diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index 5a7668c952..a6eb368a68 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -1088,11 +1088,6 @@ FILLER(sys_setrlrimit_x, true) res = bpf_push_s64_to_ring(data, retval); CHECK_RES(res); - /* Parameter 2: resource (type: PT_ERRNO) */ - unsigned long resource = bpf_syscall_get_argument(data, 0); - res = bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource)); - CHECK_RES(res); - /* * Copy the user structure and extract cur and max */ @@ -1111,12 +1106,17 @@ FILLER(sys_setrlrimit_x, true) max = -1; } - /* Parameter 3: cur (type: PT_ERRNO) */ + /* Parameter 2: cur (type: PT_ERRNO) */ res = bpf_push_s64_to_ring(data, cur); CHECK_RES(res); - /* Parameter 4: max (type: PT_ERRNO) */ - return bpf_push_s64_to_ring(data, max); + /* Parameter 3: max (type: PT_ERRNO) */ + res = bpf_push_s64_to_ring(data, max); + CHECK_RES(res); + + /* Parameter 4: resource (type: PT_ERRNO) */ + unsigned long resource = bpf_syscall_get_argument(data, 0); + return bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource)); } FILLER(sys_connect_e, true) @@ -3861,23 +3861,11 @@ FILLER(sys_prlimit_x, true) s64 oldmax; int res; - /* - * res - */ + /* Parameter 1: res */ retval = bpf_syscall_get_retval(data->ctx); res = bpf_push_s64_to_ring(data, retval); CHECK_RES(res); - /* Parameter 1: pid */ - pid_t pid = bpf_syscall_get_argument(data, 0); - res = bpf_push_s64_to_ring(data, (s64)pid); - CHECK_RES(res); - - /* Parameter 2: resource */ - unsigned long resource = bpf_syscall_get_argument(data, 1); - res = bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource)); - CHECK_RES(res); - /* * Copy the user structure and extract cur and max */ 
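Review bot: The renumbered comments in `sys_setrlrimit_x` (second fillers.h hunk) label `cur`, `max` and `resource` as `PT_ERRNO`, but the event table changed in this same commit declares `cur` and `max` as `PT_INT64` and `resource` as `PT_ENUMFLAGS8`; only `res` is `PT_ERRNO`. Since these lines are being rewritten anyway, I would correct them to `/* Parameter 2: cur (type: PT_INT64) */`, `/* Parameter 3: max (type: PT_INT64) */` and `/* Parameter 4: resource (type: PT_ENUMFLAGS8) */`. That keeps the three drivers documenting the same layout, which matters when the order of pushes is the only thing that ties a filler to the table. The filler body starts outside the hunk.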
@@ -3904,20 +3892,30 @@ FILLER(sys_prlimit_x, true)
 oldmax = rl.rlim_max;
 }
- /* Parameter 3: newcur */
+ /* Parameter 2: newcur */
 res = bpf_push_s64_to_ring(data, newcur);
 CHECK_RES(res);
- /* Parameter 4: newmax */
+ /* Parameter 3: newmax */
 res = bpf_push_s64_to_ring(data, newmax);
 CHECK_RES(res);
- /* Parameter 5: oldcur */
+ /* Parameter 4: oldcur */
 res = bpf_push_s64_to_ring(data, oldcur);
 CHECK_RES(res);
 /* Parameter 5: oldmax */
- return bpf_push_s64_to_ring(data, oldmax);
+ res = bpf_push_s64_to_ring(data, oldmax);
+ CHECK_RES(res);
+
+ /* Parameter 6: pid */
+ pid_t pid = bpf_syscall_get_argument(data, 0);
+ res = bpf_push_s64_to_ring(data, (s64)pid);
+ CHECK_RES(res);
+
+ /* Parameter 7: resource */
+ unsigned long resource = bpf_syscall_get_argument(data, 1);
+ return bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource));
 }
 FILLER(sys_pwritev_e, true)
diff --git a/driver/event_table.c b/driver/event_table.c
index 4f0537bb91..7f3491dfe1 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -192,9 +192,9 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_GETRLIMIT_E] = {"getrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, [PPME_SYSCALL_GETRLIMIT_X] = {"getrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } }, [PPME_SYSCALL_SETRLIMIT_E] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, - [PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } }, + [PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC},{"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, [PPME_SYSCALL_PRLIMIT_E] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 2, {{"pid", PT_PID, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, - [PPME_SYSCALL_PRLIMIT_X] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 7, {{"res", PT_ERRNO, PF_DEC}, {"pid", PT_INT64, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC}} }, + [PPME_SYSCALL_PRLIMIT_X] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 7, {{"res", PT_ERRNO, PF_DEC}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC}, {"pid", PT_INT64, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } }, [PPME_SCHEDSWITCH_1_E] = {"switch", EC_SCHEDULER | EC_TRACEPOINT, EF_SKIPPARSERESET | EF_OLD_VERSION, 1, {{"next", PT_PID, PF_DEC} } }, [PPME_SCHEDSWITCH_1_X] = {"NA", EC_UNKNOWN, EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION, 0}, [PPME_DROP_E] = {"drop", 
EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET, 1, {{"ratio", PT_UINT32, PF_DEC} } }, diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c index 1985f547c9..cd5af6ee10 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c @@ -61,22 +61,14 @@ int BPF_PROG(prlimit64_x, /* Parameter 1: res (type: PT_ERRNO) */ ringbuf__store_s64(&ringbuf, ret); - /* Parameter 2: pid (type: PT_PID) */ - pid_t pid = (s32)extract__syscall_argument(regs, 0); - ringbuf__store_s64(&ringbuf, (s64)pid); - - /* Parameter 3: resource (type: PT_ENUMFLAGS8) */ - unsigned long resource = extract__syscall_argument(regs, 1); - ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource)); - struct rlimit new_rlimit = {0}; unsigned long rlimit_pointer = extract__syscall_argument(regs, 2); bpf_probe_read_user((void *)&new_rlimit, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer); - /* Parameter 4: newcur (type: PT_INT64) */ + /* Parameter 2: newcur (type: PT_INT64) */ ringbuf__store_s64(&ringbuf, new_rlimit.rlim_cur); - /* Parameter 5: newmax (type: PT_INT64) */ + /* Parameter 3: newmax (type: PT_INT64) */ ringbuf__store_s64(&ringbuf, new_rlimit.rlim_max); /* We take the old `rlimit` only if the syscall is successful otherwise this 
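Review bot: Reordering the fields of `PPME_SYSCALL_SETRLIMIT_X` and `PPME_SYSCALL_PRLIMIT_X` changes the layout of two existing events while their event codes, names and parameter counts (4 and 7) stay the same, so nothing in the table tells a consumer which layout it is reading. Userspace code that reads these exit events by parameter index, and capture files recorded with the old order, would then take `resource` or `pid` from the wrong slot, and detections keyed on rlimit changes could evaluate the wrong value or fail on a length mismatch. No schema or API version bump and no consumer-side change is visible in this diff; if they are not elsewhere in the series, they should land together with this table change. Minor style point: the new SETRLIMIT_X entry drops the space after the comma in `{"res", PT_ERRNO, PF_DEC},{"cur", PT_INT64, PF_DEC}`.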
@@ -89,12 +81,20 @@ int BPF_PROG(prlimit64_x,
 bpf_probe_read_user((void *)&old_rlimit, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer);
 }
- /* Parameter 6: oldcur (type: PT_INT64) */
+ /* Parameter 4: oldcur (type: PT_INT64) */
 ringbuf__store_s64(&ringbuf, old_rlimit.rlim_cur);
- /* Parameter 7: oldmax (type: PT_INT64) */
+ /* Parameter 5: oldmax (type: PT_INT64) */
 ringbuf__store_s64(&ringbuf, old_rlimit.rlim_max);
+ /* Parameter 6: pid (type: PT_PID) */
+ pid_t pid = (s32)extract__syscall_argument(regs, 0);
+ ringbuf__store_s64(&ringbuf, (s64)pid);
+
+ /* Parameter 7: resource (type: PT_ENUMFLAGS8) */
+ unsigned long resource = extract__syscall_argument(regs, 1);
+ ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));
+
 /*=============================== COLLECT PARAMETERS ===========================*/
 ringbuf__submit_event(&ringbuf);
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setrlimit.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setrlimit.bpf.c
index e088f6b076..a3618d027f 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setrlimit.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setrlimit.bpf.c
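Review bot: The moved comment `/* Parameter 6: pid (type: PT_PID) */` disagrees with the event table in this commit, where the `PPME_SYSCALL_PRLIMIT_X` entry declares `{"pid", PT_INT64, PF_DEC}`, and with the kernel-module filler, whose new comment says `PT_INT64`. I would write `/* Parameter 6: pid (type: PT_INT64) */` here. If `PT_PID` is what is actually intended for the exit event, as it is for `PPME_SYSCALL_PRLIMIT_E`, the table is the place to change it. The program body starts outside the hunk.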
@@ -57,20 +57,20 @@ int BPF_PROG(setrlimit_x, /* Parameter 1: res (type: PT_ERRNO)*/ ringbuf__store_s64(&ringbuf, ret); - /* Parameter 2: resource (type: PT_ENUMFLAGS8) */ - unsigned long resource = extract__syscall_argument(regs, 0); - ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource)); - struct rlimit rl = {0}; unsigned long rlimit_pointer = extract__syscall_argument(regs, 1); bpf_probe_read_user((void *)&rl, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer); - /* Parameter 3: cur (type: PT_INT64)*/ + /* Parameter 2: cur (type: PT_INT64)*/ ringbuf__store_s64(&ringbuf, rl.rlim_cur); - /* Parameter 4: max (type: PT_INT64)*/ + /* Parameter 3: max (type: PT_INT64)*/ ringbuf__store_s64(&ringbuf, rl.rlim_max); + /* Parameter 4: resource (type: PT_ENUMFLAGS8) */ + unsigned long resource = extract__syscall_argument(regs, 0); + ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource)); + /*=============================== COLLECT PARAMETERS ===========================*/ ringbuf__submit_event(&ringbuf); diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index cb7cecf25b..9878e291cb 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -4345,16 +4345,11 @@ int f_sys_setrlrimit_x(struct event_filler_arguments *args) int64_t cur; int64_t max; - /* Parameter 1: res */ + /* Parameter 1: res (type: PT_ERRNO) */ retval = (int64_t)(long)syscall_get_return_value(current, args->regs); res = val_to_ring(args, retval, 0, false, 0); CHECK_RES(res); - /* Parameter 2: resource */ - syscall_get_arguments_deprecated(args, 0, 1, &val); - res = val_to_ring(args, rlimit_resource_to_scap(val), 0, false, 0); - CHECK_RES(res); - /* * Copy the user structure and extract cur and max */ 
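Review bot: In `setrlimit_x` the result of `bpf_probe_read_user` is ignored, so when the user pointer is NULL or unreadable the event reports `cur` and `max` as 0 from the zero-initialised `rl`. The legacy fillers touched by this commit show a `max = -1;` fallback just before the pushes, which presumably covers the same failure (its condition is outside the hunks), so the drivers may emit different values for the same syscall. Zero is also a legitimate limit, which makes a failed read indistinguishable from a real setting for anyone writing rules on these fields. Consider checking the return value and storing -1 for both fields on failure, e.g. `if (bpf_probe_read_user(...) != 0) { /* push -1 for cur and max */ }`. The same pattern appears in the `prlimit64_x` program in this diff.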
@@ -4381,14 +4376,19 @@ int f_sys_setrlrimit_x(struct event_filler_arguments *args) max = -1; } - /* Parameter 3: cur */ + /* Parameter 2: (type: PT_INT64) */ res = val_to_ring(args, cur, 0, false, 0); CHECK_RES(res); - /* Parameter 4: max */ + /* Parameter 3: max (type: PT_INT64) */ res = val_to_ring(args, max, 0, false, 0); CHECK_RES(res); + /* Parameter 4: resource (type: PT_ENUMFLAGS8) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + res = val_to_ring(args, rlimit_resource_to_scap(val), 0, false, 0); + CHECK_RES(res); + return add_sentinel(args); } @@ -4427,25 +4427,12 @@ int f_sys_prlimit_x(struct event_filler_arguments *args) int64_t oldmax; pid_t pid = 0; - /* - * res - */ + /* Parameter 1: res ((type: PT_ERRNO) */ retval = (int64_t)(long)syscall_get_return_value(current, args->regs); res = val_to_ring(args, retval, 0, false, 0); if (unlikely(res != PPM_SUCCESS)) return res; - /* Parameter 1: pid */ - syscall_get_arguments_deprecated(args, 0, 1, &val); - pid = (s32)val; - res = val_to_ring(args, (s64)pid, 0, false, 0); - CHECK_RES(res); - - /* Parameter 2: resource (type: PT_ENUMFLAGS8) */ - syscall_get_arguments_deprecated(args, 1, 1, &val); - res = val_to_ring(args, rlimit_resource_to_scap(val), 0, false, 0); - CHECK_RES(res); - /* * Copy the user structure and extract cur and max */ 
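Review bot: The rewritten comment `/* Parameter 2: (type: PT_INT64) */` in `f_sys_setrlrimit_x` lost the parameter name; it should read `/* Parameter 2: cur (type: PT_INT64) */`. The next hunk has a similar slip in `f_sys_prlimit_x`, `/* Parameter 1: res ((type: PT_ERRNO) */`, with a doubled opening parenthesis; `/* Parameter 1: res (type: PT_ERRNO) */` is the intended form. Both function bodies start outside their hunks.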
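Review bot: The `res` push at the top of `f_sys_prlimit_x` keeps the open-coded `if (unlikely(res != PPM_SUCCESS)) return res;` while the later hunk converts every other push in the same function to `CHECK_RES(res);`. Assuming the macro expands to the same check, I would replace these two lines with `CHECK_RES(res);` so the function has one error-handling form. The function body continues outside the hunk.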
@@ -4499,25 +4486,32 @@ int f_sys_prlimit_x(struct event_filler_arguments *args)
 }
 }
 #endif
- /* Parameter 3: newcur (PT_INT64)*/
+ /* Parameter 2: newcur (type: PT_INT64) */
 res = val_to_ring(args, newcur, 0, false, 0);
- if (unlikely(res != PPM_SUCCESS))
- return res;
+ CHECK_RES(res);
- /* Parameter 4: newmax (PT_INT64)*/
+ /* Parameter 3: newmax (type: PT_INT64) */
 res = val_to_ring(args, newmax, 0, false, 0);
- if (unlikely(res != PPM_SUCCESS))
- return res;
+ CHECK_RES(res);
- /* Parameter 5: oldcur (PT_INT64)*/
+ /* Parameter 4: oldcur (type: PT_INT64) */
 res = val_to_ring(args, oldcur, 0, false, 0);
- if (unlikely(res != PPM_SUCCESS))
- return res;
+ CHECK_RES(res);
- /* Parameter 6: oldmax (PT_INT64)*/
+ /* Parameter 5: oldmax (type: PT_INT64) */
 res = val_to_ring(args, oldmax, 0, false, 0);
- if (unlikely(res != PPM_SUCCESS))
- return res;
+ CHECK_RES(res);
+
+ /* Parameter 6: pid (type: PT_INT64) */
+ syscall_get_arguments_deprecated(args, 0, 1, &val);
+ pid = (s32)val;
+ res = val_to_ring(args, (s64)pid, 0, false, 0);
+ CHECK_RES(res);
+
+ /* Parameter 7: resource (type: PT_ENUMFLAGS8) */
+ syscall_get_arguments_deprecated(args, 1, 1, &val);
+ res = val_to_ring(args, rlimit_resource_to_scap(val), 0, false, 0);
+ CHECK_RES(res);
 return add_sentinel(args);
 }
diff --git a/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp
index 20a1e807c5..d0b75d2953 100644
--- a/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp
+++ b/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp
@@ -46,23 +46,23 @@ TEST(SyscallExit, prlimit64X)
 /* Parameter 1: res (type: PT_ERRNO) */
 evt_test->assert_numeric_param(1, (int64_t)0);
- /* Parameter 2: pid (type: PT_INT64) */
- evt_test->assert_numeric_param(2, (int64_t)pid);
+ /* Parameter 2: newcur (type: PT_INT64) */
+ evt_test->assert_numeric_param(2, (int64_t)file_rlimit.rlim_cur);
- /* Parameter 3: resource (type: PT_ENUMFLAGS8) */
- evt_test->assert_numeric_param(3, (uint8_t)PPM_RLIMIT_NOFILE);
+ /* Parameter 3: newmax (type: PT_INT64) */
+ evt_test->assert_numeric_param(3, (int64_t)file_rlimit.rlim_max);
- /* Parameter 4: newcur (type: PT_INT64) */
+ /* Parameter 4: oldcur (type: PT_INT64) */
 evt_test->assert_numeric_param(4, (int64_t)file_rlimit.rlim_cur);
- /* Parameter 5: newmax (type: PT_INT64) */
+ /* Parameter 5: oldmax (type: PT_INT64) */
 evt_test->assert_numeric_param(5, (int64_t)file_rlimit.rlim_max);
- /* Parameter 6: oldcur (type: PT_INT64) */
- evt_test->assert_numeric_param(6, (int64_t)file_rlimit.rlim_cur);
+ /* Parameter 6: pid (type: PT_INT64) */
+ evt_test->assert_numeric_param(6, (int64_t)pid);
- /* Parameter 7: oldmax (type: PT_INT64) */
- evt_test->assert_numeric_param(7, (int64_t)file_rlimit.rlim_max);
+ /* Parameter 7: resource (type: PT_ENUMFLAGS8) */
+ evt_test->assert_numeric_param(7, (uint8_t)PPM_RLIMIT_NOFILE);
 /*=============================== ASSERT PARAMETERS ===========================*/
 diff --git a/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp b/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp
index c69117a49a..6a7a1c839d 100644
--- a/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp
+++ b/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp
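Review bot: Parameters 2 and 4 are both asserted against `file_rlimit.rlim_cur`, and parameters 3 and 5 against `file_rlimit.rlim_max`, so this test cannot tell the new pair from the old pair. It would still pass if a driver pushed `oldcur`/`oldmax` before `newcur`/`newmax`, and pinning that order is the point of a test for a reordering change. The setup is outside the hunk, but it appears the same struct serves as both the requested and the returned limits. I would pass a new limit whose `rlim_cur` differs from the current one and assert params 2 and 3 against the new struct and params 4 and 5 against the values read back beforehand.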
@@ -39,13 +39,14 @@ TEST(SyscallExit, setrlimitX) /* Parameter 1: res (type: PT_ERRNO) */ evt_test->assert_numeric_param(1, (int64_t)errno_value); - evt_test->assert_numeric_param(2, (uint8_t)resource); - /* Parameter 2: cur (type: PT_INT64) */ - evt_test->assert_numeric_param(3, (int64_t)rlim.rlim_cur); + evt_test->assert_numeric_param(2, (int64_t)rlim.rlim_cur); /* Parameter 3: max (type: PT_INT64) */ - evt_test->assert_numeric_param(4, (int64_t)rlim.rlim_max); + evt_test->assert_numeric_param(3, (int64_t)rlim.rlim_max); + + /* Parameter 4: resource (type: PT_ENUMFLAGS8) */ + evt_test->assert_numeric_param(4, (uint8_t)resource); /*=============================== ASSERT PARAMETERS ===========================*/