chore(driver,test): update ia32 script to call SYS_SEND and SYS_ACCEP…
…T socketcalls.

The behavior of these syscalls is different between modern bpf (whose jump table is syscalls-indexed),
and other drivers (whose jump table is events-indexed).

Signed-off-by: Federico Di Pierro <[email protected]>
FedeDP committed Oct 3, 2023
1 parent 934f776 commit 8b8c7bb
Showing 4 changed files with 37 additions and 4 deletions.
4 changes: 2 additions & 2 deletions driver/bpf/probe.c
@@ -193,8 +193,8 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args)
/* If we return an event code, it means we need to call directly `record_event_all_consumers` */
if(!is_syscall_return)
{
evt_type = return_code;
drop_flags = return_code == PPME_GENERIC_E ? UF_ALWAYS_DROP : UF_USED;
evt_type = return_code + 1; // we are in sys_exit!
drop_flags = return_code == PPME_GENERIC_X ? UF_ALWAYS_DROP : UF_USED;
}
else
{
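Review bot: The new `drop_flags` line compares `return_code` with `PPME_GENERIC_X`, but the line above derives the exit event as `return_code + 1`, which implies `return_code` still holds the enter-event code at this point. If so, the comparison cannot match the generic event, and generic exit events would be flagged `UF_USED` rather than `UF_ALWAYS_DROP`. Comparing the derived value keeps the two lines consistent: `drop_flags = evt_type == PPME_GENERIC_X ? UF_ALWAYS_DROP : UF_USED;`. The `+ 1` also depends on every exit code directly following its enter code, which the comment could state (`// exit code == enter code + 1; we are in sys_exit`). The enclosing BPF_PROBE body starts and ends outside the hunk.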
@@ -64,8 +64,6 @@ int BPF_PROG(sys_enter,
return 0;
}



bpf_tail_call(ctx, &syscall_enter_tail_table, syscall_id);
return 0;
}
2 changes: 2 additions & 0 deletions test/drivers/helpers/ia32.c
@@ -14,5 +14,7 @@ int main() {
unsigned long args[3] = {0};
syscall(__NR_socketcall, SYS_SOCKET, args);
syscall(__NR_socketcall, SYS_ACCEPT4, args);
syscall(__NR_socketcall, SYS_SEND, args);
syscall(__NR_socketcall, SYS_ACCEPT, args);
return 0;
}
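Review bot: `args` has three elements, but the added `SYS_SEND` call takes four arguments (fd, buffer, length, flags), and socketcall reads as many words from `args` as the sub-call needs. The fourth word is therefore read from whatever follows the array on the stack, so the flags value the kernel sees is indeterminate; the existing `SYS_ACCEPT4` call appears to have the same problem. Sizing the array for the largest sub-call avoids it: `unsigned long args[6] = {0};`. A short comment saying the calls are expected to fail and exist only to generate events would also explain why the return values are ignored. main() starts above the hunk.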
33 changes: 33 additions & 0 deletions test/drivers/test_suites/actions_suite/ia32.cpp.in
@@ -46,5 +46,38 @@ TEST(Actions, ia32)
evt_test->assert_event_presence(ret_pid, PPME_SOCKET_SOCKET_X);
evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT4_6_E);
evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT4_6_X);

/*
* Special cases: socketcalls whose SYS_foo code is defined but the syscall is not.
* See socketcall_to_syscall.h comment.
*/
if(evt_test->is_modern_bpf_engine())
{
/*
* ModernBPF jump table is syscalls-indexed;
* Since SYS_SEND exists but __NR_send does not on x86_64,
* convert_network_syscalls() returns -1 and we don't push anything to consumers.
*/
evt_test->assert_event_absence(ret_pid, PPME_SOCKET_SEND_E);
evt_test->assert_event_absence(ret_pid, PPME_SOCKET_SEND_X);

/*
* Same as above
*/
evt_test->assert_event_absence(ret_pid, PPME_SOCKET_ACCEPT4_6_E);
evt_test->assert_event_absence(ret_pid, PPME_SOCKET_ACCEPT4_6_X);
}
else
{
/*
* Kmod and old bpf jump table is events-indexed.
* We are able to fallback at sending the events.
*/
evt_test->assert_event_presence(ret_pid, PPME_SOCKET_SEND_E);
evt_test->assert_event_presence(ret_pid, PPME_SOCKET_SEND_X);

evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT_5_E);
evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT_5_X);
}
}
#endif
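Review bot: In the modern-BPF branch, the block commented "Same as above" asserts the absence of `PPME_SOCKET_ACCEPT4_6_E`/`_X`, yet the unconditional assertions just before the new code require those same two events to be present for the same `ret_pid`, and the else branch checks `PPME_SOCKET_ACCEPT_5_E`/`_X` for the `SYS_ACCEPT` call. If `assert_event_absence` only scans events after the last match this may be intentional, but nothing visible here says so. Either assert on the accept events, `evt_test->assert_event_absence(ret_pid, PPME_SOCKET_ACCEPT_5_E);` plus the `_X` counterpart, or replace "Same as above" with a comment naming the socketcall being checked and why ACCEPT4_6 is the event type expected to be missing. The TEST body starts above the hunk.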
