From ffe53cbf6d5271dbf439f038329915f465ef7e95 Mon Sep 17 00:00:00 2001
From: Roberto Scolaro
Date: Fri, 21 Jun 2024 08:37:39 +0000
Subject: [PATCH] fix: move setre*id args to exit event
Signed-off-by: Roberto Scolaro
---
 driver/event_table.c | 8 +--
 driver/fillers_table.c | 8 +--
 .../definitions/events_dimensions.h | 8 +--
 .../syscall_dispatched_events/setregid.bpf.c | 17 +++---
 .../syscall_dispatched_events/setreuid.bpf.c | 16 ++---
 .../syscall_enter_suite/setregid_e.cpp | 8 +--
 .../syscall_enter_suite/setreuid_e.cpp | 8 +--
 .../syscall_exit_suite/setregid_x.cpp | 8 ++-
 .../syscall_exit_suite/setreuid_x.cpp | 8 ++-
 userspace/libsinsp/parsers.cpp | 58 ++++++++++++++++---
 userspace/libsinsp/parsers.h | 6 +-
 11 files changed, 101 insertions(+), 52 deletions(-)
diff --git a/driver/event_table.c b/driver/event_table.c
index 02fe0b5d745..dda33eb007a 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -478,10 +478,10 @@ const struct ppm_event_info g_event_info[] = {
 [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 3, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
 [PPME_SYSCALL_DELETE_MODULE_E] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
 [PPME_SYSCALL_DELETE_MODULE_X] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, delete_module_flags}}},
- [PPME_SYSCALL_SETREUID_E] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"ruid", PT_UID, PF_DEC}, {"euid", PT_UID, PF_DEC} } },
- [PPME_SYSCALL_SETREUID_X] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC}} },
- [PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"rgid", PT_UID, PF_DEC}, {"egid", PT_UID, PF_DEC} } },
- [PPME_SYSCALL_SETREGID_X] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC}} },
+ [PPME_SYSCALL_SETREUID_E] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 0 },
+ [PPME_SYSCALL_SETREUID_X] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"ruid", PT_UID, PF_DEC}, {"euid", PT_UID, PF_DEC}} },
+ [PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_NONE, 0 },
+ [PPME_SYSCALL_SETREGID_X] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"rgid", PT_UID, PF_DEC}, {"egid", PT_UID, PF_DEC}} },
 };
 #pragma GCC diagnostic pop
diff --git a/driver/fillers_table.c b/driver/fillers_table.c
index 702139cf8ff..af39dae9ea1 100644
--- a/driver/fillers_table.c
+++ b/driver/fillers_table.c
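Review bot: The two emptied enter events disagree on their flags: `PPME_SYSCALL_SETREGID_E` is switched to `EF_NONE` while `PPME_SYSCALL_SETREUID_E` keeps `EF_MODIFIES_STATE`, yet both now carry zero parameters, both get the `sys_empty` filler, and the parsers.cpp hunk in this patch drops both from `process_event`, so nothing appears to consume the enter event any more. Since the state change is now derived from the exit event, `EF_NONE` on both looks like the consistent choice, i.e. `[PPME_SYSCALL_SETREUID_E] = {"setreuid", EC_USER | EC_SYSCALL, EF_NONE, 0 },` — worth confirming against whatever reads `EF_MODIFIES_STATE`. The `rgid`/`egid` parameters of `PPME_SYSCALL_SETREGID_X` are typed `PT_UID` although the BPF comments and driver tests in this patch call them `PT_GID`; this is carried over from the old enter definition, but the line is being rewritten anyway, so it is the moment to check whether `PT_GID` is intended. The `g_event_info` array begins before this hunk.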
@@ -363,8 +363,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {FILLER_REF(sys_process_vm_writev_x)},
 [PPME_SYSCALL_DELETE_MODULE_E] = {FILLER_REF(sys_empty)},
 [PPME_SYSCALL_DELETE_MODULE_X] = {FILLER_REF(sys_delete_module_x)},
- [PPME_SYSCALL_SETREUID_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1} } },
- [PPME_SYSCALL_SETREUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL} } },
- [PPME_SYSCALL_SETREGID_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1} } },
- [PPME_SYSCALL_SETREGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL} } },
+ [PPME_SYSCALL_SETREUID_E] = {FILLER_REF(sys_empty)},
+ [PPME_SYSCALL_SETREUID_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1} } },
+ [PPME_SYSCALL_SETREGID_E] = {FILLER_REF(sys_empty)},
+ [PPME_SYSCALL_SETREGID_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1} } },
 };
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
index 1d26acd943a..c498c6b2748 100644
--- a/driver/modern_bpf/definitions/events_dimensions.h
+++ b/driver/modern_bpf/definitions/events_dimensions.h
@@ -250,10 +250,10 @@
 #define PROCESS_VM_READV_E_SIZE HEADER_LEN
 #define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN
 #define DELETE_MODULE_E_SIZE HEADER_LEN
-#define SETREUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + 2 * PARAM_LEN
-#define SETREUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define SETREGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + 2 * PARAM_LEN
-#define SETREGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETREUID_E_SIZE HEADER_LEN
+#define SETREUID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
+#define SETREGID_E_SIZE HEADER_LEN
+#define SETREGID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
 /* Generic tracepoints events. */
 #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c
index 4657012f0d8..3c1018c4750 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c
@@ -25,14 +25,6 @@ int BPF_PROG(setregid_e,
 /*=============================== COLLECT PARAMETERS ===========================*/
- /* Paraueter 1: rgid (type: PT_GID) */
- uid_t rgid = (uint32_t)extract__syscall_argument(regs, 0);
- ringbuf__store_u32(&ringbuf, rgid);
-
- /* Parameter 2: euid (type: PT_GID) */
- uid_t egid = (uint32_t)extract__syscall_argument(regs, 1);
- ringbuf__store_u32(&ringbuf, egid);
-
 /*=============================== COLLECT PARAMETERS ===========================*/
 ringbuf__submit_event(&ringbuf);
@@ -62,6 +54,15 @@ int BPF_PROG(setregid_x,
 /* Parameter 1: res (type: PT_ERRNO)*/
 ringbuf__store_s64(&ringbuf, ret);
+ /* Paraueter 2: rgid (type: PT_GID) */
+ uid_t rgid = (uint32_t)extract__syscall_argument(regs, 0);
+ ringbuf__store_u32(&ringbuf, rgid);
+
+ /* Parameter 3: euid (type: PT_GID) */
+ uid_t egid = (uint32_t)extract__syscall_argument(regs, 1);
+
+ ringbuf__store_u32(&ringbuf, egid);
+
 /*=============================== COLLECT PARAMETERS ===========================*/
 ringbuf__submit_event(&ringbuf);
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c
index b134ac27a16..c9e790fd5d3 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c
@@ -25,14 +25,6 @@ int BPF_PROG(setreuid_e,
 /*=============================== COLLECT PARAMETERS ===========================*/
- /* Parameter 1: ruid (type: PT_GID) */
- uid_t ruid = (uint32_t)extract__syscall_argument(regs, 0);
- ringbuf__store_u32(&ringbuf, ruid);
-
- /* Parameter 2: euid (type: PT_GID) */
- uid_t euid = (uint32_t)extract__syscall_argument(regs, 1);
- ringbuf__store_u32(&ringbuf, euid);
-
 /*=============================== COLLECT PARAMETERS ===========================*/
 ringbuf__submit_event(&ringbuf);
@@ -62,6 +54,14 @@ int BPF_PROG(setreuid_x,
 /* Parameter 1: res (type: PT_ERRNO)*/
 ringbuf__store_s64(&ringbuf, ret);
+ /* Parameter 2: ruid (type: PT_GID) */
+ uid_t ruid = (uint32_t)extract__syscall_argument(regs, 0);
+ ringbuf__store_u32(&ringbuf, ruid);
+
+ /* Parameter 3: euid (type: PT_GID) */
+ uid_t euid = (uint32_t)extract__syscall_argument(regs, 1);
+ ringbuf__store_u32(&ringbuf, euid);
+
 /*=============================== COLLECT PARAMETERS ===========================*/
 ringbuf__submit_event(&ringbuf);
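Review bot: The new lines in `setregid_x` carry over the typo `Paraueter` and label the second argument `euid` while the variable is `egid`; the comments should read `/* Parameter 2: rgid (type: PT_GID) */` and `/* Parameter 3: egid (type: PT_GID) */`. Both locals are declared `uid_t` although they hold group ids; `gid_t` is the accurate type if the BPF headers in this build provide it (the value is stored with `ringbuf__store_u32` either way, so this is naming rather than layout). The stray blank line between `uid_t egid = ...` and `ringbuf__store_u32(&ringbuf, egid);` also breaks the declare-then-store pattern that the `setreuid_x` counterpart in this patch keeps. The body of `setregid_x` begins before this hunk.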
diff --git a/test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp b/test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp
index 67c39458840..3ee8f1eec38 100644
--- a/test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp
+++ b/test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp
@@ -31,14 +31,10 @@ TEST(SyscallEnter, setregidE)
 /*=============================== ASSERT PARAMETERS ===========================*/
- /* Parameter 1: rgid (type: PT_GID) */
- evt_test->assert_numeric_param(1, (uint32_t)rgid);
-
- /* Parameter 2: egid (type: PT_GID) */
- evt_test->assert_numeric_param(2, (uint32_t)egid);
+ // Here we have no parameters to assert.
 /*=============================== ASSERT PARAMETERS ===========================*/
- evt_test->assert_num_params_pushed(2);
+ evt_test->assert_num_params_pushed(0);
 }
 #endif
diff --git a/test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp b/test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp
index ea72547d51f..6c18ac3b51d 100644
--- a/test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp
+++ b/test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp
@@ -31,14 +31,10 @@ TEST(SyscallEnter, setreuidE)
 /*=============================== ASSERT PARAMETERS ===========================*/
- /* Parameter 1: ruid (type: PT_GID) */
- evt_test->assert_numeric_param(1, (uint32_t)ruid);
-
- /* Parameter 2: euid (type: PT_GID) */
- evt_test->assert_numeric_param(2, (uint32_t)euid);
+ // Here we have no parameters to assert.
 /*=============================== ASSERT PARAMETERS ===========================*/
- evt_test->assert_num_params_pushed(2);
+ evt_test->assert_num_params_pushed(0);
 }
 #endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp b/test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp
index 58013f5925f..5f5c8f99f8b 100644
--- a/test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp
+++ b/test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp
@@ -34,8 +34,14 @@ TEST(SyscallExit, setregidX)
 /* Parameter 1: res (type: PT_ERRNO) */
 evt_test->assert_numeric_param(1, (int64_t)0);
+ /* Parameter 1: rgid (type: PT_GID) */
+ evt_test->assert_numeric_param(2, (uint32_t)rgid);
+
+ /* Parameter 2: egid (type: PT_GID) */
+ evt_test->assert_numeric_param(3, (uint32_t)egid);
+
 /*=============================== ASSERT PARAMETERS ===========================*/
- evt_test->assert_num_params_pushed(1);
+ evt_test->assert_num_params_pushed(3);
 }
 #endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp b/test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp
index b352524b828..26239e811df 100644
--- a/test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp
+++ b/test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp
@@ -34,8 +34,14 @@ TEST(SyscallExit, setreuidX)
 /* Parameter 1: res (type: PT_ERRNO) */
 evt_test->assert_numeric_param(1, (int64_t)0);
+ /* Parameter 2: ruid (type: PT_GID) */
+ evt_test->assert_numeric_param(2, (uint32_t)ruid);
+
+ /* Parameter 3: euid (type: PT_GID) */
+ evt_test->assert_numeric_param(3, (uint32_t)euid);
+
 /*=============================== ASSERT PARAMETERS ===========================*/
- evt_test->assert_num_params_pushed(1);
+ evt_test->assert_num_params_pushed(3);
 }
 #endif
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
index edbe331d8e5..70f7d5cbc95 100644
--- a/userspace/libsinsp/parsers.cpp
+++ b/userspace/libsinsp/parsers.cpp
@@ -168,9 +168,7 @@ void sinsp_parser::process_event(sinsp_evt *evt)
 case PPME_SOCKET_SENDMSG_E:
 case PPME_SYSCALL_SENDFILE_E:
 case PPME_SYSCALL_SETRESUID_E:
- case PPME_SYSCALL_SETREUID_E:
 case PPME_SYSCALL_SETRESGID_E:
- case PPME_SYSCALL_SETREGID_E:
 case PPME_SYSCALL_SETUID_E:
 case PPME_SYSCALL_SETGID_E:
 case PPME_SYSCALL_SETPGID_E:
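Review bot: The two new comments in `setregidX` are numbered `Parameter 1: rgid` and `Parameter 2: egid` while the asserts below them check parameters 2 and 3, and the sibling `setreuidX` test in this patch numbers them 2 and 3; they should read `/* Parameter 2: rgid (type: PT_GID) */` and `/* Parameter 3: egid (type: PT_GID) */`. Both exit tests only cover the success path (`res == 0`); since the parser now trusts these exit-side parameters, a companion case that forces a failing call and still asserts rgid/egid are pushed would keep the driver from silently diverging from the parser's `retval >= 0` assumption. The test body begins before the hunk, so how the syscall is invoked is not visible here.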
@@ -384,16 +382,16 @@ void sinsp_parser::process_event(sinsp_evt *evt)
 parse_brk_munmap_mmap_exit(evt);
 break;
 case PPME_SYSCALL_SETRESUID_X:
- parse_setresuid_setreuid_exit(evt);
+ parse_setresuid_exit(evt);
 break;
 case PPME_SYSCALL_SETREUID_X:
- parse_setresuid_setreuid_exit(evt);
+ parse_setreuid_exit(evt);
 break;
 case PPME_SYSCALL_SETRESGID_X:
- parse_setresgid_setregid_exit(evt);
+ parse_setresgid_exit(evt);
 break;
 case PPME_SYSCALL_SETREGID_X:
- parse_setresgid_setregid_exit(evt);
+ parse_setregid_exit(evt);
 break;
 case PPME_SYSCALL_SETUID_X:
 parse_setuid_exit(evt);
@@ -4895,7 +4893,7 @@ void sinsp_parser::parse_brk_munmap_mmap_exit(sinsp_evt* evt)
 evt->get_tinfo()->m_vmswap_kb = evt->get_param(3)->as();
 }
-void sinsp_parser::parse_setresuid_setreuid_exit(sinsp_evt *evt)
+void sinsp_parser::parse_setresuid_exit(sinsp_evt *evt)
 {
 int64_t retval;
 sinsp_evt *enter_evt = &m_tmp_evt;
@@ -4918,7 +4916,29 @@ void sinsp_parser::parse_setresuid_setreuid_exit(sinsp_evt *evt)
 }
 }
-void sinsp_parser::parse_setresgid_setregid_exit(sinsp_evt *evt)
+void sinsp_parser::parse_setreuid_exit(sinsp_evt *evt)
+{
+ int64_t retval;
+
+ //
+ // Extract the return value
+ //
+ retval = evt->get_param(0)->as();
+
+ if(retval >= 0)
+ {
+ uint32_t new_euid = evt->get_param(1)->as();
+
+ if(new_euid < std::numeric_limits::max())
+ {
+ if (evt->get_thread_info()) {
+ evt->get_thread_info()->set_user(new_euid);
+ }
+ }
+ }
+}
+
+void sinsp_parser::parse_setresgid_exit(sinsp_evt *evt)
 {
 int64_t retval;
 sinsp_evt *enter_evt = &m_tmp_evt;
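Review bot: `parse_setreuid_exit` reads `evt->get_param(1)` as the new effective uid, but with the exit event now laid out as `res, ruid, euid` (the `PPME_SYSCALL_SETREUID_X` entry added in event_table.c by this same patch) index 1 is the real uid, so `set_user` is fed ruid rather than euid. That is a detection-relevant miss: the usual regain-root pattern `setreuid(-1, 0)` carries ruid = 0xFFFFFFFF, which fails the `< max()` guard, so the thread's user is never updated to 0 even though the effective uid changed, and any call where ruid and euid differ records the wrong identity. The fix is `uint32_t new_euid = evt->get_param(2)->as<uint32_t>();` (the `<uint32_t>`/`<int64_t>` template arguments appear stripped from this rendering). A libsinsp parser test asserting the thread user after `setreuid(1000, 0)` and after `setreuid(-1, 0)` would pin this. The hunk also opens the definition of `parse_setresgid_exit`, whose body continues outside the hunk.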
@@ -4941,6 +4961,28 @@ void sinsp_parser::parse_setresgid_setregid_exit(sinsp_evt *evt)
 }
 }
+void sinsp_parser::parse_setregid_exit(sinsp_evt *evt)
+{
+ int64_t retval;
+
+ //
+ // Extract the return value
+ //
+ retval = evt->get_param(0)->as();
+
+ if(retval >= 0)
+ {
+ uint32_t new_egid = evt->get_param(1)->as();
+
+ if(new_egid < std::numeric_limits::max())
+ {
+ if (evt->get_thread_info()) {
+ evt->get_thread_info()->set_group(new_egid);
+ }
+ }
+ }
+}
+
 void sinsp_parser::parse_setuid_exit(sinsp_evt *evt)
 {
 int64_t retval;
diff --git a/userspace/libsinsp/parsers.h b/userspace/libsinsp/parsers.h
index 57fab1e83bb..066c0b302c6 100644
--- a/userspace/libsinsp/parsers.h
+++ b/userspace/libsinsp/parsers.h
@@ -105,8 +105,10 @@ class sinsp_parser
 void parse_prctl_exit_event(sinsp_evt *evt);
 void parse_context_switch(sinsp_evt* evt);
 void parse_brk_munmap_mmap_exit(sinsp_evt* evt);
- void parse_setresuid_setreuid_exit(sinsp_evt* evt);
- void parse_setresgid_setregid_exit(sinsp_evt* evt);
+ void parse_setresuid_exit(sinsp_evt* evt);
+ void parse_setreuid_exit(sinsp_evt* evt);
+ void parse_setresgid_exit(sinsp_evt* evt);
+ void parse_setregid_exit(sinsp_evt* evt);
 void parse_setuid_exit(sinsp_evt* evt);
 void parse_setgid_exit(sinsp_evt* evt);
 void parse_container_evt(sinsp_evt* evt); // deprecated, only for backward-compatibility
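Review bot: `parse_setregid_exit` takes `evt->get_param(1)` as the new effective gid, but the `PPME_SYSCALL_SETREGID_X` layout this patch adds in event_table.c is `res, rgid, egid`, so index 1 is the real gid and `set_group` records the wrong value; it should be `uint32_t new_egid = evt->get_param(2)->as<uint32_t>();` (template arguments appear stripped in this rendering). With that index the `< max()` guard correctly treats an egid of -1 as "unchanged", whereas today a call such as `setregid(-1, 0)` is skipped entirely because the rgid slot holds 0xFFFFFFFF. As a style point, the surrounding code in this file (e.g. `parse_brk_munmap_mmap_exit` earlier in the same patch) accesses the thread via `evt->get_tinfo()`, so `get_thread_info()` here is an inconsistency worth aligning. The two closing braces at the top of the hunk belong to a function that starts outside it.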