update(setrlimit): update args in setrlimit exit event
Signed-off-by: rohith-raju <[email protected]>
Rohith-Raju committed Sep 12, 2023
1 parent eaf6490 commit af74c01
Showing 6 changed files with 31 additions and 28 deletions.
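--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -1047,6 +1047,11 @@ FILLER(sys_getrlimit_setrlrimit_x, true)
 res = bpf_push_s64_to_ring(data, retval);
 CHECK_RES(res);
 
+/* Parameter 2: resource (type: PT_ERRNO) */
+unsigned long resource = bpf_syscall_get_argument(data, 0);
+res = bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource));
+CHECK_RES(res);
+
 /*
 * Copy the user structure and extract cur and max
 */
@@ -1065,15 +1070,11 @@ FILLER(sys_getrlimit_setrlrimit_x, true)
 max = -1;
 }
 
-/*
-* cur
-*/
+/* Parameter 3: resource (type: PT_ERRNO) */
 res = bpf_push_s64_to_ring(data, cur);
 CHECK_RES(res);
 
-/*
-* max
-*/
+/* Parameter 4: resource (type: PT_ERRNO) */
 return bpf_push_s64_to_ring(data, max);
 }
 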
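Review bot: The filler changed here is shared by name between getrlimit and setrlimit (`sys_getrlimit_setrlrimit_x`), so the new `bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource))` adds a fourth parameter for every event routed to it, while driver/event_table.c in this commit raises only `PPME_SYSCALL_SETRLIMIT_X` to 4 and leaves `PPME_SYSCALL_GETRLIMIT_X` at 3. The event-to-filler mapping is not among the six changed files, so if getrlimit exit still uses this filler it would emit a parameter the table does not declare; the same applies to `f_sys_getrlimit_setrlrimit_x` in driver/ppm_fillers.c. Either give `PPME_SYSCALL_GETRLIMIT_X` the same `{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}` entry or split the filler so that only setrlimit pushes it. The filler body starts before the first hunk.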
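--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -192,7 +192,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_GETRLIMIT_E] = {"getrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
 [PPME_SYSCALL_GETRLIMIT_X] = {"getrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
 [PPME_SYSCALL_SETRLIMIT_E] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 1, {{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
-[PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
+[PPME_SYSCALL_SETRLIMIT_X] = {"setrlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}, {"cur", PT_INT64, PF_DEC}, {"max", PT_INT64, PF_DEC} } },
 [PPME_SYSCALL_PRLIMIT_E] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 2, {{"pid", PT_PID, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources} } },
 [PPME_SYSCALL_PRLIMIT_X] = {"prlimit", EC_PROCESS | EC_SYSCALL, EF_NONE, 7, {{"res", PT_ERRNO, PF_DEC}, {"pid", PT_INT64, PF_DEC}, {"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}, {"newcur", PT_INT64, PF_DEC}, {"newmax", PT_INT64, PF_DEC}, {"oldcur", PT_INT64, PF_DEC}, {"oldmax", PT_INT64, PF_DEC}} },
 [PPME_SCHEDSWITCH_1_E] = {"switch", EC_SCHEDULER | EC_TRACEPOINT, EF_SKIPPARSERESET | EF_OLD_VERSION, 1, {{"next", PT_PID, PF_DEC} } },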
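Review bot: Inserting `resource` as the second parameter of `PPME_SYSCALL_SETRLIMIT_X` moves `cur` and `max` from positions 2 and 3 to positions 3 and 4, which changes the layout seen by any parser or detection rule that reads setrlimit exit events by index, and by anything replaying captures written with the three-parameter layout. None of the six changed files looks like a schema or API version marker, so if the project keeps one for the event table it probably needs a bump together with this line. A one-line comment on the entry recording that `resource` was added on the exit side would also help whoever later compares it with the unchanged `PPME_SYSCALL_GETRLIMIT_X` entry above.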
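--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@@ -136,7 +136,7 @@
 #define SETSID_E_SIZE HEADER_LEN
 #define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
-#define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
+#define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
 #define PRLIMIT64_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
 #define PRLIMIT64_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
 #define GETSOCKOPT_E_SIZE HEADER_LEN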
@@ -57,14 +57,18 @@ int BPF_PROG(setrlimit_x,
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);

/* Parameter 2: resource (type: PT_ENUMFLAGS8) */
unsigned long resource = extract__syscall_argument(regs, 0);
ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));

struct rlimit rl = {0};
unsigned long rlimit_pointer = extract__syscall_argument(regs, 1);
bpf_probe_read_user((void *)&rl, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer);

/* Parameter 2: cur (type: PT_INT64)*/
/* Parameter 3: cur (type: PT_INT64)*/
ringbuf__store_s64(&ringbuf, rl.rlim_cur);

/* Parameter 3: max (type: PT_INT64)*/
/* Parameter 4: max (type: PT_INT64)*/
ringbuf__store_s64(&ringbuf, rl.rlim_max);

/*=============================== COLLECT PARAMETERS ===========================*/
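Review bot: The `bpf_probe_read_user` call that fills `rl` is not checked, so when the user pointer cannot be read the event reports `cur` and `max` as 0 from the `struct rlimit rl = {0}` initialiser, which a consumer cannot tell apart from a real limit of zero. The other two drivers appear to fall back to -1 in that case (`max = -1;` is visible in driver/bpf/fillers.h and driver/ppm_fillers.c), so the three probes would describe the same failed call differently. These lines are unchanged context, but since the commit already reworks this parameter block, consider testing the return value and storing -1 for both fields on failure, e.g. `if(bpf_probe_read_user((void *)&rl, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer) != 0)` followed by the two -1 stores. The program body starts and ends outside the hunk.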
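--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -4283,13 +4283,15 @@ int f_sys_getrlimit_setrlrimit_x(struct event_filler_arguments *args)
 int64_t cur;
 int64_t max;
 
-/*
-* res
-*/
+/* Parameter 1: res */
 retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
 res = val_to_ring(args, retval, 0, false, 0);
-if (unlikely(res != PPM_SUCCESS))
-return res;
+CHECK_RES(res);
+
+/* Parameter 2: resource */
+syscall_get_arguments_deprecated(args, 0, 1, &val);
+res = val_to_ring(args, rlimit_resource_to_scap(val), 0, false, 0);
+CHECK_RES(res);
 
 /*
 * Copy the user structure and extract cur and max
@@ -4317,19 +4319,13 @@ int f_sys_getrlimit_setrlrimit_x(struct event_filler_arguments *args)
 max = -1;
 }
 
-/*
-* cur
-*/
+/* Parameter 3: resource */
 res = val_to_ring(args, cur, 0, false, 0);
-if (unlikely(res != PPM_SUCCESS))
-return res;
+CHECK_RES(res);
 
-/*
-* max
-*/
+/* Parameter 4: resource */
 res = val_to_ring(args, max, 0, false, 0);
-if (unlikely(res != PPM_SUCCESS))
-return res;
+CHECK_RES(res);
 
 return add_sentinel(args);
 }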
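Review bot: The new comments above the last two pushes are mislabelled: `/* Parameter 3: resource */` sits over `val_to_ring(args, cur, 0, false, 0)` and `/* Parameter 4: resource */` over `val_to_ring(args, max, 0, false, 0)`. They should read `/* Parameter 3: cur (type: PT_INT64) */` and `/* Parameter 4: max (type: PT_INT64) */`, matching the entry in driver/event_table.c. driver/bpf/fillers.h carries the same copy-paste, and there all three new comments also give the type as PT_ERRNO, whereas parameter 2 is PT_ENUMFLAGS8 and parameters 3 and 4 are PT_INT64.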
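--- a/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp
+++ b/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp
@@ -39,14 +39,16 @@ TEST(SyscallExit, setrlimitX)
 /* Parameter 1: res (type: PT_ERRNO) */
 evt_test->assert_numeric_param(1, (int64_t)errno_value);
 
+evt_test->assert_numeric_param(2, (uint8_t)resource);
+
 /* Parameter 2: cur (type: PT_INT64) */
-evt_test->assert_numeric_param(2, (int64_t)rlim.rlim_cur);
+evt_test->assert_numeric_param(3, (int64_t)rlim.rlim_cur);
 
 /* Parameter 3: max (type: PT_INT64) */
-evt_test->assert_numeric_param(3, (int64_t)rlim.rlim_max);
+evt_test->assert_numeric_param(4, (int64_t)rlim.rlim_max);
 
 /*=============================== ASSERT PARAMETERS ===========================*/
 
-evt_test->assert_num_params_pushed(3);
+evt_test->assert_num_params_pushed(4);
 }
 #endif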
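Review bot: The new `assert_numeric_param(2, (uint8_t)resource)` compares against the raw syscall argument, while all three drivers push `rlimit_resource_to_scap(resource)`, so the assertion holds only as long as the two encodings happen to agree for the value used; `resource` is defined outside the hunk, so that cannot be confirmed here. Asserting against the scap-side constant for that resource would actually exercise the mapping. The line also has no label, and the two comments below it still say `Parameter 2: cur` and `Parameter 3: max`; add `/* Parameter 2: resource (type: PT_ENUMFLAGS8) */` and renumber the other two to 3 and 4.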
