diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION index 834f262953..c8e38b6140 100644 --- a/driver/SCHEMA_VERSION +++ b/driver/SCHEMA_VERSION @@ -1 +1 @@ -2.8.0 +2.9.0 diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index d0469a1d33..20f1d2c226 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -1000,6 +1000,25 @@ FILLER(sys_fcntl_e, true) return bpf_push_u8_to_ring(data, fcntl_cmd_to_scap(cmd)); } +FILLER(sys_fcntl_x, true) +{ + long retval; + + /* Parameter 1: Return Value */ + retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_push_s64_to_ring(data, (s64)retval); + CHECK_RES(res); + + /* Parameter 2: fd (type: PT_FD) */ + s32 fd = (s32)bpf_syscall_get_argument(data, 0); + res = bpf_push_s64_to_ring(data, (s64)fd); + CHECK_RES(res); + + /* Parameter 3: cmd (type: PT_ENUMFLAGS8) */ + s32 cmd = (s32)bpf_syscall_get_argument(data, 1); + return bpf_push_u8_to_ring(data, fcntl_cmd_to_scap(cmd)); +} + FILLER(sys_access_e, true) { /* Parameter 1: mode (type: PT_UINT32) */ diff --git a/driver/event_table.c b/driver/event_table.c index c26028b704..8c2078793b 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -200,7 +200,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_DROP_E] = {"drop", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET, 1, {{"ratio", PT_UINT32, PF_DEC} } }, [PPME_DROP_X] = {"drop", EC_INTERNAL | EC_METAEVENT, EF_SKIPPARSERESET, 1, {{"ratio", PT_UINT32, PF_DEC} } }, [PPME_SYSCALL_FCNTL_E] = {"fcntl", EC_IO_OTHER | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands} } }, - [PPME_SYSCALL_FCNTL_X] = {"fcntl", EC_IO_OTHER | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_FD, PF_DEC} } }, + [PPME_SYSCALL_FCNTL_X] = {"fcntl", EC_IO_OTHER | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 3, {{"res", PT_FD, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"cmd", PT_ENUMFLAGS8, PF_DEC, fcntl_commands} } }, [PPME_SCHEDSWITCH_6_E] = {"switch", EC_SCHEDULER | EC_TRACEPOINT, EF_NONE, 6, {{"next", PT_PID, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC} } }, /// TODO: do we need SKIPPARSERESET flag? [PPME_SCHEDSWITCH_6_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SYSCALL_EXECVE_13_E] = {"execve", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE | EF_OLD_VERSION, 0}, diff --git a/driver/fillers_table.c b/driver/fillers_table.c index e33804992d..6caf9511ac 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c @@ -152,7 +152,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_DROP_E] = {FILLER_REF(sched_drop)}, [PPME_DROP_X] = {FILLER_REF(sched_drop)}, [PPME_SYSCALL_FCNTL_E] = {FILLER_REF(sys_fcntl_e)}, - [PPME_SYSCALL_FCNTL_X] = {FILLER_REF(sys_single_x)}, + [PPME_SYSCALL_FCNTL_X] = {FILLER_REF(sys_fcntl_x)}, #ifdef CAPTURE_CONTEXT_SWITCHES [PPME_SCHEDSWITCH_6_E] = {FILLER_REF(sched_switch_e)}, #endif diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index 1e3615dfa7..f3f99a4640 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -147,7 +147,7 @@ #define PREAD64_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3 #define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2 #define FCNTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2 -#define FCNTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN +#define FCNTL_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 3 #define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2 #define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN #define FSCONFIG_E_SIZE HEADER_LEN diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fcntl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fcntl.bpf.c index 3d56903413..724e4df1d0 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fcntl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fcntl.bpf.c @@ -81,6 +81,14 @@ int BPF_PROG(fcntl_x, /* Parameter 1: res (type: PT_FD)*/ ringbuf__store_s64(&ringbuf, ret); + /* Parameter 2: fd (type: PT_FD) */ + s32 fd = (s32)extract__syscall_argument(regs, 0); + ringbuf__store_s64(&ringbuf, (s64)fd); + + /* Parameter 3: cmd (type: PT_ENUMFLAGS8) */ + int cmd = (s32)extract__syscall_argument(regs, 1); + ringbuf__store_u8(&ringbuf, fcntl_cmd_to_scap(cmd)); + /*=============================== COLLECT PARAMETERS ===========================*/ ringbuf__submit_event(&ringbuf); diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index c4f8cd60b1..43d8a56513 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -4510,6 +4510,32 @@ int f_sys_fcntl_e(struct event_filler_arguments *args) return add_sentinel(args); } +int f_sys_fcntl_x(struct event_filler_arguments *args) +{ + int64_t retval; + unsigned long val = 0; + int res = 0; + s32 fd = 0; + + /* Parameter 1: return value */ + retval = (int64_t)(long)syscall_get_return_value(current, args->regs); + res = val_to_ring(args, retval, 0, false, 0); + CHECK_RES(res); + + /* Parameter 2: fd (type: PT_FD) */ + syscall_get_arguments_deprecated(args, 0, 1, &val); + fd = (s32)val; + res = val_to_ring(args, (s64)fd, 0, false, 0); + CHECK_RES(res); + + /* Parameter 3: cmd (type: PT_ENUMFLAGS8) */ + syscall_get_arguments_deprecated(args, 1, 1, &val); + res = val_to_ring(args, fcntl_cmd_to_scap(val), 0, false, 0); + CHECK_RES(res); + + return add_sentinel(args); +} + static inline int parse_ptrace_addr(struct event_filler_arguments *args, u16 request) { unsigned long val; diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h index 377f6b3ed1..8f2d8b738a 100644 --- a/driver/ppm_fillers.h +++ b/driver/ppm_fillers.h @@ -72,6 +72,7 @@ or GPL2.txt for full copies of the license. FN(sched_switch_e) \ FN(sched_drop) \ FN(sys_fcntl_e) \ + FN(sys_fcntl_x) \ FN(sys_ptrace_e) \ FN(sys_ptrace_x) \ FN(sys_mmap_e) \ diff --git a/test/drivers/test_suites/syscall_exit_suite/fcntl_x.cpp b/test/drivers/test_suites/syscall_exit_suite/fcntl_x.cpp index 39032d96d2..9e988193f6 100644 --- a/test/drivers/test_suites/syscall_exit_suite/fcntl_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/fcntl_x.cpp @@ -37,8 +37,14 @@ TEST(SyscallExit, fcntlX) /* Parameter 1: ret (type: PT_FD)*/ evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 2: fd (type: PT_FD) */ + evt_test->assert_numeric_param(2, (int64_t)invalid_fd); + + /* Parameter 3: cmd (type: PT_ENUMFLAGS8) */ + evt_test->assert_numeric_param(3, (uint8_t)PPM_FCNTL_F_DUPFD_CLOEXEC); + /*=============================== ASSERT PARAMETERS ===========================*/ - evt_test->assert_num_params_pushed(1); + evt_test->assert_num_params_pushed(3); } #endif