diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION index 83ecbf1d7a..db65e2167e 100644 --- a/driver/SCHEMA_VERSION +++ b/driver/SCHEMA_VERSION @@ -1 +1 @@ -2.20.2 +2.21.0 diff --git a/driver/event_stats.h b/driver/event_stats.h index 992a48f793..2bb2f1319a 100644 --- a/driver/event_stats.h +++ b/driver/event_stats.h @@ -10,7 +10,7 @@ or GPL2.txt for full copies of the license. #pragma once /* These numbers must be updated when we add new events in the event table */ -#define SYSCALL_EVENTS_NUM 378 +#define SYSCALL_EVENTS_NUM 382 #define TRACEPOINT_EVENTS_NUM 6 #define METAEVENTS_NUM 20 #define PLUGIN_EVENTS_NUM 1 diff --git a/driver/event_table.c b/driver/event_table.c index 8b3a234628..dda33eb007 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -478,6 +478,10 @@ const struct ppm_event_info g_event_info[] = { [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 3, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}}, [PPME_SYSCALL_DELETE_MODULE_E] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0}, [PPME_SYSCALL_DELETE_MODULE_X] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, delete_module_flags}}}, + [PPME_SYSCALL_SETREUID_E] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 0 }, + [PPME_SYSCALL_SETREUID_X] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"ruid", PT_UID, PF_DEC}, {"euid", PT_UID, PF_DEC}} }, + [PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_NONE, 0 }, + [PPME_SYSCALL_SETREGID_X] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"rgid", PT_UID, PF_DEC}, {"egid", PT_UID, PF_DEC}} }, }; #pragma GCC diagnostic pop diff --git a/driver/fillers_table.c b/driver/fillers_table.c index 6b1ad8157e..af39dae9ea 100644 --- a/driver/fillers_table.c +++ b/driver/fillers_table.c 
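Review bot: The new `setregid` rows in `g_event_info` disagree with the `setreuid` rows added beside them: `PPME_SYSCALL_SETREGID_E` is flagged `EF_NONE` while `PPME_SYSCALL_SETREUID_E` and both exit events carry `EF_MODIFIES_STATE`, and `rgid`/`egid` are declared `PT_UID` although the modern BPF program and the tests in this commit describe them as `PT_GID`. The consumer of the table is not visible here, but if it resolves `PT_UID` values as user ids, group ids from `setregid` would be rendered or matched as users, which matters for rules that watch credential changes. Suggested rows: `[PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 0},` and `{"rgid", PT_GID, PF_DEC}, {"egid", PT_GID, PF_DEC}` in the exit entry.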
@@ -363,5 +363,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = { [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {FILLER_REF(sys_process_vm_writev_x)}, [PPME_SYSCALL_DELETE_MODULE_E] = {FILLER_REF(sys_empty)}, [PPME_SYSCALL_DELETE_MODULE_X] = {FILLER_REF(sys_delete_module_x)}, + [PPME_SYSCALL_SETREUID_E] = {FILLER_REF(sys_empty)}, + [PPME_SYSCALL_SETREUID_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1} } }, + [PPME_SYSCALL_SETREGID_E] = {FILLER_REF(sys_empty)}, + [PPME_SYSCALL_SETREGID_X] = {FILLER_REF(sys_autofill), 3, APT_REG, {{AF_ID_RETVAL}, {0}, {1} } }, }; -#pragma GCC diagnostic pop diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h index 18bc46f6a6..c498c6b274 100644 --- a/driver/modern_bpf/definitions/events_dimensions.h +++ b/driver/modern_bpf/definitions/events_dimensions.h @@ -250,6 +250,10 @@ #define PROCESS_VM_READV_E_SIZE HEADER_LEN #define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN #define DELETE_MODULE_E_SIZE HEADER_LEN +#define SETREUID_E_SIZE HEADER_LEN +#define SETREUID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN +#define SETREGID_E_SIZE HEADER_LEN +#define SETREGID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN /* Generic tracepoints events. */ #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6 diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c new file mode 100644 index 0000000000..3c1018c475 --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c 
@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2024 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(setregid_e,
+ struct pt_regs *regs,
+ long id)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, ctx, SETREGID_E_SIZE, PPME_SYSCALL_SETREGID_E))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(setregid_x,
+ struct pt_regs *regs,
+ long ret)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, ctx, SETREGID_X_SIZE, PPME_SYSCALL_SETREGID_X))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ ringbuf__store_s64(&ringbuf, ret);
+
+ /* Paraueter 2: rgid (type: PT_GID) */
+ uid_t rgid = (uint32_t)extract__syscall_argument(regs, 0);
+ ringbuf__store_u32(&ringbuf, rgid);
+
+ /* Parameter 3: euid (type: PT_GID) */
+ uid_t egid = (uint32_t)extract__syscall_argument(regs, 1);
+
+ ringbuf__store_u32(&ringbuf, egid);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
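Review bot: The parameter comments in `setregid_x` do not match the code they annotate: `Paraueter 2` is misspelled, `Parameter 3: euid` sits above the `egid` store, and both gid locals are declared `uid_t` where `gid_t` would say what they hold. In `setreuid.bpf.c` the `ruid`/`euid` comments say `type: PT_GID`, while the event table in this commit declares those fields `PT_UID`. Suggested comments: `/* Parameter 2: rgid (type: PT_GID) */` and `/* Parameter 3: egid (type: PT_GID) */` here, and `(type: PT_UID)` in the setreuid file. Since these events record the requested ids rather than the resulting credentials, a short comment that a stored `(uint32_t)-1` means "leave unchanged" would help anyone writing detection rules on them; the stray blank line before `ringbuf__store_u32(&ringbuf, egid);` can go as well.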
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c new file mode 100644 index 0000000000..c9e790fd5d --- /dev/null +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c 
@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2024 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(setreuid_e,
+ struct pt_regs *regs,
+ long id)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, ctx, SETREUID_E_SIZE, PPME_SYSCALL_SETREUID_E))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(setreuid_x,
+ struct pt_regs *regs,
+ long ret)
+{
+ struct ringbuf_struct ringbuf;
+ if(!ringbuf__reserve_space(&ringbuf, ctx, SETREUID_X_SIZE, PPME_SYSCALL_SETREUID_X))
+ {
+ return 0;
+ }
+
+ ringbuf__store_event_header(&ringbuf);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO)*/
+ ringbuf__store_s64(&ringbuf, ret);
+
+ /* Parameter 2: ruid (type: PT_GID) */
+ uid_t ruid = (uint32_t)extract__syscall_argument(regs, 0);
+ ringbuf__store_u32(&ringbuf, ruid);
+
+ /* Parameter 3: euid (type: PT_GID) */
+ uid_t euid = (uint32_t)extract__syscall_argument(regs, 1);
+ ringbuf__store_u32(&ringbuf, euid);
+
+ /*=============================== COLLECT PARAMETERS ===========================*/
+
+ ringbuf__submit_event(&ringbuf);
+
+ return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index f28bb962b9..104abd8f35 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -1476,7 +1476,11 @@ typedef enum { PPME_SYSCALL_PROCESS_VM_WRITEV_X = 423, PPME_SYSCALL_DELETE_MODULE_E = 424, PPME_SYSCALL_DELETE_MODULE_X = 425, - PPM_EVENT_MAX = 426 + PPME_SYSCALL_SETREUID_E = 426, + PPME_SYSCALL_SETREUID_X = 427, + PPME_SYSCALL_SETREGID_E = 428, + PPME_SYSCALL_SETREGID_X = 429, + PPM_EVENT_MAX = 430 } ppm_event_code; /*@}*/ diff --git a/driver/syscall_table.c b/driver/syscall_table.c index 1cebb66a3c..c9e0c15b92 100644 --- a/driver/syscall_table.c +++ b/driver/syscall_table.c @@ -437,6 +437,12 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { #endif #ifdef __NR_delete_module [__NR_delete_module - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_DELETE_MODULE_E, PPME_SYSCALL_DELETE_MODULE_X, PPM_SC_DELETE_MODULE}, +#endif +#ifdef __NR_setreuid + [__NR_setreuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETREUID_E, PPME_SYSCALL_SETREUID_X, PPM_SC_SETREUID}, +#endif +#ifdef __NR_setregid + [__NR_setregid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETREGID_E, PPME_SYSCALL_SETREGID_X, PPM_SC_SETREGID}, #endif [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL }, [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT}, @@ -505,9 +511,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = { [__NR_rt_sigqueueinfo - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGQUEUEINFO}, [__NR_rt_sigsuspend - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGSUSPEND}, [__NR_capget - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CAPGET}, - - [__NR_setreuid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETREUID}, - [__NR_setregid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETREGID}, [__NR_getgroups - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETGROUPS}, [__NR_setgroups - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETGROUPS}, #ifdef __NR_fchown 
diff --git a/test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp b/test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp
new file mode 100644
index 0000000000..3ee8f1eec3
--- /dev/null
+++ b/test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp
@@ -0,0 +1,40 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_setregid
+TEST(SyscallEnter, setregidE)
+{
+ auto evt_test = get_syscall_event_test(__NR_setregid, ENTER_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ gid_t rgid = (uint32_t)-1;
+ gid_t egid = (uint32_t)-1;
+ /* If one of the arguments equals -1, the corresponding value is not changed. */
+ assert_syscall_state(SYSCALL_SUCCESS, "setregid", syscall(__NR_setregid, rgid, egid), NOT_EQUAL, -1);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ // Here we have no parameters to assert.
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(0);
+}
+#endif
diff --git a/test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp b/test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp
new file mode 100644
index 0000000000..6c18ac3b51
--- /dev/null
+++ b/test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp
@@ -0,0 +1,40 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_setreuid
+TEST(SyscallEnter, setreuidE)
+{
+ auto evt_test = get_syscall_event_test(__NR_setreuid, ENTER_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ uid_t ruid = (uint32_t)-1;
+ uid_t euid = (uint32_t)-1;
+ /* If one of the arguments equals -1, the corresponding value is not changed. */
+ assert_syscall_state(SYSCALL_SUCCESS, "setreuid", syscall(__NR_setreuid, ruid, euid), NOT_EQUAL, -1);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ // Here we have no parameters to assert.
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(0);
+}
+#endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp b/test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp
new file mode 100644
index 0000000000..5f5c8f99f8
--- /dev/null
+++ b/test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp
@@ -0,0 +1,47 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_setresgid
+TEST(SyscallExit, setregidX)
+{
+ auto evt_test = get_syscall_event_test(__NR_setregid, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ gid_t rgid = (uint32_t)-1;
+ gid_t egid = (uint32_t)-1;
+ /* If one of the arguments equals -1, the corresponding value is not changed. */
+ assert_syscall_state(SYSCALL_SUCCESS, "setregid", syscall(__NR_setregid, rgid, egid), NOT_EQUAL, -1);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO) */
+ evt_test->assert_numeric_param(1, (int64_t)0);
+
+ /* Parameter 1: rgid (type: PT_GID) */
+ evt_test->assert_numeric_param(2, (uint32_t)rgid);
+
+ /* Parameter 2: egid (type: PT_GID) */
+ evt_test->assert_numeric_param(3, (uint32_t)egid);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(3);
+}
+#endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp b/test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp
new file mode 100644
index 0000000000..26239e811d
--- /dev/null
+++ b/test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp
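Review bot: The guard on the setregid exit test is `#ifdef __NR_setresgid`, but the body calls `syscall(__NR_setregid, ...)` and `get_syscall_event_test(__NR_setregid, EXIT_EVENT)`, so the test is compiled or skipped according to a different syscall. `setreuid_x.cpp` has the same mismatch with `#ifdef __NR_setresuid`; use `#ifdef __NR_setregid` and `#ifdef __NR_setreuid`, as the enter-suite tests do. The parameter comments are also off: `Parameter 1: rgid` and `Parameter 2: egid` annotate params 2 and 3, and the setreuid test labels `ruid`/`euid` as `PT_GID`. Both exit tests only pass `-1, -1`, which leaves the credentials unchanged; a case with real ids, and a failing call that asserts a non-zero `res`, would cover the values that credential-change detection actually depends on.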
@@ -0,0 +1,47 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_setresuid
+TEST(SyscallExit, setreuidX)
+{
+ auto evt_test = get_syscall_event_test(__NR_setreuid, EXIT_EVENT);
+
+ evt_test->enable_capture();
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ uid_t ruid = (uint32_t)-1;
+ uid_t euid = (uint32_t)-1;
+ /* If one of the arguments equals -1, the corresponding value is not changed. */
+ assert_syscall_state(SYSCALL_SUCCESS, "setreuid", syscall(__NR_setreuid, ruid, euid), NOT_EQUAL, -1);
+
+ /*=============================== TRIGGER SYSCALL ===========================*/
+
+ evt_test->disable_capture();
+
+ evt_test->assert_event_presence();
+
+ if(HasFatalFailure())
+ {
+ return;
+ }
+
+ evt_test->parse_event();
+
+ evt_test->assert_header();
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ /* Parameter 1: res (type: PT_ERRNO) */
+ evt_test->assert_numeric_param(1, (int64_t)0);
+
+ /* Parameter 2: ruid (type: PT_GID) */
+ evt_test->assert_numeric_param(2, (uint32_t)ruid);
+
+ /* Parameter 3: euid (type: PT_GID) */
+ evt_test->assert_numeric_param(3, (uint32_t)euid);
+
+ /*=============================== ASSERT PARAMETERS ===========================*/
+
+ evt_test->assert_num_params_pushed(3);
+}
+#endif
diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h
index 73db84841e..bfccac5030 100644
--- a/userspace/libpman/src/events_prog_names.h
+++ b/userspace/libpman/src/events_prog_names.h
@@ -335,6 +335,10 @@ static const char* event_prog_names[PPM_EVENT_MAX] = { [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = "process_vm_writev_x", [PPME_SYSCALL_DELETE_MODULE_E] = "delete_module_e", [PPME_SYSCALL_DELETE_MODULE_X] = "delete_module_x", + [PPME_SYSCALL_SETREUID_E] = "setreuid_e", + [PPME_SYSCALL_SETREUID_X] = "setreuid_x", + [PPME_SYSCALL_SETREGID_E] = "setregid_e", + [PPME_SYSCALL_SETREGID_X] = "setregid_x", }; /* Some events can require more than one bpf program to collect all the data. */ diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c index 1012f01dfd..d126aaae5e 100644 --- a/userspace/libscap/linux/scap_ppm_sc.c +++ b/userspace/libscap/linux/scap_ppm_sc.c 
@@ -30,8 +30,8 @@ limitations under the License. * NOTE: first 2 lines are automatically bumped by syscalls-bumper. */ static const ppm_sc_code *g_events_to_sc_map[] = { - [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, 
PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, 
PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_MULTIPLEXER, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_LISTMOUNT, PPM_SC_STATMOUNT, PPM_SC_LSM_GET_SELF_ATTR, PPM_SC_LSM_SET_SELF_ATTR, PPM_SC_LSM_LIST_MODULES, PPM_SC_MSEAL, -1}, - [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_GETPGID, PPM_SC_SYSFS, 
PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_SETREUID, PPM_SC_SETREGID, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, 
PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, 
PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_MULTIPLEXER, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_LSM_SET_SELF_ATTR, PPM_SC_LSM_LIST_MODULES, PPM_SC_LISTMOUNT, PPM_SC_STATMOUNT, PPM_SC_LSM_GET_SELF_ATTR, PPM_SC_MSEAL, -1}, + [PPME_GENERIC_E] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, 
PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, 
PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_TIMERFD, PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_MULTIPLEXER, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_LISTMOUNT, PPM_SC_STATMOUNT, PPM_SC_LSM_GET_SELF_ATTR, PPM_SC_LSM_SET_SELF_ATTR, PPM_SC_LSM_LIST_MODULES, PPM_SC_MSEAL, -1}, + [PPME_GENERIC_X] = (ppm_sc_code[]){ PPM_SC_RESTART_SYSCALL, PPM_SC_EXIT, PPM_SC_TIME, PPM_SC_GETPID, PPM_SC_SYNC, PPM_SC_TIMES, PPM_SC_ACCT, PPM_SC_UMASK, PPM_SC_USTAT, PPM_SC_GETPPID, PPM_SC_GETPGRP, PPM_SC_SETHOSTNAME, PPM_SC_GETRUSAGE, PPM_SC_GETTIMEOFDAY, PPM_SC_SETTIMEOFDAY, 
PPM_SC_READLINK, PPM_SC_SWAPON, PPM_SC_REBOOT, PPM_SC_TRUNCATE, PPM_SC_FTRUNCATE, PPM_SC_GETPRIORITY, PPM_SC_SETPRIORITY, PPM_SC_STATFS, PPM_SC_FSTATFS, PPM_SC_SETITIMER, PPM_SC_GETITIMER, PPM_SC_UNAME, PPM_SC_VHANGUP, PPM_SC_WAIT4, PPM_SC_SWAPOFF, PPM_SC_SYSINFO, PPM_SC_FSYNC, PPM_SC_SETDOMAINNAME, PPM_SC_ADJTIMEX, PPM_SC_GETPGID, PPM_SC_SYSFS, PPM_SC_PERSONALITY, PPM_SC_MSYNC, PPM_SC_GETSID, PPM_SC_FDATASYNC, PPM_SC_SCHED_SETSCHEDULER, PPM_SC_SCHED_GETSCHEDULER, PPM_SC_SCHED_YIELD, PPM_SC_SCHED_GET_PRIORITY_MAX, PPM_SC_SCHED_GET_PRIORITY_MIN, PPM_SC_SCHED_RR_GET_INTERVAL, PPM_SC_MREMAP, PPM_SC_ARCH_PRCTL, PPM_SC_RT_SIGACTION, PPM_SC_RT_SIGPROCMASK, PPM_SC_RT_SIGPENDING, PPM_SC_RT_SIGTIMEDWAIT, PPM_SC_RT_SIGQUEUEINFO, PPM_SC_RT_SIGSUSPEND, PPM_SC_CAPGET, PPM_SC_GETGROUPS, PPM_SC_SETGROUPS, PPM_SC_SETFSUID, PPM_SC_SETFSGID, PPM_SC_PIVOT_ROOT, PPM_SC_MINCORE, PPM_SC_MADVISE, PPM_SC_GETTID, PPM_SC_SETXATTR, PPM_SC_LSETXATTR, PPM_SC_FSETXATTR, PPM_SC_GETXATTR, PPM_SC_LGETXATTR, PPM_SC_FGETXATTR, PPM_SC_LISTXATTR, PPM_SC_LLISTXATTR, PPM_SC_FLISTXATTR, PPM_SC_REMOVEXATTR, PPM_SC_LREMOVEXATTR, PPM_SC_FREMOVEXATTR,PPM_SC_SCHED_SETAFFINITY, PPM_SC_SCHED_GETAFFINITY, PPM_SC_SET_THREAD_AREA, PPM_SC_GET_THREAD_AREA, PPM_SC_IO_SETUP, PPM_SC_IO_DESTROY, PPM_SC_IO_GETEVENTS, PPM_SC_IO_SUBMIT, PPM_SC_IO_CANCEL, PPM_SC_EXIT_GROUP, PPM_SC_REMAP_FILE_PAGES, PPM_SC_SET_TID_ADDRESS, PPM_SC_TIMER_CREATE, PPM_SC_TIMER_SETTIME, PPM_SC_TIMER_GETTIME, PPM_SC_TIMER_GETOVERRUN, PPM_SC_TIMER_DELETE, PPM_SC_CLOCK_SETTIME, PPM_SC_CLOCK_GETTIME, PPM_SC_CLOCK_GETRES, PPM_SC_CLOCK_NANOSLEEP,PPM_SC_UTIMES, PPM_SC_MQ_OPEN, PPM_SC_MQ_UNLINK, PPM_SC_MQ_TIMEDSEND, PPM_SC_MQ_TIMEDRECEIVE, PPM_SC_MQ_NOTIFY, PPM_SC_MQ_GETSETATTR, PPM_SC_KEXEC_LOAD, PPM_SC_WAITID, PPM_SC_ADD_KEY, PPM_SC_REQUEST_KEY, PPM_SC_KEYCTL, PPM_SC_IOPRIO_SET, PPM_SC_IOPRIO_GET, PPM_SC_INOTIFY_ADD_WATCH, PPM_SC_INOTIFY_RM_WATCH, PPM_SC_FUTIMESAT, PPM_SC_READLINKAT, PPM_SC_FACCESSAT, PPM_SC_SET_ROBUST_LIST, PPM_SC_GET_ROBUST_LIST, 
PPM_SC_TEE, PPM_SC_VMSPLICE, PPM_SC_GETCPU, PPM_SC_EPOLL_PWAIT, PPM_SC_UTIMENSAT, PPM_SC_TIMERFD_SETTIME, PPM_SC_TIMERFD_GETTIME, PPM_SC_RT_TGSIGQUEUEINFO, PPM_SC_PERF_EVENT_OPEN, PPM_SC_FANOTIFY_INIT, PPM_SC_CLOCK_ADJTIME, PPM_SC_SYNCFS, PPM_SC_MSGSND, PPM_SC_MSGRCV, PPM_SC_MSGGET, PPM_SC_MSGCTL, PPM_SC_SHMDT, PPM_SC_SHMGET, PPM_SC_SHMCTL, PPM_SC_STATFS64, PPM_SC_FSTATFS64, PPM_SC_FSTATAT64, PPM_SC_BDFLUSH, PPM_SC_SIGPROCMASK, PPM_SC_IPC, PPM_SC__NEWSELECT, PPM_SC_SGETMASK, PPM_SC_SSETMASK, PPM_SC_SIGPENDING, PPM_SC_OLDUNAME, PPM_SC_SIGNAL, PPM_SC_NICE, PPM_SC_STIME, PPM_SC_WAITPID, PPM_SC_SHMAT, PPM_SC_RT_SIGRETURN, PPM_SC_FALLOCATE, PPM_SC_SIGALTSTACK, PPM_SC_GETRANDOM, PPM_SC_FADVISE64, PPM_SC_SOCKETCALL, PPM_SC_FSPICK, PPM_SC_FSMOUNT, PPM_SC_FSOPEN, PPM_SC_OPEN_TREE, PPM_SC_MOVE_MOUNT, PPM_SC_MOUNT_SETATTR, PPM_SC_MEMFD_SECRET, PPM_SC_IOPERM, PPM_SC_KEXEC_FILE_LOAD, PPM_SC_PIDFD_SEND_SIGNAL, PPM_SC_PKEY_ALLOC, PPM_SC_PKEY_MPROTECT, PPM_SC_PKEY_FREE, PPM_SC_LANDLOCK_CREATE_RULESET, PPM_SC_QUOTACTL_FD, PPM_SC_LANDLOCK_RESTRICT_SELF, PPM_SC_LANDLOCK_ADD_RULE, PPM_SC_EPOLL_PWAIT2, PPM_SC_MIGRATE_PAGES, PPM_SC_MOVE_PAGES, PPM_SC_PREADV2, PPM_SC_PWRITEV2, PPM_SC_QUERY_MODULE, PPM_SC_STATX, PPM_SC_SET_MEMPOLICY, PPM_SC_FANOTIFY_MARK, PPM_SC_SYNC_FILE_RANGE, PPM_SC_READAHEAD, PPM_SC_PROCESS_MRELEASE, PPM_SC_MBIND, PPM_SC_PROCESS_MADVISE, PPM_SC_MEMBARRIER, PPM_SC_MODIFY_LDT, PPM_SC_SEMTIMEDOP, PPM_SC_NAME_TO_HANDLE_AT, PPM_SC_KCMP, PPM_SC_EPOLL_CTL_OLD, PPM_SC_EPOLL_WAIT_OLD, PPM_SC_FUTEX_WAITV, PPM_SC_CREATE_MODULE, PPM_SC__SYSCTL, PPM_SC_LOOKUP_DCOOKIE, PPM_SC_IOPL, PPM_SC_IO_PGETEVENTS, PPM_SC_GETPMSG, PPM_SC_SCHED_SETATTR, PPM_SC_GET_KERNEL_SYMS, PPM_SC_RSEQ, PPM_SC_CLOSE_RANGE, PPM_SC_GET_MEMPOLICY, PPM_SC_SCHED_GETATTR, PPM_SC_NFSSERVCTL, PPM_SC_SET_MEMPOLICY_HOME_NODE, PPM_SC_FACCESSAT2, PPM_SC_EPOLL_CTL, PPM_SC_SCHED_GETPARAM, PPM_SC_PSELECT6, PPM_SC_SCHED_SETPARAM, PPM_SC_PAUSE, PPM_SC_UTIME, PPM_SC_SYSLOG, PPM_SC_USELIB, PPM_SC_ALARM, PPM_SC_TIMERFD, 
PPM_SC_S390_PCI_MMIO_READ, PPM_SC_SIGACTION, PPM_SC_S390_PCI_MMIO_WRITE, PPM_SC_READDIR, PPM_SC_S390_STHYI, PPM_SC_SIGSUSPEND, PPM_SC_IDLE, PPM_SC_S390_RUNTIME_INSTR, PPM_SC_SIGRETURN, PPM_SC_S390_GUARDED_STORAGE, PPM_SC_CACHESTAT, PPM_SC_FCHMODAT2, PPM_SC_MAP_SHADOW_STACK, PPM_SC_RISCV_FLUSH_ICACHE, PPM_SC_RISCV_HWPROBE, PPM_SC_FUTEX_WAKE, PPM_SC_FUTEX_REQUEUE, PPM_SC_FUTEX_WAIT, PPM_SC_OLDOLDUNAME, PPM_SC_SUBPAGE_PROT, PPM_SC_PCICONFIG_IOBASE, PPM_SC_OLDSTAT, PPM_SC_SWITCH_ENDIAN, PPM_SC_MULTIPLEXER, PPM_SC_OLDLSTAT, PPM_SC_SPU_CREATE, PPM_SC_SYNC_FILE_RANGE2, PPM_SC_OLDFSTAT, PPM_SC_SPU_RUN, PPM_SC_SWAPCONTEXT, PPM_SC_PCICONFIG_WRITE, PPM_SC_RTAS, PPM_SC_PCICONFIG_READ, PPM_SC_SYS_DEBUG_SETCONTEXT, PPM_SC_VM86, PPM_SC_LSM_SET_SELF_ATTR, PPM_SC_LSM_LIST_MODULES, PPM_SC_LISTMOUNT, PPM_SC_STATMOUNT, PPM_SC_LSM_GET_SELF_ATTR, PPM_SC_MSEAL, -1}, [PPME_SYSCALL_OPEN_E] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_OPEN_X] = (ppm_sc_code[]){PPM_SC_OPEN, -1}, [PPME_SYSCALL_CLOSE_E] = (ppm_sc_code[]){PPM_SC_CLOSE, -1}, @@ -456,6 +456,10 @@ static const ppm_sc_code *g_events_to_sc_map[] = { [PPME_SYSCALL_PROCESS_VM_WRITEV_X] = (ppm_sc_code[]){PPM_SC_PROCESS_VM_WRITEV, -1}, [PPME_SYSCALL_DELETE_MODULE_E] = (ppm_sc_code[]){PPM_SC_DELETE_MODULE, -1}, [PPME_SYSCALL_DELETE_MODULE_X] = (ppm_sc_code[]){PPM_SC_DELETE_MODULE, -1}, + [PPME_SYSCALL_SETREUID_E] = (ppm_sc_code[]){PPM_SC_SETREUID, -1}, + [PPME_SYSCALL_SETREUID_X] = (ppm_sc_code[]){PPM_SC_SETREUID, -1}, + [PPME_SYSCALL_SETREGID_E] = (ppm_sc_code[]){PPM_SC_SETREGID, -1}, + [PPME_SYSCALL_SETREGID_X] = (ppm_sc_code[]){PPM_SC_SETREGID, -1}, }; #if defined(__GNUC__) || (__STDC_VERSION__ >=201112L) diff --git a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp index 0e153f05f1..3f80fbf90d 100644 --- a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp +++ b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp 
@@ -138,6 +138,8 @@ libsinsp::events::set libsinsp::events::enforce_simple_sc_set(libsi PPM_SC_UNSHARE, PPM_SC_USERFAULTFD, PPM_SC_VFORK, + PPM_SC_SETREUID, + PPM_SC_SETREGID, }; static auto sinsp_state_ppm_sc = sinsp_state_sc_set(); static auto final_set = simple_set.merge(sinsp_state_ppm_sc); diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp index fae48f43ad..76c80d649b 100644 --- a/userspace/libsinsp/parsers.cpp +++ b/userspace/libsinsp/parsers.cpp @@ -384,9 +384,15 @@ void sinsp_parser::process_event(sinsp_evt *evt) case PPME_SYSCALL_SETRESUID_X: parse_setresuid_exit(evt); break; + case PPME_SYSCALL_SETREUID_X: + parse_setreuid_exit(evt); + break; case PPME_SYSCALL_SETRESGID_X: parse_setresgid_exit(evt); break; + case PPME_SYSCALL_SETREGID_X: + parse_setregid_exit(evt); + break; case PPME_SYSCALL_SETUID_X: parse_setuid_exit(evt); break; @@ -4897,14 +4903,38 @@ void sinsp_parser::parse_setresuid_exit(sinsp_evt *evt) // retval = evt->get_param(0)->as(); - if(retval >= 0 && retrieve_enter_event(enter_evt, evt)) + if(retval == 0 && retrieve_enter_event(enter_evt, evt)) { uint32_t new_euid = enter_evt->get_param(1)->as(); if(new_euid < std::numeric_limits::max()) { - if (evt->get_thread_info()) { - evt->get_thread_info()->set_user(new_euid); + sinsp_threadinfo* ti = evt->get_thread_info(); + if (ti) { + ti->set_user(new_euid); + } + } + } +} + +void sinsp_parser::parse_setreuid_exit(sinsp_evt *evt) +{ + int64_t retval; + + // + // Extract the return value + // + retval = evt->get_param(0)->as(); + + if(retval == 0) + { + uint32_t new_euid = evt->get_param(1)->as(); + + if(new_euid < std::numeric_limits::max()) + { + sinsp_threadinfo* ti = evt->get_thread_info(); + if (ti) { + ti->set_user(new_euid); } } } 
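Review bot: The new `parse_setreuid_exit` takes the tracked user from `evt->get_param(1)`, which is the real uid rather than the effective one the variable name promises, if the exit event lists its parameters as res, ruid, euid in syscall-argument order (as the three-parameter test events suggest). A call that leaves the real uid unchanged (-1) while changing the effective uid would then hit the `max()` guard with 0xFFFFFFFF and leave the thread's user untouched, so rules keyed on the thread's uid would not see the change. Reading the third parameter fixes it: `uint32_t new_euid = evt->get_param(2)->as<uint32_t>();`. `parse_setregid_exit` in the next hunk reads `get_param(1)` into `new_egid` in the same way and needs the same change.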
@@ -4920,14 +4950,38 @@ void sinsp_parser::parse_setresgid_exit(sinsp_evt *evt) // retval = evt->get_param(0)->as(); - if(retval >= 0 && retrieve_enter_event(enter_evt, evt)) + if(retval == 0 && retrieve_enter_event(enter_evt, evt)) { uint32_t new_egid = enter_evt->get_param(1)->as(); if(new_egid < std::numeric_limits::max()) { - if (evt->get_thread_info()) { - evt->get_thread_info()->set_group(new_egid); + sinsp_threadinfo* ti = evt->get_thread_info(); + if (ti) { + ti->set_group(new_egid); + } + } + } +} + +void sinsp_parser::parse_setregid_exit(sinsp_evt *evt) +{ + int64_t retval; + + // + // Extract the return value + // + retval = evt->get_param(0)->as(); + + if(retval == 0) + { + uint32_t new_egid = evt->get_param(1)->as(); + + if(new_egid < std::numeric_limits::max()) + { + sinsp_threadinfo* ti = evt->get_thread_info(); + if (ti) { + ti->set_group(new_egid); } } } @@ -4943,11 +4997,12 @@ void sinsp_parser::parse_setuid_exit(sinsp_evt *evt) // retval = evt->get_param(0)->as(); - if(retval >= 0 && retrieve_enter_event(enter_evt, evt)) + if(retval == 0 && retrieve_enter_event(enter_evt, evt)) { uint32_t new_euid = enter_evt->get_param(0)->as(); - if (evt->get_thread_info()) { - evt->get_thread_info()->set_user(new_euid); + sinsp_threadinfo* ti = evt->get_thread_info(); + if (ti) { + ti->set_user(new_euid); } } } @@ -4962,11 +5017,12 @@ void sinsp_parser::parse_setgid_exit(sinsp_evt *evt) // retval = evt->get_param(0)->as(); - if(retval >= 0 && retrieve_enter_event(enter_evt, evt)) + if(retval == 0 && retrieve_enter_event(enter_evt, evt)) { uint32_t new_egid = enter_evt->get_param(0)->as(); - if (evt->get_thread_info()) { - evt->get_thread_info()->set_group(new_egid); + sinsp_threadinfo* ti = evt->get_thread_info(); + if (ti) { + ti->set_group(new_egid); } } } diff --git a/userspace/libsinsp/parsers.h b/userspace/libsinsp/parsers.h index 07ab25c807..066c0b302c 100644 --- a/userspace/libsinsp/parsers.h +++ b/userspace/libsinsp/parsers.h 
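Review bot: The `max()` guard on `new_egid` in `parse_setresgid_exit` and in the new `parse_setregid_exit` has no comment, and its purpose is easy to miss. An id of -1 tells the kernel to leave that id unchanged, so the parser must not store it as the thread's group. I would add above each guard `// (gid_t)-1 means "leave this id unchanged": keep the tracked group as it is`; the uid guards in the previous hunk deserve the matching comment. `parse_setresgid_exit` starts above this hunk.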
@@ -106,7 +106,9 @@ class sinsp_parser
 void parse_context_switch(sinsp_evt* evt);
 void parse_brk_munmap_mmap_exit(sinsp_evt* evt);
 void parse_setresuid_exit(sinsp_evt* evt);
+ void parse_setreuid_exit(sinsp_evt* evt);
 void parse_setresgid_exit(sinsp_evt* evt);
+ void parse_setregid_exit(sinsp_evt* evt);
 void parse_setuid_exit(sinsp_evt* evt);
 void parse_setgid_exit(sinsp_evt* evt);
 void parse_container_evt(sinsp_evt* evt); // deprecated, only for backward-compatibility
diff --git a/userspace/libsinsp/test/parsers/parse_setregid.cpp b/userspace/libsinsp/test/parsers/parse_setregid.cpp
new file mode 100644
index 0000000000..e83524ca5f
--- /dev/null
+++ b/userspace/libsinsp/test/parsers/parse_setregid.cpp
@@ -0,0 +1,45 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include "driver/ppm_events_public.h"
+#include
+
+TEST_F(sinsp_with_test_input, SETREGID_failure)
+{
+ /* Instantiate the default tree */
+ DEFAULT_TREE
+
+ add_event_advance_ts(increasing_ts(), p2_t2_tid, PPME_SYSCALL_SETREGID_X, 3, (uint64_t)1, (uint32_t)0, (uint32_t)0);
+
+
+ sinsp_threadinfo* ti = m_inspector.get_thread_ref(p2_t2_tid, false).get();
+ ASSERT_TRUE(ti);
+ ASSERT_TRUE(ti->m_user.gid() == 0);
+}
+
+TEST_F(sinsp_with_test_input, SETREGID_success)
+{
+ /* Instantiate the default tree */
+ DEFAULT_TREE
+
+ add_event_advance_ts(increasing_ts(), p2_t2_tid, PPME_SYSCALL_SETREGID_X, 3, (uint64_t)0, (uint32_t)1337, (uint32_t)1337);
+
+ sinsp_threadinfo* ti = m_inspector.get_thread_ref(p2_t2_tid, false).get();
+ ASSERT_TRUE(ti);
+ ASSERT_TRUE(ti->m_user.gid() == 1337);
+}
diff --git a/userspace/libsinsp/test/parsers/parse_setreuid.cpp b/userspace/libsinsp/test/parsers/parse_setreuid.cpp
new file mode 100644
index 0000000000..e428b96df6
--- /dev/null
+++ b/userspace/libsinsp/test/parsers/parse_setreuid.cpp
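Review bot: Neither SETREGID test can fail for the reason it is named after. `SETREGID_failure` offers ids 0 and 0 and then expects `gid() == 0`; that assertion presumably holds only because the default tree's thread already has gid 0, so a parser that wrongly applied the failed call would pass as well. `SETREGID_success` sends 1337 for both ids, so it does not pin down which of the two parameters the parser stores. Use distinct non-zero ids in both events, e.g. `(uint32_t)1337, (uint32_t)1338`, and assert `gid() == 1338` (the effective id) on success while keeping `gid() == 0` on failure. The SETREUID tests in parse_setreuid.cpp have the same shape and need the same change.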
@@ -0,0 +1,45 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include "driver/ppm_events_public.h"
+#include
+
+TEST_F(sinsp_with_test_input, SETREUID_failure)
+{
+ /* Instantiate the default tree */
+ DEFAULT_TREE
+
+ add_event_advance_ts(increasing_ts(), p2_t2_tid, PPME_SYSCALL_SETREUID_X, 3, (uint64_t)1, (uint32_t)0, (uint32_t)0);
+
+
+ sinsp_threadinfo* ti = m_inspector.get_thread_ref(p2_t2_tid, false).get();
+ ASSERT_TRUE(ti);
+ ASSERT_TRUE(ti->m_user.uid() == 0);
+}
+
+TEST_F(sinsp_with_test_input, SETREUID_success)
+{
+ /* Instantiate the default tree */
+ DEFAULT_TREE
+
+ add_event_advance_ts(increasing_ts(), p2_t2_tid, PPME_SYSCALL_SETREUID_X, 3, (uint64_t)0, (uint32_t)1337, (uint32_t)1337);
+
+ sinsp_threadinfo* ti = m_inspector.get_thread_ref(p2_t2_tid, false).get();
+ ASSERT_TRUE(ti);
+ ASSERT_TRUE(ti->m_user.uid() == 1337);
+}
diff --git a/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp b/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
index 176789411e..6a78fe02b5 100644
--- a/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
+++ b/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
@@ -211,7 +211,11 @@ const libsinsp::events::set expected_sinsp_state_event_set = { PPME_SYSCALL_PIDFD_GETFD_E, PPME_SYSCALL_PIDFD_GETFD_X, PPME_SYSCALL_PIDFD_OPEN_E, - PPME_SYSCALL_PIDFD_OPEN_X + PPME_SYSCALL_PIDFD_OPEN_X, + PPME_SYSCALL_SETREUID_E, + PPME_SYSCALL_SETREUID_X, + PPME_SYSCALL_SETREGID_E, + PPME_SYSCALL_SETREGID_X }; const libsinsp::events::set expected_sinsp_state_sc_set = { @@ -281,6 +285,8 @@ const libsinsp::events::set expected_sinsp_state_sc_set = { PPM_SC_MEMFD_CREATE, PPM_SC_PIDFD_OPEN, PPM_SC_PIDFD_GETFD, + PPM_SC_SETREUID, + PPM_SC_SETREGID, }; const libsinsp::events::set expected_unknown_event_set = {