diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index b868fffe82e..01e1ae1aa5d 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -5795,8 +5795,8 @@ FILLER(sys_bpf_x, true)
 bpf_push_s64_to_ring(data, fd);
 /* Parameter 2: cmd (type: PT_INT32) */
- int32_t cmd = (int32_t)bpf_syscall_get_argument(data, 0);
- return bpf_push_s32_to_ring(data, cmd);
+ unsigned long cmd = bpf_syscall_get_argument(data, 0);
+ return bpf_push_s32_to_ring(data, (int32_t)bpf_cmd_to_scap(cmd));
 }
 FILLER(sys_unlinkat_x, true)
diff --git a/driver/event_table.c b/driver/event_table.c
index 6d6e23fd2e4..a3b66769e02 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -419,7 +419,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_DUP_1_E] = {"dup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
 [PPME_SYSCALL_DUP_1_X] = {"dup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_FD, PF_DEC}, {"oldfd", PT_FD, PF_DEC} } },
 [PPME_SYSCALL_BPF_2_E] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 1, {{"cmd", PT_INT64, PF_DEC} } },
- [PPME_SYSCALL_BPF_2_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 2, { {"fd", PT_FD, PF_DEC}, {"cmd",PT_INT32, PF_DEC} } },
+ [PPME_SYSCALL_BPF_2_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD, 2, { {"fd", PT_FD, PF_DEC}, {"cmd", PT_FLAGS32, PF_DEC, bpf_commands} } },
 [PPME_SYSCALL_MLOCK2_E] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 0},
 [PPME_SYSCALL_MLOCK2_X] = {"mlock2", EC_MEMORY | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_UINT64, PF_HEX}, {"len", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX, mlock2_flags}}},
 [PPME_SYSCALL_FSCONFIG_E] = {"fsconfig", EC_SYSTEM | EC_SYSCALL, EF_NONE, 0},
diff --git a/driver/flags_table.c b/driver/flags_table.c
index 595d3f2448b..13cffb813eb 100644
--- a/driver/flags_table.c
+++ b/driver/flags_table.c
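Review bot: The comment above the changed lines in driver/bpf/fillers.h still reads `/* Parameter 2: cmd (type: PT_INT32) */`, but this commit redeclares the parameter as `PT_FLAGS32` in driver/event_table.c, so the comment now contradicts the event schema. It should become `/* Parameter 2: cmd (type: PT_FLAGS32) */`. The same stale comment sits in the bpf.bpf.c hunk and in the second bpf_x.cpp hunk, and the ppm_fillers.c hunk says `PT_INT64`. The body of `FILLER(sys_bpf_x, true)` starts outside the hunk.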
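Review bot: `PT_FLAGS32` on the new `PPME_SYSCALL_BPF_2_X` line declares `cmd` as a bitmask, but the bpf command is an enumeration with consecutive values (0 to 5 in the `PPM_BPF_*` defines this commit adds). If the consumer decodes the table bit by bit, which this page does not show, 5 (`BPF_PROG_LOAD`) would also match the entries for 1 and 4 and 0 (`BPF_MAP_CREATE`) could never match by masking, so rules keyed on the decoded command name would be unreliable. An enumeration parameter type fits better if the tree has one, for example `{"cmd", PT_ENUMFLAGS32, PF_DEC, bpf_commands}`. The enter event on the context line above still carries `cmd` as raw `PT_INT64`, so the two halves of the event report the command in different forms.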
@@ -709,3 +709,12 @@ const struct ppm_name_value mknod_mode[] = {
 {0, 0},
 };
+const struct ppm_name_value bpf_commands[] = {
+ {"BPF_MAP_CREATE", PPM_BPF_MAP_CREATE},
+ {"BPF_MAP_LOOKUP_ELEM", PPM_BPF_MAP_LOOKUP_ELEM},
+ {"BPF_MAP_UPDATE_ELEM", PPM_BPF_MAP_UPDATE_ELEM},
+ {"BPF_MAP_DELETE_ELEM", PPM_BPF_MAP_DELETE_ELEM},
+ {"BPF_MAP_GET_NEXT_KEY", PPM_BPF_MAP_GET_NEXT_KEY},
+ {"BPF_PROG_LOAD", PPM_BPF_PROG_LOAD},
+ {0,0},
+};
\ No newline at end of file
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c
index a481f74fc6a..5e0c75cb0ef 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bpf.bpf.c
@@ -59,8 +59,8 @@ int BPF_PROG(bpf_x,
 ringbuf__store_s64(&ringbuf, ret);
 /* Parameter 2: cmd (type: PT_INT32) */
- int32_t cmd = (int32_t)extract__syscall_argument(regs, 0);
- ringbuf__store_s32(&ringbuf, cmd);
+ unsigned long cmd = extract__syscall_argument(regs, 0);
+ ringbuf__store_s32(&ringbuf,(int32_t)bpf_cmd_to_scap(cmd));
 /*=============================== COLLECT PARAMETERS ===========================*/
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
index 24c2547314d..4b227e02378 100644
--- a/driver/ppm_events_public.h
+++ b/driver/ppm_events_public.h
@@ -798,6 +798,16 @@ or GPL2.txt for full copies of the license.
 #define PPM_MODULE_INIT_IGNORE_VERMAGIC 2
 #define PPM_MODULE_INIT_COMPRESSED_FILE 4
+/*
+ * bpf_commands
+*/
+#define PPM_BPF_MAP_CREATE 0
+#define PPM_BPF_MAP_LOOKUP_ELEM 1
+#define PPM_BPF_MAP_UPDATE_ELEM 2
+#define PPM_BPF_MAP_DELETE_ELEM 3
+#define PPM_BPF_MAP_GET_NEXT_KEY 4
+#define PPM_BPF_PROG_LOAD 5
+
 /*
 * Get/set the timerslack as used by poll/select/nanosleep
 * A value of 0 means "use default"
@@ -2154,10 +2164,10 @@ extern const struct ppm_name_value fchownat_flags[];
 extern const struct ppm_name_value prctl_options[];
 extern const struct ppm_name_value memfd_create_flags[];
 extern const struct ppm_name_value pidfd_open_flags[];
+extern const struct ppm_name_value bpf_commands[];
 extern const struct ppm_param_info sockopt_dynamic_param[];
 extern const struct ppm_param_info ptrace_dynamic_param[];
 extern const struct ppm_param_info bpf_dynamic_param[];
-
 /*!
 \brief Process information as returned by the PPM_IOCTL_GET_PROCLIST IOCTL.
 */
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index b32f9464907..f7fe847c19c 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -6732,7 +6732,7 @@ int f_sys_bpf_x(struct event_filler_arguments *args)
 /* Parameter 2: cmd (type: PT_INT64) */
 syscall_get_arguments_deprecated(args, 0, 1, &val);
- cmd = (int32_t)val;
+ cmd = (int32_t)bpf_cmd_to_scap(val);
 res = val_to_ring(args, cmd, 0, false, 0);
 CHECK_RES(res);
 return add_sentinel(args);
diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h
index 3763f07b188..c77ff686b8b 100644
--- a/driver/ppm_flag_helpers.h
+++ b/driver/ppm_flag_helpers.h
@@ -2201,4 +2201,34 @@ static __always_inline uint32_t mknod_mode_to_scap(uint32_t modes)
 return res;
 }
-#endif /* PPM_FLAG_HELPERS_H_ */
+static __always_inline uint32_t bpf_cmd_to_scap (unsigned long cmd){
+ switch (cmd)
+ {
+#ifdef BPF_MAP_CREATE
+ case BPF_MAP_CREATE:
+ return PPM_BPF_MAP_CREATE;
+#endif
+#ifdef BPF_MAP_LOOKUP_ELEM
+ case BPF_MAP_LOOKUP_ELEM:
+ return PPM_BPF_MAP_LOOKUP_ELEM;
+#endif
+#ifdef BPF_MAP_UPDATE_ELEM
+ case BPF_MAP_UPDATE_ELEM:
+ return PPM_BPF_MAP_UPDATE_ELEM;
+#endif
+#ifdef BPF_MAP_DELETE_ELEM
+ case BPF_MAP_DELETE_ELEM:
+ return PPM_BPF_MAP_DELETE_ELEM;
+#endif
+#ifdef BPF_MAP_GET_NEXT_KEY
+ case BPF_MAP_GET_NEXT_KEY:
+ return PPM_BPF_MAP_GET_NEXT_KEY;
+#endif
+#ifdef BPF_PROG_LOAD
+ case BPF_PROG_LOAD:
+ return PPM_BPF_PROG_LOAD;
+#endif
+ }
+ return cmd;
+}
+#endif /* PPM_FLAG_HELPERS_H_ */
\ No newline at end of file
diff --git a/test/drivers/test_suites/syscall_exit_suite/bpf_x.cpp b/test/drivers/test_suites/syscall_exit_suite/bpf_x.cpp
index 238094d7d7c..3c73bda4669 100644
--- a/test/drivers/test_suites/syscall_exit_suite/bpf_x.cpp
+++ b/test/drivers/test_suites/syscall_exit_suite/bpf_x.cpp
@@ -90,7 +90,7 @@ TEST(SyscallExit, bpfX_MAP_CREATE)
 /*=============================== TRIGGER SYSCALL ===========================*/
- int32_t cmd = 1;
+ int32_t cmd = BPF_MAP_CREATE;
 union bpf_attr *attr = NULL;
@@ -148,7 +148,7 @@ TEST(SyscallExit, bpfX_MAP_CREATE)
 /* Parameter 1: fd (type: PT_FD) */
 evt_test->assert_numeric_param(1, errno_value);
 /* Parameter 2: cmd (type: PT_INT32)*/
- evt_test->assert_numeric_param(2, cmd);
+ evt_test->assert_numeric_param(2, PPM_BPF_MAP_CREATE);
 /*=============================== ASSERT PARAMETERS ===========================*/
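Review bot: The `#ifdef BPF_MAP_CREATE` through `#ifdef BPF_PROG_LOAD` guards in `bpf_cmd_to_scap` test for preprocessor macros, but in the kernel's uapi header these commands are enumerators of `enum bpf_cmd`, so unless another header in this tree defines them as macros every `case` is compiled out and the function reduces to `return cmd;`. That value is then narrowed from `unsigned long` to `uint32_t`, and it only looks correct because the `PPM_BPF_*` values added in ppm_events_public.h equal the kernel's. Either drop the guards so the switch is real, or state the identity mapping openly, `return (uint32_t)cmd; /* enum bpf_cmd is uapi and arch-independent: mapped 1:1, unmapped commands pass through as raw numbers */`. Commands past `BPF_PROG_LOAD` have no entry in `bpf_commands`, so they reach consumers as bare numbers with no name to match on.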
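Review bot: The new assertion `evt_test->assert_numeric_param(2, PPM_BPF_MAP_CREATE);` cannot tell a working translation from a plain pass-through, because `PPM_BPF_MAP_CREATE` and the kernel's `BPF_MAP_CREATE` are both 0. A second test that issues a non-zero command from the table, and one that issues a command outside it, would pin both the mapped path and the fallback `return cmd;` of `bpf_cmd_to_scap`. The comment `/* Parameter 2: cmd (type: PT_INT32)*/` should read `PT_FLAGS32` to match the event table. The test body starts and ends outside both hunks of this file.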