new(modern_bpf): add support for bpf, flock, ioctl, quotactl, unshare, mount, umount2
#549
Conversation
poiana
added
release-note
kind/feature
| /*=============================== COLLECT PARAMETERS ===========================*/ | ||
|
|
||
| /* Parameter 1: cmd (type: PT_FLAGS16) */ | ||
| unsigned long cmd = extract__syscall_argument(regs, 0); |
There was a problem hiding this comment.
Hi @Andreagit97 ,
here I get an test failure on s390x:
[ RUN ] SyscallEnter.quotactlE
/root/git/falcosecurity/libs/test/modern_bpf/event_class/event_class.cpp:212: Failure
Expected equality of these values:
*(T*)(m_event_params[m_current_param].valptr)
Which is: 0
param
Which is: 128
>>>>> value of the param is not correct. Param id = 1
[ FAILED ] SyscallEnter.quotactlE (0 ms)
With some bpf_printk() instrumentation:
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c
@@ -27,6 +27,7 @@ int BPF_PROG(quotactl_e,
/* Parameter 1: cmd (type: PT_FLAGS16) */
unsigned long cmd = extract__syscall_argument(regs, 0);
+ bpf_printk("quotctl cmd=%x (%x) scap=%x\n", cmd, cmd >> SUBCMDSHIFT, quotactl_cmd_to_scap(cmd));
u16 scap_cmd = quotactl_cmd_to_scap(cmd);
ringbuf__store_u16(&ringbuf, scap_cmd);
the following is printed:
bpf_test-11439 [001] d.... 326644.488183: bpf_trace_printk: quotctl cmd=80000100 (ff800001) scap=0
Changing from unsigned long (s390x defaults to 64-bit) to unsigned int (s390x defaults to 32-bit) let the test run successful:
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c
@@ -26,7 +26,8 @@ int BPF_PROG(quotactl_e,
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: cmd (type: PT_FLAGS16) */
- unsigned long cmd = extract__syscall_argument(regs, 0);
+ unsigned int cmd = extract__syscall_argument(regs, 0);
+ bpf_printk("quotctl cmd=%x (%x) scap=%x\n", cmd, cmd >> SUBCMDSHIFT, quotactl_cmd_to_scap(cmd));
u16 scap_cmd = quotactl_cmd_to_scap(cmd);
ringbuf__store_u16(&ringbuf, scap_cmd);
and for completeness the trace output:
bpf_test-11557 [000] d.... 326958.038886: bpf_trace_printk: quotctl cmd=80000100 (800001) scap=80
For reference, the Linux kernel quota syscall also uses an unsigned int.
There was a problem hiding this comment.
I will also give #550 a test run before I leave for vacation and a review then later when I am back.
There was a problem hiding this comment.
Thank you very much for this @hbrueckner! The fix seems good I will try it!
There was a problem hiding this comment.
I've applied the solution!! Thank you for the fix as always ❤️
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]> Co-authored-by: Hendrik Brueckner <[email protected]>
Andreagit97
force-pushed
the
miscellaneous_syscalls
branch
from
6e0aab9 to
9f649cd
Compare
| @@ -79,5 +79,16 @@ | |||
| #define RENAMEAT2_E_SIZE HEADER_LEN | |||
| #define PIPE_E_SIZE HEADER_LEN | |||
| #define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4 | |||
| #define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN | |||
There was a problem hiding this comment.
I definitely want to find a solution for this file :D
There was a problem hiding this comment.
yes probably we will add these dims in the event table at the end of the work 🤔
|
LGTM label has been added. Git tree hash: d2eca8cbc58506d31312cca3665d5e4b29a2e5b1
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, FedeDP The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| return 0; | ||
| } | ||
|
|
||
| /// TODO: This event should be called `PPME_SYSCALL_UMOUNT2_E`. |
There was a problem hiding this comment.
@Andreagit97 when renaming this event, will you then add a separate event for umount only? I guess this would then also change the schema version etc. Also adding introduction of umount syscall event to #515 ?
There was a problem hiding this comment.
Yeah, this would change the schema version the final idea will be to have for every syscall, it PPM_SC_CODE and its event pair enter and exit. Added it :)
| if(dqinfo.dqi_valid & IIF_FLAGS) | ||
| { | ||
| /* Parameter 13: dqi_flags (type: PT_FLAGS8) */ | ||
| auxmap__store_u8_param(auxmap, dqinfo.dqi_flags); |
There was a problem hiding this comment.
Probably yet another missing scap mapper for dqi_flags for #515 .
There was a problem hiding this comment.
Nice to see you again !! 🚀 Added! thank you
There was a problem hiding this comment.
:-) Looked thru your commits... and they are all nice. Catching up with the others PRs over the next days.
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area driver-modern-bpf
/area libpman
/area tests
Does this PR require a change in the driver versions?
What this PR does / why we need it:
This PR is part of a series #513, the final aim is to support the most important syscalls also in the new probe. This PR introduces:
bpfflockioctlquotactlunsharemountumount2Which issue(s) this PR fixes:
Special notes for your reviewer:
Today we define the events
PPME_SYSCALL_UMOUNT_EandPPME_SYSCALL_UMOUNT_X, but we use them for theumount2syscall, we don't instrument theumount. This is probably due to the fact that in many x64 architectures__NR_umountis not definedDoes this PR introduce a user-facing change?: