falcosecurity · poiana · Mar 8, 2023 · Mar 2, 2023 · Mar 2, 2023 · Mar 6, 2023
diff --git a/userspace/libpman/include/libpman.h b/userspace/libpman/include/libpman.h
@@ -66,6 +66,13 @@ extern "C"
 	 */
 	int pman_get_required_buffers(void);
 
+	/**
+	 * @brief Return whether modern bpf is supported by running kernel.
+	 *
+	 * @return supported true or false.
+	 */
+	bool pman_check_support();
+
 	/////////////////////////////
 	// PROBE LIFECYCLE
 	/////////////////////////////

diff --git a/userspace/libscap/linux/CMakeLists.txt b/userspace/libscap/linux/CMakeLists.txt
@@ -1,2 +1,2 @@
-add_library(scap_platform scap_procs.c scap_fds.c scap_userlist.c scap_iflist.c)
+add_library(scap_platform scap_procs.c scap_fds.c scap_userlist.c scap_iflist.c scap_ppm_sc.c)
 target_link_libraries(scap_platform scap_error)
diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c
diff --git a/userspace/libscap/macos/CMakeLists.txt b/userspace/libscap/macos/CMakeLists.txt
@@ -1,3 +1,3 @@
 # note: since macOS is effectively non-existent, this library will go away
 # as soon as we clean up the interface enough
-add_library(scap_platform scap_procs.c)
+add_library(scap_platform scap_procs.c scap_ppm_sc.c)
diff --git a/userspace/libscap/macos/scap_ppm_sc.c b/userspace/libscap/macos/scap_ppm_sc.c
@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include "scap.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <inttypes.h>
+#include <unistd.h>
+
+int scap_get_modifies_state_ppm_sc(OUT uint8_t ppm_sc_array[PPM_SC_MAX])
+{
+	return SCAP_FAILURE;
+}
+
+int scap_get_events_from_ppm_sc(IN const uint8_t ppm_sc_array[PPM_SC_MAX], OUT uint8_t events_array[PPM_EVENT_MAX])
+{
+	return SCAP_FAILURE;
+}
+
+int scap_get_ppm_sc_from_events(IN const uint8_t events_array[PPM_EVENT_MAX], OUT uint8_t ppm_sc_array[PPM_SC_MAX])
+{
+	return SCAP_FAILURE;
+}
+
+ppm_sc_code scap_ppm_sc_from_name(const char *name)
+{
+	return PPM_SC_UNKNOWN;
+}
+
+ppm_sc_code scap_native_id_to_ppm_sc(int native_id)
+{
+	return PPM_SC_UNKNOWN;
+}
diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
@@ -851,138 +851,6 @@ int32_t scap_get_stats(scap_t* handle, OUT scap_stats* stats)
 	return SCAP_SUCCESS;
 }
 
-int scap_get_modifies_state_ppm_sc(OUT uint8_t ppm_sc_array[PPM_SC_MAX])
-{
-	if(ppm_sc_array == NULL)
-	{
-		return SCAP_FAILURE;
-	}
-
-	/* Clear the array before using it.
-	 * This is not necessary but just to be future-proof.
-	 */
-	memset(ppm_sc_array, 0, sizeof(*ppm_sc_array) * PPM_SC_MAX);
-
-#ifdef __linux__
-	// Collect EF_MODIFIES_STATE events
-	for (int event_nr = 0; event_nr < PPM_EVENT_MAX; event_nr++)
-	{
-		if (g_event_info[event_nr].flags & EF_MODIFIES_STATE)
-		{
-			for (int syscall_nr = 0; syscall_nr < SYSCALL_TABLE_SIZE; syscall_nr++)
-			{
-				if (g_syscall_table[syscall_nr].exit_event_type == event_nr || g_syscall_table[syscall_nr].enter_event_type == event_nr)
-				{
-					uint32_t ppm_sc_code = g_syscall_table[syscall_nr].ppm_sc;
-					ppm_sc_array[ppm_sc_code] = 1;
-				}
-			}
-		}
-	}
-
-	// Collect UF_NEVER_DROP syscalls
-	for (int syscall_nr = 0; syscall_nr < SYSCALL_TABLE_SIZE; syscall_nr++)
-	{
-		if (g_syscall_table[syscall_nr].flags & UF_NEVER_DROP)
-		{
-			uint32_t ppm_sc_code = g_syscall_table[syscall_nr].ppm_sc;
-			ppm_sc_array[ppm_sc_code] = 1;
-		}
-	}
-#endif
-	return SCAP_SUCCESS;
-}
-
-int scap_get_events_from_ppm_sc(IN const uint8_t ppm_sc_array[PPM_SC_MAX], OUT uint8_t events_array[PPM_EVENT_MAX])
-{
-	if(ppm_sc_array == NULL || events_array == NULL)
-	{
-		return SCAP_FAILURE;
-	}
-
-	/* Clear the array before using it.
-	 * This is not necessary but just to be future-proof.
-	 */
-	memset(events_array, 0, sizeof(*events_array) * PPM_EVENT_MAX);
-
-#ifdef __linux__
-	for(int ppm_code = 0; ppm_code < PPM_SC_MAX; ppm_code++)
-	{
-		if(!ppm_sc_array[ppm_code])
-		{
-			continue;
-		}
-
-		/* If we arrive here we want to know the events associated with this ppm_code. */
-		for(int syscall_nr = 0; syscall_nr < SYSCALL_TABLE_SIZE; syscall_nr++)
-		{
-			const struct syscall_evt_pair pair = g_syscall_table[syscall_nr];
-			if(pair.ppm_sc == ppm_code)
-			{
-				int enter_evt = pair.enter_event_type;
-				int exit_evt = pair.exit_event_type;
-				// Workaround for syscall table entries with just
-				// a .ppm_sc set: force-set exit event as PPME_GENERIC_X,
-				// that is the one actually sent by drivers in that case.
-				if (enter_evt == exit_evt && enter_evt == PPME_GENERIC_E)
-				{
-					exit_evt = PPME_GENERIC_X;
-				}
-				events_array[enter_evt] = 1;
-				events_array[exit_evt] = 1;
-			}
-		}
-	}
-#endif
-	return SCAP_SUCCESS;
-}
-
-int scap_get_ppm_sc_from_events(IN const uint8_t events_array[PPM_EVENT_MAX], OUT uint8_t ppm_sc_array[PPM_SC_MAX])
-{
-	if(events_array == NULL || ppm_sc_array == NULL)
-	{
-		return SCAP_FAILURE;
-	}
-
-	/* Clear the array before using it.
-	 * This is not necessary but just to be future-proof.
-	 */
-	memset(ppm_sc_array, 0, sizeof(*ppm_sc_array) * PPM_SC_MAX);
-
-#ifdef __linux__
-	for(int ev = 0; ev < PPM_EVENT_MAX; ev++)
-	{
-		if(!events_array[ev])
-		{
-			continue;
-		}
-
-		for(int syscall_nr = 0; syscall_nr < SYSCALL_TABLE_SIZE; syscall_nr++)
-		{
-			const struct syscall_evt_pair pair = g_syscall_table[syscall_nr];
-			if (pair.enter_event_type == ev || pair.exit_event_type == ev)
-			{
-				ppm_sc_array[pair.ppm_sc] = 1;
-			}
-		}
-	}
-#endif
-	return SCAP_SUCCESS;
-}
-
-ppm_sc_code scap_native_id_to_ppm_sc(int native_id)
-{
-#ifdef __linux__
-	if (native_id < 0 || native_id >= SYSCALL_TABLE_SIZE)
-	{
-		return -1;
-	}
-	return g_syscall_table[native_id].ppm_sc;
-#else
-	return -1;
-#endif
-}
-
 int scap_get_modifies_state_tracepoints(OUT uint8_t tp_array[TP_VAL_MAX])
 {
 	if(tp_array == NULL)

diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -732,6 +732,11 @@ int scap_get_events_from_ppm_sc(IN const uint8_t ppm_sc_array[PPM_SC_MAX], OUT u
 */
 int scap_get_ppm_sc_from_events(IN const uint8_t events_array[PPM_EVENT_MAX], OUT uint8_t ppm_sc_array[PPM_SC_MAX]);
 
+/*!
+  \brief Given a name, returns associated ppm_sc.
+*/
+ppm_sc_code scap_ppm_sc_from_name(const char *name);
+
 /*!
   \brief Convert a native syscall nr to ppm_sc
 */

diff --git a/userspace/libscap/win32/CMakeLists.txt b/userspace/libscap/win32/CMakeLists.txt
@@ -1 +1 @@
-add_library(scap_platform scap_procs.c)
+add_library(scap_platform scap_procs.c scap_ppm_sc.c)
diff --git a/userspace/libscap/win32/scap_ppm_sc.c b/userspace/libscap/win32/scap_ppm_sc.c
@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include "scap.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <inttypes.h>
+
+int scap_get_modifies_state_ppm_sc(OUT uint8_t ppm_sc_array[PPM_SC_MAX])
+{
+	return SCAP_FAILURE;
+}
+
+int scap_get_events_from_ppm_sc(IN const uint8_t ppm_sc_array[PPM_SC_MAX], OUT uint8_t events_array[PPM_EVENT_MAX])
+{
+	return SCAP_FAILURE;
+}
+
+int scap_get_ppm_sc_from_events(IN const uint8_t events_array[PPM_EVENT_MAX], OUT uint8_t ppm_sc_array[PPM_SC_MAX])
+{
+	return SCAP_FAILURE;
+}
+
+ppm_sc_code scap_ppm_sc_from_name(const char *name)
+{
+	return PPM_SC_UNKNOWN;
+}
+
+ppm_sc_code scap_native_id_to_ppm_sc(int native_id)
+{
+	return PPM_SC_UNKNOWN;
+}
diff --git a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp
@@ -237,12 +237,12 @@ libsinsp::events::set<ppm_sc_code> libsinsp::events::sys_sc_set()
 libsinsp::events::set<ppm_sc_code> libsinsp::events::names_to_sc_set(const std::unordered_set<std::string>& syscalls)
 {
 	libsinsp::events::set<ppm_sc_code> ppm_sc_set;
-	for (int ppm_sc = 0; ppm_sc < PPM_SC_MAX; ++ppm_sc)
+	for (const auto &syscall_name : syscalls)
 	{
-		std::string ppm_sc_name = scap_get_syscall_info_table()[ppm_sc].name;
-		if (syscalls.find(ppm_sc_name) != syscalls.end())
+		auto ppm_sc = scap_ppm_sc_from_name(syscall_name.c_str());
+		if(ppm_sc != -1)
 		{
-			ppm_sc_set.insert((ppm_sc_code)ppm_sc);
+			ppm_sc_set.insert(ppm_sc);
 		}
 	}
 	/* Extra back and forth mapping to resolve overloaded event <-> sc names, e.g. accept -> accept, accept4
@@ -287,7 +287,11 @@ libsinsp::events::set<ppm_sc_code> libsinsp::events::all_sc_set()
 	{
 		for(uint32_t ppm_sc = 0; ppm_sc < PPM_SC_MAX; ppm_sc++)
 		{
-			ppm_sc_set.insert((ppm_sc_code)ppm_sc);
+			if (scap_get_syscall_info_table()[ppm_sc].name[0] != '\0')
+			{
+				// Skip non-existent
+				ppm_sc_set.insert((ppm_sc_code)ppm_sc);
+			}
 		}
 	}
 	return ppm_sc_set;
@@ -299,7 +303,11 @@ std::unordered_set<std::string> libsinsp::events::sc_set_to_names(const libsinsp
 	for (const auto& val : ppm_sc_set)
 	{
 		std::string ppm_sc_name = scap_get_syscall_info_table()[val].name;
-	    ppm_sc_names_set.insert(ppm_sc_name);
+		if (ppm_sc_name != "")
+		{
+			// Skip non-existent
+			ppm_sc_names_set.insert(ppm_sc_name);
+		}
 	}
 	return ppm_sc_names_set;
 }