diff --git a/driver/bpf/probe.c b/driver/bpf/probe.c index d10c40d73f..9a0e0e893b 100644 --- a/driver/bpf/probe.c +++ b/driver/bpf/probe.c @@ -50,9 +50,16 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) if (bpf_in_ia32_syscall()) { +#ifdef CONFIG_X86_64 id = convert_ia32_to_64(id); if (id == 0) + { return 0; + } +#else + // TODO: unsupported + return 0; +#endif } #if defined(CAPTURE_SOCKETCALL) && defined(BPF_SUPPORTS_RAW_TRACEPOINTS) @@ -111,9 +118,16 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args) if (bpf_in_ia32_syscall()) { +#ifdef CONFIG_X86_64 id = convert_ia32_to_64(id); - if (id == 0) + if(id == 0) + { return 0; + } +#else + // TODO: unsupported + return 0; +#endif } #if defined(CAPTURE_SOCKETCALL) && defined(BPF_SUPPORTS_RAW_TRACEPOINTS) diff --git a/driver/main.c b/driver/main.c index f9c3a3f5fc..da833e83b0 100644 --- a/driver/main.c +++ b/driver/main.c @@ -2109,6 +2109,25 @@ static inline void g_n_tracepoint_hit_inc(void) #endif } +static inline bool kmod_in_ia32_syscall(void) +{ +#if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0) + if (in_ia32_syscall()) +#else + if (unlikely(task_thread_info(current)->status & TS_COMPAT)) +#endif + return true; +#elif defined(CONFIG_ARM64) + if (unlikely(task_thread_info(current)->flags & _TIF_32BIT)) + return true; +#elif defined(CONFIG_S390) + if (unlikely(task_thread_info(current)->flags & _TIF_31BIT)) + return true; +#endif /* CONFIG_X86_64 */ + return false; +} + TRACEPOINT_PROBE(syscall_enter_probe, struct pt_regs *regs, long id) { struct event_data_t event_data = {}; @@ -2129,24 +2148,20 @@ TRACEPOINT_PROBE(syscall_enter_probe, struct pt_regs *regs, long id) event_data.event_info.syscall_data.id = id; event_data.compat = false; + if (kmod_in_ia32_syscall()) + { #if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION) - /* - * If this is a 32bit syscall running on a 64bit kernel (see the CONFIG_IA32_EMULATION - * kernel flag), we convert it to 64bit syscall. - */ -#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0) - if (in_ia32_syscall()) { -#else - if (unlikely(task_thread_info(current)->status & TS_COMPAT)) { -#endif event_data.compat = true; event_data.event_info.syscall_data.id = g_ia32_64_map[id]; - if (event_data.event_info.syscall_data.id == 0) + if(event_data.event_info.syscall_data.id == 0) { - return; + return; } - } +#else + // TODO: unsupported + return; #endif + } g_n_tracepoint_hit_inc(); @@ -2254,26 +2269,30 @@ TRACEPOINT_PROBE(syscall_exit_probe, struct pt_regs *regs, long ret) event_data.extract_socketcall_params = false; event_data.compat = false; + if (kmod_in_ia32_syscall()) + { #if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION) - /* - * When a process does execve from 64bit to 32bit, TS_COMPAT is marked true - * but the id of the syscall is __NR_execve, so to correctly parse it we need to - * use 64bit syscall table. On 32bit __NR_execve is equal to __NR_ia32_oldolduname - * which is a very old syscall, not used anymore by most applications - */ -#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0) - if (in_ia32_syscall() && event_data.event_info.syscall_data.id != __NR_execve) { -#else - if (unlikely((task_thread_info(current)->status & TS_COMPAT) && event_data.event_info.syscall_data.id != __NR_execve)) { -#endif - event_data.compat = true; - event_data.event_info.syscall_data.id = g_ia32_64_map[event_data.event_info.syscall_data.id]; - if (event_data.event_info.syscall_data.id == 0) + /* + * TODO: is this still needed? Do we need to add execveat too? + * When a process does execve from 64bit to 32bit, TS_COMPAT is marked true + * but the id of the syscall is __NR_execve, so to correctly parse it we need to + * use 64bit syscall table. On 32bit __NR_execve is equal to __NR_ia32_oldolduname + * which is a very old syscall, not used anymore by most applications + */ + if (event_data.event_info.syscall_data.id != __NR_execve) { - return; + event_data.compat = true; + event_data.event_info.syscall_data.id = g_ia32_64_map[event_data.event_info.syscall_data.id]; + if(event_data.event_info.syscall_data.id == 0) + { + return; + } } - } +#else + // TODO: unsupported + return; #endif + } g_n_tracepoint_hit_inc(); diff --git a/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c b/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c index ad45d9ef41..0eef81a603 100644 --- a/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c +++ b/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c @@ -19,11 +19,16 @@ int BPF_PROG(sys_enter, if(syscalls_dispatcher__check_32bit_syscalls()) { +#if defined(__TARGET_ARCH_x86) syscall_id = syscalls_dispatcher__convert_ia32_to_64(syscall_id); if (syscall_id == 0) { return 0; } +#else + // TODO: unsupported + return 0; +#endif } #ifdef CAPTURE_SOCKETCALL diff --git a/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c b/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c index a34c901ad9..66bee9374a 100644 --- a/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c +++ b/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c @@ -21,11 +21,16 @@ int BPF_PROG(sys_exit, if(syscalls_dispatcher__check_32bit_syscalls()) { +#if defined(__TARGET_ARCH_x86) syscall_id = syscalls_dispatcher__convert_ia32_to_64(syscall_id); - if (syscall_id == 0) + if(syscall_id == 0) { return 0; } +#else + // TODO: unsupported + return 0; +#endif } #ifdef CAPTURE_SOCKETCALL