falcosecurity · poiana · Mar 7, 2023 · Mar 1, 2023 · Mar 1, 2023 · Mar 1, 2023
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -132,6 +132,7 @@ FILLER_RAW(terminate_filler)
 			case PPME_SYSCALL_MKDIRAT_E:
 			case PPME_SYSCALL_MOUNT_E:
 			case PPME_SYSCALL_UMOUNT_E:
+			case PPME_SYSCALL_UMOUNT_1_E:
 			case PPME_SYSCALL_RENAME_E:
 			case PPME_SYSCALL_RENAMEAT_E:
 			case PPME_SYSCALL_RENAMEAT2_E:
@@ -214,6 +215,7 @@ FILLER_RAW(terminate_filler)
 			case PPME_SYSCALL_MKDIRAT_X:
 			case PPME_SYSCALL_MOUNT_X:
 			case PPME_SYSCALL_UMOUNT_X:
+			case PPME_SYSCALL_UMOUNT_1_X:
 			case PPME_SYSCALL_RENAME_X:
 			case PPME_SYSCALL_RENAMEAT_X:
 			case PPME_SYSCALL_RENAMEAT2_X:
@@ -6126,6 +6128,18 @@ FILLER(sys_dup3_x, true)
 	return res;
 }
 
+FILLER(sys_umount_x, true)
+{
+	/* Parameter 1: ret (type: PT_FD) */
+	long retval = bpf_syscall_get_retval(data->ctx);
+	int res = bpf_val_to_ring_type(data, retval, PT_ERRNO);
+	CHECK_RES(res);
+
+	/* Parameter 2: name (type: PT_FSPATH) */
+	unsigned long target_pointer = bpf_syscall_get_argument(data, 0);
+	return  bpf_val_to_ring(data, target_pointer);
+}
+
 #ifdef CAPTURE_SCHED_PROC_EXEC
 /* We set `is_syscall` flag to `false` since this is not
  * a real syscall, we only send the same event from another

diff --git a/driver/event_table.c b/driver/event_table.c
diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -340,4 +340,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_FCHOWN_X] = {FILLER_REF(sys_fchown_x)},
 	[PPME_SYSCALL_FCHOWNAT_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_FCHOWNAT_X] = {FILLER_REF(sys_fchownat_x)},
+	[PPME_SYSCALL_UMOUNT_1_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)},
 };
diff --git a/driver/main.c b/driver/main.c
@@ -1475,6 +1475,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 	case PPME_SYSCALL_MKDIRAT_E:
 	case PPME_SYSCALL_MOUNT_E:
 	case PPME_SYSCALL_UMOUNT_E:
+	case PPME_SYSCALL_UMOUNT_1_E:
 	case PPME_SYSCALL_RENAME_E:
 	case PPME_SYSCALL_RENAMEAT_E:
 	case PPME_SYSCALL_RENAMEAT2_E:
@@ -1545,6 +1546,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 	case PPME_SYSCALL_MKDIRAT_X:
 	case PPME_SYSCALL_MOUNT_X:
 	case PPME_SYSCALL_UMOUNT_X:
+	case PPME_SYSCALL_UMOUNT_1_X:
 	case PPME_SYSCALL_RENAME_X:
 	case PPME_SYSCALL_RENAMEAT_X:
 	case PPME_SYSCALL_RENAMEAT2_X:

diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -103,6 +103,7 @@
 #define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
+#define UMOUNT_E_SIZE HEADER_LEN
 #define LINK_E_SIZE HEADER_LEN
 #define LINKAT_E_SIZE HEADER_LEN
 #define SYMLINK_E_SIZE HEADER_LEN

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount.bpf.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2023 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/variable_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(umount_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, UMOUNT_E_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT_1_E);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to collect.
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(umount_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct auxiliary_map *auxmap = auxmap__get();
+	if(!auxmap)
+	{
+		return 0;
+	}
+
+	auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT_1_X);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	auxmap__store_s64_param(auxmap, ret);
+
+	/* Parameter 2: name (type: PT_FSPATH) */
+	unsigned long target_pointer = extract__syscall_argument(regs, 0);
+	auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	auxmap__finalize_event_header(auxmap);
+
+	auxmap__submit_event(auxmap);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -1188,7 +1188,9 @@ typedef enum {
 	PPME_SYSCALL_FCHOWN_X = 383,
 	PPME_SYSCALL_FCHOWNAT_E = 384,
 	PPME_SYSCALL_FCHOWNAT_X = 385,
-	PPM_EVENT_MAX = 386
+	PPME_SYSCALL_UMOUNT_1_E = 386,
+	PPME_SYSCALL_UMOUNT_1_X = 387,
+	PPM_EVENT_MAX = 388
 } ppm_event_code;
 /*@}*/
 
@@ -1617,7 +1619,9 @@ enum extra_event_prog_code
 	PPM_SC_X(MEMBARRIER, 390) \
 	PPM_SC_X(IOPL, 391) \
 	PPM_SC_X(CLOSE_RANGE, 392) \
-	PPM_SC_X(FANOTIFY_MARK, 393)
+	PPM_SC_X(FANOTIFY_MARK, 393) \
+	PPM_SC_X(RECV, 394) \
+	PPM_SC_X(SEND, 395)
 
 typedef enum {
 #define PPM_SC_X(name, value) PPM_SC_##name = value,

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -6975,6 +6975,25 @@ int f_sys_splice_e(struct event_filler_arguments *args)
 	return add_sentinel(args);
 }
 
+int f_sys_umount_x(struct event_filler_arguments *args)
+{
+	unsigned long val;
+	int res;
+	int64_t retval;
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	retval = (int64_t)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: name (type: PT_FSPATH) */
+	syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val);
+	res = val_to_ring(args, val, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 #ifdef CAPTURE_SCHED_PROC_EXEC
 int f_sched_prog_exec(struct event_filler_arguments *args)
 {

diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
@@ -156,6 +156,7 @@ or GPL2.txt for full copies of the license.
 	FN(sys_recvmsg_e)                 \
 	FN(sys_signalfd_e)                 \
 	FN(sys_splice_e)				\
+	FN(sys_umount_x)				\
 	FN(terminate_filler)
 
 #define FILLER_ENUM_FN(x) PPM_FILLER_##x,

diff --git a/driver/syscall_table.c b/driver/syscall_table.c
@@ -420,6 +420,18 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_epoll_create1
 	[__NR_epoll_create1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE1_E, PPME_SYSCALL_EPOLL_CREATE1_X, PPM_SC_EPOLL_CREATE1},
+#endif
+#ifdef __NR_lstat64
+	[__NR_lstat64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LSTAT64_E, PPME_SYSCALL_LSTAT64_X, PPM_SC_LSTAT64},
+#endif
+#ifdef __NR_umount
+	[__NR_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_1_E, PPME_SYSCALL_UMOUNT_1_X, PPM_SC_UMOUNT},
+#endif
+#ifdef __NR_recv
+	[__NR_recv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECV_E, PPME_SOCKET_RECV_X, PPM_SC_RECV},
+#endif
+#ifdef __NR_send
+	[__NR_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND},
 #endif
 	[__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
 	[__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -636,9 +648,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ipc
 	[__NR_ipc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IPC},
 #endif
-#ifdef __NR_lstat64
-	[__NR_lstat64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LSTAT64},
-#endif
 #ifdef __NR__newselect
 	[__NR__newselect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC__NEWSELECT},
 #endif
@@ -654,9 +663,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_olduname
 	[__NR_olduname - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OLDUNAME},
 #endif
-#ifdef __NR_umount
-	[__NR_umount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UMOUNT},
-#endif
 #ifdef __NR_signal
 	[__NR_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGNAL},
 #endif
@@ -1227,6 +1233,18 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_ia32_epoll_create1
 	[__NR_ia32_epoll_create1 - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EPOLL_CREATE1_E, PPME_SYSCALL_EPOLL_CREATE1_X, PPM_SC_EPOLL_CREATE1},
+#endif
+#ifdef __NR_ia32_lstat64
+	[__NR_ia32_lstat64 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_LSTAT64_E, PPME_SYSCALL_LSTAT64_X, PPM_SC_LSTAT64},
+#endif
+#ifdef __NR_ia32_umount
+	[__NR_ia32_umount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_1_E, PPME_SYSCALL_UMOUNT_1_X, PPM_SC_UMOUNT},
+#endif
+#ifdef __NR_ia32_recv
+	[__NR_ia32_recv - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_RECV_E, PPME_SOCKET_RECV_X, PPM_SC_RECV},
+#endif
+#ifdef __NR_ia32_send
+	[__NR_ia32_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND},
 #endif
 	[__NR_ia32_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
 	[__NR_ia32_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -1443,9 +1461,6 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ia32_ipc
 	[__NR_ia32_ipc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IPC},
 #endif
-#ifdef __NR_ia32_lstat64
-	[__NR_ia32_lstat64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LSTAT64},
-#endif
 #ifdef __NR_ia32__newselect
 	[__NR_ia32__newselect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC__NEWSELECT},
 #endif
@@ -1461,9 +1476,6 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ia32_olduname
 	[__NR_ia32_olduname - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OLDUNAME},
 #endif
-#ifdef __NR_ia32_umount
-	[__NR_ia32_umount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_UMOUNT},
-#endif
 #ifdef __NR_ia32_signal
 	[__NR_ia32_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SIGNAL},
 #endif

diff --git a/test/drivers/test_suites/syscall_enter_suite/umount_e.cpp b/test/drivers/test_suites/syscall_enter_suite/umount_e.cpp
@@ -0,0 +1,39 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_umount
+
+TEST(SyscallEnter, umountE)
+{
+	auto evt_test = get_syscall_event_test(__NR_umount, ENTER_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	const char* target = "//**null-file-path**//";
+	assert_syscall_state(SYSCALL_FAILURE, "umount", syscall(__NR_umount, target));
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	evt_test->disable_capture();
+
+	evt_test->assert_event_presence();
+
+	if(HasFatalFailure())
+	{
+		return;
+	}
+
+	evt_test->parse_event();
+
+	evt_test->assert_header();
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to assert.
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	evt_test->assert_num_params_pushed(0);
+}
+#endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/umount_x.cpp b/test/drivers/test_suites/syscall_exit_suite/umount_x.cpp
@@ -0,0 +1,44 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_umount
+
+TEST(SyscallExit, umountX)
+{
+	auto evt_test = get_syscall_event_test(__NR_umount, EXIT_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	const char* target = "//**null-file-path**//";
+	assert_syscall_state(SYSCALL_FAILURE, "umount", syscall(__NR_umount, target));
+	int64_t errno_value = -errno;
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	evt_test->disable_capture();
+
+	evt_test->assert_event_presence();
+
+	if(HasFatalFailure())
+	{
+		return;
+	}
+
+	evt_test->parse_event();
+
+	evt_test->assert_header();
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	evt_test->assert_numeric_param(1, (int64_t)errno_value);
+
+	/* Parameter 2: name (type: PT_FSPATH) */
+	evt_test->assert_charbuf_param(2, target);
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	evt_test->assert_num_params_pushed(2);
+}
+#endif
diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h
@@ -263,6 +263,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_FCHOWNAT_X] = "fchownat_x",
 	[PPME_SYSCALL_NANOSLEEP_E] = "nanosleep_e",
 	[PPME_SYSCALL_NANOSLEEP_X] = "nanosleep_x",
+	[PPME_SYSCALL_UMOUNT_1_E] = "umount_e",
+	[PPME_SYSCALL_UMOUNT_1_X] = "umount_x",
 };
 
 /* Some events can require more than one bpf program to collect all the data. */

diff --git a/userspace/libscap/examples/01-open/scap_open.c b/userspace/libscap/examples/01-open/scap_open.c
@@ -139,6 +139,7 @@ static int simple_set[] = {
 	PPM_SC_TGKILL,
 	PPM_SC_TIMERFD_CREATE,
 	PPM_SC_TKILL,
+	PPM_SC_UMOUNT,
 	PPM_SC_UMOUNT2,
 	PPM_SC_UNLINK,
 	PPM_SC_UNLINKAT,

diff --git a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp
@@ -122,6 +122,7 @@ libsinsp::events::set<ppm_sc_code> libsinsp::events::enforce_simple_sc_set(libsi
 		PPM_SC_TGKILL,
 		PPM_SC_TIMERFD_CREATE,
 		PPM_SC_TKILL,
+		PPM_SC_UMOUNT,
 		PPM_SC_UMOUNT2,
 		PPM_SC_UNLINK,
 		PPM_SC_UNLINKAT,
@@ -301,4 +302,4 @@ std::unordered_set<std::string> libsinsp::events::sc_set_to_names(const libsinsp
 	    ppm_sc_names_set.insert(ppm_sc_name);
 	}
 	return ppm_sc_names_set;
-}
+}