fix(driver)!: create dedicated events for umount2 syscall and rename them to "umount2"

[Andreagit97]

What type of PR is this?

/kind bug

/kind cleanup

Any specific area of the project related to this PR?

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libsinsp

/area tests

Does this PR require a change in the driver versions?

No

What this PR does / why we need it:

This PR addresses part of the #911 issue.
Before this patch, umount2 was associated with event pair PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X and "umount" name. Every syscall should have its own events pair, with the right name (in this case "umount2"). This PR is the first step in that direction!

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

fix(driver)!: create dedicated events for `umount2` syscall and rename them to "umount2"

[FedeDP]

LGTM!
Thank you!
/approve

[poiana]

LGTM label has been added.

Git tree hash: b8c53e06e94bc1b472039562ba633b4fabc90873

[incertum]

LGTM!

/hold until we formalize agreement around non-shared event names across the board, see #936 (comment).

[Andreagit97]

I need to rebase it on master, after #937

[Andreagit97]

adapted using the new ppm_sc table

[FedeDP]

I'd add umount2 in the tmp_sc_set isntead of removing it from here.
Or, we could also completely drop umount2 from here since it is not a corner case anymore.

[FedeDP]

Interestingly, the test is also failing now:

Expected equality of these values:
  std::set<std::string>(sc_set_names_truth.begin(), sc_set_names_truth.end())
    Which is: { "accept", "accept4", "eventfd", "eventfd2", "execve", "pipe", "pipe2", "signalfd", "signalfd4", "syncfs", "umount" }
  std::set<std::string>(sc_set_names.begin(), sc_set_names.end())
    Which is: { "accept", "accept4", "eventfd", "eventfd2", "execve", "pipe", "pipe2", "signalfd", "signalfd4", "syncfs", "umount", "umount2" }

Didn't expect that; why is it retrieving "umount2" in the sc_set_names?

[FedeDP]

Oh of course, because [PPME_SYSCALL_UMOUNT_E] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1}, is mapped to UMOUNT2 here.

[Andreagit97]

See #944 (comment)

[FedeDP]

Found a couple of minor issues, otherwise this LGTM!

[Andreagit97]

Hey, folks here there is something strange.. we are using libsinsp::events::names_to_sc_set() API to convert event_names to sc_set while its dual libsinsp::events::sc_set_to_names convert sc_set to sc_names :/ this is quite confusing in my opinion. Right now we can keep it as it is in this PR but my proposal would be:

1. create 2 methods that convert event_names -> sc_set (what is doing names_to_sc_set) and vice-versa sc_set -> event_names
2. restore original behavior of libsinsp::events::names_to_sc_set() so sc_names -> sc_set
3. rename all methods like names_to_sc_set in something more meaningful like sc_names_to_sc_set, "names" alone is too generic IMHO

@FedeDP @jasondellaluce @incertum

[Andreagit97]

after the rebase the CI is failing on ARM64 i suppose that there is something strange under the hood, I will take a look 👀

[incertum]

Hey, folks here there is something strange.. we are using libsinsp::events::names_to_sc_set() API to convert event_names to sc_set while its dual libsinsp::events::sc_set_to_names convert sc_set to sc_names :/ this is quite confusing in my opinion. Right now we can keep it as it is in this PR but my proposal would be:

1. create 2 methods that convert `event_names` -> `sc_set` (what is doing `names_to_sc_set`) and vice-versa `sc_set` -> `event_names`

2. restore original behavior of `libsinsp::events::names_to_sc_set()`  so `sc_names` -> `sc_set`

3. rename all methods like `names_to_sc_set` in something more meaningful like `sc_names_to_sc_set`, "names" alone is too generic IMHO

@FedeDP @jasondellaluce @incertum

It is the expected current behavior given shared event names across syscalls, e.g. Falco rule calls accept -> activate both accept, accept4. Would propose to hold this PR or any further back and forth until @jasondellaluce formalizes agreement on "requiring Falco to call the real syscall string name in the rules at all times in case of a syscall event".

Then perhaps we should first have another PR that changes this for other shared event cases, e.g. the accept -> activate both accept, accept4 case and similar ones. The current workaround in names_to_sc_set can then be removed again in that very same PR as it will then be redundant, but it's a big ! for all Falco end users.

re names_to_sc_set, I think it is fine to keep the name, but we could rename it (on board either way).

Last step -> rebasing this PR one more time and the confusion and hiccups should have gone away by then.

[FedeDP]

Does this PR require a change in the driver versions?

No

I think we actually need a schema minor version bump. I'm going to do that in #975

[FedeDP]

I think we actually need a schema minor version bump. I'm going to do that in #975

Minor SCHEMA version was already bumped since last release in dae8bc2

[incertum]

We now have umount2 as event name and system call name so old tests should pass? Would prefer not purging umount2 from the tests.

Agreed on revisiting all tests after all new APIs are finalized.

We already put this on
/hold until after 2023-03-15 community call formal agreement, see falcosecurity/falco#2443

plus need to decide which one to merge first and which one needs subsequent rebasing <-> #975

[Andreagit97]

now this test is correctly retrieving only PPM_SC_UMOUNT from the umount name, I have to purge "PPM_SC_UMOUNT2" from the expected sc_set otherwise the test won't pass 🤔

[Andreagit97]

i've added again UMOUNT_2 and its associated PPM_SC_UMOUNT2 and obviously tests are green again :)

[Andreagit97]

just to avoid other "accept/accept4" cases in the next future 😆

[incertum]

Thanks a lot @Andreagit97 !!!

Also quickly tested it with some dummy setup:

-- Filter event types names: mount, umount2
-- Start capture
{"evt.dir":">","evt.type":"mount","proc.cmdline":"mount --bind foo2 foo","proc.name":"mount"}
{"evt.dir":"<","evt.type":"mount","proc.cmdline":"mount --bind foo2 foo","proc.name":"mount"}
{"evt.dir":">","evt.type":"umount2","proc.cmdline":"umount foo","proc.name":"umount"}
{"evt.dir":"<","evt.type":"umount2","proc.cmdline":"umount foo","proc.name":"umount"}
{"evt.dir":">","evt.type":"umount2","proc.cmdline":"systemd --user","proc.name":"systemd"}
{"evt.dir":"<","evt.type":"umount2","proc.cmdline":"systemd --user","proc.name":"systemd"}
{"evt.dir":">","evt.type":"umount2","proc.cmdline":"systemd rhgb --switched-root --system --deserialize 35","proc.name":"systemd"}
{"evt.dir":"<","evt.type":"umount2","proc.cmdline":"systemd rhgb --switched-root --system --deserialize 35","proc.name":"systemd"}

/approve

/unhold

[poiana]

LGTM label has been added.

Git tree hash: 3f534979c4f5549e3a6bf168f6d91b0da3703167

[FedeDP]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, incertum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment