new: make ACCEPT_{E,X} and ACCEPT_5_E converter-managed

Signed-off-by: Leonardo Di Giovanna <[email protected]>
falcosecurity · Dec 19, 2024 · b7131e0 · b7131e0
1 parent aad67bc
commit b7131e0
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 7 deletions.
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -203,11 +203,13 @@ const struct ppm_event_info g_event_info[] = {
                                    {"backlog", PT_INT32, PF_DEC}}},
         [PPME_SOCKET_ACCEPT_E] = {"accept",
                                   EC_NET | EC_SYSCALL,
-                                  EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
+                                  EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION |
+                                          EF_TMP_CONVERTER_MANAGED,
                                   0},
         [PPME_SOCKET_ACCEPT_X] = {"accept",
                                   EC_NET | EC_SYSCALL,
-                                  EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION,
+                                  EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION |
+                                          EF_TMP_CONVERTER_MANAGED,
                                   3,
                                   {{"fd", PT_FD, PF_DEC},
                                    {"tuple", PT_SOCKTUPLE, PF_NA},
@@ -1408,7 +1410,7 @@ const struct ppm_event_info g_event_info[] = {
         [PPME_CPU_HOTPLUG_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0},
         [PPME_SOCKET_ACCEPT_5_E] = {"accept",
                                     EC_NET | EC_SYSCALL,
-                                    EF_CREATES_FD | EF_MODIFIES_STATE,
+                                    EF_CREATES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
                                     0},
         [PPME_SOCKET_ACCEPT_5_X] = {"accept",
                                     EC_NET | EC_SYSCALL,

diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -361,3 +361,55 @@ TEST_F(convert_event_test, PPME_SOCKET_LISTEN_X_to_3_params_with_enter) {
 	        create_safe_scap_event(ts, tid, PPME_SOCKET_LISTEN_X, 1, res),
 	        create_safe_scap_event(ts, tid, PPME_SOCKET_LISTEN_X, 3, res, fd, backlog));
 }
+
+////////////////////////////
+// ACCEPT
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SOCKET_ACCEPT_E_skip) {
+	uint64_t ts = 12;
+	int64_t tid = 25;
+
+	auto evt = create_safe_scap_event(ts, tid, PPME_SOCKET_ACCEPT_E, 0);
+	assert_single_conversion_skip(evt);
+}
+
+TEST_F(convert_event_test, PPME_SOCKET_ACCEPT_X_to_PPME_SOCKET_ACCEPT_5_X) {
+	uint64_t ts = 12;
+	int64_t tid = 25;
+
+	int64_t fd = 25;
+	char tuple[] = {'h', 'e', 'l', 'l', 'o'};
+	uint8_t queuepct = 3;
+
+	// Defaulted to 0
+	uint32_t queuelen = 0;
+	uint32_t queuemax = 0;
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts,
+	                               tid,
+	                               PPME_SOCKET_ACCEPT_X,
+	                               3,
+	                               fd,
+	                               scap_const_sized_buffer{tuple, sizeof(tuple)},
+	                               queuepct),
+	        create_safe_scap_event(ts,
+	                               tid,
+	                               PPME_SOCKET_ACCEPT_5_X,
+	                               5,
+	                               fd,
+	                               scap_const_sized_buffer{tuple, sizeof(tuple)},
+	                               queuepct,
+	                               queuelen,
+	                               queuemax));
+}
+
+TEST_F(convert_event_test, PPME_SOCKET_ACCEPT_5_E_skip) {
+	uint64_t ts = 12;
+	int64_t tid = 25;
+
+	auto evt = create_safe_scap_event(ts, tid, PPME_SOCKET_ACCEPT_5_E, 0);
+	assert_single_conversion_skip(evt);
+}
diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp
@@ -53,4 +53,17 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = {
         {conversion_key{PPME_SOCKET_LISTEN_X, 1},
          conversion_info()
                  .action(C_ACTION_ADD_PARAMS)
-                 .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})}};
+                 .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})},
+        {conversion_key{PPME_SOCKET_ACCEPT_E, 0}, conversion_info().action(C_ACTION_SKIP)},
+        {conversion_key{PPME_SOCKET_ACCEPT_X, 3},
+         conversion_info()
+                 .desired_type(PPME_SOCKET_ACCEPT_5_X)
+                 .action(C_ACTION_CHANGE_TYPE)
+                 .instrs({
+                         {C_INSTR_FROM_OLD, 0},
+                         {C_INSTR_FROM_OLD, 1},
+                         {C_INSTR_FROM_OLD, 2},
+                         {C_INSTR_FROM_DEFAULT, 0},
+                         {C_INSTR_FROM_DEFAULT, 0},
+                 })},
+        {conversion_key{PPME_SOCKET_ACCEPT_5_E, 0}, conversion_info().action(C_ACTION_SKIP)}};
diff --git a/userspace/libscap/scap_event.c b/userspace/libscap/scap_event.c
@@ -520,7 +520,7 @@ int get_enter_event_fd_location(ppm_event_code etype) {
 	return location;
 }
 
-// In the exit events we don't have a precise convension on the fd parameter position.
+// In the exit events we don't have a precise convention on the fd parameter position.
 int get_exit_event_fd_location(ppm_event_code etype) {
 	ASSERT(etype < PPM_EVENT_MAX);
 	ASSERT(PPME_IS_EXIT(etype));
@@ -529,13 +529,14 @@ int get_exit_event_fd_location(ppm_event_code etype) {
 	// we want to return -1 as location if we forgot to handle something
 	int location = -1;
 	switch(etype) {
+	case PPME_SOCKET_LISTEN_X:
+		location = 1;
+		break;
 	case PPME_SYSCALL_READ_X:
 	case PPME_SYSCALL_PREAD_X:
 	case PPME_SOCKET_BIND_X:
 		location = 2;
 		break;
-	case PPME_SOCKET_LISTEN_X:
-		location = 1;
 	default:
 		break;
 	}