falcosecurity · poiana · Aug 1, 2023 · Jul 25, 2023 · Jul 28, 2023 · Jul 29, 2023
diff --git a/docs/report.md b/docs/report.md
@@ -65,7 +65,7 @@
 | fcntl                   | 🟢        |
 | fdatasync               | 🟡        |
 | fgetxattr               | 🟡        |
-| finit_module            | 🟡        |
+| finit_module            | 🟢        |
 | flistxattr              | 🟡        |
 | flock                   | 🟢        |
 | fork                    | 🟢        |
@@ -116,7 +116,7 @@
 | getuid                  | 🟢        |
 | getxattr                | 🟡        |
 | idle                    | 🟡        |
-| init_module             | 🟡        |
+| init_module             | 🟢        |
 | inotify_add_watch       | 🟡        |
 | inotify_init            | 🟢        |
 | inotify_init1           | 🟢        |

diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-2.5.0
+2.6.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -7058,4 +7058,52 @@ FILLER(sys_pidfd_open_x, true)
 	return bpf_push_u32_to_ring(data, pidfd_open_flags_to_scap(flags));
 
 }
+
+FILLER(sys_init_module_x, true)
+{
+
+	/* Parameter 1: ret (type: PT_ERRNO) */
+	long retval = bpf_syscall_get_retval(data->ctx);
+	int res = bpf_push_s64_to_ring(data, retval);
+	CHECK_RES(res);
+
+	u64 len = bpf_syscall_get_argument(data, 1);
+
+	/* Parameter 2: img (type: PT_BYTEBUF) */
+	long img = bpf_syscall_get_argument(data, 0);
+	res = __bpf_val_to_ring(data, img, len, PT_BYTEBUF, -1, true, USER);
+	CHECK_RES(res);
+
+	/* Parameter 3: length (type: PT_UINT64) */
+	res = bpf_val_to_ring(data, len);
+	CHECK_RES(res);
+
+	/* Parameter 4: uargs (type: PT_CHARBUF) */
+	long uargs = bpf_syscall_get_argument(data, 2);
+	return bpf_val_to_ring(data, uargs);
+}
+
+FILLER(sys_finit_module_x, true)
+{
+
+	/* Parameter 1: ret (type: PT_ERRNO) */
+	long retval = bpf_syscall_get_retval(data->ctx);
+	int res = bpf_push_s64_to_ring(data, retval);
+	CHECK_RES(res);
+
+	/* Parameter 2: fd (type: PT_FD) */
+	s32 fd = (s32)bpf_syscall_get_argument(data, 0);
+	res = bpf_push_s64_to_ring(data, (s64)fd);
+	CHECK_RES(res);
+
+	/* Parameter 3: uargs (type: PT_CHARBUF) */
+	long uargs = bpf_syscall_get_argument(data, 1);
+	res = bpf_val_to_ring(data, uargs);
+	CHECK_RES(res);
+
+	/* Parameter 4: flags (type: PT_FLAGS32) */
+	u32 flags = bpf_syscall_get_argument(data, 2);
+	return bpf_push_u32_to_ring(data, finit_module_flags_to_scap(flags));
+}
+
 #endif
diff --git a/driver/event_stats.h b/driver/event_stats.h
@@ -1,7 +1,7 @@
 #pragma once
 
 /* These numbers must be updated when we add new events in the event table */
-#define SYSCALL_EVENTS_NUM 362
+#define SYSCALL_EVENTS_NUM 366
 #define TRACEPOINT_EVENTS_NUM 6
 #define METAEVENTS_NUM 20
 #define PLUGIN_EVENTS_NUM 1

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -459,6 +459,10 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_PIDFD_GETFD_X] = {"pidfd_getfd", EC_PROCESS | EC_SYSCALL, EF_CREATES_FD , 4, {{"fd", PT_FD, PF_DEC}, {"pid_fd", PT_FD, PF_DEC}, {"target_fd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX}}},
 	[PPME_SYSCALL_PIDFD_OPEN_E] = {"pidfd_open", EC_PROCESS | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
 	[PPME_SYSCALL_PIDFD_OPEN_X] = {"pidfd_open", EC_PROCESS | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX}}}, 
+	[PPME_SYSCALL_INIT_MODULE_E] = {"init_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
+	[PPME_SYSCALL_INIT_MODULE_X] = {"init_module", EC_OTHER | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"img", PT_BYTEBUF, PF_NA}, {"length", PT_UINT64, PF_DEC}, {"uargs", PT_CHARBUF, PF_NA}}},
+	[PPME_SYSCALL_FINIT_MODULE_E] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
+	[PPME_SYSCALL_FINIT_MODULE_X] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_USES_FD | EF_READS_FROM_FD, 4, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"uargs", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_DEC}}},
 };
 
 // We don't need this check in kmod (this source file is included during kmod compilation!)

diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -343,5 +343,9 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_PIDFD_GETFD_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_PIDFD_GETFD_X] = {FILLER_REF(sys_pidfd_getfd_x)},
 	[PPME_SYSCALL_PIDFD_OPEN_E] = {FILLER_REF(sys_empty)},
-	[PPME_SYSCALL_PIDFD_OPEN_X] = {FILLER_REF(sys_pidfd_open_x)}
+	[PPME_SYSCALL_PIDFD_OPEN_X] = {FILLER_REF(sys_pidfd_open_x)},
+	[PPME_SYSCALL_INIT_MODULE_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_INIT_MODULE_X] = {FILLER_REF(sys_init_module_x)},
+	[PPME_SYSCALL_FINIT_MODULE_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_FINIT_MODULE_X] = {FILLER_REF(sys_finit_module_x)}
 };
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -241,6 +241,8 @@
 #define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + 4 * PARAM_LEN
 #define PIDFD_OPEN_E_SIZE HEADER_LEN
 #define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + 3 * PARAM_LEN
+#define INIT_MODULE_E_SIZE HEADER_LEN
+#define FINIT_MODULE_E_SIZE HEADER_LEN
 
 /* Generic tracepoints events. */
 #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6

diff --git a/driver/modern_bpf/definitions/missing_definitions.h b/driver/modern_bpf/definitions/missing_definitions.h
@@ -1530,5 +1530,11 @@
 
 /*==================================== PRCTL OPTIONS ================================*/
 
+/*==================================== FINIT   FLAGS ================================*/
+
+#define MODULE_INIT_IGNORE_MODVERSIONS 1
+#define MODULE_INIT_IGNORE_VERMAGIC    2
+#define MODULE_INIT_COMPRESSED_FILE    4
+/*==================================== FINIT   FLAGS ================================*/
 
 #endif /* __MISSING_DEFINITIONS_H__ */
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/finit_module.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/finit_module.bpf.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2023 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/variable_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(finit_module_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, ctx, FINIT_MODULE_E_SIZE, PPME_SYSCALL_FINIT_MODULE_E))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to collect.
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+
+
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(finit_module_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct auxiliary_map *auxmap = auxmap__get();
+	if(!auxmap)
+	{
+		return 0;
+	}
+
+	auxmap__preload_event_header(auxmap, PPME_SYSCALL_FINIT_MODULE_X);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: ret (type: PT_ERRNO) */
+	auxmap__store_s64_param(auxmap, ret);
+
+	/* Parameter 2: fd (type: PT_FD) */
+	s32 fd = (s32)extract__syscall_argument(regs, 0);
+	auxmap__store_s64_param(auxmap, (s64)fd);
+
+	/* Parameter 3: uargs (type: PT_CHARBUF) */
+	unsigned long uargs_ptr = extract__syscall_argument(regs, 1);
+	auxmap__store_charbuf_param(auxmap, uargs_ptr, MAX_PROC_ARG_ENV, USER);
+
+	/* Parameter 4: flags (type: PT_FLAGS32) */
+	u32 flags = extract__syscall_argument(regs, 2);
+	auxmap__store_s32_param(auxmap, finit_module_flags_to_scap(flags));
+
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	auxmap__finalize_event_header(auxmap);
+
+	auxmap__submit_event(auxmap, ctx);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/init_module.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/init_module.bpf.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2023 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/variable_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(init_module_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, ctx, INIT_MODULE_E_SIZE, PPME_SYSCALL_INIT_MODULE_E))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to collect.
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+
+
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(init_module_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct auxiliary_map *auxmap = auxmap__get();
+	if(!auxmap)
+	{
+		return 0;
+	}
+
+	auxmap__preload_event_header(auxmap, PPME_SYSCALL_INIT_MODULE_X);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: ret (type: PT_ERRNO) */
+	auxmap__store_s64_param(auxmap, ret);
+
+	u64 len = extract__syscall_argument(regs, 1);
+
+	/* Parameter 2: img (type: PT_BYTEBUF) */
+	unsigned long img_ptr = extract__syscall_argument(regs, 0);
+	auxmap__store_bytebuf_param(auxmap, img_ptr, len, USER);
+
+	/* Parameter 3: length (type: PT_UINT64) */
+	auxmap__store_u64_param(auxmap, (u64)len);
+
+	/* Parameter 4: uargs (type: PT_CHARBUF) */
+	unsigned long uargs_ptr = extract__syscall_argument(regs, 2);
+	auxmap__store_charbuf_param(auxmap, uargs_ptr, MAX_PROC_ARG_ENV, USER);
+
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	auxmap__finalize_event_header(auxmap);
+
+	auxmap__submit_event(auxmap, ctx);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -776,6 +776,13 @@ or GPL2.txt for full copies of the license.
 */
 #define PPM_PIDFD_NONBLOCK (1<<0)
 
+/*
+ * finit_module flags	
+*/
+#define PPM_MODULE_INIT_IGNORE_MODVERSIONS	1
+#define PPM_MODULE_INIT_IGNORE_VERMAGIC     2
+#define PPM_MODULE_INIT_COMPRESSED_FILE     4
+
 /*
  * Get/set the timerslack as used by poll/select/nanosleep
  * A value of 0 means "use default"
@@ -1383,7 +1390,11 @@ typedef enum {
 	PPME_SYSCALL_PIDFD_GETFD_X = 407,
 	PPME_SYSCALL_PIDFD_OPEN_E = 408,
 	PPME_SYSCALL_PIDFD_OPEN_X = 409,
-	PPM_EVENT_MAX = 410
+	PPME_SYSCALL_INIT_MODULE_E = 410,
+	PPME_SYSCALL_INIT_MODULE_X = 411,
+	PPME_SYSCALL_FINIT_MODULE_E = 412,
+	PPME_SYSCALL_FINIT_MODULE_X = 413,
+	PPM_EVENT_MAX = 414
 } ppm_event_code;
 /*@}*/
 

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -8166,6 +8166,69 @@ int f_sys_pidfd_open_x(struct event_filler_arguments *args)
 	syscall_get_arguments_deprecated(args, 1, 1, &val);
 	res = val_to_ring(args, pidfd_open_flags_to_scap(val), 0, true, 0);
 	CHECK_RES(res)
+
+	return add_sentinel(args);
+}
+
+int f_sys_init_module_x(struct event_filler_arguments *args)
+{
+	unsigned long val;
+	int res;
+	long retval;
+	u64 len;
+
+	/* Parameter 1: ret (type: PT_ERRNO) */
+	retval = (int64_t) syscall_get_return_value(current,args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res)
+
+	syscall_get_arguments_deprecated(args, 1, 1, &val);
+	len = val;
+
+	/* Parameter 2: img (type: PT_BYTBUF) */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	res = val_to_ring(args, val, len, true, 0);
+	CHECK_RES(res);
+
+	/* Parameter 3: length (type: PT_UINT64) */
+	res = val_to_ring(args, len, 0, true, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: uargs (type: PT_CHARBUF) */
+	syscall_get_arguments_deprecated(args, 2, 1, &val);
+	res = val_to_ring(args, val, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
+int f_sys_finit_module_x(struct event_filler_arguments *args)
+{
+	unsigned long val;
+	int res;
+	long retval;
+	s32 fd;
+
+	/* Parameter 1: ret (type: PT_ERRNO) */
+	retval = (int64_t) syscall_get_return_value(current,args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res)
+
+	/* Parameter 2: fd (type: PT_FD) */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	fd = (s32)val;
+	res = val_to_ring(args, (s64)fd, 0, true, 0);
+	CHECK_RES(res)
+
+	/* Parameter 3: uargs (type: PT_CHARBUF) */
+	syscall_get_arguments_deprecated(args, 1, 1, &val);
+	res = val_to_ring(args, val, 0, true, 0);
+	CHECK_RES(res);
 
+	/* Parameter 4: flags (type: PT_FLAGS32) */
+	syscall_get_arguments_deprecated(args, 2, 1, &val);
+	res = val_to_ring(args, finit_module_flags_to_scap(val), 0, true, 0);
+	CHECK_RES(res);
+
 	return add_sentinel(args);
-}
+}