new(libsinsp, libscap): Support full argument retrieval on both entry…

… and exit for some syscalls Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
falcosecurity · Mar 3, 2022 · 7e7a512 · 7e7a512
1 parent 86d06a8
commit 7e7a512
Show file tree

Hide file tree

Showing 7 changed files with 716 additions and 85 deletions.
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -177,6 +177,43 @@ FILLER(sys_single_x, true)
 	return res;
 }
 
+FILLER(sys_open_e, true)
+{
+	unsigned long flags;
+	unsigned long val;
+	unsigned long mode;
+	int res;
+
+	/*
+	 * name
+	 */
+	val = bpf_syscall_get_argument(data, 0);
+	res = bpf_val_to_ring(data, val);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * Flags
+	 * Note that we convert them into the ppm portable representation before pushing them to the ring
+	 */
+	val = bpf_syscall_get_argument(data, 1);
+	flags = open_flags_to_scap(val);
+	res = bpf_val_to_ring(data, flags);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * mode
+	 */
+	mode = bpf_syscall_get_argument(data, 2);
+	mode = open_modes_to_scap(val, mode);
+	res = bpf_val_to_ring(data, mode);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	return res;
+}
+
 FILLER(sys_open_x, true)
 {
 	unsigned int flags;
@@ -925,6 +962,51 @@ FILLER(sys_getrlimit_setrlrimit_x, true)
 	return res;
 }
 
+FILLER(sys_connect_e, true)
+{
+	struct sockaddr *usrsockaddr;
+	unsigned long val;
+	long size = 0;
+	long retval;
+	int err;
+	int res;
+	int fd;
+
+	fd = bpf_syscall_get_argument(data, 0);
+	res = bpf_val_to_ring_type(data, fd, PT_FD);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	if (fd >= 0) {
+		usrsockaddr = (struct sockaddr *)bpf_syscall_get_argument(data, 1);
+		val = bpf_syscall_get_argument(data, 2);
+
+		if (usrsockaddr && val != 0) {
+			/*
+			 * Copy the address
+			 */
+			err = bpf_addr_to_kernel(usrsockaddr, val,
+						 (struct sockaddr *)data->tmp_scratch);
+			if (err >= 0) {
+				/*
+				 * Convert the fd into socket endpoint information
+				 */
+				size = bpf_pack_addr(data,
+					(struct sockaddr *)data->tmp_scratch,
+					val);
+			}
+		}
+	}
+
+	/*
+	 * Copy the endpoint info into the ring
+	 */
+	data->curarg_already_on_frame = true;
+	res = bpf_val_to_ring_len(data, 0, size);
+
+	return res;
+}
+
 FILLER(sys_connect_x, true)
 {
 	struct sockaddr *usrsockaddr;
@@ -2684,6 +2766,54 @@ FILLER(sys_generic, true)
 	return res;
 }
 
+FILLER(sys_openat_e, true)
+{
+	unsigned long flags;
+	unsigned long val;
+	unsigned long mode;
+	int res;
+
+	/*
+	 * dirfd
+	 */
+	val = bpf_syscall_get_argument(data, 0);
+	if ((int)val == AT_FDCWD)
+		val = PPM_AT_FDCWD;
+
+	res = bpf_val_to_ring(data, val);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * name
+	 */
+	val = bpf_syscall_get_argument(data, 1);
+	res = bpf_val_to_ring(data, val);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * Flags
+	 * Note that we convert them into the ppm portable representation before pushing them to the ring
+	 */
+	val = bpf_syscall_get_argument(data, 2);
+	flags = open_flags_to_scap(val);
+	res = bpf_val_to_ring(data, flags);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * mode
+	 */
+	mode = bpf_syscall_get_argument(data, 3);
+	mode = open_modes_to_scap(val, mode);
+	res = bpf_val_to_ring(data, mode);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	return res;
+}
+
 FILLER(sys_openat_x, true)
 {
 	unsigned long dev;
@@ -2747,6 +2877,77 @@ FILLER(sys_openat_x, true)
 	return res;
 }
 
+FILLER(sys_openat2_e, true)
+{
+	unsigned long resolve;
+	unsigned long flags;
+	unsigned long val;
+	unsigned long mode;
+	int res;
+#ifdef __NR_openat2
+	struct open_how how;
+#endif
+	/*
+	 * dirfd
+	 */
+	val = bpf_syscall_get_argument(data, 0);
+	if ((int)val == AT_FDCWD)
+		val = PPM_AT_FDCWD;
+
+	res = bpf_val_to_ring(data, val);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * name
+	 */
+	val = bpf_syscall_get_argument(data, 1);
+	res = bpf_val_to_ring(data, val);
+	if (res != PPM_SUCCESS)
+		return res;
+
+#ifdef __NR_openat2
+	/*
+	 * how: we get the data structure, and put its fields in the buffer one by one
+	 */
+	val = bpf_syscall_get_argument(data, 2);
+	if (bpf_probe_read(&how, sizeof(struct open_how), (void *)val)) {
+		return PPM_FAILURE_INVALID_USER_MEMORY;
+	}
+	flags = open_flags_to_scap(how.flags);
+	mode = open_modes_to_scap(how.flags, how.mode);
+	resolve = openat2_resolve_to_scap(how.resolve);
+#else
+	flags = 0;
+	mode = 0;
+	resolve = 0;
+#endif
+
+	/*
+	 * flags (extracted from open_how structure)
+	 * Note that we convert them into the ppm portable representation before pushing them to the ring
+	 */
+	res = bpf_val_to_ring(data, flags);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * mode (extracted from open_how structure)
+	 * Note that we convert them into the ppm portable representation before pushing them to the ring
+	 */
+	res = bpf_val_to_ring(data, mode);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * resolve (extracted from open_how structure)
+	 * Note that we convert them into the ppm portable representation before pushing them to the ring
+	 */
+	res = bpf_val_to_ring(data, resolve);
+	return res;
+}
+
+
 FILLER(sys_openat2_x, true)
 {
 	unsigned long resolve;
@@ -3459,6 +3660,32 @@ FILLER(sys_sendmsg_x, true)
 	return res;
 }
 
+FILLER(sys_creat_e, true)
+{
+	unsigned long val;
+	unsigned long mode;
+	int res;
+
+	/*
+	 * name
+	 */
+	val = bpf_syscall_get_argument(data, 0);
+	res = bpf_val_to_ring(data, val);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	/*
+	 * mode
+	 */
+	mode = bpf_syscall_get_argument(data, 1);
+	mode = open_modes_to_scap(O_CREAT, mode);
+	res = bpf_val_to_ring(data, mode);
+	if (res != PPM_SUCCESS)
+		return res;
+
+	return res;
+}
+
 FILLER(sys_creat_x, true)
 {
 	unsigned long dev;

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -12,7 +12,7 @@ or GPL2.txt for full copies of the license.
 const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_GENERIC_E */{"syscall", EC_OTHER, EF_NONE, 2, {{"ID", PT_SYSCALLID, PF_DEC}, {"nativeID", PT_UINT16, PF_DEC} } },
 	/* PPME_GENERIC_X */{"syscall", EC_OTHER, EF_NONE, 1, {{"ID", PT_SYSCALLID, PF_DEC} } },
-	/* PPME_SYSCALL_OPEN_E */{"open", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
+	/* PPME_SYSCALL_OPEN_E */{"open", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } },
 	/* PPME_SYSCALL_OPEN_X */{"open", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX} } },
 	/* PPME_SYSCALL_CLOSE_E */{"close", EC_IO_OTHER, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"fd", PT_FD, PF_DEC} } },
 	/* PPME_SYSCALL_CLOSE_X */{"close", EC_IO_OTHER, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } },
@@ -32,7 +32,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SOCKET_SOCKET_X */{"socket", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
 	/* PPME_SOCKET_BIND_E */{"bind", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
 	/* PPME_SOCKET_BIND_X */{"bind", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } },
-	/* PPME_SOCKET_CONNECT_E */{"connect", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
+	/* PPME_SOCKET_CONNECT_E */{"connect", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } },
 	/* PPME_SOCKET_CONNECT_X */{"connect", EC_NET, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } },
 	/* PPME_SOCKET_LISTEN_E */{"listen", EC_NET, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } },
 	/* PPME_SOCKET_LISTEN_X */{"listen", EC_NET, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } },
@@ -68,7 +68,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SOCKET_RECVMMSG_X */{"recvmmsg", EC_IO_READ, EF_DROP_SIMPLE_CONS, 0},
 	/* PPME_SOCKET_ACCEPT4_E */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 1, {{"flags", PT_INT32, PF_HEX} } },
 	/* PPME_SOCKET_ACCEPT4_X */{"accept", EC_NET, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } },
-	/* PPME_SYSCALL_CREAT_E */{"creat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
+	/* PPME_SYSCALL_CREAT_E */{"creat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT} } },
 	/* PPME_SYSCALL_CREAT_X */{"creat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX} } },
 	/* PPME_SOCKET_PIPE_E */{"pipe", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
 	/* PPME_SOCKET_PIPE_X */{"pipe", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"fd1", PT_FD, PF_DEC}, {"fd2", PT_FD, PF_DEC}, {"ino", PT_UINT64, PF_DEC} } },
@@ -318,7 +318,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_UNLINKAT_2_X */{"unlinkat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, unlinkat_flags} } },
 	/* PPME_SYSCALL_MKDIRAT_E */{"mkdirat", EC_FILE, EF_NONE, 0},
 	/* PPME_SYSCALL_MKDIRAT_X */{"mkdirat", EC_FILE, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"mode", PT_UINT32, PF_HEX} } },
-	/* PPME_SYSCALL_OPENAT_2_E */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
+	/* PPME_SYSCALL_OPENAT_2_E */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } },
 	/* PPME_SYSCALL_OPENAT_2_X */{"openat", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX} } },
 	/* PPME_SYSCALL_LINK_2_E */{"link", EC_FILE, EF_NONE, 0},
 	/* PPME_SYSCALL_LINK_2_X */{"link", EC_FILE, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } },
@@ -338,7 +338,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_NA1 */{"pluginevent", EC_OTHER, EF_UNUSED, 0},
 	/* PPME_CONTAINER_JSON_2_E */{"container", EC_PROCESS, EF_MODIFIES_STATE | EF_LARGE_PAYLOAD, 1, {{"json", PT_CHARBUF, PF_NA} } },
 	/* PPME_CONTAINER_JSON_2_X */{"container", EC_PROCESS, EF_UNUSED, 0},
-	/* PPME_SYSCALL_OPENAT2_E */{"openat2", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
+	/* PPME_SYSCALL_OPENAT2_E */{"openat2", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } },
 	/* PPME_SYSCALL_OPENAT2_X */{"openat2", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } },
 	/* PPME_SYSCALL_MPROTECT_E */{"mprotect", EC_MEMORY, EF_DROP_SIMPLE_CONS, 3, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags} } }, 
 	/* PPME_SYSCALL_MPROTECT_X */{"mprotect", EC_MEMORY, EF_DROP_SIMPLE_CONS, 1, {{"res", PT_ERRNO, PF_DEC} } },	

diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -30,7 +30,7 @@ or GPL2.txt for full copies of the license.
 const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_GENERIC_E] = {FILLER_REF(sys_generic)},
 	[PPME_GENERIC_X] = {FILLER_REF(sys_generic)},
-	[PPME_SYSCALL_OPEN_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_OPEN_E] = {FILLER_REF(sys_open_e)},
 	[PPME_SYSCALL_OPEN_X] = {FILLER_REF(sys_open_x)},
 	[PPME_SYSCALL_CLOSE_E] = {FILLER_REF(sys_single)},
 	[PPME_SYSCALL_CLOSE_X] = {FILLER_REF(sys_single_x)},
@@ -43,7 +43,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SOCKET_SOCKET_X] = {FILLER_REF(sys_socket_x)},
 	[PPME_SOCKET_BIND_E] = {FILLER_REF(sys_autofill), 1, APT_SOCK, {{0} } },
 	[PPME_SOCKET_BIND_X] = {FILLER_REF(sys_socket_bind_x)},
-	[PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_autofill), 1, APT_SOCK, {{0} } },
+	[PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_connect_e)},
 	[PPME_SOCKET_CONNECT_X] = {FILLER_REF(sys_connect_x)},
 	[PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {1} } },
 	[PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_single_x)},
@@ -78,7 +78,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SOCKET_RECVMSG_X] = {FILLER_REF(sys_recvmsg_x)},
 	[PPME_SOCKET_RECVMMSG_E] = {FILLER_REF(sys_empty)},
 	[PPME_SOCKET_RECVMMSG_X] = {FILLER_REF(sys_empty)},
-	[PPME_SYSCALL_CREAT_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_CREAT_E] = {FILLER_REF(sys_creat_e)},
 	[PPME_SYSCALL_CREAT_X] = {FILLER_REF(sys_creat_x)},
 	[PPME_SYSCALL_PIPE_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_PIPE_X] = {FILLER_REF(sys_pipe_x)},
@@ -291,7 +291,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_UNLINKAT_2_X] = {FILLER_REF(sys_unlinkat_x)},
 	[PPME_SYSCALL_MKDIRAT_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_MKDIRAT_X] = {FILLER_REF(sys_mkdirat_x)},
-	[PPME_SYSCALL_OPENAT_2_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_OPENAT_2_E] = {FILLER_REF(sys_openat_e)},
 	[PPME_SYSCALL_OPENAT_2_X] = {FILLER_REF(sys_openat_x)},
 	[PPME_SYSCALL_LINK_2_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_LINK_2_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1} } },
@@ -307,7 +307,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_RENAMEAT2_X] = {FILLER_REF(sys_renameat2_x)},
 	[PPME_SYSCALL_USERFAULTFD_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_USERFAULTFD_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0} } },
-	[PPME_SYSCALL_OPENAT2_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_OPENAT2_E] = {FILLER_REF(sys_openat2_e)},
 	[PPME_SYSCALL_OPENAT2_X] = {FILLER_REF(sys_openat2_x)},
 	[PPME_SYSCALL_MPROTECT_E] = {FILLER_REF(sys_mprotect_e)},
 	[PPME_SYSCALL_MPROTECT_X] = {FILLER_REF(sys_mprotect_x)},