Parse accept4 flags

[arossert]

This PR addressing #844.
This may break some other code that relies on the filtering of accept by name (I have fixed some chisels that I could find that use this filter).

[ret2libc]

This look ok to me, although without exporting the flags you won't get much information, except that it is an accept4.

[arossert]

I can try to implement this but I don't know where I can get the masking of the flags
like:

#define PPM_SOCK_NONBLOCK	(1 << 0)
#define PPM_SOCK_CLOEXEC	(2 << 0)

If you can give me a direction where to start I will start working on it

[ret2libc]

You can have a look at the open syscall[1] to see how flags are used and converted from native to PPM_* values[2].

[1] https://github.com/draios/sysdig/blob/dev/driver/event_table.c#L26
[2] https://github.com/draios/sysdig/blob/dev/driver/ppm_fillers.c#L554

[arossert]

Thanks for the tip but I have an issue with getting the flags.
This is my function:

static inline u32 accept4_flags_to_scap(unsigned long flags)
{
	u32 res = 0;

	if (flags & SOCK_NONBLOCK)
		res |= PPM_SOCK_NONBLOCK;

	if (flags & SOCK_CLOEXEC)
		res |= PPM_SOCK_CLOEXEC;

	return res;
}

When I'm sending args->socketcall_args[3] the result is always 0.

Do I need to do something to put the value in socketcall_args?

[ret2libc]

If I'm not wrong, socketcall_args is initialized only when socketcall syscall is used to multiplex socket-related operations(e.g. bind, recv, etc.). Nowadays x86-64 does not use it, for example. Have a look at https://github.com/draios/sysdig/blob/dev/driver/ppm_fillers.c#L2003 to see how to correctly retrieve the argument when socketcall is used and when it is not.

[arossert]

Can you please elaborate on

static inline void syscall_get_arguments(struct task_struct *task,
					 struct pt_regs *regs,
					 unsigned int i, unsigned int n,
					 unsigned long *args)

What does the i and n stands for?

[arossert]

I was able to make it work by using syscall_get_arguments(current, args->regs, 3, 1, &val);
I will appreciate if you can explain how to use syscall_get_arguments() (I was able to make it work by trial and error).

Let me know if I forgot something in the process.

[ret2libc]

I think reading the function at https://github.com/draios/sysdig/blob/dev/driver/ppm_syscall.h#L139 should give you a pretty good understanding of how syscall_get_arguments works. i selects the first argument of the syscall that you want to extract, n tells the number of arguments to extract.

[ret2libc]

Hi! This looks ok to me apart from the conflicts. I can resolve them when merging, if that's ok with you.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.