diff --git a/docs/report.md b/docs/report.md index e652520bca..167bd635a1 100644 --- a/docs/report.md +++ b/docs/report.md @@ -65,7 +65,7 @@ | fcntl | 🟢 | | fdatasync | 🟡 | | fgetxattr | 🟡 | -| finit_module | 🟡 | +| finit_module | 🟢 | | flistxattr | 🟡 | | flock | 🟢 | | fork | 🟢 | @@ -116,7 +116,7 @@ | getuid | 🟢 | | getxattr | 🟡 | | idle | 🟡 | -| init_module | 🟡 | +| init_module | 🟢 | | inotify_add_watch | 🟡 | | inotify_init | 🟢 | | inotify_init1 | 🟢 | diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION index 437459cd94..e70b4523ae 100644 --- a/driver/SCHEMA_VERSION +++ b/driver/SCHEMA_VERSION @@ -1 +1 @@ -2.5.0 +2.6.0 diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 50f94b1153..bbcb5a72c0 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -7058,4 +7058,52 @@ FILLER(sys_pidfd_open_x, true) return bpf_push_u32_to_ring(data, pidfd_open_flags_to_scap(flags)); } + +FILLER(sys_init_module_x, true) +{ + + /* Parameter 1: ret (type: PT_ERRNO) */ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_push_s64_to_ring(data, retval); + CHECK_RES(res); + + u64 len = bpf_syscall_get_argument(data, 1); + + /* Parameter 2: img (type: PT_BYTEBUF) */ + long img = bpf_syscall_get_argument(data, 0); + res = __bpf_val_to_ring(data, img, len, PT_BYTEBUF, -1, true, USER); + CHECK_RES(res); + + /* Parameter 3: length (type: PT_UINT64) */ + res = bpf_val_to_ring(data, len); + CHECK_RES(res); + + /* Parameter 4: uargs (type: PT_CHARBUF) */ + long uargs = bpf_syscall_get_argument(data, 2); + return bpf_val_to_ring(data, uargs); +} + +FILLER(sys_finit_module_x, true) +{ + + /* Parameter 1: ret (type: PT_ERRNO) */ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_push_s64_to_ring(data, retval); + CHECK_RES(res); + + /* Parameter 2: fd (type: PT_FD) */ + s32 fd = (s32)bpf_syscall_get_argument(data, 0); + res = bpf_push_s64_to_ring(data, (s64)fd); + CHECK_RES(res); + + /* Parameter 3: uargs (type: PT_CHARBUF) */ + long uargs = bpf_syscall_get_argument(data, 1); + res = bpf_val_to_ring(data, uargs); + CHECK_RES(res); + + /* Parameter 4: flags (type: PT_FLAGS32) */ + u32 flags = bpf_syscall_get_argument(data, 2); + return bpf_push_u32_to_ring(data, finit_module_flags_to_scap(flags)); +} + #endif diff --git a/driver/event_stats.h b/driver/event_stats.h index 07777a3933..e05dbfbab9 100644 --- a/driver/event_stats.h +++ b/driver/event_stats.h @@ -1,7 +1,7 @@ #pragma once /* These numbers must be updated when we add new events in the event table */ -#define SYSCALL_EVENTS_NUM 362 +#define SYSCALL_EVENTS_NUM 366 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 20 #define PLUGIN_EVENTS_NUM 1 diff --git a/driver/event_table.c b/driver/event_table.c index 96da5a7842..ebb104899a 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -459,6 +459,10 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_PIDFD_GETFD_X] = {"pidfd_getfd", EC_PROCESS | EC_SYSCALL, EF_CREATES_FD , 4, {{"fd", PT_FD, PF_DEC}, {"pid_fd", PT_FD, PF_DEC}, {"target_fd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX}}}, [PPME_SYSCALL_PIDFD_OPEN_E] = {"pidfd_open", EC_PROCESS | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0}, [PPME_SYSCALL_PIDFD_OPEN_X] = {"pidfd_open", EC_PROCESS | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX}}}, + [PPME_SYSCALL_INIT_MODULE_E] = {"init_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0}, + [PPME_SYSCALL_INIT_MODULE_X] = {"init_module", EC_OTHER | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"img", PT_BYTEBUF, PF_NA}, {"length", PT_UINT64, PF_DEC}, {"uargs", PT_CHARBUF, PF_NA}}}, + [PPME_SYSCALL_FINIT_MODULE_E] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0}, + [PPME_SYSCALL_FINIT_MODULE_X] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_USES_FD | EF_READS_FROM_FD, 4, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"uargs", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_DEC}}}, }; // We don't need this check in kmod (this source file is included during kmod compilation!) diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 1eee84084c..4f8fa38b7f 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -343,5 +343,9 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_PIDFD_GETFD_E] = {FILLER_REF(sys_empty)}, [PPME_SYSCALL_PIDFD_GETFD_X] = {FILLER_REF(sys_pidfd_getfd_x)}, [PPME_SYSCALL_PIDFD_OPEN_E] = {FILLER_REF(sys_empty)}, - [PPME_SYSCALL_PIDFD_OPEN_X] = {FILLER_REF(sys_pidfd_open_x)} + [PPME_SYSCALL_PIDFD_OPEN_X] = {FILLER_REF(sys_pidfd_open_x)}, + [PPME_SYSCALL_INIT_MODULE_E] = {FILLER_REF(sys_empty)}, + [PPME_SYSCALL_INIT_MODULE_X] = {FILLER_REF(sys_init_module_x)}, + [PPME_SYSCALL_FINIT_MODULE_E] = {FILLER_REF(sys_empty)}, + [PPME_SYSCALL_FINIT_MODULE_X] = {FILLER_REF(sys_finit_module_x)} }; diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index 20dcd31508..396c0b6767 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -241,6 +241,8 @@ #define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + 4 * PARAM_LEN #define PIDFD_OPEN_E_SIZE HEADER_LEN #define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + 3 * PARAM_LEN +#define INIT_MODULE_E_SIZE HEADER_LEN +#define FINIT_MODULE_E_SIZE HEADER_LEN /* Generic tracepoints events. */ #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6 diff --git a/driver/modern_bpf/definitions/missing_definitions.h b/driver/modern_bpf/definitions/missing_definitions.h index 4115f94d66..538cd20fcd 100644 --- a/driver/modern_bpf/definitions/missing_definitions.h +++ b/driver/modern_bpf/definitions/missing_definitions.h @@ -1530,5 +1530,11 @@ /*==================================== PRCTL OPTIONS ================================*/ +/*==================================== FINIT FLAGS ================================*/ + +#define MODULE_INIT_IGNORE_MODVERSIONS 1 +#define MODULE_INIT_IGNORE_VERMAGIC 2 +#define MODULE_INIT_COMPRESSED_FILE 4 +/*==================================== FINIT FLAGS ================================*/ #endif /* __MISSING_DEFINITIONS_H__ */ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/finit_module.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/finit_module.bpf.c new file mode 100644 index 0000000000..aae6858e63 --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/finit_module.bpf.c @@ -0,0 +1,83 @@ +/* + * Copyright (C) 2023 The Falco Authors. + * + * This file is dual licensed under either the MIT or GPL 2. See MIT.txt + * or GPL2.txt for full copies of the license. + */ + +#include +#include + +/*=============================== ENTER EVENT ===========================*/ + +SEC("tp_btf/sys_enter") +int BPF_PROG(finit_module_e, + struct pt_regs *regs, + long id) +{ + struct ringbuf_struct ringbuf; + if(!ringbuf__reserve_space(&ringbuf, ctx, FINIT_MODULE_E_SIZE, PPME_SYSCALL_FINIT_MODULE_E)) + { + return 0; + } + + ringbuf__store_event_header(&ringbuf); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + // Here we have no parameters to collect. + + /*=============================== COLLECT PARAMETERS ===========================*/ + + ringbuf__submit_event(&ringbuf); + + return 0; + + +} + +/*=============================== ENTER EVENT ===========================*/ + +/*=============================== EXIT EVENT ===========================*/ + +SEC("tp_btf/sys_exit") +int BPF_PROG(finit_module_x, + struct pt_regs *regs, + long ret) +{ + struct auxiliary_map *auxmap = auxmap__get(); + if(!auxmap) + { + return 0; + } + + auxmap__preload_event_header(auxmap, PPME_SYSCALL_FINIT_MODULE_X); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + /* Parameter 1: ret (type: PT_ERRNO) */ + auxmap__store_s64_param(auxmap, ret); + + /* Parameter 2: fd (type: PT_FD) */ + s32 fd = (s32)extract__syscall_argument(regs, 0); + auxmap__store_s64_param(auxmap, (s64)fd); + + /* Parameter 3: uargs (type: PT_CHARBUF) */ + unsigned long uargs_ptr = extract__syscall_argument(regs, 1); + auxmap__store_charbuf_param(auxmap, uargs_ptr, MAX_PROC_ARG_ENV, USER); + + /* Parameter 4: flags (type: PT_FLAGS32) */ + u32 flags = extract__syscall_argument(regs, 2); + auxmap__store_s32_param(auxmap, finit_module_flags_to_scap(flags)); + + + /*=============================== COLLECT PARAMETERS ===========================*/ + + auxmap__finalize_event_header(auxmap); + + auxmap__submit_event(auxmap, ctx); + + return 0; +} + +/*=============================== EXIT EVENT ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/init_module.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/init_module.bpf.c new file mode 100644 index 0000000000..9a6f576b5c --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/init_module.bpf.c @@ -0,0 +1,84 @@ +/* + * Copyright (C) 2023 The Falco Authors. + * + * This file is dual licensed under either the MIT or GPL 2. See MIT.txt + * or GPL2.txt for full copies of the license. + */ + +#include +#include + +/*=============================== ENTER EVENT ===========================*/ + +SEC("tp_btf/sys_enter") +int BPF_PROG(init_module_e, + struct pt_regs *regs, + long id) +{ + struct ringbuf_struct ringbuf; + if(!ringbuf__reserve_space(&ringbuf, ctx, INIT_MODULE_E_SIZE, PPME_SYSCALL_INIT_MODULE_E)) + { + return 0; + } + + ringbuf__store_event_header(&ringbuf); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + // Here we have no parameters to collect. + + /*=============================== COLLECT PARAMETERS ===========================*/ + + ringbuf__submit_event(&ringbuf); + + return 0; + + +} + +/*=============================== ENTER EVENT ===========================*/ + +/*=============================== EXIT EVENT ===========================*/ + +SEC("tp_btf/sys_exit") +int BPF_PROG(init_module_x, + struct pt_regs *regs, + long ret) +{ + struct auxiliary_map *auxmap = auxmap__get(); + if(!auxmap) + { + return 0; + } + + auxmap__preload_event_header(auxmap, PPME_SYSCALL_INIT_MODULE_X); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + /* Parameter 1: ret (type: PT_ERRNO) */ + auxmap__store_s64_param(auxmap, ret); + + u64 len = extract__syscall_argument(regs, 1); + + /* Parameter 2: img (type: PT_BYTEBUF) */ + unsigned long img_ptr = extract__syscall_argument(regs, 0); + auxmap__store_bytebuf_param(auxmap, img_ptr, len, USER); + + /* Parameter 3: length (type: PT_UINT64) */ + auxmap__store_u64_param(auxmap, (u64)len); + + /* Parameter 4: uargs (type: PT_CHARBUF) */ + unsigned long uargs_ptr = extract__syscall_argument(regs, 2); + auxmap__store_charbuf_param(auxmap, uargs_ptr, MAX_PROC_ARG_ENV, USER); + + + /*=============================== COLLECT PARAMETERS ===========================*/ + + auxmap__finalize_event_header(auxmap); + + auxmap__submit_event(auxmap, ctx); + + return 0; +} + +/*=============================== EXIT EVENT ===========================*/ diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 16302d76de..65cd383456 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -776,6 +776,13 @@ or GPL2.txt for full copies of the license. */ #define PPM_PIDFD_NONBLOCK (1<<0) +/* + * finit_module flags +*/ +#define PPM_MODULE_INIT_IGNORE_MODVERSIONS 1 +#define PPM_MODULE_INIT_IGNORE_VERMAGIC 2 +#define PPM_MODULE_INIT_COMPRESSED_FILE 4 + /* * Get/set the timerslack as used by poll/select/nanosleep * A value of 0 means "use default" @@ -1383,7 +1390,11 @@ typedef enum { PPME_SYSCALL_PIDFD_GETFD_X = 407, PPME_SYSCALL_PIDFD_OPEN_E = 408, PPME_SYSCALL_PIDFD_OPEN_X = 409, - PPM_EVENT_MAX = 410 + PPME_SYSCALL_INIT_MODULE_E = 410, + PPME_SYSCALL_INIT_MODULE_X = 411, + PPME_SYSCALL_FINIT_MODULE_E = 412, + PPME_SYSCALL_FINIT_MODULE_X = 413, + PPM_EVENT_MAX = 414 } ppm_event_code; /*@}*/ diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 1620091508..3615c78af3 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -8166,6 +8166,69 @@ int f_sys_pidfd_open_x(struct event_filler_arguments *args) syscall_get_arguments_deprecated(args, 1, 1, &val); res = val_to_ring(args, pidfd_open_flags_to_scap(val), 0, true, 0); CHECK_RES(res) + + return add_sentinel(args); +} + +int f_sys_init_module_x(struct event_filler_arguments *args) +{ + unsigned long val; + int res; + long retval; + u64 len; + + /* Parameter 1: ret (type: PT_ERRNO) */ + retval = (int64_t) syscall_get_return_value(current,args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res) + + syscall_get_arguments_deprecated(args, 1, 1, &val); + len = val; + + /* Parameter 2: img (type: PT_BYTBUF) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + res = val_to_ring(args, val, len, true, 0); + CHECK_RES(res); + + /* Parameter 3: length (type: PT_UINT64) */ + res = val_to_ring(args, len, 0, true, 0); + CHECK_RES(res); + + /* Parameter 2: uargs (type: PT_CHARBUF) */ + syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + return add_sentinel(args); +} + +int f_sys_finit_module_x(struct event_filler_arguments *args) +{ + unsigned long val; + int res; + long retval; + s32 fd; + + /* Parameter 1: ret (type: PT_ERRNO) */ + retval = (int64_t) syscall_get_return_value(current,args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res) + + /* Parameter 2: fd (type: PT_FD) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + fd = (s32)val; + res = val_to_ring(args, (s64)fd, 0, true, 0); + CHECK_RES(res) + + /* Parameter 3: uargs (type: PT_CHARBUF) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + /* Parameter 4: flags (type: PT_FLAGS32) */ + syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, finit_module_flags_to_scap(val), 0, true, 0); + CHECK_RES(res); + return add_sentinel(args); -} \ No newline at end of file +} diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index a0aec9e435..e66a28dbc5 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -1,6 +1,6 @@ /* -Copyright (C) 2021 The Falco Authors. +Copyright (C) 2023 The Falco Authors. This file is dual licensed under either the MIT or GPL 2. See MIT.txt or GPL2.txt for full copies of the license. @@ -176,6 +176,8 @@ or GPL2.txt for full copies of the license. FN(sys_memfd_create_x) \ FN(sys_pidfd_getfd_x) \ FN(sys_pidfd_open_x) \ + FN(sys_init_module_x) \ + FN(sys_finit_module_x) \ FN(terminate_filler) #define FILLER_ENUM_FN(x) PPM_FILLER_##x, diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h index 16bdaae243..4dae543fbd 100644 --- a/driver/ppm_flag_helpers.h +++ b/driver/ppm_flag_helpers.h @@ -17,7 +17,6 @@ or GPL2.txt for full copies of the license. #define ASSERT(expr) #endif - #if !defined(UDIG) && !defined(__USE_VMLINUX__) #include #include @@ -25,6 +24,9 @@ or GPL2.txt for full copies of the license. #include #include #include +#ifdef __NR_finit_module +#include +#endif #include "ppm.h" #ifdef __NR_memfd_create #include @@ -2099,4 +2101,25 @@ static __always_inline u32 prctl_options_to_scap(int options) return (u32)options; } +static __always_inline uint32_t finit_module_flags_to_scap(int32_t flags) +{ + int32_t res = 0; +#ifdef MODULE_INIT_IGNORE_MODVERSIONS + if(flags & MODULE_INIT_IGNORE_MODVERSIONS) + res |= PPM_MODULE_INIT_IGNORE_MODVERSIONS; +#endif + +#ifdef MODULE_INIT_IGNORE_VERMAGIC + if(flags & MODULE_INIT_IGNORE_VERMAGIC) + res |= PPM_MODULE_INIT_IGNORE_VERMAGIC; +#endif + +#ifdef MODULE_INIT_COMPRESSED_FILE + if(flags & MODULE_INIT_COMPRESSED_FILE) + res |= PPM_MODULE_INIT_COMPRESSED_FILE; +#endif + + return res; +} + #endif /* PPM_FLAG_HELPERS_H_ */ diff --git a/driver/syscall_table.c b/driver/syscall_table.c index 408adbc179..52b33a8024 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c @@ -408,6 +408,12 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #endif #ifdef __NR_pidfd_getfd [__NR_pidfd_getfd - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PIDFD_GETFD_E, PPME_SYSCALL_PIDFD_GETFD_X, PPM_SC_PIDFD_GETFD}, +#endif +#ifdef __NR_init_module + [__NR_init_module - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_INIT_MODULE_E, PPME_SYSCALL_INIT_MODULE_X, PPM_SC_INIT_MODULE}, +#endif +#ifdef __NR_finit_module + [__NR_finit_module - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FINIT_MODULE_E, PPME_SYSCALL_FINIT_MODULE_X, PPM_SC_FINIT_MODULE}, #endif [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL }, [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT}, @@ -454,7 +460,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_fsync - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_FSYNC}, [__NR_setdomainname - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_SETDOMAINNAME}, [__NR_adjtimex - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_ADJTIMEX}, - [__NR_init_module - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_INIT_MODULE}, [__NR_delete_module - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_DELETE_MODULE}, [__NR_getpgid - SYSCALL_TABLE_ID0] = {.ppm_sc= PPM_SC_GETPGID}, #ifdef __NR_sysfs @@ -662,9 +667,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #ifdef __NR_newfstatat [__NR_newfstatat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_NEWFSTATAT}, #endif -#ifdef __NR_finit_module - [__NR_finit_module - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FINIT_MODULE}, -#endif #ifdef __NR_sigaltstack [__NR_sigaltstack - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGALTSTACK}, #endif diff --git a/test/drivers/test_suites/syscall_enter_suite/finit_module_e.cpp b/test/drivers/test_suites/syscall_enter_suite/finit_module_e.cpp new file mode 100644 index 0000000000..16ae41a5c0 --- /dev/null +++ b/test/drivers/test_suites/syscall_enter_suite/finit_module_e.cpp @@ -0,0 +1,41 @@ +#include "../../event_class/event_class.h" +#if defined(__NR_finit_module) +TEST(SyscallEnter, finit_moduleE) +{ + auto evt_test = get_syscall_event_test(__NR_finit_module, ENTER_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + int mock_fd = -1; + char mock_buf[8]; + int mock_flags = 0; + + assert_syscall_state(SYSCALL_FAILURE, "finit_module", syscall(__NR_finit_module, mock_fd, (void *)(mock_buf), mock_flags)); + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + // Here we have no parameters to assert. + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(0); + +} +#endif diff --git a/test/drivers/test_suites/syscall_enter_suite/init_module_e.cpp b/test/drivers/test_suites/syscall_enter_suite/init_module_e.cpp new file mode 100644 index 0000000000..a9ea5f6757 --- /dev/null +++ b/test/drivers/test_suites/syscall_enter_suite/init_module_e.cpp @@ -0,0 +1,41 @@ +#include "../../event_class/event_class.h" +#if defined(__NR_init_module) +TEST(SyscallEnter, init_moduleE) +{ + auto evt_test = get_syscall_event_test(__NR_init_module, ENTER_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char mock_img[100]; + unsigned long len = 100; + char mock_buf[8]; + + assert_syscall_state(SYSCALL_FAILURE, "init_module", syscall(__NR_init_module, (void *)(mock_img), len, (void *)(mock_buf))); + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + // Here we have no parameters to assert. + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(0); + +} +#endif diff --git a/test/drivers/test_suites/syscall_exit_suite/finit_module_x.cpp b/test/drivers/test_suites/syscall_exit_suite/finit_module_x.cpp new file mode 100644 index 0000000000..dab8e756c1 --- /dev/null +++ b/test/drivers/test_suites/syscall_exit_suite/finit_module_x.cpp @@ -0,0 +1,225 @@ +#include "../../event_class/event_class.h" + +#if defined(__NR_finit_module) +#include + +TEST(SyscallExit, finit_moduleX_failure) +{ + auto evt_test = get_syscall_event_test(__NR_finit_module, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char mock_buf[] = "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAA\0"; + int flags = 3; + + /* + * Call the `finit_module` + */ + + int64_t kmod_fd = -1; + assert_syscall_state(SYSCALL_FAILURE, "finit_module", syscall(__NR_finit_module, kmod_fd, (void*)mock_buf, flags)); + int64_t errno_value = -errno; + + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: fd (type: PT_FD) */ + evt_test->assert_numeric_param(2, (int64_t)kmod_fd); + + /* Parameter 3: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(3, mock_buf); + + /* Parameter 4: flags (type: PT_INT32) */ + evt_test->assert_numeric_param(4, flags); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); +} + +#ifdef MODULE_INIT_IGNORE_MODVERSIONS +TEST(SyscallExit, finit_moduleX_failure_IGNORE_MODVERSIONS) +{ + auto evt_test = get_syscall_event_test(__NR_finit_module, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char mock_buf[] = "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAA\0"; + int flags = MODULE_INIT_IGNORE_MODVERSIONS; + + /* + * Call the `finit_module` + */ + + int64_t kmod_fd = 99; + assert_syscall_state(SYSCALL_FAILURE, "finit_module", syscall(__NR_finit_module, kmod_fd, (void*)mock_buf, flags)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: fd (type: PT_FD) */ + evt_test->assert_numeric_param(2, (int64_t)kmod_fd); + + /* Parameter 3: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(3, mock_buf); + + /* Parameter 4: flags (type: PT_INT32) */ + evt_test->assert_numeric_param(4, PPM_MODULE_INIT_IGNORE_MODVERSIONS); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); +} +#endif + +#ifdef MODULE_INIT_IGNORE_VERMAGIC +TEST(SyscallExit, finit_moduleX_failure_IGNORE_VERMAGIC) +{ + auto evt_test = get_syscall_event_test(__NR_finit_module, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char mock_buf[] = "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAA\0"; + int flags = MODULE_INIT_IGNORE_VERMAGIC; + + /* + * Call the `finit_module` + */ + + int64_t kmod_fd = 99; + assert_syscall_state(SYSCALL_FAILURE, "finit_module", syscall(__NR_finit_module, kmod_fd, (void*)mock_buf, flags)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: fd (type: PT_FD) */ + evt_test->assert_numeric_param(2, (int64_t)kmod_fd); + + /* Parameter 3: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(3, mock_buf); + + /* Parameter 4: flags (type: PT_INT32) */ + evt_test->assert_numeric_param(4, MODULE_INIT_IGNORE_VERMAGIC); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); +} +#endif + +#ifdef MODULE_INIT_COMPRESSED_FILE +TEST(SyscallExit, finit_moduleX_failure_COMPRESSED_FILE) +{ + auto evt_test = get_syscall_event_test(__NR_finit_module, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char mock_buf[] = "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAA\0"; + int flags = MODULE_INIT_COMPRESSED_FILE; + + /* + * Call the `finit_module` + */ + + int64_t kmod_fd = 99; + assert_syscall_state(SYSCALL_FAILURE, "finit_module", syscall(__NR_finit_module, kmod_fd, (void*)mock_buf, flags)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: fd (type: PT_FD) */ + evt_test->assert_numeric_param(2, (int64_t)kmod_fd); + + /* Parameter 3: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(3, mock_buf); + + /* Parameter 4: flags (type: PT_INT32) */ + evt_test->assert_numeric_param(4, PPM_MODULE_INIT_COMPRESSED_FILE); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); +} +#endif + +#endif diff --git a/test/drivers/test_suites/syscall_exit_suite/init_module_x.cpp b/test/drivers/test_suites/syscall_exit_suite/init_module_x.cpp new file mode 100644 index 0000000000..4cc014ad1a --- /dev/null +++ b/test/drivers/test_suites/syscall_exit_suite/init_module_x.cpp @@ -0,0 +1,56 @@ +#include "../../event_class/event_class.h" + +#if defined(__NR_init_module) + +TEST(SyscallExit, init_moduleX_failure) +{ + auto evt_test = get_syscall_event_test(__NR_init_module, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + const unsigned data_len = DEFAULT_SNAPLEN / 2; + char mock_img[] = "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAA\0"; + char mock_buf[] = "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAA\0"; + + /* + * Call the `init_module` + */ + assert_syscall_state(SYSCALL_FAILURE, "init_module", syscall(__NR_init_module, (void*)mock_img, data_len, (void *)mock_buf)); + int64_t errno_value = -errno; + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: img (type: PT_BYTEBUF) */ + evt_test->assert_bytebuf_param(2, mock_img, data_len); + + /* Parameter 3: length (type: PT_UINT64) */ + evt_test->assert_numeric_param(3, (uint64_t)data_len); + + /* Parameter 4: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(4, mock_buf); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); +} + +#endif diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h index 39e41628c0..a1aa1fa826 100644 --- a/userspace/libpman/src/events_prog_names.h +++ b/userspace/libpman/src/events_prog_names.h @@ -317,7 +317,11 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_PIDFD_GETFD_E] = "pidfd_getfd_e", [PPME_SYSCALL_PIDFD_GETFD_X] = "pidfd_getfd_x", [PPME_SYSCALL_PIDFD_OPEN_E] = "pidfd_open_e", - [PPME_SYSCALL_PIDFD_OPEN_X] = "pidfd_open_x" + [PPME_SYSCALL_PIDFD_OPEN_X] = "pidfd_open_x", + [PPME_SYSCALL_INIT_MODULE_E] = "init_module_e", + [PPME_SYSCALL_INIT_MODULE_X] = "init_module_x", + [PPME_SYSCALL_FINIT_MODULE_E] = "finit_module_e", + [PPME_SYSCALL_FINIT_MODULE_X] = "finit_module_x", }; /* Some events can require more than one bpf program to collect all the data. */ diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c index 01dea76418..dc9576d3d2 100644 --- a/userspace/libscap/linux/scap_ppm_sc.c +++ b/userspace/libscap/linux/scap_ppm_sc.c @@ -29,8 +29,8 @@ limitations under the License. * NOTE: first 2 lines are automatically bumped by syscalls-bumper. */ static const ppm_sc_code *g_events_to_sc_map[] = { - [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_INIT_MODULE, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_FINIT_MODULE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, -1}, - [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_INIT_MODULE, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_FINIT_MODULE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, -1}, + [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, -1}, + [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, -1}, [PPME_SYSCALL_OPEN_E] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_OPEN_X] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_CLOSE_E] = (ppm_sc_code[]){PPM_SC_CLOSE, -1}, @@ -439,6 +439,10 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SYSCALL_PIDFD_GETFD_X] = (ppm_sc_code[]){PPM_SC_PIDFD_GETFD, -1}, [PPME_SYSCALL_PIDFD_OPEN_E] = (ppm_sc_code[]){PPM_SC_PIDFD_OPEN, -1}, [PPME_SYSCALL_PIDFD_OPEN_X] = (ppm_sc_code[]){PPM_SC_PIDFD_OPEN, -1}, + [PPME_SYSCALL_INIT_MODULE_E] = (ppm_sc_code[]){PPM_SC_INIT_MODULE, -1}, + [PPME_SYSCALL_INIT_MODULE_X] = (ppm_sc_code[]){PPM_SC_INIT_MODULE, -1}, + [PPME_SYSCALL_FINIT_MODULE_E] = (ppm_sc_code[]){PPM_SC_FINIT_MODULE, -1}, + [PPME_SYSCALL_FINIT_MODULE_X] = (ppm_sc_code[]){PPM_SC_FINIT_MODULE, -1}, }; #if defined(__GNUC__) || (__STDC_VERSION__ >=201112L) diff --git a/userspace/libsinsp/test/public_sinsp_API/events_set.cpp b/userspace/libsinsp/test/public_sinsp_API/events_set.cpp index 4bf1872579..e06f3384c8 100644 --- a/userspace/libsinsp/test/public_sinsp_API/events_set.cpp +++ b/userspace/libsinsp/test/public_sinsp_API/events_set.cpp @@ -187,13 +187,13 @@ TEST(events_set, event_set_to_names_generic_events) ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"umount2"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"eventfd2"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"syscall"}).empty()); + ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"init_module"}).empty()); /* Random checks for some generic sc events. */ ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"syncfs"}).empty()); ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"perf_event_open"}).empty()); ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"timer_create"}).empty()); ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"lsetxattr"}).empty()); ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"getsid"}).empty()); - ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"init_module"}).empty()); ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"sethostname"}).empty()); ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"readlinkat"}).empty()); @@ -227,13 +227,13 @@ TEST(events_set, event_set_to_names_no_generic_events2) ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"mmap"}).empty()); ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"container"}).empty()); ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"procexit"}).empty()); + ASSERT_FALSE(unordered_set_intersection(names, std::unordered_set {"init_module"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"syncfs"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"perf_event_open"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"timer_create"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"lsetxattr"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"getsid"}).empty()); - ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"init_module"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"sethostname"}).empty()); ASSERT_TRUE(unordered_set_intersection(names, std::unordered_set {"readlinkat"}).empty()); } diff --git a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp index e2337a841f..c1753cc5b5 100644 --- a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp +++ b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp @@ -161,7 +161,6 @@ TEST(interesting_syscalls, event_set_to_sc_set_generic_events) /* Random checks for some generic sc events. */ ASSERT_TRUE(sc_set.contains(PPM_SC_PERF_EVENT_OPEN)); ASSERT_TRUE(sc_set.contains(PPM_SC_GETSID)); - ASSERT_TRUE(sc_set.contains(PPM_SC_INIT_MODULE)); ASSERT_TRUE(sc_set.contains(PPM_SC_READLINKAT)); }