Fix 'mmap' and 'mmap2' system calls parsing so that they can be filte…

…red using the fd parameter
falcosecurity · May 3, 2024 · 6e3ca05 · 6e3ca05
1 parent 3e57e67
commit 6e3ca05
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -28,8 +28,8 @@ or GPL2.txt for full copies of the license.
  *
  * - Events marked with `EC_UNKNOWN` must have a name equal to `NA`.
  *
- * - All events that have the "EF_USES_FD" flag should return as first parameter a file descriptor.
- *	 "libsinsp" will try to access the first parameter and use it as a file descriptor. If the event has
+ * - All events that have the "EF_USES_FD" flag should return as one of the parameters a file descriptor.
+ *	 "libsinsp" will try to access the parameter and use it as a file descriptor. If the event has
  *	 0 parameters but has the "EF_USES_FD" flag then a runtime error will occur shutting down the process.
  *   Furthermore if an exit event has the "EF_USES_FD" then also the related enter event must have
  *   it (following the logic described above). Otherwise the exit event will not trigger "libsinsp" code
@@ -212,9 +212,9 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_CLONE_16_X] = {"clone", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 16, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC} } },
 	[PPME_SYSCALL_BRK_4_E] = {"brk", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"addr", PT_UINT64, PF_HEX} } },
 	[PPME_SYSCALL_BRK_4_X] = {"brk", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_UINT64, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
-	[PPME_SYSCALL_MMAP_E] = {"mmap", EC_MEMORY | EC_SYSCALL, EF_NONE, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } },
+	[PPME_SYSCALL_MMAP_E] = {"mmap", EC_MEMORY | EC_SYSCALL, EF_USES_FD, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"offset", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_MMAP_X] = {"mmap", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
-	[PPME_SYSCALL_MMAP2_E] = {"mmap2", EC_MEMORY | EC_SYSCALL, EF_NONE, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"pgoffset", PT_UINT64, PF_DEC} } },
+	[PPME_SYSCALL_MMAP2_E] = {"mmap2", EC_MEMORY | EC_SYSCALL, EF_USES_FD, 6, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags}, {"flags", PT_FLAGS32, PF_HEX, mmap_flags}, {"fd", PT_FD, PF_DEC}, {"pgoffset", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_MMAP2_X] = {"mmap2", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_HEX}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },
 	[PPME_SYSCALL_MUNMAP_E] = {"munmap", EC_MEMORY | EC_SYSCALL, EF_NONE, 2, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC} } },
 	[PPME_SYSCALL_MUNMAP_X] = {"munmap", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } },

diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -694,10 +694,12 @@ bool sinsp_parser::reset(sinsp_evt *evt)
 		{
 			//
 			// Get the fd.
-			// The fd is always the first parameter of the enter event.
+			// An fd will usually be the first parameter of the enter event,
+			// but there are exceptions, as is the case with mmap, mmap2
 			//
-			ASSERT(evt->get_param_info(0)->type == PT_FD);
-			evt->get_tinfo()->m_lastevent_fd = evt->get_param(0)->as<int64_t>();
+			int fd_location = get_fd_location(etype);
+			ASSERT(evt->get_param_info(fd_location)->type == PT_FD);
+			evt->get_tinfo()->m_lastevent_fd = evt->get_param(fd_location)->as<int64_t>();
 			evt->set_fd_info(evt->get_tinfo()->get_fd(evt->get_tinfo()->m_lastevent_fd));
 		}
 
@@ -5758,3 +5760,19 @@ void sinsp_parser::parse_pidfd_getfd_exit(sinsp_evt *evt)
 	}
 	evt->get_tinfo()->add_fd(fd, targetfd_fdinfo->clone());
 }
+
+int sinsp_parser::get_fd_location(uint16_t etype)
+{
+	int location;
+	switch (etype)
+	{
+	case PPME_SYSCALL_MMAP_E:
+	case PPME_SYSCALL_MMAP2_E:
+		location = 4;
+		break;
+	default:
+		location = 0;
+		break;
+	}
+	return location;
+}
diff --git a/userspace/libsinsp/parsers.h b/userspace/libsinsp/parsers.h
@@ -138,6 +138,7 @@ class sinsp_parser
 	void swap_addresses(sinsp_fdinfo* fdinfo);
 	uint8_t* reserve_event_buffer();
 	void free_event_buffer(uint8_t*);
+	inline int get_fd_location(uint16_t etype);
 
 	//
 	// Pointers to inspector context