fix(libsinsp): handle corner cases and special snowflakes in names_to…

…_sc_set in ppm sc API Extra back and forth mapping to resolve overloaded event <-> sc names, e.g. accept -> accept, accept4 Plus account for variants that share event codes, e.g. eventfd, eventfd2 share PPME_SYSCALL_EVENTFD_E, PPME_SYSCALL_EVENTFD_X Plus handle special snowflakes, e.g. "umount" event string maps to PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, but in actuality applies for "umount2" syscall as "umount" syscall is a generic event -> end result is activating both umount, umount2 Since names_to_event_set would resolve generic sc events, we only apply these extra lookups for non generic sc event codes New tests added as well. Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
falcosecurity · Feb 26, 2023 · 338bff0 · 338bff0
1 parent e83afc0
commit 338bff0
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 4 deletions.
diff --git a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp
@@ -244,7 +244,16 @@ libsinsp::events::set<ppm_sc_code> libsinsp::events::names_to_sc_set(const std::
 			ppm_sc_set.insert((ppm_sc_code)ppm_sc);
 		}
 	}
-	return ppm_sc_set;
+	/* Extra back and forth mapping to resolve overloaded event <-> sc names, e.g. accept -> accept, accept4
+	 * Plus account for variants that share event codes, e.g. eventfd, eventfd2 share PPME_SYSCALL_EVENTFD_E, PPME_SYSCALL_EVENTFD_X
+	 * Plus handle special snowflakes, e.g. "umount" event string maps to PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, but
+	 * in actuality applies for "umount2" syscall as "umount" syscall is a generic event -> end result is activating both umount, umount2
+	 *
+	 * Since names_to_event_set would resolve generic sc events, we only apply these extra lookups for non generic sc event codes
+	*/
+	auto tmp_event_set = libsinsp::events::all_non_generic_sc_event_set().intersect(libsinsp::events::names_to_event_set(syscalls));
+	auto tmp_sc_set = libsinsp::events::event_set_to_sc_set(tmp_event_set);
+	return ppm_sc_set.merge(tmp_sc_set);
 }
 
 libsinsp::events::set<ppm_event_code> libsinsp::events::sc_set_to_event_set(const libsinsp::events::set<ppm_sc_code> &ppm_sc_set)

diff --git a/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp b/userspace/libsinsp/test/public_sinsp_API/interesting_syscalls.cpp
@@ -401,10 +401,82 @@ TEST(interesting_syscalls, sc_set_to_names)
 
 TEST(interesting_syscalls, names_to_sc_set)
 {
-	// "syncfs" is a generic event / syscall
-	static libsinsp::events::set<ppm_sc_code> sc_set_truth = {PPM_SC_KILL, PPM_SC_READ, PPM_SC_SYNCFS};
-	auto sc_set = libsinsp::events::names_to_sc_set(std::unordered_set<std::string>{"kill", "read", "syncfs"});
+	static libsinsp::events::set<ppm_sc_code> sc_set_truth = {
+#ifdef __NR_kill
+	PPM_SC_KILL,
+#endif
+
+#ifdef __NR_read
+	PPM_SC_READ,
+#endif
+
+#ifdef __NR_syncfs
+	PPM_SC_SYNCFS,
+#endif
+
+#ifdef __NR_accept
+	PPM_SC_ACCEPT,
+#endif
+
+#ifdef __NR_accept4
+	PPM_SC_ACCEPT4,
+#endif
+
+#ifdef __NR_execve
+	PPM_SC_EXECVE,
+#endif
+
+#ifdef __NR_setresuid
+	PPM_SC_SETRESUID,
+#endif
+
+// #ifdef __NR_setresuid32 // TOOD later after ifdef cleanup
+// 	PPM_SC_SETRESUID32,
+// #endif
+
+// #ifdef __NR_eventfd
+// 	PPM_SC_EVENTFD,
+// #endif
+
+#ifdef __NR_eventfd2
+	PPM_SC_EVENTFD2,
+#endif
+
+// #ifdef __NR_umount
+// 	PPM_SC_UMOUNT,
+// #endif
+
+#ifdef __NR_umount2
+	PPM_SC_UMOUNT2,
+#endif
+
+// #ifdef __NR_pipe
+// 	PPM_SC_PIPE,
+// #endif
+
+#ifdef __NR_pipe2
+	PPM_SC_PIPE2,
+#endif
+
+// #ifdef __NR_signalfd
+// 	PPM_SC_SIGNALFD,
+// #endif
+
+#ifdef __NR_signalfd4
+	PPM_SC_SIGNALFD4
+#endif
+	};
+	auto sc_set = libsinsp::events::names_to_sc_set(std::unordered_set<std::string>{"kill",
+	"read", "syncfs", "accept", "execve", "setresuid", "eventfd2", "umount2", "pipe2", "signalfd4"});
 	ASSERT_PPM_SC_CODES_EQ(sc_set_truth, sc_set);
+
+	static std::unordered_set<std::string> sc_set_names_truth = {"accept",
+	"accept4", "execve", "syncfs", "eventfd", "eventfd2", "umount", "umount2",
+	"pipe", "pipe2", "signalfd", "signalfd4"};
+	auto tmp_sc_set = libsinsp::events::names_to_sc_set(std::unordered_set<std::string>{"accept",
+	"execve", "syncfs", "eventfd", "umount", "pipe", "signalfd"});
+	auto sc_set_names = libsinsp::events::sc_set_to_names(tmp_sc_set);
+	ASSERT_NAMES_EQ(sc_set_names_truth, sc_set_names);
 }
 
 // API limitations -> we can only map events to syscalls