From 2462249c95ef54d2026ad368d9274fe17e92c50c Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Sat, 30 Jul 2022 22:34:49 +0200
Subject: [PATCH] new(modern_bpf): add `rmdir` syscall
Signed-off-by: Andrea Terzolo
---
 .../definitions/events_dimensions.h | 1 +
 .../syscall_dispatched_events/rmdir.bpf.c | 72 +++++++++++++++++++
 .../syscall_enter_suite/rmdir_e.cpp | 38 ++++++++++
 .../syscall_exit_suite/rmdir_x.cpp | 43 +++++++++++
 userspace/libpman/src/events_prog_names.h | 2 +
 5 files changed, 156 insertions(+)
 create mode 100644 driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c
 create mode 100644 test/modern_bpf/test_suites/syscall_enter_suite/rmdir_e.cpp
 create mode 100644 test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
index 9e5fe913237..c46a4dc6dcf 100644
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@@ -29,5 +29,6 @@
 #define FCHMOD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
 #define FCHMODAT_E_SIZE HEADER_LEN
 #define MKDIRAT_E_SIZE HEADER_LEN
+#define RMDIR_E_SIZE HEADER_LEN
 
 #endif /* __EVENT_DIMENSIONS_H__ */
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c
new file mode 100644
index 00000000000..3106baa66c4
--- /dev/null
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2022 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include
+#include
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(rmdir_e,
+ struct pt_regs *regs,
+ long id)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, RMDIR_E_SIZE))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_RMDIR_2_E, RMDIR_E_SIZE);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ // Here we have no parameters to collect.
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(rmdir_x,
+ struct pt_regs *regs,
+ long ret)
+{
+ struct auxiliary_map *auxmap = auxmap__get();
+ if(!auxmap)
+ {
+ return 0;
+ }
+
+ auxmap__preload_event_header(auxmap, PPME_SYSCALL_RMDIR_2_X);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO) */
+ auxmap__store_s64_param(auxmap, ret);
+
+ /* Parameter 2: path (type: PT_CHARBUF) */
+ unsigned long path_pointer = extract__syscall_argument(regs, 0);
+ auxmap__store_charbuf_param(auxmap, path_pointer, USER);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ auxmap__finalize_event_header(auxmap);
+
+ auxmap__submit_event(auxmap);
+
+ return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
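Review bot: In `rmdir_x`, the path is read back from user memory at syscall exit (`extract__syscall_argument(regs, 0)` followed by `auxmap__store_charbuf_param(auxmap, path_pointer, USER)`), so the event records whatever the buffer holds at that moment. That is not guaranteed to be the string the kernel resolved if the buffer is rewritten in between. Anyone writing detection rules on this field needs to know that limit, so it deserves a comment above the read, for example `/* Read from user memory at exit: may differ from the path the kernel resolved. */`. Separately, the comment labels parameter 2 as `PT_CHARBUF` while the exit test in this patch labels it `PT_FSPATH`; the event table is not visible here, so whichever type it declares should be used in both comments.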
diff --git a/test/modern_bpf/test_suites/syscall_enter_suite/rmdir_e.cpp b/test/modern_bpf/test_suites/syscall_enter_suite/rmdir_e.cpp
new file mode 100644
index 00000000000..435a100d0d9
--- /dev/null
+++ b/test/modern_bpf/test_suites/syscall_enter_suite/rmdir_e.cpp
@@ -0,0 +1,38 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_rmdir
+TEST(SyscallEnter, rmdirE)
+{
+ auto evt_test = new event_test(__NR_rmdir, ENTER_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ const char* path = "*//null";
+ assert_syscall_state(SYSCALL_FAILURE, "rmdir", syscall(__NR_rmdir, path));
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ // Here we have no parameters to assert.
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(0);
+}
+#endif
diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp
new file mode 100644
index 00000000000..fa3088024e3
--- /dev/null
+++ b/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp
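Review bot: `auto evt_test = new event_test(__NR_rmdir, ENTER_EVENT);` in rmdir_e.cpp is never deleted, and the `HasFatalFailure()` early return leaves the object allocated as well; rmdir_x.cpp follows the same pattern. If `event_test` releases capture state in its destructor (its definition is not shown here), that cleanup never runs and state can carry over into later tests in the same process. A scoped owner avoids this: `auto evt_test = std::make_unique<event_test>(__NR_rmdir, ENTER_EVENT);`, with `#include <memory>` if the shared header does not already provide it.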
@@ -0,0 +1,43 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_rmdir
+TEST(SyscallExit, rmdirX)
+{
+ auto evt_test = new event_test(__NR_rmdir, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ const char* path = "*//null";
+ assert_syscall_state(SYSCALL_FAILURE, "rmdir", syscall(__NR_rmdir, path));
+ int64_t errno_value = -errno;
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ evt_test->assert_numeric_param(1, (int64_t)errno_value);
+
+ /* Parameter 2: path (type: PT_FSPATH) */
+ evt_test->assert_charbuf_param(2, path);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(2);
+}
+#endif
diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h
index d00ed77535d..6a566ece6ef 100644
--- a/userspace/libpman/src/events_prog_names.h
+++ b/userspace/libpman/src/events_prog_names.h
@@ -45,6 +45,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = {
 [PPME_SYSCALL_FCHMODAT_X] = "fchmodat_x",
 [PPME_SYSCALL_MKDIRAT_E] = "mkdirat_e",
 [PPME_SYSCALL_MKDIRAT_X] = "mkdirat_x",
+ [PPME_SYSCALL_RMDIR_2_E] = "rmdir_e",
+ [PPME_SYSCALL_RMDIR_2_X] = "rmdir_x",
 };
 
 /* Some events can require more than one bpf program to collect all the data. */
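Review bot: In rmdir_x.cpp, `int64_t errno_value = -errno;` is read only after `assert_syscall_state(...)` has returned, so any libc call made inside that helper (its body is not shown here) could overwrite `errno` before it is captured. The `res` assertion would then compare against the wrong value and could pass or fail for reasons unrelated to the probe. Capturing the value straight after the syscall is safer: `long rc = syscall(__NR_rmdir, path);` then `int64_t errno_value = -errno;` then `assert_syscall_state(SYSCALL_FAILURE, "rmdir", rc);`.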