// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
Copyright (C) 2023 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
#ifndef EVENTS_H_
#define EVENTS_H_
/* To know about __NR_socketcall */
#include <asm/unistd.h>
#include "ppm_consumer.h"
#ifdef CONFIG_COMPAT
#include <linux/compat.h>
#endif
#include "ppm_events_public.h"
/*
* Various crap that a callback might need
*/
/*
 * Page-fault context, embedded in event_filler_arguments as fault_data.
 * NOTE(review): this header does not establish how the fields are filled;
 * confirm against the page-fault callback that populates them.
 */
struct fault_data_t {
	unsigned long address; /* presumably the faulting address — confirm */
	struct pt_regs *regs; /* register state handed to the fault callback */
	unsigned long error_code; /* presumably the architecture fault error code — confirm */
};
/*
 * Everything a filler callback is handed for one event: the destination
 * slot in the ring buffer (buffer / buffer_size), a write cursor into it
 * (arg_data_offset / arg_data_size, advanced by add_sentinel() below),
 * the identity of the event, and the per-event-type inputs (registers,
 * tasks, signal and fault data).
 */
struct event_filler_arguments {
	ppm_consumer_t *consumer;
	char *buffer; /* the buffer that will be filled with the data */
	uint32_t buffer_size; /* the space in the ring buffer available for this event */
	uint32_t syscall_id; /* the system call ID */
#ifdef PPM_ENABLE_SENTINEL
	uint32_t sentinel; /* the word add_sentinel() stores into buffer */
#endif
	/* Argument bookkeeping. NOTE(review): the exact meaning of nevents,
	 * curarg and nargs is set by the fillers, not by this header. */
	uint32_t nevents;
	uint32_t curarg;
	uint32_t nargs;
	uint32_t arg_data_offset; /* write cursor: next free byte in buffer */
	uint32_t arg_data_size; /* bytes still free at arg_data_offset; add_sentinel() checks it before writing */
	ppm_event_code event_type; /* the event type */
	/* Eventually convert this to an event_info union and move all the
	 * below per-event params in this union, it's not good to waste kernel
	 * stack since all this stuff is always exclusive
	 */
	struct pt_regs *regs; /* the registers containing the call arguments */
	struct task_struct *sched_prev; /* for context switch events, the task that is being scheduled out */
	struct task_struct *sched_next; /* for context switch events, the task that is being scheduled in */
#ifdef CAPTURE_SCHED_PROC_FORK
	struct task_struct *child; /* for sched_process_fork events, this is the child task */
#endif
	char *str_storage; /* String storage. Size is one page. */
	unsigned long args[6]; /* presumably the raw syscall arguments — confirm ordering in the fillers */
	bool compat; /* assumed: set for 32-bit compat callers — confirm */
	int fd; /* Passed by some of the fillers to val_to_ring to compute the snaplen dynamically */
	bool enforce_snaplen; /* presumably gates the dynamic snaplen computed from fd — confirm in val_to_ring */
	int signo; /* Signal number */
	__kernel_pid_t spid; /* PID of source process */
	__kernel_pid_t dpid; /* PID of destination process */
	struct fault_data_t fault_data; /* For page faults */
};
/* Per-event-type table, defined elsewhere; presumably indexed by ppm_event_code — confirm. */
extern const struct ppm_event_entry g_ppm_events[];
/*
 * HTTP markers
 *
 * Every marker is exactly four bytes (note the trailing space in "GET "
 * and "PUT "), so a payload prefix can be compared with a fixed 4-byte
 * compare rather than a variable-length string match.
 */
#define HTTP_GET_STR "GET "
#define HTTP_OPTIONS_STR "OPTI"
#define HTTP_HEAD_STR "HEAD"
#define HTTP_POST_STR "POST"
#define HTTP_PUT_STR "PUT "
#define HTTP_DELETE_STR "DELE"
#define HTTP_TRACE_STR "TRAC"
#define HTTP_CONNECT_STR "CONN"
#define HTTP_RESP_STR "HTTP"
/*
 * Functions
 *
 * The helpers below write into caller-provided buffers and take the
 * remaining capacity explicitly (arg_data_size in args, or targetbufsize).
 * Parameter roles noted here are read off the signatures only; confirm
 * against the definitions in the corresponding .c file.
 */
int32_t dpi_lookahead_init(void);
/* Writes a parameter with no payload for the current argument slot of args. */
int32_t push_empty_param(struct event_filler_arguments *args);
/* Pushes one value into args->buffer; per the fd comment in
 * event_filler_arguments this is where the dynamic snaplen is applied.
 * NOTE(review): the meaning of val_len, fromuser and dyn_idx is not
 * established by this header — confirm in the definition. */
int32_t val_to_ring(struct event_filler_arguments *args,
                    uint64_t val,
                    uint32_t val_len,
                    bool fromuser,
                    uint8_t dyn_idx);
/* Serialises usrsockaddr (ulen bytes) into targetbuf, which holds at most
 * targetbufsize bytes (uint16_t, so 64 KiB at most). The uint16_t return is
 * presumably the number of bytes written — confirm. */
uint16_t pack_addr(struct sockaddr *usrsockaddr, int ulen, char *targetbuf, uint16_t targetbufsize);
/* Builds the socket tuple for fd into targetbuf (bounded by targetbufsize);
 * use_userdata and is_inbound select the source and direction of the
 * address data. Return value presumably as for pack_addr — confirm. */
uint16_t fd_to_socktuple(int fd,
                         struct sockaddr *usrsockaddr,
                         int ulen,
                         bool use_userdata,
                         bool is_inbound,
                         char *targetbuf,
                         uint16_t targetbufsize);
/* Copies ulen bytes of a user-space socket address (uaddr is __user) into
 * the kernel struct kaddr. NOTE(review): ulen originates outside the
 * kernel — confirm the definition validates it against the size of the
 * destination before copying. */
int addr_to_kernel(void __user *uaddr, int ulen, struct sockaddr *kaddr);
/* Walks a user-space iovec array (iovsrc is __user, iovcnt entries) and
 * pushes its buffers; retval is presumably the syscall's return value and
 * flags selects how the buffers are handled — confirm in the definition. */
int32_t parse_readv_writev_bufs(struct event_filler_arguments *args,
                                const struct iovec __user *iovsrc,
                                unsigned long iovcnt,
                                int64_t retval,
                                int flags);
#ifdef CONFIG_COMPAT
/* 32-bit compat variant of parse_readv_writev_bufs: same contract, but
 * iovsrc is an array of struct compat_iovec. */
int32_t compat_parse_readv_writev_bufs(struct event_filler_arguments *args,
                                       const struct compat_iovec __user *iovsrc,
                                       unsigned long iovcnt,
                                       int64_t retval,
                                       int flags);
#endif
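/*
 * Append the sentinel word to the event being built in args->buffer at the
 * current write cursor, then advance args->arg_data_offset and shrink
 * args->arg_data_size by the same amount.
 *
 * Compiles down to an unconditional PPM_SUCCESS when PPM_ENABLE_SENTINEL is
 * not defined.
 *
 * Returns PPM_SUCCESS on success, PPM_FAILURE_BUFFER_FULL when fewer than
 * sizeof(uint32_t) bytes remain in the slot.
 */
static inline int add_sentinel(struct event_filler_arguments *args) {
#ifdef PPM_ENABLE_SENTINEL
	/* One quantity for the capacity check and the cursor update, so the two
	 * cannot drift apart (the original checked sizeof(uint32_t) but advanced
	 * by a literal 4). */
	const uint32_t sentinel_len = sizeof(uint32_t);

	if(unlikely(args->arg_data_size < sentinel_len)) {
		return PPM_FAILURE_BUFFER_FULL;
	}

	/* NOTE(review): this store assumes buffer + arg_data_offset is suitably
	 * aligned for a uint32_t, or that the target tolerates unaligned stores —
	 * confirm against the fillers that advance arg_data_offset. */
	*(uint32_t *)(args->buffer + args->arg_data_offset) = args->sentinel;
	args->arg_data_offset += sentinel_len;
	args->arg_data_size -= sentinel_len;
	return PPM_SUCCESS;
#else
	(void)args;
	return PPM_SUCCESS;
#endif
}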
#endif /* EVENTS_H_ */