fix: move setre*id args to exit event

Signed-off-by: Roberto Scolaro <[email protected]>

driver/event_table.c

@@ -478,10 +478,10 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 3, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
 	[PPME_SYSCALL_DELETE_MODULE_E] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
 	[PPME_SYSCALL_DELETE_MODULE_X] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, delete_module_flags}}},
-	[PPME_SYSCALL_SETREUID_E] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"ruid", PT_UID, PF_DEC}, {"euid", PT_UID, PF_DEC} } },
-	[PPME_SYSCALL_SETREUID_X] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC}} },
-	[PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"rgid", PT_UID, PF_DEC}, {"egid", PT_UID, PF_DEC} } },
-	[PPME_SYSCALL_SETREGID_X] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC}} },
+	[PPME_SYSCALL_SETREUID_E] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 0 },
+	[PPME_SYSCALL_SETREUID_X] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"ruid", PT_UID, PF_DEC}, {"euid", PT_UID, PF_DEC}} },
+	[PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_NONE, 0 },
+	[PPME_SYSCALL_SETREGID_X] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"rgid", PT_UID, PF_DEC}, {"egid", PT_UID, PF_DEC}} },
 };
 #pragma GCC diagnostic pop
 

driver/fillers_table.c

@@ -363,8 +363,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {FILLER_REF(sys_process_vm_writev_x)},
 	[PPME_SYSCALL_DELETE_MODULE_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_DELETE_MODULE_X] = {FILLER_REF(sys_delete_module_x)},
-	[PPME_SYSCALL_SETREUID_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1} } },
-	[PPME_SYSCALL_SETREUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL} } },
-	[PPME_SYSCALL_SETREGID_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1} } },
-	[PPME_SYSCALL_SETREGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL} } },
+	[PPME_SYSCALL_SETREUID_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_SETREUID_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1} } },
+	[PPME_SYSCALL_SETREGID_E] = {FILLER_REF(sys_empty)},
+	[PPME_SYSCALL_SETREGID_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1} } },
 };

driver/modern_bpf/definitions/events_dimensions.h

@@ -250,10 +250,10 @@
 #define PROCESS_VM_READV_E_SIZE HEADER_LEN
 #define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN
 #define DELETE_MODULE_E_SIZE HEADER_LEN
-#define SETREUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + 2 * PARAM_LEN
-#define SETREUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETREGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + 2 * PARAM_LEN
-#define SETREGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETREUID_E_SIZE HEADER_LEN
+#define SETREUID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
+#define SETREGID_E_SIZE HEADER_LEN
+#define SETREGID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
 
 /* Generic tracepoints events. */
 #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c

@@ -25,14 +25,6 @@ int BPF_PROG(setregid_e,
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Paraueter 1: rgid (type: PT_GID) */
-	uid_t rgid = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u32(&ringbuf, rgid);
-
-	/* Parameter 2: euid (type: PT_GID) */
-	uid_t egid = (uint32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_u32(&ringbuf, egid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);
@@ -62,6 +54,15 @@ int BPF_PROG(setregid_x,
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Paraueter 2: rgid (type: PT_GID) */
+	uid_t rgid = (uint32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, rgid);
+
+	/* Parameter 3: euid (type: PT_GID) */
+	uid_t egid = (uint32_t)extract__syscall_argument(regs, 1);
+
+	ringbuf__store_u32(&ringbuf, egid);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c

@@ -25,14 +25,6 @@ int BPF_PROG(setreuid_e,
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	/* Parameter 1: ruid (type: PT_GID) */
-	uid_t ruid = (uint32_t)extract__syscall_argument(regs, 0);
-	ringbuf__store_u32(&ringbuf, ruid);
-
-	/* Parameter 2: euid (type: PT_GID) */
-	uid_t euid = (uint32_t)extract__syscall_argument(regs, 1);
-	ringbuf__store_u32(&ringbuf, euid);
-
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);
@@ -62,6 +54,14 @@ int BPF_PROG(setreuid_x,
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: ruid (type: PT_GID) */
+	uid_t ruid = (uint32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, ruid);
+
+	/* Parameter 3: euid (type: PT_GID) */
+	uid_t euid = (uint32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_u32(&ringbuf, euid);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);

test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp

@@ -31,14 +31,10 @@ TEST(SyscallEnter, setregidE)
 
     /*=============================== ASSERT PARAMETERS  ===========================*/
 
-    /* Parameter 1: rgid (type: PT_GID) */
-    evt_test->assert_numeric_param(1, (uint32_t)rgid);
-
-    /* Parameter 2: egid (type: PT_GID) */
-    evt_test->assert_numeric_param(2, (uint32_t)egid);
+	// Here we have no parameters to assert.
 
     /*=============================== ASSERT PARAMETERS  ===========================*/
 
-    evt_test->assert_num_params_pushed(2);
+    evt_test->assert_num_params_pushed(0);
 }
 #endif

test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp

@@ -31,14 +31,10 @@ TEST(SyscallEnter, setreuidE)
 
     /*=============================== ASSERT PARAMETERS  ===========================*/
 
-    /* Parameter 1: ruid (type: PT_GID) */
-    evt_test->assert_numeric_param(1, (uint32_t)ruid);
-
-    /* Parameter 2: euid (type: PT_GID) */
-    evt_test->assert_numeric_param(2, (uint32_t)euid);
+	// Here we have no parameters to assert.
 
     /*=============================== ASSERT PARAMETERS  ===========================*/
 
-    evt_test->assert_num_params_pushed(2);
+    evt_test->assert_num_params_pushed(0);
 }
 #endif

test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp

@@ -34,8 +34,14 @@ TEST(SyscallExit, setregidX)
     /* Parameter 1: res (type: PT_ERRNO) */
     evt_test->assert_numeric_param(1, (int64_t)0);
 
+    /* Parameter 1: rgid (type: PT_GID) */
+    evt_test->assert_numeric_param(2, (uint32_t)rgid);
+
+    /* Parameter 2: egid (type: PT_GID) */
+    evt_test->assert_numeric_param(3, (uint32_t)egid);
+
     /*=============================== ASSERT PARAMETERS  ===========================*/
 
-    evt_test->assert_num_params_pushed(1);
+    evt_test->assert_num_params_pushed(3);
 }
 #endif

test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp

@@ -34,8 +34,14 @@ TEST(SyscallExit, setreuidX)
     /* Parameter 1: res (type: PT_ERRNO) */
     evt_test->assert_numeric_param(1, (int64_t)0);
 
+    /* Parameter 2: ruid (type: PT_GID) */
+    evt_test->assert_numeric_param(2, (uint32_t)ruid);
+
+    /* Parameter 3: euid (type: PT_GID) */
+    evt_test->assert_numeric_param(3, (uint32_t)euid);
+
     /*=============================== ASSERT PARAMETERS  ===========================*/
 
-    evt_test->assert_num_params_pushed(1);
+    evt_test->assert_num_params_pushed(3);
 }
 #endif

userspace/libsinsp/parsers.cpp

@@ -168,9 +168,7 @@ void sinsp_parser::process_event(sinsp_evt *evt)
 	case PPME_SOCKET_SENDMSG_E:
 	case PPME_SYSCALL_SENDFILE_E:
 	case PPME_SYSCALL_SETRESUID_E:
-	case PPME_SYSCALL_SETREUID_E:
 	case PPME_SYSCALL_SETRESGID_E:
-	case PPME_SYSCALL_SETREGID_E:
 	case PPME_SYSCALL_SETUID_E:
 	case PPME_SYSCALL_SETGID_E:
 	case PPME_SYSCALL_SETPGID_E:
@@ -384,16 +382,16 @@ void sinsp_parser::process_event(sinsp_evt *evt)
 		parse_brk_munmap_mmap_exit(evt);
 		break;
 	case PPME_SYSCALL_SETRESUID_X:
-		parse_setresuid_setreuid_exit(evt);
+		parse_setresuid_exit(evt);
 		break;
 	case PPME_SYSCALL_SETREUID_X:
-		parse_setresuid_setreuid_exit(evt);
+		parse_setreuid_exit(evt);
 		break;
 	case PPME_SYSCALL_SETRESGID_X:
-		parse_setresgid_setregid_exit(evt);
+		parse_setresgid_exit(evt);
 		break;
 	case PPME_SYSCALL_SETREGID_X:
-		parse_setresgid_setregid_exit(evt);
+		parse_setregid_exit(evt);
 		break;
 	case PPME_SYSCALL_SETUID_X:
 		parse_setuid_exit(evt);
@@ -4895,7 +4893,7 @@ void sinsp_parser::parse_brk_munmap_mmap_exit(sinsp_evt* evt)
 	evt->get_tinfo()->m_vmswap_kb = evt->get_param(3)->as<uint32_t>();
 }
 
-void sinsp_parser::parse_setresuid_setreuid_exit(sinsp_evt *evt)
+void sinsp_parser::parse_setresuid_exit(sinsp_evt *evt)
 {
 	int64_t retval;
 	sinsp_evt *enter_evt = &m_tmp_evt;
@@ -4918,7 +4916,29 @@ void sinsp_parser::parse_setresuid_setreuid_exit(sinsp_evt *evt)
 	}
 }
 
-void sinsp_parser::parse_setresgid_setregid_exit(sinsp_evt *evt)
+void sinsp_parser::parse_setreuid_exit(sinsp_evt *evt)
+{
+	int64_t retval;
+
+	//
+	// Extract the return value
+	//
+	retval = evt->get_param(0)->as<int64_t>();
+
+	if(retval >= 0)
+	{
+		uint32_t new_euid = evt->get_param(1)->as<uint32_t>();
+
+		if(new_euid < std::numeric_limits<uint32_t>::max())
+		{
+			if (evt->get_thread_info()) {
+				evt->get_thread_info()->set_user(new_euid);
+			}
+		}
+	}
+}
+
+void sinsp_parser::parse_setresgid_exit(sinsp_evt *evt)
 {
 	int64_t retval;
 	sinsp_evt *enter_evt = &m_tmp_evt;
@@ -4941,6 +4961,28 @@ void sinsp_parser::parse_setresgid_setregid_exit(sinsp_evt *evt)
 	}
 }
 
+void sinsp_parser::parse_setregid_exit(sinsp_evt *evt)
+{
+	int64_t retval;
+
+	//
+	// Extract the return value
+	//
+	retval = evt->get_param(0)->as<int64_t>();
+
+	if(retval >= 0)
+	{
+		uint32_t new_egid = evt->get_param(1)->as<uint32_t>();
+
+		if(new_egid < std::numeric_limits<uint32_t>::max())
+		{
+			if (evt->get_thread_info()) {
+				evt->get_thread_info()->set_group(new_egid);
+			}
+		}
+	}
+}
+
 void sinsp_parser::parse_setuid_exit(sinsp_evt *evt)
 {
 	int64_t retval;

userspace/libsinsp/parsers.h

@@ -105,8 +105,10 @@ class sinsp_parser
 	void parse_prctl_exit_event(sinsp_evt *evt);
 	void parse_context_switch(sinsp_evt* evt);
 	void parse_brk_munmap_mmap_exit(sinsp_evt* evt);
-	void parse_setresuid_setreuid_exit(sinsp_evt* evt);
-	void parse_setresgid_setregid_exit(sinsp_evt* evt);
+	void parse_setresuid_exit(sinsp_evt* evt);
+	void parse_setreuid_exit(sinsp_evt* evt);
+	void parse_setresgid_exit(sinsp_evt* evt);
+	void parse_setregid_exit(sinsp_evt* evt);
 	void parse_setuid_exit(sinsp_evt* evt);
 	void parse_setgid_exit(sinsp_evt* evt);
 	void parse_container_evt(sinsp_evt* evt); // deprecated, only for backward-compatibility