

update: handle 2 params in seccomp enter event
Signed-off-by: Andrea Terzolo <[email protected]>
Andreagit97 authored and poiana committed Sep 27, 2023
1 parent a4a7dc8 commit 52bcabb
Showing 4 changed files with 10 additions and 4 deletions.
2 changes: 1 addition & 1 deletion driver/fillers_table.c
@@ -254,7 +254,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
#endif
[PPME_SYSCALL_BPF_2_E] = {FILLER_REF(sys_bpf_e)},
[PPME_SYSCALL_BPF_2_X] = {FILLER_REF(sys_bpf_x)},
[PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}, {1} } },
[PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1} } },
[PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL} } },
[PPME_SYSCALL_UNLINK_2_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_UNLINK_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0} } },
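Review bot: Nothing ties the parameter count in the `PPME_SYSCALL_SECCOMP_E` entry to the number of argument descriptors that follow it: the two printed versions of the line differ only in `1` versus `2` while both list `{{0}, {1} }`, so a count smaller than the list compiles silently. Presumably the second argument was then simply not emitted by `sys_autofill` (the filler is not shown here), which would leave the seccomp flags missing from the event on the drivers that use this table. It is worth auditing the other `sys_autofill` rows for the same mismatch and recording the rule in a comment such as `/* param count must equal the number of {arg} descriptors */`.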
2 changes: 1 addition & 1 deletion driver/modern_bpf/definitions/events_dimensions.h
@@ -80,7 +80,7 @@
#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
#define CAPSET_E_SIZE HEADER_LEN
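Review bot: `SECCOMP_E_SIZE` expands to an unparenthesized sum, so any use as an operand of `*` or `-` would bind to `HEADER_LEN` or `PARAM_LEN * 2` alone instead of the whole size; the neighbouring `*_SIZE` macros in this hunk share the pattern. How the macro is consumed is not visible here, but if it sizes the buffer reserved for the event, a wrong value would give a malformed record. Wrapping the body, `#define SECCOMP_E_SIZE (HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2)`, removes the hazard. The value also has to stay in step with the two `ringbuf__store_u64` calls in `seccomp_e`, which it currently does.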
@@ -28,6 +28,9 @@ int BPF_PROG(seccomp_e,
u64 operation = (u64)extract__syscall_argument(regs, 0);
ringbuf__store_u64(&ringbuf, operation);

u32 flags = (u32)extract__syscall_argument(regs, 1);
ringbuf__store_u64(&ringbuf, (u64)flags);

/*=============================== COLLECT PARAMETERS ===========================*/

ringbuf__submit_event(&ringbuf);
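Review bot: `flags` is narrowed with `(u32)` before being widened again for `ringbuf__store_u64`, while `operation` just above is stored from the full register value; both are `unsigned int` in the seccomp(2) prototype, so the two parameters are treated inconsistently. The `sys_autofill` entry for the same event in driver/fillers_table.c may not apply the same narrowing (that filler is not shown), in which case the drivers could report different `flags` values when upper register bits are set, and rules matching on seccomp flags would behave differently per driver. Either narrow `operation` the same way or state the intent next to the new lines, e.g. `/* Parameter 2: flags (type: PT_UINT64), truncated to 32 bits as in the syscall prototype */`. The body of `seccomp_e` starts and ends outside this hunk.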
7 changes: 5 additions & 2 deletions test/drivers/test_suites/syscall_enter_suite/seccomp_e.cpp
@@ -13,7 +13,7 @@ TEST(SyscallEnter, seccompE)
/*=============================== TRIGGER SYSCALL ===========================*/

uint32_t operation = SECCOMP_SET_MODE_FILTER;
uint32_t flags = 0;
uint32_t flags = 32;
void* args = NULL;
assert_syscall_state(SYSCALL_FAILURE, "seccomp", syscall(__NR_seccomp, operation, flags, args));

@@ -37,8 +37,11 @@ TEST(SyscallEnter, seccompE)
/* Parameter 1: operation (type: PT_UINT64) */
evt_test->assert_numeric_param(1, (uint64_t)operation);

/* Parameter 2: flags (type: PT_UINT64) */
evt_test->assert_numeric_param(2, (uint64_t)flags);

/*=============================== ASSERT PARAMETERS ===========================*/

evt_test->assert_num_params_pushed(1);
evt_test->assert_num_params_pushed(2);
}
#endif
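Review bot: `uint32_t flags = 32;` in the first hunk is an unexplained magic number; nothing says whether 32 is meant as a particular seccomp flag or only as a non-zero value that a zero-filled parameter cannot match. A short comment would settle it, e.g. `/* arbitrary non-zero value; the call is expected to fail either way */`. Since the modern BPF program narrows flags to 32 bits before storing them as PT_UINT64, a value with bit 31 set would additionally pin zero-extension on every driver. The existing `assert_numeric_param(2, (uint64_t)flags)` is correct for the value used.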
