diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index bbcb5a72c0..2f2d006b04 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -7106,4 +7106,58 @@ FILLER(sys_finit_module_x, true) return bpf_push_u32_to_ring(data, finit_module_flags_to_scap(flags)); } +FILLER(sys_mknod_x, true) +{ + + /* Parameter 1: ret (type: PT_ERRNO) */ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_push_s64_to_ring(data, retval); + CHECK_RES(res); + + /* Parameter 2: path (type: PT_CHARBUF) */ + unsigned long path_pointer = bpf_syscall_get_argument(data, 0); + res = bpf_val_to_ring(data, path_pointer); + CHECK_RES(res); + + /* Parameter 3: mode (type: PT_MODE) */ + u32 mode = bpf_syscall_get_argument(data, 1); + res = bpf_push_u32_to_ring(data, mknod_mode_to_scap(mode)); + CHECK_RES(res); + + /* Parameter 4: dev (type: PT_UINT32) */ + u32 dev = bpf_syscall_get_argument(data, 2); + return bpf_push_u32_to_ring(data, bpf_encode_dev(dev)); +} + +FILLER(sys_mknodat_x, true) +{ + unsigned long val; + s32 fd; + + /* Parameter 1: ret (type: PT_ERRNO) */ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_push_s64_to_ring(data, retval); + CHECK_RES(res); + + /* Parameter 2: fd (type: PT_FD) */ + fd = (s32)bpf_syscall_get_argument(data, 0); + if (fd == AT_FDCWD) + fd = PPM_AT_FDCWD; + res = bpf_push_s64_to_ring(data, (s64)fd); + CHECK_RES(res); + + /* Parameter 3: path (type: PT_CHARBUF) */ + val = bpf_syscall_get_argument(data, 1); + res = bpf_val_to_ring(data, val); + CHECK_RES(res); + + /* Parameter 4: mode (type: PT_MODE) */ + u32 mode = bpf_syscall_get_argument(data, 2); + res = bpf_push_u32_to_ring(data, mknod_mode_to_scap(mode)); + CHECK_RES(res); + + /* Parameter 5: dev (type: PT_UINT32) */ + u32 dev = bpf_syscall_get_argument(data, 3); + return bpf_push_u32_to_ring(data, bpf_encode_dev(dev)); +} #endif diff --git a/driver/event_stats.h b/driver/event_stats.h index e05dbfbab9..f1a80a5240 100644 --- a/driver/event_stats.h 
+++ b/driver/event_stats.h @@ -1,7 +1,7 @@ #pragma once /* These numbers must be updated when we add new events in the event table */ -#define SYSCALL_EVENTS_NUM 366 +#define SYSCALL_EVENTS_NUM 370 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 20 #define PLUGIN_EVENTS_NUM 1 diff --git a/driver/event_table.c b/driver/event_table.c index ebb104899a..c287e60069 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -463,6 +463,10 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_INIT_MODULE_X] = {"init_module", EC_OTHER | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"img", PT_BYTEBUF, PF_NA}, {"length", PT_UINT64, PF_DEC}, {"uargs", PT_CHARBUF, PF_NA}}}, [PPME_SYSCALL_FINIT_MODULE_E] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0}, [PPME_SYSCALL_FINIT_MODULE_X] = {"finit_module", EC_OTHER | EC_SYSCALL, EF_USES_FD | EF_READS_FROM_FD, 4, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"uargs", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_DEC}}}, + [PPME_SYSCALL_MKNOD_E] = {"mknod", EC_OTHER | EC_SYSCALL, EF_NONE, 0}, + [PPME_SYSCALL_MKNOD_X] = {"mknod", EC_OTHER | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA},{"mode", PT_MODE, PF_OCT, mknod_mode},{"dev", PT_UINT32, PF_DEC}}}, + [PPME_SYSCALL_MKNODAT_E] = {"mknodat", EC_OTHER | EC_SYSCALL, EF_NONE, 0}, + [PPME_SYSCALL_MKNODAT_X] = {"mknodat", EC_OTHER | EC_SYSCALL, EF_USES_FD, 5, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)},{"mode", PT_MODE, PF_OCT, mknod_mode},{"dev", PT_UINT32, PF_DEC}}}, }; // We don't need this check in kmod (this source file is included during kmod compilation!) diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 4f8fa38b7f..d5ced6cde6 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c 
@@ -347,5 +347,9 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 [PPME_SYSCALL_INIT_MODULE_E] = {FILLER_REF(sys_empty)},
 [PPME_SYSCALL_INIT_MODULE_X] = {FILLER_REF(sys_init_module_x)},
 [PPME_SYSCALL_FINIT_MODULE_E] = {FILLER_REF(sys_empty)},
- [PPME_SYSCALL_FINIT_MODULE_X] = {FILLER_REF(sys_finit_module_x)}
+ [PPME_SYSCALL_FINIT_MODULE_X] = {FILLER_REF(sys_finit_module_x)},
+ [PPME_SYSCALL_MKNOD_E] = {FILLER_REF(sys_empty)},
+ [PPME_SYSCALL_MKNOD_X] = {FILLER_REF(sys_mknod_x)},
+ [PPME_SYSCALL_MKNODAT_E] = {FILLER_REF(sys_empty)},
+ [PPME_SYSCALL_MKNODAT_X] = {FILLER_REF(sys_mknodat_x)}
 };
diff --git a/driver/flags_table.c b/driver/flags_table.c
index 0b7550dad7..29ea3edfd1 100644
--- a/driver/flags_table.c
+++ b/driver/flags_table.c
@@ -684,4 +684,26 @@ const struct ppm_name_value memfd_create_flags[] = {
 const struct ppm_name_value pidfd_open_flags[] = {
 {"PIDFD_NONBLOCK", PPM_PIDFD_NONBLOCK},
 {0,0},
-};
\ No newline at end of file
+};
+
+const struct ppm_name_value mknod_mode[] = {
+ {"S_IXOTH", PPM_S_IXOTH},
+ {"S_IWOTH", PPM_S_IWOTH},
+ {"S_IROTH", PPM_S_IROTH},
+ {"S_IXGRP", PPM_S_IXGRP},
+ {"S_IWGRP", PPM_S_IWGRP},
+ {"S_IRGRP", PPM_S_IRGRP},
+ {"S_IXUSR", PPM_S_IXUSR},
+ {"S_IWUSR", PPM_S_IWUSR},
+ {"S_IRUSR", PPM_S_IRUSR},
+ {"S_ISVTX", PPM_S_ISVTX},
+ {"S_ISGID", PPM_S_ISGID},
+ {"S_ISUID", PPM_S_ISUID},
+ {"S_IFREG", PPM_S_IFREG},
+ {"S_IFCHR", PPM_S_IFCHR},
+ {"S_IFBLK", PPM_S_IFBLK},
+ {"S_IFIFO", PPM_S_IFIFO},
+ {"S_IFSOCK", PPM_S_IFSOCK},
+ {0, 0},
+};
+
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
index 396c0b6767..f1f4aec2e2 100644
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
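Review bot: In `mknod_mode[]` (driver/flags_table.c) the file-type entries are listed as if they were independent bit flags, but the values this commit defines for them overlap: `PPM_S_IFBLK` (0060000) contains every bit of `PPM_S_IFCHR` (0020000), and `PPM_S_IFSOCK` (0140000) contains `PPM_S_IFREG` (0100000). If the consumer of this table decodes by testing `(val & flag) == flag` per entry (not visible here, so worth confirming), a block-device node would also be labelled `S_IFCHR` and a socket `S_IFREG`, which makes rules that key on device-node creation unreliable. Either decode the type field by equality on the masked value, or at least add a comment above the table such as `/* S_IF* entries are values of the file-type field, not flags; match them with ==, not & */`.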
@@ -243,6 +243,8 @@ #define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + 3 * PARAM_LEN #define INIT_MODULE_E_SIZE HEADER_LEN #define FINIT_MODULE_E_SIZE HEADER_LEN +#define MKNOD_E_SIZE HEADER_LEN +#define MKNODAT_E_SIZE HEADER_LEN /* Generic tracepoints events. */ #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6 diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mknod.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mknod.bpf.c new file mode 100644 index 0000000000..5cfdcd5810 --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mknod.bpf.c 
@@ -0,0 +1,83 @@ +/* + * Copyright (C) 2023 The Falco Authors. + * + * This file is dual licensed under either the MIT or GPL 2. See MIT.txt + * or GPL2.txt for full copies of the license. + */ + +#include +#include + +/*=============================== ENTER EVENT ===========================*/ + +SEC("tp_btf/sys_enter") +int BPF_PROG(mknod_e, + struct pt_regs *regs, + long id) +{ + struct ringbuf_struct ringbuf; + if(!ringbuf__reserve_space(&ringbuf, ctx, MKNOD_E_SIZE, PPME_SYSCALL_MKNOD_E)) + { + return 0; + } + + ringbuf__store_event_header(&ringbuf); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + // Here we have no parameters to collect. + + /*=============================== COLLECT PARAMETERS ===========================*/ + + ringbuf__submit_event(&ringbuf); + + return 0; + + +} + +/*=============================== ENTER EVENT ===========================*/ + +/*=============================== EXIT EVENT ===========================*/ + +SEC("tp_btf/sys_exit") +int BPF_PROG(mknod_x, + struct pt_regs *regs, + long ret) +{ + struct auxiliary_map *auxmap = auxmap__get(); + if(!auxmap) + { + return 0; + } + + auxmap__preload_event_header(auxmap, PPME_SYSCALL_MKNOD_X); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + /* Parameter 1: ret (type: PT_ERRNO) */ + auxmap__store_s64_param(auxmap, ret); + + /* Parameter 2: path (type: PT_CHARBUF) */ + unsigned long path_pointer = extract__syscall_argument(regs, 0); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); + + /* Parameter 3: mode (type: PT_MODE) */ + u32 mode = (u32)extract__syscall_argument(regs, 1); + auxmap__store_u32_param(auxmap,mknod_mode_to_scap(mode)); + + /* Parameter 4: dev (type: PT_UINT32) */ + u32 dev = (u32)extract__syscall_argument(regs, 2); + auxmap__store_u32_param(auxmap, encode_dev(dev)); + + + /*=============================== COLLECT PARAMETERS ===========================*/ + + 
auxmap__finalize_event_header(auxmap); + + auxmap__submit_event(auxmap, ctx); + + return 0; +} + +/*=============================== EXIT EVENT ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mknodat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mknodat.bpf.c new file mode 100644 index 0000000000..de8598e287 --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mknodat.bpf.c 
@@ -0,0 +1,91 @@ +/* + * Copyright (C) 2023 The Falco Authors. + * + * This file is dual licensed under either the MIT or GPL 2. See MIT.txt + * or GPL2.txt for full copies of the license. + */ + +#include +#include + +/*=============================== ENTER EVENT ===========================*/ + +SEC("tp_btf/sys_enter") +int BPF_PROG(mknodat_e, + struct pt_regs *regs, + long id) +{ + struct ringbuf_struct ringbuf; + if(!ringbuf__reserve_space(&ringbuf, ctx, MKNODAT_E_SIZE, PPME_SYSCALL_MKNODAT_E)) + { + return 0; + } + + ringbuf__store_event_header(&ringbuf); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + // Here we have no parameters to collect. + + /*=============================== COLLECT PARAMETERS ===========================*/ + + ringbuf__submit_event(&ringbuf); + + return 0; + + +} + +/*=============================== ENTER EVENT ===========================*/ + +/*=============================== EXIT EVENT ===========================*/ + +SEC("tp_btf/sys_exit") +int BPF_PROG(mknodat_x, + struct pt_regs *regs, + long ret) +{ + struct auxiliary_map *auxmap = auxmap__get(); + if(!auxmap) + { + return 0; + } + + auxmap__preload_event_header(auxmap, PPME_SYSCALL_MKNODAT_X); + + /*=============================== COLLECT PARAMETERS ===========================*/ + + /* Parameter 1: ret (type: PT_ERRNO) */ + auxmap__store_s64_param(auxmap, ret); + + /* Parameter 2: dirfd (type: PT_FD) */ + s32 dirfd = (s32)extract__syscall_argument(regs, 0); + if(dirfd == AT_FDCWD) + { + dirfd = PPM_AT_FDCWD; + } + auxmap__store_s64_param(auxmap, (s64)dirfd); + + /* Parameter 2: path (type: PT_CHARBUF) */ + unsigned long path_pointer = extract__syscall_argument(regs, 1); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); + + /* Parameter 3: mode (type: PT_MODE) */ + u32 mode = (u32)extract__syscall_argument(regs, 2); + auxmap__store_u32_param(auxmap, mknod_mode_to_scap(mode)); + + /* Parameter 4: dev (type: PT_UINT32) */ + 
u32 dev = (u32)extract__syscall_argument(regs, 3); + auxmap__store_u32_param(auxmap, encode_dev(dev)); + + + /*=============================== COLLECT PARAMETERS ===========================*/ + + auxmap__finalize_event_header(auxmap); + + auxmap__submit_event(auxmap, ctx); + + return 0; +} + +/*=============================== EXIT EVENT ===========================*/ diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 65cd383456..69b3fc8aee 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -117,6 +117,15 @@ or GPL2.txt for full copies of the license. #define PPM_S_ISGID (1 << 10) #define PPM_S_ISUID (1 << 11) +/* + * mknod() modes + */ +#define PPM_S_IFREG 0100000 +#define PPM_S_IFCHR 0020000 +#define PPM_S_IFBLK 0060000 +#define PPM_S_IFIFO 0010000 +#define PPM_S_IFSOCK 0140000 + /* * flock() flags */ @@ -1394,7 +1403,11 @@ typedef enum { PPME_SYSCALL_INIT_MODULE_X = 411, PPME_SYSCALL_FINIT_MODULE_E = 412, PPME_SYSCALL_FINIT_MODULE_X = 413, - PPM_EVENT_MAX = 414 + PPME_SYSCALL_MKNOD_E = 414, + PPME_SYSCALL_MKNOD_X = 415, + PPME_SYSCALL_MKNODAT_E = 416, + PPME_SYSCALL_MKNODAT_X = 417, + PPM_EVENT_MAX = 418 } ppm_event_code; /*@}*/ @@ -2090,6 +2103,7 @@ extern const struct ppm_name_value pf_flags[]; extern const struct ppm_name_value unlinkat_flags[]; extern const struct ppm_name_value linkat_flags[]; extern const struct ppm_name_value chmod_mode[]; +extern const struct ppm_name_value mknod_mode[]; extern const struct ppm_name_value renameat2_flags[]; extern const struct ppm_name_value openat2_flags[]; extern const struct ppm_name_value execve_flags[]; diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 3615c78af3..3c6542c3b6 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c 
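Review bot: The parameter comments in `mknodat_x` (mknodat.bpf.c) are misnumbered: after `/* Parameter 2: dirfd (type: PT_FD) */` the path is again labelled `Parameter 2`, and mode and dev are labelled 3 and 4, while the event table added in this commit declares five parameters for `PPME_SYSCALL_MKNODAT_X`. They should read `/* Parameter 3: path ... */`, `/* Parameter 4: mode (type: PT_MODE) */` and `/* Parameter 5: dev (type: PT_UINT32) */`. The same off-by-one labels appear in `f_sys_mknodat_x` in driver/ppm_fillers.c. The path comments also say `PT_CHARBUF` where the table uses `PT_FSRELPATH` (and `PT_FSPATH` for mknod), so the type in the comment should follow the table.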
@@ -8232,3 +8232,70 @@ int f_sys_finit_module_x(struct event_filler_arguments *args) return add_sentinel(args); } + +int f_sys_mknod_x(struct event_filler_arguments *args) +{ + unsigned long val; + int res; + long retval; + + /* Parameter 1: ret (type: PT_ERRNO) */ + retval = (int64_t) syscall_get_return_value(current,args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res) + + /* Parameter 2: path (type: PT_CHARBUF) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + /* Parameter 3: mode (type: PT_MODE) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, mknod_mode_to_scap(val), 0, false, 0); + CHECK_RES(res); + + /* Parameter 4: dev (type: PT_UINT32) */ + syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, new_encode_dev(val), 0, false, 0); + CHECK_RES(res); + + return add_sentinel(args); +} + +int f_sys_mknodat_x(struct event_filler_arguments *args) +{ + unsigned long val; + int res; + s32 fd; + long retval; + + /* Parameter 1: ret (type: PT_ERRNO) */ + retval = (int64_t) syscall_get_return_value(current,args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); + + /* Parameter 2: dirfd (type: PT_FD) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + fd = (s32)val; + if (fd == AT_FDCWD) + fd = PPM_AT_FDCWD; + res = val_to_ring(args, (s64)fd, 0, true, 0); + CHECK_RES(res); + + /* Parameter 2: path (type: PT_CHARBUF) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + /* Parameter 3: mode (type: PT_MODE) */ + syscall_get_arguments_deprecated(args, 2, 1, &val); + res = val_to_ring(args, mknod_mode_to_scap(val), 0, false, 0); + CHECK_RES(res); + + /* Parameter 4: dev (type: PT_UINT32) */ + syscall_get_arguments_deprecated(args, 3, 1, &val); + res = val_to_ring(args, new_encode_dev(val), 0, false, 0); + CHECK_RES(res); + + 
return add_sentinel(args); +} diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index e66a28dbc5..44fe2cbe9f 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -178,6 +178,8 @@ or GPL2.txt for full copies of the license. FN(sys_pidfd_open_x) \ FN(sys_init_module_x) \ FN(sys_finit_module_x) \ + FN(sys_mknod_x) \ + FN(sys_mknodat_x) \ FN(terminate_filler) #define FILLER_ENUM_FN(x) PPM_FILLER_##x, diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h index 4dae543fbd..c69a1bc769 100644 --- a/driver/ppm_flag_helpers.h +++ b/driver/ppm_flag_helpers.h @@ -2122,4 +2122,49 @@ static __always_inline uint32_t finit_module_flags_to_scap(int32_t flags) return res; } +static __always_inline uint32_t mknod_mode_to_scap(u32 modes) +{ + u32 res = chmod_mode_to_scap(modes); + + /* + * mknod modes + */ + +#ifdef S_IFMT + switch(modes & S_IFMT){ +#ifdef S_IFSOCK + case S_IFSOCK: + res |= PPM_S_IFSOCK; + break; +#endif +#ifdef S_IFREG + // Zero file type is equivalent to type S_IFREG. + case 0: + case S_IFREG: + res |= PPM_S_IFREG; + break; +#endif +#ifdef S_IFBLK + case S_IFBLK: + res |= PPM_S_IFBLK; + break; +#endif +#ifdef S_IFCHR + case S_IFCHR: + res |= PPM_S_IFCHR; + break; +#endif +#ifdef S_IFIFO + case S_IFIFO: + res |= PPM_S_IFIFO; + break; +#endif + default: + break; + } +#endif + + return res; +} + #endif /* PPM_FLAG_HELPERS_H_ */ diff --git a/driver/syscall_table.c b/driver/syscall_table.c index 52b33a8024..d95ea5adda 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c 
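Review bot: In `f_sys_mknodat_x` (driver/ppm_fillers.c) the dirfd is pushed with `val_to_ring(args, (s64)fd, 0, true, 0)`, while every other scalar in this hunk (retval, mode, dev) passes `false` in that position and only the path pointers pass `true`. If the fourth argument marks a user-space pointer, as the path calls suggest, the dirfd line should be `res = val_to_ring(args, (s64)fd, 0, false, 0);`. Separately, the first `CHECK_RES(res)` in `f_sys_mknod_x` lacks the trailing semicolon that every other use in the hunk has.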
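Review bot: `mknod_mode_to_scap` (driver/ppm_flag_helpers.h) has no header comment, and two of its behaviours are not obvious to someone writing rules against the `mode` parameter: a zero type field is reported as `PPM_S_IFREG`, and any type outside the five cases (for example `S_IFDIR`) falls into `default:` and is reported with permission bits only. I would add a comment above the function saying so, e.g. `/* Converts a mknod mode: permission bits via chmod_mode_to_scap, plus one PPM_S_IF* type; type 0 is reported as S_IFREG, unhandled types are dropped. */`. The parameter and local are typed `u32` while the return type and the neighbouring `finit_module_flags_to_scap` use `<stdint.h>` names; `uint32_t` would be consistent.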
@@ -414,14 +414,17 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #endif #ifdef __NR_finit_module [__NR_finit_module - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FINIT_MODULE_E, PPME_SYSCALL_FINIT_MODULE_X, PPM_SC_FINIT_MODULE}, +#endif +#ifdef __NR_mknod + [__NR_mknod - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MKNOD_E, PPME_SYSCALL_MKNOD_X, PPM_SC_MKNOD}, +#endif +#ifdef __NR_mknodat + [__NR_mknodat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MKNODAT_E, PPME_SYSCALL_MKNODAT_X, PPM_SC_MKNODAT}, #endif [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL }, [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT}, #ifdef __NR_time [__NR_time - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_TIME}, -#endif -#ifdef __NR_mknod - [__NR_mknod - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MKNOD}, #endif [__NR_getpid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETPID}, [__NR_sync - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SYNC}, @@ -558,7 +561,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_ioprio_get - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPRIO_GET}, [__NR_inotify_add_watch - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_INOTIFY_ADD_WATCH}, [__NR_inotify_rm_watch - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_INOTIFY_RM_WATCH}, - [__NR_mknodat - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MKNODAT}, #ifdef __NR_fchownat [__NR_fchownat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_FCHOWNAT_E, PPME_SYSCALL_FCHOWNAT_X, PPM_SC_FCHOWNAT}, #endif diff --git a/test/drivers/test_suites/syscall_exit_suite/mknod_e.cpp b/test/drivers/test_suites/syscall_exit_suite/mknod_e.cpp new file mode 100644 index 0000000000..7802534978 --- /dev/null +++ b/test/drivers/test_suites/syscall_exit_suite/mknod_e.cpp 
@@ -0,0 +1,43 @@
+#include "../../event_class/event_class.h"
+#if defined(__NR_mknod)
+#include
+TEST(SyscallEnter, mknodE_failure)
+{
+ auto evt_test = get_syscall_event_test(__NR_mknod, ENTER_EVENT);
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ char path[] = "/tmp/";
+
+ uint32_t mode = 0060000 | 0666;
+ uint32_t dev = 61440;
+ assert_syscall_state(SYSCALL_FAILURE, "mknod", syscall(__NR_mknod, (void *)(path), (mode_t)mode, (dev_t)dev));
+ int64_t errno_value = -errno;
+
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ // Here we have no parameters to assert.
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(0);
+
+}
+#endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/mknod_x.cpp b/test/drivers/test_suites/syscall_exit_suite/mknod_x.cpp
new file mode 100644
index 0000000000..ec3270ea60
--- /dev/null
+++ b/test/drivers/test_suites/syscall_exit_suite/mknod_x.cpp
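Review bot: `mknodE_failure` is a `SyscallEnter` test, but mknod_e.cpp is added under `test_suites/syscall_exit_suite/`; the same is true of mknodat_e.cpp later in the commit. If the suite layout follows the directory names, both files belong in the enter-suite directory. `int64_t errno_value = -errno;` is also never used here, since the enter event carries no parameters, and can be removed.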
@@ -0,0 +1,303 @@ +#include "../../event_class/event_class.h" +#if defined(__NR_mknod) +#include +TEST(SyscallExit, mknodX_failure) +{ + auto evt_test = get_syscall_event_test(__NR_mknod, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char path[] = "/tmp/"; + + uint32_t mode = 0060000 | 0666; + uint32_t dev = 61440; + assert_syscall_state(SYSCALL_FAILURE, "mknod", syscall(__NR_mknod, (void *)(path), (mode_t)mode, (dev_t)dev)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(2, path); + + /* Parameter 3: mode (type: PT_MODE) */ + evt_test->assert_numeric_param(3, mode); + + /* Parameter 4: dev (type: PT_UINT32) */ + evt_test->assert_numeric_param(4, 251658240); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); + +} + +TEST(SyscallExit, mknodX_failure_S_IFREG) +{ + auto evt_test = get_syscall_event_test(__NR_mknod, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char path[] = "/tmp"; + + mode_t mode = S_IXUSR | S_IFREG; + uint32_t dev = 61440; + assert_syscall_state(SYSCALL_FAILURE, "mknod", syscall(__NR_mknod, (void *)(path), (mode_t)mode, (dev_t)dev)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + 
evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(2, path); + + /* Parameter 3: mode (type: PT_MODE) */ + evt_test->assert_numeric_param(3, PPM_S_IXUSR | PPM_S_IFREG); + + /* Parameter 4: dev (type: PT_UINT32) */ + evt_test->assert_numeric_param(4, 251658240); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); + +} + +TEST(SyscallExit, mknodX_failure_S_IFCHR) +{ + auto evt_test = get_syscall_event_test(__NR_mknod, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char path[] = "/tmp/"; + + mode_t mode = S_IXUSR | S_IFCHR; + uint32_t dev = 61440; + assert_syscall_state(SYSCALL_FAILURE, "mknod", syscall(__NR_mknod, (void *)(path), (mode_t)mode, (dev_t)dev)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(2, path); + + /* Parameter 3: mode (type: PT_MODE) */ + evt_test->assert_numeric_param(3, PPM_S_IXUSR | PPM_S_IFCHR); + + /* Parameter 4: dev (type: PT_UINT32) */ + evt_test->assert_numeric_param(4, 251658240); + + /*=============================== 
ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); + +} + +TEST(SyscallExit, mknodX_failure_S_IFBLK) +{ + auto evt_test = get_syscall_event_test(__NR_mknod, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char path[] = "/tmp/"; + + mode_t mode = S_IXUSR | S_IFBLK; + uint32_t dev = 61440; + assert_syscall_state(SYSCALL_FAILURE, "mknod", syscall(__NR_mknod, (void *)(path), (mode_t)mode, (dev_t)dev)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(2, path); + + /* Parameter 3: mode (type: PT_MODE) */ + evt_test->assert_numeric_param(3, PPM_S_IXUSR | PPM_S_IFBLK); + + /* Parameter 4: dev (type: PT_UINT32) */ + evt_test->assert_numeric_param(4, 251658240); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); + +} + +TEST(SyscallExit, mknodX_failure_S_IFIFO) +{ + auto evt_test = get_syscall_event_test(__NR_mknod, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char path[] = "/tmp/"; + + mode_t mode = S_IXUSR | S_IFIFO; + uint32_t dev = 61440; + assert_syscall_state(SYSCALL_FAILURE, "mknod", syscall(__NR_mknod, (void *)(path), (mode_t)mode, (dev_t)dev)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + 
evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(2, path); + + /* Parameter 3: mode (type: PT_MODE) */ + evt_test->assert_numeric_param(3, PPM_S_IXUSR | PPM_S_IFIFO); + + /* Parameter 4: dev (type: PT_UINT32) */ + evt_test->assert_numeric_param(4, 251658240); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); + +} + +TEST(SyscallExit, mknodX_failure_S_IFSOCK) +{ + auto evt_test = get_syscall_event_test(__NR_mknod, EXIT_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + char path[] = "/tmp/"; + + mode_t mode = S_IXUSR | S_IFSOCK; + uint32_t dev = 61440; + assert_syscall_state(SYSCALL_FAILURE, "mknod", syscall(__NR_mknod, (void *)(path), (mode_t)mode, (dev_t)dev)); + int64_t errno_value = -errno; + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(2, path); + + /* Parameter 3: mode (type: PT_MODE) */ + evt_test->assert_numeric_param(3, PPM_S_IXUSR | PPM_S_IFSOCK); + + /* Parameter 4: dev (type: PT_UINT32) */ + evt_test->assert_numeric_param(4, 251658240); + + 
/*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); + +} +#endif diff --git a/test/drivers/test_suites/syscall_exit_suite/mknodat_e.cpp b/test/drivers/test_suites/syscall_exit_suite/mknodat_e.cpp new file mode 100644 index 0000000000..93c8e0f33a --- /dev/null +++ b/test/drivers/test_suites/syscall_exit_suite/mknodat_e.cpp @@ -0,0 +1,40 @@ +#include "../../event_class/event_class.h" +#if defined(__NR_mknodat) +TEST(SyscallEnter, mknodatE_failure) +{ + auto evt_test = get_syscall_event_test(__NR_mknodat, ENTER_EVENT); + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + int mock_fd = -1; + char mock_buf[100]; + + assert_syscall_state(SYSCALL_FAILURE, "mknodat", syscall(__NR_mknodat, mock_fd, (void *)(mock_buf), NULL, 0)); + + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + // Here we have no parameters to assert. + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(0); + +} +#endif diff --git a/test/drivers/test_suites/syscall_exit_suite/mknodat_x.cpp b/test/drivers/test_suites/syscall_exit_suite/mknodat_x.cpp new file mode 100644 index 0000000000..c13b442881 --- /dev/null +++ b/test/drivers/test_suites/syscall_exit_suite/mknodat_x.cpp 
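Review bot: None of the `mknodX_*` cases in mknod_x.cpp exercises the one non-trivial branch of the mode conversion, where a zero file-type field is reported as `PPM_S_IFREG`. A case with `mode_t mode = S_IXUSR;` that asserts `evt_test->assert_numeric_param(3, PPM_S_IXUSR | PPM_S_IFREG);` would pin that behaviour. The expected dev value `251658240` is also repeated as a bare literal in every case; a named constant with a comment on how it derives from `61440` would let a reader check the assertions.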
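Review bot: In `mknodatE_failure` (mknodat_e.cpp) `mock_buf` is passed to the syscall as the path without being initialised, so which error mknodat returns, and in principle whether it fails at all, depends on stack contents. `NULL` is also passed where the integer mode is expected. Using `char mock_buf[] = "/tmp/";` and `0` for the mode would make the failure deterministic and match the inputs the exit tests use.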
@@ -0,0 +1,321 @@
+#include "../../event_class/event_class.h"
+#if defined(__NR_mknodat)
+#include
+TEST(SyscallExit, mknodatX_failure)
+{
+ auto evt_test = get_syscall_event_test(__NR_mknodat, EXIT_EVENT);
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int64_t fd = -1;
+ char path[] = "/tmp/";
+ uint32_t mode = 0060000 | 0666;
+ uint32_t dev = 61440;
+ assert_syscall_state(SYSCALL_FAILURE, "mknodat", syscall(__NR_mknodat, fd, (void *)(path), (mode_t)mode, (dev_t)dev));
+ int64_t errno_value = -errno;
+
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ evt_test->assert_numeric_param(1, (uint64_t)errno_value);
+
+ /* Parameter 2: mode (type: PT_FD) */
+ evt_test->assert_numeric_param(2, fd);
+
+ /* Parameter 3: uargs (type: PT_CHARBUF) */
+ evt_test->assert_charbuf_param(3, path);
+
+ /* Parameter 4: mode (type: PT_MODE) */
+ evt_test->assert_numeric_param(4, mode);
+
+ /* Parameter 5: dev (type: PT_UINT32) */
+ evt_test->assert_numeric_param(5, 251658240);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(5);
+
+}
+
+TEST(SyscallExit, mknodatX_failure_S_IFREG)
+{
+ auto evt_test = get_syscall_event_test(__NR_mknodat, EXIT_EVENT);
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int64_t fd = -1;
+ char path[] = "/tmp/";
+ mode_t mode = S_IXUSR | S_IFREG;
+ uint32_t dev = 61440;
+ assert_syscall_state(SYSCALL_FAILURE, "mknodat", syscall(__NR_mknodat, fd, (void *)(path), mode, (dev_t)dev));
+ int64_t errno_value = -errno;
+
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ evt_test->assert_numeric_param(1, (uint64_t)errno_value);
+
+ /* Parameter 2: mode (type: PT_FD) */
+ evt_test->assert_numeric_param(2, fd);
+
+ /* Parameter 3: uargs (type: PT_CHARBUF) */
+ evt_test->assert_charbuf_param(3, path);
+
+ /* Parameter 4: mode (type: PT_MODE) */
+ evt_test->assert_numeric_param(4, PPM_S_IXUSR | PPM_S_IFREG);
+
+ /* Parameter 5: dev (type: PT_UINT32) */
+ evt_test->assert_numeric_param(5, 251658240);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(5);
+
+}
+
+TEST(SyscallExit, mknodatX_failure_S_IFCHR)
+{
+ auto evt_test = get_syscall_event_test(__NR_mknodat, EXIT_EVENT);
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int64_t fd = -1;
+ char path[] = "/tmp/";
+ mode_t mode = S_IXUSR | S_IFCHR;
+ uint32_t dev = 61440;
+ assert_syscall_state(SYSCALL_FAILURE, "mknodat", syscall(__NR_mknodat, fd, (void *)(path), mode, (dev_t)dev));
+ int64_t errno_value = -errno;
+
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ evt_test->assert_numeric_param(1, (uint64_t)errno_value);
+
+ /* Parameter 2: mode (type: PT_FD) */
+ evt_test->assert_numeric_param(2, fd);
+
+ /* Parameter 3: uargs (type: PT_CHARBUF) */
+ evt_test->assert_charbuf_param(3, path);
+
+ /* Parameter 4: mode (type: PT_MODE) */
+ evt_test->assert_numeric_param(4, PPM_S_IXUSR | PPM_S_IFCHR);
+
+ /* Parameter 5: dev (type: PT_UINT32) */
+ evt_test->assert_numeric_param(5, 251658240);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(5);
+
+}
+
+TEST(SyscallExit, mknodatX_failure_S_IFBLK)
+{
+ auto evt_test = get_syscall_event_test(__NR_mknodat, EXIT_EVENT);
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int64_t fd = -1;
+ char path[] = "/tmp/";
+ mode_t mode = S_IXUSR | S_IFBLK;
+ uint32_t dev = 61440;
+ assert_syscall_state(SYSCALL_FAILURE, "mknodat", syscall(__NR_mknodat, fd, (void *)(path), mode, (dev_t)dev));
+ int64_t errno_value = -errno;
+
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ evt_test->assert_numeric_param(1, (uint64_t)errno_value);
+
+ /* Parameter 2: mode (type: PT_FD) */
+ evt_test->assert_numeric_param(2, fd);
+
+ /* Parameter 3: uargs (type: PT_CHARBUF) */
+ evt_test->assert_charbuf_param(3, path);
+
+ /* Parameter 4: mode (type: PT_MODE) */
+ evt_test->assert_numeric_param(4, PPM_S_IXUSR | PPM_S_IFBLK);
+
+ /* Parameter 5: dev (type: PT_UINT32) */
+ evt_test->assert_numeric_param(5, 251658240);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(5);
+
+}
+
+TEST(SyscallExit, mknodatX_failure_S_IFIFO)
+{
+ auto evt_test = get_syscall_event_test(__NR_mknodat, EXIT_EVENT);
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int64_t fd = -1;
+ char path[] = "/tmp/";
+ mode_t mode = S_IXUSR | S_IFIFO;
+ uint32_t dev = 61440;
+ assert_syscall_state(SYSCALL_FAILURE, "mknodat", syscall(__NR_mknodat, fd, (void *)(path), mode, (dev_t)dev));
+ int64_t errno_value = -errno;
+
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ evt_test->assert_numeric_param(1, (uint64_t)errno_value);
+
+ /* Parameter 2: mode (type: PT_FD) */
+ evt_test->assert_numeric_param(2, fd);
+
+ /* Parameter 3: uargs (type: PT_CHARBUF) */
+ evt_test->assert_charbuf_param(3, path);
+
+ /* Parameter 4: mode (type: PT_MODE) */
+ evt_test->assert_numeric_param(4, PPM_S_IXUSR | PPM_S_IFIFO);
+
+ /* Parameter 5: dev (type: PT_UINT32) */
+ evt_test->assert_numeric_param(5, 251658240);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(5);
+
+}
+
+TEST(SyscallExit, mknodatX_failure_S_IFSOCK)
+{
+ auto evt_test = get_syscall_event_test(__NR_mknodat, EXIT_EVENT);
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int64_t fd = -1;
+ char path[] = "/tmp/";
+ mode_t mode = S_IXUSR | S_IFSOCK;
+ uint32_t dev = 61440;
+ assert_syscall_state(SYSCALL_FAILURE, "mknodat", syscall(__NR_mknodat, fd, (void *)(path), mode, (dev_t)dev));
+ int64_t errno_value = -errno;
+
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+
evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO)*/ + evt_test->assert_numeric_param(1, (uint64_t)errno_value); + + /* Parameter 2: mode (type: PT_FD) */ + evt_test->assert_numeric_param(2, fd); + + /* Parameter 3: uargs (type: PT_CHARBUF) */ + evt_test->assert_charbuf_param(3, path); + + /* Parameter 4: mode (type: PT_MODE) */ + evt_test->assert_numeric_param(4, PPM_S_IXUSR | PPM_S_IFSOCK); + + /* Parameter 5: dev (type: PT_UINT32) */ + evt_test->assert_numeric_param(5, 251658240); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(5); + +} +#endif diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h index a1aa1fa826..88ee6aef8e 100644 --- a/userspace/libpman/src/events_prog_names.h +++ b/userspace/libpman/src/events_prog_names.h @@ -322,6 +322,10 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_INIT_MODULE_X] = "init_module_x", [PPME_SYSCALL_FINIT_MODULE_E] = "finit_module_e", [PPME_SYSCALL_FINIT_MODULE_X] = "finit_module_x", + [PPME_SYSCALL_MKNOD_E] = "mknod_e", + [PPME_SYSCALL_MKNOD_X] = "mknod_x", + [PPME_SYSCALL_MKNODAT_E] = "mknodat_e", + [PPME_SYSCALL_MKNODAT_X] = "mknodat_x" }; /* Some events can require more than one bpf program to collect all the data. */ diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c index dc9576d3d2..becc42eb74 100644 --- a/userspace/libscap/linux/scap_ppm_sc.c +++ b/userspace/libscap/linux/scap_ppm_sc.c 
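Review bot: Every test in `mknodat_x.cpp` passes `fd = -1`, so the `AT_FDCWD` to `PPM_AT_FDCWD` translation that the `sys_mknodat_x` filler in this commit performs is never exercised, although that is the dirfd value consumers of the event are most likely to see. Changing one case to `int64_t fd = AT_FDCWD;` and asserting `evt_test->assert_numeric_param(2, (int64_t)PPM_AT_FDCWD);` would cover it; the absolute `/tmp/` path should still make the call fail. The parameter comments also look copied from another test: `/* Parameter 2: mode (type: PT_FD) */` should name `dirfd`, and `/* Parameter 3: uargs (type: PT_CHARBUF) */` should read `path (type: PT_FSRELPATH)` to match the event table entry. All seven cases are failing calls, so a successful node creation with `res == 0` is not checked anywhere in this file.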
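Review bot: The new last entry `[PPME_SYSCALL_MKNODAT_X] = "mknodat_x"` drops the trailing comma that the previous last entry carried, so the next event appended to `event_prog_names` has to modify this line as well. Keeping `[PPME_SYSCALL_MKNODAT_X] = "mknodat_x",` matches the rest of the table. The array initializer starts outside the hunk.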
@@ -29,8 +29,8 @@ limitations under the License. * NOTE: first 2 lines are automatically bumped by syscalls-bumper. */ static const ppm_sc_code *g_events_to_sc_map[] = { - [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, 
PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, 
PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, -1}, - [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_MKNOD, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, 
PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_MKNODAT, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, 
PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, -1}, + [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, 
PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, 
PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, 
PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, -1}, + [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, 
PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_NEWFSTATAT, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, 
PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, -1}, [PPME_SYSCALL_OPEN_E] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_OPEN_X] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_CLOSE_E] = (ppm_sc_code[]){PPM_SC_CLOSE, -1}, @@ -443,6 +443,10 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SYSCALL_INIT_MODULE_X] = (ppm_sc_code[]){PPM_SC_INIT_MODULE, -1}, [PPME_SYSCALL_FINIT_MODULE_E] = (ppm_sc_code[]){PPM_SC_FINIT_MODULE, -1}, [PPME_SYSCALL_FINIT_MODULE_X] = (ppm_sc_code[]){PPM_SC_FINIT_MODULE, -1}, + [PPME_SYSCALL_MKNOD_E] = (ppm_sc_code[]){PPM_SC_MKNOD, -1}, + [PPME_SYSCALL_MKNOD_X] = (ppm_sc_code[]){PPM_SC_MKNOD, -1}, + [PPME_SYSCALL_MKNODAT_E] = (ppm_sc_code[]){PPM_SC_MKNODAT, -1}, + [PPME_SYSCALL_MKNODAT_X] = (ppm_sc_code[]){PPM_SC_MKNODAT, -1}, }; #if defined(__GNUC__) || (__STDC_VERSION__ >=201112L)