new(modern_bpf): add rmdir syscall

Signed-off-by: Andrea Terzolo <[email protected]>
falcosecurity · Aug 1, 2022 · 9011ea8 · 9011ea8
1 parent bc90ab1
commit 9011ea8
Show file tree

Hide file tree

Showing 5 changed files with 156 additions and 0 deletions.
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -39,5 +39,6 @@
 #define FCHMOD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
 #define FCHMODAT_E_SIZE HEADER_LEN
 #define MKDIRAT_E_SIZE HEADER_LEN
+#define RMDIR_E_SIZE HEADER_LEN
 
 #endif /* __EVENT_DIMENSIONS_H__ */
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2022 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/variable_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(rmdir_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, RMDIR_E_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_RMDIR_2_E, RMDIR_E_SIZE);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to collect.
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(rmdir_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct auxiliary_map *auxmap = auxmap__get();
+	if(!auxmap)
+	{
+		return 0;
+	}
+
+	auxmap__preload_event_header(auxmap, PPME_SYSCALL_RMDIR_2_X);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	auxmap__store_s64_param(auxmap, ret);
+
+	/* Parameter 2: path (type: PT_CHARBUF) */
+	unsigned long path_pointer = extract__syscall_argument(regs, 0);
+	auxmap__store_charbuf_param(auxmap, path_pointer, USER);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	auxmap__finalize_event_header(auxmap);
+
+	auxmap__submit_event(auxmap);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/test/modern_bpf/test_suites/syscall_enter_suite/rmdir_e.cpp b/test/modern_bpf/test_suites/syscall_enter_suite/rmdir_e.cpp
@@ -0,0 +1,38 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_rmdir
+TEST(SyscallEnter, rmdirE)
+{
+	auto evt_test = new event_test(__NR_rmdir, ENTER_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL  ===========================*/
+
+	const char* path = "*//null";
+	assert_syscall_state(SYSCALL_FAILURE, "rmdir", syscall(__NR_rmdir, path));
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	evt_test->disable_capture();
+
+	evt_test->assert_event_presence();
+
+	if(HasFatalFailure())
+	{
+		return;
+	}
+
+	evt_test->parse_event();
+
+	evt_test->assert_header();
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to assert.
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	evt_test->assert_num_params_pushed(0);
+}
+#endif
diff --git a/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp b/test/modern_bpf/test_suites/syscall_exit_suite/rmdir_x.cpp
@@ -0,0 +1,43 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_rmdir
+TEST(SyscallExit, rmdirX)
+{
+	auto evt_test = new event_test(__NR_rmdir, EXIT_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL  ===========================*/
+
+	const char* path = "*//null";
+	assert_syscall_state(SYSCALL_FAILURE, "rmdir", syscall(__NR_rmdir, path));
+	int64_t errno_value = -errno;
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	evt_test->disable_capture();
+
+	evt_test->assert_event_presence();
+
+	if(HasFatalFailure())
+	{
+		return;
+	}
+
+	evt_test->parse_event();
+
+	evt_test->assert_header();
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO)*/
+	evt_test->assert_numeric_param(1, (int64_t)errno_value);
+
+	/* Parameter 2: path (type: PT_FSPATH) */
+	evt_test->assert_charbuf_param(2, path);
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	evt_test->assert_num_params_pushed(2);
+}
+#endif
diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h
@@ -57,6 +57,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_FCHMODAT_X] = "fchmodat_x",
 	[PPME_SYSCALL_MKDIRAT_E] = "mkdirat_e",
 	[PPME_SYSCALL_MKDIRAT_X] = "mkdirat_x",
+	[PPME_SYSCALL_RMDIR_2_E] = "rmdir_e",
+	[PPME_SYSCALL_RMDIR_2_X] = "rmdir_x",
 };
 
 /* Some events can require more than one bpf program to collect all the data. */