diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index deff436240..c4f3933776 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -133,6 +133,7 @@ FILLER_RAW(terminate_filler) case PPME_SYSCALL_MOUNT_E: case PPME_SYSCALL_UMOUNT_E: case PPME_SYSCALL_UMOUNT_1_E: + case PPME_SYSCALL_UMOUNT2_E: case PPME_SYSCALL_RENAME_E: case PPME_SYSCALL_RENAMEAT_E: case PPME_SYSCALL_RENAMEAT2_E: @@ -216,6 +217,7 @@ FILLER_RAW(terminate_filler) case PPME_SYSCALL_MOUNT_X: case PPME_SYSCALL_UMOUNT_X: case PPME_SYSCALL_UMOUNT_1_X: + case PPME_SYSCALL_UMOUNT2_X: case PPME_SYSCALL_RENAME_X: case PPME_SYSCALL_RENAMEAT_X: case PPME_SYSCALL_RENAMEAT2_X: @@ -6204,6 +6206,25 @@ FILLER(sys_umount_x, true) return bpf_val_to_ring(data, target_pointer); } +FILLER(sys_umount2_e, true) +{ + /* Parameter 1: flags (type: PT_FLAGS32) */ + u32 flags = (u32)bpf_syscall_get_argument(data, 1); + return bpf_val_to_ring(data, flags); +} + +FILLER(sys_umount2_x, true) +{ + /* Parameter 1: res (type: PT_ERRNO) */ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_val_to_ring_type(data, retval, PT_ERRNO); + CHECK_RES(res); + + /* Parameter 2: name (type: PT_FSPATH) */ + unsigned long target_pointer = bpf_syscall_get_argument(data, 0); + return bpf_val_to_ring(data, target_pointer); +} + #ifdef CAPTURE_SCHED_PROC_EXEC /* We set `is_syscall` flag to `false` since this is not * a real syscall, we only send the same event from another diff --git a/driver/event_table.c b/driver/event_table.c index fe74063d3e..eb63863369 100644 --- a/driver/event_table.c +++ b/driver/event_table.c 
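Review bot: In the `@@ -6204` hunk, `sys_umount2_e` pushes the raw second syscall argument to the ring as PT_FLAGS32 with no conversion step, and nothing in the filler says that this is deliberate. The only justification in the commit is the comment added above `umount_flags` in driver/flags_table.c, so I would repeat it at the call site: `/* umount2 flags map 1:1 onto the PPM_MNT_* / PPM_UMOUNT_* values, so no conversion helper is needed. */`. It is also worth stating that bits outside the `umount_flags` table are recorded unchanged, so consumers know the field can carry undecoded bits. The same comment applies to `f_sys_umount2_e` in driver/ppm_fillers.c.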
@@ -270,8 +270,8 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_PPOLL_X] = {"ppoll", EC_WAIT | EC_SYSCALL, EF_WAITS, 2, {{"res", PT_ERRNO, PF_DEC}, {"fds", PT_FDLIST, PF_DEC} } },
 [PPME_SYSCALL_MOUNT_E] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, mount_flags} } },
 [PPME_SYSCALL_MOUNT_X] = {"mount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dev", PT_CHARBUF, PF_NA}, {"dir", PT_FSPATH, PF_NA}, {"type", PT_CHARBUF, PF_NA} } },
- [PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, // right now this event pair is used by umount2 syscall, we need to create a new event pair `PPME_SYSCALL_UMOUNT2_E/PPME_SYSCALL_UMOUNT2_X` with name "umount2" we cannot change the name here otherwise we break scap-files compatibility.
- [PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
+ [PPME_SYSCALL_UMOUNT_E] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } },
+ [PPME_SYSCALL_UMOUNT_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } },
 [PPME_K8S_E] = {"k8s", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
 [PPME_K8S_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
 [PPME_SYSCALL_SEMGET_E] = {"semget", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"key", PT_INT32, PF_HEX}, {"nsems", PT_INT32, PF_DEC}, {"semflg", PT_FLAGS32, PF_HEX, semget_flags} } },
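Review bot: The two rewritten `PPME_SYSCALL_UMOUNT_E/X` rows lose the only comment that explained their history, and the rename has a consumer-visible effect that is not documented anywhere in the hunk. The removed comment says this pair is what the umount2 syscall used, so filters or rules that match the event name `umount` would presumably stop seeing umount2 activity from new drivers while still matching it in older capture files. I would keep a short comment on the old pair, for example `/* Emitted for the umount2 syscall by older drivers; superseded by PPME_SYSCALL_UMOUNT2_E/X and kept for scap-file compatibility. */`, and call out the name change for rule authors in the release notes.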
@@ -402,6 +402,8 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_UMOUNT_1_X] = {"umount", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } }, [PPME_SOCKET_ACCEPT4_6_E] = {"accept4", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_INT32, PF_HEX} } }, [PPME_SOCKET_ACCEPT4_6_X] = {"accept4", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC}, {"queuelen", PT_UINT32, PF_DEC}, {"queuemax", PT_UINT32, PF_DEC} } }, + [PPME_SYSCALL_UMOUNT2_E] = {"umount2", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS32, PF_HEX, umount_flags} } }, + [PPME_SYSCALL_UMOUNT2_X] = {"umount2", EC_FILE | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_FSPATH, PF_NA} } }, /* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters. * New event types are allowed only for new syscalls or new internal events. diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 88e0a9dd6d..11a6553cac 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -236,8 +236,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */ [PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)}, [PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_autofill), 4, APT_REG, {{AF_ID_RETVAL}, {0}, {1}, {2} } }, - [PPME_SYSCALL_UMOUNT_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{1} } }, - [PPME_SYSCALL_UMOUNT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0} } }, [PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)}, [PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)}, [PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)}, 
@@ -334,4 +332,6 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)}, [PPME_SOCKET_ACCEPT4_6_E] = {FILLER_REF(sys_accept4_e)}, [PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept_x)}, + [PPME_SYSCALL_UMOUNT2_E] = {FILLER_REF(sys_umount2_e)}, + [PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)}, }; diff --git a/driver/flags_table.c b/driver/flags_table.c index 7588b6c82f..35fba19701 100644 --- a/driver/flags_table.c +++ b/driver/flags_table.c @@ -179,7 +179,9 @@ const struct ppm_name_value mount_flags[] = { {0, 0}, }; -/* http://lxr.free-electrons.com/source/include/linux/fs.h?v=4.2#L1251 */ +/* There is a 1:1 mapping between `umount2` flags and our `PPM` notation, so we don't + * need a dedicated helper for the conversion. + */ const struct ppm_name_value umount_flags[] = { {"FORCE", PPM_MNT_FORCE}, {"DETACH", PPM_MNT_DETACH}, @@ -642,4 +644,4 @@ const struct ppm_name_value fsconfig_cmds[] = { const struct ppm_name_value epoll_create1_flags[] = { {"EPOLL_CLOEXEC", PPM_EPOLL_CLOEXEC}, {0, 0}, -}; \ No newline at end of file +}; diff --git a/driver/main.c b/driver/main.c index 885ca50c5b..fbbf043a7a 100644 --- a/driver/main.c +++ b/driver/main.c @@ -1476,6 +1476,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event case PPME_SYSCALL_MOUNT_E: case PPME_SYSCALL_UMOUNT_E: case PPME_SYSCALL_UMOUNT_1_E: + case PPME_SYSCALL_UMOUNT2_E: case PPME_SYSCALL_RENAME_E: case PPME_SYSCALL_RENAMEAT_E: case PPME_SYSCALL_RENAMEAT2_E: @@ -1547,6 +1548,7 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event case PPME_SYSCALL_MOUNT_X: case PPME_SYSCALL_UMOUNT_X: case PPME_SYSCALL_UMOUNT_1_X: + case PPME_SYSCALL_UMOUNT2_X: case PPME_SYSCALL_RENAME_X: case PPME_SYSCALL_RENAMEAT_X: case PPME_SYSCALL_RENAMEAT2_X: 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c index e031ef007a..d4ef00a1a6 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2022 The Falco Authors. + * Copyright (C) 2023 The Falco Authors. * * This file is dual licensed under either the MIT or GPL 2. See MIT.txt * or GPL2.txt for full copies of the license. @@ -21,8 +21,7 @@ int BPF_PROG(umount2_e, return 0; } - /// TODO: This event should be called `PPME_SYSCALL_UMOUNT2_E`. - ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT_E); + ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_UMOUNT2_E); /*=============================== COLLECT PARAMETERS ===========================*/ @@ -52,8 +51,7 @@ int BPF_PROG(umount2_x, return 0; } - /// TODO: This event should be called `PPME_SYSCALL_UMOUNT2_X`. - auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT_X); + auxmap__preload_event_header(auxmap, PPME_SYSCALL_UMOUNT2_X); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 6638855d16..f03102560a 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -1192,7 +1192,9 @@ typedef enum { PPME_SYSCALL_UMOUNT_1_X = 387, PPME_SOCKET_ACCEPT4_6_E = 388, PPME_SOCKET_ACCEPT4_6_X = 389, - PPM_EVENT_MAX = 390 + PPME_SYSCALL_UMOUNT2_E = 390, + PPME_SYSCALL_UMOUNT2_X = 391, + PPM_EVENT_MAX = 392 } ppm_event_code; /*@}*/ diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index d7a229621b..aa6a90a343 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c 
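Review bot: The `ppm_event_code` hunk adds codes 390 and 391 and moves `PPM_EVENT_MAX` to 392, which changes the event table shared between the drivers and userspace, but no schema or API version change is visible in this part of the commit. If the version is bumped in a file outside this view, nothing needs to change here. Otherwise a userspace build with the new tables could load against a driver that still reports umount2 under the old pair, and the mismatch would go unnoticed. A comment next to the new entries naming the schema version that introduced them would also help when reading older captures.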
@@ -7066,6 +7066,38 @@ int f_sys_umount_x(struct event_filler_arguments *args) return add_sentinel(args); } +int f_sys_umount2_e(struct event_filler_arguments *args) +{ + unsigned long val; + int res; + + /* Parameter 1: flags (type: PT_FLAGS32) */ + syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + return add_sentinel(args); +} + +int f_sys_umount2_x(struct event_filler_arguments *args) +{ + unsigned long val; + int res; + int64_t retval; + + /* Parameter 1: res (type: PT_ERRNO) */ + retval = (int64_t)syscall_get_return_value(current, args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); + + /* Parameter 2: name (type: PT_FSPATH) */ + syscall_get_arguments_deprecated(current, args->regs, 0, 1, &val); + res = val_to_ring(args, val, 0, true, 0); + CHECK_RES(res); + + return add_sentinel(args); +} + #ifdef CAPTURE_SCHED_PROC_EXEC int f_sched_prog_exec(struct event_filler_arguments *args) { diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index 82a3421d92..e54bc21fc1 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -159,6 +159,8 @@ or GPL2.txt for full copies of the license. FN(sys_signalfd_e) \ FN(sys_splice_e) \ FN(sys_umount_x) \ + FN(sys_umount2_e) \ + FN(sys_umount2_x) \ FN(terminate_filler) #define FILLER_ENUM_FN(x) PPM_FILLER_##x, diff --git a/driver/syscall_table.c b/driver/syscall_table.c index ca466b6718..bc7b21787e 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c 
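Review bot: In `f_sys_umount2_e` the flags value is written with `val_to_ring(args, val, 0, true, 0)`, the same argument pattern `f_sys_umount2_x` uses for the user-space path pointer, while the scalar return value there is written with `false`. If the fourth argument marks the value as coming from user memory, as the path/retval pair suggests, a plain integer should pass `false`: `res = val_to_ring(args, val, 0, false, 0);`. It is probably ignored for a PT_FLAGS32 parameter, but the mismatch is easy to copy onto a pointer-typed parameter later. The BPF counterpart also narrows the flags with an explicit `(u32)` cast, which this version leaves to `val_to_ring`.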
@@ -178,7 +178,9 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_chmod - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_CHMOD_E, PPME_SYSCALL_CHMOD_X, PPM_SC_CHMOD}, #endif [__NR_mount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MOUNT_E, PPME_SYSCALL_MOUNT_X, PPM_SC_MOUNT}, - [__NR_umount2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT2}, +#ifdef __NR_umount2 + [__NR_umount2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT2_E, PPME_SYSCALL_UMOUNT2_X, PPM_SC_UMOUNT2}, +#endif [__NR_ptrace - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PTRACE_E, PPME_SYSCALL_PTRACE_X, PPM_SC_PTRACE}, #ifdef __NR_socket [__NR_socket - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPM_SC_SOCKET}, @@ -1018,7 +1020,9 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = { [__NR_ia32_chmod - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_CHMOD_E, PPME_SYSCALL_CHMOD_X, PPM_SC_CHMOD}, #endif [__NR_ia32_mount - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_MOUNT_E, PPME_SYSCALL_MOUNT_X, PPM_SC_MOUNT}, - [__NR_ia32_umount2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, PPM_SC_UMOUNT2}, +#ifdef __NR_ia32_umount2 + [__NR_ia32_umount2 - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_UMOUNT2_E, PPME_SYSCALL_UMOUNT2_X, PPM_SC_UMOUNT2}, +#endif [__NR_ia32_ptrace - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_PTRACE_E, PPME_SYSCALL_PTRACE_X, PPM_SC_PTRACE}, #ifndef __NR_ia32_socketcall diff --git a/test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp b/test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp index f2939a2dc5..94032cab38 100644 --- a/test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp 
@@ -12,8 +12,8 @@ TEST(SyscallEnter, umount2E) /*=============================== TRIGGER SYSCALL ===========================*/ - const char* target = "/no_mount_point/xyzk-target"; - unsigned long flags = MNT_FORCE; + const char* target = "//**null-file-path**//"; + unsigned long flags = MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW; assert_syscall_state(SYSCALL_FAILURE, "umount2", syscall(__NR_umount2, target, flags)); /*=============================== TRIGGER SYSCALL ===========================*/ @@ -34,7 +34,7 @@ TEST(SyscallEnter, umount2E) /*=============================== ASSERT PARAMETERS ===========================*/ /* Parameter 1: flags (type: PT_FLAGS32) */ - evt_test->assert_numeric_param(1, (uint32_t)MNT_FORCE); + evt_test->assert_numeric_param(1, (uint32_t)(PPM_MNT_FORCE | PPM_MNT_DETACH | PPM_MNT_EXPIRE | PPM_UMOUNT_NOFOLLOW)); /*=============================== ASSERT PARAMETERS ===========================*/ diff --git a/test/drivers/test_suites/syscall_exit_suite/umount2_x.cpp b/test/drivers/test_suites/syscall_exit_suite/umount2_x.cpp index 8e0b8f22f5..eeac8af2a5 100644 --- a/test/drivers/test_suites/syscall_exit_suite/umount2_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/umount2_x.cpp @@ -12,7 +12,7 @@ TEST(SyscallExit, umount2X) /*=============================== TRIGGER SYSCALL ===========================*/ - const char* target = "/no_mount_point/xyzk-target"; + const char* target = "//**null-file-path**//"; unsigned long flags = MNT_FORCE; assert_syscall_state(SYSCALL_FAILURE, "umount2", syscall(__NR_umount2, target, flags)); int64_t errno_value = -errno; diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h index 2e972286d4..bb90fd6713 100644 --- a/userspace/libpman/src/events_prog_names.h +++ b/userspace/libpman/src/events_prog_names.h 
@@ -138,9 +138,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_UNSHARE_X] = "unshare_x", [PPME_SYSCALL_MOUNT_E] = "mount_e", [PPME_SYSCALL_MOUNT_X] = "mount_x", - /* These events should be called `PPME_SYSCALL_UMOUNT2_...` */ - [PPME_SYSCALL_UMOUNT_E] = "umount2_e", - [PPME_SYSCALL_UMOUNT_X] = "umount2_x", + [PPME_SYSCALL_UMOUNT2_E] = "umount2_e", + [PPME_SYSCALL_UMOUNT2_X] = "umount2_x", [PPME_SYSCALL_LINK_2_E] = "link_e", [PPME_SYSCALL_LINK_2_X] = "link_x", [PPME_SYSCALL_LINKAT_2_E] = "linkat_e", diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c index 1f314d0c54..b01964b4f8 100644 --- a/userspace/libscap/linux/scap_ppm_sc.c +++ b/userspace/libscap/linux/scap_ppm_sc.c @@ -290,8 +290,8 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SYSCALL_PPOLL_X] = (ppm_sc_code[]){PPM_SC_PPOLL, -1}, [PPME_SYSCALL_MOUNT_E] = (ppm_sc_code[]){PPM_SC_MOUNT, -1}, [PPME_SYSCALL_MOUNT_X] = (ppm_sc_code[]){PPM_SC_MOUNT, -1}, - [PPME_SYSCALL_UMOUNT_E] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1}, - [PPME_SYSCALL_UMOUNT_X] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1}, + [PPME_SYSCALL_UMOUNT_E] = (ppm_sc_code[]){PPM_SC_UMOUNT, -1}, + [PPME_SYSCALL_UMOUNT_X] = (ppm_sc_code[]){PPM_SC_UMOUNT, -1}, [PPME_K8S_E] = NULL, [PPME_K8S_X] = NULL, [PPME_SYSCALL_SEMGET_E] = (ppm_sc_code[]){PPM_SC_SEMGET, -1}, @@ -422,6 +422,8 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SYSCALL_UMOUNT_1_X] = (ppm_sc_code[]){PPM_SC_UMOUNT, -1}, [PPME_SOCKET_ACCEPT4_6_E] = (ppm_sc_code[]){PPM_SC_ACCEPT4, -1}, [PPME_SOCKET_ACCEPT4_6_X] = (ppm_sc_code[]){PPM_SC_ACCEPT4, -1}, + [PPME_SYSCALL_UMOUNT2_E] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1}, + [PPME_SYSCALL_UMOUNT2_X] = (ppm_sc_code[]){PPM_SC_UMOUNT2, -1}, }; _Static_assert(sizeof(g_events_to_sc_map) / sizeof(*g_events_to_sc_map) == PPM_EVENT_MAX, "Missing entries in g_events_to_sc_map table."); 
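Review bot: In the `@@ -290` hunk of scap_ppm_sc.c the old `PPME_SYSCALL_UMOUNT_E/X` pair is remapped from `PPM_SC_UMOUNT2` to `PPM_SC_UMOUNT` without a comment, which changes how events in existing capture files are attributed. The comment removed from driver/event_table.c says this pair was what the umount2 syscall emitted, so replaying an older capture would presumably now report those events as umount rather than umount2. If that is intended, a line such as `/* old-version pair: emitted for umount2 by drivers that predate PPME_SYSCALL_UMOUNT2_E/X */` above the two entries would record it. If it is not, listing both codes (`{PPM_SC_UMOUNT, PPM_SC_UMOUNT2, -1}`) looks possible given the sentinel-terminated array form.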
diff --git a/userspace/libsinsp/test/events_file.ut.cpp b/userspace/libsinsp/test/events_file.ut.cpp index 3079a20970..ac5ad8d5a4 100644 --- a/userspace/libsinsp/test/events_file.ut.cpp +++ b/userspace/libsinsp/test/events_file.ut.cpp @@ -220,3 +220,18 @@ TEST_F(sinsp_with_test_input, umount) ASSERT_EQ(get_field_as_string(evt, "evt.arg.res"), "0"); ASSERT_EQ(get_field_as_string(evt, "evt.arg.name"), "/target_name"); } + +TEST_F(sinsp_with_test_input, umount2) +{ + add_default_init_thread(); + + open_inspector(); + sinsp_evt* evt = NULL; + + add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT2_E, 1, 10); + evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT2_X, 2, 0, "/target_name"); + ASSERT_EQ(get_field_as_string(evt, "evt.type"), "umount2"); + ASSERT_EQ(get_field_as_string(evt, "evt.category"), "file"); + ASSERT_EQ(get_field_as_string(evt, "evt.arg.res"), "0"); + ASSERT_EQ(get_field_as_string(evt, "evt.arg.name"), "/target_name"); +} diff --git a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp index ae84a0ba29..25f3476cbf 100644 --- a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp +++ b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp 
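Review bot: The new `umount2` test never inspects the enter event: the `PPME_SYSCALL_UMOUNT2_E` event is added with a flags value of 10 and its return value is discarded, so a wrong `umount_flags` wiring for the PT_FLAGS32 parameter would not fail here. Capturing it with `evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_UMOUNT2_E, 1, 10);` and asserting on `evt.arg.flags` before the exit event is added would cover the one parameter that differs from the exit side. Using a value built from the `PPM_MNT_*` constants instead of the bare `10` would also make the expected decoding obvious to the reader.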
@@ -197,14 +197,22 @@ TEST(interesting_syscalls, names_to_sc_set) "signalfd4", }); ASSERT_PPM_SC_CODES_EQ(sc_set_truth, sc_set); +} + +/* This test asserts the behavior of `names_to_sc_set` API when corner cases like `accept/accept4` are involved */ +/// todo: @Andreagit97 revisit this test after new APIs to convert from event_names -> sc_set and sc_set -> event_names. +TEST(interesting_syscalls, names_sc_set_names_corner_cases) +{ + /* INCONSISTENCY: `names_to_sc_set` is converting event names to ppm_sc, but this was not its original scope, the original scope was to convert sc_names -> to sc_set */ + std::unordered_set event_names{"accept", "execve", "syncfs", "eventfd", "umount", "pipe", "signalfd", "umount2"}; + auto sc_set = libsinsp::events::names_to_sc_set(event_names); + libsinsp::events::set expected_sc_set{PPM_SC_ACCEPT, PPM_SC_ACCEPT4, PPM_SC_EXECVE, PPM_SC_SYNCFS, PPM_SC_EVENTFD, PPM_SC_EVENTFD2, PPM_SC_UMOUNT, PPM_SC_PIPE, PPM_SC_PIPE2, PPM_SC_SIGNALFD, PPM_SC_SIGNALFD4, PPM_SC_UMOUNT2}; + ASSERT_PPM_SC_CODES_EQ(sc_set, expected_sc_set); - static std::unordered_set sc_set_names_truth = {"accept", - "accept4", "execve", "syncfs", "eventfd", "eventfd2", "umount", "umount2", - "pipe", "pipe2", "signalfd", "signalfd4"}; - auto tmp_sc_set = libsinsp::events::names_to_sc_set(std::unordered_set{"accept", - "execve", "syncfs", "eventfd", "umount", "pipe", "signalfd"}); - auto sc_set_names = libsinsp::events::sc_set_to_names(tmp_sc_set); - ASSERT_NAMES_EQ(sc_set_names_truth, sc_set_names); + /* Please note that here we are converting sc_set to sc_names not event_names! */ + auto sc_names = libsinsp::events::sc_set_to_names(sc_set); + static std::unordered_set expected_sc_names = {"accept", "accept4", "execve", "syncfs", "eventfd", "eventfd2", "umount", "pipe", "pipe2", "signalfd", "signalfd4", "umount2"}; + ASSERT_NAMES_EQ(expected_sc_names, sc_names); } TEST(interesting_syscalls, event_set_to_sc_set) 
diff --git a/userspace/libsinsp/test/table/event_table.cpp b/userspace/libsinsp/test/table/event_table.cpp index 46b35948ab..f9288f8225 100644 --- a/userspace/libsinsp/test/table/event_table.cpp +++ b/userspace/libsinsp/test/table/event_table.cpp @@ -2,7 +2,7 @@ #include /* These numbers must be updated when we add new events */ -#define SYSCALL_EVENTS_NUM 344 +#define SYSCALL_EVENTS_NUM 346 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 19 #define PLUGIN_EVENTS_NUM 1 
@@ -101,14 +101,59 @@ TEST(event_table, check_unique_events_syscall_category) case EC_SCHEDULER: case EC_INTERNAL: break; - + /* If we fall here it means that some events have more than one syscall category! */ default: goto end; break; - } + } } end: ASSERT_EQ(event_num, PPM_EVENT_MAX); } + +TEST(events, check_event_names) +{ + std::map event_names_count; + + for(int evt = 0; evt < PPM_EVENT_MAX; evt++) + { + if(libsinsp::events::is_old_version_event((ppm_event_code)evt)) + { + continue; + } + + event_names_count[scap_get_event_info_table()[evt].name]++; + } + + for(const auto& evt : event_names_count) + { + /* NA occurrences should be equal to unknown events number, so more than 2 */ + if(evt.first.compare("NA") != 0) + { + /* all events that use exit and enter events should have `evt.second == 2` + * while events paired with a `NA` event should have `evt.second == 1` + */ + ASSERT_TRUE(evt.second <= 2) << "[fail] " << evt.first << " = " << evt.second << std::endl; + } + } +} + +TEST(events, check_usage_of_EC_UNKNOWN_flag) +{ + /* Every time an event is marked with the `EC_UNKNOWN` flag we should use `NA` as its name */ + std::string unknown_name = "NA"; + for(int evt = 0; evt < PPM_EVENT_MAX; evt++) + { + if(unknown_name.compare(scap_get_event_info_table()[evt].name) == 0) + { + ASSERT_TRUE(libsinsp::events::is_unknown_event((ppm_event_code)evt)) << "[fail] event " << evt << " should have the EC_UNKNOWN flag"; + } + + if(libsinsp::events::is_unknown_event((ppm_event_code)evt)) + { + ASSERT_TRUE(unknown_name.compare(scap_get_event_info_table()[evt].name) == 0) << "[fail] event " << evt << " should have NA as its name"; + } + } +}
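Review bot: `check_event_names` and `check_usage_of_EC_UNKNOWN_flag` spell their string tests as `evt.first.compare("NA") != 0` and `unknown_name.compare(...) == 0`; `evt.first != "NA"` and `unknown_name == scap_get_event_info_table()[evt].name` read more directly, and `unknown_name` can be declared `const`. The comment "so more than 2" would be clearer as a plain statement that `NA` is excluded because it is shared by every unused slot. `check_event_names` also reuses the name `evt` for the integer index and for the map entry, which is legal but makes the assertion message harder to follow. The first lines of the hunk belong to `check_unique_events_syscall_category`, which starts outside it.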