From 8b8c7bb7fd7e9e2597124b02a64791e102b0fee9 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Tue, 3 Oct 2023 11:40:32 +0200
Subject: [PATCH] chore(driver,test): update ia32 script to call SYS_SEND and SYS_ACCEPT socketcalls.

The behavior of these syscalls is different between modern bpf (whose jump table is syscalls-indexed), and other drivers (whose jump table is events-indexed).

Signed-off-by: Federico Di Pierro
---
 driver/bpf/probe.c | 4 +--
 .../attached/dispatchers/syscall_enter.bpf.c | 2 --
 test/drivers/helpers/ia32.c | 2 ++
 .../test_suites/actions_suite/ia32.cpp.in | 33 +++++++++++++++++++
 4 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/driver/bpf/probe.c b/driver/bpf/probe.c
index 407a3aea546..5eeda372433 100644
--- a/driver/bpf/probe.c
+++ b/driver/bpf/probe.c
@@ -193,8 +193,8 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args)
 /* If we return an event code, it means we need to call directly `record_event_all_consumers` */
 if(!is_syscall_return)
 {
- evt_type = return_code;
- drop_flags = return_code == PPME_GENERIC_E ? UF_ALWAYS_DROP : UF_USED;
+ evt_type = return_code + 1; // we are in sys_exit!
+ drop_flags = return_code == PPME_GENERIC_X ? UF_ALWAYS_DROP : UF_USED;
 }
 else
 {
diff --git a/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c b/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c
index 6902806610c..3138550c4c3 100644
--- a/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c
+++ b/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c
@@ -64,8 +64,6 @@ int BPF_PROG(sys_enter,
 return 0;
 }
-
-
 
 bpf_tail_call(ctx, &syscall_enter_tail_table, syscall_id);
 return 0;
 }
diff --git a/test/drivers/helpers/ia32.c b/test/drivers/helpers/ia32.c
index 4db7bc23595..47249877e56 100644
--- a/test/drivers/helpers/ia32.c
+++ b/test/drivers/helpers/ia32.c
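Review bot: In the new `if(!is_syscall_return)` branch of sys_exit, `evt_type = return_code + 1` treats return_code as the enter-side event code, but the very next line compares that same return_code against `PPME_GENERIC_X`, so the two lines disagree about what return_code holds and, if it really is an `_E` code, the always-drop case can never match. Either test the derived value, `drop_flags = evt_type == PPME_GENERIC_X ? UF_ALWAYS_DROP : UF_USED;`, or keep comparing return_code with `PPME_GENERIC_E` as the removed line did. The `+ 1` also silently relies on every `_X` code following its `_E` code in the event enum; replacing the `//` comment (the rest of this file uses `/* */`) with `/* relies on each PPME_*_X being its PPME_*_E + 1 */` makes that assumption visible to whoever next reorders the enum. sys_exit's body starts before and continues after this hunk.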
@@ -14,5 +14,7 @@ int main() {
 unsigned long args[3] = {0};
 syscall(__NR_socketcall, SYS_SOCKET, args);
 syscall(__NR_socketcall, SYS_ACCEPT4, args);
+ syscall(__NR_socketcall, SYS_SEND, args);
+ syscall(__NR_socketcall, SYS_ACCEPT, args);
 return 0;
 }
\ No newline at end of file
diff --git a/test/drivers/test_suites/actions_suite/ia32.cpp.in b/test/drivers/test_suites/actions_suite/ia32.cpp.in
index 39bae3613df..e99d5525797 100644
--- a/test/drivers/test_suites/actions_suite/ia32.cpp.in
+++ b/test/drivers/test_suites/actions_suite/ia32.cpp.in
@@ -46,5 +46,38 @@ TEST(Actions, ia32)
 evt_test->assert_event_presence(ret_pid, PPME_SOCKET_SOCKET_X);
 evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT4_6_E);
 evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT4_6_X);
+
+ /*
+ * Special cases: socketcalls whose SYS_foo code is defined but the syscall is not.
+ * See socketcall_to_syscall.h comment.
+ */
+ if(evt_test->is_modern_bpf_engine())
+ {
+ /*
+ * ModernBPF jump table is syscalls-indexed;
+ * Since SYS_SEND exists but __NR_send does not on x86_64,
+ * convert_network_syscalls() returns -1 and we don't push anything to consumers.
+ */
+ evt_test->assert_event_absence(ret_pid, PPME_SOCKET_SEND_E);
+ evt_test->assert_event_absence(ret_pid, PPME_SOCKET_SEND_X);
+
+ /*
+ * Same as above
+ */
+ evt_test->assert_event_absence(ret_pid, PPME_SOCKET_ACCEPT4_6_E);
+ evt_test->assert_event_absence(ret_pid, PPME_SOCKET_ACCEPT4_6_X);
+ }
+ else
+ {
+ /*
+ * Kmod and old bpf jump table is events-indexed.
+ * We are able to fallback at sending the events.
+ */
+ evt_test->assert_event_presence(ret_pid, PPME_SOCKET_SEND_E);
+ evt_test->assert_event_presence(ret_pid, PPME_SOCKET_SEND_X);
+
+ evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT_5_E);
+ evt_test->assert_event_presence(ret_pid, PPME_SOCKET_ACCEPT_5_X);
+ }
 }
 #endif
\ No newline at end of file
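Review bot: The two added `syscall(__NR_socketcall, ...)` lines, like the two before them, pass an all-zero `args` (fd 0, no buffer or address) and discard the return value, so they presumably fail in the kernel and exist only to make the driver emit enter/exit events; nothing in the helper says so. A one-line comment above the first call, `/* args are intentionally zero: the calls fail, we only need the enter/exit events to be emitted */`, would stop a later reader from "fixing" them into real sockets and changing what the driver tests observe. Whether SYS_SEND and SYS_ACCEPT are defined for this file depends on includes that are outside the hunk.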
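Review bot: In the modern-bpf branch, the two `assert_event_absence` calls under the "Same as above" comment check `PPME_SOCKET_ACCEPT4_6_E`/`_X`, the very events the context lines at the top of this hunk assert are present for the same `ret_pid`, so unless `assert_event_presence` consumes matched events (not visible here) this cannot hold; the event pair that corresponds to the new `SYS_ACCEPT` call is the one the else branch uses, `PPME_SOCKET_ACCEPT_5_E`/`_X`. Replace them with `evt_test->assert_event_absence(ret_pid, PPME_SOCKET_ACCEPT_5_E);` and `evt_test->assert_event_absence(ret_pid, PPME_SOCKET_ACCEPT_5_X);`. The "Same as above" comment should also say what it means, e.g. `/* SYS_ACCEPT: convert_network_syscalls() returns -1 for it as well, so modern bpf emits nothing */`, and that claim is worth re-checking against socketcall_to_syscall.h, since the reason given above (no x86_64 `__NR_send`) does not obviously carry over to accept, which does have a native x86_64 syscall. TEST(Actions, ia32) begins before this hunk.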