diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 2486ecb45f0..3009ac20829 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -99,6 +99,10 @@ static __always_inline struct inode *get_file_inode(struct file *file)
 static __always_inline enum ppm_overlay get_overlay_layer(struct file *file)
 {
+ if (!file)
+ {
+ return PPM_NOT_OVERLAY_FS;
+ }
 struct dentry* dentry = NULL;
 bpf_probe_read_kernel(&dentry, sizeof(dentry), &file->f_path.dentry);
 struct super_block* sb = (struct super_block*)_READ(dentry->d_sb);
@@ -404,7 +408,6 @@ FILLER(sys_open_x, true)
 long retval;
 int res;
 struct file *file = NULL;
- unsigned short fd_flags = 0;
 /* Parameter 1: ret (type: PT_FD) */
 retval = bpf_syscall_get_retval(data->ctx);
@@ -416,11 +419,22 @@ FILLER(sys_open_x, true)
 res = bpf_val_to_ring(data, val);
 CHECK_RES(res);
+ bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
+
 /* Parameter 3: flags (type: PT_FLAGS32) */
 val = bpf_syscall_get_argument(data, 1);
 flags = open_flags_to_scap(val);
 /* update flags if file is created*/
 flags |= bpf_get_fd_fmode_created(retval);
+ enum ppm_overlay ol = get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 res = bpf_push_u32_to_ring(data, flags);
 CHECK_RES(res);
@@ -430,30 +444,12 @@ FILLER(sys_open_x, true)
 res = bpf_push_u32_to_ring(data, mode);
 CHECK_RES(res);
- bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
-
 /* Parameter 5: dev (type: PT_UINT32) */
 res = bpf_push_u32_to_ring(data, (uint32_t)dev);
 CHECK_RES(res);
 /* Parameter 6: ino (type: PT_UINT64) */
- res = bpf_push_u64_to_ring(data, (uint64_t)ino);
- CHECK_RES(res);
-
- /* Parameter 7: fd_flags (type: PT_FLAGS16) */
- if (likely(file))
- {
- enum ppm_overlay ol = get_overlay_layer(file);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- }
- return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
+ return bpf_push_u64_to_ring(data, (uint64_t)ino);
 }
 FILLER(sys_read_e, true)
@@ -3215,7 +3211,6 @@ FILLER(sys_openat_x, true)
 int32_t fd;
 int res;
 struct file *file = NULL;
- unsigned short fd_flags = 0;
 retval = bpf_syscall_get_retval(data->ctx);
 res = bpf_push_s64_to_ring(data, retval);
@@ -3238,6 +3233,8 @@ FILLER(sys_openat_x, true)
 res = bpf_val_to_ring(data, val);
 CHECK_RES(res);
+ bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
+
 /*
 * Flags
 * Note that we convert them into the ppm portable representation before pushing them to the ring
@@ -3246,6 +3243,15 @@ FILLER(sys_openat_x, true)
 flags = open_flags_to_scap(val);
 /* update flags if file is created*/
 flags |= bpf_get_fd_fmode_created(retval);
+ enum ppm_overlay ol = get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 res = bpf_push_u32_to_ring(data, flags);
 CHECK_RES(res);
@@ -3257,8 +3263,6 @@ FILLER(sys_openat_x, true)
 res = bpf_push_u32_to_ring(data, mode);
 CHECK_RES(res);
- bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
-
 /*
 * Device
 */
@@ -3268,25 +3272,7 @@ FILLER(sys_openat_x, true)
 /*
 * Ino
 */
- res = bpf_push_u64_to_ring(data, ino);
- CHECK_RES(res);
-
- /*
- * fd_flags
- */
- if (likely(file))
- {
- enum ppm_overlay ol = get_overlay_layer(file);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- }
- return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
+ return bpf_push_u64_to_ring(data, ino);
 }
 FILLER(sys_openat2_e, true)
@@ -3368,7 +3354,6 @@ FILLER(sys_openat2_x, true)
 int32_t fd;
 int res;
 struct file *file = NULL;
- unsigned short fd_flags = 0;
 #ifdef __NR_openat2
 struct open_how how;
 #endif
@@ -3411,12 +3396,23 @@ FILLER(sys_openat2_x, true)
 resolve = 0;
 #endif
+ bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
+
 /*
 * flags (extracted from open_how structure)
 * Note that we convert them into the ppm portable representation before pushing them to the ring
 */
 /* update flags if file is created*/
 flags |= bpf_get_fd_fmode_created(retval);
+ enum ppm_overlay ol = get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 res = bpf_push_u32_to_ring(data, flags);
 CHECK_RES(res);
@@ -3434,8 +3430,6 @@ FILLER(sys_openat2_x, true)
 res = bpf_push_u32_to_ring(data, resolve);
 CHECK_RES(res);
- bpf_get_dev_ino_file_from_fd(retval, &dev, &ino, &file);
-
 /*
 * dev
 */
@@ -3445,31 +3439,15 @@ FILLER(sys_openat2_x, true)
 /*
 * ino
 */
- res = bpf_push_u64_to_ring(data, ino);
- CHECK_RES(res);
-
- /*
- * fd_flags
- */
- if (likely(file))
- {
- enum ppm_overlay ol = get_overlay_layer(file);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- }
- return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
+ return bpf_push_u64_to_ring(data, ino);
 }
 FILLER(sys_open_by_handle_at_x, true)
 {
- /* Parameter 1: ret (type: PT_FD) */
 long retval = bpf_syscall_get_retval(data->ctx);
+ struct file *file = bpf_fget(retval);
+
+ /* Parameter 1: ret (type: PT_FD) */
 int res = bpf_push_s64_to_ring(data, retval);
 CHECK_RES(res);
@@ -3490,6 +3468,15 @@ FILLER(sys_open_by_handle_at_x, true)
 flags = (uint32_t)open_flags_to_scap(flags);
 /* update flags if file is created*/
 flags |= bpf_get_fd_fmode_created(retval);
+ enum ppm_overlay ol = get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 res = bpf_val_to_ring(data, flags);
 CHECK_RES(res);
@@ -3509,12 +3496,7 @@ FILLER(sys_open_by_handle_at_x, true)
 CHECK_RES(res);
 /* Parameter 6: ino (type: PT_UINT64) */
- res = bpf_push_u64_to_ring(data, 0);
- CHECK_RES(res);
-
- /* Parameter 7: fd_flags (type: PT_FLAGS16) */
- return bpf_push_u16_to_ring(data, 0);
-
+ return bpf_push_u64_to_ring(data, 0);
 }
 FILLER(open_by_handle_at_x_extra_tail_1, true)
@@ -3548,23 +3530,7 @@ FILLER(open_by_handle_at_x_extra_tail_1, true)
 CHECK_RES(res);
 /* Parameter 6: ino (type: PT_UINT64) */
- res = bpf_push_u64_to_ring(data, ino);
- CHECK_RES(res);
-
- /* Parameter 7: fd_flags (type: PT_FLAGS16) */
- if (likely(f))
- {
- enum ppm_overlay ol = get_overlay_layer(f);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- }
- return bpf_push_u16_to_ring(data, (uint16_t)fd_flags);
+ return bpf_push_u64_to_ring(data, ino);
 }
 FILLER(sys_io_uring_setup_x, true)
diff --git a/driver/event_table.c b/driver/event_table.c
index aa661e64a2f..1e8cf966fcc 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
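Review bot: The `fd_flags` local of open_by_handle_at_x_extra_tail_1 loses its only reader in this hunk, but unlike the other fillers, where the diff also removes `unsigned short fd_flags = 0;`, no removal of its declaration appears here, so if it is still declared it is now dead and should be dropped. The same may apply to `f` if the removed `get_overlay_layer(f)` call was its only use, though `f` may still feed the dev/ino extraction earlier in the function. The function's body starts outside the hunk, so the declarations have to be checked in the file.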
@@ -53,7 +53,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_GENERIC_E] = {"syscall", EC_OTHER | EC_SYSCALL, EF_NONE, 2, {{"ID", PT_SYSCALLID, PF_DEC}, {"nativeID", PT_UINT16, PF_DEC} } },
 [PPME_GENERIC_X] = {"syscall", EC_OTHER | EC_SYSCALL, EF_NONE, 1, {{"ID", PT_SYSCALLID, PF_DEC} } },
 [PPME_SYSCALL_OPEN_E] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 3, {{"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } },
- [PPME_SYSCALL_OPEN_X] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
+ [PPME_SYSCALL_OPEN_X] = {"open", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"name", PT_FSPATH, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } },
 [PPME_SYSCALL_CLOSE_E] = {"close", EC_IO_OTHER | EC_SYSCALL, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"fd", PT_FD, PF_DEC} } },
 [PPME_SYSCALL_CLOSE_X] = {"close", EC_IO_OTHER | EC_SYSCALL, EF_DESTROYS_FD | EF_USES_FD | EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 [PPME_SYSCALL_READ_E] = {"read", EC_IO_READ | EC_SYSCALL, EF_USES_FD | EF_READS_FROM_FD, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } },
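Review bot: The parameter count of an existing event id (PPME_SYSCALL_OPEN_X, 7 to 6) changes in place with nothing on the entry saying where the dropped `fd_flags` went; a reader of this table cannot tell that it was folded into `flags` as PPM_O_F_UPPER_LAYER / PPM_O_F_LOWER_LAYER. A short comment on the entry, e.g. `/* former param 7 (fd_flags) is now carried in flags as PPM_O_F_{UPPER,LOWER}_LAYER */`, would document that, and the same applies to the OPENAT_2_X, OPENAT2_X and OPEN_BY_HANDLE_AT_X entries changed below. Captures written with the old 7-parameter layout stay readable only because every access in the parser is guarded by `get_num_params()`, which the parsers.cpp hunks do preserve; that dependency is worth stating next to the table as well.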
@@ -359,7 +359,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_MKDIRAT_E] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
 [PPME_SYSCALL_MKDIRAT_X] = {"mkdirat", EC_FILE | EC_SYSCALL, EF_NONE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"path", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"mode", PT_UINT32, PF_HEX} } },
 [PPME_SYSCALL_OPENAT_2_E] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 4, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT} } },
- [PPME_SYSCALL_OPENAT_2_X] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
+ [PPME_SYSCALL_OPENAT_2_X] = {"openat", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } },
 [PPME_SYSCALL_LINK_2_E] = {"link", EC_FILE | EC_SYSCALL, EF_NONE, 0},
 [PPME_SYSCALL_LINK_2_X] = {"link", EC_FILE | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"oldpath", PT_FSPATH, PF_NA}, {"newpath", PT_FSPATH, PF_NA} } },
 [PPME_SYSCALL_LINKAT_2_E] = {"linkat", EC_FILE | EC_SYSCALL, EF_NONE, 0},
@@ -379,7 +379,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_CONTAINER_JSON_2_E] = {"container", EC_PROCESS | EC_METAEVENT, EF_MODIFIES_STATE | EF_LARGE_PAYLOAD, 1, {{"json", PT_CHARBUF, PF_NA} } }, /// TODO: do we need SKIPPARSERESET flag?
 [PPME_CONTAINER_JSON_2_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
 [PPME_SYSCALL_OPENAT2_E] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags} } },
- [PPME_SYSCALL_OPENAT2_X] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 9, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
+ [PPME_SYSCALL_OPENAT2_X] = {"openat2", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"fd", PT_FD, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"name", PT_FSRELPATH, PF_NA, DIRFD_PARAM(1)}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"mode", PT_UINT32, PF_OCT}, {"resolve", PT_FLAGS32, PF_HEX, openat2_flags}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } },
 [PPME_SYSCALL_MPROTECT_E] = {"mprotect", EC_MEMORY | EC_SYSCALL, EF_NONE, 3, {{"addr", PT_UINT64, PF_HEX}, {"length", PT_UINT64, PF_DEC}, {"prot", PT_FLAGS32, PF_HEX, prot_flags} } },
 [PPME_SYSCALL_MPROTECT_X] = {"mprotect", EC_MEMORY | EC_SYSCALL, EF_NONE, 1, {{"res", PT_ERRNO, PF_DEC} } },
 [PPME_SYSCALL_EXECVEAT_E] = {"execveat", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"dirfd", PT_FD, PF_DEC}, {"pathname", PT_FSRELPATH, PF_NA, DIRFD_PARAM(0)}, {"flags", PT_FLAGS32, PF_HEX, execveat_flags} } },
@@ -389,7 +389,7 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_CLONE3_E] = {"clone3", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 0},
 [PPME_SYSCALL_CLONE3_X] = {"clone3", EC_PROCESS | EC_SYSCALL, EF_MODIFIES_STATE, 21, {{"res", PT_PID, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_INT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, clone_flags}, {"uid", PT_UINT32, PF_DEC}, {"gid", PT_UINT32, PF_DEC}, {"vtid", PT_PID, PF_DEC}, {"vpid", PT_PID, PF_DEC}, {"pidns_init_start_ts", PT_UINT64, PF_DEC} } },
 [PPME_SYSCALL_OPEN_BY_HANDLE_AT_E] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
- [PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 7, {{"fd", PT_FD, PF_DEC}, {"mountfd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"path", PT_FSPATH, PF_NA}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC}, {"fd_flags", PT_FLAGS16, PF_HEX} } },
+ [PPME_SYSCALL_OPEN_BY_HANDLE_AT_X] = {"open_by_handle_at", EC_FILE | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 6, {{"fd", PT_FD, PF_DEC}, {"mountfd", PT_FD, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags}, {"path", PT_FSPATH, PF_NA}, {"dev", PT_UINT32, PF_HEX}, {"ino", PT_UINT64, PF_DEC} } },
 [PPME_SYSCALL_IO_URING_SETUP_E] = {"io_uring_setup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
 [PPME_SYSCALL_IO_URING_SETUP_X] = {"io_uring_setup", EC_IO_OTHER | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE, 8, {{"res", PT_ERRNO, PF_DEC}, {"entries", PT_UINT32, PF_DEC}, {"sq_entries", PT_UINT32, PF_DEC},{"cq_entries", PT_UINT32, PF_DEC},{"flags", PT_FLAGS32, PF_HEX, io_uring_setup_flags},{"sq_thread_cpu", PT_UINT32, PF_DEC}, {"sq_thread_idle", PT_UINT32, PF_DEC},{"features", PT_FLAGS32, PF_HEX, io_uring_setup_feats}}},
 [PPME_SYSCALL_IO_URING_ENTER_E] = {"io_uring_enter", EC_IO_OTHER | EC_SYSCALL, EF_NONE, 0},
diff --git a/driver/flags_table.c b/driver/flags_table.c
index d4b37f41183..c91248b6360 100644
--- a/driver/flags_table.c
+++ b/driver/flags_table.c
@@ -72,6 +72,8 @@ const struct ppm_name_value file_flags[] = {
 {"O_NONE", PPM_O_NONE},
 {"O_TMPFILE", PPM_O_TMPFILE},
 {"O_F_CREATED", PPM_O_F_CREATED},
+ {"O_F_UPPER_LAYER", PPM_O_F_UPPER_LAYER},
+ {"O_F_LOWER_LAYER", PPM_O_F_LOWER_LAYER},
 {0, 0},
 };
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c
index aaac0cd03d6..74767c16e41 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c
@@ -65,6 +65,15 @@ int BPF_PROG(open_x,
 /*=============================== COLLECT PARAMETERS ===========================*/
+ dev_t dev = 0;
+ uint64_t ino = 0;
+ enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
+
+ if(ret > 0)
+ {
+ extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
+ }
+
 /* Parameter 1: ret (type: PT_FD) */
 auxmap__store_s64_param(auxmap, ret);
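Review bot: `if(ret > 0)` skips the dev/ino/overlay extraction when the syscall returns fd 0, which is a valid descriptor whenever the lowest fd is free (for example after stdin was closed), so the event then reports dev = 0, ino = 0 and no overlay bit for a real file. The condition is moved rather than introduced by this hunk, but since it now also gates the new PPM_O_F_UPPER_LAYER / PPM_O_F_LOWER_LAYER bits it is worth correcting to `if(ret >= 0)`. The same guard is repeated in the openat.bpf.c and openat2.bpf.c hunks below.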
@@ -77,39 +86,26 @@ int BPF_PROG(open_x,
 uint32_t scap_flags = (uint32_t)open_flags_to_scap(flags);
 /* update scap flags if file is created */
 scap_flags |= extract__fmode_created_from_fd(ret);
+ if(ol == PPM_OVERLAY_UPPER)
+ {
+ scap_flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if(ol == PPM_OVERLAY_LOWER)
+ {
+ scap_flags |= PPM_O_F_LOWER_LAYER;
+ }
 auxmap__store_u32_param(auxmap, scap_flags);
 /* Parameter 4: mode (type: PT_UINT32) */
 unsigned long mode = extract__syscall_argument(regs, 2);
 auxmap__store_u32_param(auxmap, open_modes_to_scap(flags, mode));
- dev_t dev = 0;
- uint64_t ino = 0;
- enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
- uint16_t fd_flags = 0;
-
- if(ret > 0)
- {
- extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
- }
-
 /* Parameter 5: dev (type: PT_UINT32) */
 auxmap__store_u32_param(auxmap, dev);
 /* Parameter 6: ino (type: PT_UINT64) */
 auxmap__store_u64_param(auxmap, ino);
- /* Parameter 7: fd_flags (type: PT_FLAGS16) */
- if(ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if(ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- auxmap__store_u16_param(auxmap, fd_flags);
-
 /*=============================== COLLECT PARAMETERS ===========================*/
 auxmap__finalize_event_header(auxmap);
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c
index 568a2a2b8a3..5bf33b7a608 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open_by_handle_at.bpf.c
@@ -70,7 +70,16 @@ int BPF_PROG(open_by_handle_at_x,
 flags = (uint32_t)open_flags_to_scap(flags);
 /* update flags if file is created */
 flags |= extract__fmode_created_from_fd(ret);
-
+ struct file *f = extract__file_struct_from_fd(ret);
+ enum ppm_overlay ol = extract__overlay_layer(f);
+ if(ol == PPM_OVERLAY_UPPER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if(ol == PPM_OVERLAY_LOWER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 auxmap__store_u32_param(auxmap, flags);
 /*=============================== COLLECT PARAMETERS ===========================*/
@@ -122,17 +131,6 @@ int BPF_PROG(t1_open_by_handle_at_x, struct pt_regs *regs, long ret)
 /* Parameter 6: ino (type: PT_UINT64) */
 auxmap__store_u64_param(auxmap, ino);
- /* Parameter 7: fd_flags (type: PT_FLAGS16) */
- if(ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if(ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- auxmap__store_u16_param(auxmap, fd_flags);
-
 /*=============================== COLLECT PARAMETERS ===========================*/
 auxmap__finalize_event_header(auxmap);
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c
index 87e5270f0f6..7738143c70a 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c
@@ -73,6 +73,15 @@ int BPF_PROG(openat_x,
 /*=============================== COLLECT PARAMETERS ===========================*/
+ dev_t dev = 0;
+ uint64_t ino = 0;
+ enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
+
+ if(ret > 0)
+ {
+ extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
+ }
+
 /* Parameter 1: fd (type: PT_FD) */
 auxmap__store_s64_param(auxmap, ret);
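Review bot: `extract__overlay_layer(f)` is called on whatever `extract__file_struct_from_fd(ret)` returns, with no check on `ret` or `f`; the legacy probe's `get_overlay_layer` gains a `!file` guard in this same commit (fillers.h hunk), but no change to `extract__overlay_layer` is part of the diff. If that helper dereferences its argument, a failed open_by_handle_at (negative `ret`, presumably a NULL `f`) now reaches it, so either confirm it already tolerates NULL or guard the call, e.g. `enum ppm_overlay ol = f ? extract__overlay_layer(f) : PPM_NOT_OVERLAY_FS;`. The other modern-bpf programs in this diff sidestep the question by gating on `ret > 0` before extract__dev_ino_overlay_from_fd; open_by_handle_at_x could do the same.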
@@ -93,40 +102,26 @@ int BPF_PROG(openat_x,
 uint32_t scap_flags = (uint32_t)open_flags_to_scap(flags);
 /* update flags if file is created */
 scap_flags |= extract__fmode_created_from_fd(ret);
-
+ if(ol == PPM_OVERLAY_UPPER)
+ {
+ scap_flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if(ol == PPM_OVERLAY_LOWER)
+ {
+ scap_flags |= PPM_O_F_LOWER_LAYER;
+ }
 auxmap__store_u32_param(auxmap, scap_flags);
 /* Parameter 5: mode (type: PT_UINT32) */
 unsigned long mode = extract__syscall_argument(regs, 3);
 auxmap__store_u32_param(auxmap, open_modes_to_scap(flags, mode));
- dev_t dev = 0;
- uint64_t ino = 0;
- enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
- uint16_t fd_flags = 0;
-
- if(ret > 0)
- {
- extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
- }
-
 /* Parameter 6: dev (type: PT_UINT32) */
 auxmap__store_u32_param(auxmap, dev);
 /* Parameter 7: ino (type: PT_UINT64) */
 auxmap__store_u64_param(auxmap, ino);
- /* Parameter 8: fd_flags (type: PT_FLAGS16) */
- if(ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if(ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- auxmap__store_u16_param(auxmap, fd_flags);
-
 /*=============================== COLLECT PARAMETERS ===========================*/
 auxmap__finalize_event_header(auxmap);
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c
index e8928d68188..af14ab7a530 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c
@@ -79,6 +79,15 @@ int BPF_PROG(openat2_x,
 /*=============================== COLLECT PARAMETERS ===========================*/
+ dev_t dev = 0;
+ uint64_t ino = 0;
+ enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
+
+ if(ret > 0)
+ {
+ extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
+ }
+
 /* Parameter 1: fd (type: PT_FD) */
 auxmap__store_s64_param(auxmap, ret);
@@ -103,6 +112,14 @@ int BPF_PROG(openat2_x,
 uint32_t flags = open_flags_to_scap(how.flags);
 /* update flags if file is created */
 flags |= extract__fmode_created_from_fd(ret);
+ if(ol == PPM_OVERLAY_UPPER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if(ol == PPM_OVERLAY_LOWER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 auxmap__store_u32_param(auxmap, flags);
@@ -112,33 +129,12 @@ int BPF_PROG(openat2_x,
 /* Parameter 6: resolve (type: PT_FLAGS32) */
 auxmap__store_u32_param(auxmap, openat2_resolve_to_scap(how.resolve));
- dev_t dev = 0;
- uint64_t ino = 0;
- enum ppm_overlay ol = PPM_NOT_OVERLAY_FS;
- uint16_t fd_flags = 0;
-
- if(ret > 0)
- {
- extract__dev_ino_overlay_from_fd(ret, &dev, &ino, &ol);
- }
-
 /* Parameter 7: dev (type: PT_UINT32) */
 auxmap__store_u32_param(auxmap, dev);
 /* Parameter 8: ino (type: PT_UINT64) */
 auxmap__store_u64_param(auxmap, ino);
- /* Parameter 9: fd_flags (type: PT_FLAGS16) */
- if(ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if(ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- auxmap__store_u16_param(auxmap, fd_flags);
-
 /*=============================== COLLECT PARAMETERS ===========================*/
 auxmap__finalize_event_header(auxmap);
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
index e30dde3b290..980b66bcf21 100644
--- a/driver/ppm_events_public.h
+++ b/driver/ppm_events_public.h
@@ -103,7 +103,10 @@ or GPL2.txt for full copies of the license.
 #define PPM_O_LARGEFILE (1 << 11)
 #define PPM_O_CLOEXEC (1 << 12)
 #define PPM_O_TMPFILE (1 << 13)
+/* Flags added by syscall probe: */
 #define PPM_O_F_CREATED (1 << 14) /* file created during the syscall */
+#define PPM_O_F_UPPER_LAYER (1 << 15) /* file is from upper layer */
+#define PPM_O_F_LOWER_LAYER (1 << 16) /* file is from upper layer */
 /*
 * File modes
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index 25b6f9367fc..51d9a4893b6 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -300,7 +300,6 @@ int f_sys_open_x(struct event_filler_arguments *args)
 int64_t retval;
 struct file *file = NULL;
 enum ppm_overlay ol;
- int16_t fd_flags = 0;
 /*
 * fd
@@ -317,6 +316,8 @@ int f_sys_open_x(struct event_filler_arguments *args)
 res = val_to_ring(args, val, 0, true, 0);
 CHECK_RES(res);
+ get_fd_dev_ino_file(retval, &dev, &ino, &file);
+
 /*
 * Flags
 * Note that we convert them into the ppm portable representation before pushing them to the ring
@@ -325,6 +326,15 @@ int f_sys_open_x(struct event_filler_arguments *args)
 scap_flags = open_flags_to_scap(flags);
 /* update scap flags if file is created */
 get_fd_fmode_created(retval, &scap_flags);
+ ol = ppm_get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
+ {
+ scap_flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ scap_flags |= PPM_O_F_LOWER_LAYER;
+ }
 res = val_to_ring(args, scap_flags, 0, false, 0);
 CHECK_RES(res);
@@ -335,8 +345,6 @@ int f_sys_open_x(struct event_filler_arguments *args)
 res = val_to_ring(args, open_modes_to_scap(flags, modes), 0, false, 0);
 CHECK_RES(res);
- get_fd_dev_ino_file(retval, &dev, &ino, &file);
-
 /*
 * dev
 */
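Review bot: The trailing comment on the new `PPM_O_F_LOWER_LAYER` define says "upper layer", copied from the line above; it should read `#define PPM_O_F_LOWER_LAYER (1 << 16) /* file is from lower layer */`. The new `/* Flags added by syscall probe: */` header is also the right place to state the invariant userspace now depends on, since parsers.cpp keeps exit-side bits with `~(PPM_O_F_CREATED - 1)`: the probe-added flags must stay contiguous at the top of the word starting at PPM_O_F_CREATED, and no real O_* mapping may ever be placed at bit 14 or above.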
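Review bot: `ol = ppm_get_overlay_layer(file);` in f_sys_open_x drops the `if (likely(file))` guard that the removed fd_flags code had, and the diff contains no change to `ppm_get_overlay_layer` itself; `file` starts as NULL and only get_fd_dev_ino_file sets it, so a failed open presumably leaves it NULL, and unless that helper already returns PPM_NOT_OVERLAY_FS for NULL this is a NULL dereference in the kernel module on every failed open. Either confirm the helper's NULL handling or keep the guard, e.g. `ol = file ? ppm_get_overlay_layer(file) : PPM_NOT_OVERLAY_FS;` (note `ol` is declared uninitialised, so a bare `if (file)` around the call would leave it indeterminate). The same unguarded call is introduced in f_sys_creat_x, f_sys_openat_x, f_sys_openat2_x and f_sys_open_by_handle_at_x in the hunks that follow.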
@@ -349,24 +357,6 @@ int f_sys_open_x(struct event_filler_arguments *args)
 res = val_to_ring(args, ino, 0, false, 0);
 CHECK_RES(res);
- /*
- * fd_flags
- */
- if (likely(file))
- {
- ol = ppm_get_overlay_layer(file);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- }
- res = val_to_ring(args, fd_flags, 0, false, 0);
- CHECK_RES(res);
-
 return add_sentinel(args);
 }
@@ -3031,17 +3021,14 @@ int f_sys_creat_x(struct event_filler_arguments *args)
 /*
 * fd_flags
 */
- if (likely(file))
+ ol = ppm_get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
 {
- ol = ppm_get_overlay_layer(file);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
+ fd_flags |= PPM_FD_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ fd_flags |= PPM_FD_LOWER_LAYER;
 }
 res = val_to_ring(args, fd_flags, 0, false, 0);
 CHECK_RES(res);
@@ -3584,7 +3571,6 @@ int f_sys_openat_x(struct event_filler_arguments *args)
 int64_t retval;
 struct file *file = NULL;
 enum ppm_overlay ol;
- int16_t fd_flags = 0;
 retval = (int64_t)syscall_get_return_value(current, args->regs);
 res = val_to_ring(args, retval, 0, false, 0);
@@ -3608,6 +3594,7 @@ int f_sys_openat_x(struct event_filler_arguments *args)
 res = val_to_ring(args, val, 0, true, 0);
 CHECK_RES(res);
+ get_fd_dev_ino_file(retval, &dev, &ino, &file);
 /*
 * Flags
 * Note that we convert them into the ppm portable representation before pushing them to the ring
@@ -3616,6 +3603,15 @@ int f_sys_openat_x(struct event_filler_arguments *args)
 scap_flags = open_flags_to_scap(flags);
 /* update scap flags if file is created */
 get_fd_fmode_created(retval, &scap_flags);
+ ol = ppm_get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
+ {
+ scap_flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ scap_flags |= PPM_O_F_LOWER_LAYER;
+ }
 res = val_to_ring(args, scap_flags, 0, false, 0);
 CHECK_RES(res);
 /*
@@ -3624,7 +3620,6 @@ int f_sys_openat_x(struct event_filler_arguments *args)
 syscall_get_arguments_deprecated(args, 3, 1, &modes);
 res = val_to_ring(args, open_modes_to_scap(flags, modes), 0, false, 0);
 CHECK_RES(res);
- get_fd_dev_ino_file(retval, &dev, &ino, &file);
 /*
 * dev
@@ -3637,24 +3632,6 @@ int f_sys_openat_x(struct event_filler_arguments *args)
 res = val_to_ring(args, ino, 0, false, 0);
 CHECK_RES(res);
- /*
- * fd_flags
- */
- if (likely(file))
- {
- ol = ppm_get_overlay_layer(file);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- }
- res = val_to_ring(args, fd_flags, 0, false, 0);
- CHECK_RES(res);
-
 return add_sentinel(args);
 }
@@ -5028,7 +5005,6 @@ int f_sys_openat2_x(struct event_filler_arguments *args)
 int64_t retval;
 struct file *file = NULL;
 enum ppm_overlay ol;
- int16_t fd_flags = 0;
 #ifdef __NR_openat2
 struct open_how how;
 #endif
@@ -5073,12 +5049,24 @@ int f_sys_openat2_x(struct event_filler_arguments *args)
 mode = 0;
 resolve = 0;
 #endif
+
+ get_fd_dev_ino_file(retval, &dev, &ino, &file);
+
 /*
 * flags (extracted from open_how structure)
 * Note that we convert them into the ppm portable representation before pushing them to the ring
 */
 /* update flags if file is created */
 get_fd_fmode_created(retval, &flags);
+ ol = ppm_get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 res = val_to_ring(args, flags, 0, true, 0);
 CHECK_RES(res);
@@ -5096,8 +5084,6 @@ int f_sys_openat2_x(struct event_filler_arguments *args)
 res = val_to_ring(args, resolve, 0, true, 0);
 CHECK_RES(res);
- get_fd_dev_ino_file(retval, &dev, &ino, &file);
-
 /*
 * dev
 */
@@ -5110,24 +5096,6 @@ int f_sys_openat2_x(struct event_filler_arguments *args)
 res = val_to_ring(args, ino, 0, false, 0);
 CHECK_RES(res);
- /*
- * fd_flags
- */
- if (likely(file))
- {
- ol = ppm_get_overlay_layer(file);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- }
- res = val_to_ring(args, fd_flags, 0, false, 0);
- CHECK_RES(res);
-
 return add_sentinel(args);
 }
@@ -5201,7 +5169,6 @@ int f_sys_open_by_handle_at_x(struct event_filler_arguments *args)
 int32_t mountfd = 0;
 struct file *file = NULL;
 enum ppm_overlay ol;
- int16_t fd_flags = 0;
 /* Parameter 1: ret (type: PT_FD) */
 retval = syscall_get_return_value(current, args->regs);
@@ -5218,11 +5185,22 @@ int f_sys_open_by_handle_at_x(struct event_filler_arguments *args)
 res = val_to_ring(args, (int64_t)mountfd, 0, false, 0);
 CHECK_RES(res);
+ get_fd_dev_ino_file(retval, &dev, &ino, &file);
+
 /* Parameter 3: flags (type: PT_FLAGS32) */
 syscall_get_arguments_deprecated(args, 2, 1, &val);
 flags = open_flags_to_scap(val);
 /* update flags if file is created */
 get_fd_fmode_created(retval, &flags);
+ ol = ppm_get_overlay_layer(file);
+ if (ol == PPM_OVERLAY_UPPER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (ol == PPM_OVERLAY_LOWER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 res = val_to_ring(args, flags, 0, false, 0);
 CHECK_RES(res);
@@ -5249,8 +5227,6 @@ int f_sys_open_by_handle_at_x(struct event_filler_arguments *args)
 res = val_to_ring(args, (unsigned long)pathname, 0, false, 0);
 CHECK_RES(res);
- get_fd_dev_ino_file(retval, &dev, &ino, &file);
-
 /* Parameter 5: dev (type: PT_UINT32) */
 res = val_to_ring(args, dev, 0, false, 0);
 CHECK_RES(res);
@@ -5259,24 +5235,6 @@ int f_sys_open_by_handle_at_x(struct event_filler_arguments *args)
 res = val_to_ring(args, ino, 0, false, 0);
 CHECK_RES(res);
- /*
- * fd_flags
- */
- if (likely(file))
- {
- ol = ppm_get_overlay_layer(file);
- if (ol == PPM_OVERLAY_UPPER)
- {
- fd_flags |= PPM_FD_UPPER_LAYER;
- }
- else if (ol == PPM_OVERLAY_LOWER)
- {
- fd_flags |= PPM_FD_LOWER_LAYER;
- }
- }
- res = val_to_ring(args, fd_flags, 0, false, 0);
- CHECK_RES(res);
-
 return add_sentinel(args);
 }
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
index a221a161633..c8982154e69 100644
--- a/userspace/libsinsp/parsers.cpp
+++ b/userspace/libsinsp/parsers.cpp
@@ -2569,7 +2569,6 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 uint16_t etype = evt->get_type();
 uint32_t dev = 0;
 uint64_t ino = 0;
- uint16_t fd_flags = 0;
 bool lastevent_retrieved = false;
 if(evt->get_tinfo() == nullptr)
@@ -2604,10 +2603,6 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 if (evt->get_num_params() > 5)
 {
 ino = evt->get_param(5)->as();
- if (evt->get_num_params() > 6)
- {
- fd_flags = evt->get_param(6)->as();
- }
 }
 }
@@ -2623,11 +2618,10 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 {
 name = enter_evt_name;
- // keep PPM_O_F_CREATED flag if present
- if (flags & PPM_O_F_CREATED)
- flags = enter_evt_flags | PPM_O_F_CREATED;
- else
- flags = enter_evt_flags;
+ // keep flags added by the syscall exit probe if present
+ uint32_t mask = ~(PPM_O_F_CREATED - 1);
+ uint32_t added_flags = flags & mask;
+ flags = enter_evt_flags | added_flags;
 }
 }
@@ -2647,7 +2641,15 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 ino = evt->get_param(4)->as();
 if (evt->get_num_params() > 5)
 {
- fd_flags = evt->get_param(5)->as();
+ uint16_t fd_flags = evt->get_param(5)->as();
+ if (fd_flags & PPM_FD_UPPER_LAYER)
+ {
+ flags |= PPM_O_F_UPPER_LAYER;
+ }
+ else if (fd_flags & PPM_FD_LOWER_LAYER)
+ {
+ flags |= PPM_O_F_LOWER_LAYER;
+ }
 }
 }
 }
@@ -2661,11 +2663,7 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 {
 name = enter_evt_name;
- // keep PPM_O_F_CREATED flag if present
- if (flags & PPM_O_F_CREATED)
- flags = enter_evt_flags | PPM_O_F_CREATED;
- else
- flags = enter_evt_flags;
+ flags |= enter_evt_flags;
 }
 }
@@ -2695,10 +2693,6 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 if (evt->get_num_params() > 6)
 {
 ino = evt->get_param(6)->as();
- if (evt->get_num_params() > 7)
- {
- fd_flags = evt->get_param(7)->as();
- }
 }
 }
 else if(etype == PPME_SYSCALL_OPENAT2_X && evt->get_num_params() > 6)
@@ -2707,10 +2701,6 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 if (evt->get_num_params() > 7)
 {
 ino = evt->get_param(7)->as();
- if (evt->get_num_params() > 8)
- {
- fd_flags = evt->get_param(8)->as();
- }
 }
 }
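Review bot: `uint32_t mask = ~(PPM_O_F_CREATED - 1);` in the open branch keeps every bit from bit 14 upward of the exit event's flags, so it silently depends on all probe-added flags being contiguous above PPM_O_F_CREATED and on no real O_* flag ever being mapped there; an explicit mask says what is meant and survives renumbering: `const uint32_t probe_added = PPM_O_F_CREATED | PPM_O_F_UPPER_LAYER | PPM_O_F_LOWER_LAYER;` followed by `flags = enter_evt_flags | (flags & probe_added);`. The same expression recurs in the openat branch (hunk @@ -2727), while the creat branch (hunk @@ -2661) instead does `flags |= enter_evt_flags;` with no mask at all, so if the creat exit event's `flags` ever carries anything beyond the probe-added bits it is merged differently from the other two branches; using the one mask in all three would keep them consistent. `flags & PPM_O_F_LOWER_LAYER` also tests bit 16, which requires `flags` to be a 32-bit type; its declaration is outside these hunks.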
@@ -2727,11 +2717,10 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 {
 name = enter_evt_name;
- // keep PPM_O_F_CREATED flag if present
- if (flags & PPM_O_F_CREATED)
- flags = enter_evt_flags | PPM_O_F_CREATED;
- else
- flags = enter_evt_flags;
+ // keep flags added by the syscall exit probe if present
+ uint32_t mask = ~(PPM_O_F_CREATED - 1);
+ uint32_t added_flags = flags & mask;
+ flags = enter_evt_flags | added_flags;
 dirfd = enter_evt_dirfd;
 }
@@ -2751,10 +2740,6 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 if (evt->get_num_params() > 5)
 {
 ino = evt->get_param(5)->as();
- if (evt->get_num_params() > 6)
- {
- fd_flags = evt->get_param(6)->as();
- }
 }
 }
@@ -2795,11 +2780,11 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 fdi->m_ino = ino;
 fdi->add_filename_raw(name);
 fdi->add_filename(fullpath);
- if(fd_flags & PPM_FD_UPPER_LAYER)
+ if(flags & PPM_O_F_UPPER_LAYER)
 {
 fdi->set_overlay_upper();
 }
- if(fd_flags & PPM_FD_LOWER_LAYER)
+ if(flags & PPM_O_F_LOWER_LAYER)
 {
 fdi->set_overlay_lower();
 }