// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
Copyright (C) 2023 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
#ifndef SOCKETCALL_TO_SYSCALL_H
#define SOCKETCALL_TO_SYSCALL_H
#include "ppm_events_public.h"
/* Right now we don't support architectures that expose
 * socketcall on both their 64-bit and 32-bit ABIs.
 */
#include <linux/net.h>
/*
 * Resolve a socketcall(2) multiplexer code (SYS_* from <linux/net.h>)
 * into something the caller can dispatch on.
 *
 * @socketcall_code:   the SYS_* code taken from the socketcall argument.
 * @is_syscall_return: out-parameter, always written before returning.
 *
 * Return value:
 *  - If the architecture has a dedicated syscall for the operation
 *    (the matching __NR_* macro is defined), return that syscall number
 *    and set *is_syscall_return to true.
 *  - Otherwise, when SYS_* is known but __NR_* is not, return the
 *    generic PPME_*_E event code and set *is_syscall_return to false.
 *  - For a code that matches nothing, return -1 with *is_syscall_return
 *    set to false. Callers must check for -1 before using the result,
 *    since the code ultimately comes from a user-controlled argument.
 *
 * Known configurations in which SYS_* exists but __NR_* does not:
 *  - s390x: SYS_ACCEPT without __NR_accept
 *  - x86 with CONFIG_IA32_EMULATION: SYS_ACCEPT, SYS_SEND and SYS_RECV
 *    without __NR_accept, __NR_send and __NR_recv
 * Every entry is therefore guarded on the SYS_* code first and on the
 * __NR_* number second, falling back to the event code when the latter
 * is missing.
 */
static inline int socketcall_code_to_syscall_code(int socketcall_code, bool* is_syscall_return) {
	switch(socketcall_code) {
#ifdef SYS_SOCKET
	case SYS_SOCKET:
#ifdef __NR_socket
		*is_syscall_return = true;
		return __NR_socket;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_SOCKET_E;
#endif
#endif
#ifdef SYS_SOCKETPAIR
	case SYS_SOCKETPAIR:
#ifdef __NR_socketpair
		*is_syscall_return = true;
		return __NR_socketpair;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_SOCKETPAIR_E;
#endif
#endif
#ifdef SYS_ACCEPT
	case SYS_ACCEPT:
#ifdef __NR_accept
		*is_syscall_return = true;
		return __NR_accept;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_ACCEPT_5_E;
#endif
#endif
#ifdef SYS_ACCEPT4
	case SYS_ACCEPT4:
#ifdef __NR_accept4
		*is_syscall_return = true;
		return __NR_accept4;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_ACCEPT4_6_E;
#endif
#endif
#ifdef SYS_BIND
	case SYS_BIND:
#ifdef __NR_bind
		*is_syscall_return = true;
		return __NR_bind;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_BIND_E;
#endif
#endif
#ifdef SYS_LISTEN
	case SYS_LISTEN:
#ifdef __NR_listen
		*is_syscall_return = true;
		return __NR_listen;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_LISTEN_E;
#endif
#endif
#ifdef SYS_CONNECT
	case SYS_CONNECT:
#ifdef __NR_connect
		*is_syscall_return = true;
		return __NR_connect;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_CONNECT_E;
#endif
#endif
#ifdef SYS_GETSOCKNAME
	case SYS_GETSOCKNAME:
#ifdef __NR_getsockname
		*is_syscall_return = true;
		return __NR_getsockname;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_GETSOCKNAME_E;
#endif
#endif
#ifdef SYS_GETPEERNAME
	case SYS_GETPEERNAME:
#ifdef __NR_getpeername
		*is_syscall_return = true;
		return __NR_getpeername;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_GETPEERNAME_E;
#endif
#endif
#ifdef SYS_GETSOCKOPT
	case SYS_GETSOCKOPT:
#ifdef __NR_getsockopt
		*is_syscall_return = true;
		return __NR_getsockopt;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_GETSOCKOPT_E;
#endif
#endif
#ifdef SYS_SETSOCKOPT
	case SYS_SETSOCKOPT:
#ifdef __NR_setsockopt
		*is_syscall_return = true;
		return __NR_setsockopt;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_SETSOCKOPT_E;
#endif
#endif
#ifdef SYS_RECV
	case SYS_RECV:
#ifdef __NR_recv
		*is_syscall_return = true;
		return __NR_recv;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_RECV_E;
#endif
#endif
#ifdef SYS_RECVFROM
	case SYS_RECVFROM:
#ifdef __NR_recvfrom
		*is_syscall_return = true;
		return __NR_recvfrom;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_RECVFROM_E;
#endif
#endif
#ifdef SYS_RECVMSG
	case SYS_RECVMSG:
#ifdef __NR_recvmsg
		*is_syscall_return = true;
		return __NR_recvmsg;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_RECVMSG_E;
#endif
#endif
#ifdef SYS_RECVMMSG
	case SYS_RECVMMSG:
#ifdef __NR_recvmmsg
		*is_syscall_return = true;
		return __NR_recvmmsg;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_RECVMMSG_E;
#endif
#endif
#ifdef SYS_SEND
	case SYS_SEND:
#ifdef __NR_send
		*is_syscall_return = true;
		return __NR_send;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_SEND_E;
#endif
#endif
#ifdef SYS_SENDTO
	case SYS_SENDTO:
#ifdef __NR_sendto
		*is_syscall_return = true;
		return __NR_sendto;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_SENDTO_E;
#endif
#endif
#ifdef SYS_SENDMSG
	case SYS_SENDMSG:
#ifdef __NR_sendmsg
		*is_syscall_return = true;
		return __NR_sendmsg;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_SENDMSG_E;
#endif
#endif
#ifdef SYS_SENDMMSG
	case SYS_SENDMMSG:
#ifdef __NR_sendmmsg
		*is_syscall_return = true;
		return __NR_sendmmsg;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_SENDMMSG_E;
#endif
#endif
#ifdef SYS_SHUTDOWN
	case SYS_SHUTDOWN:
#ifdef __NR_shutdown
		*is_syscall_return = true;
		return __NR_shutdown;
#else
		*is_syscall_return = false;
		return PPME_SOCKET_SHUTDOWN_E;
#endif
#endif
	default:
		break;
	}
	/* Neither a dedicated syscall nor a known socketcall code: the
	 * caller must treat -1 as "unrecognised" rather than dispatch on it. */
	*is_syscall_return = false;
	return -1;
}
#endif /* SOCKETCALL_TO_SYSCALL_H */