diff --git a/driver/modern_bpf/maps/maps.h b/driver/modern_bpf/maps/maps.h index 59cdb3dd54..850133f41a 100644 --- a/driver/modern_bpf/maps/maps.h +++ b/driver/modern_bpf/maps/maps.h @@ -117,20 +117,17 @@ struct { } syscall_exit_tail_table __weak SEC(".maps"); /** - * @brief This tail table is used when a bpf program needs another program - * to complete its execution flow. This table could be used both by - * programs directly attached in the kernel (like page_faults, - * context_switch, ...) and by syscall_events (like - * ppme_syscall_execveat_x, ...). - * Given a predefined tail-code (`extra_syscall_codes`), it calls + * @brief This tail table is used when a sys exit bpf program needs another program + * to complete its execution flow. + * Given a predefined tail-code (`sys_exit_extra_code`), it calls * the right bpf program. */ struct { __uint(type, BPF_MAP_TYPE_PROG_ARRAY); - __uint(max_entries, TAIL_EXTRA_EVENT_PROG_MAX); + __uint(max_entries, SYS_EXIT_EXTRA_CODE_MAX); __type(key, uint32_t); __type(value, uint32_t); -} extra_syscall_calls __weak SEC(".maps"); +} syscall_exit_extra_tail_table __weak SEC(".maps"); /*=============================== BPF_MAP_TYPE_PROG_ARRAY ===============================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c index c38c3f02c3..83b8ec85c2 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c @@ -150,7 +150,7 @@ int BPF_PROG(clone_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T1_CLONE_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_CLONE_X); return 0; } @@ -206,7 +206,7 @@ int BPF_PROG(t1_clone_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T2_CLONE_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_CLONE_X); return 0; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c index ac8ba9e41a..fca6d958bd 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c @@ -150,7 +150,7 @@ int BPF_PROG(clone3_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T1_CLONE3_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_CLONE3_X); return 0; } @@ -204,7 +204,7 @@ int BPF_PROG(t1_clone3_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T2_CLONE3_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_CLONE3_X); return 0; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c index 22d0ef76f9..870c99215d 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c @@ -155,7 +155,7 @@ int BPF_PROG(execve_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T1_EXECVE_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_EXECVE_X); return 0; } @@ -284,7 +284,7 @@ int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) { /*=============================== COLLECT PARAMETERS ===========================*/ - bpf_tail_call(ctx, &extra_syscall_calls, T2_EXECVE_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_EXECVE_X); return 0; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c index beed1e9c13..878d3f94f6 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c @@ -168,7 +168,7 @@ int BPF_PROG(execveat_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T1_EXECVEAT_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_EXECVEAT_X); return 0; } @@ -296,7 +296,7 @@ int BPF_PROG(t1_execveat_x, struct pt_regs *regs, long ret) { /*=============================== COLLECT PARAMETERS ===========================*/ - bpf_tail_call(ctx, &extra_syscall_calls, T2_EXECVEAT_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_EXECVEAT_X); return 0; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c index 983130d87f..a8b2026f0d 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c @@ -152,7 +152,7 @@ int BPF_PROG(fork_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T1_FORK_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_FORK_X); return 0; } @@ -198,7 +198,7 @@ int BPF_PROG(t1_fork_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T2_FORK_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_FORK_X); return 0; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c index 274d84a03b..5bf799808a 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c @@ -60,7 +60,7 @@ int BPF_PROG(open_by_handle_at_x, struct pt_regs *regs, long ret) { /*=============================== COLLECT PARAMETERS ===========================*/ - bpf_tail_call(ctx, &extra_syscall_calls, T1_OPEN_BY_HANDLE_AT_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_OPEN_BY_HANDLE_AT_X); return 0; } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/vfork.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/vfork.bpf.c index 8ede844bc1..3c73d519b4 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/vfork.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/vfork.bpf.c @@ -150,7 +150,7 @@ int BPF_PROG(vfork_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T1_VFORK_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T1_VFORK_X); return 0; } @@ -196,7 +196,7 @@ int BPF_PROG(t1_vfork_x, struct pt_regs *regs, long ret) { /* We have to split here the bpf program, otherwise, it is too large * for the verifier (limit 1000000 instructions). */ - bpf_tail_call(ctx, &extra_syscall_calls, T2_VFORK_X); + bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_VFORK_X); return 0; } diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 86728d4196..83e06c9d71 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -1521,11 +1521,9 @@ typedef enum { * "Tx_" stands for "extra tail call number x for the event after '_'". * For example "T1_EXECVE_X" stands for: * - `T1` = extra tail call number 1. - * - `EXECVE` = name of the syscall for which we need an extra tail call. - * - `X` = means that we need this extra tail call for the exit event, `E` means enter the event. - * + * - `EXECVE_X` = name of the syscall for which we need an extra tail call. */ -enum extra_syscall_codes { +enum sys_exit_extra_code { T1_EXECVE_X, T1_EXECVEAT_X, T1_CLONE_X, @@ -1540,7 +1538,7 @@ enum extra_syscall_codes { T2_EXECVE_X, T2_EXECVEAT_X, // Add new codes here... - TAIL_EXTRA_EVENT_PROG_MAX, + SYS_EXIT_EXTRA_CODE_MAX, }; /* diff --git a/userspace/libpman/include/libpman.h b/userspace/libpman/include/libpman.h index b916bb6164..aa8cc827e8 100644 --- a/userspace/libpman/include/libpman.h +++ b/userspace/libpman/include/libpman.h @@ -396,19 +396,18 @@ uint64_t pman_get_probe_api_ver(void); uint64_t pman_get_probe_schema_ver(void); /** - * @brief Some bpf programs exceed the maximum complexity + * @brief Some sys exit bpf programs exceed the maximum complexity * so they have to tail-call other programs. To do that, they - * need a particular tail table that we call `extra_syscall_calls`. + * need a particular tail table that we call `syscall_exit_extra_tail_table`. * - * -> EXTRA EVENT PROG TAIL TABLE - * extra_syscall_calls(extra_syscall_codes, program_fd). + * syscall_exit_extra_tail_table(sys_exit_extra_code, program_fd). * - * `extra_syscall_codes` is an enum defined in + * `sys_exit_extra_code` is an enum defined in * `/driver/ppm_events_public.h` * * @return `0` on success, `errno` in case of error. */ -int pman_fill_extra_syscall_calls_table(void); +int pman_fill_syscall_exit_extra_tail_table(void); /** * @brief The syscall dispatchers will look into these tables diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h index 688130ea41..2aba445b90 100644 --- a/userspace/libpman/src/events_prog_names.h +++ b/userspace/libpman/src/events_prog_names.h @@ -341,8 +341,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_SETREGID_X] = "setregid_x", }; -/* Some events can require more than one bpf program to collect all the data. */ -static const char* extra_event_prog_names[TAIL_EXTRA_EVENT_PROG_MAX] = { +/* Some exit events can require more than one bpf program to collect all the data. */ +static const char* sys_exit_extra_event_names[SYS_EXIT_EXTRA_CODE_MAX] = { [T1_EXECVE_X] = "t1_execve_x", [T1_EXECVEAT_X] = "t1_execveat_x", [T1_CLONE_X] = "t1_clone_x", diff --git a/userspace/libpman/src/maps.c b/userspace/libpman/src/maps.c index 759e43cd8d..36cb2c0829 100644 --- a/userspace/libpman/src/maps.c +++ b/userspace/libpman/src/maps.c @@ -249,24 +249,25 @@ int pman_fill_syscalls_tail_table() { return errno; } -int pman_fill_extra_syscall_calls_table() { - int extra_syscall_call_table_fd = bpf_map__fd(g_state.skel->maps.extra_syscall_calls); - if(extra_syscall_call_table_fd <= 0) { - pman_print_error("unable to get the extra event programs tail table"); +int pman_fill_syscall_exit_extra_tail_table() { + int extra_sys_exit_tail_table_fd = + bpf_map__fd(g_state.skel->maps.syscall_exit_extra_tail_table); + if(extra_sys_exit_tail_table_fd <= 0) { + pman_print_error("unable to get the extra sys exit tail table"); return errno; } const char* tail_prog_name = NULL; - for(int j = 0; j < TAIL_EXTRA_EVENT_PROG_MAX; j++) { - tail_prog_name = extra_event_prog_names[j]; + for(int j = 0; j < SYS_EXIT_EXTRA_CODE_MAX; j++) { + tail_prog_name = sys_exit_extra_event_names[j]; if(!tail_prog_name) { - pman_print_error("unknown entry in the extra event programs tail table"); + pman_print_error("unknown entry in the extra sys exit tail table"); return -1; } - if(add_bpf_program_to_tail_table(extra_syscall_call_table_fd, tail_prog_name, j)) { - close(extra_syscall_call_table_fd); + if(add_bpf_program_to_tail_table(extra_sys_exit_tail_table_fd, tail_prog_name, j)) { + close(extra_sys_exit_tail_table_fd); return errno; } } @@ -331,6 +332,6 @@ int pman_finalize_maps_after_loading() { pman_fill_syscall_sampling_table(); pman_fill_ia32_to_64_table(); err = pman_fill_syscalls_tail_table(); - err = err ?: pman_fill_extra_syscall_calls_table(); + err = err ?: pman_fill_syscall_exit_extra_tail_table(); return err; }