fix(driver): ported dynamic_params to new PT_PID32, PT_FD32, PT_FDLIS…

…T32, PT_ERRNO32 types. I kept backward compatibility with existing dynamic params too. Signed-off-by: Federico Di Pierro <[email protected]>
falcosecurity · Aug 2, 2022 · 704f40d · 704f40d
1 parent b44f5e5
commit 704f40d
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 15 deletions.
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -1280,7 +1280,7 @@ static int __always_inline parse_sockopt(struct filler_data *data, int level, in
 			case SO_ERROR:
 				if (bpf_probe_read(&u.val32, sizeof(u.val32), optval))
 					return PPM_FAILURE_INVALID_USER_MEMORY;
-				return bpf_val_to_ring_dyn(data, -u.val32, PT_ERRNO32, PPM_SOCKOPT_IDX_ERRNO);
+				return bpf_val_to_ring_dyn(data, -u.val32, PT_ERRNO32, PPM_SOCKOPT_IDX_ERRNO32);
 #endif
 
 #ifdef SO_RCVTIMEO
@@ -5413,9 +5413,9 @@ FILLER(sys_bpf_x, true)
 	 * fd, depending on cmd
 	 */
 	if (retval >= 0 && (cmd == BPF_MAP_CREATE || cmd == BPF_PROG_LOAD))
-		res = bpf_val_to_ring_dyn(data, retval, PT_FD32, PPM_BPF_IDX_FD);
+		res = bpf_val_to_ring_dyn(data, retval, PT_FD32, PPM_BPF_IDX_FD32);
 	else
-		res = bpf_val_to_ring_dyn(data, retval, PT_ERRNO32, PPM_BPF_IDX_RES);
+		res = bpf_val_to_ring_dyn(data, retval, PT_ERRNO32, PPM_BPF_IDX_RES32);
 
 	return res;
 }

diff --git a/driver/dynamic_params_table.c b/driver/dynamic_params_table.c
@@ -15,6 +15,7 @@ const struct ppm_param_info sockopt_dynamic_param[PPM_SOCKOPT_IDX_MAX] = {
 	[PPM_SOCKOPT_IDX_UINT32] = {{0}, PT_UINT32, PF_DEC},
 	[PPM_SOCKOPT_IDX_UINT64] = {{0}, PT_UINT64, PF_DEC},
 	[PPM_SOCKOPT_IDX_TIMEVAL] = {{0}, PT_RELTIME, PF_DEC},
+	[PPM_SOCKOPT_IDX_ERRNO32] = {{0}, PT_ERRNO32, PF_DEC},
 };
 
 const struct ppm_param_info ptrace_dynamic_param[PPM_PTRACE_IDX_MAX] = {
@@ -25,4 +26,6 @@ const struct ppm_param_info ptrace_dynamic_param[PPM_PTRACE_IDX_MAX] = {
 const struct ppm_param_info bpf_dynamic_param[PPM_BPF_IDX_MAX] = {
 	[PPM_BPF_IDX_FD] = {{0}, PT_FD, PF_DEC},
 	[PPM_BPF_IDX_RES] = {{0}, PT_ERRNO, PF_DEC},
+	[PPM_BPF_IDX_FD32] = {{0}, PT_FD32, PF_DEC},
+	[PPM_BPF_IDX_RES32] = {{0}, PT_ERRNO32, PF_DEC},
 };
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -408,7 +408,8 @@ or GPL2.txt for full copies of the license.
 #define PPM_SOCKOPT_IDX_UINT32 2
 #define PPM_SOCKOPT_IDX_UINT64 3
 #define PPM_SOCKOPT_IDX_TIMEVAL 4
-#define PPM_SOCKOPT_IDX_MAX 5
+#define PPM_SOCKOPT_IDX_ERRNO32 5
+#define PPM_SOCKOPT_IDX_MAX 6
 
  /*
  * ptrace requests
@@ -463,8 +464,9 @@ or GPL2.txt for full copies of the license.
 
 #define PPM_BPF_IDX_FD 0
 #define PPM_BPF_IDX_RES 1
-
-#define PPM_BPF_IDX_MAX 2
+#define PPM_BPF_IDX_FD32 3
+#define PPM_BPF_IDX_RES32 4
+#define PPM_BPF_IDX_MAX 5
 
 /*
  * memory protection flags

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -1743,7 +1743,7 @@ static int parse_sockopt(struct event_filler_arguments *args, int level, int opt
 			case SO_ERROR:
 				if (unlikely(ppm_copy_from_user(&u.val32, optval, sizeof(u.val32))))
 					return PPM_FAILURE_INVALID_USER_MEMORY;
-				return val_to_ring(args, -(int)u.val32, 0, false, PPM_SOCKOPT_IDX_ERRNO);
+				return val_to_ring(args, -(int)u.val32, 0, false, PPM_SOCKOPT_IDX_ERRNO32);
 #endif
 
 #ifdef SO_RCVTIMEO
@@ -6113,16 +6113,16 @@ int f_sys_access_e(struct event_filler_arguments *args)
 
 int f_sys_bpf_x(struct event_filler_arguments *args)
 {
-	int64_t retval;
+	int32_t retval;
 	unsigned long cmd;
 	int res;
 
 	/*
 	 * res, if failure or depending on cmd
 	 */
-	retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
+	retval = (int32_t)syscall_get_return_value(current, args->regs);
 	if (retval < 0) {
-		res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_RES);
+		res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_RES32);
 		if (unlikely(res != PPM_SUCCESS))
 			return res;
 
@@ -6142,11 +6142,11 @@ int f_sys_bpf_x(struct event_filler_arguments *args)
 #endif
 #endif /* UDIG */
 	{
-		res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_FD);
+		res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_FD32);
 	}
 	else
 	{
-		res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_RES);
+		res = val_to_ring(args, retval, 0, false, PPM_BPF_IDX_RES32);
 	}
 	if (unlikely(res != PPM_SUCCESS))
 		return res;

diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -5607,9 +5607,17 @@ void sinsp_parser::parse_getsockopt_exit(sinsp_evt *evt)
 		}
 
 		parinfo = evt->get_param(4);
-		ASSERT(*parinfo->m_val == PPM_SOCKOPT_IDX_ERRNO);
-		ASSERT(parinfo->m_len == sizeof(int64_t) + 1);
-		err = *(int64_t *)(parinfo->m_val + 1); // add 1 byte to skip over PT_DYN param index
+		ASSERT(*parinfo->m_val == PPM_SOCKOPT_IDX_ERRNO || *parinfo->m_val == PPM_SOCKOPT_IDX_ERRNO32);
+		if (*parinfo->m_val == PPM_SOCKOPT_IDX_ERRNO)
+		{
+			ASSERT(parinfo->m_len == sizeof(int64_t) + 1);
+			err = *(int64_t *)(parinfo->m_val + 1); // add 1 byte to skip over PT_DYN param index
+		}
+		else
+		{
+			ASSERT(parinfo->m_len == sizeof(int32_t) + 1);
+			err = *(int32_t *)(parinfo->m_val + 1); // add 1 byte to skip over PT_DYN param index
+		}
 
 		evt->m_errorcode = (int32_t)err;
 		if (err < 0)