Changes after code review
Signed-off-by: Eddy Duer <eddy.duer@sysdig.com>
eddyduer-sysdig authored and Andreagit97 committed Aug 27, 2024
1 parent 1f10fe4 commit b3bebd5
Showing 14 changed files with 86 additions and 73 deletions.
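--- a/driver/bpf/filler_helpers.h
+++ b/driver/bpf/filler_helpers.h
@@ -280,7 +280,28 @@ static __always_inline unsigned long bpf_encode_dev(dev_t dev)
 return (minor & 0xff) | (major << 8) | ((minor & ~0xff) << 12);
 }
 
-static __always_inline void bpf_get_fd_dev_ino_file(int fd, unsigned long *dev, unsigned long *ino, struct file **file)
+static __always_inline void bpf_get_ino_from_fd(int fd, unsigned long *ino)
+{
+struct super_block *sb;
+struct inode *inode;
+struct file *file;
+dev_t kdev;
+
+if (fd < 0)
+return;
+
+file = bpf_fget(fd);
+if (!file)
+return;
+
+inode = _READ(file->f_inode);
+if (!inode)
+return;
+
+*ino = _READ(inode->i_ino);
+}
+
+static __always_inline void bpf_get_dev_ino_file_from_fd(int fd, unsigned long *dev, unsigned long *ino, struct file **file)
 {
 struct super_block *sb;
 struct inode *inode;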
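Review bot: The new `bpf_get_ino_from_fd` still declares `struct super_block *sb;` and `dev_t kdev;`, neither of which is used in its body; they look like leftovers from the dev/ino/file helper and both lines can be dropped. The helper also returns without writing `*ino` when `fd < 0`, when `bpf_fget()` yields NULL or when `f_inode` is NULL, so the value that reaches the event is whatever the caller stored beforehand. The pipe fillers do initialise `ino = 0`, but that contract is not written down, so I would add above the function `/* Leaves *ino untouched on failure; the caller must pre-initialise it. */`. The body of `bpf_get_dev_ino_file_from_fd` continues outside the hunk.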
48 changes: 21 additions & 27 deletions driver/bpf/fillers.h
Expand Up @@ -404,7 +404,7 @@ FILLER(sys_open_x, true)
long retval;
int res;
struct file *file = NULL;
unsigned int fd_flags = 0;
unsigned short fd_flags = 0;

/* Parameter 1: ret (type: PT_FD) */
retval = bpf_syscall_get_retval(data->ctx);
Expand All @@ -430,7 +430,7 @@ FILLER(sys_open_x, true)
res = bpf_push_u32_to_ring(data, mode);
CHECK_RES(res);

bpf_get_fd_dev_ino_file(retval, &dev, &ino, &file);
bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);

/* Parameter 5: dev (type: PT_UINT32) */
res = bpf_push_u32_to_ring(data, (uint32_t)dev);
Expand All @@ -440,7 +440,7 @@ FILLER(sys_open_x, true)
res = bpf_push_u64_to_ring(data, (uint64_t)ino);
CHECK_RES(res);

/* Parameter 7: fd_flags (type: PT_UINT32) */
/* Parameter 7: fd_flags (type: PT_FLAGS16) */
if (likely(file))
{
enum ppm_overlay ol = get_overlay_layer(file);
Expand All @@ -453,7 +453,7 @@ FILLER(sys_open_x, true)
fd_flags |= PPM_FD_LOWER_LAYER;
}
}
return bpf_push_u32_to_ring(data, (uint32_t)fd_flags);
return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
}

FILLER(sys_read_e, true)
Expand Down Expand Up @@ -3215,7 +3215,7 @@ FILLER(sys_openat_x, true)
int32_t fd;
int res;
struct file *file = NULL;
unsigned int fd_flags = 0;
unsigned short fd_flags = 0;

retval = bpf_syscall_get_retval(data->ctx);
res = bpf_push_s64_to_ring(data, retval);
Expand Down Expand Up @@ -3257,7 +3257,7 @@ FILLER(sys_openat_x, true)
res = bpf_push_u32_to_ring(data, mode);
CHECK_RES(res);

bpf_get_fd_dev_ino_file(retval, &dev, &ino, &file);
bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);

/*
* Device
Expand Down Expand Up @@ -3286,7 +3286,7 @@ FILLER(sys_openat_x, true)
fd_flags |= PPM_FD_LOWER_LAYER;
}
}
return bpf_push_u32_to_ring(data, (uint32_t)fd_flags);
return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
}

FILLER(sys_openat2_e, true)
Expand Down Expand Up @@ -3368,7 +3368,7 @@ FILLER(sys_openat2_x, true)
int32_t fd;
int res;
struct file *file = NULL;
unsigned int fd_flags = 0;
unsigned short fd_flags = 0;
#ifdef __NR_openat2
struct open_how how;
#endif
Expand Down Expand Up @@ -3434,7 +3434,7 @@ FILLER(sys_openat2_x, true)
res = bpf_push_u32_to_ring(data, resolve);
CHECK_RES(res);

bpf_get_fd_dev_ino_file(retval, &dev, &ino, &file);
bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);

/*
* dev
Expand Down Expand Up @@ -3463,7 +3463,7 @@ FILLER(sys_openat2_x, true)
fd_flags |= PPM_FD_LOWER_LAYER;
}
}
return bpf_push_u32_to_ring(data, (uint32_t)fd_flags);
return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
}

FILLER(sys_open_by_handle_at_x, true)
Expand Down Expand Up @@ -3512,8 +3512,8 @@ FILLER(sys_open_by_handle_at_x, true)
res = bpf_push_u64_to_ring(data, 0);
CHECK_RES(res);

/* Parameter 7: fd_flags (type: PT_UINT32) */
return bpf_push_u32_to_ring(data, 0);
/* Parameter 7: fd_flags (type: PT_FLAGS16) */
return bpf_push_u16_to_ring(data, 0);

}

Expand All @@ -3523,9 +3523,9 @@ FILLER(open_by_handle_at_x_extra_tail_1, true)
struct file *f = NULL;
unsigned long dev = 0;
unsigned long ino = 0;
unsigned int fd_flags = 0;
unsigned short fd_flags = 0;

bpf_get_fd_dev_ino_file(retval, &dev, &ino, &f);
bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &f);

if(f == NULL)
{
Expand All @@ -3551,7 +3551,7 @@ FILLER(open_by_handle_at_x_extra_tail_1, true)
res = bpf_push_u64_to_ring(data, ino);
CHECK_RES(res);

/* Parameter 7: fd_flags (type: PT_UINT32) */
/* Parameter 7: fd_flags (type: PT_FLAGS16) */
if (likely(f))
{
enum ppm_overlay ol = get_overlay_layer(f);
Expand All @@ -3564,7 +3564,7 @@ FILLER(open_by_handle_at_x_extra_tail_1, true)
fd_flags |= PPM_FD_LOWER_LAYER;
}
}
return bpf_push_u32_to_ring(data, (uint32_t)fd_flags);
return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
}

FILLER(sys_io_uring_setup_x, true)
Expand Down Expand Up @@ -4646,7 +4646,7 @@ FILLER(sys_creat_x, true)
long retval;
int res;
struct file *file = NULL;
unsigned int fd_flags = 0;
unsigned short fd_flags = 0;

retval = bpf_syscall_get_retval(data->ctx);
res = bpf_push_s64_to_ring(data, retval);
Expand All @@ -4667,7 +4667,7 @@ FILLER(sys_creat_x, true)
res = bpf_push_u32_to_ring(data, mode);
CHECK_RES(res);

bpf_get_fd_dev_ino_file(retval, &dev, &ino, &file);
bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);

/*
* Device
Expand Down Expand Up @@ -4696,7 +4696,7 @@ FILLER(sys_creat_x, true)
fd_flags |= PPM_FD_LOWER_LAYER;
}
}
return bpf_push_u32_to_ring(data, (uint32_t)fd_flags);
return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
}

FILLER(sys_pipe_x, true)
Expand Down Expand Up @@ -4724,13 +4724,10 @@ FILLER(sys_pipe_x, true)
CHECK_RES(res);

unsigned long ino = 0;
/* Not used, we use it just to call `bpf_get_fd_dev_ino_file` */
unsigned long dev = 0;
struct file *file = NULL;
/* On success, pipe returns `0` */
if(retval == 0)
{
bpf_get_fd_dev_ino_file(pipefd[0], &dev, &ino, &file);
bpf_get_ino_from_fd(pipefd[0], &ino);
}

/* Parameter 4: ino (type: PT_UINT64) */
Expand Down Expand Up @@ -4762,13 +4759,10 @@ FILLER(sys_pipe2_x, true)
CHECK_RES(res);

unsigned long ino = 0;
/* Not used, we use it just to call `bpf_get_fd_dev_ino_file` */
unsigned long dev = 0;
struct file *file = NULL;
/* On success, pipe returns `0` */
if(retval == 0)
{
bpf_get_fd_dev_ino_file(pipefd[0], &dev, &ino, &file);
bpf_get_ino_from_fd(pipefd[0], &ino);
}

/* Parameter 4: ino (type: PT_UINT64) */
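Review bot: With `fd_flags` narrowed to `unsigned short` and pushed through `bpf_push_u16_to_ring`, any `PPM_FD_*` bit above 0xFFFF would be dropped silently by the `|=` in `sys_open_x`, `sys_openat_x`, `sys_openat2_x`, `open_by_handle_at_x_extra_tail_1` and `sys_creat_x`; the same applies to the `uint16_t fd_flags` in the modern probe's `creat_x` and `open_x`. The `PPM_FD_*` definitions are not visible on this page, so the values may already fit, but nothing in the diff enforces it. Because these bits tell consumers which overlay layer an opened file sits on, a compile-time guard next to the definitions would keep a later flag from vanishing unnoticed, e.g. `_Static_assert((PPM_FD_UPPER_LAYER | PPM_FD_LOWER_LAYER) <= 0xFFFF, "fd_flags must fit PT_FLAGS16");`. Every filler touched here starts or ends outside its hunk.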
12 changes: 7 additions & 5 deletions driver/event_table.c
Expand Up @@ -53,7 +53,8 @@ const struct ppm_event_info g_event_info[] = {
[PPME_GENERIC_E] = {"syscall", EC_OTHER | EC_SYSCALL, EF_NONE, 2, {{"ID", PT_SYSCALLID, PF_DEC}, {"nativeID", PT_UINT16, PF_DEC} } },
[PPME_GENERIC_X] = {"syscall", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"ID", PT_SYSCALLID, PF_DEC} } },
[PPME_SYSCALL_OPEN_E] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } },
[PPME_SYSCALL_OPEN_X] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_UINT32, PF_DEC} } }, [PPME_SYSCALL_CLOSE_E] = {"close", EC_IO_OTHER | EC_SYSCALL, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
[PPME_SYSCALL_OPEN_X] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
[PPME_SYSCALL_CLOSE_E] = {"close", EC_IO_OTHER | EC_SYSCALL, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
[PPME_SYSCALL_CLOSE_X] = {"close", EC_IO_OTHER | EC_SYSCALL, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
[PPME_SYSCALL_READ_E] = {"read", EC_IO_READ | EC_SYSCALL, EF_USES_FD | EF_READS_FROM_FD, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } },
[PPME_SYSCALL_READ_X] = {"read", EC_IO_READ | EC_SYSCALL, EF_USES_FD | EF_READS_FROM_FD, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
Expand Down Expand Up @@ -108,7 +109,8 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SOCKET_ACCEPT4_E] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"flags", PT_INT32, PF_HEX} } },
[PPME_SOCKET_ACCEPT4_X] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } },
[PPME_SYSCALL_CREAT_E] = {"creat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT} } },
[PPME_SYSCALL_CREAT_X] = {"creat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_UINT32, PF_DEC} } }, [PPME_SYSCALL_PIPE_E] = {"pipe", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
[PPME_SYSCALL_CREAT_X] = {"creat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
[PPME_SYSCALL_PIPE_E] = {"pipe", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
[PPME_SYSCALL_PIPE_X] = {"pipe", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"fd1", PT_FD, PF_DEC}, {"fd2", PT_FD, PF_DEC}, {"ino", PT_UINT64, PF_DEC} } },
[PPME_SYSCALL_EVENTFD_E] = {"eventfd", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"initval", PT_UINT64, PF_DEC}, {"flags", PT_UINT32, PF_HEX} } },
[PPME_SYSCALL_EVENTFD_X] = {"eventfd", EC_IPC | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } },
Expand Down Expand Up @@ -357,7 +359,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SYSCALL_MKDIRAT_E] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
[PPME_SYSCALL_MKDIRAT_X] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"mode", PT_UINT32, PF_HEX} } },
[PPME_SYSCALL_OPENAT_2_E] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } },
[PPME_SYSCALL_OPENAT_2_X] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_UINT32, PF_DEC} } },
[PPME_SYSCALL_OPENAT_2_X] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
[PPME_SYSCALL_LINK_2_E] = {"link", EC_FILE | EC_SYSCALL, EF_NONE, 0},
[PPME_SYSCALL_LINK_2_X] = {"link", EC_FILE | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } },
[PPME_SYSCALL_LINKAT_2_E] = {"linkat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
Expand All @@ -377,7 +379,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_CONTAINER_JSON_2_E] = {"container", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE | EF_LARGE_PAYLOAD, 1, {{"json", PT_CHARBUF, PF_NA} } }, /// TODO: do we need SKIPPARSERESET flag?
[PPME_CONTAINER_JSON_2_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
[PPME_SYSCALL_OPENAT2_E] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } },
[PPME_SYSCALL_OPENAT2_X] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 9, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_UINT32, PF_DEC} } },
[PPME_SYSCALL_OPENAT2_X] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 9, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
[PPME_SYSCALL_MPROTECT_E] = {"mprotect", EC_MEMORY | EC_SYSCALL, EF_NONE, 3, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags} } },
[PPME_SYSCALL_MPROTECT_X] = {"mprotect", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
[PPME_SYSCALL_EXECVEAT_E] = {"execveat", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"dirfd", PT_FD, PF_DEC}, {"pathname", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, execveat_flags} } },
Expand All @@ -387,7 +389,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SYSCALL_CLONE3_E] = {"clone3", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
[PPME_SYSCALL_CLONE3_X] = {"clone3", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 21, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID, PF_DEC}, {"vpid", PT_PID, PF_DEC}, {"pidns_init_start_ts", PT_UINT64, PF_DEC} } },
[PPME_SYSCALL_OPEN_BY_HANDLE_AT_E] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
[PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"mountfd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"path", PT_FSPATH, PF_NA}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_UINT32, PF_DEC} } },
[PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"mountfd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"path", PT_FSPATH, PF_NA}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
[PPME_SYSCALL_IO_URING_SETUP_E] = {"io_uring_setup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
[PPME_SYSCALL_IO_URING_SETUP_X] = {"io_uring_setup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"res", PT_ERRNO, PF_DEC}, {"entries", PT_UINT32, PF_DEC}, {"sq_entries", PT_UINT32, PF_DEC},{"cq_entries", PT_UINT32, PF_DEC},{"flags", PT_FLAGS32, PF_HEX, io_uring_setup_flags},{"sq_thread_cpu", PT_UINT32, PF_DEC}, {"sq_thread_idle", PT_UINT32, PF_DEC},{"features", PT_FLAGS32, PF_HEX, io_uring_setup_feats}}},
[PPME_SYSCALL_IO_URING_ENTER_E] = {"io_uring_enter", EC_IO_OTHER | EC_SYSCALL, EF_NONE, 0},
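Review bot: The five `fd_flags` entries (`PPME_SYSCALL_OPEN_X`, `PPME_SYSCALL_CREAT_X`, `PPME_SYSCALL_OPENAT_2_X`, `PPME_SYSCALL_OPENAT2_X`, `PPME_SYSCALL_OPEN_BY_HANDLE_AT_X`) are now `PT_FLAGS16` but carry no flag-name table, whereas every `PT_FLAGS32` entry visible in these hunks supplies one (`file_flags`, `openat2_flags`, `prot_flags`, `clone_flags`, ...). Whether consumers accept a flags-typed parameter without a table cannot be told from this page; if they expect one, I would define a table for `PPM_FD_UPPER_LAYER` / `PPM_FD_LOWER_LAYER` and reference it, e.g. `{"fd_flags", PT_FLAGS16, PF_HEX, fd_flags_table}` (the table name is a placeholder). Separately, the parameter shrinks from 4 to 2 bytes in the emitted event, so if the project versions its event schema that version should change with this commit, unless one of the files not shown here already does it.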
3 changes: 2 additions & 1 deletion driver/modern_bpf/helpers/extract/extract_from_kernel.h
Expand Up @@ -903,8 +903,9 @@ static __always_inline bool extract__exe_from_memfd(struct file *file)
* @param fd generic file descriptor.
* @param dev pointer to the device number we have to fill.
* @param ino pointer to the inode number we have to fill.
* @param ol pointer to the overlay layer we have to fill.
*/
static __always_inline void extract__dev_ino_and_file_from_fd(int32_t fd, dev_t *dev, uint64_t *ino, enum ppm_overlay *ol)
static __always_inline void extract__dev_ino_overlay_from_fd(int32_t fd, dev_t *dev, uint64_t *ino, enum ppm_overlay *ol)
{
struct file *f = extract__file_struct_from_fd(fd);
if(!f)
Expand Up @@ -166,12 +166,11 @@ int BPF_PROG(t1_sched_p_exec,
struct inode *exe_inode = extract__exe_inode_from_task(task);
struct file *exe_file = extract__exe_file_from_task(task);

enum ppm_overlay overlay;
if(extract__exe_writable(task, exe_inode))
{
flags |= PPM_EXE_WRITABLE;
}
overlay = extract__overlay_layer(exe_file);
enum ppm_overlay overlay = extract__overlay_layer(exe_file);
if(overlay == PPM_OVERLAY_UPPER)
{
flags |= PPM_EXE_UPPER_LAYER;
Expand Up @@ -75,11 +75,11 @@ int BPF_PROG(creat_x,
dev_t dev = 0;
uint64_t ino = 0;
enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
uint32_t fd_flags = 0;
uint16_t fd_flags = 0;

if(ret > 0)
{
extract__dev_ino_and_file_from_fd(ret, &dev, &ino, &ol);
extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
}

/* Parameter 4: dev (type: PT_UINT32) */
Expand All @@ -88,7 +88,7 @@ int BPF_PROG(creat_x,
/* Parameter 5: ino (type: PT_UINT64) */
auxmap__store_u64_param(auxmap, ino);

/* Parameter 6: fd_flags (type: PT_UINT32) */
/* Parameter 6: fd_flags (type: PT_FLAGS16) */
if(ol == PPM_OVERLAY_UPPER)
{
fd_flags |= PPM_FD_UPPER_LAYER;
Expand All @@ -97,7 +97,7 @@ int BPF_PROG(creat_x,
{
fd_flags |= PPM_FD_LOWER_LAYER;
}
auxmap__store_u32_param(auxmap, fd_flags);
auxmap__store_u16_param(auxmap, fd_flags);
/*=============================== COLLECT PARAMETERS ===========================*/

auxmap__finalize_event_header(auxmap);
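Review bot: `if(ret > 0)` skips `extract__dev_ino_overlay_from_fd` when the syscall returns descriptor 0, which is a valid success value; the event then carries `dev = 0`, `ino = 0` and no layer bit in `fd_flags`. The legacy helper on this page rejects only `fd < 0`, so the two probes disagree for that case, and consumers that key on the upper/lower-layer flag would not see such files. I would change the guard to `if(ret >= 0)` here and in the identical check in `open_x`. The enclosing `BPF_PROG(creat_x, ...)` starts and ends outside the hunk.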
Expand Up @@ -226,13 +226,11 @@ int BPF_PROG(t1_execve_x,
struct inode *exe_inode = extract__exe_inode_from_task(task);
struct file *exe_file = extract__exe_file_from_task(task);

enum ppm_overlay overlay;

if(extract__exe_writable(task, exe_inode))
{
flags |= PPM_EXE_WRITABLE;
}
overlay = extract__overlay_layer(exe_file);
enum ppm_overlay overlay = extract__overlay_layer(exe_file);
if(overlay == PPM_OVERLAY_UPPER)
{
flags |= PPM_EXE_UPPER_LAYER;
Expand Up @@ -240,13 +240,11 @@ int BPF_PROG(t1_execveat_x,
struct inode *exe_inode = extract__exe_inode_from_task(task);
struct file *exe_file = extract__exe_file_from_task(task);

enum ppm_overlay overlay;

if(extract__exe_writable(task, exe_inode))
{
flags |= PPM_EXE_WRITABLE;
}
overlay = extract__overlay_layer(exe_file);
enum ppm_overlay overlay = extract__overlay_layer(exe_file);
if(overlay == PPM_OVERLAY_UPPER)
{
flags |= PPM_EXE_UPPER_LAYER;
Expand Up @@ -86,11 +86,11 @@ int BPF_PROG(open_x,
dev_t dev = 0;
uint64_t ino = 0;
enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
uint32_t fd_flags = 0;
uint16_t fd_flags = 0;

if(ret > 0)
{
extract__dev_ino_and_file_from_fd(ret, &dev, &ino, &ol);
extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
}

/* Parameter 5: dev (type: PT_UINT32) */
Expand All @@ -99,7 +99,7 @@ int BPF_PROG(open_x,
/* Parameter 6: ino (type: PT_UINT64) */
auxmap__store_u64_param(auxmap, ino);

/* Parameter 7: fd_flags (type: PT_UINT32) */
/* Parameter 7: fd_flags (type: PT_FLAGS16) */
if(ol == PPM_OVERLAY_UPPER)
{
fd_flags |= PPM_FD_UPPER_LAYER;
Expand All @@ -108,7 +108,7 @@ int BPF_PROG(open_x,
{
fd_flags |= PPM_FD_LOWER_LAYER;
}
auxmap__store_u32_param(auxmap, fd_flags);
auxmap__store_u16_param(auxmap, fd_flags);

/*=============================== COLLECT PARAMETERS ===========================*/
