falcosecurity · poiana · Nov 20, 2024 · Oct 16, 2024 · Nov 6, 2024 · Nov 6, 2024
diff --git a/driver/bpf/probe.c b/driver/bpf/probe.c
@@ -254,7 +254,7 @@ BPF_PROBE("sched/", sched_switch, sched_switch_args) {
 
 	evt_type = PPME_SCHEDSWITCH_6_E;
 
-	call_filler(ctx, ctx, evt_type, 0, -1);
+	call_filler(ctx, ctx, evt_type, UF_ALWAYS_DROP, -1);
 	return 0;
 }
 

diff --git a/driver/main.c b/driver/main.c
@@ -2393,7 +2393,7 @@ TRACEPOINT_PROBE(sched_switch_probe,
 	 * handler calling printk() and potentially deadlocking the system.
 	 */
 	record_event_all_consumers(PPME_SCHEDSWITCH_6_E,
-	                           UF_USED | UF_ATOMIC,
+	                           UF_ALWAYS_DROP | UF_ATOMIC,
 	                           &event_data,
 	                           KMOD_PROG_SCHED_SWITCH);
 }

diff --git a/driver/modern_bpf/helpers/base/maps_getters.h b/driver/modern_bpf/helpers/base/maps_getters.h
@@ -85,11 +85,6 @@ static __always_inline uint8_t maps__64bit_sampling_syscall_table(uint32_t sysca
 	return g_64bit_sampling_syscall_table[syscall_id & (SYSCALL_TABLE_SIZE - 1)];
 }
 
-static __always_inline uint8_t maps__64bit_sampling_tracepoint_table(uint32_t event_id) {
-	return g_64bit_sampling_tracepoint_table[event_id < PPM_EVENT_MAX ? event_id
-	                                                                  : PPM_EVENT_MAX - 1];
-}
-
 /*=============================== SAMPLING TABLES ===========================*/
 
 /*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/

diff --git a/driver/modern_bpf/helpers/extract/extract_from_kernel.h b/driver/modern_bpf/helpers/extract/extract_from_kernel.h
@@ -374,15 +374,15 @@ static __always_inline uint64_t extract__capability(struct task_struct *task,
 
 	switch(capability_type) {
 	case CAP_INHERITABLE:
-		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_inheritable);
+		BPF_CORE_READ_INTO(&cap_struct, task, cred, cap_inheritable);
 		break;
 
 	case CAP_PERMITTED:
-		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_permitted);
+		BPF_CORE_READ_INTO(&cap_struct, task, cred, cap_permitted);
 		break;
 
 	case CAP_EFFECTIVE:
-		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_effective);
+		BPF_CORE_READ_INTO(&cap_struct, task, cred, cap_effective);
 		break;
 
 	default:
@@ -729,7 +729,7 @@ static __always_inline unsigned long extract__clone_flags(struct task_struct *ta
  */
 static __always_inline void extract__euid(struct task_struct *task, uint32_t *euid) {
 	*euid = UINT32_MAX;
-	READ_TASK_FIELD_INTO(euid, task, cred, euid.val);
+	BPF_CORE_READ_INTO(euid, task, cred, euid.val);
 }
 
 /**
@@ -739,7 +739,7 @@ static __always_inline void extract__euid(struct task_struct *task, uint32_t *eu
  * @param egid return value by reference
  */
 static __always_inline void extract__egid(struct task_struct *task, uint32_t *egid) {
-	READ_TASK_FIELD_INTO(egid, task, cred, egid.val);
+	BPF_CORE_READ_INTO(egid, task, cred, egid.val);
 }
 
 /////////////////////////
@@ -885,7 +885,7 @@ static __always_inline uint32_t bpf_map_id_up(struct uid_gid_map *map, uint32_t
 
 static __always_inline bool groups_search(struct task_struct *task, uint32_t grp) {
 	struct group_info *group_info = NULL;
-	READ_TASK_FIELD_INTO(&group_info, task, cred, group_info);
+	BPF_CORE_READ_INTO(&group_info, task, cred, group_info);
 	if(!group_info) {
 		return false;
 	}
@@ -934,8 +934,8 @@ static __always_inline bool extract__exe_writable(struct task_struct *task, stru
 
 	uint32_t fsuid;
 	uint32_t fsgid;
-	READ_TASK_FIELD_INTO(&fsuid, task, cred, fsuid.val);
-	READ_TASK_FIELD_INTO(&fsgid, task, cred, fsgid.val);
+	BPF_CORE_READ_INTO(&fsuid, task, cred, fsuid.val);
+	BPF_CORE_READ_INTO(&fsgid, task, cred, fsgid.val);
 
 	/* HAS_UNMAPPED_ID() */
 	if(i_uid == -1 || i_gid == -1) {
@@ -978,15 +978,15 @@ static __always_inline bool extract__exe_writable(struct task_struct *task, stru
 	}
 
 	struct user_namespace *ns;
-	READ_TASK_FIELD_INTO(&ns, task, cred, user_ns);
+	BPF_CORE_READ_INTO(&ns, task, cred, user_ns);
 	if(ns == NULL) {
 		return false;
 	}
 	bool kuid_mapped = bpf_map_id_up(&ns->uid_map, i_uid) != (uint32_t)-1;
 	bool kgid_mapped = bpf_map_id_up(&ns->gid_map, i_gid) != (uint32_t)-1;
 
 	kernel_cap_t cap_struct = {0};
-	READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_effective);
+	BPF_CORE_READ_INTO(&cap_struct, task, cred, cap_effective);
 	// Kernel 6.3 changed the kernel_cap_struct type from uint32_t[2] to uint64_t.
 	// Luckily enough, it also changed field name from cap to val.
 	if(bpf_core_field_exists(((struct kernel_cap_struct *)0)->cap)) {

diff --git a/driver/modern_bpf/helpers/interfaces/attached_programs.h b/driver/modern_bpf/helpers/interfaces/attached_programs.h
@@ -10,17 +10,11 @@
 
 #include <helpers/base/maps_getters.h>
 
-/* This enum is used to tell if we are considering a syscall or a tracepoint */
-enum intrumentation_type {
-	MODERN_BPF_SYSCALL = 0,
-	MODERN_BPF_TRACEPOINT = 1,
-};
-
 /* The sampling logic is used by all BPF programs attached to the kernel.
  * We treat the syscalls tracepoints in a dedicated way because they could generate
  * more than one event (1 for each syscall) for this reason we need a dedicated table.
  */
-static __always_inline bool sampling_logic(void* ctx, uint32_t id, enum intrumentation_type type) {
+static __always_inline bool sampling_logic(void* ctx, uint32_t id) {
 	/* If dropping mode is not enabled we don't perform any sampling
 	 * false: means don't drop the syscall
 	 * true: means drop the syscall
@@ -29,16 +23,7 @@ static __always_inline bool sampling_logic(void* ctx, uint32_t id, enum intrumen
 		return false;
 	}
 
-	uint8_t sampling_flag = 0;
-
-	/* If we have a syscall we use the sampling_syscall_table otherwise
-	 * with tracepoints we use the sampling_tracepoint_table.
-	 */
-	if(type == MODERN_BPF_SYSCALL) {
-		sampling_flag = maps__64bit_sampling_syscall_table(id);
-	} else {
-		sampling_flag = maps__64bit_sampling_tracepoint_table(id);
-	}
+	uint8_t sampling_flag = maps__64bit_sampling_syscall_table(id);
 
 	if(sampling_flag == UF_NEVER_DROP) {
 		return false;
@@ -59,15 +44,15 @@ static __always_inline bool sampling_logic(void* ctx, uint32_t id, enum intrumen
 			 * an iteration we will synchronize again the next time the logic is enabled.
 			 */
 			maps__set_is_dropping(true);
-			bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_DROP_E);
+			bpf_tail_call(ctx, &extra_syscall_calls, T1_DROP_E);
 			bpf_printk("unable to tail call into 'drop_e' prog");
 		}
 		return true;
 	}
 
 	if(maps__get_is_dropping()) {
 		maps__set_is_dropping(false);
-		bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_DROP_X);
+		bpf_tail_call(ctx, &extra_syscall_calls, T1_DROP_X);
 		bpf_printk("unable to tail call into 'drop_x' prog");
 	}
 

diff --git a/driver/modern_bpf/helpers/store/auxmap_store_params.h b/driver/modern_bpf/helpers/store/auxmap_store_params.h
@@ -117,13 +117,12 @@ static __always_inline void auxmap__finalize_event_header(struct auxiliary_map *
  * of events sent to userspace, otherwise we increment the dropped events.
  *
  * @param auxmap pointer to the auxmap in which we have already written the entire event.
- * @param ctx BPF prog context
  */
-static __always_inline void auxmap__submit_event(struct auxiliary_map *auxmap, void *ctx) {
+static __always_inline void auxmap__submit_event(struct auxiliary_map *auxmap) {
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
-		bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_HOTPLUG_E);
-		bpf_printk("failed to tail call into the 'hotplug' prog");
+		// this should never happen because we check it in sys_enter/sys_exit
+		bpf_printk("FAILURE: unable to obtain the ring buffer");
 		return;
 	}
 

diff --git a/driver/modern_bpf/helpers/store/ringbuf_store_params.h b/driver/modern_bpf/helpers/store/ringbuf_store_params.h
@@ -90,18 +90,16 @@ struct ringbuf_struct {
  * to know the event dimension at compile time.
  *
  * @param ringbuf pointer to the `ringbuf_struct`
- * @param ctx BPF prog context
  * @param event_size exact size of the fixed-size event
  * @return `1` in case of success, `0` in case of failure.
  */
 static __always_inline uint32_t ringbuf__reserve_space(struct ringbuf_struct *ringbuf,
-                                                       void *ctx,
                                                        uint32_t event_size,
                                                        uint16_t event_type) {
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
-		bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_HOTPLUG_E);
-		bpf_printk("failed to tail call into the 'hotplug' prog");
+		// this should never happen because we check it in sys_enter/sys_exit
+		bpf_printk("FAILURE: unable to obtain the ring buffer");
 		return 0;
 	}
 

diff --git a/driver/modern_bpf/maps/maps.h b/driver/modern_bpf/maps/maps.h
@@ -65,15 +65,6 @@ __weak bool g_64bit_interesting_syscalls_table[SYSCALL_TABLE_SIZE];
  */
 __weak uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
 
-/**
- * @brief Given the tracepoint enum returns:
- * - `UF_NEVER_DROP` if the syscall must not be dropped in the sampling logic.
- * - `UF_ALWAYS_DROP` if the syscall must always be dropped in the sampling logic.
- * - `UF_NONE` if we drop the syscall depends on the sampling ratio.
- */
-/// TOOD: we need to change the dimension! we need to create a dedicated enum for tracepoints!
-__weak uint8_t g_64bit_sampling_tracepoint_table[PPM_EVENT_MAX];
-
 /**
  * @brief Given the syscall id on 32-bit x86 arch returns
  * its x64 value. Used to support ia32 syscall emulation.
@@ -131,15 +122,15 @@ struct {
  * programs directly attached in the kernel (like page_faults,
  * context_switch, ...) and by syscall_events (like
  * ppme_syscall_execveat_x, ...).
- * Given a predefined tail-code (`extra_event_prog_code`), it calls
+ * Given a predefined tail-code (`extra_syscall_codes`), it calls
  * the right bpf program.
  */
 struct {
 	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
 	__uint(max_entries, TAIL_EXTRA_EVENT_PROG_MAX);
 	__type(key, uint32_t);
 	__type(value, uint32_t);
-} extra_event_prog_tail_table __weak SEC(".maps");
+} extra_syscall_calls __weak SEC(".maps");
 
 /*=============================== BPF_MAP_TYPE_PROG_ARRAY ===============================*/
 

diff --git a/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c b/driver/modern_bpf/programs/attached/dispatchers/syscall_enter.bpf.c
@@ -49,7 +49,7 @@ int BPF_PROG(sys_enter, struct pt_regs *regs, long syscall_id) {
 		return 0;
 	}
 
-	if(sampling_logic(ctx, syscall_id, MODERN_BPF_SYSCALL)) {
+	if(sampling_logic(ctx, syscall_id)) {
 		return 0;
 	}
 

diff --git a/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c b/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c
@@ -63,14 +63,24 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 		return 0;
 	}
 
-	if(sampling_logic(ctx, syscall_id, MODERN_BPF_SYSCALL)) {
+	if(sampling_logic(ctx, syscall_id)) {
 		return 0;
 	}
 
 	if(maps__get_drop_failed() && ret < 0) {
 		return 0;
 	}
 
+	// If we cannot find a ring buffer for this CPU we probably have an hotplug event. It's ok to
+	// check only in the exit path since we will always have at least one exit syscall enabled. If
+	// we change our architecture we may need to update this logic.
+	struct ringbuf_map *rb = maps__get_ringbuf_map();
+	if(!rb) {
+		bpf_tail_call(ctx, &extra_syscall_calls, T1_HOTPLUG_E);
+		bpf_printk("failed to tail call into the 'hotplug' prog");
+		return 0;
+	}
+
 	bpf_tail_call(ctx, &syscall_exit_tail_table, syscall_id);
 
 	return 0;

diff --git a/driver/modern_bpf/programs/attached/events/page_fault_kernel.bpf.c b/driver/modern_bpf/programs/attached/events/page_fault_kernel.bpf.c
@@ -16,12 +16,13 @@
 #ifdef CAPTURE_PAGE_FAULTS
 SEC("tp_btf/page_fault_kernel")
 int BPF_PROG(pf_kernel, unsigned long address, struct pt_regs *regs, unsigned long error_code) {
-	if(sampling_logic(ctx, PPME_PAGE_FAULT_E, MODERN_BPF_TRACEPOINT)) {
+	// In case of dropping mode we don't want this kind of events.
+	if(maps__get_dropping_mode()) {
 		return 0;
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, PAGE_FAULT_SIZE, PPME_PAGE_FAULT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, PAGE_FAULT_SIZE, PPME_PAGE_FAULT_E)) {
 		return 0;
 	}
 

diff --git a/driver/modern_bpf/programs/attached/events/page_fault_user.bpf.c b/driver/modern_bpf/programs/attached/events/page_fault_user.bpf.c
@@ -16,12 +16,13 @@
 #ifdef CAPTURE_PAGE_FAULTS
 SEC("tp_btf/page_fault_user")
 int BPF_PROG(pf_user, unsigned long address, struct pt_regs *regs, unsigned long error_code) {
-	if(sampling_logic(ctx, PPME_PAGE_FAULT_E, MODERN_BPF_TRACEPOINT)) {
+	// In case of dropping mode we don't want this kind of events.
+	if(maps__get_dropping_mode()) {
 		return 0;
 	}
 
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, PAGE_FAULT_SIZE, PPME_PAGE_FAULT_E)) {
+	if(!ringbuf__reserve_space(&ringbuf, PAGE_FAULT_SIZE, PPME_PAGE_FAULT_E)) {
 		return 0;
 	}
 

diff --git a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
@@ -13,6 +13,37 @@
  *		 struct linux_binprm *bprm)
  */
 #ifdef CAPTURE_SCHED_PROC_EXEC
+
+enum extra_sched_proc_exec_codes {
+	T1_SCHED_PROC_EXEC,
+	T2_SCHED_PROC_EXEC,
+	// add more codes here.
+	T_SCHED_PROC_EXEC_MAX,
+};
+
+/*
+ * FORWARD DECLARATIONS:
+ * See the `BPF_PROG` macro in libbpf `libbpf/src/bpf_tracing.h`
+ * #define BPF_PROG(name, args...)		\
+ *    name(unsigned long long *ctx);	\
+ */
+int t1_sched_p_exec(unsigned long long *ctx);
+int t2_sched_p_exec(unsigned long long *ctx);
+
+struct {
+	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+	__uint(max_entries, T_SCHED_PROC_EXEC_MAX);
+	__uint(key_size, sizeof(__u32));
+	__array(values, int(void *));
+} extra_sched_proc_exec_calls SEC(".maps") = {
+        .values =
+                {
+                        [T1_SCHED_PROC_EXEC] = (void *)&t1_sched_p_exec,
+                        [T2_SCHED_PROC_EXEC] = (void *)&t2_sched_p_exec,
+                        // add more tail calls here.
+                },
+};
+
 /* chose a short name for bpftool debugging*/
 SEC("tp_btf/sched_process_exec")
 int BPF_PROG(sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm) {
@@ -114,7 +145,7 @@ int BPF_PROG(sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux_bi
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T1_SCHED_PROC_EXEC);
+	bpf_tail_call(ctx, &extra_sched_proc_exec_calls, T1_SCHED_PROC_EXEC);
 	return 0;
 }
 
@@ -234,11 +265,11 @@ int BPF_PROG(t1_sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	bpf_tail_call(ctx, &extra_event_prog_tail_table, T2_SCHED_PROC_EXEC);
+	bpf_tail_call(ctx, &extra_sched_proc_exec_calls, T2_SCHED_PROC_EXEC);
 	return 0;
 }
 
-SEC("tp_btf/sys_exit")
+SEC("tp_btf/sched_process_exec")
 int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
 	struct auxiliary_map *auxmap = auxmap__get();
 	if(!auxmap) {
@@ -261,7 +292,7 @@ int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 	return 0;
 }
 

diff --git a/driver/modern_bpf/programs/attached/events/sched_process_exit.bpf.c b/driver/modern_bpf/programs/attached/events/sched_process_exit.bpf.c
@@ -201,7 +201,7 @@ int BPF_PROG(sched_proc_exit, struct task_struct *task) {
 
 	auxmap__finalize_event_header(auxmap);
 
-	auxmap__submit_event(auxmap, ctx);
+	auxmap__submit_event(auxmap);
 
 	return 0;
 }