Add prctl option and ptrace request enums

tracee/event_monitor_ebpf.c

@@ -44,6 +44,8 @@
 #define SYSCALL_T     18UL
 #define PROT_FLAGS_T  19UL
 #define ACCESS_MODE_T 20UL
+#define PTRACE_REQ_T  21UL
+#define PRCTL_OPT_T   22UL
 #define TYPE_MAX      255UL
 
 #define CONFIG_CONT_MODE    0
@@ -958,6 +960,12 @@ static __always_inline int save_args_to_submit_buf(u64 types)
                     }
                 }
                 break;
+            case PTRACE_REQ_T:
+                save_to_submit_buf(submit_p, (void*)&(args.args[i]), sizeof(int), PTRACE_REQ_T);
+                break;
+            case PRCTL_OPT_T:
+                save_to_submit_buf(submit_p, (void*)&(args.args[i]), sizeof(int), PRCTL_OPT_T);
+                break;
         }
     }
 
@@ -1080,9 +1088,9 @@ TRACE_RET_SYSCALL(bind, SYS_BIND, ARG_TYPE0(INT_T)|ARG_TYPE1(SOCKADDR_T));
 TRACE_ENT_SYSCALL(getsockname);
 TRACE_RET_SYSCALL(getsockname, SYS_GETSOCKNAME, ARG_TYPE0(INT_T)|ARG_TYPE1(SOCKADDR_T));
 TRACE_ENT_SYSCALL(prctl);
-TRACE_RET_SYSCALL(prctl, SYS_PRCTL, ARG_TYPE0(INT_T)|ARG_TYPE1(ULONG_T)|ARG_TYPE2(ULONG_T)|ARG_TYPE3(ULONG_T)|ARG_TYPE4(ULONG_T));
+TRACE_RET_SYSCALL(prctl, SYS_PRCTL, ARG_TYPE0(PRCTL_OPT_T)|ARG_TYPE1(ULONG_T)|ARG_TYPE2(ULONG_T)|ARG_TYPE3(ULONG_T)|ARG_TYPE4(ULONG_T));
 TRACE_ENT_SYSCALL(ptrace);
-TRACE_RET_SYSCALL(ptrace, SYS_PTRACE, ARG_TYPE0(INT_T)|ARG_TYPE1(INT_T)|ARG_TYPE2(POINTER_T)|ARG_TYPE3(POINTER_T));
+TRACE_RET_SYSCALL(ptrace, SYS_PTRACE, ARG_TYPE0(PTRACE_REQ_T)|ARG_TYPE1(INT_T)|ARG_TYPE2(POINTER_T)|ARG_TYPE3(POINTER_T));
 TRACE_ENT_SYSCALL(process_vm_writev);
 TRACE_RET_SYSCALL(process_vm_writev, SYS_PROCESS_VM_WRITEV, ARG_TYPE0(INT_T)|ARG_TYPE1(POINTER_T)|ARG_TYPE2(ULONG_T)|ARG_TYPE3(POINTER_T)|ARG_TYPE4(ULONG_T)|ARG_TYPE5(ULONG_T));
 TRACE_ENT_SYSCALL(process_vm_readv);

tracee/tracer.py

@@ -127,6 +127,97 @@ class SupportedAF(object):
     10: "SOCK_PACKET",
 }
 
+ptrace_request = {
+    0: "PTRACE_TRACEME",
+    1: "PTRACE_PEEKTEXT",
+    2: "PTRACE_PEEKDATA",
+    3: "PTRACE_PEEKUSER",
+    4: "PTRACE_POKETEXT",
+    5: "PTRACE_POKEDATA",
+    6: "PTRACE_POKEUSER",
+    7: "PTRACE_CONT",
+    8: "PTRACE_KILL",
+    9: "PTRACE_SINGLESTEP",
+    12: "PTRACE_GETREGS",
+    13: "PTRACE_SETREGS",
+    14: "PTRACE_GETFPREGS",
+    15: "PTRACE_SETFPREGS",
+    16: "PTRACE_ATTACH",
+    17: "PTRACE_DETACH",
+    18: "PTRACE_GETFPXREGS",
+    19: "PTRACE_SETFPXREGS",
+    24: "PTRACE_SYSCALL",
+    0x4200: "PTRACE_SETOPTIONS",
+    0x4201: "PTRACE_GETEVENTMSG",
+    0x4202: "PTRACE_GETSIGINFO",
+    0x4203: "PTRACE_SETSIGINFO",
+    0x4204: "PTRACE_GETREGSET",
+    0x4205: "PTRACE_SETREGSET",
+    0x4206: "PTRACE_SEIZE",
+    0x4207: "PTRACE_INTERRUPT",
+    0x4208: "PTRACE_LISTEN",
+    0x4209: "PTRACE_PEEKSIGINFO",
+    0x420a: "PTRACE_GETSIGMASK",
+    0x420b: "PTRACE_SETSIGMASK",
+    0x420c: "PTRACE_SECCOMP_GET_FILTER",
+    0x420d: "PTRACE_SECCOMP_GET_METADATA",
+}
+
+prctl_option = {
+    1: "PR_SET_PDEATHSIG",
+    2: "PR_GET_PDEATHSIG",
+    3: "PR_GET_DUMPABLE",
+    4: "PR_SET_DUMPABLE",
+    5: "PR_GET_UNALIGN",
+    6: "PR_SET_UNALIGN",
+    7: "PR_GET_KEEPCAPS",
+    8: "PR_SET_KEEPCAPS",
+    9: "PR_GET_FPEMU",
+    10: "PR_SET_FPEMU",
+    11: "PR_GET_FPEXC",
+    12: "PR_SET_FPEXC",
+    13: "PR_GET_TIMING",
+    14: "PR_SET_TIMING",
+    15: "PR_SET_NAME",
+    16: "PR_GET_NAME",
+    19: "PR_GET_ENDIAN",
+    20: "PR_SET_ENDIAN",
+    21: "PR_GET_SECCOMP",
+    22: "PR_SET_SECCOMP",
+    23: "PR_CAPBSET_READ",
+    24: "PR_CAPBSET_DROP",
+    25: "PR_GET_TSC",
+    26: "PR_SET_TSC",
+    27: "PR_GET_SECUREBITS",
+    28: "PR_SET_SECUREBITS",
+    29: "PR_SET_TIMERSLACK",
+    30: "PR_GET_TIMERSLACK",
+    31: "PR_TASK_PERF_EVENTS_DISABLE",
+    32: "PR_TASK_PERF_EVENTS_ENABLE",
+    33: "PR_MCE_KILL",
+    34: "PR_MCE_KILL_GET",
+    35: "PR_SET_MM",
+    36: "PR_SET_CHILD_SUBREAPER",
+    37: "PR_GET_CHILD_SUBREAPER",
+    38: "PR_SET_NO_NEW_PRIVS",
+    39: "PR_GET_NO_NEW_PRIVS",
+    40: "PR_GET_TID_ADDRESS",
+    41: "PR_SET_THP_DISABLE",
+    42: "PR_GET_THP_DISABLE",
+    43: "PR_MPX_ENABLE_MANAGEMENT",
+    44: "PR_MPX_DISABLE_MANAGEMENT",
+    45: "PR_SET_FP_MODE",
+    46: "PR_GET_FP_MODE",
+    47: "PR_CAP_AMBIENT",
+    50: "PR_SVE_SET_VL",
+    51: "PR_SVE_GET_VL",
+    52: "PR_GET_SPECULATION_CTRL",
+    53: "PR_SET_SPECULATION_CTRL",
+    54: "PR_PAC_RESET_KEYS",
+    55: "PR_SET_TAGGED_ADDR_CTRL",
+    56: "PR_GET_TAGGED_ADDR_CTRL",
+}
+
 syscalls = ["execve", "execveat", "mmap", "mprotect", "clone", "fork", "vfork", "newstat",
             "newfstat", "newlstat", "mknod", "mknodat", "dup", "dup2", "dup3",
             "memfd_create", "socket", "close", "ioctl", "access", "faccessat", "kill", "listen",
@@ -507,6 +598,8 @@ class ArgType(object):
     SYSCALL_T       = 18
     PROT_FLAGS_T    = 19
     ACCESS_MODE_T   = 20
+    PTRACE_REQ_T    = 21
+    PRCTL_OPT_T     = 22
     TYPE_MAX        = 255
 
 class shared_config(object):
@@ -1069,6 +1162,18 @@ def parse_event(self, event_buf):
                         args.append('(%s)' % event_id[syscall])
                     else:
                         args.append('(%s)' % str(syscall))
+                elif argtype == ArgType.PTRACE_REQ_T:
+                    request = self.get_int_from_buf(event_buf)
+                    if request in ptrace_request:
+                        args.append(ptrace_request[request])
+                    else:
+                        args.append(str(request))
+                elif argtype == ArgType.PRCTL_OPT_T:
+                    option = self.get_int_from_buf(event_buf)
+                    if option in prctl_option:
+                        args.append(prctl_option[option])
+                    else:
+                        args.append(str(option))
         else:
             return