resolve inotify_init

Signed-off-by: Everett Badeaux <[email protected]>
falcosecurity · Oct 4, 2023 · 8d3f364 · 8d3f364
1 parent 98d7df6
commit 8d3f364
Show file tree

Hide file tree

Showing 9 changed files with 8 additions and 36 deletions.
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -3470,15 +3470,6 @@ FILLER(sys_io_uring_register_x, true)
 	return bpf_push_u32_to_ring(data, nr_args);
 }
 
-FILLER(sys_inotify_init_e, true)
-{
-	/* Parameter 1: flags (type: PT_FLAGS8) */
-	/* We have nothing to extract from the kernel here so we send `0`.
-	 * This is done to preserve the `PPME_SYSCALL_INOTIFY_INIT_E` event with 1 param.
-	 */
-	return bpf_push_u8_to_ring(data, 0);
-}
-
 FILLER(sys_inotify_init1_x, true)
 {
 	/* Parameter 1: res (type: PT_ERRNO) */

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -187,7 +187,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_NANOSLEEP_X] = {"nanosleep", EC_SLEEP | EC_SYSCALL, EF_WAITS, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	[PPME_SYSCALL_TIMERFD_CREATE_E] = {"timerfd_create", EC_TIME | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"clockid", PT_UINT8, PF_DEC}, {"flags", PT_FLAGS8, PF_HEX} } },
 	[PPME_SYSCALL_TIMERFD_CREATE_X] = {"timerfd_create", EC_TIME | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } },
-	[PPME_SYSCALL_INOTIFY_INIT_E] = {"inotify_init", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"flags", PT_FLAGS8, PF_HEX} } },
+	[PPME_SYSCALL_INOTIFY_INIT_E] = {"inotify_init", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
 	[PPME_SYSCALL_INOTIFY_INIT_X] = {"inotify_init", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } },
 	[PPME_SYSCALL_GETRLIMIT_E] = {"getrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
 	[PPME_SYSCALL_GETRLIMIT_X] = {"getrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },

diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -141,7 +141,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_single_x)},
 	[PPME_SYSCALL_TIMERFD_CREATE_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_USEDEFAULT, 0}, {AF_ID_USEDEFAULT, 0} } },
 	[PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_single_x)},
-	[PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_inotify_init_e)},
+	[PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_single_x)},
 	[PPME_SYSCALL_GETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
 	[PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_setrlrimit_x)},

diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -66,7 +66,7 @@
 #define RMDIR_E_SIZE HEADER_LEN
 #define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 2
 #define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
+#define INOTIFY_INIT_E_SIZE HEADER_LEN
 #define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
 #define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c
@@ -24,12 +24,7 @@ int BPF_PROG(inotify_init_e,
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: flags (type: PT_FLAGS8) */
-	/* We have nothing to extract from the kernel here so we send `0`.
-	 * This is done to preserve the `PPME_SYSCALL_INOTIFY_INIT_E` event with 1 param.
-	 */
-	u8 flags = 0;
-	ringbuf__store_u8(&ringbuf, flags);
+	// Here we have no parameters to collect.
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -5489,18 +5489,6 @@ int f_sys_io_uring_register_x (struct event_filler_arguments *args)
 	return add_sentinel(args);
 }
 
-int f_sys_inotify_init_e(struct event_filler_arguments *args)
-{
-	/* Parameter 1: flags (type: PT_FLAGS8) */
-	/* We have nothing to extract from the kernel here so we send `0`.
-	 * This is done to preserve the `PPME_SYSCALL_INOTIFY_INIT_E` event with 1 param.
-	 */
-	int res = val_to_ring(args, 0, 0, true, 0);
-	CHECK_RES(res);
-
-	return add_sentinel(args);
-}
-
 int f_sys_inotify_init1_x(struct event_filler_arguments *args)
 {
 	int res = 0;

diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
@@ -171,7 +171,6 @@ or GPL2.txt for full copies of the license.
 	FN(sys_umount2_e)				\
 	FN(sys_umount2_x)				\
 	FN(sys_pipe2_x)                 \
-	FN(sys_inotify_init_e)          \
 	FN(sys_inotify_init1_x)          \
 	FN(sys_eventfd2_e)          \
 	FN(sys_eventfd2_x)          \

diff --git a/test/drivers/test_suites/syscall_enter_suite/inotify_init_e.cpp b/test/drivers/test_suites/syscall_enter_suite/inotify_init_e.cpp
@@ -31,11 +31,10 @@ TEST(SyscallEnter, inotify_initE)
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	/* Parameter 1: flags (type: PT_FLAGS8) */
-	evt_test->assert_numeric_param(1, (uint8_t)0);
+	// Here we have no parameters to assert.
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(1);
+	evt_test->assert_num_params_pushed(0);
 }
 #endif
diff --git a/userspace/libsinsp/test/events_file.ut.cpp b/userspace/libsinsp/test/events_file.ut.cpp
@@ -190,7 +190,7 @@ TEST_F(sinsp_with_test_input, creates_fd_generic)
 	ASSERT_EQ(get_field_as_string(evt, "fd.num"), "6");
 
 	fd = 7;
-	add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_E, 1, 0);
+	add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_E, 0);
 	evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_X, 1, fd);
 	ASSERT_EQ(get_field_as_string(evt, "fd.type"), "inotify");
 	ASSERT_EQ(get_field_as_string(evt, "fd.typechar"), "i");
@@ -404,7 +404,7 @@ TEST_F(sinsp_with_test_input, inotify_init)
 	int64_t res = 15;
 	uint8_t flags = 79;
 
-	add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_E, 1, flags);
+	add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_E, 0);
 	evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_INOTIFY_INIT_X, 1, res);
 
 	ASSERT_EQ(get_field_as_string(evt, "fd.num"), std::to_string(res));