From 70b34201aaa68b08a28e9926c18b5c580decb0bc Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Mon, 5 Feb 2024 15:05:56 +0000 Subject: [PATCH 1/7] feat(driver): add support for process_vm syscalls Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 83 ++++++++++ driver/event_stats.h | 2 +- driver/event_table.c | 4 + driver/fillers_table.c | 6 +- .../definitions/events_dimensions.h | 2 + .../process_vm_readv.bpf.c | 104 +++++++++++++ .../process_vm_writev.bpf.c | 104 +++++++++++++ driver/ppm_events_public.h | 6 +- driver/ppm_fillers.c | 110 +++++++++++++ driver/ppm_fillers.h | 2 + driver/syscall_table.c | 12 +- .../syscall_exit_suite/process_vm_readv_x.cpp | 140 +++++++++++++++++ .../process_vm_writev_x.cpp | 144 ++++++++++++++++++ userspace/libpman/src/events_prog_names.h | 6 +- userspace/libscap/linux/scap_ppm_sc.c | 8 +- 15 files changed, 721 insertions(+), 12 deletions(-) create mode 100644 driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c create mode 100644 driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c create mode 100644 test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp create mode 100644 test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index e611ecaf4e..3afe4d08bd 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h 
@@ -7319,4 +7319,87 @@ FILLER(sys_newfstatat_x, true)
 uint32_t flags = bpf_syscall_get_argument(data, 3);
 return bpf_push_u32_to_ring(data, newfstatat_flags_to_scap(flags));
 }
+
+
+FILLER(sys_process_vm_readv_x, true)
+{
+ const struct iovec __user *iov;
+ unsigned long iovcnt;
+
+ /* Parameter 1: ret (type: PT_INT32) */
+ long retval = bpf_syscall_get_retval(data->ctx);
+ int res = bpf_push_s64_to_ring(data, (int32_t)retval);
+ CHECK_RES(res);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ pid_t pid = (int32_t)bpf_syscall_get_argument(data, 0);
+ res = bpf_push_s64_to_ring(data, (int64_t)pid);
+ CHECK_RES(res);
+
+ /*
+ * data and size
+ */
+ if (retval > 0)
+ {
+ iov = (const struct iovec __user *)bpf_syscall_get_argument(data, 3);
+ iovcnt = bpf_syscall_get_argument(data, 4);
+
+ res = bpf_parse_readv_writev_bufs(data,
+ iov,
+ iovcnt,
+ retval,
+ PRB_FLAG_PUSH_ALL);
+ }
+ else
+ {
+ /* Parameter 2: size (type: PT_UINT32) */
+ res = bpf_push_u32_to_ring(data, 0);
+
+ /* Parameter 3: data (type: PT_BYTEBUF) */
+ res = bpf_push_empty_param(data);
+ }
+
+ return res;
+}
+
+FILLER(sys_process_vm_writev_x, true)
+{
+ const struct iovec __user *iov;
+ unsigned long iovcnt;
+
+ /* Parameter 1: ret (type: PT_INT32) */
+ long retval = bpf_syscall_get_retval(data->ctx);
+ int res = bpf_push_s64_to_ring(data, (int32_t)retval);
+ CHECK_RES(res);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ pid_t pid = (int32_t)bpf_syscall_get_argument(data, 0);
+ res = bpf_push_s64_to_ring(data, (int64_t)pid);
+ CHECK_RES(res);
+
+ /*
+ * data and size
+ */
+ if (retval > 0)
+ {
+ iov = (const struct iovec __user *)bpf_syscall_get_argument(data, 1);
+ iovcnt = bpf_syscall_get_argument(data, 2);
+
+ res = bpf_parse_readv_writev_bufs(data,
+ iov,
+ iovcnt,
+ retval,
+ PRB_FLAG_PUSH_ALL);
+ }
+ else
+ {
+ /* Parameter 2: size (type: PT_UINT32) */
+ res = bpf_push_u32_to_ring(data, 0);
+
+ /* Parameter 3: data (type: PT_BYTEBUF) */
+ res = bpf_push_empty_param(data);
+ }
+
+ return res;
+}
 #endif
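Review bot: In `sys_process_vm_readv_x` the data buffer is parsed from arguments 3 and 4, which are `remote_iov`/`riovcnt`; their `iov_base` values are addresses in the target process, while the filler runs in the caller's context, so `bpf_parse_readv_writev_bufs` would presumably capture whatever the caller has mapped at those addresses (or nothing) rather than the bytes that were actually read. The bytes land in `local_iov`, so the filler should use `iov = (const struct iovec __user *)bpf_syscall_get_argument(data, 1);` and `iovcnt = bpf_syscall_get_argument(data, 2);`, as the writev filler already does. The same argument indices are used for readv in process_vm_readv.bpf.c and in `f_sys_process_vm_readv_x` in ppm_fillers.c. Separately, `(int32_t)retval` narrows a return value that the event table declares as PT_INT64; `bpf_push_s64_to_ring(data, retval)` would match what the other two drivers push.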
diff --git a/driver/event_stats.h b/driver/event_stats.h index bbb9b3afa5..122019c282 100644 --- a/driver/event_stats.h +++ b/driver/event_stats.h @@ -10,7 +10,7 @@ or GPL2.txt for full copies of the license. #pragma once /* These numbers must be updated when we add new events in the event table */ -#define SYSCALL_EVENTS_NUM 372 +#define SYSCALL_EVENTS_NUM 376 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 20 #define PLUGIN_EVENTS_NUM 1 diff --git a/driver/event_table.c b/driver/event_table.c index 38e645b7d4..d7b419d103 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -472,6 +472,10 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_MKNODAT_X] = {"mknodat", EC_OTHER | EC_SYSCALL, EF_USES_FD, 5, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)},{"mode", PT_MODE, PF_OCT, mknod_mode},{"dev", PT_UINT32, PF_DEC}}}, [PPME_SYSCALL_NEWFSTATAT_E] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_NONE, 0}, [PPME_SYSCALL_NEWFSTATAT_X] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_USES_FD, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, newfstatat_flags}}}, + [PPME_SYSCALL_PROCESS_VM_READV_E] = {"process_vm_readv", EC_SYSCALL | EC_IPC, EF_NONE, 0}, + [PPME_SYSCALL_PROCESS_VM_READV_X] = {"process_vm_readv", EC_SYSCALL | EC_IPC, EF_NONE, 4, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}}, + [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 0}, + [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 4, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}}, }; #pragma GCC diagnostic pop diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 07a9fd945f..af080e0f09 100644 --- a/driver/fillers_table.c 
+++ b/driver/fillers_table.c @@ -356,6 +356,10 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_MKNODAT_E] = {FILLER_REF(sys_empty)}, [PPME_SYSCALL_MKNODAT_X] = {FILLER_REF(sys_mknodat_x)}, [PPME_SYSCALL_NEWFSTATAT_E] = {FILLER_REF(sys_empty)}, - [PPME_SYSCALL_NEWFSTATAT_X] = {FILLER_REF(sys_newfstatat_x)} + [PPME_SYSCALL_NEWFSTATAT_X] = {FILLER_REF(sys_newfstatat_x)}, + [PPME_SYSCALL_PROCESS_VM_READV_E] = {FILLER_REF(sys_empty)}, + [PPME_SYSCALL_PROCESS_VM_READV_X] = {FILLER_REF(sys_process_vm_readv_x)}, + [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = {FILLER_REF(sys_empty)}, + [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {FILLER_REF(sys_process_vm_writev_x)} }; #pragma GCC diagnostic pop diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index 9ca5df8cb4..24bbbb9a2f 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -247,6 +247,8 @@ #define MKNOD_E_SIZE HEADER_LEN #define MKNODAT_E_SIZE HEADER_LEN #define NEWFSTATAT_E_SIZE HEADER_LEN +#define PROCESS_VM_READV_E_SIZE HEADER_LEN +#define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN /* Generic tracepoints events. */ #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6 diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c new file mode 100644 index 0000000000..8ac7597cfa --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c 
@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2024 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include
+#include
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(process_vm_readv_e,
+ struct pt_regs *regs,
+ long id)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, ctx, PROCESS_VM_READV_E_SIZE, PPME_SYSCALL_PROCESS_VM_READV_E))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ // Here we have no parameters to collect.
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(process_vm_readv_x,
+ struct pt_regs *regs,
+ long ret)
+{
+ struct auxiliary_map *auxmap = auxmap__get();
+ if(!auxmap)
+ {
+ return 0;
+ }
+
+ auxmap__preload_event_header(auxmap, PPME_SYSCALL_PROCESS_VM_READV_X);
+
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_INT32) */
+ auxmap__store_s64_param(auxmap, ret);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ int64_t pid = extract__syscall_argument(regs, 0);
+ auxmap__store_s64_param(auxmap, pid);
+
+ if(ret > 0)
+ {
+ /* Parameter 2: size (type: PT_UINT32) */
+ auxmap__store_u32_param(auxmap, (uint32_t)ret);
+
+ /* We read the minimum between `snaplen` and what we really
+ * have in the buffer.
+ */
+ uint16_t snaplen = maps__get_snaplen();
+ apply_dynamic_snaplen(regs, &snaplen, true);
+ if(snaplen > ret)
+ {
+ snaplen = ret;
+ }
+
+ unsigned long iov_pointer = extract__syscall_argument(regs, 3);
+ unsigned long iov_cnt = extract__syscall_argument(regs, 4);
+
+ //* Parameter 3: data (type: PT_BYTEBUF) */
+ auxmap__store_iovec_data_param(auxmap, iov_pointer, iov_cnt, snaplen);
+ }
+ else
+ {
+ /* Parameter 2: size (type: PT_UINT32) */
+ auxmap__store_u32_param(auxmap, 0);
+
+ /* Parameter 3: data (type: PT_BYTEBUF) */
+ auxmap__store_empty_param(auxmap);
+ }
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ auxmap__finalize_event_header(auxmap);
+
+ auxmap__submit_event(auxmap, ctx);
+
+ return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c
new file mode 100644
index 0000000000..864b7f40a9
--- /dev/null
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c
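Review bot: `int64_t pid = extract__syscall_argument(regs, 0);` in `process_vm_readv_x` stores the whole argument register, whereas the legacy filler in this patch narrows the value with `(int32_t)` first; `pid_t` is 32 bits wide, so any stale upper bits in the register would make the recorded pid differ from the one the kernel acted on. Narrow before widening: `pid_t pid = (int32_t)extract__syscall_argument(regs, 0);` followed by `auxmap__store_s64_param(auxmap, (int64_t)pid);`. `process_vm_writev_x` in process_vm_writev.bpf.c has the same line. The three drivers should emit the same value for this parameter.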
@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2024 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include
+#include
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(process_vm_writev_e,
+ struct pt_regs *regs,
+ long id)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, ctx, PROCESS_VM_WRITEV_E_SIZE, PPME_SYSCALL_PROCESS_VM_WRITEV_E))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ // Here we have no parameters to collect.
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(process_vm_writev_x,
+ struct pt_regs *regs,
+ long ret)
+{
+ struct auxiliary_map *auxmap = auxmap__get();
+ if(!auxmap)
+ {
+ return 0;
+ }
+
+ auxmap__preload_event_header(auxmap, PPME_SYSCALL_PROCESS_VM_WRITEV_X);
+
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_INT32) */
+ auxmap__store_s64_param(auxmap, ret);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ int64_t pid = extract__syscall_argument(regs, 0);
+ auxmap__store_s64_param(auxmap, pid);
+
+ if(ret > 0)
+ {
+ /* Parameter 2: size (type: PT_UINT32) */
+ auxmap__store_u32_param(auxmap, (uint32_t)ret);
+
+ /* We read the minimum between `snaplen` and what we really
+ * have in the buffer.
+ */
+ uint16_t snaplen = maps__get_snaplen();
+ apply_dynamic_snaplen(regs, &snaplen, true);
+ if(snaplen > ret)
+ {
+ snaplen = ret;
+ }
+
+ unsigned long iov_pointer = extract__syscall_argument(regs, 1);
+ unsigned long iov_cnt = extract__syscall_argument(regs, 2);
+
+ //* Parameter 3: data (type: PT_BYTEBUF) */
+ auxmap__store_iovec_data_param(auxmap, iov_pointer, iov_cnt, snaplen);
+ }
+ else
+ {
+ /* Parameter 2: size (type: PT_UINT32) */
+ auxmap__store_u32_param(auxmap, 0);
+
+ /* Parameter 3: data (type: PT_BYTEBUF) */
+ auxmap__store_empty_param(auxmap);
+ }
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ auxmap__finalize_event_header(auxmap);
+
+ auxmap__submit_event(auxmap, ctx);
+
+ return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
index 49d63c2b67..be0c743507 100644
--- a/driver/ppm_events_public.h
+++ b/driver/ppm_events_public.h
@@ -1422,7 +1422,11 @@ typedef enum {
 PPME_SYSCALL_MKNODAT_X = 417,
 PPME_SYSCALL_NEWFSTATAT_E = 418,
 PPME_SYSCALL_NEWFSTATAT_X = 419,
- PPM_EVENT_MAX = 420
+ PPME_SYSCALL_PROCESS_VM_READV_E = 420,
+ PPME_SYSCALL_PROCESS_VM_READV_X = 421,
+ PPME_SYSCALL_PROCESS_VM_WRITEV_E = 422,
+ PPME_SYSCALL_PROCESS_VM_WRITEV_X = 423,
+ PPM_EVENT_MAX = 424
 } ppm_event_code;
 /*@}*/
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index 405db71202..3cfb5c9944 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
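Review bot: The parameter comments in `process_vm_writev_x` do not match the event definition this patch adds to event_table.c: `res` is declared PT_INT64 but labelled PT_INT32, `size` is the third parameter but labelled `Parameter 2`, and the data comment is misnumbered and opened with `//*`. Suggested labels: `/* Parameter 1: res (type: PT_INT64) */`, `/* Parameter 3: size (type: PT_UINT32) */` and `/* Parameter 4: data (type: PT_BYTEBUF) */`. process_vm_readv.bpf.c carries the same comments. A one-line comment above the two `extract__syscall_argument` calls naming arguments 1 and 2 as `local_iov`/`liovcnt` would also help, since the indices differ between the readv and writev programs.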
@@ -8124,3 +8124,113 @@ int f_sys_newfstatat_x(struct event_filler_arguments *args)
 return add_sentinel(args);
 }
+
+int f_sys_process_vm_readv_x(struct event_filler_arguments *args)
+{
+ unsigned long val;
+ long retval;
+ int res;
+ unsigned long iovcnt;
+ int32_t pid;
+
+ /* Parameter 1: ret (type: PT_INT64) */
+ retval = (int64_t) syscall_get_return_value(current,args->regs);
+ res = val_to_ring(args, (int64_t)retval, 0, false, 0);
+ CHECK_RES(res);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ syscall_get_arguments_deprecated(args, 0, 1, &val);
+ pid = (int32_t)val;
+ res = val_to_ring(args, (int64_t)pid, 0, false, 0);
+ CHECK_RES(res);
+
+
+ if(retval > 0)
+ {
+ /* Parameter 4: remote_iov (type: PT_UINT64) */
+ syscall_get_arguments_deprecated(args, 3, 1, &val);
+
+ /* Parameter 4: riovcnt (type: PT_INT32) */
+ syscall_get_arguments_deprecated(args, 4, 1, &iovcnt);
+
+ #ifdef CONFIG_COMPAT
+ if (unlikely(args->compat)) {
+ const struct compat_iovec __user *compat_iov = (const struct compat_iovec __user *)compat_ptr(val);
+ res = compat_parse_readv_writev_bufs(args, compat_iov, iovcnt, retval, PRB_FLAG_PUSH_ALL);
+ } else
+ #endif
+ {
+ const struct iovec __user *iov = (const struct iovec __user *)val;
+ res = parse_readv_writev_bufs(args, iov, iovcnt, retval, PRB_FLAG_PUSH_ALL);
+ }
+
+ CHECK_RES(res);
+ }
+ else
+ {
+ /* pushing a zero size */
+ res = val_to_ring(args, 0, 0, false, 0);
+ CHECK_RES(res);
+
+ /* pushing empty data */
+ res = push_empty_param(args);
+ CHECK_RES(res);
+ }
+
+ return add_sentinel(args);
+}
+
+int f_sys_process_vm_writev_x(struct event_filler_arguments *args)
+{
+ unsigned long val;
+ long retval;
+ int res;
+ unsigned long iovcnt;
+ int32_t pid;
+
+ /* Parameter 1: ret (type: PT_INT64) */
+ retval = (int64_t) syscall_get_return_value(current,args->regs);
+ res = val_to_ring(args, (int64_t)retval, 0, false, 0);
+ CHECK_RES(res);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ syscall_get_arguments_deprecated(args, 0, 1, &val);
+ pid = (int32_t)val;
+ res = val_to_ring(args, (int64_t)pid, 0, false, 0);
+ CHECK_RES(res);
+
+
+ if(retval > 0)
+ {
+ /* Parameter 4: remote_iov (type: PT_UINT64) */
+ syscall_get_arguments_deprecated(args, 1, 1, &val);
+
+ /* Parameter 4: riovcnt (type: PT_INT32) */
+ syscall_get_arguments_deprecated(args, 2, 1, &iovcnt);
+
+ #ifdef CONFIG_COMPAT
+ if (unlikely(args->compat)) {
+ const struct compat_iovec __user *compat_iov = (const struct compat_iovec __user *)compat_ptr(val);
+ res = compat_parse_readv_writev_bufs(args, compat_iov, iovcnt, retval, PRB_FLAG_PUSH_ALL);
+ } else
+ #endif
+ {
+ const struct iovec __user *iov = (const struct iovec __user *)val;
+ res = parse_readv_writev_bufs(args, iov, iovcnt, retval, PRB_FLAG_PUSH_ALL);
+ }
+
+ CHECK_RES(res);
+ }
+ else
+ {
+ /* pushing a zero size */
+ res = val_to_ring(args, 0, 0, false, 0);
+ CHECK_RES(res);
+
+ /* pushing empty data */
+ res = push_empty_param(args);
+ CHECK_RES(res);
+ }
+
+ return add_sentinel(args);
+}
diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
index 68c431f1d2..9ed8f886ac 100644
--- a/driver/ppm_fillers.h
+++ b/driver/ppm_fillers.h
@@ -188,6 +188,8 @@ or GPL2.txt for full copies of the license.
 FN(sys_mknod_x) \
 FN(sys_mknodat_x) \
 FN(sys_newfstatat_x) \
+ FN(sys_process_vm_readv_x) \
+ FN(sys_process_vm_writev_x) \
 FN(terminate_filler)
 #define FILLER_ENUM_FN(x) PPM_FILLER_##x,
diff --git a/driver/syscall_table.c b/driver/syscall_table.c
index ced1febc27..6d35e2b666 100644
--- a/driver/syscall_table.c
+++ b/driver/syscall_table.c
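Review bot: In `f_sys_process_vm_writev_x` the comments above the two `syscall_get_arguments_deprecated` calls name `remote_iov` and `riovcnt`, but the calls read arguments 1 and 2, which are `local_iov` and `liovcnt`; both comments are also numbered `Parameter 4`, which is the event's `data` field. Suggested text: `/* local_iov (syscall argument 1): buffers in the caller's address space */` and `/* liovcnt (syscall argument 2) */`. The two new functions also have no header comment; a short one listing the four pushed parameters (res, pid, size, data) in the order of the event_table.c entry would document the layout.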
@@ -424,6 +424,12 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #endif #ifdef __NR_newfstatat [__NR_newfstatat - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_NEWFSTATAT_E, PPME_SYSCALL_NEWFSTATAT_X, PPM_SC_NEWFSTATAT}, +#endif +#ifdef __NR_process_vm_readv + [__NR_process_vm_readv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PROCESS_VM_READV_E, PPME_SYSCALL_PROCESS_VM_READV_X, PPM_SC_PROCESS_VM_READV}, +#endif +#ifdef __NR_process_vm_writev + [__NR_process_vm_writev - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PROCESS_VM_WRITEV_E, PPME_SYSCALL_PROCESS_VM_WRITEV_X, PPM_SC_PROCESS_VM_WRITEV}, #endif [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL }, [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT}, @@ -847,9 +853,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #ifdef __NR_epoll_ctl [__NR_epoll_ctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_CTL}, #endif -#ifdef __NR_process_vm_writev - [__NR_process_vm_writev - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_VM_WRITEV}, -#endif #ifdef __NR_sched_getparam [__NR_sched_getparam - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GETPARAM}, #endif @@ -859,9 +862,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #ifdef __NR_sched_setparam [__NR_sched_setparam - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_SETPARAM}, #endif -#ifdef __NR_process_vm_readv - [__NR_process_vm_readv - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PROCESS_VM_READV}, -#endif #ifdef __NR_pause [__NR_pause - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PAUSE}, #endif diff --git a/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp b/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp new file mode 100644 index 0000000000..a969f950ab --- /dev/null +++ b/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp 
@@ -0,0 +1,140 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_process_vm_readv
+
+TEST(SyscallExit, process_vm_readvX_failure)
+{
+ auto evt_test = get_syscall_event_test(__NR_process_vm_readv, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ char buf[16];
+ iovec iov[] = {{buf, 16}};
+ int32_t iovcnt = 7;
+
+ size_t res = syscall(__NR_process_vm_readv, getpid(), iov, iovcnt, iov, iovcnt, 0);
+ assert_syscall_state(SYSCALL_FAILURE, "process_vm_readv", res, EQUAL, -1);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_INT32) */
+ evt_test->assert_numeric_param(1, (int64_t)-1, LESS_EQUAL);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ evt_test->assert_numeric_param(2, (int64_t)getpid());
+
+ /* Parameter 3: local_iov (type: PT_UINT64) */
+ evt_test->assert_numeric_param(3, (uint32_t)0);
+
+ /* Parameter 4: liovcnt (type: PT_UINT32)*/
+ evt_test->assert_empty_param(4);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(4);
+}
+
+TEST(SyscallExit, process_vm_readvX_success)
+{
+ auto evt_test = get_syscall_event_test(__NR_process_vm_readv, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int pipe_fd[2];
+
+ ASSERT_GT(pipe(pipe_fd), -1);
+
+ pid_t child_pid = fork();
+
+ if(child_pid == 0)
+ {
+
+ char buf[10] = "QWERTYUIO";
+ struct iovec remote[1];
+ remote[0].iov_base = (void*)buf;
+ remote[0].iov_len = sizeof(buf);
+ void* target = &remote;
+
+ close(pipe_fd[0]);
+
+ ssize_t read = write(pipe_fd[1], &target, sizeof(void*));
+ ASSERT_GT(read, 0);
+
+ close(pipe_fd[1]);
+
+ exit(EXIT_SUCCESS);
+ }
+ else
+ {
+
+ char buffer[10];
+ struct iovec local[1];
+ local[0].iov_base = buffer;
+ local[0].iov_len = sizeof(buffer);
+ void* target;
+
+ close(pipe_fd[1]);
+
+ ssize_t read = syscall(__NR_read, pipe_fd[0], &target, sizeof(void*));
+ ASSERT_GT(read, 0);
+
+ read = syscall(__NR_process_vm_readv, child_pid, local, 1, target, 1, 0);
+ assert_syscall_state(SYSCALL_SUCCESS, "process_vm_readv", read, NOT_EQUAL, 0);
+
+ close(pipe_fd[0]);
+ wait(NULL);
+ }
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_INT32) */
+ evt_test->assert_numeric_param(1, (int64_t)10);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ evt_test->assert_numeric_param(2, (int64_t)child_pid);
+
+ /* Parameter 4: liovcnt (type: PT_UINT32)*/
+ evt_test->assert_numeric_param(3, (uint32_t)10);
+
+ /* Parameter 3: local_iov (type: PT_UINT64) */
+ evt_test->assert_charbuf_param(4, "QWERTYUIO");
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(4);
+}
+#endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp b/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp
new file mode 100644
index 0000000000..55f3d1fe16
--- /dev/null
+++ b/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp
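Review bot: `process_vm_readvX_failure` passes `iovcnt = 7` with a one-element `iov` array, so the kernel is handed six uninitialised `iovec` entries from the stack and the error path taken depends on what happens to be there. A deterministic failure would be clearer, for example `int32_t iovcnt = 1;` together with a non-zero `flags` argument, which the man page documents as EINVAL. In `process_vm_readvX_success` the parent passes the child's `&remote` as `remote_iov`, which the kernel reads from the parent's own memory; the test appears to rely on parent and child sharing a stack layout after `fork()`, so local and remote buffers end up at the same address and the test cannot tell which iovec the driver captured from. Giving the child buffer a distinct address (for instance a heap allocation whose pointer is sent over the pipe, with the parent building its own `remote` iovec) would make the data assertion meaningful.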
@@ -0,0 +1,144 @@
+#include "../../event_class/event_class.h"
+#include
+
+#ifdef __NR_process_vm_writev
+
+TEST(SyscallExit, process_vm_writevX_failure)
+{
+ auto evt_test = get_syscall_event_test(__NR_process_vm_writev, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ size_t res = syscall(__NR_process_vm_writev, getpid(), (void*)(0x41414141), 0, (void*)(0x42424242), 0, 0);
+ assert_syscall_state(SYSCALL_FAILURE, "process_vm_writev", res, EQUAL, 0);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_INT32) */
+ evt_test->assert_numeric_param(1, (int64_t)0);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ evt_test->assert_numeric_param(2, (int64_t)getpid());
+
+ /* Parameter 3: local_iov (type: PT_UINT64) */
+ evt_test->assert_numeric_param(3, (uint32_t)0);
+
+ /* Parameter 4: liovcnt (type: PT_UINT32)*/
+ evt_test->assert_empty_param(4);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(4);
+}
+
+TEST(SyscallExit, process_vm_writevX_success)
+{
+ auto evt_test = get_syscall_event_test(__NR_process_vm_writev, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ int pipe_fd[2];
+
+ ASSERT_GT(pipe(pipe_fd), -1);
+
+ pid_t child_pid = fork();
+
+ if(child_pid == 0)
+ {
+
+ char buf[10] = "QWERTYUIO";
+ struct iovec local[1];
+ local[0].iov_base = buf;
+ local[0].iov_len = sizeof(buf);
+ void* target;
+
+ close(pipe_fd[1]);
+
+ ssize_t read = syscall(__NR_read, pipe_fd[0], &target, sizeof(void*));
+ ASSERT_GT(read, 0);
+
+ read = syscall(__NR_read, pipe_fd[0], (void*)&child_pid, sizeof(pid_t));
+ ASSERT_GT(read, 0);
+
+ read = syscall(__NR_process_vm_writev, child_pid, local, 1, target, 1, 0);
+ assert_syscall_state(SYSCALL_SUCCESS, "process_vm_writev", read, NOT_EQUAL, 0);
+
+ close(pipe_fd[0]);
+
+ exit(EXIT_SUCCESS);
+ }
+ else
+ {
+
+ char buf[10];
+ struct iovec local[1];
+ local[0].iov_base = (void*)buf;
+ local[0].iov_len = sizeof(buf);
+ void* target = &local;
+
+ close(pipe_fd[0]);
+
+ ssize_t res = write(pipe_fd[1], &target, sizeof(void*));
+ ASSERT_GT(res, 0);
+
+ res = write(pipe_fd[1], (void*)&child_pid, sizeof(pid_t));
+ ASSERT_GT(res, 0);
+
+ close(pipe_fd[1]);
+
+ wait(NULL);
+ }
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence(child_pid);
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_INT32) */
+ evt_test->assert_numeric_param(1, (int64_t)10);
+
+ /* Parameter 2: pid (type: PT_PID) */
+ evt_test->assert_numeric_param(2, (int64_t)child_pid);
+
+ /* Parameter 4: liovcnt (type: PT_UINT32)*/
+ evt_test->assert_numeric_param(3, (uint32_t)10);
+
+ /* Parameter 3: local_iov (type: PT_UINT64) */
+ evt_test->assert_charbuf_param(4, "QWERTYUIO");
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(4);
+}
+#endif
diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h
index 6f35720f1a..8a10b922be 100644
--- a/userspace/libpman/src/events_prog_names.h
+++ b/userspace/libpman/src/events_prog_names.h
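Review bot: `process_vm_writevX_failure` does not exercise a failing call: both iovec counts are 0, the return value is asserted to be 0 and parameter 1 is asserted to be 0, so only the `ret == 0` branch of the fillers is covered and no negative `res` is ever checked. Either rename it (for example `process_vm_writevX_zero_len`) or add a case in which the syscall returns an error and assert the negative `res`. In `process_vm_writevX_success` the `ASSERT_GT` and `assert_syscall_state` checks run in the forked child, where a failure would not be reflected in the parent's test result, and `wait(NULL)` discards the child's exit status; checking it with `waitpid(child_pid, &status, 0)` and `WIFEXITED`/`WEXITSTATUS` would surface a child-side failure.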
@@ -328,7 +328,11 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_MKNODAT_E] = "mknodat_e", [PPME_SYSCALL_MKNODAT_X] = "mknodat_x", [PPME_SYSCALL_NEWFSTATAT_E] = "newfstatat_e", - [PPME_SYSCALL_NEWFSTATAT_X] = "newfstatat_x" + [PPME_SYSCALL_NEWFSTATAT_X] = "newfstatat_x", + [PPME_SYSCALL_PROCESS_VM_READV_E] = "process_vm_readv_e", + [PPME_SYSCALL_PROCESS_VM_READV_X] = "process_vm_readv_x", + [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = "process_vm_writev_e", + [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = "process_vm_writev_x" }; /* Some events can require more than one bpf program to collect all the data. */ diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c index 41b5fc6f42..7022e60eda 100644 --- a/userspace/libscap/linux/scap_ppm_sc.c +++ b/userspace/libscap/linux/scap_ppm_sc.c 
@@ -30,8 +30,8 @@ limitations under the License. * NOTE: first 2 lines are automatically bumped by syscalls-bumper. */ static const ppm_sc_code *g_events_to_sc_map[] = { - [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, 
PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, 
PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_MULTIPLEXER, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_LISTMOUNT, PPM_SC_STATMOUNT, PPM_SC_LSM_GET_SELF_ATTR, PPM_SC_LSM_SET_SELF_ATTR, PPM_SC_LSM_LIST_MODULES, -1}, - [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, 
PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, 
PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_PROCESS_VM_WRITEV, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PROCESS_VM_READV, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, 
PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_MULTIPLEXER, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_LSM_SET_SELF_ATTR, PPM_SC_LSM_LIST_MODULES, PPM_SC_LISTMOUNT, PPM_SC_STATMOUNT, PPM_SC_LSM_GET_SELF_ATTR, -1}, + [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, 
PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, 
PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_MULTIPLEXER, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_LISTMOUNT, PPM_SC_STATMOUNT, PPM_SC_LSM_GET_SELF_ATTR, PPM_SC_LSM_SET_SELF_ATTR, PPM_SC_LSM_LIST_MODULES, -1}, + [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, 
PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_DELETE_MODULE, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, 
PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, 
PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_MULTIPLEXER, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_LSM_SET_SELF_ATTR, PPM_SC_LSM_LIST_MODULES, PPM_SC_LISTMOUNT, PPM_SC_STATMOUNT, PPM_SC_LSM_GET_SELF_ATTR, -1}, [PPME_SYSCALL_OPEN_E] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_OPEN_X] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_CLOSE_E] = (ppm_sc_code[]){PPM_SC_CLOSE, -1}, @@ -450,6 +450,10 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SYSCALL_MKNODAT_X] = (ppm_sc_code[]){PPM_SC_MKNODAT, -1}, [PPME_SYSCALL_NEWFSTATAT_E] = (ppm_sc_code[]){PPM_SC_NEWFSTATAT, -1}, [PPME_SYSCALL_NEWFSTATAT_X] = (ppm_sc_code[]){PPM_SC_NEWFSTATAT, -1}, + [PPME_SYSCALL_PROCESS_VM_READV_E] = (ppm_sc_code[]){PPM_SC_PROCESS_VM_READV, -1}, + [PPME_SYSCALL_PROCESS_VM_READV_X] = (ppm_sc_code[]){PPM_SC_PROCESS_VM_READV, -1}, + [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = (ppm_sc_code[]){PPM_SC_PROCESS_VM_WRITEV, -1}, + [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = (ppm_sc_code[]){PPM_SC_PROCESS_VM_WRITEV, -1}, }; #if defined(__GNUC__) || (__STDC_VERSION__ >=201112L) From 720ed413b67979235d62aecbf5aeebe779cf7096 Mon Sep 17 00:00:00 2001 
From: Roberto Scolaro Date: Tue, 6 Feb 2024 10:02:09 +0000 Subject: [PATCH 2/7] fix(driver): don't push redundant size with process_vm syscall Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 24 +++++-------------- driver/event_table.c | 4 ++-- .../process_vm_readv.bpf.c | 10 ++------ .../process_vm_writev.bpf.c | 8 +------ driver/ppm_fillers.c | 24 +++++-------------- .../syscall_exit_suite/process_vm_readv_x.cpp | 22 +++++++---------- .../process_vm_writev_x.cpp | 22 +++++++---------- 7 files changed, 33 insertions(+), 81 deletions(-)
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 3afe4d08bd..a885bfef8b 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -7326,7 +7326,7 @@ FILLER(sys_process_vm_readv_x, true)
 const struct iovec __user *iov;
 unsigned long iovcnt;
- /* Parameter 1: ret (type: PT_INT32) */
+ /* Parameter 1: ret (type: PT_INT64) */
 long retval = bpf_syscall_get_retval(data->ctx);
 int res = bpf_push_s64_to_ring(data, (int32_t)retval);
 CHECK_RES(res);
@@ -7336,9 +7336,7 @@ FILLER(sys_process_vm_readv_x, true)
 res = bpf_push_s64_to_ring(data, (int64_t)pid);
 CHECK_RES(res);
- /*
- * data and size
- */
+ /* Parameter 3: data (type: PT_BYTEBUF) */
 if (retval > 0)
 {
 iov = (const struct iovec __user *)bpf_syscall_get_argument(data, 3);
@@ -7348,14 +7346,10 @@ FILLER(sys_process_vm_readv_x, true)
 iov,
 iovcnt,
 retval,
- PRB_FLAG_PUSH_ALL);
+ PRB_FLAG_PUSH_DATA);
 }
 else
 {
- /* Parameter 2: size (type: PT_UINT32) */
- res = bpf_push_u32_to_ring(data, 0);
-
- /* Parameter 3: data (type: PT_BYTEBUF) */
 res = bpf_push_empty_param(data);
 }
@@ -7367,7 +7361,7 @@ FILLER(sys_process_vm_writev_x, true)
 const struct iovec __user *iov;
 unsigned long iovcnt;
- /* Parameter 1: ret (type: PT_INT32) */
+ /* Parameter 1: ret (type: PT_INT64) */
 long retval = bpf_syscall_get_retval(data->ctx);
 int res = bpf_push_s64_to_ring(data, (int32_t)retval);
 CHECK_RES(res);
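Review bot: The `ret` comment in sys_process_vm_readv_x now says PT_INT64, but the unchanged line below it still pushes `(int32_t)retval`, so the value is narrowed to 32 bits before it is stored as a 64-bit parameter. The same cast sits in the `@@ -7367,7 +7361,7` hunk for sys_process_vm_writev_x, while the modern probe in this patch stores `ret` without a cast. Dropping the cast, `int res = bpf_push_s64_to_ring(data, retval);`, keeps the drivers consistent with the PT_INT64 schema; the kernel probably caps a single transfer below 2 GiB, so this is about agreement between drivers rather than an observed truncation. Both filler bodies extend beyond their hunks.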
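Review bot: The `data` buffer in sys_process_vm_readv_x is parsed from syscall arguments 3 and 4 (the `iov = ...(data, 3)` context line closing the `@@ -7336,9 +7336,7` hunk), which for process_vm_readv are `remote_iov`/`riovcnt`: their `iov_base` values are addresses in the target process, and the bytes actually read land in `local_iov`, arguments 1 and 2. If bpf_parse_readv_writev_bufs dereferences `iov_base` in the caller's context, as it presumably does (the helper is not part of this patch), the event carries unrelated caller memory or nothing, so rules that inspect the payload of a cross-process read would match on the wrong bytes. I would read the destination instead, `iov = (const struct iovec __user *)bpf_syscall_get_argument(data, 1);` and `iovcnt = bpf_syscall_get_argument(data, 2);` (the `iovcnt` line sits just past the end of the hunk), which are the indices the writev filler already uses. The same argument indices appear in process_vm_readv.bpf.c (`extract__syscall_argument(regs, 3)` and `4`) and in f_sys_process_vm_readv_x in ppm_fillers.c, whose new comment `/* We only get the source iov */` names the side that is not readable locally. A test peer created by fork shares the caller's address layout, which may be why the success test still sees "QWERTYUIO".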
@@ -7377,9 +7371,7 @@ FILLER(sys_process_vm_writev_x, true)
 res = bpf_push_s64_to_ring(data, (int64_t)pid);
 CHECK_RES(res);
- /*
- * data and size
- */
+ /* Parameter 3: data (type: PT_BYTEBUF) */
 if (retval > 0)
 {
 iov = (const struct iovec __user *)bpf_syscall_get_argument(data, 1);
@@ -7389,14 +7381,10 @@ FILLER(sys_process_vm_writev_x, true)
 iov,
 iovcnt,
 retval,
- PRB_FLAG_PUSH_ALL);
+ PRB_FLAG_PUSH_DATA);
 }
 else
 {
- /* Parameter 2: size (type: PT_UINT32) */
- res = bpf_push_u32_to_ring(data, 0);
-
- /* Parameter 3: data (type: PT_BYTEBUF) */
 res = bpf_push_empty_param(data);
 }
diff --git a/driver/event_table.c b/driver/event_table.c
index d7b419d103..72aeac7dd5 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -473,9 +473,9 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_NEWFSTATAT_E] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
 [PPME_SYSCALL_NEWFSTATAT_X] = {"newfstatat", EC_FILE | EC_SYSCALL, EF_USES_FD, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, newfstatat_flags}}},
 [PPME_SYSCALL_PROCESS_VM_READV_E] = {"process_vm_readv", EC_SYSCALL | EC_IPC, EF_NONE, 0},
- [PPME_SYSCALL_PROCESS_VM_READV_X] = {"process_vm_readv", EC_SYSCALL | EC_IPC, EF_NONE, 4, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
+ [PPME_SYSCALL_PROCESS_VM_READV_X] = {"process_vm_readv", EC_SYSCALL | EC_IPC, EF_NONE, 3, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
 [PPME_SYSCALL_PROCESS_VM_WRITEV_E] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 0},
- [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 4, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
+ [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 3, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
 };
 #pragma GCC diagnostic pop
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c
index 8ac7597cfa..81f446d1e1 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c
@@ -55,7 +55,7 @@ int BPF_PROG(process_vm_readv_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_INT32) */ + /* Parameter 1: res (type: PT_INT64) */ auxmap__store_s64_param(auxmap, ret); /* Parameter 2: pid (type: PT_PID) */ @@ -64,9 +64,6 @@ int BPF_PROG(process_vm_readv_x, if(ret > 0) { - /* Parameter 2: size (type: PT_UINT32) */ - auxmap__store_u32_param(auxmap, (uint32_t)ret); - /* We read the minimum between `snaplen` and what we really * have in the buffer. */ @@ -80,14 +77,11 @@ int BPF_PROG(process_vm_readv_x, unsigned long iov_pointer = extract__syscall_argument(regs, 3); unsigned long iov_cnt = extract__syscall_argument(regs, 4); - //* Parameter 3: data (type: PT_BYTEBUF) */ + /* Parameter 3: data (type: PT_BYTEBUF) */ auxmap__store_iovec_data_param(auxmap, iov_pointer, iov_cnt, snaplen); } else { - /* Parameter 2: size (type: PT_UINT32) */ - auxmap__store_u32_param(auxmap, 0); - /* Parameter 3: data (type: PT_BYTEBUF) */ auxmap__store_empty_param(auxmap); } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c index 864b7f40a9..87901996a9 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_writev.bpf.c @@ -55,7 +55,7 @@ int BPF_PROG(process_vm_writev_x, /*=============================== COLLECT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_INT32) */ + /* Parameter 1: res (type: PT_INT64) */ auxmap__store_s64_param(auxmap, ret); /* Parameter 2: pid (type: PT_PID) */ 
@@ -64,9 +64,6 @@ int BPF_PROG(process_vm_writev_x, if(ret > 0) { - /* Parameter 2: size (type: PT_UINT32) */ - auxmap__store_u32_param(auxmap, (uint32_t)ret); - /* We read the minimum between `snaplen` and what we really * have in the buffer. */ @@ -85,9 +82,6 @@ int BPF_PROG(process_vm_writev_x, } else { - /* Parameter 2: size (type: PT_UINT32) */ - auxmap__store_u32_param(auxmap, 0); - /* Parameter 3: data (type: PT_BYTEBUF) */ auxmap__store_empty_param(auxmap); } diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 3cfb5c9944..0d66446637 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -8147,31 +8147,25 @@ int f_sys_process_vm_readv_x(struct event_filler_arguments *args) if(retval > 0) { - /* Parameter 4: remote_iov (type: PT_UINT64) */ + /* We only get the source iov */ syscall_get_arguments_deprecated(args, 3, 1, &val); - - /* Parameter 4: riovcnt (type: PT_INT32) */ syscall_get_arguments_deprecated(args, 4, 1, &iovcnt); #ifdef CONFIG_COMPAT if (unlikely(args->compat)) { const struct compat_iovec __user *compat_iov = (const struct compat_iovec __user *)compat_ptr(val); - res = compat_parse_readv_writev_bufs(args, compat_iov, iovcnt, retval, PRB_FLAG_PUSH_ALL); + res = compat_parse_readv_writev_bufs(args, compat_iov, iovcnt, retval, PRB_FLAG_PUSH_DATA); } else #endif { const struct iovec __user *iov = (const struct iovec __user *)val; - res = parse_readv_writev_bufs(args, iov, iovcnt, retval, PRB_FLAG_PUSH_ALL); + res = parse_readv_writev_bufs(args, iov, iovcnt, retval, PRB_FLAG_PUSH_DATA); } CHECK_RES(res); } else { - /* pushing a zero size */ - res = val_to_ring(args, 0, 0, false, 0); - CHECK_RES(res); - /* pushing empty data */ res = push_empty_param(args); CHECK_RES(res); 
@@ -8202,31 +8196,25 @@ int f_sys_process_vm_writev_x(struct event_filler_arguments *args) if(retval > 0) { - /* Parameter 4: remote_iov (type: PT_UINT64) */ + /* We only get the source iov */ syscall_get_arguments_deprecated(args, 1, 1, &val); - - /* Parameter 4: riovcnt (type: PT_INT32) */ syscall_get_arguments_deprecated(args, 2, 1, &iovcnt); #ifdef CONFIG_COMPAT if (unlikely(args->compat)) { const struct compat_iovec __user *compat_iov = (const struct compat_iovec __user *)compat_ptr(val); - res = compat_parse_readv_writev_bufs(args, compat_iov, iovcnt, retval, PRB_FLAG_PUSH_ALL); + res = compat_parse_readv_writev_bufs(args, compat_iov, iovcnt, retval, PRB_FLAG_PUSH_DATA); } else #endif { const struct iovec __user *iov = (const struct iovec __user *)val; - res = parse_readv_writev_bufs(args, iov, iovcnt, retval, PRB_FLAG_PUSH_ALL); + res = parse_readv_writev_bufs(args, iov, iovcnt, retval, PRB_FLAG_PUSH_DATA); } CHECK_RES(res); } else { - /* pushing a zero size */ - res = val_to_ring(args, 0, 0, false, 0); - CHECK_RES(res); - /* pushing empty data */ res = push_empty_param(args); CHECK_RES(res); diff --git a/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp b/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp index a969f950ab..1952ccfd1b 100644 --- a/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp 
@@ -34,21 +34,18 @@ TEST(SyscallExit, process_vm_readvX_failure) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_INT32) */ + /* Parameter 1: res (type: PT_INT64) */ evt_test->assert_numeric_param(1, (int64_t)-1, LESS_EQUAL); /* Parameter 2: pid (type: PT_PID) */ evt_test->assert_numeric_param(2, (int64_t)getpid()); - /* Parameter 3: local_iov (type: PT_UINT64) */ - evt_test->assert_numeric_param(3, (uint32_t)0); - - /* Parameter 4: liovcnt (type: PT_UINT32)*/ - evt_test->assert_empty_param(4); + /* Parameter 3: data (type: PT_BYTEBUF)*/ + evt_test->assert_empty_param(3); /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(4); + evt_test->assert_num_params_pushed(3); } TEST(SyscallExit, process_vm_readvX_success) @@ -121,20 +118,17 @@ TEST(SyscallExit, process_vm_readvX_success) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_INT32) */ + /* Parameter 1: res (type: PT_INT64) */ evt_test->assert_numeric_param(1, (int64_t)10); /* Parameter 2: pid (type: PT_PID) */ evt_test->assert_numeric_param(2, (int64_t)child_pid); - /* Parameter 4: liovcnt (type: PT_UINT32)*/ - evt_test->assert_numeric_param(3, (uint32_t)10); - - /* Parameter 3: local_iov (type: PT_UINT64) */ - evt_test->assert_charbuf_param(4, "QWERTYUIO"); + /* Parameter 3: data (type: PT_BYTEBUF) */ + evt_test->assert_charbuf_param(3, "QWERTYUIO"); /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(4); + evt_test->assert_num_params_pushed(3); } #endif diff --git a/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp b/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp index 55f3d1fe16..f936e6fe11 100644 --- a/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp 
+++ b/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp @@ -31,21 +31,18 @@ TEST(SyscallExit, process_vm_writevX_failure) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_INT32) */ + /* Parameter 1: res (type: PT_INT64) */ evt_test->assert_numeric_param(1, (int64_t)0); /* Parameter 2: pid (type: PT_PID) */ evt_test->assert_numeric_param(2, (int64_t)getpid()); - /* Parameter 3: local_iov (type: PT_UINT64) */ - evt_test->assert_numeric_param(3, (uint32_t)0); - - /* Parameter 4: liovcnt (type: PT_UINT32)*/ - evt_test->assert_empty_param(4); + /* Parameter 3: data (type: PT_BYTEBUF)*/ + evt_test->assert_empty_param(3); /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(4); + evt_test->assert_num_params_pushed(3); } TEST(SyscallExit, process_vm_writevX_success) @@ -125,20 +122,17 @@ TEST(SyscallExit, process_vm_writevX_success) /*=============================== ASSERT PARAMETERS ===========================*/ - /* Parameter 1: res (type: PT_INT32) */ + /* Parameter 1: res (type: PT_INT64) */ evt_test->assert_numeric_param(1, (int64_t)10); /* Parameter 2: pid (type: PT_PID) */ evt_test->assert_numeric_param(2, (int64_t)child_pid); - /* Parameter 4: liovcnt (type: PT_UINT32)*/ - evt_test->assert_numeric_param(3, (uint32_t)10); - - /* Parameter 3: local_iov (type: PT_UINT64) */ - evt_test->assert_charbuf_param(4, "QWERTYUIO"); + /* Parameter 3: data (type: PT_BYTEBUF) */ + evt_test->assert_charbuf_param(3, "QWERTYUIO"); /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(4); + evt_test->assert_num_params_pushed(3); } #endif From 3cd30e3273418606cbf3407552c6d8ae10deba30 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Tue, 6 Feb 2024 10:11:11 +0000 Subject: [PATCH 3/7] chore(driver): bump schema version 
Signed-off-by: Roberto Scolaro --- driver/SCHEMA_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION index 3b1fc7950f..0e7079b691 100644 --- a/driver/SCHEMA_VERSION +++ b/driver/SCHEMA_VERSION @@ -1 +1 @@ -2.15.1 +2.16.1 From 2b0bbfef6e487846eccbc8e336169cc299b26fbb Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Tue, 6 Feb 2024 10:32:49 +0000 Subject: [PATCH 4/7] fix(test/drivers): wait the right pid Signed-off-by: Roberto Scolaro --- .../test_suites/syscall_exit_suite/process_vm_readv_x.cpp | 4 +++- .../test_suites/syscall_exit_suite/process_vm_writev_x.cpp | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp b/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp index 1952ccfd1b..34eb232f4b 100644 --- a/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/process_vm_readv_x.cpp @@ -98,7 +98,9 @@ TEST(SyscallExit, process_vm_readvX_success) assert_syscall_state(SYSCALL_SUCCESS, "process_vm_readv", read, NOT_EQUAL, 0); close(pipe_fd[0]); - wait(NULL); + + int wstatus; + waitpid(child_pid, &wstatus, 0); } /*=============================== TRIGGER SYSCALL ===========================*/ diff --git a/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp b/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp index f936e6fe11..0aa9aee64b 100644 --- a/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp @@ -102,7 +102,8 @@ TEST(SyscallExit, process_vm_writevX_success) close(pipe_fd[1]); - wait(NULL); + int wstatus; + waitpid(child_pid, &wstatus, 0); } /*=============================== TRIGGER SYSCALL ===========================*/ From a34d5761a29881d5130d57768fa15aaa6fd4a93f Mon Sep 17 00:00:00 2001 
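Review bot: The status collected by the new `waitpid(child_pid, &wstatus, 0);` in process_vm_readvX_success is never inspected and the return value of waitpid is ignored, so a child that crashes or bails out of its half of the pipe handshake cannot fail the test. The matching hunk in process_vm_writev_x.cpp has the same gap. I would assert both, `ASSERT_EQ(waitpid(child_pid, &wstatus, 0), child_pid);` followed by `ASSERT_TRUE(WIFEXITED(wstatus));`. Checking `WEXITSTATUS(wstatus) == 0` as well only helps if the child exits non-zero on failure, which the hunk does not show. The test body starts and ends outside the hunk.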
From: Roberto Scolaro Date: Tue, 6 Feb 2024 11:01:54 +0000 Subject: [PATCH 5/7] fix(driver): set appropriate schema version Signed-off-by: Roberto Scolaro --- driver/SCHEMA_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION index 0e7079b691..7524906967 100644 --- a/driver/SCHEMA_VERSION +++ b/driver/SCHEMA_VERSION @@ -1 +1 @@ -2.16.1 +2.16.0 From 89d029b8ac21dcbf3b572098b8e713da6393d5ce Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Tue, 6 Feb 2024 11:14:01 +0000 Subject: [PATCH 6/7] fix(test/drivers): write on parent memory Signed-off-by: Roberto Scolaro --- .../syscall_exit_suite/process_vm_writev_x.cpp | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp b/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp index 0aa9aee64b..3c7aa55666 100644 --- a/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/process_vm_writev_x.cpp @@ -57,6 +57,7 @@ TEST(SyscallExit, process_vm_writevX_success) ASSERT_GT(pipe(pipe_fd), -1); + pid_t parent_pid = getpid(); pid_t child_pid = fork(); if(child_pid == 0) @@ -73,10 +74,7 @@ TEST(SyscallExit, process_vm_writevX_success) ssize_t read = syscall(__NR_read, pipe_fd[0], &target, sizeof(void*)); ASSERT_GT(read, 0); - read = syscall(__NR_read, pipe_fd[0], (void*)&child_pid, sizeof(pid_t)); - ASSERT_GT(read, 0); - - read = syscall(__NR_process_vm_writev, child_pid, local, 1, target, 1, 0); + read = syscall(__NR_process_vm_writev, parent_pid, local, 1, target, 1, 0); assert_syscall_state(SYSCALL_SUCCESS, "process_vm_writev", read, NOT_EQUAL, 0); close(pipe_fd[0]); 
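Review bot: The call `syscall(__NR_process_vm_writev, parent_pid, local, 1, target, 1, 0)` now has the forked child write into its parent, and that direction needs ptrace-attach permission over the parent. With Yama `ptrace_scope` at 1 an unprivileged process may only attach to its own descendants, so this returns EPERM unless the test holds CAP_SYS_PTRACE; presumably the driver tests run as root, but nothing here states that assumption. A comment above the call would keep it visible: `/* Writing into the parent needs ptrace access to it: CAP_SYS_PTRACE, or Yama ptrace_scope 0. */`. The result is also stored in the variable `read` left over from the pipe read, where a separate `ssize_t written` would be clearer. The test body starts and ends outside the hunk.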
@@ -97,9 +95,6 @@ TEST(SyscallExit, process_vm_writevX_success) ssize_t res = write(pipe_fd[1], &target, sizeof(void*)); ASSERT_GT(res, 0); - res = write(pipe_fd[1], (void*)&child_pid, sizeof(pid_t)); - ASSERT_GT(res, 0); - close(pipe_fd[1]); int wstatus; @@ -127,7 +122,7 @@ TEST(SyscallExit, process_vm_writevX_success) evt_test->assert_numeric_param(1, (int64_t)10); /* Parameter 2: pid (type: PT_PID) */ - evt_test->assert_numeric_param(2, (int64_t)child_pid); + evt_test->assert_numeric_param(2, (int64_t)parent_pid); /* Parameter 3: data (type: PT_BYTEBUF) */ evt_test->assert_charbuf_param(3, "QWERTYUIO"); From cea972575faeac3a975ddae7a1b4b0bb0bec6ccc Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Tue, 6 Feb 2024 11:22:35 +0000 Subject: [PATCH 7/7] fix(driver): always retrieve the local iov Signed-off-by: Roberto Scolaro --- driver/bpf/fillers.h | 4 ++-- .../syscall_dispatched_events/process_vm_readv.bpf.c | 4 ++-- driver/ppm_fillers.c | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index a885bfef8b..17c7ae7081 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -7339,8 +7339,8 @@ FILLER(sys_process_vm_readv_x, true) /* Parameter 3: data (type: PT_BYTEBUF) */ if (retval > 0) { - iov = (const struct iovec __user *)bpf_syscall_get_argument(data, 3); - iovcnt = bpf_syscall_get_argument(data, 4); + iov = (const struct iovec __user *)bpf_syscall_get_argument(data, 1); + iovcnt = bpf_syscall_get_argument(data, 2); res = bpf_parse_readv_writev_bufs(data, iov, diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c index 81f446d1e1..1d092ef2e1 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c 
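Review bot: Nothing beside the switch from arguments 3/4 to 1/2 in FILLER(sys_process_vm_readv_x) says why the remote iovec must not be walked, and the process_vm_readv.bpf.c hunk is equally silent; the kernel-module hunk only says `/* We only get the local iov */`. The `iov_base` values in remote_iov are addresses in the target process, so dereferencing them from the caller's context would capture unrelated caller memory or fault. That is easy to reintroduce when someone later wants the "source" buffers of a read. I would put `/* remote_iov holds addresses valid only in the target process; capture from the local iov (args 1 and 2), which holds the transferred bytes at exit. */` above the argument reads in all three places. The filler body continues outside the hunk.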
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/process_vm_readv.bpf.c @@ -74,8 +74,8 @@ int BPF_PROG(process_vm_readv_x, snaplen = ret; } - unsigned long iov_pointer = extract__syscall_argument(regs, 3); - unsigned long iov_cnt = extract__syscall_argument(regs, 4); + unsigned long iov_pointer = extract__syscall_argument(regs, 1); + unsigned long iov_cnt = extract__syscall_argument(regs, 2); /* Parameter 3: data (type: PT_BYTEBUF) */ auxmap__store_iovec_data_param(auxmap, iov_pointer, iov_cnt, snaplen); diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 0d66446637..7298c543a8 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -8147,9 +8147,9 @@ int f_sys_process_vm_readv_x(struct event_filler_arguments *args) if(retval > 0) { - /* We only get the source iov */ - syscall_get_arguments_deprecated(args, 3, 1, &val); - syscall_get_arguments_deprecated(args, 4, 1, &iovcnt); + /* We only get the local iov */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + syscall_get_arguments_deprecated(args, 2, 1, &iovcnt); #ifdef CONFIG_COMPAT if (unlikely(args->compat)) { @@ -8196,7 +8196,7 @@ int f_sys_process_vm_writev_x(struct event_filler_arguments *args) if(retval > 0) { - /* We only get the source iov */ + /* We only get the local iov */ syscall_get_arguments_deprecated(args, 1, 1, &val); syscall_get_arguments_deprecated(args, 2, 1, &iovcnt);