From 5a7df98970f949ecacfccf3ca259077419a1ce38 Mon Sep 17 00:00:00 2001 From: Ofer Heifetz Date: Mon, 17 Jul 2023 15:14:02 +0300 Subject: [PATCH] fix umount2 syscall flags type, add conversion helper function - change the flags (param 1) from u32 to s32 - add a userspace to scap flag conversion helper routine Reported by: github issue #515 Signed-off-by: Ofer Heifetz --- driver/bpf/fillers.h | 4 +-- .../definitions/events_dimensions.h | 2 +- .../definitions/missing_definitions.h | 11 ++++++++ .../syscall_dispatched_events/umount2.bpf.c | 4 +-- driver/ppm_fillers.c | 2 +- driver/ppm_flag_helpers.h | 26 +++++++++++++++++++ .../syscall_enter_suite/umount2_e.cpp | 2 +- 7 files changed, 44 insertions(+), 7 deletions(-) diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index d02cdbc8d12..b68c5a8cc0a 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -6214,8 +6214,8 @@ FILLER(sys_umount_x, true) FILLER(sys_umount2_e, true) { /* Parameter 1: flags (type: PT_FLAGS32) */ - u32 flags = (u32)bpf_syscall_get_argument(data, 1); - return bpf_push_u32_to_ring(data, flags); + int flags = (int)bpf_syscall_get_argument(data, 1); + return bpf_push_s32_to_ring(data, umount2_flags_to_scap(flags)); } FILLER(sys_umount2_x, true) diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index f1f4aec2e24..134131b5f5f 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -113,7 +113,7 @@ #define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN #define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN #define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN -#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN +#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN #define UMOUNT_E_SIZE HEADER_LEN #define LINK_E_SIZE HEADER_LEN #define LINKAT_E_SIZE HEADER_LEN diff --git a/driver/modern_bpf/definitions/missing_definitions.h b/driver/modern_bpf/definitions/missing_definitions.h index 538cd20fcda..fdc1361b2e0 100644 --- a/driver/modern_bpf/definitions/missing_definitions.h +++ b/driver/modern_bpf/definitions/missing_definitions.h @@ -552,6 +552,17 @@ #define MAY_WRITE 0x00000002 #define MAY_READ 0x00000004 +////////////////////////// +// umount options +////////////////////////// + +/* `include/linux/fs.h` from kernel source tree. */ + +#define MNT_FORCE 0x00000001 /* Attempt to forcibily umount */ +#define MNT_DETACH 0x00000002 /* Just detach from the tree */ +#define MNT_EXPIRE 0x00000004 /* Mark for expiry */ +#define UMOUNT_NOFOLLOW 0x00000008 /* Don't follow symlink on umount */ + ////////////////////////// // lseek whence ////////////////////////// diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c index a76d8320684..4d23273b40d 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c @@ -26,8 +26,8 @@ int BPF_PROG(umount2_e, /*=============================== COLLECT PARAMETERS ===========================*/ /* Parameter 1: flags (type: PT_FLAGS32) */ - u32 flags = (u32)extract__syscall_argument(regs, 1); - ringbuf__store_u32(&ringbuf, flags); + s32 flags = (s32)extract__syscall_argument(regs, 1); + ringbuf__store_s32(&ringbuf, umount2_flags_to_scap(flags)); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 05ff7d70e72..5a010aacc54 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -7278,7 +7278,7 @@ int f_sys_umount2_e(struct event_filler_arguments *args) /* Parameter 1: flags (type: PT_FLAGS32) */ syscall_get_arguments_deprecated(args, 1, 1, &val); - res = val_to_ring(args, val, 0, true, 0); + res = val_to_ring(args, (u64)umount2_flags_to_scap(val), 0, true, 0); CHECK_RES(res); return add_sentinel(args); diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h index 668f69b6a65..ee7ce62518d 100644 --- a/driver/ppm_flag_helpers.h +++ b/driver/ppm_flag_helpers.h @@ -34,6 +34,9 @@ or GPL2.txt for full copies of the license. #ifdef __NR_io_uring_register #include #endif +#ifdef __NR_umount2 +#include +#endif #endif // ifndef UDIG #ifndef __always_inline @@ -1828,6 +1831,29 @@ static __always_inline u32 chmod_mode_to_scap(unsigned long modes) return res; } +static __always_inline u32 umount2_flags_to_scap(unsigned long flags) +{ + u32 res = 0; + +#ifdef MNT_FORCE + if (flags & MNT_FORCE) + res |= PPM_MNT_FORCE; +#endif +#ifdef MNT_DETACH + if (flags & MNT_DETACH) + res |= PPM_MNT_DETACH; +#endif +#ifdef MNT_EXPIRE + if (flags & MNT_EXPIRE) + res |= PPM_MNT_EXPIRE; +#endif +#ifdef UMOUNT_NOFOLLOW + if (flags & UMOUNT_NOFOLLOW) + res |= PPM_UMOUNT_NOFOLLOW; +#endif + return res; +} + static __always_inline u32 fchownat_flags_to_scap(unsigned long flags) { u32 res = 0; diff --git a/test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp b/test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp index 94032cab383..2a883130402 100644 --- a/test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp +++ b/test/drivers/test_suites/syscall_enter_suite/umount2_e.cpp @@ -34,7 +34,7 @@ TEST(SyscallEnter, umount2E) /*=============================== ASSERT PARAMETERS ===========================*/ /* Parameter 1: flags (type: PT_FLAGS32) */ - evt_test->assert_numeric_param(1, (uint32_t)(PPM_MNT_FORCE | PPM_MNT_DETACH | PPM_MNT_EXPIRE | PPM_UMOUNT_NOFOLLOW)); + evt_test->assert_numeric_param(1, (int32_t)(PPM_MNT_FORCE | PPM_MNT_DETACH | PPM_MNT_EXPIRE | PPM_UMOUNT_NOFOLLOW)); /*=============================== ASSERT PARAMETERS ===========================*/