From b7131e0d60e9152b09fad95dc4f1fcfc5f7f0911 Mon Sep 17 00:00:00 2001 From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com> Date: Thu, 19 Dec 2024 14:59:52 +0100 Subject: [PATCH] new: make ACCEPT_{E,X} and ACCEPT_5_E converter-managed Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com> --- driver/event_table.c | 8 +-- .../engines/savefile/converter.cpp | 52 +++++++++++++++++++ .../engine/savefile/converter/table.cpp | 15 +++++- userspace/libscap/scap_event.c | 7 +-- 4 files changed, 75 insertions(+), 7 deletions(-) diff --git a/driver/event_table.c b/driver/event_table.c index a707ec0237..5e580891a7 100644 --- a/driver/event_table.c +++ b/driver/event_table.c @@ -203,11 +203,13 @@ const struct ppm_event_info g_event_info[] = { {"backlog", PT_INT32, PF_DEC}}}, [PPME_SOCKET_ACCEPT_E] = {"accept", EC_NET | EC_SYSCALL, - EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, + EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION | + EF_TMP_CONVERTER_MANAGED, 0}, [PPME_SOCKET_ACCEPT_X] = {"accept", EC_NET | EC_SYSCALL, - EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, + EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION | + EF_TMP_CONVERTER_MANAGED, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, @@ -1408,7 +1410,7 @@ const struct ppm_event_info g_event_info[] = { [PPME_CPU_HOTPLUG_X] = {"NA", EC_UNKNOWN, EF_UNUSED, 0}, [PPME_SOCKET_ACCEPT_5_E] = {"accept", EC_NET | EC_SYSCALL, - EF_CREATES_FD | EF_MODIFIES_STATE, + EF_CREATES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED, 0}, [PPME_SOCKET_ACCEPT_5_X] = {"accept", EC_NET | EC_SYSCALL, diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp index 15abeb9647..041728f6f2 100644 --- a/test/libscap/test_suites/engines/savefile/converter.cpp +++ b/test/libscap/test_suites/engines/savefile/converter.cpp @@ -361,3 +361,55 @@ TEST_F(convert_event_test, PPME_SOCKET_LISTEN_X_to_3_params_with_enter) { create_safe_scap_event(ts, tid, PPME_SOCKET_LISTEN_X, 1, res), create_safe_scap_event(ts, tid, PPME_SOCKET_LISTEN_X, 3, res, fd, backlog)); } + +//////////////////////////// +// ACCEPT +//////////////////////////// + +TEST_F(convert_event_test, PPME_SOCKET_ACCEPT_E_skip) { + uint64_t ts = 12; + int64_t tid = 25; + + auto evt = create_safe_scap_event(ts, tid, PPME_SOCKET_ACCEPT_E, 0); + assert_single_conversion_skip(evt); +} + +TEST_F(convert_event_test, PPME_SOCKET_ACCEPT_X_to_PPME_SOCKET_ACCEPT_5_X) { + uint64_t ts = 12; + int64_t tid = 25; + + int64_t fd = 25; + char tuple[] = {'h', 'e', 'l', 'l', 'o'}; + uint8_t queuepct = 3; + + // Defaulted to 0 + uint32_t queuelen = 0; + uint32_t queuemax = 0; + + assert_single_conversion_success( + conversion_result::CONVERSION_COMPLETED, + create_safe_scap_event(ts, + tid, + PPME_SOCKET_ACCEPT_X, + 3, + fd, + scap_const_sized_buffer{tuple, sizeof(tuple)}, + queuepct), + create_safe_scap_event(ts, + tid, + PPME_SOCKET_ACCEPT_5_X, + 5, + fd, + scap_const_sized_buffer{tuple, sizeof(tuple)}, + queuepct, + queuelen, + queuemax)); +} + +TEST_F(convert_event_test, PPME_SOCKET_ACCEPT_5_E_skip) { + uint64_t ts = 12; + int64_t tid = 25; + + auto evt = create_safe_scap_event(ts, tid, PPME_SOCKET_ACCEPT_5_E, 0); + assert_single_conversion_skip(evt); +} diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp index 3747044550..f1aad43f4f 100644 --- a/userspace/libscap/engine/savefile/converter/table.cpp +++ b/userspace/libscap/engine/savefile/converter/table.cpp @@ -53,4 +53,17 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = { {conversion_key{PPME_SOCKET_LISTEN_X, 1}, conversion_info() .action(C_ACTION_ADD_PARAMS) - .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})}}; + .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})}, + {conversion_key{PPME_SOCKET_ACCEPT_E, 0}, conversion_info().action(C_ACTION_SKIP)}, + {conversion_key{PPME_SOCKET_ACCEPT_X, 3}, + conversion_info() + .desired_type(PPME_SOCKET_ACCEPT_5_X) + .action(C_ACTION_CHANGE_TYPE) + .instrs({ + {C_INSTR_FROM_OLD, 0}, + {C_INSTR_FROM_OLD, 1}, + {C_INSTR_FROM_OLD, 2}, + {C_INSTR_FROM_DEFAULT, 0}, + {C_INSTR_FROM_DEFAULT, 0}, + })}, + {conversion_key{PPME_SOCKET_ACCEPT_5_E, 0}, conversion_info().action(C_ACTION_SKIP)}}; diff --git a/userspace/libscap/scap_event.c b/userspace/libscap/scap_event.c index 8ee64418b2..d143212bae 100644 --- a/userspace/libscap/scap_event.c +++ b/userspace/libscap/scap_event.c @@ -520,7 +520,7 @@ int get_enter_event_fd_location(ppm_event_code etype) { return location; } -// In the exit events we don't have a precise convension on the fd parameter position. +// In the exit events we don't have a precise convention on the fd parameter position. int get_exit_event_fd_location(ppm_event_code etype) { ASSERT(etype < PPM_EVENT_MAX); ASSERT(PPME_IS_EXIT(etype)); @@ -529,13 +529,14 @@ int get_exit_event_fd_location(ppm_event_code etype) { // we want to return -1 as location if we forgot to handle something int location = -1; switch(etype) { + case PPME_SOCKET_LISTEN_X: + location = 1; + break; case PPME_SYSCALL_READ_X: case PPME_SYSCALL_PREAD_X: case PPME_SOCKET_BIND_X: location = 2; break; - case PPME_SOCKET_LISTEN_X: - location = 1; default: break; }