new(driver,userspace): automatically generate syscall_info_table entr…

…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
stackrox · Nov 30, 2022 · b9bc046 · b9bc046
1 parent cebcb4b
commit b9bc046
Show file tree

Hide file tree

Showing 8 changed files with 577 additions and 709 deletions.
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
diff --git a/driver/syscall_table.c b/driver/syscall_table.c
@@ -720,6 +720,81 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_socketcall
 	[__NR_socketcall - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SOCKETCALL },
 #endif
+#ifdef __NR_fspick
+	[__NR_fspick - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSPICK},
+#endif
+#ifdef __NR_fsmount
+	[__NR_fsmount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSMOUNT},
+#endif
+#ifdef __NR_fsopen
+	[__NR_fsopen - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSOPEN},
+#endif
+#ifdef __NR_open_tree
+	[__NR_open_tree - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OPEN_TREE},
+#endif
+#ifdef __NR_move_mount
+	[__NR_move_mount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_MOUNT},
+#endif
+#ifdef __NR_mount_setattr
+	[__NR_mount_setattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOUNT_SETATTR},
+#endif
+#ifdef __NR_memfd_create
+	[__NR_memfd_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_CREATE},
+#endif
+#ifdef __NR_memfd_secret
+	[__NR_memfd_secret - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_SECRET},
+#endif
+#ifdef __NR_ioperm
+	[__NR_ioperm - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPERM},
+#endif
+#ifdef __NR_kexec_file_load
+	[__NR_kexec_file_load - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEXEC_FILE_LOAD},
+#endif
+#ifdef __NR_pidfd_getfd
+	[__NR_pidfd_getfd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_GET_FD},
+#endif
+#ifdef __NR_pidfd_open
+	[__NR_pidfd_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_OPEN},
+#endif
+#ifdef __NR_pidfd_send_signal
+	[__NR_pidfd_send_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_SEND_SIGNAL},
+#endif
+#ifdef __NR_pkey_alloc
+	[__NR_pkey_alloc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_ALLOC},
+#endif
+#ifdef __NR_pkey_mprotect
+	[__NR_pkey_mprotect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_MPROTECT},
+#endif
+#ifdef __NR_pkey_free
+	[__NR_pkey_free - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_FREE},
+#endif
+#ifdef __NR_landlock_create_ruleset
+	[__NR_landlock_create_ruleset - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_CREATE_RULESET},
+#endif
+#ifdef __NR_quotactl_fd
+	[__NR_quotactl_fd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_QUOTACTL_FD},
+#endif
+#ifdef __NR_landlock_restrict_self
+	[__NR_landlock_restrict_self - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_RESTRICT_SELF},
+#endif
+#ifdef __NR_landlock_add_rule
+	[__NR_landlock_add_rule - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_ADD_RULE},
+#endif
+#ifdef __NR_epoll_pwait2
+	[__NR_epoll_pwait2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_PWAIT2},
+#endif
+#ifdef __NR_migrate_pages
+	[__NR_migrate_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MIGRATE_PAGES},
+#endif
+#ifdef __NR_move_pages
+	[__NR_move_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_PAGES},
+#endif
+#ifdef __NR_preadv2
+	[__NR_preadv2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PREADV2},
+#endif
+#ifdef __NR_pwritev2
+	[__NR_pwritev2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PWRITEV2},
+#endif
 };
 
 #ifdef CONFIG_IA32_EMULATION
@@ -1339,6 +1414,81 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 #ifdef __NR_ia32_fadvise64
 	[__NR_ia32_fadvise64 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FADVISE64},
 #endif
+#ifdef __NR_ia32_fspick
+	[__NR_ia32_fspick - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSPICK},
+#endif
+#ifdef __NR_ia32_fsmount
+	[__NR_ia32_fsmount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSMOUNT},
+#endif
+#ifdef __NR_ia32_fsopen
+	[__NR_ia32_fsopen - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_FSOPEN},
+#endif
+#ifdef __NR_ia32_open_tree
+	[__NR_ia32_open_tree - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_OPEN_TREE},
+#endif
+#ifdef __NR_ia32_move_mount
+	[__NR_ia32_move_mount - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_MOUNT},
+#endif
+#ifdef __NR_ia32_mount_setattr
+	[__NR_ia32_mount_setattr - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOUNT_SETATTR},
+#endif
+#ifdef __NR_ia32_memfd_create
+	[__NR_ia32_memfd_create - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_CREATE},
+#endif
+#ifdef __NR_ia32_memfd_secret
+	[__NR_ia32_memfd_secret - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MEMFD_SECRET},
+#endif
+#ifdef __NR_ia32_ioperm
+	[__NR_ia32_ioperm - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_IOPERM},
+#endif
+#ifdef __NR_ia32_kexec_file_load
+	[__NR_ia32_kexec_file_load - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_KEXEC_FILE_LOAD},
+#endif
+#ifdef __NR_ia32_pidfd_getfd
+	[__NR_ia32_pidfd_getfd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_GET_FD},
+#endif
+#ifdef __NR_ia32_pidfd_open
+	[__NR_ia32_pidfd_open - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_OPEN},
+#endif
+#ifdef __NR_ia32_pidfd_send_signal
+	[__NR_ia32_pidfd_send_signal - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PIDFD_SEND_SIGNAL},
+#endif
+#ifdef __NR_ia32_pkey_alloc
+	[__NR_ia32_pkey_alloc - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_ALLOC},
+#endif
+#ifdef __NR_ia32_pkey_mprotect
+	[__NR_ia32_pkey_mprotect - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_MPROTECT},
+#endif
+#ifdef __NR_ia32_pkey_free
+	[__NR_ia32_pkey_free - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PKEY_FREE},
+#endif
+#ifdef __NR_ia32_landlock_create_ruleset
+	[__NR_ia32_landlock_create_ruleset - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_CREATE_RULESET},
+#endif
+#ifdef __NR_ia32_quotactl_fd
+	[__NR_ia32_quotactl_fd - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_QUOTACTL_FD},
+#endif
+#ifdef __NR_ia32_landlock_restrict_self
+	[__NR_ia32_landlock_restrict_self - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_RESTRICT_SELF},
+#endif
+#ifdef __NR_ia32_landlock_add_rule
+	[__NR_ia32_landlock_add_rule - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_LANDLOCK_ADD_RULE},
+#endif
+#ifdef __NR_ia32_epoll_pwait2
+	[__NR_ia32_epoll_pwait2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EPOLL_PWAIT2},
+#endif
+#ifdef __NR_ia32_migrate_pages
+	[__NR_ia32_migrate_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MIGRATE_PAGES},
+#endif
+#ifdef __NR_ia32_move_pages
+	[__NR_ia32_move_pages - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MOVE_PAGES},
+#endif
+#ifdef __NR_ia32_preadv2
+	[__NR_ia32_preadv2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PREADV2},
+#endif
+#ifdef __NR_ia32_pwritev2
+	[__NR_ia32_pwritev2 - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_PWRITEV2},
+#endif	
 };
 
 #endif /* CONFIG_IA32_EMULATION */
diff --git a/userspace/libscap/examples/01-open/scap_open.c b/userspace/libscap/examples/01-open/scap_open.c
@@ -44,24 +44,25 @@ limitations under the License.
 #define PRINT_SYSCALLS_OPTION "--print_syscalls"
 #define PRINT_HELP_OPTION "--help"
 
-extern const struct ppm_syscall_desc g_syscall_info_table[PPM_SC_MAX];
 extern const struct ppm_event_info g_event_info[PPM_EVENT_MAX];
 extern const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE];
 
+static const struct ppm_syscall_desc *g_syscall_info_table;
+
 /* Engine params */
-struct scap_bpf_engine_params bpf_params = {0};
-struct scap_kmod_engine_params kmod_params = {0};
-struct scap_modern_bpf_engine_params modern_bpf_params = {0};
-struct scap_savefile_engine_params savefile_params = {0};
+static struct scap_bpf_engine_params bpf_params;
+static struct scap_kmod_engine_params kmod_params;
+static struct scap_modern_bpf_engine_params modern_bpf_params;
+static struct scap_savefile_engine_params savefile_params;
 
 /* Configuration variables set through CLI. */
-uint64_t num_events = UINT64_MAX; /* max number of events to catch. */
-int evt_type = -1;		  /* event type to print. */
-bool ppm_sc_is_set = 0;
-bool tp_is_set = 0;
-unsigned long buffer_bytes_dim = DEFAULT_DRIVER_BUFFER_BYTES_DIM;
+static uint64_t num_events = UINT64_MAX; /* max number of events to catch. */
+static int evt_type = -1;		  /* event type to print. */
+static bool ppm_sc_is_set = 0;
+static bool tp_is_set = 0;
+static unsigned long buffer_bytes_dim = DEFAULT_DRIVER_BUFFER_BYTES_DIM;
 
-int simple_set[] = {
+static int simple_set[] = {
 	PPM_SC_ACCEPT,
 	PPM_SC_ACCEPT4,
 	PPM_SC_BIND,
@@ -146,14 +147,14 @@ int simple_set[] = {
 };
 
 /* Generic global variables. */
-scap_open_args oargs = {.engine_name = UNKNOWN_ENGINE};			    /* scap oargs used in `scap_open`. */
-uint64_t g_nevts = 0;							    /* total number of events captured. */
-scap_t* g_h = NULL;							    /* global scap handler. */
-uint16_t* lens16 = NULL;						    /* pointer used to print the length of event params. */
-char* valptr = NULL; /* pointer used to print the value of event params. */ /* pointer used to print the value of event params. */
-struct timeval tval_start, tval_end, tval_result;
-unsigned long number_of_timeouts = 0; /* Times in which there were no events in the buffer. */
-unsigned long number_of_scap_next = 0; /* Times in which the 'scap-next' method is called. */
+static scap_open_args oargs = {.engine_name = UNKNOWN_ENGINE};			    /* scap oargs used in `scap_open`. */
+static uint64_t g_nevts = 0;							    /* total number of events captured. */
+static scap_t* g_h = NULL;							    /* global scap handler. */
+static uint16_t* lens16 = NULL;						    /* pointer used to print the length of event params. */
+static char* valptr = NULL; /* pointer used to print the value of event params. */ /* pointer used to print the value of event params. */
+static struct timeval tval_start, tval_end, tval_result;
+static unsigned long number_of_timeouts; /* Times in which there were no events in the buffer. */
+static unsigned long number_of_scap_next; /* Times in which the 'scap-next' method is called. */
 
 /*=============================== PRINT SUPPORTED SYSCALLS ===========================*/
 
@@ -990,6 +991,8 @@ int main(int argc, char** argv)
 		return EXIT_FAILURE;
 	}
 
+	g_syscall_info_table = scap_get_syscall_info_table();
+
 	parse_CLI_options(argc, argv);
 
 	print_scap_source();

diff --git a/userspace/libscap/scap-int.h b/userspace/libscap/scap-int.h
@@ -302,9 +302,7 @@ int32_t scap_os_getpid_global(struct scap_engine_handle engine, int64_t *pid, ch
 
 extern const struct syscall_evt_pair g_syscall_table[];
 extern const struct ppm_event_info g_event_info[];
-extern const struct ppm_syscall_desc g_syscall_info_table[];
 extern const struct ppm_event_entry g_ppm_events[];
-extern bool validate_info_table_size();
 
 extern unsigned char g_bpf_drop_syscalls[];
 

diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -522,8 +522,7 @@ typedef struct scap_dumper scap_dumper_t;
 */
 struct ppm_syscall_desc {
 	enum ppm_event_category category; /**< System call category. */
-	enum ppm_event_flags flags;
-	char *name; /**< System call name, e.g. 'open'. */
+	char name[PPM_MAX_NAME_LEN]; /**< System call name, e.g. 'open'. */
 };
 
 /*!

diff --git a/userspace/libscap/scap_event.c b/userspace/libscap/scap_event.c
@@ -35,7 +35,6 @@ limitations under the License.
 //
 const struct ppm_event_info* scap_get_event_info_table()
 {
-	ASSERT(validate_info_table_size());
 	return g_event_info;
 }