new: scap ppme to sc mapping table #937
Conversation
poiana
added
kind/cleanup
release-note-none
dco-signoff: yes
kind/feature
| * | ||
| * @return supported true or false. | ||
| */ | ||
| bool pman_check_support(); |
There was a problem hiding this comment.
While i was at it, exported this function in the libpman header. Otherwise compilation complained about it.
FedeDP
force-pushed
the
new/scap_ppme_to_sc_table
branch
from
5b86740
to
15e13d9
Compare
| [PPME_SOCKET_LISTEN_X] = (ppm_sc_code[]){PPM_SC_LISTEN, -1}, | ||
| [PPME_SOCKET_ACCEPT_E] = (ppm_sc_code[]){PPM_SC_ACCEPT, -1}, | ||
| [PPME_SOCKET_ACCEPT_X] = (ppm_sc_code[]){PPM_SC_ACCEPT, -1}, | ||
| [PPME_SOCKET_SEND_E] = NULL, // TODO (ppm_sc_code[]){PPM_SC_SEND, -1}, |
There was a problem hiding this comment.
This will be addressed by #936 .
There was a problem hiding this comment.
Idea here is:
- is event actually sent but we still miss the PPM_SC mapping it (tracepoint ppm_sc that will be introduced once we merge the ppm_sc table with the tb table)? Then use
PPM_SC_UNKNOWN. - else, use NULL
In this case, the event is not actually sent right now.
| [PPME_SOCKET_SEND_X] = NULL, // TODO (ppm_sc_code[]){PPM_SC_SEND, -1}, | ||
| [PPME_SOCKET_SENDTO_E] = (ppm_sc_code[]){PPM_SC_SENDTO, -1}, | ||
| [PPME_SOCKET_SENDTO_X] = (ppm_sc_code[]){PPM_SC_SENDTO, -1}, | ||
| [PPME_SOCKET_RECV_E] = NULL, // TODO (ppm_sc_code[]){PPM_SC_RECV, -1}, |
There was a problem hiding this comment.
This will be addressed by #936 .
|
/milestone 0.11.0 |
FedeDP
force-pushed
the
new/scap_ppme_to_sc_table
branch
from
15e13d9
to
c054a66
Compare
|
Rebased on top of new master. |
| #endif | ||
|
|
||
| #ifdef __NR_writev | ||
| //io_sc_set_truth.insert(PPM_SC_PWRITE); |
There was a problem hiding this comment.
why is this commented? I don't see any PPM_SC_PWRITE between our enums, is it correct?
There was a problem hiding this comment.
Yep exactly; i don't know what that was indeed :)
There was a problem hiding this comment.
I think we can clean it up later!
There was a problem hiding this comment.
🤷♀️ I don't remember either and I was probably the one who added it? Plz cleanup and adjust as needed 🙏
|
Need to rebase :( |
FedeDP
force-pushed
the
new/scap_ppme_to_sc_table
branch
2 times, most recently
from
8890f72
to
d5381c2
Compare
|
cc @falcosecurity/libs-maintainers for visibility. |
| auto generic_ev_set = libsinsp::events::set<ppm_event_code>({PPME_GENERIC_E, PPME_GENERIC_X}); | ||
| auto generic_sc_set = libsinsp::events::event_set_to_sc_set(generic_ev_set); | ||
| auto final_ev_set = libsinsp::events::sc_set_to_event_set(generic_sc_set); | ||
| ASSERT_EQ(final_ev_set, generic_ev_set); |
There was a problem hiding this comment.
Consider using the new macro we added for consistency ASSERT_PPM_EVENT_CODES_EQ.
Also we can and should do another extension to test coverage and @Andreagit97 already has bunch of more tests lined up 🎉
There was a problem hiding this comment.
Maybe another small test for this PR could be this test for non generic syscalls while also including non syscall events ...
| #include "syscall_compat_aarch64.h" | ||
| #elif __s390x__ | ||
| #include "syscall_compat_s390x.h" | ||
| #endif /* __x86_64__ */ |
| #endif | ||
|
|
||
| #ifdef __NR_writev | ||
| //io_sc_set_truth.insert(PPM_SC_PWRITE); |
There was a problem hiding this comment.
🤷♀️ I don't remember either and I was probably the one who added it? Plz cleanup and adjust as needed 🙏
…o map each PPME_EVENT to the PPM_SC that generate it. Moreover, small improvements to libsinsp::events API. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Moreover, cleaned up interesting_syscalls test and added a new events_set test. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
FedeDP
force-pushed
the
new/scap_ppme_to_sc_table
branch
from
d5381c2
to
da53d7d
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, FedeDP, incertum The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind cleanup
/kind feature
Any specific area of the project related to this PR?
/area libscap
/area libsinsp
Does this PR require a change in the driver versions?
What this PR does / why we need it:
This PR is extracted from #889 .
It implements:
Indeed, using the syscall_table to retrieve that information was very error prone because in userspace we only saw syscalls present on that architecture (included by our driver/syscall_compat_$arch.h); moreover there was no way to map OLD_VERSION events.
This allows us to reliably retrieve all ppm_sc related to an event set (because we are no more iterating over the syscalls_table, but we directly map event -> ppm_sc).
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Most of the changes are in userspace/libscap/linux/scap_ppm_sc.c.
Macos and win32 scap_ppm_sc API impl does nothing.
Tests were cleaned up of now useless
ifdef __NR_FOOchecks, and<sys/syscall.h>includes.Added a small test to guarantee that any new PPM_SC is also added to the new scap_ppm_sc.c table.
Other tests present in #889 will be added once all the PRs are in (ie: this one, #936 and the ppm_tp table refactor/merge into ppm_sc)
Does this PR introduce a user-facing change?: