define PPM_PR_GET_TIMERSLACK 30 + +#define PPM_PR_TASK_PERF_EVENTS_DISABLE 31 +#define PPM_PR_TASK_PERF_EVENTS_ENABLE 32 /* * Set early/late kill mode for hwpoison memory corruption. * This influences when the process gets killed on a memory corruption. */ -#define PPM_PR_MCE_KILL 33 +#define PPM_PR_MCE_KILL 33 + + +#define PPM_PR_MCE_KILL_GET 34 /* * Tune up process memory map specifics. */ -#define PPM_PR_SET_MM 35 +#define PPM_PR_SET_MM 35 + +/* + * Set specific pid that is allowed to ptrace the current task. + * A value of 0 mean "no process". + */ +#define PPM_PR_SET_PTRACER 0x59616d61 #define PPM_PR_SET_CHILD_SUBREAPER 36 #define PPM_PR_GET_CHILD_SUBREAPER 37 -#define PPM_PR_SET_NO_NEW_PRIVS 38 -#define PPM_PR_GET_NO_NEW_PRIVS 39 +/* + * If no_new_privs is set, then operations that grant new privileges (i.e. + * execve) will either fail or not grant them. This affects suid/sgid, + * file capabilities, and LSMs. + * + * Operations that merely manipulate or drop existing privileges (setresuid, + * capset, etc.) will still work. Drop those privileges if you want them gone. + * + * Changing LSM security domain is considered a new privilege. So, for example, + * asking selinux for a specific new context (e.g. with runcon) will result + * in execve returning -EPERM. + * + * See Documentation/userspace-api/no_new_privs.rst for more details. 
+ */ +#define PPM_PR_SET_NO_NEW_PRIVS 38 +#define PPM_PR_GET_NO_NEW_PRIVS 39 + +#define PPM_PR_GET_TID_ADDRESS 40 -#define PPM_PR_GET_TID_ADDRESS 40 +#define PPM_PR_SET_THP_DISABLE 41 +#define PPM_PR_GET_THP_DISABLE 42 -#define PPM_PR_SET_THP_DISABLE 41 -#define PPM_PR_GET_THP_DISABLE 42 +/* + * No longer implemented, but left here to ensure the numbers stay reserved: + */ +#define PPM_PR_MPX_ENABLE_MANAGEMENT 43 +#define PPM_PR_MPX_DISABLE_MANAGEMENT 44 + +#define PPM_PR_SET_FP_MODE 45 +#define PPM_PR_GET_FP_MODE 46 /* Control the ambient capability set */ #define PPM_PR_CAP_AMBIENT 47 +/* arm64 Scalable Vector Extension controls */ +/* Flag values must be kept in sync with ptrace NT_ARM_SVE interface */ +#define PPM_PR_SVE_SET_VL 50 /* set task vector length */ +#define PPM_PR_SVE_GET_VL 51 /* get task vector length */ + +/* Per task speculation control */ +#define PPM_PR_GET_SPECULATION_CTRL 52 +#define PPM_PR_SET_SPECULATION_CTRL 53 + +/* Reset arm64 pointer authentication keys */ +#define PPM_PR_PAC_RESET_KEYS 54 + +/* Tagged user address controls for arm64 */ +#define PPM_PR_SET_TAGGED_ADDR_CTRL 55 +#define PPM_PR_GET_TAGGED_ADDR_CTRL 56 + +/* Control reclaim behavior when allocating memory */ +#define PPM_PR_SET_IO_FLUSHER 57 +#define PPM_PR_GET_IO_FLUSHER 58 + +/* Dispatch syscalls to a userspace handler */ +#define PPM_PR_SET_SYSCALL_USER_DISPATCH 59 + +/* Set/get enabled arm64 pointer authentication keys */ +#define PPM_PR_PAC_SET_ENABLED_KEYS 60 +#define PPM_PR_PAC_GET_ENABLED_KEYS 61 + +/* Request the scheduler to share a core */ +#define PPM_PR_SCHED_CORE 62 + +/* arm64 Scalable Matrix Extension controls */ +/* Flag values must be in sync with SVE versions */ +#define PPM_PR_SME_SET_VL 63 /* set task vector length */ +#define PPM_PR_SME_GET_VL 64 /* get task vector length */ +/* Bits common to PR_SME_SET_VL and PR_SME_GET_VL */ + +#define PPM_PR_SET_VMA 0x53564d41 + + /* * SuS says limits have to be unsigned. * Which makes a ton more sense anyway. 
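Review bot: The added comment `/* Bits common to PR_SME_SET_VL and PR_SME_GET_VL */` is followed by no definitions, so it documents nothing in this header. Either drop it or add the `PPM_`-prefixed masks it refers to. The hunk also removes `PPM_PR_UNKNOWN` without a replacement; a one-line comment at the top of the block, such as `/* Values mirror the kernel's PR_* options; there is no "unknown" sentinel */`, would tell consumers that unlisted option values can now appear in events.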
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index c34d301b5b..7e7f958a96 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -7983,10 +7983,9 @@ int f_sys_prctl_x(struct event_filler_arguments *args) { int res; int retval; + char *name = NULL; syscall_arg_t option; syscall_arg_t arg2; - int reaper_pid; - char name[16] = "\0"; /* Parameter 1: res (type: PT_ERRNO) */ retval = (int64_t)syscall_get_return_value(current, args->regs); @@ -8007,40 +8006,45 @@ int f_sys_prctl_x(struct event_filler_arguments *args) syscall_get_arguments_deprecated(current, args->regs, 1, 1, &arg2); switch(option){ + case PPM_PR_GET_NAME: case PPM_PR_SET_NAME: /* * arg2_str */ - ppm_strncpy_from_user(name, (const void __user *)arg2, sizeof(name)); - name[15] = '\0'; + if(likely(ppm_strncpy_from_user(args->str_storage, (const void __user *)arg2, PPM_MAX_PATH_SIZE) >= 0)) + { + name = args->str_storage; + name[PPM_MAX_PATH_SIZE - 1] = '\0'; + } res = val_to_ring(args, (int64_t)(long)name, 0, false, 0); CHECK_RES(res); /* * arg2_int */ - res = val_to_ring(args, (unsigned long)NULL, 0, false, 0); + res = push_empty_param(args); CHECK_RES(res); break; case PPM_PR_GET_CHILD_SUBREAPER: - /* - * arg2_str - */ - res = val_to_ring(args, 0, 0, false, 0); - CHECK_RES(res); - /* - * arg2_int - */ - ppm_copy_from_user(&reaper_pid, (void *)arg2, sizeof(int)); - arg2 = (unsigned long)reaper_pid; - res = val_to_ring(args, arg2, 0, false, 0); - CHECK_RES(res); + { + int reaper_attr = 0; + /* Parameter 3: arg2_str (type: PT_CHARBUF) */ + res = push_empty_param(args); + CHECK_RES(res); + /* Parameter 4: arg2_int (type: PT_INT64) */ + if(unlikely(ppm_copy_from_user(&reaper_attr, (void *)arg2, sizeof(reaper_attr)))) + { + reaper_attr = 0; + } + res = val_to_ring(args, (s64)reaper_attr, 0, false, 0); + CHECK_RES(res); + } break; case PPM_PR_SET_CHILD_SUBREAPER: default: /* * arg2_str */ - res = val_to_ring(args, 0, 0, false, 0); + res = push_empty_param(args); CHECK_RES(res); /* * arg2_int 
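Review bot: The `PPM_PR_GET_CHILD_SUBREAPER` branch passes `(void *)arg2` to `ppm_copy_from_user`, dropping the `__user` annotation that the name branch keeps with `(const void __user *)arg2`. Casting consistently lets sparse keep checking that this user-controlled pointer is never dereferenced directly: `ppm_copy_from_user(&reaper_attr, (const void __user *)arg2, sizeof(reaper_attr))`. In the name branch a failed `ppm_strncpy_from_user` leaves `name` NULL and still hands it to `val_to_ring`, whereas the other empty slots use `push_empty_param`. If `val_to_ring` renders a NULL charbuf differently, the drivers will disagree on arg2_str for faulting pointers, so an explicit `push_empty_param(args)` on that path would be clearer. `f_sys_prctl_x` starts and ends outside this hunk.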
diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h index ed29e8917e..000ca57125 100644 --- a/driver/ppm_flag_helpers.h +++ b/driver/ppm_flag_helpers.h @@ -2065,56 +2065,9 @@ static __always_inline uint32_t splice_flags_to_scap(uint32_t flags) #define PPM_OVERLAYFS_SUPER_MAGIC 0x794c7630 #endif -static __always_inline u32 prctl_options_to_scap(unsigned long options) +static __always_inline u32 prctl_options_to_scap(int options) { - switch(options){ - case PR_GET_DUMPABLE: - return PPM_PR_GET_DUMPABLE; - case PR_SET_DUMPABLE: - return PPM_PR_SET_DUMPABLE; - case PR_GET_KEEPCAPS: - return PPM_PR_GET_KEEPCAPS; - case PR_SET_KEEPCAPS: - return PPM_PR_SET_KEEPCAPS; - case PR_SET_NAME: - return PPM_PR_SET_NAME; - case PR_GET_NAME: - return PPM_PR_GET_NAME; - case PR_GET_SECCOMP: - return PPM_PR_GET_SECCOMP; - case PR_SET_SECCOMP: - return PPM_PR_SET_SECCOMP; - case PR_CAPBSET_READ: - return PPM_PR_CAPBSET_READ; - case PR_CAPBSET_DROP: - return PPM_PR_CAPBSET_DROP; - case PR_GET_SECUREBITS: - return PPM_PR_GET_SECUREBITS; - case PR_SET_SECUREBITS: - return PPM_PR_SET_SECUREBITS; - case PR_MCE_KILL: - return PPM_PR_MCE_KILL; - case PR_SET_MM: - return PPM_PR_SET_MM; - case PR_SET_CHILD_SUBREAPER: - return PPM_PR_SET_CHILD_SUBREAPER; - case PR_GET_CHILD_SUBREAPER: - return PPM_PR_GET_CHILD_SUBREAPER; - case PR_SET_NO_NEW_PRIVS: - return PPM_PR_SET_NO_NEW_PRIVS; - case PR_GET_NO_NEW_PRIVS: - return PPM_PR_GET_NO_NEW_PRIVS; - case PR_GET_TID_ADDRESS: - return PPM_PR_GET_TID_ADDRESS; - case PR_SET_THP_DISABLE: - return PPM_PR_SET_THP_DISABLE; - case PR_GET_THP_DISABLE: - return PPM_PR_GET_THP_DISABLE; - case PR_CAP_AMBIENT: - return PPM_PR_CAP_AMBIENT; - default: - return PPM_PR_UNKNOWN; - } + return (u32)options; } #endif /* PPM_FLAG_HELPERS_H_ */ From e98ad3a7d3008834e9264bd9bd574caccfe92333 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 12 Apr 2023 13:59:39 +0000 Subject: [PATCH 15/22] fix(driver): removed ia32 for prctl 
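Review bot: `prctl_options_to_scap` now returns the raw option, so every `PPM_PR_*` comparison in the fillers depends on the hand-copied values in ppm_events_public.h staying equal to the kernel's `PR_*` values. With the `PPM_PR_UNKNOWN` fallback gone, unrecognised options reach consumers as arbitrary integers. Nothing in the helper says this is deliberate. A comment above it would record the contract: `/* PPM_PR_* mirror the kernel PR_* values one-to-one; unknown options are passed through unchanged */`. The parameter also narrows from `unsigned long` to `int`, so call sites that pass a full syscall argument now truncate implicitly; an explicit `(int)` cast there would show the truncation is intended.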
Signed-off-by: Roberto Scolaro --- driver/syscall_table.c | 783 ----------------------------------------- 1 file changed, 783 deletions(-) diff --git a/driver/syscall_table.c b/driver/syscall_table.c index a7c5381ea3..46a1271452 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c 
@@ -905,790 +905,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #ifdef __NR_s390_pci_mmio_read [__NR_s390_pci_mmio_read - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_S390_PCI_MMIO_READ}, #endif -<<<<<<< HEAD #ifdef __NR_sigsuspend [__NR_sigsuspend - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGSUSPEND}, -======= - [__NR_ia32_poll - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_POLL_E, PPME_SYSCALL_POLL_X, PPM_SC_POLL}, -#ifdef __NR_ia32_select - [__NR_ia32_select - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SELECT_E, PPME_SYSCALL_SELECT_X, PPM_SC_SELECT}, -#endif - [__NR_ia32_lseek - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_LSEEK_E, PPME_SYSCALL_LSEEK_X, PPM_SC_LSEEK}, - [__NR_ia32_ioctl - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_IOCTL_3_E, PPME_SYSCALL_IOCTL_3_X, PPM_SC_IOCTL}, - [__NR_ia32_getcwd - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_GETCWD_E, PPME_SYSCALL_GETCWD_X, PPM_SC_GETCWD}, -#ifdef __NR_ia32_capset - [__NR_ia32_capset - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_CAPSET_E, PPME_SYSCALL_CAPSET_X, PPM_SC_CAPSET}, -#endif - [__NR_ia32_chdir - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CHDIR_E, PPME_SYSCALL_CHDIR_X, PPM_SC_CHDIR}, - [__NR_ia32_fchdir - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FCHDIR_E, PPME_SYSCALL_FCHDIR_X, PPM_SC_FCHDIR}, -#ifdef __NR_ia32_mkdir - [__NR_ia32_mkdir - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MKDIR_2_E, PPME_SYSCALL_MKDIR_2_X, PPM_SC_MKDIR}, -#endif -#ifdef __NR_ia32_rmdir - [__NR_ia32_rmdir - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_RMDIR_2_E, PPME_SYSCALL_RMDIR_2_X, PPM_SC_RMDIR}, -#endif - [__NR_ia32_openat - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPM_SC_OPENAT}, - [__NR_ia32_mkdirat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MKDIRAT_E, PPME_SYSCALL_MKDIRAT_X, PPM_SC_MKDIRAT}, -#ifdef __NR_ia32_link - 
[__NR_ia32_link - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LINK_2_E, PPME_SYSCALL_LINK_2_X, PPM_SC_LINK}, -#endif - [__NR_ia32_linkat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LINKAT_2_E, PPME_SYSCALL_LINKAT_2_X, PPM_SC_LINKAT}, -#ifdef __NR_ia32_unlink - [__NR_ia32_unlink - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UNLINK_2_E, PPME_SYSCALL_UNLINK_2_X, PPM_SC_UNLINK}, -#endif - [__NR_ia32_unlinkat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UNLINKAT_2_E, PPME_SYSCALL_UNLINKAT_2_X, PPM_SC_UNLINKAT}, - [__NR_ia32_pread64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PREAD_E, PPME_SYSCALL_PREAD_X, PPM_SC_PREAD64}, - [__NR_ia32_pwrite64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PWRITE_E, PPME_SYSCALL_PWRITE_X, PPM_SC_PWRITE64}, - [__NR_ia32_readv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_READV_E, PPME_SYSCALL_READV_X, PPM_SC_READV}, - [__NR_ia32_writev - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_WRITEV_E, PPME_SYSCALL_WRITEV_X, PPM_SC_WRITEV}, - [__NR_ia32_preadv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PREADV_E, PPME_SYSCALL_PREADV_X, PPM_SC_PREADV}, - [__NR_ia32_pwritev - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PWRITEV_E, PPME_SYSCALL_PWRITEV_X, PPM_SC_PWRITEV}, - [__NR_ia32_dup - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_DUP_1_E, PPME_SYSCALL_DUP_1_X, PPM_SC_DUP}, -#ifdef __NR_ia32_dup2 - [__NR_ia32_dup2 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_DUP2_E, PPME_SYSCALL_DUP2_X, PPM_SC_DUP2}, -#endif - [__NR_ia32_dup3 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_DUP3_E, PPME_SYSCALL_DUP3_X, PPM_SC_DUP3}, -#ifdef __NR_ia32_signalfd - [__NR_ia32_signalfd - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_SIGNALFD_E, PPME_SYSCALL_SIGNALFD_X, PPM_SC_SIGNALFD}, -#endif -#ifdef __NR_ia32_signalfd4 - [__NR_ia32_signalfd4 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_SIGNALFD4_E, PPME_SYSCALL_SIGNALFD4_X, PPM_SC_SIGNALFD4}, -#endif - [__NR_ia32_kill - 
SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_KILL_E, PPME_SYSCALL_KILL_X, PPM_SC_KILL}, - [__NR_ia32_tkill - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_TKILL_E, PPME_SYSCALL_TKILL_X, PPM_SC_TKILL}, - [__NR_ia32_tgkill - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_TGKILL_E, PPME_SYSCALL_TGKILL_X, PPM_SC_TGKILL}, - [__NR_ia32_nanosleep - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_NANOSLEEP_E, PPME_SYSCALL_NANOSLEEP_X, PPM_SC_NANOSLEEP}, - [__NR_ia32_timerfd_create - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_TIMERFD_CREATE_E, PPME_SYSCALL_TIMERFD_CREATE_X, PPM_SC_TIMERFD_CREATE}, -#ifdef __NR_ia32_inotify_init - [__NR_ia32_inotify_init - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_INOTIFY_INIT_E, PPME_SYSCALL_INOTIFY_INIT_X, PPM_SC_INOTIFY_INIT}, -#endif -#ifdef __NR_ia32_inotify_init1 - [__NR_ia32_inotify_init1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_INOTIFY_INIT1_E, PPME_SYSCALL_INOTIFY_INIT1_X, PPM_SC_INOTIFY_INIT1}, -#endif - [__NR_ia32_fchmodat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHMODAT_E, PPME_SYSCALL_FCHMODAT_X, PPM_SC_FCHMODAT}, - [__NR_ia32_fchmod - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHMOD_E, PPME_SYSCALL_FCHMOD_X, PPM_SC_FCHMOD}, -#ifdef __NR_ia32_getrlimit - [__NR_ia32_getrlimit - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRLIMIT_E, PPME_SYSCALL_GETRLIMIT_X, PPM_SC_GETRLIMIT}, -#endif - [__NR_ia32_setrlimit - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_SETRLIMIT_E, PPME_SYSCALL_SETRLIMIT_X, PPM_SC_SETRLIMIT}, -#ifdef __NR_ia32_prlimit64 - [__NR_ia32_prlimit64 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRLIMIT_E, PPME_SYSCALL_PRLIMIT_X, PPM_SC_PRLIMIT64}, -#endif -#ifdef __NR_ia32_ugetrlimit - [__NR_ia32_ugetrlimit - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRLIMIT_E, PPME_SYSCALL_GETRLIMIT_X, PPM_SC_UGETRLIMIT}, -#endif - [__NR_ia32_fcntl - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCNTL_E, PPME_SYSCALL_FCNTL_X, 
PPM_SC_FCNTL}, -#ifdef __NR_ia32_fcntl64 - [__NR_ia32_fcntl64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCNTL_E, PPME_SYSCALL_FCNTL_X, PPM_SC_FCNTL64}, -#endif -#ifdef __NR_ia32_chmod - [__NR_ia32_chmod - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_CHMOD_E, PPME_SYSCALL_CHMOD_X, PPM_SC_CHMOD}, -#endif - [__NR_ia32_mount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MOUNT_E, PPME_SYSCALL_MOUNT_X, PPM_SC_MOUNT}, -#ifdef __NR_ia32_umount2 - [__NR_ia32_umount2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT2_E, PPME_SYSCALL_UMOUNT2_X, PPM_SC_UMOUNT2}, -#endif - [__NR_ia32_ptrace - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PTRACE_E, PPME_SYSCALL_PTRACE_X, PPM_SC_PTRACE}, - -#ifndef __NR_ia32_socketcall - [__NR_ia32_socket - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPM_SC_SOCKET}, - [__NR_ia32_bind - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPM_SC_BIND}, - [__NR_ia32_connect - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPM_SC_CONNECT}, - [__NR_ia32_listen - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_LISTEN_E, PPME_SOCKET_LISTEN_X, PPM_SC_LISTEN}, - [__NR_ia32_accept - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_ACCEPT_5_E, PPME_SOCKET_ACCEPT_5_X, PPM_SC_ACCEPT}, - [__NR_ia32_getsockname - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SOCKET_GETSOCKNAME_E, PPME_SOCKET_GETSOCKNAME_X, PPM_SC_GETSOCKNAME}, - [__NR_ia32_getpeername - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SOCKET_GETPEERNAME_E, PPME_SOCKET_GETPEERNAME_X, PPM_SC_GETPEERNAME}, - [__NR_ia32_socketpair - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X, PPM_SC_SOCKETPAIR}, - [__NR_ia32_sendto - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPM_SC_SENDTO}, - [__NR_ia32_recvfrom - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPM_SC_RECVFROM}, - 
[__NR_ia32_shutdown - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SHUTDOWN_E, PPME_SOCKET_SHUTDOWN_X, PPM_SC_SHUTDOWN}, - [__NR_ia32_setsockopt - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SOCKET_SETSOCKOPT_E, PPME_SOCKET_SETSOCKOPT_X, PPM_SC_SETSOCKOPT}, - [__NR_ia32_getsockopt - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_GETSOCKOPT_E, PPME_SOCKET_GETSOCKOPT_X, PPM_SC_GETSOCKOPT}, - [__NR_ia32_sendmsg - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SENDMSG_E, PPME_SOCKET_SENDMSG_X, PPM_SC_SENDMSG}, - [__NR_ia32_accept4 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPM_SC_ACCEPT4}, -#else - [__NR_ia32_socketcall - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SOCKETCALL}, -#endif - -#ifdef __NR_ia32_sendmmsg - [__NR_ia32_sendmmsg - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SENDMMSG_E, PPME_SOCKET_SENDMMSG_X, PPM_SC_SENDMMSG}, -#endif -#ifdef __NR_ia32_recvmsg - [__NR_ia32_recvmsg - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPM_SC_RECVMSG}, -#endif -#ifdef __NR_ia32_recvmmsg - [__NR_ia32_recvmmsg - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECVMMSG_E, PPME_SOCKET_RECVMMSG_X, PPM_SC_RECVMMSG}, -#endif -#ifdef __NR_ia32_stat64 - [__NR_ia32_stat64 - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_STAT64_E, PPME_SYSCALL_STAT64_X, PPM_SC_STAT64}, -#endif -#ifdef __NR_ia32_fstat64 - [__NR_ia32_fstat64 - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_FSTAT64_E, PPME_SYSCALL_FSTAT64_X, PPM_SC_FSTAT64}, -#endif -#ifdef __NR_ia32__llseek - [__NR_ia32__llseek - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_LLSEEK_E, PPME_SYSCALL_LLSEEK_X, PPM_SC__LLSEEK}, -#endif -#ifdef __NR_ia32_mmap - [__NR_ia32_mmap - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MMAP_E, PPME_SYSCALL_MMAP_X, PPM_SC_MMAP}, -#endif -#ifdef __NR_ia32_mmap2 - [__NR_ia32_mmap2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MMAP2_E, PPME_SYSCALL_MMAP2_X, PPM_SC_MMAP2}, -#endif - [__NR_ia32_munmap - 
SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_MUNMAP_E, PPME_SYSCALL_MUNMAP_X, PPM_SC_MUNMAP}, - [__NR_ia32_splice - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SPLICE_E, PPME_SYSCALL_SPLICE_X, PPM_SC_SPLICE}, -#ifdef __NR_ia32_rename - [__NR_ia32_rename - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_RENAME_E, PPME_SYSCALL_RENAME_X, PPM_SC_RENAME}, -#endif -#ifdef __NR_ia32_renameat - [__NR_ia32_renameat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_RENAMEAT_E, PPME_SYSCALL_RENAMEAT_X, PPM_SC_RENAMEAT}, -#endif - [__NR_ia32_symlink - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SYMLINK_E, PPME_SYSCALL_SYMLINK_X, PPM_SC_SYMLINK}, - [__NR_ia32_symlinkat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SYMLINKAT_E, PPME_SYSCALL_SYMLINKAT_X, PPM_SC_SYMLINKAT}, - [__NR_ia32_sendfile - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SENDFILE_E, PPME_SYSCALL_SENDFILE_X, PPM_SC_SENDFILE}, -#ifdef __NR_ia32_sendfile64 - [__NR_ia32_sendfile64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SENDFILE_E, PPME_SYSCALL_SENDFILE_X, PPM_SC_SENDFILE64}, -#endif -#ifdef __NR_ia32_quotactl - [__NR_ia32_quotactl - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_QUOTACTL_E, PPME_SYSCALL_QUOTACTL_X, PPM_SC_QUOTACTL}, -#endif -#ifdef __NR_ia32_setresuid - [__NR_ia32_setresuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETRESUID_E, PPME_SYSCALL_SETRESUID_X, PPM_SC_SETRESUID}, -#endif -#ifdef __NR_ia32_setresuid32 - [__NR_ia32_setresuid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETRESUID_E, PPME_SYSCALL_SETRESUID_X, PPM_SC_SETRESUID32}, -#endif -#ifdef __NR_ia32_setresgid - [__NR_ia32_setresgid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETRESGID_E, PPME_SYSCALL_SETRESGID_X, PPM_SC_SETRESGID}, -#endif -#ifdef __NR_ia32_setresgid32 - [__NR_ia32_setresgid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETRESGID_E, PPME_SYSCALL_SETRESGID_X, PPM_SC_SETRESGID32}, -#endif -#ifdef __NR_ia32_setuid - [__NR_ia32_setuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETUID_E, 
PPME_SYSCALL_SETUID_X, PPM_SC_SETUID}, -#endif -#ifdef __NR_ia32_setuid32 - [__NR_ia32_setuid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETUID_E, PPME_SYSCALL_SETUID_X, PPM_SC_SETUID32}, -#endif -#ifdef __NR_ia32_setgid - [__NR_ia32_setgid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETGID_E, PPME_SYSCALL_SETGID_X, PPM_SC_SETGID}, -#endif -#ifdef __NR_ia32_setgid32 - [__NR_ia32_setgid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETGID_E, PPME_SYSCALL_SETGID_X, PPM_SC_SETGID32}, -#endif -#ifdef __NR_ia32_getuid - [__NR_ia32_getuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPM_SC_GETUID}, -#endif -#ifdef __NR_ia32_getuid32 - [__NR_ia32_getuid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPM_SC_GETUID32}, -#endif -#ifdef __NR_ia32_geteuid - [__NR_ia32_geteuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPM_SC_GETEUID}, -#endif -#ifdef __NR_ia32_geteuid32 - [__NR_ia32_geteuid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPM_SC_GETEUID32}, -#endif -#ifdef __NR_ia32_getgid - [__NR_ia32_getgid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPM_SC_GETGID}, -#endif -#ifdef __NR_ia32_getgid32 - [__NR_ia32_getgid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPM_SC_GETGID32}, -#endif -#ifdef __NR_ia32_getegid - [__NR_ia32_getegid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPM_SC_GETEGID}, -#endif -#ifdef __NR_ia32_getegid32 - [__NR_ia32_getegid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPM_SC_GETEGID32}, -#endif -#ifdef __NR_ia32_getresuid - [__NR_ia32_getresuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRESUID_E, PPME_SYSCALL_GETRESUID_X, PPM_SC_GETRESUID}, -#endif -#ifdef __NR_ia32_getresuid32 - [__NR_ia32_getresuid32 - SYSCALL_TABLE_ID0] = {UF_USED, 
PPME_SYSCALL_GETRESUID_E, PPME_SYSCALL_GETRESUID_X, PPM_SC_GETRESUID32}, -#endif -#ifdef __NR_ia32_getresgid - [__NR_ia32_getresgid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRESGID_E, PPME_SYSCALL_GETRESGID_X, PPM_SC_GETRESGID}, -#endif -#ifdef __NR_ia32_getresgid32 - [__NR_ia32_getresgid32 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_GETRESGID_E, PPME_SYSCALL_GETRESGID_X, PPM_SC_GETRESGID32}, -#endif -#ifdef __NR_ia32_getdents - [__NR_ia32_getdents - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_GETDENTS_E, PPME_SYSCALL_GETDENTS_X, PPM_SC_GETDENTS}, -#endif - [__NR_ia32_getdents64 - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_GETDENTS64_E, PPME_SYSCALL_GETDENTS64_X, PPM_SC_GETDENTS64}, -#ifdef __NR_ia32_setns - [__NR_ia32_setns - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETNS_E, PPME_SYSCALL_SETNS_X, PPM_SC_SETNS}, -#endif -#ifdef __NR_ia32_unshare - [__NR_ia32_unshare - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_UNSHARE_E, PPME_SYSCALL_UNSHARE_X, PPM_SC_UNSHARE}, -#endif - [__NR_ia32_flock - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_FLOCK_E, PPME_SYSCALL_FLOCK_X, PPM_SC_FLOCK}, -#ifdef __NR_ia32_semop - [__NR_ia32_semop - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SEMOP_E, PPME_SYSCALL_SEMOP_X, PPM_SC_SEMOP}, -#endif -#ifdef __NR_ia32_semget - [__NR_ia32_semget - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SEMGET_E, PPME_SYSCALL_SEMGET_X, PPM_SC_SEMGET}, -#endif -#ifdef __NR_ia32_semctl - [__NR_ia32_semctl - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SEMCTL_E, PPME_SYSCALL_SEMCTL_X, PPM_SC_SEMCTL}, -#endif - [__NR_ia32_ppoll - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_PPOLL_E, PPME_SYSCALL_PPOLL_X, PPM_SC_PPOLL}, -#ifdef __NR_ia32_access - [__NR_ia32_access - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_ACCESS_E, PPME_SYSCALL_ACCESS_X, PPM_SC_ACCESS}, -#endif -#ifdef __NR_ia32_chroot - 
[__NR_ia32_chroot - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CHROOT_E, PPME_SYSCALL_CHROOT_X, PPM_SC_CHROOT}, -#endif - [__NR_ia32_setsid - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SETSID_E, PPME_SYSCALL_SETSID_X, PPM_SC_SETSID}, - [__NR_ia32_setpgid - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_SETPGID_E, PPME_SYSCALL_SETPGID_X, PPM_SC_SETPGID}, -#ifdef __NR_ia32_bpf - [__NR_ia32_bpf - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_BPF_2_E, PPME_SYSCALL_BPF_2_X, PPM_SC_BPF}, -#endif -#ifdef __NR_ia32_seccomp - [__NR_ia32_seccomp - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SECCOMP_E, PPME_SYSCALL_SECCOMP_X, PPM_SC_SECCOMP}, -#endif -#ifdef __NR_ia32_renameat2 - [__NR_ia32_renameat2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_RENAMEAT2_E, PPME_SYSCALL_RENAMEAT2_X, PPM_SC_RENAMEAT2}, -#endif -#ifdef __NR_ia32_userfaultfd - [__NR_ia32_userfaultfd - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_USERFAULTFD_E, PPME_SYSCALL_USERFAULTFD_X, PPM_SC_USERFAULTFD}, -#endif -#ifdef __NR_ia32_openat2 - [__NR_ia32_openat2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_OPENAT2_E, PPME_SYSCALL_OPENAT2_X, PPM_SC_OPENAT2}, -#endif -#ifdef __NR_ia32_clone3 - [__NR_ia32_clone3 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE3_E, PPME_SYSCALL_CLONE3_X, PPM_SC_CLONE3}, -#endif -#ifdef __NR_ia32_mprotect - [__NR_ia32_mprotect - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MPROTECT_E, PPME_SYSCALL_MPROTECT_X, PPM_SC_MPROTECT}, -#endif -#ifdef __NR_ia32_execveat - [__NR_ia32_execveat - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVEAT_E, PPME_SYSCALL_EXECVEAT_X, PPM_SC_EXECVEAT}, -#endif -#ifdef __NR_ia32_io_uring_setup - [__NR_ia32_io_uring_setup - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_IO_URING_SETUP_E, PPME_SYSCALL_IO_URING_SETUP_X, PPM_SC_IO_URING_SETUP}, -#endif -#ifdef __NR_ia32_io_uring_enter - [__NR_ia32_io_uring_enter - SYSCALL_TABLE_ID0] = {UF_USED, 
PPME_SYSCALL_IO_URING_ENTER_E, PPME_SYSCALL_IO_URING_ENTER_X, PPM_SC_IO_URING_ENTER}, -#endif -#ifdef __NR_ia32_io_uring_register - [__NR_ia32_io_uring_register - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_IO_URING_REGISTER_E, PPME_SYSCALL_IO_URING_REGISTER_X, PPM_SC_IO_URING_REGISTER}, -#endif -#ifdef __NR_ia32_copy_file_range - [__NR_ia32_copy_file_range - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_COPY_FILE_RANGE_E, PPME_SYSCALL_COPY_FILE_RANGE_X, PPM_SC_COPY_FILE_RANGE}, -#endif -#ifdef __NR_ia32_open_by_handle_at - [__NR_ia32_open_by_handle_at - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_OPEN_BY_HANDLE_AT_E, PPME_SYSCALL_OPEN_BY_HANDLE_AT_X, PPM_SC_OPEN_BY_HANDLE_AT}, -#endif -#ifdef __NR_ia32_mlock - [__NR_ia32_mlock - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MLOCK_E, PPME_SYSCALL_MLOCK_X, PPM_SC_MLOCK}, -#endif -#ifdef __NR_ia32_munlock - [__NR_ia32_munlock - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MUNLOCK_E, PPME_SYSCALL_MUNLOCK_X, PPM_SC_MUNLOCK}, -#endif -#ifdef __NR_ia32_mlockall - [__NR_ia32_mlockall - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MLOCKALL_E, PPME_SYSCALL_MLOCKALL_X, PPM_SC_MLOCKALL}, -#endif -#ifdef __NR_ia32_munlockall - [__NR_ia32_munlockall - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MUNLOCKALL_E, PPME_SYSCALL_MUNLOCKALL_X, PPM_SC_MUNLOCKALL}, -#endif -#ifdef __NR_mlock2 - [__NR_ia32_mlock2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MLOCK2_E, PPME_SYSCALL_MLOCK2_X, PPM_SC_MLOCK2}, -#endif -#ifdef __NR_ia32_fsconfig - [__NR_ia32_fsconfig - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FSCONFIG_E, PPME_SYSCALL_FSCONFIG_X, PPM_SC_FSCONFIG}, -#endif -#ifdef __NR_ia32_epoll_create - [__NR_ia32_epoll_create - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE_E, PPME_SYSCALL_EPOLL_CREATE_X, PPM_SC_EPOLL_CREATE}, -#endif -#ifdef __NR_ia32_epoll_create1 - [__NR_ia32_epoll_create1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE1_E, PPME_SYSCALL_EPOLL_CREATE1_X, 
PPM_SC_EPOLL_CREATE1}, -#endif -#ifdef __NR_ia32_lstat64 - [__NR_ia32_lstat64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LSTAT64_E, PPME_SYSCALL_LSTAT64_X, PPM_SC_LSTAT64}, -#endif -#ifdef __NR_ia32_umount - [__NR_ia32_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_1_E, PPME_SYSCALL_UMOUNT_1_X, PPM_SC_UMOUNT}, -#endif -#ifdef __NR_ia32_recv - [__NR_ia32_recv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECV_E, PPME_SOCKET_RECV_X, PPM_SC_RECV}, -#endif -#ifdef __NR_ia32_send - [__NR_ia32_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND}, -#endif - [__NR_ia32_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL }, - [__NR_ia32_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT}, -#ifdef __NR_ia32_time - [__NR_ia32_time - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIME}, -#endif -#ifdef __NR_ia32_mknod - [__NR_ia32_mknod - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MKNOD}, -#endif - [__NR_ia32_getpid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPID}, - [__NR_ia32_sync - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYNC}, - [__NR_ia32_times - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMES}, - [__NR_ia32_acct - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ACCT}, - [__NR_ia32_umask - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UMASK}, -#ifdef __NR_ia32_ustat - [__NR_ia32_ustat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_USTAT}, -#endif - [__NR_ia32_getppid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPPID}, -#ifdef __NR_ia32_getpgrp - [__NR_ia32_getpgrp - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPGRP}, -#endif - [__NR_ia32_sethostname - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETHOSTNAME}, - [__NR_ia32_getrusage - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETRUSAGE}, - [__NR_ia32_gettimeofday - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETTIMEOFDAY}, - [__NR_ia32_settimeofday - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETTIMEOFDAY}, -#ifdef __NR_ia32_readlink - [__NR_ia32_readlink - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_READLINK}, 
-#endif - [__NR_ia32_swapon - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SWAPON}, - [__NR_ia32_reboot - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_REBOOT}, - [__NR_ia32_truncate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TRUNCATE}, - [__NR_ia32_ftruncate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FTRUNCATE}, - [__NR_ia32_getpriority - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_GETPRIORITY}, - [__NR_ia32_setpriority - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SETPRIORITY}, - [__NR_ia32_statfs - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_STATFS}, - [__NR_ia32_fstatfs - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_FSTATFS}, - [__NR_ia32_setitimer - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SETITIMER}, - [__NR_ia32_getitimer - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_GETITIMER}, - [__NR_ia32_uname - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_UNAME}, - [__NR_ia32_vhangup - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_VHANGUP}, - [__NR_ia32_wait4 - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_WAIT4}, - [__NR_ia32_swapoff - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SWAPOFF}, - [__NR_ia32_sysinfo - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SYSINFO}, - [__NR_ia32_fsync - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_FSYNC}, - [__NR_ia32_setdomainname - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SETDOMAINNAME}, - [__NR_ia32_adjtimex - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_ADJTIMEX}, - [__NR_ia32_init_module - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_INIT_MODULE}, - [__NR_ia32_delete_module - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_DELETE_MODULE}, - [__NR_ia32_getpgid - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_GETPGID}, -#ifdef __NR_ia32_sysfs - [__NR_ia32_sysfs - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYSFS}, -#endif - [__NR_ia32_personality - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PERSONALITY}, - [__NR_ia32_msync - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSYNC}, - [__NR_ia32_getsid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETSID}, - [__NR_ia32_fdatasync - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FDATASYNC}, - [__NR_ia32_sched_setscheduler - SYSCALL_TABLE_ID0] = 
{.ppm_sc = PPM_SC_SCHED_SETSCHEDULER}, - [__NR_ia32_sched_getscheduler - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETSCHEDULER}, - [__NR_ia32_sched_yield - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_YIELD}, - [__NR_ia32_sched_get_priority_max - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MAX}, - [__NR_ia32_sched_get_priority_min - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MIN}, - [__NR_ia32_sched_rr_get_interval - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_RR_GET_INTERVAL}, - [__NR_ia32_mremap - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MREMAP}, -#ifdef __NR_ia32_prctl - [__NR_ia32_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL }, -#endif -#ifdef __NR_ia32_arch_prctl - [__NR_ia32_arch_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ARCH_PRCTL}, -#endif - [__NR_ia32_rt_sigaction - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGACTION}, - [__NR_ia32_rt_sigprocmask - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGPROCMASK}, - [__NR_ia32_rt_sigpending - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGPENDING}, - [__NR_ia32_rt_sigtimedwait - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGTIMEDWAIT}, - [__NR_ia32_rt_sigqueueinfo - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGQUEUEINFO}, - [__NR_ia32_rt_sigsuspend - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGSUSPEND}, - [__NR_ia32_capget - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CAPGET}, - - [__NR_ia32_setreuid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETREUID}, - [__NR_ia32_setregid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETREGID}, - [__NR_ia32_getgroups - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETGROUPS}, - [__NR_ia32_setgroups - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETGROUPS}, -#ifdef __NR_ia32_fchown - [__NR_ia32_fchown - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHOWN_E, PPME_SYSCALL_FCHOWN_X, PPM_SC_FCHOWN}, -#endif -#ifdef __NR_ia32_chown - [__NR_ia32_chown - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_CHOWN_E, 
PPME_SYSCALL_CHOWN_X, PPM_SC_CHOWN}, -#endif - [__NR_ia32_setfsuid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETFSUID}, - [__NR_ia32_setfsgid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETFSGID}, - [__NR_ia32_pivot_root - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIVOT_ROOT}, - [__NR_ia32_mincore - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MINCORE}, - [__NR_ia32_madvise - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MADVISE}, - [__NR_ia32_gettid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETTID}, - [__NR_ia32_setxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETXATTR}, - [__NR_ia32_lsetxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LSETXATTR}, - [__NR_ia32_fsetxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSETXATTR}, - [__NR_ia32_getxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETXATTR}, - [__NR_ia32_lgetxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LGETXATTR}, - [__NR_ia32_fgetxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FGETXATTR}, - [__NR_ia32_listxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LISTXATTR}, - [__NR_ia32_llistxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LLISTXATTR}, - [__NR_ia32_flistxattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FLISTXATTR}, - [__NR_ia32_removexattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_REMOVEXATTR}, - [__NR_ia32_lremovexattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LREMOVEXATTR}, - [__NR_ia32_fremovexattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FREMOVEXATTR}, - [__NR_ia32_sched_setaffinity - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_SETAFFINITY}, - [__NR_ia32_sched_getaffinity - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETAFFINITY}, -#ifdef __NR_ia32_set_thread_area - [__NR_ia32_set_thread_area - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_THREAD_AREA}, -#endif -#ifdef __NR_ia32_get_thread_area - [__NR_ia32_get_thread_area - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GET_THREAD_AREA}, -#endif - [__NR_ia32_io_setup - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_SETUP}, - [__NR_ia32_io_destroy - SYSCALL_TABLE_ID0] = {.ppm_sc = 
PPM_SC_IO_DESTROY}, - [__NR_ia32_io_getevents - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_GETEVENTS}, - [__NR_ia32_io_submit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_SUBMIT}, - [__NR_ia32_io_cancel - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_CANCEL}, - [__NR_ia32_exit_group - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT_GROUP}, - [__NR_ia32_remap_file_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_REMAP_FILE_PAGES}, - [__NR_ia32_set_tid_address - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_TID_ADDRESS}, - [__NR_ia32_timer_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_CREATE}, - [__NR_ia32_timer_settime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_SETTIME}, - [__NR_ia32_timer_gettime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_GETTIME}, - [__NR_ia32_timer_getoverrun - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_GETOVERRUN}, - [__NR_ia32_timer_delete - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMER_DELETE}, - [__NR_ia32_clock_settime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_SETTIME}, - [__NR_ia32_clock_gettime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_GETTIME}, - [__NR_ia32_clock_getres - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_GETRES}, - [__NR_ia32_clock_nanosleep - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_NANOSLEEP}, -#ifdef __NR_ia32_utimes - [__NR_ia32_utimes - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UTIMES}, -#endif - [__NR_ia32_mq_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_OPEN}, - [__NR_ia32_mq_unlink - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_UNLINK}, - [__NR_ia32_mq_timedsend - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_TIMEDSEND}, - [__NR_ia32_mq_timedreceive - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_TIMEDRECEIVE}, - [__NR_ia32_mq_notify - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_NOTIFY}, - [__NR_ia32_mq_getsetattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MQ_GETSETATTR}, - [__NR_ia32_kexec_load - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEXEC_LOAD}, - [__NR_ia32_waitid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_WAITID}, 
- [__NR_ia32_add_key - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ADD_KEY}, - [__NR_ia32_request_key - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_REQUEST_KEY}, - [__NR_ia32_keyctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEYCTL}, - [__NR_ia32_ioprio_set - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPRIO_SET}, - [__NR_ia32_ioprio_get - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPRIO_GET}, - [__NR_ia32_inotify_add_watch - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_INOTIFY_ADD_WATCH}, - [__NR_ia32_inotify_rm_watch - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_INOTIFY_RM_WATCH}, - [__NR_ia32_mknodat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MKNODAT}, -#ifdef __NR_ia32_fchownat - [__NR_ia32_fchownat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHOWNAT_E, PPME_SYSCALL_FCHOWNAT_X, PPM_SC_FCHOWNAT}, -#endif -#ifdef __NR_ia32_futimesat - [__NR_ia32_futimesat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FUTIMESAT}, -#endif - [__NR_ia32_readlinkat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_READLINKAT}, - [__NR_ia32_faccessat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FACCESSAT}, - [__NR_ia32_set_robust_list - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_ROBUST_LIST}, - [__NR_ia32_get_robust_list - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GET_ROBUST_LIST}, - [__NR_ia32_tee - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TEE}, - [__NR_ia32_vmsplice - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_VMSPLICE}, -#ifdef __NR_ia32_getcpu - [__NR_ia32_getcpu - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETCPU}, -#endif - [__NR_ia32_epoll_pwait - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_PWAIT}, - [__NR_ia32_utimensat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UTIMENSAT}, - [__NR_ia32_timerfd_settime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMERFD_SETTIME}, - [__NR_ia32_timerfd_gettime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIMERFD_GETTIME}, - [__NR_ia32_rt_tgsigqueueinfo - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_TGSIGQUEUEINFO}, - [__NR_ia32_perf_event_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PERF_EVENT_OPEN}, -#ifdef 
__NR_ia32_fanotify_init - [__NR_ia32_fanotify_init - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FANOTIFY_INIT}, -#endif -#ifdef __NR_ia32_clock_adjtime - [__NR_ia32_clock_adjtime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOCK_ADJTIME}, -#endif -#ifdef __NR_ia32_syncfs - [__NR_ia32_syncfs - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYNCFS}, -#endif -#ifdef __NR_ia32_msgsnd - [__NR_ia32_msgsnd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSGSND}, -#endif -#ifdef __NR_ia32_msgrcv - [__NR_ia32_msgrcv - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSGRCV}, -#endif -#ifdef __NR_ia32_msgget - [__NR_ia32_msgget - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSGGET}, -#endif -#ifdef __NR_ia32_msgctl - [__NR_ia32_msgctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MSGCTL}, -#endif -#ifdef __NR_ia32_shmdt - [__NR_ia32_shmdt - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMDT}, -#endif -#ifdef __NR_ia32_shmget - [__NR_ia32_shmget - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMGET}, -#endif -#ifdef __NR_ia32_shmctl - [__NR_ia32_shmctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMCTL}, -#endif -#ifdef __NR_ia32_statfs64 - [__NR_ia32_statfs64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_STATFS64}, -#endif -#ifdef __NR_ia32_fstatfs64 - [__NR_ia32_fstatfs64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSTATFS64}, -#endif -#ifdef __NR_ia32_fstatat64 - [__NR_ia32_fstatat64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSTATAT64}, -#endif -#ifdef __NR_ia32_bdflush - [__NR_ia32_bdflush - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_BDFLUSH}, -#endif -#ifdef __NR_ia32_sigprocmask - [__NR_ia32_sigprocmask - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGPROCMASK}, -#endif -#ifdef __NR_ia32_ipc - [__NR_ia32_ipc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IPC}, -#endif -#ifdef __NR_ia32__newselect - [__NR_ia32__newselect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC__NEWSELECT}, -#endif -#ifdef __NR_ia32_sgetmask - [__NR_ia32_sgetmask - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SGETMASK}, -#endif -#ifdef __NR_ia32_ssetmask - [__NR_ia32_ssetmask - 
SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SSETMASK}, -#endif -#ifdef __NR_ia32_sigpending - [__NR_ia32_sigpending - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGPENDING}, -#endif -#ifdef __NR_ia32_olduname - [__NR_ia32_olduname - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OLDUNAME}, -#endif -#ifdef __NR_ia32_signal - [__NR_ia32_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGNAL}, -#endif -#ifdef __NR_ia32_nice - [__NR_ia32_nice - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NICE}, -#endif -#ifdef __NR_ia32_stime - [__NR_ia32_stime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_STIME}, -#endif -#ifdef __NR_ia32_waitpid - [__NR_ia32_waitpid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_WAITPID}, -#endif -#ifdef __NR_ia32_shmat - [__NR_ia32_shmat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SHMAT}, -#endif -#ifdef __NR_ia32_rt_sigreturn - [__NR_ia32_rt_sigreturn - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGRETURN}, -#endif -#ifdef __NR_ia32_fallocate - [__NR_ia32_fallocate - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FALLOCATE}, -#endif -#ifdef __NR_ia32_newfstatat - [__NR_ia32_newfstatat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NEWFSTATAT}, -#endif -#ifdef __NR_ia32_finit_module - [__NR_ia32_finit_module - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FINIT_MODULE}, -#endif -#ifdef __NR_ia32_sigaltstack - [__NR_ia32_sigaltstack - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGALTSTACK}, -#endif -#ifdef __NR_ia32_getrandom - [__NR_ia32_getrandom - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETRANDOM}, -#endif -#ifdef __NR_ia32_fadvise64 - [__NR_ia32_fadvise64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FADVISE64}, -#endif -#ifdef __NR_ia32_fspick - [__NR_ia32_fspick - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSPICK}, -#endif -#ifdef __NR_ia32_fsmount - [__NR_ia32_fsmount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSMOUNT}, -#endif -#ifdef __NR_ia32_fsopen - [__NR_ia32_fsopen - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSOPEN}, -#endif -#ifdef __NR_ia32_open_tree - [__NR_ia32_open_tree - SYSCALL_TABLE_ID0] = {.ppm_sc = 
PPM_SC_OPEN_TREE}, -#endif -#ifdef __NR_ia32_move_mount - [__NR_ia32_move_mount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_MOUNT}, -#endif -#ifdef __NR_ia32_mount_setattr - [__NR_ia32_mount_setattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOUNT_SETATTR}, -#endif -#ifdef __NR_ia32_memfd_create - [__NR_ia32_memfd_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_CREATE}, -#endif -#ifdef __NR_ia32_memfd_secret - [__NR_ia32_memfd_secret - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_SECRET}, -#endif -#ifdef __NR_ia32_ioperm - [__NR_ia32_ioperm - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPERM}, -#endif -#ifdef __NR_ia32_kexec_file_load - [__NR_ia32_kexec_file_load - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEXEC_FILE_LOAD}, -#endif -#ifdef __NR_ia32_pidfd_getfd - [__NR_ia32_pidfd_getfd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_GETFD}, -#endif -#ifdef __NR_ia32_pidfd_open - [__NR_ia32_pidfd_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_OPEN}, -#endif -#ifdef __NR_ia32_pidfd_send_signal - [__NR_ia32_pidfd_send_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_SEND_SIGNAL}, -#endif -#ifdef __NR_ia32_pkey_alloc - [__NR_ia32_pkey_alloc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_ALLOC}, -#endif -#ifdef __NR_ia32_pkey_mprotect - [__NR_ia32_pkey_mprotect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_MPROTECT}, -#endif -#ifdef __NR_ia32_pkey_free - [__NR_ia32_pkey_free - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_FREE}, -#endif -#ifdef __NR_ia32_landlock_create_ruleset - [__NR_ia32_landlock_create_ruleset - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_CREATE_RULESET}, -#endif -#ifdef __NR_ia32_quotactl_fd - [__NR_ia32_quotactl_fd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_QUOTACTL_FD}, -#endif -#ifdef __NR_ia32_landlock_restrict_self - [__NR_ia32_landlock_restrict_self - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_RESTRICT_SELF}, -#endif -#ifdef __NR_ia32_landlock_add_rule - [__NR_ia32_landlock_add_rule - SYSCALL_TABLE_ID0] = {.ppm_sc = 
PPM_SC_LANDLOCK_ADD_RULE}, -#endif -#ifdef __NR_ia32_epoll_pwait2 - [__NR_ia32_epoll_pwait2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_PWAIT2}, -#endif -#ifdef __NR_ia32_migrate_pages - [__NR_ia32_migrate_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MIGRATE_PAGES}, -#endif -#ifdef __NR_ia32_move_pages - [__NR_ia32_move_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_PAGES}, -#endif -#ifdef __NR_ia32_preadv2 - [__NR_ia32_preadv2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PREADV2}, -#endif -#ifdef __NR_ia32_pwritev2 - [__NR_ia32_pwritev2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PWRITEV2}, -#endif -#ifdef __NR_ia32_process_madvise - [__NR_ia32_process_madvise - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_MADVISE}, -#endif -#ifdef __NR_ia32_readahead - [__NR_ia32_readahead - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_READAHEAD}, -#endif -#ifdef __NR_ia32_process_mrelease - [__NR_ia32_process_mrelease - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_MRELEASE}, -#endif -#ifdef __NR_ia32_mbind - [__NR_ia32_mbind - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MBIND}, -#endif -#ifdef __NR_ia32_epoll_wait_old - [__NR_ia32_epoll_wait_old - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_WAIT_OLD}, -#endif -#ifdef __NR_ia32_membarrier - [__NR_ia32_membarrier - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMBARRIER}, -#endif -#ifdef __NR_ia32_modify_ldt - [__NR_ia32_modify_ldt - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MODIFY_LDT}, -#endif -#ifdef __NR_ia32_semtimedop - [__NR_ia32_semtimedop - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SEMTIMEDOP}, -#endif -#ifdef __NR_ia32_name_to_handle_at - [__NR_ia32_name_to_handle_at - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NAME_TO_HANDLE_AT}, -#endif -#ifdef __NR_ia32_kcmp - [__NR_ia32_kcmp - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KCMP}, -#endif -#ifdef __NR_ia32_epoll_ctl_old - [__NR_ia32_epoll_ctl_old - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CTL_OLD}, -#endif -#ifdef __NR_ia32_create_module - [__NR_ia32_create_module - SYSCALL_TABLE_ID0] = 
{.ppm_sc = PPM_SC_CREATE_MODULE}, -#endif -#ifdef __NR_ia32_futex_waitv - [__NR_ia32_futex_waitv - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FUTEX_WAITV}, -#endif -#ifdef __NR_ia32_iopl - [__NR_ia32_iopl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPL}, -#endif -#ifdef __NR_ia32__sysctl - [__NR_ia32__sysctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC__SYSCTL}, -#endif -#ifdef __NR_ia32_lookup_dcookie - [__NR_ia32_lookup_dcookie - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LOOKUP_DCOOKIE}, -#endif -#ifdef __NR_ia32_rseq - [__NR_ia32_rseq - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RSEQ}, -#endif -#ifdef __NR_ia32_io_pgetevents - [__NR_ia32_io_pgetevents - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IO_PGETEVENTS}, -#endif -#ifdef __NR_ia32_getpmsg - [__NR_ia32_getpmsg - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPMSG}, -#endif -#ifdef __NR_ia32_sched_setattr - [__NR_ia32_sched_setattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_SETATTR}, -#endif -#ifdef __NR_ia32_get_kernel_syms - [__NR_ia32_get_kernel_syms - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GET_KERNEL_SYMS}, -#endif -#ifdef __NR_ia32_set_mempolicy_home_node - [__NR_ia32_set_mempolicy_home_node - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_MEMPOLICY_HOME_NODE}, -#endif -#ifdef __NR_ia32_close_range - [__NR_ia32_close_range - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CLOSE_RANGE}, -#endif -#ifdef __NR_ia32_get_mempolicy - [__NR_ia32_get_mempolicy - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GET_MEMPOLICY}, -#endif -#ifdef __NR_ia32_sched_getattr - [__NR_ia32_sched_getattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETATTR}, -#endif -#ifdef __NR_ia32_nfsservctl - [__NR_ia32_nfsservctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NFSSERVCTL}, -#endif -#ifdef __NR_ia32_faccessat2 - [__NR_ia32_faccessat2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FACCESSAT2}, -#endif -#ifdef __NR_ia32_sync_file_range - [__NR_ia32_sync_file_range - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYNC_FILE_RANGE}, -#endif -#ifdef __NR_ia32_query_module - 
[__NR_ia32_query_module - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_QUERY_MODULE},
-#endif
-#ifdef __NR_ia32_statx
- [__NR_ia32_statx - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_STATX},
-#endif
-#ifdef __NR_ia32_set_mempolicy
- [__NR_ia32_set_mempolicy - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SET_MEMPOLICY},
-#endif
-#ifdef __NR_ia32_fanotify_mark
- [__NR_ia32_fanotify_mark - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FANOTIFY_MARK},
-#endif
-#ifdef __NR_ia32_sched_setparam
- [__NR_ia32_sched_setparam - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_SETPARAM},
-#endif
-#ifdef __NR_ia32_process_vm_readv
- [__NR_ia32_process_vm_readv - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_VM_READV},
-#endif
-#ifdef __NR_ia32_pause
- [__NR_ia32_pause - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PAUSE},
-#endif
-#ifdef __NR_ia32_epoll_ctl
- [__NR_ia32_epoll_ctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CTL},
-#endif
-#ifdef __NR_ia32_process_vm_writev
- [__NR_ia32_process_vm_writev - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_VM_WRITEV},
-#endif
-#ifdef __NR_ia32_sched_getparam
- [__NR_ia32_sched_getparam - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETPARAM},
-#endif
-#ifdef __NR_ia32_pselect6
- [__NR_ia32_pselect6 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PSELECT6},
-#endif
-#ifdef __NR_ia32_lchown
- [__NR_ia32_lchown - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LCHOWN_E, PPME_SYSCALL_LCHOWN_X, PPM_SC_LCHOWN},
-#endif
-#ifdef __NR_ia32_alarm
- [__NR_ia32_alarm - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ALARM},
-#endif
-#ifdef __NR_ia32_utime
- [__NR_ia32_utime - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UTIME},
-#endif
-#ifdef __NR_ia32_syslog
- [__NR_ia32_syslog - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYSLOG},
-#endif
-#ifdef __NR_ia32_uselib
- [__NR_ia32_uselib - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_USELIB},
->>>>>>> 714a0d84 (chore(driver): prctl cleanup)
 #endif
 };
From 4e2c03329d3d84486a1294956fe72d0d418e09f9 Mon Sep 17 00:00:00 2001
From: Roberto Scolaro
Date: Wed, 12 Apr 2023 14:32:22 +0000
Subject: [PATCH 16/22] fix(userspace/libscap): removed prctl from generic events
Signed-off-by: Roberto Scolaro
---
userspace/libscap/linux/scap_ppm_sc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c
index f84c260184..73663b0998 100644
--- a/userspace/libscap/linux/scap_ppm_sc.c
+++ b/userspace/libscap/linux/scap_ppm_sc.c
@@ -32,8 +32,8 @@ limitations under the License. * NOTE: first 2 lines are automatically bumped by syscalls-bumper. */ static const ppm_sc_code *g_events_to_sc_map[] = { - [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_INIT_MODULE, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_PRCTL, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, 
PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_FINIT_MODULE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_CREATE, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_GETFD, PPM_SC_PIDFD_OPEN, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, 
PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, -1}, - [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_INIT_MODULE, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_PRCTL, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, 
PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, 
PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_FINIT_MODULE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_CREATE, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_GETFD, PPM_SC_PIDFD_OPEN, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, -1}, + [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, 
PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_INIT_MODULE, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, 
PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_FINIT_MODULE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_CREATE, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_GETFD, PPM_SC_PIDFD_OPEN, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, 
PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, -1}, + [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_INIT_MODULE, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, 
PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_FINIT_MODULE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_CREATE, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_GETFD, PPM_SC_PIDFD_OPEN, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, 
PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, -1}, [PPME_SYSCALL_OPEN_E] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_OPEN_X] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_CLOSE_E] = (ppm_sc_code[]){PPM_SC_CLOSE, -1}, From 14dc3450f3ff10a21e4e223d2fe90288ce8ae046 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 12 Apr 2023 14:34:14 +0000 Subject: [PATCH 17/22] fix(driver/modern_bpf): fix func args Signed-off-by: Roberto Scolaro --- .../tail_called/events/syscall_dispatched_events/prctl.bpf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c index 8ba34bbf69..6681313d1a 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c @@ -16,7 +16,7 @@ int BPF_PROG(prctl_e, long id) { struct ringbuf_struct ringbuf; - if(!ringbuf__reserve_space(&ringbuf, PRCTL_E_SIZE)) + if(!ringbuf__reserve_space(&ringbuf, ctx, PRCTL_E_SIZE)) { return 0; } @@ -99,7 +99,7 @@ int BPF_PROG(prctl_x, auxmap__finalize_event_header(auxmap); - auxmap__submit_event(auxmap); + auxmap__submit_event(auxmap, ctx); return 0; } From 18fb68bd53ecc44adfc6c08c6a0fc8feb26b2b8e Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 12 Apr 2023 14:45:31 +0000 Subject: [PATCH 18/22] fix: push 0 instead of empty param Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 2 +- .../tail_called/events/syscall_dispatched_events/prctl.bpf.c | 2 +- driver/ppm_fillers.c | 2 +- test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 08f663885e..9f4f04c1b9 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -7143,7 +7143,7 @@ FILLER(sys_prctl_x, true) /* * arg2_int */ - res = bpf_push_empty_param(data); + res = bpf_val_to_ring(data, 0); CHECK_RES(res); break; case PPM_PR_GET_CHILD_SUBREAPER: diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c index 6681313d1a..5098fb9595 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c 
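Review bot: Pushing a literal 0 for arg2_int in the PR_SET_NAME branch (`res = bpf_val_to_ring(data, 0);`) makes "argument not used by this option" indistinguishable from a real integer argument of 0, and nothing in the hunk says the value is a placeholder. Anyone writing rules on this field would be helped by a comment such as `/* arg2_int: unused for PR_SET_NAME, 0 is a placeholder, not the syscall argument */`. The same replacement is made in prctl.bpf.c (`auxmap__store_s64_param(auxmap, 0)`) and ppm_fillers.c (`val_to_ring(args, 0, 0, false, 0)`), so the comment belongs in all three places. The switch this case sits in starts and ends outside the hunk.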
@@ -72,7 +72,7 @@ int BPF_PROG(prctl_x, /* Parameter 3: arg2_str (type: PT_CHARBUF) */ auxmap__store_charbuf_param(auxmap, arg2, MAX_PATH, USER); /* Parameter 4: arg2_int (type: PT_INT64) */ - auxmap__store_empty_param(auxmap); + auxmap__store_s64_param(auxmap, 0); break; case PPM_PR_GET_CHILD_SUBREAPER: /* Parameter 3: arg2_str (type: PT_CHARBUF) */ diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 7e7f958a96..84155831bb 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -8021,7 +8021,7 @@ int f_sys_prctl_x(struct event_filler_arguments *args) /* * arg2_int */ - res = push_empty_param(args); + res = val_to_ring(args, 0, 0, false, 0); CHECK_RES(res); break; case PPM_PR_GET_CHILD_SUBREAPER: diff --git a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp index 184ee24acf..8e3a9ac26f 100644 --- a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp @@ -262,7 +262,7 @@ TEST(SyscallExit, prctlX_set_name) evt_test->assert_charbuf_param(3, arg2); /* Parameter 4: arg2_int (type: PT_INT64) */ - evt_test->assert_empty_param(4); + evt_test->assert_numeric_param(4, (uint64_t)0); /*=============================== ASSERT PARAMETERS ===========================*/ From 0b1d68483b42f087a5e82f5b0e0dc3fa72f5efdd Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 12 Apr 2023 16:51:20 +0000 Subject: [PATCH 19/22] fix(driver): removed useless code Signed-off-by: Roberto Scolaro --- driver/ppm_fillers.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 84155831bb..0441923c6d 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -7983,7 +7983,6 @@ int f_sys_prctl_x(struct event_filler_arguments *args) { int res; int retval; - char *name = NULL; syscall_arg_t option; syscall_arg_t arg2; 
@@ -8011,12 +8010,7 @@ int f_sys_prctl_x(struct event_filler_arguments *args) /* * arg2_str */ - if(likely(ppm_strncpy_from_user(args->str_storage, (const void __user *)arg2, PPM_MAX_PATH_SIZE) >= 0)) - { - name = args->str_storage; - name[PPM_MAX_PATH_SIZE - 1] = '\0'; - } - res = val_to_ring(args, (int64_t)(long)name, 0, false, 0); + res = val_to_ring(args, arg2, 0, true, 0); CHECK_RES(res); /* * arg2_int From ca5636fe67f5bc705abb5e0b15648064502b75e5 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 12 Apr 2023 16:51:54 +0000 Subject: [PATCH 20/22] chrore(driver): bumped SYSCALL_EVENTS_NUM Signed-off-by: Roberto Scolaro --- driver/event_stats.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/driver/event_stats.h b/driver/event_stats.h index 627f5f7b91..3995e4820c 100644 --- a/driver/event_stats.h +++ b/driver/event_stats.h @@ -1,7 +1,7 @@ #pragma once /* These numbers must be updated when we add new events in the event table */ -#define SYSCALL_EVENTS_NUM 354 +#define SYSCALL_EVENTS_NUM 356 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 19 #define PLUGIN_EVENTS_NUM 1 From d97d3ea872e1327dbdf65d2d7f4292871639aca6 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Wed, 12 Apr 2023 16:52:43 +0000 Subject: [PATCH 21/22] fix(test/drivers): wrong cast fix Signed-off-by: Roberto Scolaro --- test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp index 8e3a9ac26f..d78fa8f9db 100644 --- a/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/prctl_x.cpp 
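Review bot: With `res = val_to_ring(args, arg2, 0, true, 0);` the PR_SET_NAME branch of f_sys_prctl_x records arg2_str by reading the caller's buffer when the exit event is filled, not the name the kernel actually stored. The two can differ: the kernel keeps only a TASK_COMM_LEN-sized name, and the buffer stays writable by the process until it is read here, so detections keyed on this field should treat it as caller-supplied data. A comment on the line would make that explicit, e.g. `/* arg2_str: read from user memory at exit; may not match the comm that was applied */`. How val_to_ring reports a faulting pointer is not visible in this hunk, and the removed code fell back to a NULL name in that case, so it is worth confirming the new call keeps that behaviour. The function begins and ends outside the hunk.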
@@ -262,7 +262,7 @@ TEST(SyscallExit, prctlX_set_name) evt_test->assert_charbuf_param(3, arg2); /* Parameter 4: arg2_int (type: PT_INT64) */ - evt_test->assert_numeric_param(4, (uint64_t)0); + evt_test->assert_numeric_param(4, (int64_t)0); /*=============================== ASSERT PARAMETERS ===========================*/ From 751504501c52f7cd0e7caee9432a77e045325098 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Thu, 13 Apr 2023 08:46:43 +0000 Subject: [PATCH 22/22] fix(driver/bpf): fix ebpf verifier issue Co-authored-by: Federico Di Pierro Signed-off-by: Roberto Scolaro --- driver/bpf/filler_helpers.h | 4 ++-- driver/bpf/fillers.h | 6 ++---- .../events/syscall_dispatched_events/prctl.bpf.c | 5 ----- driver/syscall_table.c | 6 +++--- userspace/libsinsp/events/sinsp_events_ppm_sc.cpp | 1 + .../test/public_sinsp_API/interesting_syscalls.cpp | 12 ++++++------ .../libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp | 3 +++ 7 files changed, 17 insertions(+), 20 deletions(-) diff --git a/driver/bpf/filler_helpers.h b/driver/bpf/filler_helpers.h index aaaabd18df..241daae1e2 100644 --- a/driver/bpf/filler_helpers.h +++ b/driver/bpf/filler_helpers.h @@ -1075,8 +1075,8 @@ static __always_inline int bpf_push_empty_param(struct filler_data *data) fixup_evt_arg_len(data->buf, data->state->tail_ctx.curarg, 0); data->curarg_already_on_frame = false; - /* We increment the current argument */ - ++data->state->tail_ctx.curarg; + /* We increment the current argument - to make verifier happy, properly check it against u32 max */ + data->state->tail_ctx.curarg = (data->state->tail_ctx.curarg + 1) & (PPM_MAX_EVENT_PARAMS - 1); return PPM_SUCCESS; } diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 9f4f04c1b9..2174227a1b 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h 
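Review bot: The masked increment `(curarg + 1) & (PPM_MAX_EVENT_PARAMS - 1)` in bpf_push_empty_param bounds the index only if PPM_MAX_EVENT_PARAMS is a power of two, and the new comment ("properly check it against u32 max") describes a check the code does not perform. The definition of the constant is not in this hunk, so I would pin the assumption next to the use: `_Static_assert((PPM_MAX_EVENT_PARAMS & (PPM_MAX_EVENT_PARAMS - 1)) == 0, "mask needs a power-of-two limit");`. The comment could read `/* Advance curarg; the mask keeps it below PPM_MAX_EVENT_PARAMS so the verifier can bound the index */`. An overflow now also wraps silently to a lower slot instead of failing, which deserves a mention in that comment. The function's opening lines are outside the hunk.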
@@ -7159,14 +7159,12 @@ FILLER(sys_prctl_x, true)
 res = bpf_val_to_ring(data, (int)arg2_int);
 CHECK_RES(res);
 break;
+ case PPM_PR_SET_CHILD_SUBREAPER:
 default:
 /*
 * arg2_str
 */
- //XXX temporary workaround: the usage of `bpf_push_empty_param`
- // breaks the verifies
- //res = bpf_push_empty_param(data);
- res = bpf_val_to_ring(data, 0);
+ res = bpf_push_empty_param(data);
 CHECK_RES(res);
 /*
 * arg2_int
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
index 5098fb9595..7b4c227dcb 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
@@ -82,11 +82,6 @@ int BPF_PROG(prctl_x,
 auxmap__store_s64_param(auxmap, (s64)reaper_attr);
 break;
 case PPM_PR_SET_CHILD_SUBREAPER:
- /* Parameter 3: arg2_str (type: PT_CHARBUF) */
- auxmap__store_empty_param(auxmap);
- /* Parameter 4: arg2_int (type: PT_INT64) */
- auxmap__store_s64_param(auxmap, arg2);
- break;
 default:
 /* Parameter 3: arg2_str (type: PT_CHARBUF) */
 auxmap__store_empty_param(auxmap);
diff --git a/driver/syscall_table.c b/driver/syscall_table.c
index 46a1271452..8f4e9de39a 100644
--- a/driver/syscall_table.c
+++ b/driver/syscall_table.c
@@ -396,6 +396,9 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_send
 [__NR_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND},
+#endif
+#ifdef __NR_prctl
+ [__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL },
 #endif
 [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
 [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
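Review bot: `case PPM_PR_SET_CHILD_SUBREAPER:` placed directly on top of `default:` in FILLER(sys_prctl_x) has no effect on control flow, so a reader cannot tell whether the label is a deliberate reminder or a leftover. A short comment would settle it, e.g. `/* PR_SET_CHILD_SUBREAPER: arg2 is a plain integer, handled like the generic case */`. The same bare label is what remains in prctl.bpf.c after its dedicated body is removed (hunk at -82,11), so the comment applies there too. The default branch continues past the end of this hunk, so what is pushed for arg2_int is not visible here.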
@@ -459,9 +462,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_sched_get_priority_min - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MIN}, [__NR_sched_rr_get_interval - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_RR_GET_INTERVAL}, [__NR_mremap - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MREMAP}, -#ifdef __NR_prctl - [__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL }, -#endif #ifdef __NR_arch_prctl [__NR_arch_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ARCH_PRCTL}, #endif diff --git a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp index 75b6e102b2..200285a9df 100644 --- a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp +++ b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp @@ -392,6 +392,7 @@ libsinsp::events::set libsinsp::events::sinsp_repair_state_sc_set(c PPM_SC_SETSID, PPM_SC_SETUID, PPM_SC_SETUID32, + PPM_SC_PRCTL, }; if ((flags & PPM_REPAIR_STATE_SC_NETWORK_BASE)) diff --git a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp index 1faf9dcbec..e2337a841f 100644 --- a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp +++ b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp @@ -174,7 +174,7 @@ TEST(filter_ppm_codes, check_sinsp_repair_state_sc_set) truth = libsinsp::events::event_names_to_sc_set({ "capset", "chdir", "chroot", "clone", "clone3", "execve", "execveat", "fchdir", "fork", "procexit", "setgid", "setgid32", "setpgid", "setresgid", "setresgid32", "setresuid", "setresuid32", "setsid", - "setuid", "setuid32", "vfork"}); + "setuid", "setuid32", "vfork", "prctl"}); input_sc_set = libsinsp::events::event_names_to_sc_set({"execve", "execveat"}); sc_set = sinsp_repair_state_sc_set(input_sc_set); ASSERT_PPM_SC_CODES_EQ(truth, sc_set); 
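Review bot: `PPM_SC_PRCTL` is added to the repair-state set in sinsp_repair_state_sc_set without a word on which piece of sinsp state depends on it, and it is appended after the `PPM_SC_SET*` group rather than placed with related entries. A trailing comment would help the next person deciding whether the entry can be dropped, e.g. `PPM_SC_PRCTL, /* PR_SET_NAME and child-subreaper options change thread info */`; that reason is inferred from the options handled elsewhere in this series, so please confirm it. Since syscall_table.c marks prctl `UF_NEVER_DROP`, every configuration that requests state repair will now also carry all prctl events, which is worth measuring on busy hosts. The initializer list starts outside the hunk.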
@@ -182,7 +182,7 @@ TEST(filter_ppm_codes, check_sinsp_repair_state_sc_set) truth = libsinsp::events::event_names_to_sc_set({ "accept", "accept4", "bind", "capset", "chdir", "chroot", "clone", "clone3", "close", "connect", "execve", "execveat", "fchdir", "fork", "getsockopt", "procexit", "setgid", "setgid32", "setpgid", "setresgid", "setresgid32", - "setresuid", "setresuid32", "setsid", "setuid", "setuid32", "socket", "vfork"}); + "setresuid", "setresuid32", "setsid", "setuid", "setuid32", "socket", "vfork", "prctl"}); input_sc_set = libsinsp::events::event_names_to_sc_set({"execve", "execveat", "connect", "accept", "accept4"}); sc_set = sinsp_repair_state_sc_set(input_sc_set); ASSERT_PPM_SC_CODES_EQ(truth, sc_set); @@ -190,7 +190,7 @@ TEST(filter_ppm_codes, check_sinsp_repair_state_sc_set) truth = libsinsp::events::event_names_to_sc_set({ "capset", "chdir", "chroot", "clone", "clone3", "close", "connect", "execve", "execveat", "fchdir", "fork", "getsockopt", "procexit", "setgid", "setgid32", "setpgid", "setresgid", "setresgid32", - "setresuid", "setresuid32", "setsid", "setuid", "setuid32", "socket", "vfork"}); + "setresuid", "setresuid32", "setsid", "setuid", "setuid32", "socket", "vfork", "prctl"}); input_sc_set = libsinsp::events::event_names_to_sc_set({"execve", "execveat", "connect"}); sc_set = sinsp_repair_state_sc_set(input_sc_set); ASSERT_PPM_SC_CODES_EQ(truth, sc_set); 
@@ -198,7 +198,7 @@ TEST(filter_ppm_codes, check_sinsp_repair_state_sc_set) truth = libsinsp::events::event_names_to_sc_set({ "accept", "accept4", "bind", "capset", "chdir", "chroot", "clone", "clone3", "close", "execve", "execveat", "fchdir", "fork", "getsockopt", "procexit", "setgid", "setgid32", "setpgid", "setresgid", "setresgid32", - "setresuid", "setresuid32", "setsid", "setuid", "setuid32", "socket", "vfork"}); + "setresuid", "setresuid32", "setsid", "setuid", "setuid32", "socket", "vfork", "prctl"}); input_sc_set = libsinsp::events::event_names_to_sc_set({"execve", "accept", "accept4"}); sc_set = sinsp_repair_state_sc_set(input_sc_set); ASSERT_PPM_SC_CODES_EQ(truth, sc_set); @@ -206,7 +206,7 @@ TEST(filter_ppm_codes, check_sinsp_repair_state_sc_set) truth = libsinsp::events::event_names_to_sc_set({ "capset", "chdir", "chroot", "clone", "clone3", "execve", "execveat", "fchdir", "fork", "procexit", "setgid", "setgid32", "setpgid", "setresgid", "setresgid32", "setresuid", "setresuid32", "setsid", - "setuid", "setuid32", "vfork"}); + "setuid", "setuid32", "vfork", "prctl"}); input_sc_set = libsinsp::events::event_names_to_sc_set({"execve", "execveat"}); sc_set = sinsp_repair_state_sc_set(input_sc_set); ASSERT_PPM_SC_CODES_EQ(truth, sc_set); @@ -214,7 +214,7 @@ TEST(filter_ppm_codes, check_sinsp_repair_state_sc_set) truth = libsinsp::events::event_names_to_sc_set({ "capset", "chdir", "chroot", "clone", "clone3", "close", "execve", "execveat", "fchdir", "fork", "open", "openat", "openat2", "procexit", "setgid", "setgid32", "setpgid", "setresgid", "setresgid32", - "setresuid", "setresuid32", "setsid", "setuid", "setuid32", "vfork"}); + "setresuid", "setresuid32", "setsid", "setuid", "setuid32", "vfork", "prctl"}); input_sc_set = libsinsp::events::event_names_to_sc_set({"open", "openat", "openat2"}); sc_set = sinsp_repair_state_sc_set(input_sc_set); ASSERT_PPM_SC_CODES_EQ(truth, sc_set); 
diff --git a/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp b/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
index 115b744475..62278f7f47 100644
--- a/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
+++ b/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
@@ -202,6 +202,8 @@ const libsinsp::events::set expected_sinsp_state_event_set = {
 PPME_SYSCALL_EVENTFD2_X,
 PPME_SYSCALL_SIGNALFD4_E,
 PPME_SYSCALL_SIGNALFD4_X,
+ PPME_SYSCALL_PRCTL_E,
+ PPME_SYSCALL_PRCTL_X,
 };
 
 const libsinsp::events::set expected_sinsp_state_sc_set = {
@@ -267,6 +269,7 @@ const libsinsp::events::set expected_sinsp_state_sc_set = {
 PPM_SC_EPOLL_CREATE,
 PPM_SC_EPOLL_CREATE1,
 PPM_SC_SCHED_PROCESS_EXIT,
+ PPM_SC_PRCTL,
 };
 
 const libsinsp::events::set expected_unknown_event_set = {