diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
index 10c2c0c3d6..46b81d815a 100644
--- a/driver/SCHEMA_VERSION
+++ b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-2.10.0
+2.11.0
diff --git a/driver/event_table.c b/driver/event_table.c
index fe02696526..c5a7693af3 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -347,7 +347,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_SETPGID_X] = {"setpgid", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_PID, PF_DEC} } },
 [PPME_SYSCALL_BPF_E] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_OLD_VERSION, 1, {{"cmd", PT_INT64, PF_DEC} } },
 [PPME_SYSCALL_BPF_X] = {"bpf", EC_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_OLD_VERSION, 1, {{"res_or_fd", PT_DYN, PF_DEC, bpf_dynamic_param, PPM_BPF_IDX_MAX} } },
- [PPME_SYSCALL_SECCOMP_E] = {"seccomp", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"op", PT_UINT64, PF_DEC}, {"flags", PT_UINT64, PF_HEX} } },
+ [PPME_SYSCALL_SECCOMP_E] = {"seccomp", EC_OTHER | EC_SYSCALL, EF_NONE, 2, {{"op", PT_UINT64, PF_DEC}, {"flags", PT_UINT64, PF_HEX} } },
 [PPME_SYSCALL_SECCOMP_X] = {"seccomp", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 [PPME_SYSCALL_UNLINK_2_E] = {"unlink", EC_FILE | EC_SYSCALL, EF_NONE, 0},
 [PPME_SYSCALL_UNLINK_2_X] = {"unlink", EC_FILE | EC_SYSCALL, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
diff --git a/driver/fillers_table.c b/driver/fillers_table.c
index 6caf9511ac..ffbcc85f29 100644
--- a/driver/fillers_table.c
+++ b/driver/fillers_table.c
@@ -254,7 +254,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 #endif
 [PPME_SYSCALL_BPF_2_E] = {FILLER_REF(sys_bpf_e)},
 [PPME_SYSCALL_BPF_2_X] = {FILLER_REF(sys_bpf_x)},
- [PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}, {1} } },
+ [PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1} } },
 [PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL} } },
 [PPME_SYSCALL_UNLINK_2_E] = {FILLER_REF(sys_empty)},
 [PPME_SYSCALL_UNLINK_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0} } },
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
index f3f99a4640..b512d7b096 100644
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@@ -80,7 +80,7 @@
 #define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
 #define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
+#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
 #define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
 #define CAPSET_E_SIZE HEADER_LEN
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/seccomp.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/seccomp.bpf.c
index 4a24166312..e6f3ef3f81 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/seccomp.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/seccomp.bpf.c
@@ -28,6 +28,9 @@ int BPF_PROG(seccomp_e,
 u64 operation = (u64)extract__syscall_argument(regs, 0);
 ringbuf__store_u64(&ringbuf, operation);
+ u32 flags = (u32)extract__syscall_argument(regs, 1);
+ ringbuf__store_u64(&ringbuf, (u64)flags);
+
 /*=============================== COLLECT PARAMETERS ===========================*/
 ringbuf__submit_event(&ringbuf);
diff --git a/test/drivers/test_suites/syscall_enter_suite/seccomp_e.cpp b/test/drivers/test_suites/syscall_enter_suite/seccomp_e.cpp
index fcb9e7bcc4..7293cc2aea 100644
--- a/test/drivers/test_suites/syscall_enter_suite/seccomp_e.cpp
+++ b/test/drivers/test_suites/syscall_enter_suite/seccomp_e.cpp
@@ -13,7 +13,7 @@ TEST(SyscallEnter, seccompE)
 /*=============================== TRIGGER SYSCALL ===========================*/
 uint32_t operation = SECCOMP_SET_MODE_FILTER;
- uint32_t flags = 0;
+ uint32_t flags = 32;
 void* args = NULL;
 assert_syscall_state(SYSCALL_FAILURE, "seccomp", syscall(__NR_seccomp, operation, flags, args));
@@ -37,8 +37,11 @@ TEST(SyscallEnter, seccompE)
 /* Parameter 1: operation (type: PT_UINT64) */
 evt_test->assert_numeric_param(1, (uint64_t)operation);
+ /* Parameter 2: flags (type: PT_UINT64) */
+ evt_test->assert_numeric_param(2, (uint64_t)flags);
+
 /*=============================== ASSERT PARAMETERS ===========================*/
- evt_test->assert_num_params_pushed(1);
+ evt_test->assert_num_params_pushed(2);
 }
 #endif
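Review bot: The added `u32 flags = (u32)extract__syscall_argument(regs, 1);` narrows the second argument to 32 bits while the line above keeps `operation` as a full u64, and neither new line carries the `/* Parameter N: ... (type: PT_UINT64) */` header that the test added in this same commit uses for both parameters. If the narrowing is deliberate because the kernel declares both `op` and `flags` of seccomp(2) as `unsigned int` (as I recall), then `operation` deserves the same treatment so the event never reports high bits the kernel ignores, and the reason should be written down; otherwise the cast can simply be dropped. I would add `/* Parameter 2: flags (type: PT_UINT64) */` above the new lines and a short note such as `/* kernel reads only the low 32 bits of flags */` next to the cast. Since `flags` is declared PF_HEX in event_table.c, keeping the stored value faithful to what the kernel actually acted on is what makes the parameter useful for telling filter installs apart. The enclosing `BPF_PROG(seccomp_e, ...)` begins before and ends after this hunk.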
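Review bot: `uint32_t flags = 32;` in the TRIGGER SYSCALL hunk is a magic number with nothing saying why 32 was chosen; the call is asserted to fail, so the value only has to survive the round trip into the event and be read back by `assert_numeric_param(2, ...)` in the second hunk. As far as I recall, 32 also coincides with a real SECCOMP_FILTER_FLAG_* bit on recent kernels, so the reason the syscall fails may differ between kernel versions even though the assertion holds either way. I would write `uint32_t flags = 32; /* arbitrary non-zero value: the call is expected to fail, it is only checked for round-trip */` so a future reader does not mistake it for a meaningful flag set. The `TEST(SyscallEnter, seccompE)` body starts before and ends after both hunks.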