new(driver): support for prctl syscall

driver/bpf/filler_helpers.h

@@ -1075,8 +1075,8 @@ static __always_inline int bpf_push_empty_param(struct filler_data *data)
 	fixup_evt_arg_len(data->buf, data->state->tail_ctx.curarg, 0);
 	data->curarg_already_on_frame = false;
 
-	/* We increment the current argument */
-	++data->state->tail_ctx.curarg;
+	 /* We increment the current argument - to make verifier happy, properly check it against u32 max */
+	data->state->tail_ctx.curarg = (data->state->tail_ctx.curarg + 1) & (PPM_MAX_EVENT_PARAMS - 1);
 	return PPM_SUCCESS;
 }
 

driver/bpf/fillers.h

@@ -7111,4 +7111,70 @@ FILLER(sched_prog_fork_3, false)
 }
 #endif
 
+FILLER(sys_prctl_x, true)
+{
+	unsigned long option;
+	unsigned long arg2;
+	unsigned long arg2_int;
+	int res;
+	long retval;
+
+	retval = bpf_syscall_get_retval(data->ctx);
+	res = bpf_val_to_ring(data, retval);
+	CHECK_RES(res);
+
+	/*
+	 * option
+	 */
+	option = prctl_options_to_scap(bpf_syscall_get_argument(data, 0));
+	res = bpf_val_to_ring(data, option);
+	CHECK_RES(res);
+
+	arg2 = bpf_syscall_get_argument(data, 1);
+
+	switch(option){
+		case PPM_PR_GET_NAME:
+		case PPM_PR_SET_NAME:
+			/*
+			 * arg2_str
+			 */
+			res = bpf_val_to_ring(data, arg2);
+			CHECK_RES(res);
+			/*
+			 * arg2_int
+			 */
+			res = bpf_val_to_ring(data, 0);
+			CHECK_RES(res);
+			break;
+		case PPM_PR_GET_CHILD_SUBREAPER:
+			/*
+			 * arg2_str
+			 */
+			res = bpf_push_empty_param(data);
+			CHECK_RES(res);
+			/*
+			 * arg2_int
+			 */
+			bpf_probe_read_user(&arg2_int,sizeof(arg2_int),(void*)arg2);
+			res = bpf_val_to_ring(data, (int)arg2_int);
+			CHECK_RES(res);
+			break;
+		case PPM_PR_SET_CHILD_SUBREAPER:
+		default:
+			/*
+			 * arg2_str
+			 */
+			res = bpf_push_empty_param(data);
+			CHECK_RES(res);
+			/*
+			 * arg2_int
+			 */
+			res = bpf_val_to_ring(data, arg2);
+			CHECK_RES(res);
+			break;
+	}
+
+	return res;
+}
+
 #endif

driver/event_stats.h

@@ -1,7 +1,7 @@
 #pragma once
 
 /* These numbers must be updated when we add new events in the event table */
-#define SYSCALL_EVENTS_NUM 354
+#define SYSCALL_EVENTS_NUM 356
 #define TRACEPOINT_EVENTS_NUM 6
 #define METAEVENTS_NUM 19
 #define PLUGIN_EVENTS_NUM 1

driver/event_table.c

@@ -449,6 +449,8 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_EVENTFD2_X] = {"eventfd2", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"flags", PT_FLAGS16, PF_HEX, file_flags} } },
 	[PPME_SYSCALL_SIGNALFD4_E] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"mask", PT_UINT32, PF_HEX}}},
 	[PPME_SYSCALL_SIGNALFD4_X] = {"signalfd4", EC_SIGNAL | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC},  {"flags", PT_FLAGS16, PF_HEX}}},
+	[PPME_SYSCALL_PRCTL_E] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0 },
+	[PPME_SYSCALL_PRCTL_X] = {"prctl", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"option", PT_ENUMFLAGS32, PF_DEC, prctl_options}, {"arg2_str", PT_CHARBUF, PF_NA}, {"arg2_int", PT_INT64, PF_DEC} } },
 };
 
 // This code is compiled on windows and osx too!

driver/fillers_table.c

@@ -336,4 +336,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_EVENTFD2_X] = {FILLER_REF(sys_eventfd2_x)},
 	[PPME_SYSCALL_SIGNALFD4_E] = {FILLER_REF(sys_signalfd4_e)},
 	[PPME_SYSCALL_SIGNALFD4_X] = {FILLER_REF(sys_signalfd4_x)},
+	[PPME_SYSCALL_PRCTL_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_PRCTL_X] = {FILLER_REF(sys_prctl_x)},
 };

driver/flags_table.c

@@ -650,3 +650,30 @@ const struct ppm_name_value machine_info_flags[] = {
 	{"BPF_STATS_ENABLED", PPM_BPF_STATS_ENABLED},
 	{0, 0},
 };
+
+const struct ppm_name_value prctl_options[] = {
+	{"PR_GET_DUMPABLE",PPM_PR_GET_DUMPABLE},
+	{"PR_SET_DUMPABLE",PPM_PR_SET_DUMPABLE},
+	{"PR_GET_KEEPCAPS",PPM_PR_GET_KEEPCAPS},
+	{"PR_SET_KEEPCAPS",PPM_PR_SET_KEEPCAPS},
+	{"PR_SET_NAME",PPM_PR_SET_NAME},
+	{"PR_GET_NAME",PPM_PR_GET_NAME},
+	{"PR_GET_SECCOMP",PPM_PR_GET_SECCOMP},
+	{"PR_SET_SECCOMP",PPM_PR_SET_SECCOMP},
+	{"PR_CAPBSET_READ",PPM_PR_CAPBSET_READ},
+	{"PR_CAPBSET_DROP",PPM_PR_CAPBSET_DROP},
+	{"PR_GET_SECUREBITS",PPM_PR_GET_SECUREBITS},
+	{"PR_SET_SECUREBITS",PPM_PR_SET_SECUREBITS},
+	{"PR_MCE_KILL",PPM_PR_MCE_KILL},
+	{"PR_MCE_KILL",PPM_PR_MCE_KILL},
+	{"PR_SET_MM",PPM_PR_SET_MM},
+	{"PR_SET_CHILD_SUBREAPER",PPM_PR_SET_CHILD_SUBREAPER},
+	{"PR_GET_CHILD_SUBREAPER",PPM_PR_GET_CHILD_SUBREAPER},
+	{"PR_SET_NO_NEW_PRIVS",PPM_PR_SET_NO_NEW_PRIVS},
+	{"PR_GET_NO_NEW_PRIVS",PPM_PR_GET_NO_NEW_PRIVS},
+	{"PR_GET_TID_ADDRESS",PPM_PR_GET_TID_ADDRESS},
+	{"PR_SET_THP_DISABLE",PPM_PR_SET_THP_DISABLE},
+	{"PR_GET_THP_DISABLE",PPM_PR_GET_THP_DISABLE},
+	{"PR_CAP_AMBIENT",PPM_PR_CAP_AMBIENT},
+	{0, 0},
+};

driver/modern_bpf/definitions/events_dimensions.h

@@ -235,6 +235,7 @@
 #define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
 #define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN
 #define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
+#define PRCTL_E_SIZE HEADER_LEN
 
 /* Generic tracepoints events. */
 #define PROC_EXIT_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) * 2 + PARAM_LEN * 4

driver/modern_bpf/definitions/missing_definitions.h

@@ -1444,4 +1444,72 @@
 
 /*=============================== OPENED FILE DESCRIPTORS ===========================*/
 
+/*==================================== PRCTL OPTIONS ================================*/
+
+#define PR_SET_PDEATHSIG  1
+#define PR_GET_PDEATHSIG  2
+#define PR_GET_DUMPABLE   3
+#define PR_SET_DUMPABLE   4
+#define PR_GET_UNALIGN	  5
+#define PR_SET_UNALIGN	  6
+#define PR_GET_KEEPCAPS   7
+#define PR_SET_KEEPCAPS   8
+#define PR_GET_FPEMU  9
+#define PR_SET_FPEMU 10
+#define PR_GET_FPEXC	11
+#define PR_SET_FPEXC	12
+#define PR_GET_TIMING   13
+#define PR_SET_TIMING   14
+#define PR_SET_NAME    15
+#define PR_GET_NAME    16
+#define PR_GET_ENDIAN	19
+#define PR_SET_ENDIAN	20
+#define PR_GET_SECCOMP	21
+#define PR_SET_SECCOMP	22
+#define PR_CAPBSET_READ 23
+#define PR_CAPBSET_DROP 24
+#define PR_GET_TSC 25
+#define PR_SET_TSC 26
+#define PR_GET_SECUREBITS 27
+#define PR_SET_SECUREBITS 28
+#define PR_SET_TIMERSLACK 29
+#define PR_GET_TIMERSLACK 30
+#define PR_TASK_PERF_EVENTS_DISABLE		31
+#define PR_TASK_PERF_EVENTS_ENABLE		32
+#define PR_MCE_KILL	33
+#define PR_MCE_KILL_GET 34
+#define PR_SET_MM		35
+#define PR_SET_PTRACER 0x59616d61
+#define PR_SET_CHILD_SUBREAPER	36
+#define PR_GET_CHILD_SUBREAPER	37
+#define PR_SET_NO_NEW_PRIVS	38
+#define PR_GET_NO_NEW_PRIVS	39
+#define PR_GET_TID_ADDRESS	40
+#define PR_SET_THP_DISABLE	41
+#define PR_GET_THP_DISABLE	42
+#define PR_MPX_ENABLE_MANAGEMENT  43
+#define PR_MPX_DISABLE_MANAGEMENT 44
+#define PR_SET_FP_MODE		45
+#define PR_GET_FP_MODE		46
+#define PR_CAP_AMBIENT			47
+#define PR_SVE_SET_VL			50
+#define PR_SVE_GET_VL			51
+#define PR_GET_SPECULATION_CTRL		52
+#define PR_SET_SPECULATION_CTRL		53
+#define PR_PAC_RESET_KEYS		54
+#define PR_SET_TAGGED_ADDR_CTRL		55
+#define PR_GET_TAGGED_ADDR_CTRL		56
+#define PR_SET_IO_FLUSHER		57
+#define PR_GET_IO_FLUSHER		58
+#define PR_SET_SYSCALL_USER_DISPATCH	59
+#define PR_PAC_SET_ENABLED_KEYS		60
+#define PR_PAC_GET_ENABLED_KEYS		61
+#define PR_SCHED_CORE			62
+#define PR_SME_SET_VL			63
+#define PR_SME_GET_VL			64
+#define PR_SET_VMA		0x53564d41
+
+/*==================================== PRCTL OPTIONS ================================*/
+
+
 #endif /* __MISSING_DEFINITIONS_H__ */

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c

@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2023 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/variable_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(prctl_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, ctx, PRCTL_E_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_PRCTL_E);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to collect.
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+
+
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(prctl_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct auxiliary_map *auxmap = auxmap__get();
+	if(!auxmap)
+	{
+		return 0;
+	}
+
+	int reaper_attr;
+
+	auxmap__preload_event_header(auxmap, PPME_SYSCALL_PRCTL_X);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	auxmap__store_s64_param(auxmap, ret);
+
+	/* Parameter 2: option (type: PT_ENUMFLAGS32) */
+	u32 option = (u32)prctl_options_to_scap(extract__syscall_argument(regs, 0));
+	auxmap__store_u32_param(auxmap, option);
+
+	unsigned long arg2 = extract__syscall_argument(regs, 1);
+
+	switch(option){
+		case PPM_PR_GET_NAME:
+		case PPM_PR_SET_NAME:
+			/* Parameter 3: arg2_str (type: PT_CHARBUF) */
+			auxmap__store_charbuf_param(auxmap, arg2, MAX_PATH, USER);
+			/* Parameter 4: arg2_int (type: PT_INT64) */
+			auxmap__store_s64_param(auxmap, 0);
+			break;
+		case PPM_PR_GET_CHILD_SUBREAPER:
+			/* Parameter 3: arg2_str (type: PT_CHARBUF) */
+			auxmap__store_empty_param(auxmap);
+			bpf_probe_read_user(&reaper_attr, sizeof(reaper_attr), (void*)arg2);
+			/* Parameter 4: arg2_int (type: PT_INT64) */
+			auxmap__store_s64_param(auxmap, (s64)reaper_attr);
+			break;
+		case PPM_PR_SET_CHILD_SUBREAPER:
+		default:
+			/* Parameter 3: arg2_str (type: PT_CHARBUF) */
+			auxmap__store_empty_param(auxmap);
+			/* Parameter 4: arg2_int (type: PT_INT64) */
+			auxmap__store_s64_param(auxmap, arg2);
+			break;
+	}
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	auxmap__finalize_event_header(auxmap);
+
+	auxmap__submit_event(auxmap, ctx);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/