diff --git a/.github/workflows/gotests.yml b/.github/workflows/gotests.yml index a7375ff1dd0..56c17f767ab 100644 --- a/.github/workflows/gotests.yml +++ b/.github/workflows/gotests.yml @@ -27,6 +27,12 @@ jobs: with: go-version-file: 'go/src/github.com/cilium/tetragon/go.mod' + - name: Install dependencies x86 + with: + platforms: linux/amd64 + run: | + sudo apt-get -y install libc6-dev-i386 + - name: Install dependencies run: | sudo apt-get -y install libelf-dev netcat-traditional libcap-dev gcc diff --git a/.github/workflows/vmtests.yml b/.github/workflows/vmtests.yml index e6778bf2806..12833116ead 100644 --- a/.github/workflows/vmtests.yml +++ b/.github/workflows/vmtests.yml @@ -30,7 +30,7 @@ jobs: - name: Install build dependencies run: | - sudo apt install libelf-dev netcat-traditional libcap-dev gcc + sudo apt install libelf-dev netcat-traditional libcap-dev gcc libc6-dev-i386 echo `which clang` echo `which llc` echo `clang --version` diff --git a/bpf/lib/generic.h b/bpf/lib/generic.h index 4b06f7c859a..19d00d5cab1 100644 --- a/bpf/lib/generic.h +++ b/bpf/lib/generic.h @@ -31,6 +31,7 @@ struct msg_selector_data { #ifdef __CAP_CHANGES_FILTER __u64 match_cap; #endif + bool is32BitSyscall; }; struct msg_generic_kprobe { diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c index 04758262e0f..b589ebeefde 100644 --- a/bpf/process/bpf_generic_tracepoint.c +++ b/bpf/process/bpf_generic_tracepoint.c @@ -62,6 +62,7 @@ static inline __attribute__((always_inline)) unsigned long get_ctx_ul(void *src, int type) { switch (type) { + case syscall64_type: case nop_s64_ty: case nop_u64_ty: case s64_ty: diff --git a/bpf/process/generic_calls.h b/bpf/process/generic_calls.h index 39a90e88ec4..a91ed0f195d 100644 --- a/bpf/process/generic_calls.h +++ b/bpf/process/generic_calls.h @@ -6,6 +6,7 @@ #include "bpf_tracing.h" #include "types/basic.h" +#include "vmlinux.h" #define MAX_TOTAL 9000 
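Review bot: The new `Install dependencies x86` step in gotests.yml combines `with: platforms: linux/amd64` with `run:`, but `with:` only supplies inputs to a `uses:` action, so it does not limit this step to amd64 runners and may fail workflow validation. If the intent is to install the 32-bit libc headers only on x86 runners, a step condition such as `if: runner.arch == 'X64'` expresses that. The step also installs without a preceding `sudo apt-get update`, which can fail on a stale package index unless an earlier step outside this hunk refreshes it.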
@@ -70,6 +71,29 @@ generic_process_event(void *ctx, struct bpf_map_def *heap_map, return 0; } +#define TS_COMPAT 0x0002 + +#ifdef __TARGET_ARCH_x86 +static inline __attribute__((always_inline)) void +generic_setup_32bit_syscall(struct msg_generic_kprobe *e, u8 op) +{ + struct thread_info *info; + __u32 status; + + switch (op) { + case MSG_OP_GENERIC_TRACEPOINT: + case MSG_OP_GENERIC_KPROBE: + info = (struct thread_info *)get_current_task(); + probe_read(&status, sizeof(status), _(&info->status)); + e->sel.is32BitSyscall = status & TS_COMPAT; + default: + break; + } +} +#else +#define generic_setup_32bit_syscall(e, op) +#endif + static inline __attribute__((always_inline)) void generic_process_init(struct msg_generic_kprobe *e, u8 op, struct event_config *config) { @@ -93,6 +117,9 @@ generic_process_init(struct msg_generic_kprobe *e, u8 op, struct event_config *c * At kprobes, tracpoints etc we report the calling thread ID to user space. */ e->tid = (__u32)get_current_pid_tgid(); + + /* Get 32-bit syscall emulation bit value. */ + generic_setup_32bit_syscall(e, op); } static inline __attribute__((always_inline)) int diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h index e06da92892e..499b425bf07 100644 --- a/bpf/process/types/basic.h +++ b/bpf/process/types/basic.h @@ -61,6 +61,8 @@ enum { load_module_type = 26, kernel_module_type = 27, + syscall64_type = 28, + nop_s64_ty = -10, nop_u64_ty = -11, nop_u32_ty = -12, @@ -123,6 +125,8 @@ struct selector_arg_filters { #define FLAGS_EARLY_FILTER BIT(0) +#define IS_32BIT 0x80000000 + struct event_config { __u32 func_id; __s32 arg0; 
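Review bot: `generic_setup_32bit_syscall()` writes `e->sel.is32BitSyscall` only for the tracepoint and kprobe ops, and only on x86; for any other op, and on architectures where the macro expands to nothing, the field keeps whatever `e` already held. The selector code uses this flag to choose the 32-bit or 64-bit key for syscall list lookups, so a stale value would make a policy match the wrong ABI. Unless `e` is zeroed per event (not visible here), clear the field explicitly, e.g. `e->sel.is32BitSyscall = false;` in the `default:` arm and in the non-x86 macro. The return value of `probe_read()` is ignored and `status` is uninitialised, so `__u32 status = 0;` keeps the result defined if the read fails. The two case labels also run into `default:` without a `break`, which is harmless today but worth making explicit.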
@@ -1298,7 +1302,7 @@ filter_64ty_selector_val(struct selector_arg_filter *filter, char *args) // use the selector value to determine a hash map, and do a lookup to determine whether the argument // is in the defined set. static inline __attribute__((always_inline)) long -filter_64ty_map(struct selector_arg_filter *filter, char *args) +filter_64ty_map(struct selector_arg_filter *filter, char *args, bool set32bit) { void *argmap; __u32 map_idx = filter->value; @@ -1308,6 +1312,10 @@ filter_64ty_map(struct selector_arg_filter *filter, char *args) return 0; __u64 arg = *((__u64 *)args); + + if (set32bit) + arg |= IS_32BIT; + __u8 *pass = map_lookup_elem(argmap, &arg); switch (filter->op) { @@ -1320,7 +1328,7 @@ filter_64ty_map(struct selector_arg_filter *filter, char *args) } static inline __attribute__((always_inline)) long -filter_64ty(struct selector_arg_filter *filter, char *args) +filter_64ty(struct selector_arg_filter *filter, char *args, bool set32bit) { switch (filter->op) { case op_filter_lt: @@ -1331,7 +1339,7 @@ filter_64ty(struct selector_arg_filter *filter, char *args) return filter_64ty_selector_val(filter, args); case op_filter_inmap: case op_filter_notinmap: - return filter_64ty_map(filter, args); + return filter_64ty_map(filter, args, set32bit); } return 0; @@ -1640,6 +1648,8 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx, for (i = 0; i < 5; i++) #endif { + bool set32bit = false; + argsoff = filters->argoff[i]; asm volatile("%[argsoff] &= 0x3ff;\n" ::[argsoff] "+r"(argsoff) :); @@ -1679,9 +1689,11 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx, */ pass &= filter_char_buf(filter, args, 8); break; + case syscall64_type: + set32bit = e->sel.is32BitSyscall; case s64_ty: case u64_ty: - pass &= filter_64ty(filter, args); + pass &= filter_64ty(filter, args, set32bit); break; case size_type: case int_type: 
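Review bot: Only the `op_filter_inmap`/`op_filter_notinmap` path in `filter_64ty()` receives `set32bit`; the comparison operators still call `filter_64ty_selector_val(filter, args)` on the raw number, so a `syscall64` argument matched with those operators cannot tell a 32-bit syscall from the 64-bit syscall that shares its number. Either reject those operators for `syscall64` when the policy is loaded, or apply the same `IS_32BIT` tagging there, and document which behaviour is intended. This concerns the `filter_64ty_map()`, `filter_64ty()` and `selector_arg_offset()` hunks together. In `selector_arg_offset()` the new `case syscall64_type:` falls through into `case s64_ty:` on purpose; a `/* fallthrough */` comment after `set32bit = e->sel.is32BitSyscall;` would make that explicit. All three functions start and end outside their hunks.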
@@ -2427,6 +2439,7 @@ read_call_arg(void *ctx, struct msg_generic_kprobe *e, int index, int type, case string_type: size = copy_strings(args, arg); break; + case syscall64_type: case size_type: case s64_ty: case u64_ty: diff --git a/contrib/tester-progs/Makefile b/contrib/tester-progs/Makefile index 1f735d563f1..76f18751c98 100644 --- a/contrib/tester-progs/Makefile +++ b/contrib/tester-progs/Makefile @@ -18,7 +18,8 @@ PROGS = sigkill-tester \ threads-tester \ bench-reader \ threads-exit \ - killer-tester + killer-tester \ + killer-tester-32 all: $(PROGS) @@ -61,6 +62,9 @@ uprobe-test-1: uprobe-test.c libuprobe.so uprobe-test-2: uprobe-test-1 cp uprobe-test-1 uprobe-test-2 +killer-tester-32: killer-tester.c + $(GCC) -Wall -m32 $< -o $@ + lseek-pipe: FORCE go build -o lseek-pipe ./go/lseek-pipe diff --git a/docs/content/en/docs/concepts/tracing-policy/hooks.md b/docs/content/en/docs/concepts/tracing-policy/hooks.md index 5641375326e..eeeeffea5bc 100644 --- a/docs/content/en/docs/concepts/tracing-policy/hooks.md +++ b/docs/content/en/docs/concepts/tracing-policy/hooks.md @@ -406,6 +406,24 @@ spec: - "sys_close" ``` +Syscalls specified with `sys_` prefix are translated to their 64 bit equivalent function names. + +It's possible to specify 32 bit syscall by using its full function name that +includes specific architecture native prefix (like `__ia32_` for `x86`): + +```yaml +spec: + lists: + - name: "dups" + type: "syscalls" + values: + - "sys_dup" + - "__ia32_sys_dup" + name: "another" + - "sys_open" + - "sys_close" +``` + Specific list can be referenced in kprobe's `call` field with `"list:NAME"` value. ```yaml 
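Review bot: `killer-tester-32` is appended to `PROGS` unconditionally, so `all` now always runs `$(GCC) -Wall -m32 $< -o $@`, which fails on hosts whose compiler has no 32-bit x86 target, such as an arm64 builder or an x86 one without the 32-bit libc headers. Consider adding the program to `PROGS` only when the build architecture is x86_64, so the remaining tester programs still build elsewhere. The Go tests that use this binary are already limited to amd64 by their build tag, so nothing else appears to need it on other architectures.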
@@ -520,3 +538,27 @@ spec: values: - "/usr/bin/kill" ``` + +Note that if syscall list is used in selector with InMap operator, the argument type needs to be `syscall64`, like. + +```yaml +spec: + lists: + - name: "dups" + type: "syscalls" + values: + - "sys_dup" + - "__ia32_sys_dup" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "syscall64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:dups" +``` diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md index e51bfc88ed5..517c7703ec2 100644 --- a/docs/content/en/docs/concepts/tracing-policy/selectors.md +++ b/docs/content/en/docs/concepts/tracing-policy/selectors.md @@ -1047,7 +1047,7 @@ spec: event: "sys_enter" args: - index: 4 - type: "uint64" + type: "syscall64" selectors: - matchArgs: - index: 0 diff --git a/examples/tracingpolicy/killer.yaml b/examples/tracingpolicy/killer.yaml index cc32c13327b..0c9f8ff2011 100644 --- a/examples/tracingpolicy/killer.yaml +++ b/examples/tracingpolicy/killer.yaml @@ -9,6 +9,7 @@ spec: values: - "sys_dup" - "sys_dup2" + - "__ia32_sys_dup" killers: - syscalls: - "list:dups" @@ -17,7 +18,7 @@ spec: event: "sys_enter" args: - index: 4 - type: "uint64" + type: "syscall64" selectors: - matchArgs: - index: 0 diff --git a/pkg/arch/arch.go b/pkg/arch/arch.go index 1b784e960c6..bf3cd92b7af 100644 --- a/pkg/arch/arch.go +++ b/pkg/arch/arch.go @@ -10,7 +10,7 @@ import ( "testing" ) -var supportedArchPrefix = map[string]string{"amd64": "__x64_", "arm64": "__arm64_"} +var supportedArchPrefix = map[string]string{"amd64": "__x64_", "arm64": "__arm64_", "i386": "__ia32_"} func addSyscallPrefix(symbol string, arch string) (string, error) { for prefix_arch, prefix := range supportedArchPrefix { 
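Review bot: The `dups` list in examples/tracingpolicy/killer.yaml now covers `sys_dup` and `sys_dup2` for 64-bit callers but only `__ia32_sys_dup` for 32-bit ones, so a 32-bit process calling dup2 is not covered by the example policy. The example is likely to be copied as a starting point for enforcement, so add `- "__ia32_sys_dup2"` to give both ABIs the same coverage.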
@@ -59,11 +59,15 @@ func AddSyscallPrefixTestHelper(t *testing.T, symbol string) string { } // CutSyscallPrefix removes a potential arch specific prefix from the symbol -func CutSyscallPrefix(symbol string) string { - for _, prefix := range supportedArchPrefix { +// and returns true in second return argument if the prefix is 32 bits +func CutSyscallPrefix(symbol string) (string, bool) { + is32BitArch := func(arch string) bool { + return arch == "i386" + } + for arch, prefix := range supportedArchPrefix { if strings.HasPrefix(symbol, prefix) { - return symbol[len(prefix):] + return symbol[len(prefix):], is32BitArch(arch) } } - return symbol + return symbol, false } diff --git a/pkg/encoder/encoder.go b/pkg/encoder/encoder.go index e01c0e2b56e..f5397dce192 100644 --- a/pkg/encoder/encoder.go +++ b/pkg/encoder/encoder.go @@ -259,7 +259,8 @@ func (p *CompactEncoder) EventToString(response *tetragon.GetEventsResponse) (st return "", ErrMissingProcessInfo } processInfo, caps := p.Colorer.ProcessInfo(response.NodeName, kprobe.Process) - switch arch.CutSyscallPrefix(kprobe.FunctionName) { + sc, _ := arch.CutSyscallPrefix(kprobe.FunctionName) + switch sc { case "sys_write": event := p.Colorer.Blue.Sprintf("📝 %-7s", "write") file := "" diff --git a/pkg/generictypes/generictypes.go b/pkg/generictypes/generictypes.go index 2cfe330842e..9e6500ee3c9 100644 --- a/pkg/generictypes/generictypes.go +++ b/pkg/generictypes/generictypes.go @@ -37,6 +37,8 @@ const ( GenericLoadModule = 26 GenericKernelModule = 27 + GenericSyscall64 = 28 + GenericNopType = -1 GenericInvalidType = -2 ) @@ -97,6 +99,8 @@ func GenericTypeFromString(arg string) int { return GenericLoadModule case "module": return GenericKernelModule + case "syscall64": + return GenericSyscall64 default: return GenericInvalidType } 
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index fd462c12e1d..9ba938e3281 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -121,6 +121,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index @@ -202,6 +203,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index @@ -752,6 +754,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 815d6a6fed9..a50691711db 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -121,6 +121,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index @@ -202,6 +203,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index @@ -752,6 +754,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 85a9203011a..61da63107c5 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
@@ -51,7 +51,7 @@ type KProbeArg struct { // +kubebuilder:validation:Minimum=0 // Position of the argument. Index uint32 `json:"index"` - // +kubebuilder:validation:Enum=auto;int;uint32;int32;uint64;int64;char_buf;char_iovec;size_t;skb;sock;string;fd;file;filename;path;nop;bpf_attr;perf_event;bpf_map;user_namespace;capability;kiocb;iov_iter;cred;load_info;module; + // +kubebuilder:validation:Enum=auto;int;uint32;int32;uint64;int64;char_buf;char_iovec;size_t;skb;sock;string;fd;file;filename;path;nop;bpf_attr;perf_event;bpf_map;user_namespace;capability;kiocb;iov_iter;cred;load_info;module;syscall64; // +kubebuilder:default=auto // Argument type. Type string `json:"type"` diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index ac339812513..3c618922d27 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go @@ -161,6 +161,9 @@ const ( argTypeUrl = 18 argTypeFqdn = 19 + + // mirrors gt.GenericSyscall64 + argTypeSyscall64 = 28 ) var argTypeTable = map[string]uint32{ @@ -180,6 +183,7 @@ var argTypeTable = map[string]uint32{ "sock": argTypeSock, "url": argTypeUrl, "fqdn": argTypeFqdn, + "syscall64": argTypeSyscall64, } var argTypeStringTable = map[uint32]string{ @@ -199,6 +203,7 @@ var argTypeStringTable = map[uint32]string{ argTypeSock: "sock", argTypeUrl: "url", argTypeFqdn: "fqdn", + argTypeSyscall64: "syscall64", } const ( @@ -515,7 +520,7 @@ func writeListValuesInMap(k *KernelSelectorState, v string, ty uint32, m *ValueM if k.listReader == nil { return fmt.Errorf("failed list values loading is not supported") } - values, err := k.listReader.Read(v) + values, err := k.listReader.Read(v, ty) if err != nil { return err } 
@@ -523,7 +528,7 @@ func writeListValuesInMap(k *KernelSelectorState, v string, ty uint32, m *ValueM var val [8]byte switch ty { - case argTypeS64, argTypeInt: + case argTypeS64, argTypeInt, argTypeSyscall64: binary.LittleEndian.PutUint64(val[:], uint64(values[idx])) case argTypeU64: binary.LittleEndian.PutUint64(val[:], uint64(values[idx])) @@ -556,7 +561,7 @@ func writeMatchValuesInMap(k *KernelSelectorState, values []string, ty uint32, o continue } switch ty { - case argTypeS64, argTypeInt: + case argTypeS64, argTypeInt, argTypeSyscall64: i, err := strconv.ParseInt(v, 10, 64) if err != nil { return fmt.Errorf("MatchArgs value %s invalid: %w", v, err) diff --git a/pkg/selectors/selectors.go b/pkg/selectors/selectors.go index 88cea1c1d34..a17fb7faf71 100644 --- a/pkg/selectors/selectors.go +++ b/pkg/selectors/selectors.go @@ -25,7 +25,7 @@ type ValueMap struct { } type ValueReader interface { - Read(value string) ([]uint32, error) + Read(value string, ty uint32) ([]uint32, error) } const ( diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index 4f8d3a44d33..308e0a81c3a 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -673,7 +673,7 @@ func handleMsgGenericTracepoint( } switch out.genericTypeId { - case gt.GenericU64Type: + case gt.GenericU64Type, gt.GenericSyscall64: var val uint64 err := binary.Read(r, binary.LittleEndian, &val) if err != nil { diff --git a/pkg/sensors/tracing/killer_amd64_test.go b/pkg/sensors/tracing/killer_amd64_test.go new file mode 100644 index 00000000000..212ae5a0623 --- /dev/null +++ b/pkg/sensors/tracing/killer_amd64_test.go 
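Review bot: In `writeMatchValuesInMap()` a `syscall64` value is parsed with `strconv.ParseInt(v, 10, 64)` and stored as written, whereas list values receive the 32-bit tag from the list reader. If the BPF side tags compat syscalls with `IS_32BIT` before every map lookup, as the `filter_64ty_map()` change suggests, a literal number in `values` can only match the 64-bit ABI unless the user adds the tag bit to the decimal value by hand. Either document that literal values are 64-bit syscall numbers, or reject literals for `syscall64` and require a `list:` reference. The function body continues outside the hunk.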
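Review bot: `handleMsgGenericTracepoint()` decodes a `GenericSyscall64` argument exactly like `GenericU64Type`, so the event carries the bare syscall number with no indication of the ABI it belongs to. The new tests expect `i386.SYS_PRCTL` for the 32-bit binary, which suggests the number is reported untagged; a consumer of the event cannot tell from this value alone whether it names a 32-bit or a 64-bit syscall. Consider exposing the ABI in the event, or documenting how to derive it, so that detections built on these events do not attribute the call to the wrong syscall. The switch continues outside the hunk.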
@@ -0,0 +1,212 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Tetragon + +//go:build amd64 && linux +// +build amd64,linux + +package tracing + +import ( + "syscall" + "testing" + + "github.com/cilium/tetragon/api/v1/tetragon" + "github.com/cilium/tetragon/pkg/bpf" + "github.com/cilium/tetragon/pkg/syscallinfo/i386" + "github.com/cilium/tetragon/pkg/testutils" + + ec "github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker" + lc "github.com/cilium/tetragon/pkg/matchers/listmatcher" +) + +func TestKillerOverride32(t *testing.T) { + if !bpf.HasOverrideHelper() { + t.Skip("skipping killer test, bpf_override_return helper not available") + } + + test := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") + configHook := ` +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" +spec: + lists: + - name: "mine" + type: "syscalls" + values: + - "__ia32_sys_prctl" + killers: + - syscalls: + - "list:mine" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "syscall64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:mine" + matchBinaries: + - operator: "In" + values: + - "` + test + `" + matchActions: + - action: "NotifyKiller" + argError: -17 # EEXIST +` + + tpChecker := ec.NewProcessTracepointChecker(""). + WithArgs(ec.NewKprobeArgumentListMatcher(). + WithOperator(lc.Ordered). + WithValues( + ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL), + )). 
+ WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + + checker := ec.NewUnorderedEventChecker(tpChecker) + + checkerFunc := func(err error, rc int) { + if rc != int(syscall.EEXIST) { + t.Fatalf("Wrong exit code %d expected %d", rc, int(syscall.EEXIST)) + } + } + + testKiller(t, configHook, test, "", checker, checkerFunc) +} + +func TestKillerSignal32(t *testing.T) { + if !bpf.HasOverrideHelper() { + t.Skip("skipping killer test, bpf_override_return helper not available") + } + + test := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") + configHook := ` +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" +spec: + lists: + - name: "mine" + type: "syscalls" + values: + - "__ia32_sys_prctl" + killers: + - syscalls: + - "list:mine" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "syscall64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:mine" + matchBinaries: + - operator: "In" + values: + - "` + test + `" + matchActions: + - action: "NotifyKiller" + argSig: 9 # SIGKILL +` + + tpChecker := ec.NewProcessTracepointChecker(""). + WithArgs(ec.NewKprobeArgumentListMatcher(). + WithOperator(lc.Ordered). + WithValues( + ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL), + )). 
+ WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + + checker := ec.NewUnorderedEventChecker(tpChecker) + + checkerFunc := func(err error, rc int) { + if err == nil || err.Error() != "signal: killed" { + t.Fatalf("Wrong error '%v' expected 'killed'", err) + } + } + + testKiller(t, configHook, test, "", checker, checkerFunc) +} + +func TestKillerOverrideBothBits(t *testing.T) { + if !bpf.HasOverrideHelper() { + t.Skip("skipping killer test, bpf_override_return helper not available") + } + + test32 := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") + test64 := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + + configHook := ` +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" +spec: + lists: + - name: "mine" + type: "syscalls" + values: + - "sys_prctl" + - "__ia32_sys_prctl" + killers: + - syscalls: + - "list:mine" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "syscall64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:mine" + matchBinaries: + - operator: "In" + values: + - "` + test32 + `" + - "` + test64 + `" + matchActions: + - action: "NotifyKiller" + argError: -17 # EEXIST +` + + tpChecker32 := ec.NewProcessTracepointChecker(""). + WithArgs(ec.NewKprobeArgumentListMatcher(). + WithOperator(lc.Ordered). + WithValues( + ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL), + )). + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + + tpChecker64 := ec.NewProcessTracepointChecker(""). + WithArgs(ec.NewKprobeArgumentListMatcher(). + WithOperator(lc.Ordered). + WithValues( + ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL), + )). 
+ WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + + checker := ec.NewUnorderedEventChecker(tpChecker32, tpChecker64) + + checkerFunc := func(err error, rc int) { + if rc != int(syscall.EEXIST) { + t.Fatalf("Wrong exit code %d expected %d", rc, int(syscall.EEXIST)) + } + } + + testKiller(t, configHook, test64, test32, checker, checkerFunc) +} diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go index 6b02cc564cb..f01654f3072 100644 --- a/pkg/sensors/tracing/killer_test.go +++ b/pkg/sensors/tracing/killer_test.go @@ -23,7 +23,8 @@ import ( "github.com/stretchr/testify/assert" ) -func test_killer(t *testing.T, configHook string, test string, +func testKiller(t *testing.T, configHook string, + test string, test2 string, checker *eventchecker.UnorderedEventChecker, checkerFunc func(err error, rc int)) { @@ -50,6 +51,13 @@ func test_killer(t *testing.T, configHook string, test string, checkerFunc(err, cmd.ProcessState.ExitCode()) + if test2 != "" { + cmd := exec.Command(test2) + err = cmd.Run() + + checkerFunc(err, cmd.ProcessState.ExitCode()) + } + err = jsonchecker.JsonTestCheck(t, checker) assert.NoError(t, err) } @@ -79,7 +87,7 @@ spec: event: "sys_enter" args: - index: 4 - type: "uint64" + type: "syscall64" selectors: - matchArgs: - index: 0 @@ -111,7 +119,7 @@ spec: } } - test_killer(t, configHook, test, checker, checkerFunc) + testKiller(t, configHook, test, "", checker, checkerFunc) } func TestKillerSignal(t *testing.T) { @@ -139,7 +147,7 @@ spec: event: "sys_enter" args: - index: 4 - type: "uint64" + type: "syscall64" selectors: - matchArgs: - index: 0 @@ -171,7 +179,7 @@ spec: } } - test_killer(t, configHook, test, checker, checkerFunc) + testKiller(t, configHook, test, "", checker, checkerFunc) } func TestKillerMulti(t *testing.T) { @@ -204,7 +212,7 @@ spec: event: "sys_enter" args: - index: 4 - type: "uint64" + type: "syscall64" selectors: - matchArgs: - index: 0 
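Review bot: The three new tests in killer_amd64_test.go only check that a listed 32-bit syscall is matched; none checks that the 32-bit tester is left alone when the list holds only the 64-bit name `sys_prctl`, or the reverse. That negative case is what separates ABI-aware matching from matching on the bare number, so a regression to the old behaviour would still pass these tests. Add a case that runs `killer-tester-32` under a policy listing only `sys_prctl` and expects the tester not to be killed or overridden, and the mirror case for `killer-tester` with only `__ia32_sys_prctl`.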
diff --git a/pkg/sensors/tracing/lists.go b/pkg/sensors/tracing/lists.go index 0ed202e130c..252e8f85127 100644 --- a/pkg/sensors/tracing/lists.go +++ b/pkg/sensors/tracing/lists.go @@ -10,6 +10,7 @@ import ( "github.com/cilium/tetragon/pkg/arch" "github.com/cilium/tetragon/pkg/btf" "github.com/cilium/tetragon/pkg/ftrace" + gt "github.com/cilium/tetragon/pkg/generictypes" "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1" "github.com/cilium/tetragon/pkg/syscallinfo" ) @@ -30,6 +31,8 @@ const ( ListTypeSyscalls = 1 ListTypeGeneratedSyscalls = 2 ListTypeGeneratedFtrace = 3 + + Is32Bit = 0x80000000 ) var listTypeTable = map[string]uint32{ @@ -60,6 +63,10 @@ func validateList(list *v1alpha1.ListSpec) (err error) { // Add prefix to syscalls list if listTypeFromString(list.Type) == ListTypeSyscalls { for idx := range list.Values { + // keep symbols with '__' prefix + if strings.HasPrefix(list.Values[idx], "__") { + continue + } symbol, err := arch.AddSyscallPrefix(list.Values[idx]) if err != nil { return err @@ -117,7 +124,7 @@ type listReader struct { lists []v1alpha1.ListSpec } -func (lr *listReader) Read(name string) ([]uint32, error) { +func (lr *listReader) Read(name string, ty uint32) ([]uint32, error) { list := func() *v1alpha1.ListSpec { for idx := range lr.lists { if lr.lists[idx].Name == name { 
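Review bot: The new check in `validateList()` skips `arch.AddSyscallPrefix` for any value that starts with `__`, not only for the prefixes listed in `supportedArchPrefix`, so a misspelt or foreign-architecture name passes validation here and is caught, if at all, only when the list is read later. Checking against the known prefixes at this point (through a helper exported from `pkg/arch`) would reject such entries when the policy is loaded, with an error naming the offending value. The function continues outside the hunk.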
@@ -133,16 +140,31 @@ func (lr *listReader) Read(name string) ([]uint32, error) { if !isSyscallListType(list.Type) { return []uint32{}, fmt.Errorf("Error list '%s' is not syscall type", name) } + if ty != gt.GenericSyscall64 { + return []uint32{}, fmt.Errorf("Error list '%s' argument type is not syscall64", name) + } - var res []uint32 + var ( + res []uint32 + id int + ) for idx := range list.Values { - sc := arch.CutSyscallPrefix(list.Values[idx]) + sc, is32 := arch.CutSyscallPrefix(list.Values[idx]) sc = strings.TrimPrefix(sc, "sys_") - id := syscallinfo.GetSyscallID(sc) + + if is32 { + id = syscallinfo.GetSyscallID32(sc) + } else { + id = syscallinfo.GetSyscallID(sc) + } + if id == -1 { return []uint32{}, fmt.Errorf("failed list '%s' cannot translate syscall '%s'", name, sc) } + if is32 { + id |= Is32Bit + } res = append(res, uint32(id)) } diff --git a/pkg/sensors/tracing/tracepoint_amd64_test.go b/pkg/sensors/tracing/tracepoint_amd64_test.go index 3bd7d339f05..82f60e6ff73 100644 --- a/pkg/sensors/tracing/tracepoint_amd64_test.go +++ b/pkg/sensors/tracing/tracepoint_amd64_test.go @@ -76,7 +76,7 @@ spec: event: "sys_enter" args: - index: 4 - type: "uint64" + type: "syscall64" - index: 5 type: "uint64" selectors: diff --git a/pkg/sensors/tracing/tracepoint_test.go b/pkg/sensors/tracing/tracepoint_test.go index d7631a78a3d..eeb0169d40c 100644 --- a/pkg/sensors/tracing/tracepoint_test.go +++ b/pkg/sensors/tracing/tracepoint_test.go @@ -809,7 +809,7 @@ spec: event: "sys_enter" args: - index: 4 - type: "uint64" + type: "syscall64" - index: 5 type: "uint64" selectors: diff --git a/pkg/syscallinfo/i386/linux.go b/pkg/syscallinfo/i386/linux.go new file mode 100644 index 00000000000..c44b51223ac --- /dev/null +++ b/pkg/syscallinfo/i386/linux.go 
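Review bot: `Read()` derives the lookup name by cutting the arch prefix and then trimming `sys_`, so where the kernel names a 32-bit entry point `__ia32_compat_sys_NAME` the remainder `compat_sys_NAME` is passed to `GetSyscallID32` and rejected as untranslatable. The documentation added in this commit tells users to give the full function name, so either trim `compat_` here as well or state that the `__ia32_sys_NAME` form must be used. Separately, `Is32Bit` in lists.go has to stay equal to `IS_32BIT` in bpf/process/types/basic.h; a comment on each, such as `// must match IS_32BIT in bpf/process/types/basic.h`, would keep the two from drifting apart.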
@@ -0,0 +1,452 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Tetragon + +//go:build amd64 && linux +// +build amd64,linux + +package i386 + +const ( + SYS_RESTART_SYSCALL = 0 + SYS_EXIT = 1 + SYS_FORK = 2 + SYS_READ = 3 + SYS_WRITE = 4 + SYS_OPEN = 5 + SYS_CLOSE = 6 + SYS_WAITPID = 7 + SYS_CREAT = 8 + SYS_LINK = 9 + SYS_UNLINK = 10 + SYS_EXECVE = 11 + SYS_CHDIR = 12 + SYS_TIME = 13 + SYS_MKNOD = 14 + SYS_CHMOD = 15 + SYS_LCHOWN = 16 + SYS_BREAK = 17 + SYS_OLDSTAT = 18 + SYS_LSEEK = 19 + SYS_GETPID = 20 + SYS_MOUNT = 21 + SYS_UMOUNT = 22 + SYS_SETUID = 23 + SYS_GETUID = 24 + SYS_STIME = 25 + SYS_PTRACE = 26 + SYS_ALARM = 27 + SYS_OLDFSTAT = 28 + SYS_PAUSE = 29 + SYS_UTIME = 30 + SYS_STTY = 31 + SYS_GTTY = 32 + SYS_ACCESS = 33 + SYS_NICE = 34 + SYS_FTIME = 35 + SYS_SYNC = 36 + SYS_KILL = 37 + SYS_RENAME = 38 + SYS_MKDIR = 39 + SYS_RMDIR = 40 + SYS_DUP = 41 + SYS_PIPE = 42 + SYS_TIMES = 43 + SYS_PROF = 44 + SYS_BRK = 45 + SYS_SETGID = 46 + SYS_GETGID = 47 + SYS_SIGNAL = 48 + SYS_GETEUID = 49 + SYS_GETEGID = 50 + SYS_ACCT = 51 + SYS_UMOUNT2 = 52 + SYS_LOCK = 53 + SYS_IOCTL = 54 + SYS_FCNTL = 55 + SYS_MPX = 56 + SYS_SETPGID = 57 + SYS_ULIMIT = 58 + SYS_OLDOLDUNAME = 59 + SYS_UMASK = 60 + SYS_CHROOT = 61 + SYS_USTAT = 62 + SYS_DUP2 = 63 + SYS_GETPPID = 64 + SYS_GETPGRP = 65 + SYS_SETSID = 66 + SYS_SIGACTION = 67 + SYS_SGETMASK = 68 + SYS_SSETMASK = 69 + SYS_SETREUID = 70 + SYS_SETREGID = 71 + SYS_SIGSUSPEND = 72 + SYS_SIGPENDING = 73 + SYS_SETHOSTNAME = 74 + SYS_SETRLIMIT = 75 + SYS_GETRLIMIT = 76 + SYS_GETRUSAGE = 77 + SYS_GETTIMEOFDAY = 78 + SYS_SETTIMEOFDAY = 79 + SYS_GETGROUPS = 80 + SYS_SETGROUPS = 81 + SYS_SELECT = 82 + SYS_SYMLINK = 83 + SYS_OLDLSTAT = 84 + SYS_READLINK = 85 + SYS_USELIB = 86 + SYS_SWAPON = 87 + SYS_REBOOT = 88 + SYS_READDIR = 89 + SYS_MMAP = 90 + SYS_MUNMAP = 91 + SYS_TRUNCATE = 92 + SYS_FTRUNCATE = 93 + SYS_FCHMOD = 94 + SYS_FCHOWN = 95 + SYS_GETPRIORITY = 96 + SYS_SETPRIORITY = 97 + SYS_PROFIL = 98 + SYS_STATFS = 99 + 
SYS_FSTATFS = 100 + SYS_IOPERM = 101 + SYS_SOCKETCALL = 102 + SYS_SYSLOG = 103 + SYS_SETITIMER = 104 + SYS_GETITIMER = 105 + SYS_STAT = 106 + SYS_LSTAT = 107 + SYS_FSTAT = 108 + SYS_OLDUNAME = 109 + SYS_IOPL = 110 + SYS_VHANGUP = 111 + SYS_IDLE = 112 + SYS_VM86OLD = 113 + SYS_WAIT4 = 114 + SYS_SWAPOFF = 115 + SYS_SYSINFO = 116 + SYS_IPC = 117 + SYS_FSYNC = 118 + SYS_SIGRETURN = 119 + SYS_CLONE = 120 + SYS_SETDOMAINNAME = 121 + SYS_UNAME = 122 + SYS_MODIFY_LDT = 123 + SYS_ADJTIMEX = 124 + SYS_MPROTECT = 125 + SYS_SIGPROCMASK = 126 + SYS_CREATE_MODULE = 127 + SYS_INIT_MODULE = 128 + SYS_DELETE_MODULE = 129 + SYS_GET_KERNEL_SYMS = 130 + SYS_QUOTACTL = 131 + SYS_GETPGID = 132 + SYS_FCHDIR = 133 + SYS_BDFLUSH = 134 + SYS_SYSFS = 135 + SYS_PERSONALITY = 136 + SYS_AFS_SYSCALL = 137 + SYS_SETFSUID = 138 + SYS_SETFSGID = 139 + SYS__LLSEEK = 140 + SYS_GETDENTS = 141 + SYS__NEWSELECT = 142 + SYS_FLOCK = 143 + SYS_MSYNC = 144 + SYS_READV = 145 + SYS_WRITEV = 146 + SYS_GETSID = 147 + SYS_FDATASYNC = 148 + SYS__SYSCTL = 149 + SYS_MLOCK = 150 + SYS_MUNLOCK = 151 + SYS_MLOCKALL = 152 + SYS_MUNLOCKALL = 153 + SYS_SCHED_SETPARAM = 154 + SYS_SCHED_GETPARAM = 155 + SYS_SCHED_SETSCHEDULER = 156 + SYS_SCHED_GETSCHEDULER = 157 + SYS_SCHED_YIELD = 158 + SYS_SCHED_GET_PRIORITY_MAX = 159 + SYS_SCHED_GET_PRIORITY_MIN = 160 + SYS_SCHED_RR_GET_INTERVAL = 161 + SYS_NANOSLEEP = 162 + SYS_MREMAP = 163 + SYS_SETRESUID = 164 + SYS_GETRESUID = 165 + SYS_VM86 = 166 + SYS_QUERY_MODULE = 167 + SYS_POLL = 168 + SYS_NFSSERVCTL = 169 + SYS_SETRESGID = 170 + SYS_GETRESGID = 171 + SYS_PRCTL = 172 + SYS_RT_SIGRETURN = 173 + SYS_RT_SIGACTION = 174 + SYS_RT_SIGPROCMASK = 175 + SYS_RT_SIGPENDING = 176 + SYS_RT_SIGTIMEDWAIT = 177 + SYS_RT_SIGQUEUEINFO = 178 + SYS_RT_SIGSUSPEND = 179 + SYS_PREAD64 = 180 + SYS_PWRITE64 = 181 + SYS_CHOWN = 182 + SYS_GETCWD = 183 + SYS_CAPGET = 184 + SYS_CAPSET = 185 + SYS_SIGALTSTACK = 186 + SYS_SENDFILE = 187 + SYS_GETPMSG = 188 + SYS_PUTPMSG = 189 + SYS_VFORK = 190 + 
SYS_UGETRLIMIT = 191 + SYS_MMAP2 = 192 + SYS_TRUNCATE64 = 193 + SYS_FTRUNCATE64 = 194 + SYS_STAT64 = 195 + SYS_LSTAT64 = 196 + SYS_FSTAT64 = 197 + SYS_LCHOWN32 = 198 + SYS_GETUID32 = 199 + SYS_GETGID32 = 200 + SYS_GETEUID32 = 201 + SYS_GETEGID32 = 202 + SYS_SETREUID32 = 203 + SYS_SETREGID32 = 204 + SYS_GETGROUPS32 = 205 + SYS_SETGROUPS32 = 206 + SYS_FCHOWN32 = 207 + SYS_SETRESUID32 = 208 + SYS_GETRESUID32 = 209 + SYS_SETRESGID32 = 210 + SYS_GETRESGID32 = 211 + SYS_CHOWN32 = 212 + SYS_SETUID32 = 213 + SYS_SETGID32 = 214 + SYS_SETFSUID32 = 215 + SYS_SETFSGID32 = 216 + SYS_PIVOT_ROOT = 217 + SYS_MINCORE = 218 + SYS_MADVISE = 219 + SYS_GETDENTS64 = 220 + SYS_FCNTL64 = 221 + SYS_GETTID = 224 + SYS_READAHEAD = 225 + SYS_SETXATTR = 226 + SYS_LSETXATTR = 227 + SYS_FSETXATTR = 228 + SYS_GETXATTR = 229 + SYS_LGETXATTR = 230 + SYS_FGETXATTR = 231 + SYS_LISTXATTR = 232 + SYS_LLISTXATTR = 233 + SYS_FLISTXATTR = 234 + SYS_REMOVEXATTR = 235 + SYS_LREMOVEXATTR = 236 + SYS_FREMOVEXATTR = 237 + SYS_TKILL = 238 + SYS_SENDFILE64 = 239 + SYS_FUTEX = 240 + SYS_SCHED_SETAFFINITY = 241 + SYS_SCHED_GETAFFINITY = 242 + SYS_SET_THREAD_AREA = 243 + SYS_GET_THREAD_AREA = 244 + SYS_IO_SETUP = 245 + SYS_IO_DESTROY = 246 + SYS_IO_GETEVENTS = 247 + SYS_IO_SUBMIT = 248 + SYS_IO_CANCEL = 249 + SYS_FADVISE64 = 250 + SYS_EXIT_GROUP = 252 + SYS_LOOKUP_DCOOKIE = 253 + SYS_EPOLL_CREATE = 254 + SYS_EPOLL_CTL = 255 + SYS_EPOLL_WAIT = 256 + SYS_REMAP_FILE_PAGES = 257 + SYS_SET_TID_ADDRESS = 258 + SYS_TIMER_CREATE = 259 + SYS_TIMER_SETTIME = 260 + SYS_TIMER_GETTIME = 261 + SYS_TIMER_GETOVERRUN = 262 + SYS_TIMER_DELETE = 263 + SYS_CLOCK_SETTIME = 264 + SYS_CLOCK_GETTIME = 265 + SYS_CLOCK_GETRES = 266 + SYS_CLOCK_NANOSLEEP = 267 + SYS_STATFS64 = 268 + SYS_FSTATFS64 = 269 + SYS_TGKILL = 270 + SYS_UTIMES = 271 + SYS_FADVISE64_64 = 272 + SYS_VSERVER = 273 + SYS_MBIND = 274 + SYS_GET_MEMPOLICY = 275 + SYS_SET_MEMPOLICY = 276 + SYS_MQ_OPEN = 277 + SYS_MQ_UNLINK = 278 + SYS_MQ_TIMEDSEND = 279 + SYS_MQ_TIMEDRECEIVE = 
280 + SYS_MQ_NOTIFY = 281 + SYS_MQ_GETSETATTR = 282 + SYS_KEXEC_LOAD = 283 + SYS_WAITID = 284 + SYS_ADD_KEY = 286 + SYS_REQUEST_KEY = 287 + SYS_KEYCTL = 288 + SYS_IOPRIO_SET = 289 + SYS_IOPRIO_GET = 290 + SYS_INOTIFY_INIT = 291 + SYS_INOTIFY_ADD_WATCH = 292 + SYS_INOTIFY_RM_WATCH = 293 + SYS_MIGRATE_PAGES = 294 + SYS_OPENAT = 295 + SYS_MKDIRAT = 296 + SYS_MKNODAT = 297 + SYS_FCHOWNAT = 298 + SYS_FUTIMESAT = 299 + SYS_FSTATAT64 = 300 + SYS_UNLINKAT = 301 + SYS_RENAMEAT = 302 + SYS_LINKAT = 303 + SYS_SYMLINKAT = 304 + SYS_READLINKAT = 305 + SYS_FCHMODAT = 306 + SYS_FACCESSAT = 307 + SYS_PSELECT6 = 308 + SYS_PPOLL = 309 + SYS_UNSHARE = 310 + SYS_SET_ROBUST_LIST = 311 + SYS_GET_ROBUST_LIST = 312 + SYS_SPLICE = 313 + SYS_SYNC_FILE_RANGE = 314 + SYS_TEE = 315 + SYS_VMSPLICE = 316 + SYS_MOVE_PAGES = 317 + SYS_GETCPU = 318 + SYS_EPOLL_PWAIT = 319 + SYS_UTIMENSAT = 320 + SYS_SIGNALFD = 321 + SYS_TIMERFD_CREATE = 322 + SYS_EVENTFD = 323 + SYS_FALLOCATE = 324 + SYS_TIMERFD_SETTIME = 325 + SYS_TIMERFD_GETTIME = 326 + SYS_SIGNALFD4 = 327 + SYS_EVENTFD2 = 328 + SYS_EPOLL_CREATE1 = 329 + SYS_DUP3 = 330 + SYS_PIPE2 = 331 + SYS_INOTIFY_INIT1 = 332 + SYS_PREADV = 333 + SYS_PWRITEV = 334 + SYS_RT_TGSIGQUEUEINFO = 335 + SYS_PERF_EVENT_OPEN = 336 + SYS_RECVMMSG = 337 + SYS_FANOTIFY_INIT = 338 + SYS_FANOTIFY_MARK = 339 + SYS_PRLIMIT64 = 340 + SYS_NAME_TO_HANDLE_AT = 341 + SYS_OPEN_BY_HANDLE_AT = 342 + SYS_CLOCK_ADJTIME = 343 + SYS_SYNCFS = 344 + SYS_SENDMMSG = 345 + SYS_SETNS = 346 + SYS_PROCESS_VM_READV = 347 + SYS_PROCESS_VM_WRITEV = 348 + SYS_KCMP = 349 + SYS_FINIT_MODULE = 350 + SYS_SCHED_SETATTR = 351 + SYS_SCHED_GETATTR = 352 + SYS_RENAMEAT2 = 353 + SYS_SECCOMP = 354 + SYS_GETRANDOM = 355 + SYS_MEMFD_CREATE = 356 + SYS_BPF = 357 + SYS_EXECVEAT = 358 + SYS_SOCKET = 359 + SYS_SOCKETPAIR = 360 + SYS_BIND = 361 + SYS_CONNECT = 362 + SYS_LISTEN = 363 + SYS_ACCEPT4 = 364 + SYS_GETSOCKOPT = 365 + SYS_SETSOCKOPT = 366 + SYS_GETSOCKNAME = 367 + SYS_GETPEERNAME = 368 + SYS_SENDTO = 369 + 
SYS_SENDMSG = 370 + SYS_RECVFROM = 371 + SYS_RECVMSG = 372 + SYS_SHUTDOWN = 373 + SYS_USERFAULTFD = 374 + SYS_MEMBARRIER = 375 + SYS_MLOCK2 = 376 + SYS_COPY_FILE_RANGE = 377 + SYS_PREADV2 = 378 + SYS_PWRITEV2 = 379 + SYS_PKEY_MPROTECT = 380 + SYS_PKEY_ALLOC = 381 + SYS_PKEY_FREE = 382 + SYS_STATX = 383 + SYS_ARCH_PRCTL = 384 + SYS_IO_PGETEVENTS = 385 + SYS_RSEQ = 386 + SYS_SEMGET = 393 + SYS_SEMCTL = 394 + SYS_SHMGET = 395 + SYS_SHMCTL = 396 + SYS_SHMAT = 397 + SYS_SHMDT = 398 + SYS_MSGGET = 399 + SYS_MSGSND = 400 + SYS_MSGRCV = 401 + SYS_MSGCTL = 402 + SYS_CLOCK_GETTIME64 = 403 + SYS_CLOCK_SETTIME64 = 404 + SYS_CLOCK_ADJTIME64 = 405 + SYS_CLOCK_GETRES_TIME64 = 406 + SYS_CLOCK_NANOSLEEP_TIME64 = 407 + SYS_TIMER_GETTIME64 = 408 + SYS_TIMER_SETTIME64 = 409 + SYS_TIMERFD_GETTIME64 = 410 + SYS_TIMERFD_SETTIME64 = 411 + SYS_UTIMENSAT_TIME64 = 412 + SYS_PSELECT6_TIME64 = 413 + SYS_PPOLL_TIME64 = 414 + SYS_IO_PGETEVENTS_TIME64 = 416 + SYS_RECVMMSG_TIME64 = 417 + SYS_MQ_TIMEDSEND_TIME64 = 418 + SYS_MQ_TIMEDRECEIVE_TIME64 = 419 + SYS_SEMTIMEDOP_TIME64 = 420 + SYS_RT_SIGTIMEDWAIT_TIME64 = 421 + SYS_FUTEX_TIME64 = 422 + SYS_SCHED_RR_GET_INTERVAL_TIME64 = 423 + SYS_PIDFD_SEND_SIGNAL = 424 + SYS_IO_URING_SETUP = 425 + SYS_IO_URING_ENTER = 426 + SYS_IO_URING_REGISTER = 427 + SYS_OPEN_TREE = 428 + SYS_MOVE_MOUNT = 429 + SYS_FSOPEN = 430 + SYS_FSCONFIG = 431 + SYS_FSMOUNT = 432 + SYS_FSPICK = 433 + SYS_PIDFD_OPEN = 434 + SYS_CLONE3 = 435 + SYS_CLOSE_RANGE = 436 + SYS_OPENAT2 = 437 + SYS_PIDFD_GETFD = 438 + SYS_FACCESSAT2 = 439 + SYS_PROCESS_MADVISE = 440 + SYS_EPOLL_PWAIT2 = 441 + SYS_MOUNT_SETATTR = 442 + SYS_QUOTACTL_FD = 443 + SYS_LANDLOCK_CREATE_RULESET = 444 + SYS_LANDLOCK_ADD_RULE = 445 + SYS_LANDLOCK_RESTRICT_SELF = 446 + SYS_MEMFD_SECRET = 447 + SYS_PROCESS_MRELEASE = 448 + SYS_FUTEX_WAITV = 449 + SYS_SET_MEMPOLICY_HOME_NODE = 450 + SYS_CACHESTAT = 451 + SYS_FCHMODAT2 = 452 +) 
diff --git a/pkg/syscallinfo/syscallinfo.go b/pkg/syscallinfo/syscallinfo.go index ff063df9005..8efcebf50c2 100644 --- a/pkg/syscallinfo/syscallinfo.go +++ b/pkg/syscallinfo/syscallinfo.go @@ -43,6 +43,14 @@ var syscallIDs = func() map[string]int { return ret }() +var syscallIDs32 = func() map[string]int { + ret := make(map[string]int, len(syscallNames32)) + for k, v := range syscallNames32 { + ret[v] = k + } + return ret +}() + func SyscallsNames() []string { ret := make([]string, 0, len(syscallNames)) @@ -62,6 +70,16 @@ func GetSyscallID(sysName string) int { return -1 } +// GetSyscallID returns the id of a syscall based on its name +// returns -1, if no system call was found +func GetSyscallID32(sysName string) int { + k := fmt.Sprintf("sys_%s", sysName) + if id, ok := syscallIDs32[k]; ok { + return id + } + return -1 +} + // GetSyscallName returns the name of a syscall based on its i d func GetSyscallName(sysID int) string { if name, ok := syscallNames[sysID]; ok { diff --git a/pkg/syscallinfo/syscallnames_amd64.go b/pkg/syscallinfo/syscallnames_amd64.go index 1c572057a5c..c05477511c0 100644 --- a/pkg/syscallinfo/syscallnames_amd64.go +++ b/pkg/syscallinfo/syscallnames_amd64.go @@ -7,6 +7,7 @@ package syscallinfo import ( + "github.com/cilium/tetragon/pkg/syscallinfo/i386" "golang.org/x/sys/unix" ) 
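Review bot: The inversion loop that builds `syscallIDs32` (first hunk of pkg/syscallinfo/syscallinfo.go) silently overwrites an entry when two IDs in `syscallNames32` share a name, and because Go map iteration order is unspecified, the ID that wins can differ between runs. This table is presumably used to turn syscall names into 32-bit syscall numbers for matching, so a collision should fail loudly rather than resolve to an arbitrary ID. A unit test along the lines of `if len(syscallIDs32) != len(syscallNames32) { t.Fatal("duplicate name in syscallNames32") }` would catch it. The existing `syscallIDs` builder, whose body starts outside this hunk, appears to have the same shape and would benefit from the same check.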
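Review bot: The doc comment on `GetSyscallID32` (second hunk of pkg/syscallinfo/syscallinfo.go) still opens with `GetSyscallID`, so godoc and linters attach it to the wrong identifier, and it does not say the lookup is against the 32-bit table. Suggested wording: `// GetSyscallID32 returns the id of a 32-bit syscall based on its name,` followed by `// or -1 if no such system call was found.` The comment should also state that on builds where `syscallNames32` is empty (the arm64, darwin and windows files in this diff) the function always returns -1. Callers there cannot tell an unknown name from a platform with no 32-bit table.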
@@ -374,3 +375,448 @@ var syscallNames = map[int]string{ // unix.SYS_FUTEX_WAITV: "sys_futex_waitv", // unix.SYS_SET_MEMPOLICY_HOME_NODE: "sys_set_mempolicy_home_node", } + +var syscallNames32 = map[int]string{ + i386.SYS_RESTART_SYSCALL: "sys_restart_syscall", + i386.SYS_EXIT: "sys_exit", + i386.SYS_FORK: "sys_fork", + i386.SYS_READ: "sys_read", + i386.SYS_WRITE: "sys_write", + i386.SYS_OPEN: "sys_open", + i386.SYS_CLOSE: "sys_close", + i386.SYS_WAITPID: "sys_waitpid", + i386.SYS_CREAT: "sys_creat", + i386.SYS_LINK: "sys_link", + i386.SYS_UNLINK: "sys_unlink", + i386.SYS_EXECVE: "sys_execve", + i386.SYS_CHDIR: "sys_chdir", + i386.SYS_TIME: "sys_time", + i386.SYS_MKNOD: "sys_mknod", + i386.SYS_CHMOD: "sys_chmod", + i386.SYS_LCHOWN: "sys_lchown", + i386.SYS_BREAK: "sys_break", + i386.SYS_OLDSTAT: "sys_oldstat", + i386.SYS_LSEEK: "sys_lseek", + i386.SYS_GETPID: "sys_getpid", + i386.SYS_MOUNT: "sys_mount", + i386.SYS_UMOUNT: "sys_umount", + i386.SYS_SETUID: "sys_setuid", + i386.SYS_GETUID: "sys_getuid", + i386.SYS_STIME: "sys_stime", + i386.SYS_PTRACE: "sys_ptrace", + i386.SYS_ALARM: "sys_alarm", + i386.SYS_OLDFSTAT: "sys_oldfstat", + i386.SYS_PAUSE: "sys_pause", + i386.SYS_UTIME: "sys_utime", + i386.SYS_STTY: "sys_stty", + i386.SYS_GTTY: "sys_gtty", + i386.SYS_ACCESS: "sys_access", + i386.SYS_NICE: "sys_nice", + i386.SYS_FTIME: "sys_ftime", + i386.SYS_SYNC: "sys_sync", + i386.SYS_KILL: "sys_kill", + i386.SYS_RENAME: "sys_rename", + i386.SYS_MKDIR: "sys_mkdir", + i386.SYS_RMDIR: "sys_rmdir", + i386.SYS_DUP: "sys_dup", + i386.SYS_PIPE: "sys_pipe", + i386.SYS_TIMES: "sys_times", + i386.SYS_PROF: "sys_prof", + i386.SYS_BRK: "sys_brk", + i386.SYS_SETGID: "sys_setgid", + i386.SYS_GETGID: "sys_getgid", + i386.SYS_SIGNAL: "sys_signal", + i386.SYS_GETEUID: "sys_geteuid", + i386.SYS_GETEGID: "sys_getegid", + i386.SYS_ACCT: "sys_acct", + i386.SYS_UMOUNT2: "sys_umount2", + i386.SYS_LOCK: "sys_lock", + i386.SYS_IOCTL: "sys_ioctl", + i386.SYS_FCNTL: "sys_fcntl", + i386.SYS_MPX: 
"sys_mpx", + i386.SYS_SETPGID: "sys_setpgid", + i386.SYS_ULIMIT: "sys_ulimit", + i386.SYS_OLDOLDUNAME: "sys_oldolduname", + i386.SYS_UMASK: "sys_umask", + i386.SYS_CHROOT: "sys_chroot", + i386.SYS_USTAT: "sys_ustat", + i386.SYS_DUP2: "sys_dup2", + i386.SYS_GETPPID: "sys_getppid", + i386.SYS_GETPGRP: "sys_getpgrp", + i386.SYS_SETSID: "sys_setsid", + i386.SYS_SIGACTION: "sys_sigaction", + i386.SYS_SGETMASK: "sys_sgetmask", + i386.SYS_SSETMASK: "sys_ssetmask", + i386.SYS_SETREUID: "sys_setreuid", + i386.SYS_SETREGID: "sys_setregid", + i386.SYS_SIGSUSPEND: "sys_sigsuspend", + i386.SYS_SIGPENDING: "sys_sigpending", + i386.SYS_SETHOSTNAME: "sys_sethostname", + i386.SYS_SETRLIMIT: "sys_setrlimit", + i386.SYS_GETRLIMIT: "sys_getrlimit", + i386.SYS_GETRUSAGE: "sys_getrusage", + i386.SYS_GETTIMEOFDAY: "sys_gettimeofday", + i386.SYS_SETTIMEOFDAY: "sys_settimeofday", + i386.SYS_GETGROUPS: "sys_getgroups", + i386.SYS_SETGROUPS: "sys_setgroups", + i386.SYS_SELECT: "sys_select", + i386.SYS_SYMLINK: "sys_symlink", + i386.SYS_OLDLSTAT: "sys_oldstat", + i386.SYS_READLINK: "sys_readlink", + i386.SYS_USELIB: "sys_uselib", + i386.SYS_SWAPON: "sys_swapon", + i386.SYS_REBOOT: "sys_reboot", + i386.SYS_READDIR: "sys_readdir", + i386.SYS_MMAP: "sys_mmap", + i386.SYS_MUNMAP: "sys_munmap", + i386.SYS_TRUNCATE: "sys_truncate", + i386.SYS_FTRUNCATE: "sys_ftruncate", + i386.SYS_FCHMOD: "sys_fchmod", + i386.SYS_FCHOWN: "sys_fchown", + i386.SYS_GETPRIORITY: "sys_getpriority", + i386.SYS_SETPRIORITY: "sys_setpriority", + i386.SYS_PROFIL: "sys_profil", + i386.SYS_STATFS: "sys_statfs", + i386.SYS_FSTATFS: "sys_fstatfs", + i386.SYS_IOPERM: "sys_ioperm", + i386.SYS_SOCKETCALL: "sys_socketcall", + i386.SYS_SYSLOG: "sys_syslog", + i386.SYS_SETITIMER: "sys_setitimer", + i386.SYS_GETITIMER: "sys_getitimer", + i386.SYS_STAT: "sys_stat", + i386.SYS_LSTAT: "sys_lstat", + i386.SYS_FSTAT: "sys_fstat", + i386.SYS_OLDUNAME: "sys_olduname", + i386.SYS_IOPL: "sys_iopl", + i386.SYS_VHANGUP: "sys_vhangup", + 
i386.SYS_IDLE: "sys_idle", + i386.SYS_VM86OLD: "sys_vm86old", + i386.SYS_WAIT4: "sys_wait4", + i386.SYS_SWAPOFF: "sys_swapoff", + i386.SYS_SYSINFO: "sys_sysinfo", + i386.SYS_IPC: "sys_ipc", + i386.SYS_FSYNC: "sys_fsync", + i386.SYS_SIGRETURN: "sys_sigreturn", + i386.SYS_CLONE: "sys_clone", + i386.SYS_SETDOMAINNAME: "sys_setdomainname", + i386.SYS_UNAME: "sys_uname", + i386.SYS_MODIFY_LDT: "sys_modify_ldt", + i386.SYS_ADJTIMEX: "sys_adjtimex", + i386.SYS_MPROTECT: "sys_mprotect", + i386.SYS_SIGPROCMASK: "sys_sigprocmask", + i386.SYS_CREATE_MODULE: "sys_create_module", + i386.SYS_INIT_MODULE: "sys_init_module", + i386.SYS_DELETE_MODULE: "sys_delete_module", + i386.SYS_GET_KERNEL_SYMS: "sys_get_kernel_syms", + i386.SYS_QUOTACTL: "sys_quotactl", + i386.SYS_GETPGID: "sys_getpgid", + i386.SYS_FCHDIR: "sys_fchdir", + i386.SYS_BDFLUSH: "sys_bdflush", + i386.SYS_SYSFS: "sys_sysfs", + i386.SYS_PERSONALITY: "sys_personality", + i386.SYS_AFS_SYSCALL: "sys_afs_syscall", + i386.SYS_SETFSUID: "sys_setfsuid", + i386.SYS_SETFSGID: "sys_setfsgid", + i386.SYS__LLSEEK: "sys__llseek", + i386.SYS_GETDENTS: "sys_getdents", + i386.SYS__NEWSELECT: "sys__newselect", + i386.SYS_FLOCK: "sys_flock", + i386.SYS_MSYNC: "sys_msync", + i386.SYS_READV: "sys_readv", + i386.SYS_WRITEV: "sys_writev", + i386.SYS_GETSID: "sys_getsid", + i386.SYS_FDATASYNC: "sys_fdatasync", + i386.SYS__SYSCTL: "sys__sysctl", + i386.SYS_MLOCK: "sys_mlock", + i386.SYS_MUNLOCK: "sys_munlock", + i386.SYS_MLOCKALL: "sys_mlockall", + i386.SYS_MUNLOCKALL: "sys_munlockall", + i386.SYS_SCHED_SETPARAM: "sys_sched_setparam", + i386.SYS_SCHED_GETPARAM: "sys_sched_getparam", + i386.SYS_SCHED_SETSCHEDULER: "sys_sched_setscheduler", + i386.SYS_SCHED_GETSCHEDULER: "sys_sched_getscheduler", + i386.SYS_SCHED_YIELD: "sys_sched_yield", + i386.SYS_SCHED_GET_PRIORITY_MAX: "sys_sched_get_priority_max", + i386.SYS_SCHED_GET_PRIORITY_MIN: "sys_sched_get_priority_min", + i386.SYS_SCHED_RR_GET_INTERVAL: "sys_sched_rr_get_interval", + 
i386.SYS_NANOSLEEP: "sys_nanosleep", + i386.SYS_MREMAP: "sys_mremap", + i386.SYS_SETRESUID: "sys_setresuid", + i386.SYS_GETRESUID: "sys_getresuid", + i386.SYS_VM86: "sys_vm86", + i386.SYS_QUERY_MODULE: "sys_query_module", + i386.SYS_POLL: "sys_poll", + i386.SYS_NFSSERVCTL: "sys_nfsservctl", + i386.SYS_SETRESGID: "sys_setresgid", + i386.SYS_GETRESGID: "sys_getresgid", + i386.SYS_PRCTL: "sys_prctl", + i386.SYS_RT_SIGRETURN: "sys_rt_sigreturn", + i386.SYS_RT_SIGACTION: "sys_rt_sigaction", + i386.SYS_RT_SIGPROCMASK: "sys_rt_sigprocmask", + i386.SYS_RT_SIGPENDING: "sys_rt_sigpending", + i386.SYS_RT_SIGTIMEDWAIT: "sys_rt_sigtimedwait", + i386.SYS_RT_SIGQUEUEINFO: "sys_rt_sigqueueinfo", + i386.SYS_RT_SIGSUSPEND: "sys_rt_sigsuspend", + i386.SYS_PREAD64: "sys_pread64", + i386.SYS_PWRITE64: "sys_pwrite64", + i386.SYS_CHOWN: "sys_chown", + i386.SYS_GETCWD: "sys_getcwd", + i386.SYS_CAPGET: "sys_capget", + i386.SYS_CAPSET: "sys_capset", + i386.SYS_SIGALTSTACK: "sys_sigaltstack", + i386.SYS_SENDFILE: "sys_sendfile", + i386.SYS_GETPMSG: "sys_getpmsg", + i386.SYS_PUTPMSG: "sys_putpmsg", + i386.SYS_VFORK: "sys_vfork", + i386.SYS_UGETRLIMIT: "sys_ugetrlimit", + i386.SYS_MMAP2: "sys_mmap2", + i386.SYS_TRUNCATE64: "sys_truncate64", + i386.SYS_FTRUNCATE64: "sys_ftruncate64", + i386.SYS_STAT64: "sys_stat64", + i386.SYS_LSTAT64: "sys_lstat64", + i386.SYS_FSTAT64: "sys_fstat64", + i386.SYS_LCHOWN32: "sys_lchown32", + i386.SYS_GETUID32: "sys_getuid32", + i386.SYS_GETGID32: "sys_getgid32", + i386.SYS_GETEUID32: "sys_geteuid32", + i386.SYS_GETEGID32: "sys_getegid32", + i386.SYS_SETREUID32: "sys_setreuid32", + i386.SYS_SETREGID32: "sys_setregid32", + i386.SYS_GETGROUPS32: "sys_getgroups32", + i386.SYS_SETGROUPS32: "sys_setgroups32", + i386.SYS_FCHOWN32: "sys_fchown32", + i386.SYS_SETRESUID32: "sys_setresuid32", + i386.SYS_GETRESUID32: "sys_getresuid32", + i386.SYS_SETRESGID32: "sys_setresgid32", + i386.SYS_GETRESGID32: "sys_getresgid32", + i386.SYS_CHOWN32: "sys_chown32", + i386.SYS_SETUID32: 
"sys_setuid32", + i386.SYS_SETGID32: "sys_setgid32", + i386.SYS_SETFSUID32: "sys_setfsuid32", + i386.SYS_SETFSGID32: "sys_setfsgid32", + i386.SYS_PIVOT_ROOT: "sys_pivot_root", + i386.SYS_MINCORE: "sys_mincore", + i386.SYS_MADVISE: "sys_madvise", + i386.SYS_GETDENTS64: "sys_getdents64", + i386.SYS_FCNTL64: "sys_fcntl64", + i386.SYS_GETTID: "sys_gettid", + i386.SYS_READAHEAD: "sys_readahead", + i386.SYS_SETXATTR: "sys_setxattr", + i386.SYS_LSETXATTR: "sys_lsetxattr", + i386.SYS_FSETXATTR: "sys_fsetxattr", + i386.SYS_GETXATTR: "sys_getxattr", + i386.SYS_LGETXATTR: "sys_lgetxattr", + i386.SYS_FGETXATTR: "sys_fgetxattr", + i386.SYS_LISTXATTR: "sys_listxattr", + i386.SYS_LLISTXATTR: "sys_llistxattr", + i386.SYS_FLISTXATTR: "sys_flistxattr", + i386.SYS_REMOVEXATTR: "sys_removexattr", + i386.SYS_LREMOVEXATTR: "sys_lremovexattr", + i386.SYS_FREMOVEXATTR: "sys_fremovexattr", + i386.SYS_TKILL: "sys_tkill", + i386.SYS_SENDFILE64: "sys_sendfile64", + i386.SYS_FUTEX: "sys_futex", + i386.SYS_SCHED_SETAFFINITY: "sys_sched_setaffinity", + i386.SYS_SCHED_GETAFFINITY: "sys_sched_getaffinity", + i386.SYS_SET_THREAD_AREA: "sys_set_thread_area", + i386.SYS_GET_THREAD_AREA: "sys_get_thread_area", + i386.SYS_IO_SETUP: "sys_io_setup", + i386.SYS_IO_DESTROY: "sys_io_destroy", + i386.SYS_IO_GETEVENTS: "sys_io_getevents", + i386.SYS_IO_SUBMIT: "sys_io_submit", + i386.SYS_IO_CANCEL: "sys_io_cancel", + i386.SYS_FADVISE64: "sys_fadvise64", + i386.SYS_EXIT_GROUP: "sys_exit_group", + i386.SYS_LOOKUP_DCOOKIE: "sys_lookup_dcookie", + i386.SYS_EPOLL_CREATE: "sys_epoll_create", + i386.SYS_EPOLL_CTL: "sys_epoll_ctl", + i386.SYS_EPOLL_WAIT: "sys_epoll_wait", + i386.SYS_REMAP_FILE_PAGES: "sys_remap_file_pages", + i386.SYS_SET_TID_ADDRESS: "sys_set_tid_address", + i386.SYS_TIMER_CREATE: "sys_timer_create", + i386.SYS_TIMER_SETTIME: "sys_timer_settime", + i386.SYS_TIMER_GETTIME: "sys_timer_gettime", + i386.SYS_TIMER_GETOVERRUN: "sys_timer_getoverrun", + i386.SYS_TIMER_DELETE: "sys_timer_delete", + 
i386.SYS_CLOCK_SETTIME: "sys_clock_settime", + i386.SYS_CLOCK_GETTIME: "sys_clock_gettime", + i386.SYS_CLOCK_GETRES: "sys_clock_getres", + i386.SYS_CLOCK_NANOSLEEP: "sys_clock_nanosleep", + i386.SYS_STATFS64: "sys_statfs64", + i386.SYS_FSTATFS64: "sys_fstatfs64", + i386.SYS_TGKILL: "sys_tgkill", + i386.SYS_UTIMES: "sys_utimes", + i386.SYS_FADVISE64_64: "sys_fadvise64_64", + i386.SYS_VSERVER: "sys_vserver", + i386.SYS_MBIND: "sys_mbind", + i386.SYS_GET_MEMPOLICY: "sys_get_mempolicy", + i386.SYS_SET_MEMPOLICY: "sys_set_mempolicy", + i386.SYS_MQ_OPEN: "sys_mq_open", + i386.SYS_MQ_UNLINK: "sys_mq_unlink", + i386.SYS_MQ_TIMEDSEND: "sys_mq_timedsend", + i386.SYS_MQ_TIMEDRECEIVE: "sys_mq_timedreceive", + i386.SYS_MQ_NOTIFY: "sys_mq_notify", + i386.SYS_MQ_GETSETATTR: "sys_mq_getsetattr", + i386.SYS_KEXEC_LOAD: "sys_kexec_load", + i386.SYS_WAITID: "sys_waitid", + i386.SYS_ADD_KEY: "sys_add_key", + i386.SYS_REQUEST_KEY: "sys_request_key", + i386.SYS_KEYCTL: "sys_keyctl", + i386.SYS_IOPRIO_SET: "sys_ioprio_set", + i386.SYS_IOPRIO_GET: "sys_ioprio_get", + i386.SYS_INOTIFY_INIT: "sys_inotify_init", + i386.SYS_INOTIFY_ADD_WATCH: "sys_inotify_add_watch", + i386.SYS_INOTIFY_RM_WATCH: "sys_inotify_rm_watch", + i386.SYS_MIGRATE_PAGES: "sys_migrate_pages", + i386.SYS_OPENAT: "sys_openat", + i386.SYS_MKDIRAT: "sys_mkdirat", + i386.SYS_MKNODAT: "sys_mknodat", + i386.SYS_FCHOWNAT: "sys_fchownat", + i386.SYS_FUTIMESAT: "sys_futimesat", + i386.SYS_FSTATAT64: "sys_fstatat64", + i386.SYS_UNLINKAT: "sys_unlinkat", + i386.SYS_RENAMEAT: "sys_renameat", + i386.SYS_LINKAT: "sys_linkat", + i386.SYS_SYMLINKAT: "sys_symlinkat", + i386.SYS_READLINKAT: "sys_readlinkat", + i386.SYS_FCHMODAT: "sys_fchmodat", + i386.SYS_FACCESSAT: "sys_faccessat", + i386.SYS_PSELECT6: "sys_pselect6", + i386.SYS_PPOLL: "sys_ppoll", + i386.SYS_UNSHARE: "sys_unshare", + i386.SYS_SET_ROBUST_LIST: "sys_set_robust_list", + i386.SYS_GET_ROBUST_LIST: "sys_get_robust_list", + i386.SYS_SPLICE: "sys_splice", + 
i386.SYS_SYNC_FILE_RANGE: "sys_sync_file_range", + i386.SYS_TEE: "sys_tee", + i386.SYS_VMSPLICE: "sys_vmsplice", + i386.SYS_MOVE_PAGES: "sys_move_pages", + i386.SYS_GETCPU: "sys_getcpu", + i386.SYS_EPOLL_PWAIT: "sys_epoll_pwait", + i386.SYS_UTIMENSAT: "sys_utimensat", + i386.SYS_SIGNALFD: "sys_signalfd", + i386.SYS_TIMERFD_CREATE: "sys_timerfd_create", + i386.SYS_EVENTFD: "sys_eventfd", + i386.SYS_FALLOCATE: "sys_fallocate", + i386.SYS_TIMERFD_SETTIME: "sys_timerfd_settime", + i386.SYS_TIMERFD_GETTIME: "sys_timerfd_gettime", + i386.SYS_SIGNALFD4: "sys_signalfd4", + i386.SYS_EVENTFD2: "sys_eventfd2", + i386.SYS_EPOLL_CREATE1: "sys_epoll_create1", + i386.SYS_DUP3: "sys_dup3", + i386.SYS_PIPE2: "sys_pipe2", + i386.SYS_INOTIFY_INIT1: "sys_inotify_init1", + i386.SYS_PREADV: "sys_preadv", + i386.SYS_PWRITEV: "sys_pwritev", + i386.SYS_RT_TGSIGQUEUEINFO: "sys_rt_tgsigqueueinfo", + i386.SYS_PERF_EVENT_OPEN: "sys_perf_event_open", + i386.SYS_RECVMMSG: "sys_recvmmsg", + i386.SYS_FANOTIFY_INIT: "sys_fanotify_init", + i386.SYS_FANOTIFY_MARK: "sys_fanotify_mark", + i386.SYS_PRLIMIT64: "sys_prlimit64", + i386.SYS_NAME_TO_HANDLE_AT: "sys_name_to_handle_at", + i386.SYS_OPEN_BY_HANDLE_AT: "sys_open_by_handle_at", + i386.SYS_CLOCK_ADJTIME: "sys_clock_adjtime", + i386.SYS_SYNCFS: "sys_syncfs", + i386.SYS_SENDMMSG: "sys_sendmmsg", + i386.SYS_SETNS: "sys_setns", + i386.SYS_PROCESS_VM_READV: "sys_process_vm_readv", + i386.SYS_PROCESS_VM_WRITEV: "sys_process_vm_writev", + i386.SYS_KCMP: "sys_kcmp", + i386.SYS_FINIT_MODULE: "sys_finit_module", + i386.SYS_SCHED_SETATTR: "sys_sched_setattr", + i386.SYS_SCHED_GETATTR: "sys_sched_getattr", + i386.SYS_RENAMEAT2: "sys_renameat2", + i386.SYS_SECCOMP: "sys_seccomp", + i386.SYS_GETRANDOM: "sys_getrandom", + i386.SYS_MEMFD_CREATE: "sys_memfd_create", + i386.SYS_BPF: "sys_bpf", + i386.SYS_EXECVEAT: "sys_execveat", + i386.SYS_SOCKET: "sys_socket", + i386.SYS_SOCKETPAIR: "sys_socketpair", + i386.SYS_BIND: "sys_bind", + i386.SYS_CONNECT: "sys_connect", 
+ i386.SYS_LISTEN: "sys_listen", + i386.SYS_ACCEPT4: "sys_accept4", + i386.SYS_GETSOCKOPT: "sys_getsockopt", + i386.SYS_SETSOCKOPT: "sys_setsockopt", + i386.SYS_GETSOCKNAME: "sys_getsockname", + i386.SYS_GETPEERNAME: "sys_getpeername", + i386.SYS_SENDTO: "sys_sendto", + i386.SYS_SENDMSG: "sys_sendmsg", + i386.SYS_RECVFROM: "sys_recvfrom", + i386.SYS_RECVMSG: "sys_recvmsg", + i386.SYS_SHUTDOWN: "sys_shutdown", + i386.SYS_USERFAULTFD: "sys_userfaultfd", + i386.SYS_MEMBARRIER: "sys_membarrier", + i386.SYS_MLOCK2: "sys_mlock2", + i386.SYS_COPY_FILE_RANGE: "sys_copy_file_range", + i386.SYS_PREADV2: "sys_preadv2", + i386.SYS_PWRITEV2: "sys_pwritev2", + i386.SYS_PKEY_MPROTECT: "sys_pkey_mprotect", + i386.SYS_PKEY_ALLOC: "sys_pkey_alloc", + i386.SYS_PKEY_FREE: "sys_pkey_free", + i386.SYS_STATX: "sys_statx", + i386.SYS_ARCH_PRCTL: "sys_arch_prctl", + i386.SYS_IO_PGETEVENTS: "sys_io_pgetevents", + i386.SYS_RSEQ: "sys_rseq", + i386.SYS_SEMGET: "sys_semget", + i386.SYS_SEMCTL: "sys_semctl", + i386.SYS_SHMGET: "sys_shmget", + i386.SYS_SHMCTL: "sys_shmctl", + i386.SYS_SHMAT: "sys_shmat", + i386.SYS_SHMDT: "sys_shmdt", + i386.SYS_MSGGET: "sys_msgget", + i386.SYS_MSGSND: "sys_msgsnd", + i386.SYS_MSGRCV: "sys_msgrcv", + i386.SYS_MSGCTL: "sys_msgctl", + i386.SYS_CLOCK_GETTIME64: "sys_clock_gettime64", + i386.SYS_CLOCK_SETTIME64: "sys_clock_settime64", + i386.SYS_CLOCK_ADJTIME64: "sys_clock_adjtime64", + i386.SYS_CLOCK_GETRES_TIME64: "sys_clock_getres_time64", + i386.SYS_CLOCK_NANOSLEEP_TIME64: "sys_clock_nanosleep_time64", + i386.SYS_TIMER_GETTIME64: "sys_timer_gettime64", + i386.SYS_TIMER_SETTIME64: "sys_timer_settime64", + i386.SYS_TIMERFD_GETTIME64: "sys_timerfd_gettime64", + i386.SYS_TIMERFD_SETTIME64: "sys_timerfd_settime64", + i386.SYS_UTIMENSAT_TIME64: "sys_utimensat_time64", + i386.SYS_PSELECT6_TIME64: "sys_pselect6_time64", + i386.SYS_PPOLL_TIME64: "sys_ppoll_time64", + i386.SYS_IO_PGETEVENTS_TIME64: "sys_io_pgetevents_time64", + i386.SYS_RECVMMSG_TIME64: 
"sys_recvmsg_time64", + i386.SYS_MQ_TIMEDSEND_TIME64: "sys_mq_timedsend_time64", + i386.SYS_MQ_TIMEDRECEIVE_TIME64: "sys_mq_timedreceive_time64", + i386.SYS_SEMTIMEDOP_TIME64: "sys_semtimedop_time64", + i386.SYS_RT_SIGTIMEDWAIT_TIME64: "sys_rt_sigtimedwait_time64", + i386.SYS_FUTEX_TIME64: "sys_futex_time64", + i386.SYS_SCHED_RR_GET_INTERVAL_TIME64: "sys_sched_rr_get_interval_time64", + i386.SYS_PIDFD_SEND_SIGNAL: "sys_pidfd_send_signal", + i386.SYS_IO_URING_SETUP: "sys_io_uring_setup", + i386.SYS_IO_URING_ENTER: "sys_io_uring_enter", + i386.SYS_IO_URING_REGISTER: "sys_io_uring_register", + i386.SYS_OPEN_TREE: "sys_open_tree", + i386.SYS_MOVE_MOUNT: "sys_move_mount", + i386.SYS_FSOPEN: "sys_fsopen", + i386.SYS_FSCONFIG: "sys_fsconfig", + i386.SYS_FSMOUNT: "sys_fsmount", + i386.SYS_FSPICK: "sys_fspick", + i386.SYS_PIDFD_OPEN: "sys_pidfd_open", + i386.SYS_CLONE3: "sys_clone3", + i386.SYS_CLOSE_RANGE: "sys_close_range", + i386.SYS_OPENAT2: "sys_openat2", + i386.SYS_PIDFD_GETFD: "sys_pidfd_getfd", + i386.SYS_FACCESSAT2: "sys_faccessat2", + i386.SYS_PROCESS_MADVISE: "sys_process_madvise", + i386.SYS_EPOLL_PWAIT2: "sys_epoll_pwait2", + i386.SYS_MOUNT_SETATTR: "sys_mount_setattr", + i386.SYS_QUOTACTL_FD: "sys_quotactl_fd", + i386.SYS_LANDLOCK_CREATE_RULESET: "sys_landlock_create_ruleset", + i386.SYS_LANDLOCK_ADD_RULE: "sys_landlock_add_rule", + i386.SYS_LANDLOCK_RESTRICT_SELF: "sys_landlock_restrict_self", + i386.SYS_MEMFD_SECRET: "sys_memfd_secret", + i386.SYS_PROCESS_MRELEASE: "sys_process_mrelease", + i386.SYS_FUTEX_WAITV: "sys_futex_waitv", + i386.SYS_SET_MEMPOLICY_HOME_NODE: "sys_set_mempolicy_home_node", + i386.SYS_CACHESTAT: "sys_cachestat", + i386.SYS_FCHMODAT2: "sys_fchmodat2", +} diff --git a/pkg/syscallinfo/syscallnames_arm64.go b/pkg/syscallinfo/syscallnames_arm64.go index 88320235feb..b6c92bde2ce 100644 --- a/pkg/syscallinfo/syscallnames_arm64.go +++ b/pkg/syscallinfo/syscallnames_arm64.go 
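Review bot: Two names in `syscallNames32` look mistyped: `i386.SYS_OLDLSTAT: "sys_oldstat"` repeats the name already given to `i386.SYS_OLDSTAT`, and `i386.SYS_RECVMMSG_TIME64: "sys_recvmsg_time64"` drops an `m`. The first leaves the reverse map in syscallinfo.go with one entry for two IDs, so `GetSyscallID32("oldstat")` can return either number depending on map iteration order and `oldlstat` never resolves; the second makes `recvmmsg_time64` unresolvable under its real name. For a tool that selects and reports syscalls by name, a 32-bit call could then go unmatched or be labelled as a different syscall. Proposed values: `"sys_oldlstat"` and `"sys_recvmmsg_time64"`.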
@@ -317,3 +317,5 @@ var syscallNames = map[int]string{ // unix.SYS_FUTEX_WAITV: "sys_futex_waitv", // unix.SYS_SET_MEMPOLICY_HOME_NODE: "sys_set_mempolicy_home_node", } + +var syscallNames32 = map[int]string{} diff --git a/pkg/syscallinfo/syscallnames_darwin.go b/pkg/syscallinfo/syscallnames_darwin.go index badb3c67f4d..96ff5190f25 100644 --- a/pkg/syscallinfo/syscallnames_darwin.go +++ b/pkg/syscallinfo/syscallnames_darwin.go @@ -373,3 +373,5 @@ var syscallNames = map[int]string{ // unix.SYS_FUTEX_WAITV: "sys_futex_waitv", // unix.SYS_SET_MEMPOLICY_HOME_NODE: "sys_set_mempolicy_home_node", } + +var syscallNames32 = map[int]string{} diff --git a/pkg/syscallinfo/syscallnames_windows.go b/pkg/syscallinfo/syscallnames_windows.go index e4c8365bdc3..ffbe1112b05 100644 --- a/pkg/syscallinfo/syscallnames_windows.go +++ b/pkg/syscallinfo/syscallnames_windows.go @@ -7,3 +7,4 @@ package syscallinfo // Define syscalNames variable so that we can compile tetra CLI for windows. var syscallNames = map[int]string{} +var syscallNames32 = map[int]string{} diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index fd462c12e1d..9ba938e3281 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -121,6 +121,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index @@ -202,6 +203,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index @@ -752,6 +754,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index 
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 815d6a6fed9..a50691711db 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -121,6 +121,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index @@ -202,6 +203,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index @@ -752,6 +754,7 @@ spec: - cred - load_info - module + - syscall64 type: string required: - index diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 85a9203011a..61da63107c5 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -51,7 +51,7 @@ type KProbeArg struct { // +kubebuilder:validation:Minimum=0 // Position of the argument. Index uint32 `json:"index"` - // +kubebuilder:validation:Enum=auto;int;uint32;int32;uint64;int64;char_buf;char_iovec;size_t;skb;sock;string;fd;file;filename;path;nop;bpf_attr;perf_event;bpf_map;user_namespace;capability;kiocb;iov_iter;cred;load_info;module; + // +kubebuilder:validation:Enum=auto;int;uint32;int32;uint64;int64;char_buf;char_iovec;size_t;skb;sock;string;fd;file;filename;path;nop;bpf_attr;perf_event;bpf_map;user_namespace;capability;kiocb;iov_iter;cred;load_info;module;syscall64; // +kubebuilder:default=auto // Argument type. Type string `json:"type"`