tmp 2

Signed-off-by: Andrea Terzolo <[email protected]>
falcosecurity · Jan 23, 2025 · d84e2e7 · d84e2e7
1 parent cee7bc9
commit d84e2e7
Show file tree

Hide file tree

Showing 12 changed files with 60 additions and 99 deletions.
diff --git a/.github/workflows/drivers_ci.yml b/.github/workflows/drivers_ci.yml
@@ -4,8 +4,8 @@ on:
   push:
     branches:
       - master
-      - 'release/**'
-      - 'maintainers/**'
+      - "release/**"
+      - "maintainers/**"
   workflow_dispatch:
   # we cannot use paths key here since otherwise required_status_checks jobs won't run.
   # See https://github.com/orgs/community/discussions/26251.
@@ -24,17 +24,17 @@ jobs:
       libscap: ${{ steps.filter.outputs.libscap }}
       libpman: ${{ steps.filter.outputs.libpman }}
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-      id: filter
-      with:
-        filters: |
-          driver:
-            - 'driver/**'
-          libscap:
-            - 'userspace/libscap/**'
-          libpman:
-            - 'userspace/libpman/**'
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            driver:
+              - 'driver/**'
+            libscap:
+              - 'userspace/libscap/**'
+            libpman:
+              - 'userspace/libpman/**'
 
   # This job run all engine tests and scap-open
   test-scap:
@@ -73,7 +73,7 @@ jobs:
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         run: |
           mkdir -p build
-          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
+          cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
           make scap-open driver bpf libscap_test -j6
 
       - name: Run scap-open with modern bpf 🏎️
@@ -100,7 +100,8 @@ jobs:
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         run: |
           cd build
-          sudo ./test/libscap/libscap_test
+          sudo ./test/libscap/libscap_test || true
+          sudo cat /sys/kernel/debug/tracing/trace
 
   test-drivers:
     name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
@@ -155,7 +156,8 @@ jobs:
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         run: |
           cd build
-          sudo ./test/drivers/drivers_test -k
+          sudo ./test/drivers/drivers_test -k || true
+          sudo dmesg
 
   test-drivers-ppc64le:
     name: test-drivers-ppc64le 😁 (system_deps,custom node)
@@ -233,7 +235,7 @@ jobs:
   build-modern-bpf-skeleton:
     needs: paths-filter
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: 'ubuntu-latest'
+    runs-on: "ubuntu-latest"
     if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
     container: fedora:latest
     steps:
@@ -261,8 +263,8 @@ jobs:
   build-scap-open-w-extern-bpf-skeleton:
     env:
       ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-    needs: [paths-filter,build-modern-bpf-skeleton]
-    runs-on: 'ubuntu-latest'
+    needs: [paths-filter, build-modern-bpf-skeleton]
+    runs-on: "ubuntu-latest"
     if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
     steps:
       - name: Install build dependencies

diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -5273,6 +5273,8 @@ FILLER(cpu_hotplug_e, false) {
 	res = bpf_push_u32_to_ring(data, 0);
 	CHECK_RES(res);
 
+	const char log[] = "[LEGACY] Send hotplug event for CPU %d\n";
+	bpf_trace_printk(log, sizeof(log), data->state->hotplug_cpu);
 	data->state->hotplug_cpu = 0;
 
 	return res;

diff --git a/driver/bpf/plumbing_helpers.h b/driver/bpf/plumbing_helpers.h
@@ -718,6 +718,8 @@ static __always_inline void call_filler(void *ctx,
 		return;
 
 	if(cpu == 0 && state->hotplug_cpu != 0) {
+		const char log[] = "[LEGACY] Configure hotplug event";
+		bpf_trace_printk(log, sizeof(log));
 		evt_type = PPME_CPU_HOTPLUG_E;
 		drop_flags = UF_NEVER_DROP;
 	}

diff --git a/driver/bpf/probe.c b/driver/bpf/probe.c
@@ -110,6 +110,11 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) {
 		}
 	}
 
+	if(evt_type == PPME_SYSCALL_DELETE_MODULE_E) {
+		const char log[] = "[LEGACY] Calling delete_module syscall on cpu %d";
+		bpf_trace_printk(log, sizeof(log), bpf_get_smp_processor_id());
+	}
+
 #ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
 	call_filler(ctx, ctx, evt_type, drop_flags, socketcall_syscall_id);
 #else

diff --git a/driver/main.c b/driver/main.c
@@ -1814,6 +1814,7 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 
 	ring_info = ring->info;
 	if(!ring_info) {
+		printk("ring_info is NULL for cpu %d\n", cpu);
 		// This is likely an hotplug
 		atomic_set(&hotplug_cpu, cpu);
 		put_cpu();
@@ -2784,62 +2785,12 @@ static char *ppm_devnode(struct device *dev, mode_t *mode)
 }
 #endif /* LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20) */
 
-static int scap_cpu_online(unsigned int cpu) {
-	vpr_info("scap_cpu_online on cpu %d\n", cpu);
-	return 0;
-}
-
-static int scap_cpu_offline(unsigned int cpu) {
-	vpr_info("scap_cpu_offline on cpu %d\n", cpu);
-	return 0;
-}
-
-#if(LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0))
-/*
- * This gets called every time a CPU is added or removed
- */
-static int cpu_callback(struct notifier_block *self, unsigned long action, void *hcpu) {
-	unsigned long cpu = (unsigned long)hcpu;
-	int ret = 0;
-
-	switch(action) {
-	case CPU_UP_PREPARE:
-#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
-	case CPU_UP_PREPARE_FROZEN:
-#endif
-		ret = scap_cpu_online(cpu);
-		break;
-	case CPU_DOWN_PREPARE:
-#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
-	case CPU_DOWN_PREPARE_FROZEN:
-#endif
-		ret = scap_cpu_offline(cpu);
-		break;
-	default:
-		break;
-	}
-
-	if(ret < 0)
-		return NOTIFY_BAD;
-	else
-		return NOTIFY_OK;
-}
-
-static struct notifier_block cpu_notifier = {
-        .notifier_call = &cpu_callback,
-        .next = NULL,
-};
-#endif /* LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) */
-
 static int scap_init(void) {
 	dev_t dev;
 	unsigned int cpu;
 	unsigned int num_cpus;
 	int ret;
 	int acrret = 0;
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-	int hp_ret;
-#endif
 	int j;
 	int n_created_devices = 0;
 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
@@ -2943,25 +2894,6 @@ static int scap_init(void) {
 		goto init_module_err;
 	}
 
-	/*
-	 * Set up our callback in case we get a hotplug even while we are
-	 * initializing the cpu structures
-	 */
-#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
-	hp_ret = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
-	                                   DRIVER_NAME "/driver:online",
-	                                   scap_cpu_online,
-	                                   scap_cpu_offline);
-	if(hp_ret <= 0) {
-		pr_err("error registering cpu hotplug callback\n");
-		ret = hp_ret;
-		goto init_module_err;
-	}
-	hp_state = hp_ret;
-#else
-	register_cpu_notifier(&cpu_notifier);
-#endif
-
 	// Initialize globals
 	g_tracepoints_attached = 0;
 	for(j = 0; j < KMOD_PROG_ATTACHED_MAX; j++) {

diff --git a/driver/modern_bpf/helpers/store/auxmap_store_params.h b/driver/modern_bpf/helpers/store/auxmap_store_params.h
@@ -122,7 +122,7 @@ static __always_inline void auxmap__submit_event(struct auxiliary_map *auxmap) {
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
 		// this should never happen because we check it in sys_enter/sys_exit
-		bpf_printk("FAILURE: unable to obtain the ring buffer");
+		bpf_printk("AUXMAP: unable to obtain the ring buffer");
 		return;
 	}
 

diff --git a/driver/modern_bpf/helpers/store/ringbuf_store_params.h b/driver/modern_bpf/helpers/store/ringbuf_store_params.h
@@ -99,7 +99,7 @@ static __always_inline uint32_t ringbuf__reserve_space(struct ringbuf_struct *ri
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
 		// this should never happen because we check it in sys_enter/sys_exit
-		bpf_printk("FAILURE: unable to obtain the ring buffer");
+		bpf_printk("RINGBUF: unable to obtain the ring buffer");
 		return 0;
 	}
 

diff --git a/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c b/driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c
@@ -56,6 +56,8 @@ int BPF_PROG(t_hotplug) {
 	/* Right now we don't have actions we always send 0 */
 	ringbuf__store_u32(&ringbuf, 0);
 
+	bpf_printk("Send hotplug event for cpu %d", bpf_get_smp_processor_id());
+
 	/*=============================== COLLECT PARAMETERS ===========================*/
 
 	ringbuf__submit_event(&ringbuf);
@@ -170,6 +172,9 @@ static __always_inline bool sampling_logic_exit(void *ctx, uint32_t id) {
 #define X86_64_NR_EXECVE 59
 #define X86_64_NR_EXECVEAT 322
 
+#define X86_64_NR_DELETE_MODULE 176
+#define ARM64_NR_DELETE_MODULE 106
+
 /* From linux tree: /include/trace/events/syscall.h
  * TP_PROTO(struct pt_regs *regs, long ret),
  */
@@ -228,11 +233,22 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 		return 0;
 	}
 
+#if defined(__TARGET_ARCH_x86)
+	if(syscall_id == X86_64_NR_DELETE_MODULE) {
+		bpf_printk("Calling delete_module syscall on cpu %d", bpf_get_smp_processor_id());
+	}
+#else
+	if(syscall_id == X86_64_NR_DELETE_MODULE) {
+		bpf_printk("Calling delete_module syscall on cpu %d", bpf_get_smp_processor_id());
+	}
+#endif
+
 	// If we cannot find a ring buffer for this CPU we probably have an hotplug event. It's ok to
 	// check only in the exit path since we will always have at least one exit syscall enabled. If
 	// we change our architecture we may need to update this logic.
 	struct ringbuf_map *rb = maps__get_ringbuf_map();
 	if(!rb) {
+		bpf_printk("Configure hotplug event on cpu %d", bpf_get_smp_processor_id());
 		bpf_tail_call(ctx, &custom_sys_exit_calls, T_HOTPLUG);
 		bpf_printk("failed to tail call into the 'hotplug' prog");
 		return 0;

diff --git a/test/libscap/helpers/engines.cpp b/test/libscap/helpers/engines.cpp
@@ -213,6 +213,7 @@ void check_hotplug_event(scap_t *h, std::ofstream &cpu_file) {
 	cpu_file.seekp(0, std::ios::beg);
 	cpu_file << "1";
 	cpu_file.flush();
+	cpu_file.close();
 
 	// Set the affinity on first CPU
 	cpu_set_t set, starting_set;
@@ -223,15 +224,15 @@ void check_hotplug_event(scap_t *h, std::ofstream &cpu_file) {
 	sched_setaffinity(0, sizeof(cpu_set_t), &set);
 
 	// Generate some syscalls on CPU 1 to make sure we generate an event
-	cpu_file.close();
+	syscall(__NR_delete_module, "fail", 0);
 
 	// the legacy ebpf probe needs also a new event on CPU 0 after the hotplug to send the event in
 	// userspace
 	CPU_ZERO(&set);    // clear cpu mask
 	CPU_SET(0, &set);  // set cpu 1
 	sched_setaffinity(0, sizeof(cpu_set_t), &set);
 	// we throw a failed close to generate an event
-	close(-1);
+	syscall(__NR_delete_module, "fail", 0);
 
 	// Reset affinity
 	sched_setaffinity(0, sizeof(cpu_set_t), &starting_set);

diff --git a/test/libscap/test_suites/engines/bpf/bpf.cpp b/test/libscap/test_suites/engines/bpf/bpf.cpp
@@ -291,12 +291,11 @@ TEST(bpf, hotplug) {
 	cpu_file.flush();
 
 	// open scap, we limit the capture to just one syscall to avoid too many events.
-	// The close syscall will be called inside `check_hotplug_event`.
 	scap_t* h = open_bpf_engine(error_buffer,
 	                            &ret,
 	                            4 * 4096,
 	                            LIBSCAP_TEST_BPF_PROBE_PATH,
-	                            {PPM_SC_CLOSE});
+	                            {PPM_SC_DELETE_MODULE});
 	ASSERT_FALSE(!h || ret != SCAP_SUCCESS)
 	        << "unable to open bpf engine: " << error_buffer << std::endl;
 

diff --git a/test/libscap/test_suites/engines/kmod/kmod.cpp b/test/libscap/test_suites/engines/kmod/kmod.cpp
@@ -345,12 +345,11 @@ TEST(kmod, hotplug) {
 	cpu_file.flush();
 
 	// open scap, we limit the capture to just one syscall to avoid too many events.
-	// The close syscall will be called inside `check_hotplug_event`.
 	scap_t* h = open_kmod_engine(error_buffer,
 	                             &ret,
 	                             4 * 4096,
 	                             LIBSCAP_TEST_KERNEL_MODULE_PATH,
-	                             {PPM_SC_CLOSE});
+	                             {PPM_SC_DELETE_MODULE});
 	ASSERT_FALSE(!h || ret != SCAP_SUCCESS)
 	        << "unable to open kmod engine: " << error_buffer << std::endl;
 

diff --git a/test/libscap/test_suites/engines/modern_bpf/modern_bpf.cpp b/test/libscap/test_suites/engines/modern_bpf/modern_bpf.cpp
@@ -429,9 +429,12 @@ TEST(modern_bpf, hotplug) {
 	cpu_file.flush();
 
 	// open scap, we limit the capture to just one syscall to avoid too many events.
-	// The close syscall will be called inside `check_hotplug_event`.
-	scap_t* h =
-	        open_modern_bpf_engine(error_buffer, &ret, 1 * 1024 * 1024, 0, true, {PPM_SC_CLOSE});
+	scap_t* h = open_modern_bpf_engine(error_buffer,
+	                                   &ret,
+	                                   1 * 1024 * 1024,
+	                                   0,
+	                                   true,
+	                                   {PPM_SC_DELETE_MODULE});
 	ASSERT_FALSE(!h || ret != SCAP_SUCCESS)
 	        << "unable to open modern bpf engine: " << error_buffer << std::endl;