falcosecurity
/
libs
mirror of https://github.com/falcosecurity/libs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: falcosecurity:master
Branches Tags
falcosecurity:master
falcosecurity:ekoops/isolate-modern-toctou
falcosecurity:update/lseek-conversion
falcosecurity:wip/test
falcosecurity:release/0.21.x
falcosecurity:fix/modern_bpf_maps_const
falcosecurity:wip/rawarg_madness_sanitizer
falcosecurity:fix/valijson_ci_cmake_ver
falcosecurity:chore/use_driverkit_image_latest_kernel
falcosecurity:chore/e2e_ci_arm64
falcosecurity:Andreagit97/fix_hotplug_2
falcosecurity:new/homemade_bpf_loop
falcosecurity:release/0.20.x
falcosecurity:chore/enable_lto
falcosecurity:release/0.19.x
falcosecurity:new/expose_category
falcosecurity:release/0.18.x
falcosecurity:new/sinsp_state_entry_observer
falcosecurity:wip/test_tbbmem
falcosecurity:cleanup/container-manager-unused-code
falcosecurity:test/download-zig
falcosecurity:test/shared-lib-fix-0.17.3
falcosecurity:chore/improve_e2e_ci
falcosecurity:chore/zig_build
falcosecurity:fix-fs-path-openat
falcosecurity:wip/test_benchmarks
falcosecurity:cleanup/drop_jsoncpp_use_njson
falcosecurity:release/0.17.x
falcosecurity:test/ci
falcosecurity:indexing-filterchecks
falcosecurity:release/0.16.x
falcosecurity:chore/fix_typo
falcosecurity:indexing-filterchecks-backup
falcosecurity:fix/recvfrom_bpf_filler
falcosecurity:release/0.15.x
falcosecurity:chore/set_perf_event_attr_size
falcosecurity:release/0.14.x
falcosecurity:new/check-milestone-action
falcosecurity:LucaGuerra-patch-1
falcosecurity:bug_in_the_queue
falcosecurity:release/0.13.x
falcosecurity:PR1400
falcosecurity:build/upgrade-grpc-and-friends
falcosecurity:remove_b64
falcosecurity:symlink_new
falcosecurity:release/0.12.x
falcosecurity:update/jsoncpp_1.9.5
falcosecurity:update/tinydir_1.2.5
falcosecurity:PR1229
falcosecurity:wip/scap-specification
falcosecurity:release/0.11.x
falcosecurity:allow-pmatch-to-expand-globs-backup
falcosecurity:maintainers/tmp_sinsp_branch
falcosecurity:new/codechecker
falcosecurity:fix_drivers_ppid
falcosecurity:update/protobuf
falcosecurity:release/0.10.x
falcosecurity:maintainers/tmp_cpp17
falcosecurity:chore/bump_schema_vers
falcosecurity:sync/release/0.10.5
falcosecurity:new/merge_ppm_sc_ppm_tp
falcosecurity:maintainers/899-testing
falcosecurity:maintainers/unit_test_libscap
falcosecurity:release/0.10.0
falcosecurity:maintainers/support_test_1
falcosecurity:fix/use_head_gha
falcosecurity:new/kmod_name_as_param
falcosecurity:hashes
falcosecurity:hashes-fields
falcosecurity:release/0.9.2
falcosecurity:test_feat
falcosecurity:release/0.9.0
falcosecurity:prova
falcosecurity:make-container-engines-configurable
falcosecurity:enum_to_bitmask
falcosecurity:thread-lookup-improvements
falcosecurity:change_names
falcosecurity:experiment/remove-HAS_CAPTURE
falcosecurity:add_default_args
falcosecurity:add_new_tracepoints
falcosecurity:test/fix/falco/1909
falcosecurity:cleanup/unify_simpleconsumer_simpledriver
falcosecurity:temp_cleanup_simple_consumer
falcosecurity:add-position-ast-compiler
falcosecurity:fix/fd_errno_pid_fdlist_int32
falcosecurity:open_syscalls
falcosecurity:remove-fntlnz
falcosecurity:fix/bpf_res_or_fd_crash
falcosecurity:test-arm64
falcosecurity:fix/container_sync_add_container
falcosecurity:vtable-rebased
falcosecurity:chore/improvements
falcosecurity:skip-libs-deps-install
falcosecurity:minor_improvements
falcosecurity:PR266
falcosecurity:store_userlist
falcosecurity:patch-cherry-pick
falcosecurity:scap-seek-buffer
falcosecurity:expose_plugin_schema_infos
falcosecurity:fix-plugins-issue-56
falcosecurity:mac
falcosecurity:container-json-test
falcosecurity:detect-strlcpy-better
falcosecurity:new/plugin-system-api-additions
falcosecurity:new/plugin-system-api-additions-prerebase
falcosecurity:use-openssl-1-0-2
falcosecurity:gen-events-falco-engine
falcosecurity:validate-evt-type-filterchecks
falcosecurity:new/plugin-system-api-additions-async-experiments
falcosecurity:windows-build-improvements-prerebase
falcosecurity:new/plugin-system
falcosecurity:new/plugin-system-preaddlchanges
falcosecurity:build/upgrade-deps-testing2
falcosecurity:build/upgrade-deps-testing
falcosecurity:track-container-user-names
falcosecurity:build/upgrade-grpc-deps
falcosecurity:driver/libbpf-porting
falcosecurity:refactor/sub-components
falcosecurity:build/ci-testing-basic
falcosecurity:leodido-pullrequests-template
falcosecurity:0.21.0
falcosecurity:0.21.0-rc2
falcosecurity:8.1.0+driver
falcosecurity:0.21.0-rc1
falcosecurity:0.20.0
falcosecurity:8.0.0+driver
falcosecurity:0.20.0-rc2
falcosecurity:0.20.0-rc1
falcosecurity:0.19.0
falcosecurity:0.18.2
falcosecurity:0.18.1
falcosecurity:7.3.0+driver
falcosecurity:0.18.0
falcosecurity:0.18.0-rc2
falcosecurity:0.18.0-rc1
falcosecurity:0.17.3
falcosecurity:0.17.3-rc2
falcosecurity:0.17.3-rc1
falcosecurity:7.2.1+driver
falcosecurity:0.17.2
falcosecurity:0.17.1
falcosecurity:7.2.0+driver
falcosecurity:0.17.0-rc2
falcosecurity:0.17.0
falcosecurity:0.17.0-rc1
falcosecurity:7.1.0+driver
falcosecurity:0.16.0-rc4
falcosecurity:0.16.0
falcosecurity:0.16.0-rc3
falcosecurity:0.16.0-rc2
falcosecurity:7.1.0+driver-rc1
falcosecurity:0.16.0-rc1
falcosecurity:0.15.1
falcosecurity:0.15.0
falcosecurity:0.15.0-rc1
falcosecurity:0.14.3
falcosecurity:0.14.2
falcosecurity:0.14.1
falcosecurity:0.14.0
falcosecurity:7.0.0+driver
falcosecurity:0.13.4
falcosecurity:0.13.3
falcosecurity:0.13.2
falcosecurity:0.13.2-rc1
falcosecurity:0.13.1-rc1
falcosecurity:0.13.1
falcosecurity:0.13.0
falcosecurity:6.0.1+driver
falcosecurity:0.13.0-rc2
falcosecurity:0.13.0-rc1
falcosecurity:6.0.0+driver
falcosecurity:5.1.0+driver
falcosecurity:0.12.0
falcosecurity:0.12.0-rc3
falcosecurity:0.12.0-rc2
falcosecurity:0.12.0-rc1
falcosecurity:0.11.3
falcosecurity:0.11.2
falcosecurity:0.11.1
falcosecurity:0.11.0
falcosecurity:5.0.1+driver
falcosecurity:0.11.0-rc5
falcosecurity:0.11.0-rc4
falcosecurity:0.11.0-rc3
falcosecurity:0.11.0-rc2
falcosecurity:0.11.0-rc1
falcosecurity:5.0.0+driver
falcosecurity:0.10.5
falcosecurity:4.0.1+driver
falcosecurity:0.10.4
falcosecurity:0.10.3
falcosecurity:0.10.2
falcosecurity:0.10.1
falcosecurity:0.10.0
falcosecurity:4.0.0+driver
falcosecurity:4.0.0-rc1+driver
falcosecurity:0.10.0-rc1
falcosecurity:0.9.2
falcosecurity:0.9.1
falcosecurity:0.9.0
falcosecurity:3.0.1+driver
falcosecurity:3.0.0+driver
falcosecurity:3.0.0-rc1+driver
falcosecurity:0.9.0-rc1
falcosecurity:0.8.0
falcosecurity:0.7.0
falcosecurity:0.7.0-rc4
falcosecurity:0.7.0-rc3
falcosecurity:2.0.0+driver
falcosecurity:0.7.0-rc2
falcosecurity:2.0.0-rc1+driver
falcosecurity:0.7.0-rc1
falcosecurity:1.0.0-alpha2+driver
falcosecurity:0.7.0-alpha2
falcosecurity:1.0.0-alpha+driver
falcosecurity:0.7.0-alpha
..
compare: falcosecurity:8.0.0+driver
Branches Tags
falcosecurity:ekoops/isolate-modern-toctou
falcosecurity:master
falcosecurity:update/lseek-conversion
falcosecurity:wip/test
falcosecurity:release/0.21.x
falcosecurity:fix/modern_bpf_maps_const
falcosecurity:wip/rawarg_madness_sanitizer
falcosecurity:fix/valijson_ci_cmake_ver
falcosecurity:chore/use_driverkit_image_latest_kernel
falcosecurity:chore/e2e_ci_arm64
falcosecurity:Andreagit97/fix_hotplug_2
falcosecurity:new/homemade_bpf_loop
falcosecurity:release/0.20.x
falcosecurity:chore/enable_lto
falcosecurity:release/0.19.x
falcosecurity:new/expose_category
falcosecurity:release/0.18.x
falcosecurity:new/sinsp_state_entry_observer
falcosecurity:wip/test_tbbmem
falcosecurity:cleanup/container-manager-unused-code
falcosecurity:test/download-zig
falcosecurity:test/shared-lib-fix-0.17.3
falcosecurity:chore/improve_e2e_ci
falcosecurity:chore/zig_build
falcosecurity:fix-fs-path-openat
falcosecurity:wip/test_benchmarks
falcosecurity:cleanup/drop_jsoncpp_use_njson
falcosecurity:release/0.17.x
falcosecurity:test/ci
falcosecurity:indexing-filterchecks
falcosecurity:release/0.16.x
falcosecurity:chore/fix_typo
falcosecurity:indexing-filterchecks-backup
falcosecurity:fix/recvfrom_bpf_filler
falcosecurity:release/0.15.x
falcosecurity:chore/set_perf_event_attr_size
falcosecurity:release/0.14.x
falcosecurity:new/check-milestone-action
falcosecurity:LucaGuerra-patch-1
falcosecurity:bug_in_the_queue
falcosecurity:release/0.13.x
falcosecurity:PR1400
falcosecurity:build/upgrade-grpc-and-friends
falcosecurity:remove_b64
falcosecurity:symlink_new
falcosecurity:release/0.12.x
falcosecurity:update/jsoncpp_1.9.5
falcosecurity:update/tinydir_1.2.5
falcosecurity:PR1229
falcosecurity:wip/scap-specification
falcosecurity:release/0.11.x
falcosecurity:allow-pmatch-to-expand-globs-backup
falcosecurity:maintainers/tmp_sinsp_branch
falcosecurity:new/codechecker
falcosecurity:fix_drivers_ppid
falcosecurity:update/protobuf
falcosecurity:release/0.10.x
falcosecurity:maintainers/tmp_cpp17
falcosecurity:chore/bump_schema_vers
falcosecurity:sync/release/0.10.5
falcosecurity:new/merge_ppm_sc_ppm_tp
falcosecurity:maintainers/899-testing
falcosecurity:maintainers/unit_test_libscap
falcosecurity:release/0.10.0
falcosecurity:maintainers/support_test_1
falcosecurity:fix/use_head_gha
falcosecurity:new/kmod_name_as_param
falcosecurity:hashes
falcosecurity:hashes-fields
falcosecurity:release/0.9.2
falcosecurity:test_feat
falcosecurity:release/0.9.0
falcosecurity:prova
falcosecurity:make-container-engines-configurable
falcosecurity:enum_to_bitmask
falcosecurity:thread-lookup-improvements
falcosecurity:change_names
falcosecurity:experiment/remove-HAS_CAPTURE
falcosecurity:add_default_args
falcosecurity:add_new_tracepoints
falcosecurity:test/fix/falco/1909
falcosecurity:cleanup/unify_simpleconsumer_simpledriver
falcosecurity:temp_cleanup_simple_consumer
falcosecurity:add-position-ast-compiler
falcosecurity:fix/fd_errno_pid_fdlist_int32
falcosecurity:open_syscalls
falcosecurity:remove-fntlnz
falcosecurity:fix/bpf_res_or_fd_crash
falcosecurity:test-arm64
falcosecurity:fix/container_sync_add_container
falcosecurity:vtable-rebased
falcosecurity:chore/improvements
falcosecurity:skip-libs-deps-install
falcosecurity:minor_improvements
falcosecurity:PR266
falcosecurity:store_userlist
falcosecurity:patch-cherry-pick
falcosecurity:scap-seek-buffer
falcosecurity:expose_plugin_schema_infos
falcosecurity:fix-plugins-issue-56
falcosecurity:mac
falcosecurity:container-json-test
falcosecurity:detect-strlcpy-better
falcosecurity:new/plugin-system-api-additions
falcosecurity:new/plugin-system-api-additions-prerebase
falcosecurity:use-openssl-1-0-2
falcosecurity:gen-events-falco-engine
falcosecurity:validate-evt-type-filterchecks
falcosecurity:new/plugin-system-api-additions-async-experiments
falcosecurity:windows-build-improvements-prerebase
falcosecurity:new/plugin-system
falcosecurity:new/plugin-system-preaddlchanges
falcosecurity:build/upgrade-deps-testing2
falcosecurity:build/upgrade-deps-testing
falcosecurity:track-container-user-names
falcosecurity:build/upgrade-grpc-deps
falcosecurity:driver/libbpf-porting
falcosecurity:refactor/sub-components
falcosecurity:build/ci-testing-basic
falcosecurity:leodido-pullrequests-template
falcosecurity:0.21.0
falcosecurity:0.21.0-rc2
falcosecurity:8.1.0+driver
falcosecurity:0.21.0-rc1
falcosecurity:0.20.0
falcosecurity:8.0.0+driver
falcosecurity:0.20.0-rc2
falcosecurity:0.20.0-rc1
falcosecurity:0.19.0
falcosecurity:0.18.2
falcosecurity:0.18.1
falcosecurity:7.3.0+driver
falcosecurity:0.18.0
falcosecurity:0.18.0-rc2
falcosecurity:0.18.0-rc1
falcosecurity:0.17.3
falcosecurity:0.17.3-rc2
falcosecurity:0.17.3-rc1
falcosecurity:7.2.1+driver
falcosecurity:0.17.2
falcosecurity:0.17.1
falcosecurity:7.2.0+driver
falcosecurity:0.17.0-rc2
falcosecurity:0.17.0
falcosecurity:0.17.0-rc1
falcosecurity:7.1.0+driver
falcosecurity:0.16.0-rc4
falcosecurity:0.16.0
falcosecurity:0.16.0-rc3
falcosecurity:0.16.0-rc2
falcosecurity:7.1.0+driver-rc1
falcosecurity:0.16.0-rc1
falcosecurity:0.15.1
falcosecurity:0.15.0
falcosecurity:0.15.0-rc1
falcosecurity:0.14.3
falcosecurity:0.14.2
falcosecurity:0.14.1
falcosecurity:0.14.0
falcosecurity:7.0.0+driver
falcosecurity:0.13.4
falcosecurity:0.13.3
falcosecurity:0.13.2
falcosecurity:0.13.2-rc1
falcosecurity:0.13.1-rc1
falcosecurity:0.13.1
falcosecurity:0.13.0
falcosecurity:6.0.1+driver
falcosecurity:0.13.0-rc2
falcosecurity:0.13.0-rc1
falcosecurity:6.0.0+driver
falcosecurity:5.1.0+driver
falcosecurity:0.12.0
falcosecurity:0.12.0-rc3
falcosecurity:0.12.0-rc2
falcosecurity:0.12.0-rc1
falcosecurity:0.11.3
falcosecurity:0.11.2
falcosecurity:0.11.1
falcosecurity:0.11.0
falcosecurity:5.0.1+driver
falcosecurity:0.11.0-rc5
falcosecurity:0.11.0-rc4
falcosecurity:0.11.0-rc3
falcosecurity:0.11.0-rc2
falcosecurity:0.11.0-rc1
falcosecurity:5.0.0+driver
falcosecurity:0.10.5
falcosecurity:4.0.1+driver
falcosecurity:0.10.4
falcosecurity:0.10.3
falcosecurity:0.10.2
falcosecurity:0.10.1
falcosecurity:0.10.0
falcosecurity:4.0.0+driver
falcosecurity:4.0.0-rc1+driver
falcosecurity:0.10.0-rc1
falcosecurity:0.9.2
falcosecurity:0.9.1
falcosecurity:0.9.0
falcosecurity:3.0.1+driver
falcosecurity:3.0.0+driver
falcosecurity:3.0.0-rc1+driver
falcosecurity:0.9.0-rc1
falcosecurity:0.8.0
falcosecurity:0.7.0
falcosecurity:0.7.0-rc4
falcosecurity:0.7.0-rc3
falcosecurity:2.0.0+driver
falcosecurity:0.7.0-rc2
falcosecurity:2.0.0-rc1+driver
falcosecurity:0.7.0-rc1
falcosecurity:1.0.0-alpha2+driver
falcosecurity:0.7.0-alpha2
falcosecurity:1.0.0-alpha+driver
falcosecurity:0.7.0-alpha

10 Commits
master ... 8.0.0+driv

Author SHA1 Message Date
Roberto Scolaro 22be2498e0 fix(libsinsp/runc): typo 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2025-01-20 14:11:48 +01:00
Roberto Scolaro fbe3c4639d fix(libsinsp/runc): augument containerd filter 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2025-01-20 14:11:48 +01:00
Roberto Scolaro ba87ea79e7 fix(libsinsp): allow reading scap from stdin 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2025-01-20 14:11:48 +01:00
Federico Di Pierro 5a5709133d chore(ci): switch to github-provided arm64 runners. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-01-17 10:48:32 +01:00
Leonardo Grasso 1510ea322f docs(userspace/libsinsp/filter/parser): fix grammar doc 
The spaces after the operator tokens were intended to indicate operators that mandate a whitespace character to be followed.

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-01-17 10:48:32 +01:00
Roberto Scolaro 1a577bac89 chore(libsinsp/runc): report correct container id with short cid 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2025-01-17 10:48:32 +01:00
Leonardo Grasso 0297142814 docs(userspace/libsinsp/filter/parser): update grammar doc 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-01-17 10:48:32 +01:00
Roberto Scolaro dfd4328260 fix(libsinsp/container_engine/containerd): avoid cache confusion between containerd sockets 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2025-01-17 10:48:32 +01:00
Roberto Scolaro ba990bce80 fix(libsinsp/runc): use old logic and fallback for containerd 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2025-01-17 10:48:32 +01:00
Roberto Scolaro 769dbb023c feat(containers): add host-containerd socket 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
 2025-01-17 10:48:32 +01:00
707 changed files with 36839 additions and 45928 deletions
Show Stats Expand all files Collapse all files

2
.clang-format-ignore
View File

@ -3,8 +3,6 @@ driver/modern_bpf/definitions/aarch64/vmlinux.h
driver/modern_bpf/definitions/ppc64le/vmlinux.h
driver/modern_bpf/definitions/s390x/vmlinux.h
driver/modern_bpf/definitions/x86_64/vmlinux.h
# Autogenerated events dimensions file for modern probe is not formatted
driver/modern_bpf/definitions/events_dimensions.h
# All syscall_compat autogenerated headers are not formatted
driver/syscall_compat_aarch64.h
driver/syscall_compat_loongarch64.h

2
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@ -20,8 +20,6 @@
> /kind failing-test
> /kind test
> /kind feature
<!--

2
.github/actions/composite-perf/action.yml vendored
View File

@ -24,7 +24,7 @@ runs:
- name: Install deps ⛓️
shell: bash
run: |
sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
sudo .github/install-deps.sh
- name: Build

28
.github/actions/install-zig/action.yml vendored
View File

@ -8,29 +8,41 @@ runs:
shell: bash
id: store
env:
ZIG_VERSION: '0.14.1'
ZIG_VERSION: '0.14.0-dev.2591+5333d2443'
run: |
echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"
# TODO: this is only needed because we are using a development version of zig,
# since we need https://github.com/ziglang/zig/pull/21253 to be included.
# Development versions of zig are not kept alive forever, but get overridden.
# We cache it to keep it alive.
- name: Download zig (cached)
id: cache-zig
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: zig
key: zig-${{ runner.os }}-${{ runner.arch }}-${{ steps.store.outputs.zig_version }}
- name: Download zig
if: steps.cache-zig.outputs.cache-hit != 'true'
shell: bash
run: |
curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}.tar.xz
curl -L -o zig.tar.xz https://ziglang.org/builds/zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}.tar.xz
tar -xvf zig.tar.xz
cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
#!/bin/bash
exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
EOF
chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc
chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-cc
cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
cat > zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
#!/bin/bash
exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
EOF
chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++
chmod +x zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/zig-c++
mv zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/ zig
mv zig-linux-$(uname -m)-${{ steps.store.outputs.zig_version }}/ zig
- name: Setup zig
shell: bash
@ -40,4 +52,4 @@ runs:
echo "CC=zig-cc" >> $GITHUB_ENV
echo "CXX=zig-c++" >> $GITHUB_ENV
echo "AR=zig ar" >> $GITHUB_ENV
echo "RANLIB=zig ranlib" >> $GITHUB_ENV
echo "RANLIB=zig ranlib" >> $GITHUB_ENV

114
.github/workflows/ci.yml vendored
View File

@ -21,12 +21,14 @@ jobs:
fail-fast: false
matrix:
arch: [amd64, arm64]
name: [system_deps, bundled_deps, sanitizers, zig]
name: [system_deps, bundled_deps, system_deps_minimal, sanitizers, zig]
include:
- name: system_deps
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
- name: bundled_deps
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
- name: system_deps_minimal
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
- name: sanitizers
cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
- name: zig
@ -36,9 +38,7 @@ jobs:
steps:
- name: Install deps ⛓️
run: |
# Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
printf "deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main\ndeb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main\ndeb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main" > /etc/apt/sources.list
apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
- name: Install a recent version of CMake ⛓️
run: |
@ -74,13 +74,6 @@ jobs:
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
make run-unit-tests
- name: Test sinsp-example and .scap files
run: |
cd build && make sinsp-example
libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google.txt
libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google_comments.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google_comments.txt
diff -u /tmp/curl_google.txt /tmp/curl_google_comments.txt
# On zig, build also sinsp-example and check the glibc linked versions
# to make sure we are actually using the correct glibc version.
- name: Test zig build glibc version
@ -135,13 +128,13 @@ jobs:
- name: Install deps ⛓️
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
sudo .github/install-deps.sh
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
make -j4
make run-unit-tests
@ -154,7 +147,7 @@ jobs:
run: |
cd userspace/libsinsp/examples
export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
g++ -o sinsp-example *.cpp $(pkg-config --cflags --libs libsinsp)
g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)
- name: Test sinsp-example runtime linker
run: |
@ -181,7 +174,7 @@ jobs:
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DENABLE_THREAD_POOL=ON ..
cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON -DENABLE_THREAD_POOL=ON ..
cmake --build . --config Release --parallel 4 && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe
build-shared-libs-macos-amd64:
@ -200,7 +193,7 @@ jobs:
- name: Build 🏗️
run: |
mkdir -p build
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DMINIMAL_BUILD=ON -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
cmake --build . --config Release --parallel $(getconf _NPROCESSORS_ONLN)
- name: Install
@ -258,11 +251,92 @@ jobs:
diff -u expected_ldd_out.txt ldd_out.txt
run-e2e-tests-amd64:
uses: ./.github/workflows/reusable_e2e_tests.yaml
with:
libsversion: ${{ github.sha }}
secrets: inherit
name: run-e2e-tests-amd64
strategy:
fail-fast: false
matrix:
name: [system_deps, bundled_deps, asan]
include:
- name: system_deps
cmake_opts: -DUSE_BUNDLED_DEPS=False
- name: bundled_deps
cmake_opts: -DUSE_BUNDLED_DEPS=True
- name: asan
cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
runs-on: ubuntu-22.04
steps:
- name: Install deps ⛓️
run: |
sudo apt-get update && sudo apt-get install -y --no-install-recommends \
ca-certificates \
cmake \
build-essential \
clang-14 llvm-14 \
git \
clang \
llvm \
pkg-config \
autoconf \
automake \
libtool \
libelf-dev \
wget \
libc-ares-dev \
libbpf-dev \
libcap-dev \
libcurl4-openssl-dev \
libssl-dev \
libtbb-dev \
libjq-dev \
libjsoncpp-dev \
libgrpc++-dev \
protobuf-compiler-grpc \
libgtest-dev \
libprotobuf-dev \
"linux-headers-$(uname -r)"
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Fix kernel mmap rnd bits
# Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
# high-entropy ASLR in much newer kernels that GitHub runners are
# using leading to random crashes: https://reviews.llvm.org/D148280
run: sudo sysctl vm.mmap_rnd_bits=28
- name: Install deps ⛓️
run: |
sudo .github/install-deps.sh
- name: Build and test 🏗️🧪
env:
# This avoids random failures on CI.
# (https://github.com/google/sanitizers/issues/1322#issuecomment-699946942)
ASAN_OPTIONS: intercept_tls_get_addr=0
run: |
mkdir -p build && cd build
cmake -DBUILD_BPF=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DBUILD_LIBSCAP_GVISOR=OFF \
${{ matrix.cmake_opts }} \
-DUSE_BUNDLED_LIBBPF=ON \
..
make -j$(nproc) sinsp-example driver bpf
sudo -E make e2e-install-deps
sudo -E ../test/e2e/scripts/run_tests.sh
- name: Archive test reports
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: failure()
with:
name: ${{ matrix.name }}_report
path: |
/tmp/report/
build-libs-emscripten:
name: build-libs-emscripten 🧐

2
.github/workflows/driverkit.yml vendored
View File

@ -55,7 +55,7 @@ jobs:
kernelrelease: 6.4.1-1.el9.elrepo.aarch64
target: centos
kernelurls: https://download.falco.org/fixtures/libs/kernel-ml-devel-6.4.1-1.el9.elrepo.aarch64.rpm
runs-on: ubuntu-24.04-arm
runs-on: ubuntu-latest
container:
image: falcosecurity/driverkit:latest
steps:

36
.github/workflows/drivers_ci.yml vendored
View File

@ -39,7 +39,7 @@ jobs:
# This job run all engine tests and scap-open
test-scap:
name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
needs: paths-filter
strategy:
matrix:
@ -73,7 +73,7 @@ jobs:
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
run: |
mkdir -p build
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On -DUSE_ASAN=On -DUSE_UBSAN=On ../
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
make scap-open driver bpf libscap_test -j6
- name: Run scap-open with modern bpf 🏎️
@ -102,13 +102,6 @@ jobs:
cd build
sudo ./test/libscap/libscap_test
- name: Validate scap-open with modern bpf
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: Andreagit97/bpfvalidator@v0.3.0
with:
args: |
--config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
test-drivers:
name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
@ -177,7 +170,7 @@ jobs:
- name: Build and test drivers on ppc64le node via ssh
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: appleboy/ssh-action@2ead5e36573f08b82fbfce1504f1a4b05a647c6f # v1.2.2
uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
with:
host: ${{ secrets.PPC64LE_HOST }}
username: ${{ secrets.PPC64LE_USERNAME }}
@ -187,12 +180,10 @@ jobs:
command_timeout: 60m
script: |
sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
# Remove, if present, any libs clone created by a previous job run.
rm -rf libs
git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
cd libs
mkdir -p build
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF -DUSE_BUNDLED_LIBELF=OFF ../
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
make drivers_test driver bpf -j6
sudo ./test/drivers/drivers_test -m
rc_modern=$?
@ -213,7 +204,7 @@ jobs:
with:
fetch-depth: 0
- uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
- uses: uraimo/run-on-arch-action@5397f9e30a9b62422f302092631c99ae1effcd9e # v2.8.1
name: Run s390x build 🏗️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
with:
@ -222,16 +213,15 @@ jobs:
githubToken: ${{ github.token }}
install: |
apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev libcap-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-generic
apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic
git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
cd bpftool
git submodule update --init
cd src && make install
cd ../../
git clone https://github.com/libbpf/libbpf.git --branch v1.3.0 --single-branch
cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install install_uapi_headers
cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
ln -s /usr/include/bpf /usr/include/s390x-linux-gnu/
# Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
@ -245,7 +235,7 @@ jobs:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: 'ubuntu-latest'
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
container: fedora:41
container: fedora:latest
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build dependencies
@ -262,7 +252,7 @@ jobs:
make ProbeSkeleton -j6
- name: Upload skeleton
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: bpf_probe_x86_64.skel.h
path: skeleton-build/skel_dir/bpf_probe.skel.h
@ -287,7 +277,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Download skeleton
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: bpf_probe_x86_64.skel.h
path: /tmp
@ -329,13 +319,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Download X64 matrix
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: matrix_X64
path: matrix_X64
- name: Download ARM64 matrix
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: matrix_ARM64
path: matrix_ARM64
@ -355,7 +345,7 @@ jobs:
echo ""
- name: Upload PR info as artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: pr-kernel-testing
path: pr/

15
.github/workflows/e2e_ci.yml vendored
View File

@ -35,6 +35,7 @@ jobs:
clang \
llvm \
git \
clang \
ccache \
llvm \
pkg-config \
@ -43,14 +44,18 @@ jobs:
libtool \
libelf-dev \
wget \
libc-ares-dev \
libbpf-dev \
libcap-dev \
libcurl4-openssl-dev \
libssl-dev \
libtbb-dev \
libjq-dev \
libjsoncpp-dev \
libgrpc++-dev \
protobuf-compiler-grpc \
libgtest-dev \
libprotobuf-dev \
protobuf-compiler \
linux-headers-$(uname -r)
sudo .github/install-deps.sh
git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
@ -64,7 +69,7 @@ jobs:
sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
- name: Run sccache-cache
uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
uses: mozilla-actions/sccache-action@054db53350805f83040bf3e6e9b8cf5a139aa7c9 # v0.0.7
- name: Build e2e tests 🏗️
env:
@ -90,7 +95,7 @@ jobs:
cd ..
- name: Cache build
uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
if: always()
id: cache
with:
@ -114,7 +119,7 @@ jobs:
- name: Restore build
id: cache
uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: build
key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
@ -166,4 +171,4 @@ jobs:
UBSAN_OPTIONS: print_stacktrace=1
run: |
cd build/test/libsinsp_e2e/
sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok
sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }} --gtest_filter=-sys_call_test.quotactl_ok

2
.github/workflows/format.yml vendored
View File

@ -32,7 +32,7 @@ jobs:
- name: Upload the git diff artifact 📦
if: failure()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: format_diff.patch
path: ./format_diff.patch

28
.github/workflows/latest-kernel.yml vendored
View File

@ -44,7 +44,7 @@ jobs:
echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT
- name: Upload driverkit config
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: driverkit_config.yaml
path: linux/dk.yaml
@ -56,19 +56,16 @@ jobs:
runs-on: 'ubuntu-latest'
steps:
- name: Download driverkit config
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: driverkit_config.yaml
- name: Download latest driverkit artifact
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
with:
fileName: driverkit_*_linux_amd64.tar.gz
latest: true
repository: falcosecurity/driverkit
tarBall: false
zipBall: false
extract: true
name: driverkit-amd64
workflow: release.yml
repo: falcosecurity/driverkit
- name: Test drivers build
id: build
@ -84,19 +81,16 @@ jobs:
runs-on: 'ubuntu-22.04-arm'
steps:
- name: Download driverkit config
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: driverkit_config.yaml
- name: Download latest driverkit artifact
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
with:
fileName: driverkit_*_linux_arm64.tar.gz
latest: true
repository: falcosecurity/driverkit
tarBall: false
zipBall: false
extract: true
name: driverkit-arm64
workflow: release.yml
repo: falcosecurity/driverkit
- name: Test drivers build
id: build

12
.github/workflows/pages.yml vendored
View File

@ -28,7 +28,7 @@ jobs:
uses: ./.github/actions/composite-perf
- name: Archive master perf report
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: perf_report
retention-days: 30 # 30 days because this is the artifact on master; we need to retain it to be able to properly diff it
@ -72,7 +72,7 @@ jobs:
rm -rf stacks.txt
- name: Upload svg files
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: perf_svg
path: '*.svg'
@ -88,7 +88,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Download matrix X64
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: matrix_X64
@ -96,7 +96,7 @@ jobs:
run: mv matrix.md docs/matrix_X64.md
- name: Download matrix ARM64
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: matrix_ARM64
@ -109,7 +109,7 @@ jobs:
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_ARM64.md
- name: Download perf svg files
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: perf_svg
@ -128,7 +128,7 @@ jobs:
echo '<object data="../heaptrack_scap.svg" type="image/svg+xml" id="heaptrack_scap_file"></object>' > docs/heaptrack_scap_file.md
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_scap_file.md
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: 3.x

6
.github/workflows/perf.yml vendored
View File

@ -27,7 +27,7 @@ jobs:
uses: ./.github/actions/composite-perf
- name: Download latest master report
uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
with:
branch: master
event: push
@ -56,7 +56,7 @@ jobs:
python3 google-benchmark/tools/compare.py --no-color benchmarks gbench_data.json ${{ steps.perf.outputs.gbench_json }} &> gbench_diff.txt
- name: Archive perf diff
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: perf_diff
path: '*_diff.txt'
@ -96,7 +96,7 @@ jobs:
echo ""
- name: Upload PR info as artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: pr-perf
path: pr/

29
.github/workflows/release-body.yml vendored
View File

@ -98,7 +98,7 @@ jobs:
echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
- name: Release
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
with:
body_path: ./release-body.md
tag_name: ${{ github.event.release.tag_name }}
@ -135,29 +135,8 @@ jobs:
echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
echo "" >> release-body.md
- name: Push badge to latest kernel release
run: |
wget https://gist.githubusercontent.com/FedeDP/1cbc5d42edf8e3a02fb75e76625f1072/raw/kernel.json
# 6.15-rc2 -> 6.15
# 6.10.6 -> 6.10
# 6.10 -> 6.10
KVER=$(cat kernel.json | jq '.message' | tr -d '"' | grep -oE -- '[0-9]+.[0-9]+')
SUCCESS=$(cat kernel.json | jq '.color' | tr -d '"')
# If latest run was not successful,
# revert back to previous kernel release.
# Of course, the fallback logic is bugged in case minor is 0,
# as we cannot know which was the previous version.
# It should not matter until kernel 7.0 :P
if [[ "$SUCCESS" = "red" ]]; then
n=${KVER//[!0-9]/ }
a=(${n//\./ })
KVER=$(echo "${a[0]}.$((a[1] - 1))")
fi
echo '!'"[Latest Compatible Kernel](https://img.shields.io/badge/KERNEL-${KVER}-brightgreen)" >> release-body.md
echo "" >> release-body.md
- name: Download matrix X64
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: matrix_X64
@ -165,7 +144,7 @@ jobs:
run: mv matrix.md matrix_X64.md
- name: Download matrix ARM64
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: matrix_ARM64
@ -203,7 +182,7 @@ jobs:
echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
- name: Release
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
with:
body_path: ./release-body.md
tag_name: ${{ github.event.release.tag_name }}

137
.github/workflows/reusable_e2e_tests.yaml vendored
View File

@ -1,137 +0,0 @@
name: Run libs e2e tests python framework
on:
workflow_call:
inputs:
container_plugin_artifact_name:
description: 'use a previously built custom container plugin; artifact name to be downloaded, or empty'
type: string
required: false
default: ''
test-docker:
description: "Whether to run tests with docker socket"
type: boolean
required: false
default: true
test-podman:
description: "Whether to run tests with podman socket"
type: boolean
required: false
default: true
libsversion:
description: 'libs version to be tested, eg: master'
type: string
required: false
default: 'master'
libsrepo:
description: 'libs repo to be tested, eg: falcosecurity/libs'
type: string
required: false
default: 'falcosecurity/libs'
jobs:
test-e2e:
if: inputs.test-docker || inputs.test-podman
strategy:
fail-fast: false
matrix:
name: [ system_deps, bundled_deps, asan ]
include:
- name: system_deps
cmake_opts: -DUSE_BUNDLED_DEPS=False
- name: bundled_deps
cmake_opts: -DUSE_BUNDLED_DEPS=True
- name: asan
cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
runs-on: ubuntu-24.04
steps:
- name: Install deps ⛓️
run: |
sudo apt-get update && sudo apt-get install -y --no-install-recommends \
ca-certificates \
cmake \
build-essential \
git \
clang \
llvm \
pkg-config \
autoconf \
automake \
libtool \
libelf-dev \
wget \
libbpf-dev \
libcap-dev \
libtbb-dev \
libjq-dev \
libjsoncpp-dev \
libgtest-dev \
libprotobuf-dev \
protobuf-compiler \
"linux-headers-$(uname -r)"
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
repository: ${{ inputs.libsrepo }}
ref: ${{ inputs.libsversion }}
- name: Install deps ⛓️
run: |
sudo .github/install-deps.sh
- name: Build tests 🏗️
run: |
mkdir -p build && cd build
cmake -DBUILD_BPF=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DBUILD_LIBSCAP_GVISOR=OFF \
-DENABLE_E2E_TESTS=ON \
${{ matrix.cmake_opts }} \
-DUSE_BUNDLED_LIBBPF=ON \
..
make -j$(nproc) sinsp-example driver bpf container_plugin
sudo -E make e2e-install-deps
- name: Download overriding custom container plugin
if: inputs.container_plugin_artifact_name != ''
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: ${{ inputs.container_plugin_artifact_name }}
path: build/test/e2e/container_plugin-prefix/src/container_plugin/
- name: Run tests - docker 🧪
if: inputs.test-docker
working-directory: build
run: |
sudo -E ../test/e2e/scripts/run_tests.sh
- name: Archive test reports - docker
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: inputs.test-docker && failure()
with:
name: ${{ matrix.name }}_docker_report
path: |
/tmp/report/
- name: Run tests - podman 🧪
if: inputs.test-podman && always()
working-directory: build
env:
# Set DOCKER_HOST pointing to podman socket
DOCKER_HOST: unix://run/podman/podman.sock
run: |
# Cleanup docker tests generated report folder
sudo rm -rf /tmp/report
# Podman tests require podman socket
sudo systemctl start podman
sudo -E ../test/e2e/scripts/run_tests.sh
- name: Archive test reports - podman
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: inputs.test-podman && failure()
with:
name: ${{ matrix.name }}_podman_report
path: |
/tmp/report/

4
.github/workflows/reusable_kernel_tests.yaml vendored
View File

@ -47,12 +47,12 @@ jobs:
libsrepo: ${{ inputs.libsrepo }}
build_matrix: 'true'
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ansible_output_${{matrix.architecture}}
path: ${{ steps.kernel_tests.outputs.ansible_output }}
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: matrix_${{matrix.architecture}}
path: ${{ steps.kernel_tests.outputs.matrix_output }}

4
.github/workflows/test_coverage_ci.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
- name: Install deps ⛓️
run: |
sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
sudo .github/install-deps.sh
- name: Build and test 🏗️🧪
@ -37,7 +37,7 @@ jobs:
gcovr --xml -o ./libsinsp.coverage.xml
- name: Upload to codecov
uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
with:
fail_ci_if_error: true
files: ./libsinsp.coverage.xml

2
.github/workflows/update-syscalls.yml vendored
View File

@ -24,7 +24,7 @@ jobs:
repo-root: ${{ github.workspace }}/libs
- name: Create Pull Request
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
path: libs
signoff: true

1
.gitignore vendored
View File

@ -28,4 +28,3 @@ cscope.out
tags
third_party
*.vagrant*
.DS_Store

13
CMakeLists.txt
View File

@ -53,15 +53,18 @@ endif()
project(falcosecurity-libs)
option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
option(MINIMAL_BUILD
"Produce a minimal build with only the essential features (no container metadata)" OFF
)
option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
option(USE_BUNDLED_DRIVER
"Use the driver/ subdirectory in the build process (only available in Linux)" ON
)
option(ENABLE_E2E_TESTS "Enable e2e tests" OFF)
option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf)" OFF)
option(ENABLE_LIBSCAP_TESTS "Enable libscap unit tests" OFF)
option(ENABLE_LIBSINSP_E2E_TESTS "Enable libsinsp e2e tests" OFF)
option(BUILD_SHARED_LIBS "Build libscap and libsinsp as shared libraries" OFF)
option(ENABLE_VM_TESTS "Enable driver sanity tests" OFF)
option(USE_ASAN "Build with AddressSanitizer" OFF)
option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
option(USE_TSAN "Build with ThreadSanitizer" OFF)
@ -126,9 +129,7 @@ if(CREATE_TEST_TARGETS)
# ctest's add_test because it will build the code and output to stdout.
add_custom_target(run-unit-tests COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp)
if(ENABLE_E2E_TESTS)
add_subdirectory(test/e2e)
endif()
add_subdirectory(test/e2e)
if(ENABLE_DRIVERS_TESTS)
add_subdirectory(test/drivers)
@ -144,6 +145,10 @@ if(CREATE_TEST_TARGETS)
add_subdirectory(test/libsinsp_e2e/resources)
endif()
if(ENABLE_VM_TESTS)
add_subdirectory(test/vm)
endif()
endif()
option(ENABLE_BENCHMARKS "Enable Benchmarks" OFF)

6
CMakePresets.json
View File

@ -33,13 +33,13 @@
{
"name": "sinsp-minimal",
"inherits": "base",
"displayName": "Build minimal sinsp",
"description": "Build sinsp without gvisor and protobuf deps",
"displayName": "Build sinsp in minimal build",
"description": "Build sinsp in minimal build with its tests",
"binaryDir": "${sourceDir}/build-sinsp-minimal",
"cacheVariables": {
"USE_BUNDLED_DEPS": "ON",
"BUILD_LIBSCAP_GVISOR": "OFF",
"CREATE_TEST_TARGETS": "ON",
"MINIMAL_BUILD": "ON",
"SCAP_FILES_SUITE_ENABLE": "OFF"
}
}

3
OWNERS
View File

@ -7,11 +7,10 @@ approvers:
- molter73
- lucaguerra
- jasondellaluce
- ekoops
- incertum
reviewers:
- hbrueckner
emeritus_approvers:
- fntlnz
- leodido
- ldegio
- incertum

44
README.md
View File

@ -11,7 +11,7 @@ This repository contains **libsinsp**, **libscap**, the **kernel module** and th
These components are at the foundation of [Falco](https://github.com/falcosecurity/falco) and other projects that work with the same kind of data.
This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to Falco's [official documentation](https://falco.org/docs/).
This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to the [official documentation](https://falco.org/docs/).
An image is worth a thousand words, they say:
@ -104,13 +104,13 @@ If you are building this project outside of a Git working directory, or if you w
<details>
<summary>Expand Build Instructions</summary>
For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in Falco's [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in the [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
The project utilizes the `cmake` build system, and the key `make` targets are as follows:
* `driver` -> build the kmod
* `bpf` -> build the legacy `ebpf` probe
* `scap` -> build libscap (`modern_ebpf` driver will be bundled into `scap` if enabled)
* `bpf` -> build the eBPF probe
* `scap` -> build libscap (`modern_bpf` driver will be bundled into `scap` if enabled)
* `sinsp` -> build libsinsp (depends upon `scap` target)
* `scap-open` -> build a small example binary for `libscap` to test the drivers (dependent on `scap`)
* `sinsp-example` -> build a small example binary for `libsinsp` to test the drivers and/or `libsinsp` functionality (dependent on `scap` and `sinsp`)
@ -135,7 +135,7 @@ make sinsp
### Build userspace using system deps
To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to Falco's [official documentation](https://falco.org/docs/install-operate/source/).
To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to the [official documentation](https://falco.org/docs/install-operate/source/).
```bash
cmake -DUSE_BUNDLED_DEPS=OFF ../;
@ -146,27 +146,29 @@ make sinsp
### Build driver - kmod
To build the kmod driver, you need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
To build the kmod driver, you need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
```bash
make driver
# Verify the kmod binary object file was created, uses `.ko` extension.
# Verify the kmod object code was created, uses `.ko` extension.
ls -l driver/src/scap.ko;
```
### Build driver - eBPF probe
To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
```bash
cmake -DBUILD_BPF=ON ../;
make bpf
# Verify the eBPF bytecode file was created, uses `.o` extension.
# Verify the eBPF object code was created, uses `.o` extension.
ls -l driver/bpf/probe.o;
```
>__WARNING__: **clang-7** is the oldest supported version to build our BPF probe.
Initial guidance for CI and building within containers: To build either the kmod or eBPF probe in a container, you will need to make the extracted kernel headers available. The [test/vm](test/vm/) directory contains example [scripts](test/vm/scripts/compile_drivers.sh) demonstrating how to pass them to the `make` command using the argument `KERNELDIR=${EXTRACTED_KERNEL_HEADERS_DIR}`. You can also use the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) or explore the scripts within the driverkit repository. The mentioned resources also provide candidate builder containers.
### Build driver - modern eBPF probe
To build the modern eBPF probe, further prerequisites are necessary:
@ -191,13 +193,13 @@ To build the modern eBPF probe, further prerequisites are necessary:
> __NOTE:__ These are not the requirements to use the modern BPF probe, but rather for building it from source.
Regarding the previously discussed legacy eBPF driver, it generates kernel-specific bytecode (`driver/bpf/probe.o`) tailored to your machine's kernel release (`uname -r`). The location of the bytecode file can then be passed as an argument for testing with the `scap-open` and `sinsp-example` binaries.
Regarding the previously discussed bpf drivers, they create a kernel-specific object code (`driver/bpf/probe.o`) for your machine's kernel release (`uname -r`). This object code is then used as an argument for testing with `scap-open` and `sinsp-example` binaries.
However, the modern eBPF driver build process doesn't require kernel headers, and it isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern eBPF driver.
However, the modern BPF driver operates differently. It doesn't require kernel headers, and its build isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8.
CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8. The way the driver interprets kernel data structures without direct knowledge of the running kernel is not magic — it leverages predefined type information and BTF-based relocations. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file containing essential kernel data structure definitions, allowing the eBPF program to reference fields dynamically. Additionally, for cases where macros or functions from system headers are required, we redefine them in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h). Combined with CO-RE (Compile Once, Run Everywhere), this enables the driver to remain portable across different kernel versions.
To comprehend how the driver understands kernel data structures without knowledge of the kernel it runs on, there's no black magic involved. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file in our project containing all necessary kernel data structure definitions. Additionally, we sometimes rely on macros or functions typically found in system header files, which we redefine in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h).
The modern eBPF driver build process produces an eBPF header skeleton file using `bpftool`. The skeleton file is a C header file that embeds the compiled eBPF program as bytecode.
That being said, the modern BPF driver still produces an object file, which you can create using the target below. Nevertheless, we ultimately include it in `scap` regardless. Hence, when modern BPF is enabled, building `scap` will already cover this step for you.
```bash
cmake \
@ -205,15 +207,13 @@ cmake \
-DBUILD_LIBSCAP_MODERN_BPF=ON ../;
make ProbeSkeleton
# Verify the modern eBPF bytecode / final composed header file including all `.o` modern_ebpf files was created, uses `.h` extension.
# Verify the modern eBPF object code / final composed header file including all `.o` modern_bpf files was created, uses `.h` extension.
ls -l skel_dir/bpf_probe.skel.h;
# Now includes skel_dir/bpf_probe.skel.h in `scap` during the linking process.
make scap
```
Since modern eBPF is included in `scap`, running `make scap` automatically covers the `make ProbeSkeleton` build step.
You can also split the build process and specify the directory containing the `bpf_probe.skel.h` file.
Initial guidance for CI and building within containers: The Falco Project, for instance, compiles the final Falco userspace binary within older centos7 [falco-builder](https://falco.org/docs/install-operate/source/#build-using-falco-builder-container) containers with bundled dependencies. This ensures compatibility across supported systems, mainly due to GLIBC versions and other intricacies. However, you won't be able to compile the modern BPF driver on such old systems or builder containers. One solution is to build `skel_dir/bpf_probe.skel.h` in a more recent builder container. For example, you can refer to this [container](test/vm/containers/ubuntu2310.Dockerfile) as a guide. Subsequently, you can provide the modern BPF header file as an artifact to `scap` during building in an older builder container. As an illustrative example, we use `/tmp/skel-dir` containing the `bpf_probe.skel.h` file.
```bash
cmake \
@ -243,7 +243,7 @@ This repository includes convenient test example binaries for both `scap` and `s
When developing new features, you would run either one depending on what you're working on, in order to test and validate your changes.
> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern eBPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern BPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
Here's an example of a `cmake` command that will enable everything you need for all tests and components. By default, the following flags are disabled, with the exception of `USE_BUNDLED_DEPS` and `CREATE_TEST_TARGETS` (they are enabled by default).
@ -259,7 +259,8 @@ cmake \
-DCREATE_TEST_TARGETS=ON \
-DENABLE_LIBSCAP_TESTS=ON \
-DENABLE_DRIVERS_TESTS=ON \
-DENABLE_LIBSINSP_E2E_TESTS=ON ../;
-DENABLE_LIBSINSP_E2E_TESTS=ON \
-DENABLE_VM_TESTS=ON ../;
```
> __NOTE:__ The `ENABLE_LIBSINSP_E2E_TESTS` flag enables the new e2e tests for libsinsp. Please keep in mind these tests are currently in heavy development and need some extra steps (see in the section below) to run correctly.
@ -301,10 +302,9 @@ sudo ./test/drivers/drivers_test -m;
The tests mentioned below expand beyond the scope of "unit tests". In this context as well, we are dedicated to making sure they run smoothly on your `localhost` for pre-PR testing, to the best of our ability:
- [test/e2e](test/e2e) - enforced by our CI
- [test/vm](test/vm) - our CI includes comparable tests, but it employs a distinct framework. For current status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
For current status reports on the CI powered Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
In general, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
As mentioned earlier, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
### [EXPERIMENTAL] Run libsinsp e2e tests

16
benchmark/libsinsp/utils.cpp
View File

@ -53,3 +53,19 @@ static void BM_sinsp_concatenate_paths_absolute_path(benchmark::State& state) {
}
}
BENCHMARK(BM_sinsp_concatenate_paths_absolute_path);
static void BM_sinsp_split_container_image(benchmark::State& state) {
for(auto _ : state) {
std::string container_image =
"localhost:12345/library/"
"busybox:1.27.2@sha256:da39a3ee5e6b4b0d3255bfef95601890afd80709";
std::string hostname, port, name, tag, digest;
sinsp_utils::split_container_image(container_image, hostname, port, name, tag, digest);
benchmark::DoNotOptimize(hostname);
benchmark::DoNotOptimize(port);
benchmark::DoNotOptimize(name);
benchmark::DoNotOptimize(tag);
benchmark::DoNotOptimize(digest);
}
}
BENCHMARK(BM_sinsp_split_container_image);

40
cmake/modules/BuildPkgConfigDependencies.cmake
View File

@ -3,7 +3,6 @@
# libsinsp.pc (which requires libscap.pc and pulls them in that way)
function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
message(DEBUG "[add_pkgconfig_library] processing lib \"${lib}\"")
# if it's not a target, it doesn't have dependencies we know or care about
if(NOT TARGET ${lib})
return()
@ -15,26 +14,14 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
return()
endif()
message(DEBUG "[add_pkgconfig_library] LINK_LIBRARIES property: \"${PKGCONFIG_LIBRARIES}\"")
get_property(
target_type
TARGET ${lib}
PROPERTY TYPE
)
message(DEBUG "[add_pkgconfig_library] ignored list: \"${ignored}\"")
foreach(dep ${PKGCONFIG_LIBRARIES})
# XXX: We use a (very) loose match as we are potentially comparing absolute library file
# names (dep) to pkg-config library names to be ignored. The only alternative I can think
# of would be to maintain a map associating pkg-config names to their library file name.
get_filename_component(dep_base ${dep} NAME_WE)
string(REGEX REPLACE "^lib" "" dep_name ${dep_base})
# For CMake imported targets, keep only the suffix, e.g. gRPC::grpc -> grpc.
string(REGEX REPLACE "[^:]*::" "" dep_name ${dep_base})
message(DEBUG "[add_pkgconfig_library] processing dep ${dep}")
string(FIND "${ignored}" "${dep_name}" find_result)
if(NOT ${find_result} EQUAL -1)
message(DEBUG "[add_pkgconfig_library] \"${dep}\" ignored")
# ignore dependencies in the list ${ignored}
if(${dep} IN_LIST "${ignored}")
continue()
endif()
@ -47,7 +34,7 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
TARGET ${dep}
PROPERTY TYPE
)
if(NOT ${dep_target_type} STREQUAL "SHARED_LIBRARY")
if(${dep_target_type} STREQUAL "STATIC_LIBRARY")
continue()
endif()
else()
@ -65,27 +52,6 @@ function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
if(NOT TARGET ${dep})
get_filename_component(filename ${dep} NAME)
set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
else()
get_property(
dep_target_type
TARGET ${dep}
PROPERTY TYPE
)
if(${dep_target_type} STREQUAL "OBJECT_LIBRARY")
# skip object libraries
continue()
endif()
# if the library is imported, use the IMPORTED_LOCATION instead
get_property(
dep_imported_location
TARGET ${dep}
PROPERTY IMPORTED_LOCATION
)
if(NOT ${dep_imported_location} STREQUAL "")
get_filename_component(filename ${dep_imported_location} NAME)
set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
endif()
endif()
endif()

9
cmake/modules/CompilerFlags.cmake
View File

@ -33,6 +33,11 @@ if(NOT MSVC)
set(FALCOSECURITY_LIBS_COMMON_FLAGS "-Wall -ggdb")
set(FALCOSECURITY_LIBS_DEBUG_FLAGS "-Og -D_DEBUG")
set(FALCOSECURITY_LIBS_RELEASE_FLAGS "-O3 -fno-strict-aliasing -DNDEBUG")
if(MINIMAL_BUILD)
set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -DMINIMAL_BUILD")
endif()
if(MUSL_OPTIMIZED_BUILD)
set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -static -Os")
endif()
@ -116,8 +121,10 @@ if(NOT MSVC)
add_definitions(-D__STDC_FORMAT_MACROS)
else() # MSVC
set(MINIMAL_BUILD ON)
set(FALCOSECURITY_LIBS_COMMON_FLAGS
"-D_CRT_SECURE_NO_WARNINGS -DWIN32 /EHsc /W3 /Zi /std:c++17"
"-D_CRT_SECURE_NO_WARNINGS -DWIN32 -DMINIMAL_BUILD /EHsc /W3 /Zi /std:c++17"
)
if(CMAKE_VERSION VERSION_LESS 3.15.0)
set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")

76
cmake/modules/cares.cmake Normal file
View File

@ -0,0 +1,76 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
if(CARES_INCLUDE)
# we already have c-ares
elseif(NOT USE_BUNDLED_CARES)
find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
find_library(CARES_LIB NAMES cares)
if(CARES_INCLUDE AND CARES_LIB)
message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
else()
message(FATAL_ERROR "Couldn't find system c-ares")
endif()
else()
if(BUILD_SHARED_LIBS)
set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
set(CARES_STATIC_OPTION "Off")
else()
set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
set(CARES_STATIC_OPTION "On")
endif()
set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
set(CARES_INCLUDE "${CARES_SRC}/include/")
set(CARES_LIB "${CARES_SRC}/lib/libcares${CARES_LIB_SUFFIX}")
if(NOT TARGET c-ares)
message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
ExternalProject_Add(
c-ares
PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
URL "https://github.com/c-ares/c-ares/releases/download/v1.33.1/c-ares-1.33.1.tar.gz"
URL_HASH "SHA256=06869824094745872fa26efd4c48e622b9bd82a89ef0ce693dc682a23604f415"
BUILD_IN_SOURCE 1
CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DCARES_SHARED=${BUILD_SHARED_LIBS}
-DCARES_STATIC=${CARES_STATIC_OPTION}
-DCARES_STATIC_PIC=${ENABLE_PIC}
-DCARES_BUILD_TOOLS=Off
-DCARES_INSTALL=Off
BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
INSTALL_COMMAND ""
)
install(
FILES "${CARES_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${CARES_INCLUDE}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
endif()
endif()
if(NOT TARGET c-ares)
add_custom_target(c-ares)
endif()
include_directories("${CARES_INCLUDE}")

44
cmake/modules/container_plugin.cmake
View File

@ -1,44 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2025 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
include(ExternalProject)
string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
set(CONTAINER_LIBRARY
"${CMAKE_CURRENT_BINARY_DIR}/container_plugin-prefix/src/container_plugin/libcontainer.so"
)
if(NOT CONTAINER_VERSION)
set(CONTAINER_VERSION "0.3.4")
endif()
if(NOT CONTAINER_HASH)
if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
set(CONTAINER_HASH "658f96c4b4a56d1bf945a788d60571076f808ae1bcc877c4ba3625b0fd752d8d")
else() # arm64
set(CONTAINER_HASH "34a153aca0164843a169193aba092a3063b24bca9ef80fd4f1d1f1919aba3bde")
endif()
endif()
if(NOT TARGET container_plugin)
message(STATUS "Fetching container plugin ${CONTAINER_VERSION} in '${CONTAINER_LIBRARY}'")
ExternalProject_Add(
container_plugin
URL "https://download.falco.org/plugins/stable/container-${CONTAINER_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
URL_HASH "SHA256=${CONTAINER_HASH}"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""
)
endif()

100
cmake/modules/curl.cmake Normal file
View File

@ -0,0 +1,100 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
include(openssl)
include(zlib)
if(CURL_INCLUDE_DIRS)
# we already have curl
elseif(NOT USE_BUNDLED_CURL)
find_package(CURL REQUIRED)
message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
else()
if(BUILD_SHARED_LIBS)
set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
set(CURL_STATIC_OPTION)
else()
set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
set(CURL_STATIC_OPTION --disable-shared)
endif()
set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
if(NOT USE_BUNDLED_OPENSSL)
set(CURL_SSL_OPTION "--with-ssl")
else()
set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
endif()
if(NOT USE_BUNDLED_ZLIB)
set(CURL_ZLIB_OPTION "--with-zlib")
else()
set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
endif()
message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
if(NOT ENABLE_PIC)
set(CURL_PIC_OPTION)
else()
set(CURL_PIC_OPTION "--with-pic")
endif()
if(NOT TARGET curl)
ExternalProject_Add(
curl
PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
DEPENDS openssl zlib
URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
CONFIGURE_COMMAND
./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION}
${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http
--disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp
--disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb
--disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp
--without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls
--without-librtmp --without-winidn --without-libidn2 --without-libpsl
--without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/
--disable-threaded-resolver --without-brotli --without-zstd
BUILD_COMMAND make
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${CURL_LIBRARIES}
INSTALL_COMMAND ""
)
install(
FILES "${CURL_LIBRARIES}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${CURL_INCLUDE_DIRS}curl"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
FILES_MATCHING
PATTERN "*.h"
)
endif()
endif()
if(NOT TARGET curl)
add_custom_target(curl)
endif()
include_directories("${CURL_INCLUDE_DIRS}")

5
cmake/modules/engine_config.cmake
View File

@ -23,7 +23,10 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
endif()
# gVisor is currently only supported on Linux x86_64
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux")
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64"
AND CMAKE_SYSTEM_NAME MATCHES "Linux"
AND NOT MINIMAL_BUILD
)
option(BUILD_LIBSCAP_GVISOR "Build gVisor support" ON)
if(BUILD_LIBSCAP_GVISOR)
set(HAS_ENGINE_GVISOR On)

274
cmake/modules/grpc.cmake Normal file
View File

@ -0,0 +1,274 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
if(GRPC_INCLUDE)
# we already have grpc
elseif(NOT USE_BUNDLED_GRPC)
# gRPC
find_package(gRPC CONFIG)
if(gRPC_FOUND)
message(STATUS "Using gRPC ${gRPC_VERSION}")
set(GPR_LIB gRPC::gpr)
set(GRPC_LIB gRPC::grpc)
set(GRPCPP_LIB gRPC::grpc++)
# gRPC C++ plugin
get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
if(NOT GRPC_CPP_PLUGIN)
message(FATAL_ERROR "System grpc_cpp_plugin not found")
endif()
# gRPC include dir + properly handle grpc{++,pp}
get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
find_path(
GRPCXX_INCLUDE
NAMES grpc++/grpc++.h
PATHS ${GRPC_INCLUDE}
)
if(NOT GRPCXX_INCLUDE)
find_path(
GRPCPP_INCLUDE
NAMES grpcpp/grpcpp.h
PATHS ${GRPC_INCLUDE}
)
add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
endif()
else()
# Fallback to manually find libraries; Some distro, namely Ubuntu focal, do not install gRPC
# config cmake module
find_library(GPR_LIB NAMES gpr)
if(GPR_LIB)
message(STATUS "Found gpr lib: ${GPR_LIB}")
else()
message(FATAL_ERROR "Couldn't find system gpr")
endif()
find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
if(GRPCXX_INCLUDE)
set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
else()
find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
endif()
find_library(GRPC_LIB NAMES grpc)
find_library(GRPCPP_LIB NAMES grpc++)
if(GRPC_INCLUDE
AND GRPC_LIB
AND GRPCPP_LIB
)
message(
STATUS
"Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}"
)
else()
message(FATAL_ERROR "Couldn't find system grpc")
endif()
find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
if(NOT GRPC_CPP_PLUGIN)
message(FATAL_ERROR "System grpc_cpp_plugin not found")
endif()
endif()
else()
include(cares)
include(protobuf)
include(zlib)
include(openssl)
if(BUILD_SHARED_LIBS)
set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
else()
set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
endif()
include(re2)
set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
set(GRPC_INCLUDE "${GRPC_INSTALL_DIR}/include" "${GRPC_SRC}/third_party/abseil-cpp")
set(GPR_LIB "${GRPC_SRC}/libgpr.a")
set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
set(GRPC_MAIN_LIBS "")
list(
APPEND
GRPC_MAIN_LIBS
"${GPR_LIB}"
"${GRPC_LIB}"
"${GRPCPP_LIB}"
"${GRPC_SRC}/libgrpc++_alts.a"
"${GRPC_SRC}/libgrpc++_error_details.a"
"${GRPC_SRC}/libgrpc++_reflection.a"
"${GRPC_SRC}/libgrpc++_unsecure.a"
"${GRPC_SRC}/libgrpc_plugin_support.a"
"${GRPC_SRC}/libgrpc_unsecure.a"
"${GRPC_SRC}/libgrpcpp_channelz.a"
)
get_filename_component(PROTOC_DIR ${PROTOC} PATH)
if(NOT TARGET grpc)
message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP
# cmakefiles) into target_link_libraries later note: the list below is manually generated
# starting from the output of pkg-config --libs grpc++
set(GRPC_LIBRARIES "")
list(
APPEND
GRPC_LIBRARIES
"${GRPC_SRC}/libaddress_sorting.a"
"${GRPC_SRC}/libupb.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
)
# Make abseil-cpp build compatible with gcc-13 See
# https://patchwork.yoctoproject.org/project/oe/patch/20230518093301.2938164-1-Martin.Jansa@gmail.com/
# TO BE DROPPED once we finally upgrade grpc...
set(GRPC_PATCH_CMD
sh
-c
"sed -i '20s/^/#include <cstdint>/' ${GRPC_SRC}/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h"
)
# Zig workaround: Add a PATCH_COMMAND to grpc cmake to fixup emitted -march by abseil-cpp
# cmake module, making it use a name understood by zig for arm64. See
# https://github.com/abseil/abseil-cpp/blob/master/absl/copts/GENERATED_AbseilCopts.cmake#L226.
if(CMAKE_C_COMPILER MATCHES "zig")
message(STATUS "Enabling zig workaround for abseil-cpp")
set(GRPC_PATCH_CMD
${GRPC_PATCH_CMD}
&&
sh
-c
"sed -i 's/armv8-a/cortex_a57/g' ${GRPC_SRC}/third_party/abseil-cpp/absl/copts/GENERATED_AbseilCopts.cmake"
)
endif()
ExternalProject_Add(
grpc
PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
DEPENDS openssl protobuf c-ares zlib re2
GIT_REPOSITORY https://github.com/grpc/grpc.git
GIT_TAG v1.44.0
GIT_SUBMODULES "third_party/abseil-cpp"
CMAKE_CACHE_ARGS
-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
-DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE}
-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=${ENABLE_PIC}
-DgRPC_INSTALL:BOOL=OFF
# disable unused stuff
-DgRPC_BUILD_TESTS:BOOL=OFF
-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
# deps provided by us
# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
-DgRPC_CARES_PROVIDER:STRING=package
-Dc-ares_DIR:PATH=${CARES_SRC}
-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
-Dc-ares_LIBRARY:PATH=${CARES_LIB}
# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
-DgRPC_PROTOBUF_PROVIDER:STRING=package
-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
-DgRPC_SSL_PROVIDER:STRING=package
-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
-DgRPC_ZLIB_PROVIDER:STRING=package
-DZLIB_ROOT:STRING=${ZLIB_SRC}
# RE2
-DgRPC_RE2_PROVIDER:STRING=package
-Dre2_DIR:PATH=${RE2_DIR}
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
# Keep installation files into the local ${GRPC_INSTALL_DIR} since here is the case when
# we are embedding gRPC
UPDATE_COMMAND ""
PATCH_COMMAND ${GRPC_PATCH_CMD}
INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
)
install(
FILES ${GRPC_MAIN_LIBS}
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
FILES ${GRPC_LIBRARIES}
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${GRPC_SRC}/target/include/"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
endif()
endif()
if(NOT TARGET grpc)
add_custom_target(grpc)
endif()
include_directories("${GRPC_INCLUDE}")

4
cmake/modules/libbpf.cmake
View File

@ -23,7 +23,7 @@ elseif(NOT USE_BUNDLED_LIBBPF)
find_path(LIBBPF_INCLUDE bpf/libbpf.h)
find_library(LIBBPF_LIB NAMES bpf)
if(LIBBPF_INCLUDE AND LIBBPF_LIB)
add_library(lbpf STATIC IMPORTED GLOBAL)
add_library(lbpf STATIC IMPORTED)
set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
@ -64,7 +64,7 @@ else()
BUILD_BYPRODUCTS ${LIBBPF_LIB}
)
add_library(lbpf STATIC IMPORTED GLOBAL)
add_library(lbpf STATIC IMPORTED)
set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
file(MAKE_DIRECTORY ${LIBBPF_INCLUDE}) # necessary to make target_include_directories() work
target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)

4
cmake/modules/libelf.cmake
View File

@ -54,9 +54,9 @@ elseif(NOT USE_BUNDLED_LIBELF)
endif()
if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
add_library(elf SHARED IMPORTED GLOBAL)
add_library(elf SHARED IMPORTED)
else()
add_library(elf STATIC IMPORTED GLOBAL)
add_library(elf STATIC IMPORTED)
endif()
set_target_properties(elf PROPERTIES IMPORTED_LOCATION ${LIBELF_LIB})

17
cmake/modules/libscap.cmake
View File

@ -91,6 +91,16 @@ if(NOT HAVE_LIBSCAP)
endif()
endforeach()
set(libscap_link_flags)
set(libscap_link_libdirs "")
add_pkgconfig_dependency(libscap_link_libdirs libscap_link_flags scap "")
string(REPLACE ";" " " LIBSCAP_LINK_LIBRARIES_FLAGS "${libscap_link_flags}")
string(REPLACE ";" " " LIBSCAP_LINK_LIBDIRS_FLAGS "${libscap_link_libdirs}")
configure_file(
${LIBS_DIR}/userspace/libscap/libscap.pc.in ${PROJECT_BINARY_DIR}/libscap/libscap.pc @ONLY
)
install(
TARGETS ${LIBSCAP_INSTALL_LIBS}
ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
@ -122,13 +132,6 @@ if(NOT HAVE_LIBSCAP)
FILES_MATCHING
PATTERN "*.h"
)
if(USE_BUNDLED_UTHASH)
install(FILES ${UTHASH_INCLUDE}/uthash.h
DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
)
endif()
install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h
DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
)

17
cmake/modules/libsinsp.cmake
View File

@ -32,6 +32,14 @@ if(NOT HAVE_LIBSINSP)
if(NOT EMSCRIPTEN)
include(tbb)
endif()
if(NOT WIN32
AND NOT APPLE
AND NOT MINIMAL_BUILD
AND NOT EMSCRIPTEN
)
include(cares)
include(curl)
endif()
include(jsoncpp)
include(valijson)
include(re2)
@ -50,6 +58,15 @@ if(NOT HAVE_LIBSINSP)
list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE})
endif()
if(NOT USE_BUNDLED_CURL
AND NOT WIN32
AND NOT APPLE
AND NOT MINIMAL_BUILD
AND NOT EMSCRIPTEN
)
list(APPEND LIBSINSP_INCLUDE_DIRS ${CURL_INCLUDE_DIRS})
endif()
function(set_sinsp_target_properties target)
set_target_properties(
${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}

81
cmake/modules/openssl.cmake Normal file
View File

@ -0,0 +1,81 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
if(OPENSSL_INCLUDE_DIR)
# we already have openssl
elseif(NOT USE_BUNDLED_OPENSSL)
find_package(OpenSSL REQUIRED)
message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
else()
if(BUILD_SHARED_LIBS)
set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
set(OPENSSL_SHARED_OPTION shared)
else()
set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
set(OPENSSL_SHARED_OPTION no-shared)
endif()
set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
if(NOT TARGET openssl)
if(NOT ENABLE_PIC)
set(OPENSSL_PIC_OPTION)
else()
set(OPENSSL_PIC_OPTION "-fPIC")
endif()
message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
ExternalProject_Add(
openssl
PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION}
--prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
BUILD_COMMAND make
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
INSTALL_COMMAND make install_sw
)
install(
FILES "${OPENSSL_LIBRARY_SSL}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
FILES "${OPENSSL_LIBRARY_CRYPTO}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${OPENSSL_INCLUDE_DIR}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
endif()
endif()
if(NOT TARGET openssl)
add_custom_target(openssl)
endif()
include_directories("${OPENSSL_INCLUDE_DIR}")

9
cmake/modules/protobuf.cmake
View File

@ -58,9 +58,8 @@ else()
else()
set(PROTOBUF_PIC_OPTION "--with-pic=yes")
endif()
# Match both release and relwithdebinfo builds
if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
set(PROTOBUF_CXXFLAGS "-O3 -std=c++11 -DNDEBUG")
if(CMAKE_BUILD_TYPE STREQUAL "Release")
set(PROTOBUF_CXXFLAGS "-O2 -std=c++11 -DNDEBUG")
else()
set(PROTOBUF_CXXFLAGS "-g -std=c++11")
endif()
@ -73,8 +72,8 @@ else()
URL_HASH "SHA256=e51cc8fc496f893e2a48beb417730ab6cbcb251142ad8b2cd1951faa5c76fe3d"
# TODO what if using system zlib?
CONFIGURE_COMMAND
./configure CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib-include=${ZLIB_INCLUDE}
--with-zlib-lib=${ZLIB_SRC} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure
CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
${PROTOBUF_PIC_OPTION} --prefix=${PROTOBUF_INSTALL_DIR}
BUILD_COMMAND make
BUILD_IN_SOURCE 1

4
cmake/modules/re2.cmake
View File

@ -55,7 +55,6 @@ else()
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
)
else()
# CMake 3.29.1 removed the support for the `PACKAGE_PREFIX_DIR` variable. The patch
@ -75,7 +74,6 @@ else()
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
)
endif()
else()
@ -97,7 +95,6 @@ else()
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
)
else()
ExternalProject_Add(
@ -114,7 +111,6 @@ else()
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
)
endif()
endif()

10
cmake/modules/tbb.cmake
View File

@ -58,9 +58,9 @@ else()
if(NOT TARGET tbb)
message(STATUS "Using bundled tbb in '${TBB_SRC}'")
set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.1.0.tar.gz")
set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.0.0.tar.gz")
set(TBB_SRC_URL_HASH
"SHA256=ed067603ece0dc832d2881ba5c516625ac2522c665d95f767ef6304e34f961b5"
"SHA256=e8e89c9c345415b17b30a2db3095ba9d47647611662073f7fbf54ad48b7f3c2a"
)
set(TBB_FLAGS "")
if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
@ -89,8 +89,6 @@ else()
-DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
-DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
-DEMSCRIPTEN=${TBB_EMSCRIPTEN}
-DTBB_FILE_TRIM=Off
-DTBB_INSTALL=Off
BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND ""
)
@ -112,8 +110,6 @@ else()
-DTBB_OUTPUT_DIR_BASE=lib
-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DTBB_FILE_TRIM=Off
-DTBB_INSTALL=Off
BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND ""
)
@ -133,8 +129,6 @@ else()
-DTBB_OUTPUT_DIR_BASE=lib
-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DTBB_FILE_TRIM=Off
-DTBB_INSTALL=Off
BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND ""
)

9
cmake/modules/zlib.cmake
View File

@ -45,14 +45,9 @@ else()
"${ZLIB_INCLUDE}/zutil.h"
)
if(NOT TARGET zlib)
# Match both release and relwithdebinfo builds
if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
set(ZLIB_CFLAGS "-O3")
else()
set(ZLIB_CFLAGS "-g")
endif()
set(ZLIB_CFLAGS)
if(ENABLE_PIC)
set(ZLIB_CFLAGS "${ZLIB_CFLAGS} -fPIC")
set(ZLIB_CFLAGS -fPIC)
endif()
message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")

1
docs/report.md
View File

@ -213,7 +213,6 @@
| open | 🟢 | ppc64le,s390x,x86_64 |
| open_by_handle_at | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| open_tree | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| open_tree_attr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| openat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| openat2 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pause | 🟡 | ppc64le,s390x,x86_64 |

2
driver/API_VERSION
View File

@ -1 +1 @@
8.0.4
8.0.3

5
driver/CMakeLists.txt
View File

@ -158,11 +158,6 @@ set(DRIVER_SOURCES
ppm_consumer.h
capture_macro.h
socketcall_to_syscall.h
syscall_compat_loongarch64.h
syscall_compat_ppc64le.h
syscall_compat_riscv64.h
syscall_compat_s390x.h
syscall_compat_x86_64.h
syscall_ia32_64_map.c
)

2
driver/Makefile.in
View File

@ -29,7 +29,7 @@ install: all
else
KERNELDIR ?= $(realpath $(objtree))
KERNELDIR ?= $(CURDIR)
#
# Get the path of the module sources
#

2
driver/SCHEMA_VERSION
View File

@ -1 +1 @@
3.69.0
3.5.0

2
driver/bpf/Makefile
View File

@ -28,7 +28,7 @@ clean:
else
KERNELDIR ?= $(realpath $(objtree))
KERNELDIR ?= $(CURDIR)
#
# Get the path of the module sources
#

23
driver/bpf/configure/0__SANITY/test.c
View File

@ -1,23 +0,0 @@
// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
Copyright (C) 2024 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
/*
* Check that the build system is sane.
*/
#include "../../quirks.h"
#include "../../ppm_events_public.h"
#include "../../types.h"
BPF_PROBE("sanity/", sanity, sanity_args) {
return 0;
}
char __license[] __bpf_section("license") = "Dual MIT/GPL";

32
driver/bpf/configure/KERNFS_NODE_PARENT/test.c
View File

@ -1,32 +0,0 @@
// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
Copyright (C) 2025 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
/*
* Check that kernfs_node's field `parent` exists.
* See 6.15 kernel commit it is named __parent:
* https://github.com/torvalds/linux/commit/633488947ef66b194377411322dc9e12aab79b65
*/
#include "../../quirks.h"
#include "../../ppm_events_public.h"
#include "../../types.h"
// struct kernfs_node declaration
#include <linux/kernfs.h>
BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
struct kernfs_node *parent;
struct kernfs_node node;
parent = node.parent;
return 0;
}
char __license[] __bpf_section("license") = "Dual MIT/GPL";

12
driver/bpf/configure/Makefile.inc.in
View File

@ -7,17 +7,7 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
$(info [configure-bpf] Setting HAS_@CONFIGURE_MODULE@ flag)
KBUILD_CPPFLAGS += -DHAS_@CONFIGURE_MODULE@
else
HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
$(info [configure-bpf] Build output for HAS_@CONFIGURE_MODULE@:)
$(info [configure-bpf] $(HAS_@CONFIGURE_MODULE@_OUT))
endif
ifeq ('@CONFIGURE_MODULE@','0__SANITY')
ifeq ($(HAS_@CONFIGURE_MODULE@),0)
$(info [configure-bpf] Build system is sane)
else
$(info [configure-bpf] Build system is broken, please see above errors)
$(error The build system is broken, please see above errors)
endif
endif

12
driver/bpf/filler_helpers.h
View File

@ -1407,15 +1407,3 @@ static __always_inline pid_t bpf_push_pgid(struct filler_data *data, struct task
}
#endif
/* Legacy-probe-specific replacement for `socket_family_to_scap` helper. As encoding the socket
* family using the `socket_family_to_scap` helper breaks the verifier on old kernel versions, just
* send `PPM_AF_UNSPEC` if the user-provided socket family is negative, and leave it as is
* otherwise. This solution relies on the fact that `AF_*` and corresponding `PPM_AF_*` macros map
* to the same values. */
static __always_inline uint8_t bpf_socket_family_to_scap(int8_t family) {
if(family < 0) {
family = PPM_AF_UNSPEC;
}
return (uint8_t)family;
}

2662
driver/bpf/fillers.h
View File

File diff suppressed because it is too large Load Diff

20
driver/bpf/types.h
View File

@ -143,16 +143,6 @@ struct sys_stash_args {
#ifdef CAPTURE_SCHED_PROC_EXEC
#ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
struct sched_process_exec_args {
unsigned short common_type;
unsigned char common_flags;
unsigned char common_preempt_count;
int common_pid;
__u32 filename; // This is actually defined as "__data_loc char[] filename;".
pid_t pid;
pid_t old_pid;
};
#else
/* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
* Taken from `/include/trace/events/sched.h`
*/
@ -161,6 +151,16 @@ struct sched_process_exec_args {
pid_t old_pid;
struct linux_binprm *bprm;
};
#else
struct sched_process_exec_args {
unsigned short common_type;
unsigned char common_flags;
unsigned char common_preempt_count;
int common_pid;
int filename;
pid_t pid;
pid_t old_pid;
};
#endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */
#endif /* CAPTURE_SCHED_PROC_EXEC */

26
driver/configure/0__SANITY/test.c
View File

@ -1,26 +0,0 @@
/*
Copyright (C) 2023 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
/*
* Check that the build environment is sane
*/
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("the Falco authors");
static int empty_init(void) {
return 0;
}
static void empty_exit(void) {}
module_init(empty_init);
module_exit(empty_exit);

33
driver/configure/FS_MNT_IDMAP/test.c
View File

@ -1,33 +0,0 @@
/*
Copyright (C) 2025 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
/*
* Check that fs function wants mnt_idmap
* See linux 6.3 changes:
* - https://github.com/torvalds/linux/commit/abf08576afe3
* - https://github.com/torvalds/linux/commit/01beba7957a2
*/
#include <linux/module.h>
#include <linux/fs.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("the Falco authors");
static int fs_mnt_idmap_init(void) {
struct mnt_idmap *idmap = NULL;
const struct inode *inode = NULL;
inode_owner_or_capable(idmap, inode);
return 0;
}
static void fs_mnt_idmap_exit(void) {}
module_init(fs_mnt_idmap_init);
module_exit(fs_mnt_idmap_exit);

12
driver/configure/Makefile.inc.in
View File

@ -9,17 +9,7 @@ ifeq ($(HAS_@CONFIGURE_MODULE@),0)
$(info [configure-kmod] Setting HAS_@CONFIGURE_MODULE@ flag)
ccflags-y += -DHAS_@CONFIGURE_MODULE@
else
HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
$(info [configure-kmod] Build output for HAS_@CONFIGURE_MODULE@:)
$(info [configure-kmod] $(HAS_@CONFIGURE_MODULE@_OUT))
endif
ifeq ('@CONFIGURE_MODULE@','0__SANITY')
ifeq ($(HAS_@CONFIGURE_MODULE@),0)
$(info [configure-kmod] Build system is sane)
else
$(info [configure-kmod] Build system is broken, please see above errors)
$(error The build system is broken, please see above errors)
endif
endif

949
driver/event_table.c
View File

File diff suppressed because it is too large Load Diff

86
driver/fillers_table.c
View File

@ -45,13 +45,13 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)},
[PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)},
[PPME_SOCKET_SENDTO_E] = {FILLER_REF(sys_sendto_e)},
[PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_sendto_x)},
[PPME_SOCKET_SENDTO_X] = {FILLER_REF(sys_send_x)},
[PPME_SOCKET_RECV_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {2}}},
[PPME_SOCKET_RECV_X] = {FILLER_REF(sys_recv_x)},
[PPME_SOCKET_RECVFROM_E] = {FILLER_REF(sys_recvfrom_e)},
[PPME_SOCKET_RECVFROM_X] = {FILLER_REF(sys_recvfrom_x)},
[PPME_SOCKET_SHUTDOWN_E] = {FILLER_REF(sys_shutdown_e)},
[PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_shutdown_x)},
[PPME_SOCKET_SHUTDOWN_X] = {FILLER_REF(sys_single_x)},
[PPME_SOCKET_GETSOCKNAME_E] = {FILLER_REF(sys_empty)},
[PPME_SOCKET_GETSOCKNAME_X] = {FILLER_REF(sys_empty)},
[PPME_SOCKET_GETPEERNAME_E] = {FILLER_REF(sys_empty)},
@ -75,15 +75,15 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SYSCALL_PIPE_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_PIPE_X] = {FILLER_REF(sys_pipe_x)},
[PPME_SYSCALL_EVENTFD_E] = {FILLER_REF(sys_eventfd_e)},
[PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_eventfd_x)},
[PPME_SYSCALL_EVENTFD_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_FUTEX_E] = {FILLER_REF(sys_futex_e)},
[PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_futex_x)},
[PPME_SYSCALL_FUTEX_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_STAT_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_STAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
[PPME_SYSCALL_LSTAT_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_LSTAT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
[PPME_SYSCALL_FSTAT_E] = {FILLER_REF(sys_fstat_e)},
[PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_fstat_x)},
[PPME_SYSCALL_FSTAT_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_STAT64_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_STAT64_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
[PPME_SYSCALL_LSTAT64_E] = {FILLER_REF(sys_empty)},
@ -91,7 +91,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SYSCALL_FSTAT64_E] = {FILLER_REF(sys_single)},
[PPME_SYSCALL_FSTAT64_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_EPOLLWAIT_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{2}}},
[PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_epoll_wait_x)},
[PPME_SYSCALL_EPOLLWAIT_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_POLL_E] = {FILLER_REF(sys_poll_e)},
[PPME_SYSCALL_POLL_X] = {FILLER_REF(sys_poll_x)},
[PPME_SYSCALL_SELECT_E] = {FILLER_REF(sys_empty)},
@ -99,7 +99,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SYSCALL_NEWSELECT_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_NEWSELECT_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_LSEEK_E] = {FILLER_REF(sys_lseek_e)},
[PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_lseek_x)},
[PPME_SYSCALL_LSEEK_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_LLSEEK_E] = {FILLER_REF(sys_llseek_e)},
[PPME_SYSCALL_LLSEEK_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_GETCWD_E] = {FILLER_REF(sys_empty)},
@ -115,15 +115,15 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SYSCALL_PREAD_E] = {FILLER_REF(sys_pread64_e)},
[PPME_SYSCALL_PREAD_X] = {FILLER_REF(sys_pread64_x)},
[PPME_SYSCALL_PWRITE_E] = {FILLER_REF(sys_pwrite64_e)},
[PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_pwrite64_x)},
[PPME_SYSCALL_PWRITE_X] = {FILLER_REF(sys_write_x)},
[PPME_SYSCALL_READV_E] = {FILLER_REF(sys_readv_e)},
[PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_x)},
[PPME_SYSCALL_READV_X] = {FILLER_REF(sys_readv_preadv_x)},
[PPME_SYSCALL_WRITEV_E] = {FILLER_REF(sys_writev_e)},
[PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_x)},
[PPME_SYSCALL_WRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
[PPME_SYSCALL_PREADV_E] = {FILLER_REF(sys_preadv_e)},
[PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_preadv_x)},
[PPME_SYSCALL_PREADV_X] = {FILLER_REF(sys_readv_preadv_x)},
[PPME_SYSCALL_PWRITEV_E] = {FILLER_REF(sys_pwritev_e)},
[PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_pwritev_x)},
[PPME_SYSCALL_PWRITEV_X] = {FILLER_REF(sys_writev_pwritev_x)},
[PPME_SYSCALL_DUP_1_E] = {FILLER_REF(sys_dup_e)},
[PPME_SYSCALL_DUP_1_X] = {FILLER_REF(sys_dup_x)},
[PPME_SYSCALL_DUP2_E] = {FILLER_REF(sys_dup2_e)},
@ -131,22 +131,22 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SYSCALL_DUP3_E] = {FILLER_REF(sys_dup3_e)},
[PPME_SYSCALL_DUP3_X] = {FILLER_REF(sys_dup3_x)},
[PPME_SYSCALL_SIGNALFD_E] = {FILLER_REF(sys_signalfd_e)},
[PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_signalfd_x)},
[PPME_SYSCALL_SIGNALFD_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_KILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
[PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_kill_x)},
[PPME_SYSCALL_KILL_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_TKILL_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
[PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_tkill_x)},
[PPME_SYSCALL_TKILL_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_TGKILL_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
[PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_tgkill_x)},
[PPME_SYSCALL_TGKILL_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_NANOSLEEP_E] = {FILLER_REF(sys_nanosleep_e)},
[PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_nanosleep_x)},
[PPME_SYSCALL_NANOSLEEP_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_TIMERFD_CREATE_E] = {FILLER_REF(sys_autofill),
2,
APT_REG,
{{AF_ID_USEDEFAULT, 0}, {AF_ID_USEDEFAULT, 0}}},
[PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_timerfd_create_x)},
[PPME_SYSCALL_TIMERFD_CREATE_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_INOTIFY_INIT_E] = {FILLER_REF(sys_inotify_init_e)},
[PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_inotify_init_x)},
[PPME_SYSCALL_INOTIFY_INIT_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_GETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
[PPME_SYSCALL_GETRLIMIT_X] = {FILLER_REF(sys_getrlimit_x)},
[PPME_SYSCALL_SETRLIMIT_E] = {FILLER_REF(sys_getrlimit_setrlimit_e)},
@ -161,19 +161,19 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SCHEDSWITCH_6_E] = {FILLER_REF(sched_switch_e)},
#endif
[PPME_SYSCALL_BRK_4_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
[PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_x)},
[PPME_SYSCALL_BRK_4_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
[PPME_SYSCALL_MMAP_E] = {FILLER_REF(sys_mmap_e)},
[PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_mmap_x)},
[PPME_SYSCALL_MMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
[PPME_SYSCALL_MMAP2_E] = {FILLER_REF(sys_mmap_e)},
[PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_mmap2_x)},
[PPME_SYSCALL_MMAP2_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
[PPME_SYSCALL_MUNMAP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
[PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_munmap_x)},
[PPME_SYSCALL_MUNMAP_X] = {FILLER_REF(sys_brk_munmap_mmap_x)},
[PPME_SYSCALL_SPLICE_E] = {FILLER_REF(sys_splice_e)},
[PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_splice_x)},
[PPME_SYSCALL_SPLICE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_PTRACE_E] = {FILLER_REF(sys_ptrace_e)},
[PPME_SYSCALL_PTRACE_X] = {FILLER_REF(sys_ptrace_x)},
[PPME_SYSCALL_IOCTL_3_E] = {FILLER_REF(sys_ioctl_e)},
[PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_ioctl_x)},
[PPME_SYSCALL_IOCTL_3_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_RENAME_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_RENAME_X] = {FILLER_REF(sys_autofill),
3,
@ -193,14 +193,14 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SYSCALL_QUOTACTL_E] = {FILLER_REF(sys_quotactl_e)},
[PPME_SYSCALL_QUOTACTL_X] = {FILLER_REF(sys_quotactl_x)},
[PPME_SYSCALL_SETRESUID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
[PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_setresuid_x)},
[PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_SETRESGID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
[PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_setresgid_x)},
[PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SCAPEVENT_E] = {FILLER_REF(sys_scapevent_e)},
[PPME_SYSCALL_SETUID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
[PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_setuid_x)},
[PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_SETGID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
[PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_setgid_x)},
[PPME_SYSCALL_SETGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_GETUID_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_GETUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_GETEUID_E] = {FILLER_REF(sys_empty)},
@ -223,43 +223,43 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SIGNALDELIVER_E] = {FILLER_REF(sys_signaldeliver_e)},
#endif
[PPME_SYSCALL_GETDENTS_E] = {FILLER_REF(sys_getdents_e)},
[PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_getdents_x)},
[PPME_SYSCALL_GETDENTS_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_GETDENTS64_E] = {FILLER_REF(sys_getdents64_e)},
[PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_getdents64_x)},
[PPME_SYSCALL_GETDENTS64_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_SETNS_E] = {FILLER_REF(sys_setns_e)},
[PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_setns_x)},
[PPME_SYSCALL_SETNS_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_FLOCK_E] = {FILLER_REF(sys_flock_e)},
[PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_flock_x)},
[PPME_SYSCALL_FLOCK_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_CPU_HOTPLUG_E] = {FILLER_REF(cpu_hotplug_e)},
[PPME_SOCKET_ACCEPT_5_E] = {FILLER_REF(sys_empty)},
[PPME_SOCKET_ACCEPT_5_X] = {FILLER_REF(sys_accept_x)},
[PPME_SYSCALL_SEMOP_E] = {FILLER_REF(sys_single)},
[PPME_SYSCALL_SEMOP_X] = {FILLER_REF(sys_semop_x)},
[PPME_SYSCALL_SEMCTL_E] = {FILLER_REF(sys_semctl_e)},
[PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_semctl_x)},
[PPME_SYSCALL_SEMCTL_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_PPOLL_E] = {FILLER_REF(sys_ppoll_e)},
[PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_ppoll_x)},
[PPME_SYSCALL_PPOLL_X] = {FILLER_REF(sys_poll_x)}, /* exit same for poll() and ppoll() */
[PPME_SYSCALL_MOUNT_E] = {FILLER_REF(sys_mount_e)},
[PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_mount_x),
[PPME_SYSCALL_MOUNT_X] = {FILLER_REF(sys_autofill),
4,
APT_REG,
{{AF_ID_RETVAL}, {0}, {1}, {2}}},
[PPME_SYSCALL_SEMGET_E] = {FILLER_REF(sys_semget_e)},
[PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_semget_x)},
[PPME_SYSCALL_SEMGET_X] = {FILLER_REF(sys_single_x)},
[PPME_SYSCALL_ACCESS_E] = {FILLER_REF(sys_access_e)},
[PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_access_x)},
[PPME_SYSCALL_ACCESS_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
[PPME_SYSCALL_CHROOT_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_CHROOT_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
[PPME_SYSCALL_SETSID_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_SETSID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_SETPGID_E] = {FILLER_REF(sys_setpgid_e)},
[PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_setpgid_x)},
[PPME_SYSCALL_SETPGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_MKDIR_2_E] = {FILLER_REF(sys_mkdir_e)},
[PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_mkdir_x)},
[PPME_SYSCALL_MKDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
[PPME_SYSCALL_RMDIR_2_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_RMDIR_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
[PPME_SYSCALL_UNSHARE_E] = {FILLER_REF(sys_unshare_e)},
[PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_unshare_x)},
[PPME_SYSCALL_UNSHARE_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_EXECVE_19_E] = {FILLER_REF(sys_execve_e)},
[PPME_SYSCALL_EXECVE_19_X] = {FILLER_REF(proc_startupdate)},
#ifdef CAPTURE_PAGE_FAULTS
@ -268,7 +268,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SYSCALL_BPF_2_E] = {FILLER_REF(sys_bpf_e)},
[PPME_SYSCALL_BPF_2_X] = {FILLER_REF(sys_bpf_x)},
[PPME_SYSCALL_SECCOMP_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1}}},
[PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_seccomp_x)},
[PPME_SYSCALL_SECCOMP_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
[PPME_SYSCALL_UNLINK_2_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_UNLINK_2_X] = {FILLER_REF(sys_autofill), 2, APT_REG, {{AF_ID_RETVAL}, {0}}},
[PPME_SYSCALL_UNLINKAT_2_E] = {FILLER_REF(sys_empty)},
@ -344,7 +344,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SYSCALL_UMOUNT_1_E] = {FILLER_REF(sys_empty)},
[PPME_SYSCALL_UMOUNT_1_X] = {FILLER_REF(sys_umount_x)},
[PPME_SOCKET_ACCEPT4_6_E] = {FILLER_REF(sys_accept4_e)},
[PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept4_x)},
[PPME_SOCKET_ACCEPT4_6_X] = {FILLER_REF(sys_accept_x)},
[PPME_SYSCALL_UMOUNT2_E] = {FILLER_REF(sys_umount2_e)},
[PPME_SYSCALL_UMOUNT2_X] = {FILLER_REF(sys_umount2_x)},
[PPME_SYSCALL_PIPE2_E] = {FILLER_REF(sys_empty)},

144
driver/main.c
View File

@ -277,6 +277,10 @@ static bool verbose = 0;
static unsigned int max_consumers = 5;
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
static enum cpuhp_state hp_state = 0;
#endif
#define vpr_info(fmt, ...) \
do { \
if(verbose) \
@ -442,7 +446,6 @@ static int ppm_open(struct inode *inode, struct file *filp) {
consumer->consumer_id = consumer_id;
consumer->buffer_bytes_dim = g_buffer_bytes_dim;
consumer->tracepoints_attached = 0; /* Start with no tracepoints */
consumer->hotplug_cpu = -1;
/*
* Initialize the ring buffers array
@ -473,6 +476,14 @@ static int ppm_open(struct inode *inode, struct file *filp) {
ring->info = NULL;
}
/*
* If a cpu is offline when the consumer is first created, we
* will never get events for that cpu even if it later comes
* online via hotplug. We could allocate these rings on-demand
* later in this function if needed for hotplug, but that
* requires the consumer to know to call open again, and that is
* not supported.
*/
for_each_online_cpu(cpu) {
ring = per_cpu_ptr(consumer->ring_buffers, cpu);
@ -1809,27 +1820,6 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
ASSERT(ring);
ring_info = ring->info;
if(!ring_info) {
// If we haven't got the ring info, it means
// the event was generated by a CPU that was not
// online when the ring buffers were initialized.
// Store info about hotplugged CPU here to later
// send hotplug events on cpu0.
consumer->hotplug_cpu = cpu;
put_cpu();
return res;
}
// Manage hotplug on cpu 0
if(consumer->hotplug_cpu != -1 && cpu == 0) {
event_type = PPME_CPU_HOTPLUG_E;
drop_flags = UF_NEVER_DROP;
tp_type = INTERNAL_EVENTS;
event_datap->category = PPMC_CONTEXT_SWITCH;
event_datap->event_info.context_data.sched_prev = (void *)(long)consumer->hotplug_cpu;
event_datap->event_info.context_data.sched_next = (void *)(long)0;
}
if(event_datap->category == PPMC_CONTEXT_SWITCH &&
event_datap->event_info.context_data.sched_prev != NULL) {
if(event_type != PPME_SCAPEVENT_E && event_type != PPME_CPU_HOTPLUG_E) {
@ -2781,12 +2771,96 @@ static char *ppm_devnode(struct device *dev, mode_t *mode)
}
#endif /* LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20) */
static int do_cpu_callback(unsigned long cpu, long sd_action) {
struct ppm_ring_buffer_context *ring;
struct ppm_consumer_t *consumer;
struct event_data_t event_data;
if(sd_action != 0) {
rcu_read_lock();
list_for_each_entry_rcu(consumer, &g_consumer_list, node) {
ring = per_cpu_ptr(consumer->ring_buffers, cpu);
if(sd_action == 1) {
/*
* If the cpu was offline when the consumer was created,
* this won't do anything because we never created a ring
* buffer. We can't safely create one here because we're
* in atomic context, and the consumer needs to call open
* on this device anyways, so do it in ppm_open.
*/
ring->cpu_online = true;
} else if(sd_action == 2) {
ring->cpu_online = false;
}
}
rcu_read_unlock();
event_data.category = PPMC_CONTEXT_SWITCH;
event_data.event_info.context_data.sched_prev = (void *)cpu;
event_data.event_info.context_data.sched_next = (void *)sd_action;
record_event_all_consumers(PPME_CPU_HOTPLUG_E, UF_NEVER_DROP, &event_data, INTERNAL_EVENTS);
}
return 0;
}
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
static int scap_cpu_online(unsigned int cpu) {
vpr_info("scap_cpu_online on cpu %d\n", cpu);
return do_cpu_callback(cpu, 1);
}
static int scap_cpu_offline(unsigned int cpu) {
vpr_info("scap_cpu_offline on cpu %d\n", cpu);
return do_cpu_callback(cpu, 2);
}
#else /* LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)) */
/*
* This gets called every time a CPU is added or removed
*/
static int cpu_callback(struct notifier_block *self, unsigned long action, void *hcpu) {
unsigned long cpu = (unsigned long)hcpu;
long sd_action = 0;
switch(action) {
case CPU_UP_PREPARE:
#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
case CPU_UP_PREPARE_FROZEN:
#endif
sd_action = 1;
break;
case CPU_DOWN_PREPARE:
#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
case CPU_DOWN_PREPARE_FROZEN:
#endif
sd_action = 2;
break;
default:
break;
}
if(do_cpu_callback(cpu, sd_action) < 0)
return NOTIFY_BAD;
else
return NOTIFY_OK;
}
static struct notifier_block cpu_notifier = {
.notifier_call = &cpu_callback,
.next = NULL,
};
#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0) */
static int scap_init(void) {
dev_t dev;
unsigned int cpu;
unsigned int num_cpus;
int ret;
int acrret = 0;
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
int hp_ret;
#endif
int j;
int n_created_devices = 0;
#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
@ -2890,6 +2964,25 @@ static int scap_init(void) {
goto init_module_err;
}
/*
* Set up our callback in case we get a hotplug even while we are
* initializing the cpu structures
*/
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
hp_ret = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
DRIVER_NAME "/driver:online",
scap_cpu_online,
scap_cpu_offline);
if(hp_ret <= 0) {
pr_err("error registering cpu hotplug callback\n");
ret = hp_ret;
goto init_module_err;
}
hp_state = hp_ret;
#else
register_cpu_notifier(&cpu_notifier);
#endif
// Initialize globals
g_tracepoints_attached = 0;
for(j = 0; j < KMOD_PROG_ATTACHED_MAX; j++) {
@ -2948,6 +3041,13 @@ static void scap_exit(void) {
#if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 20)
tracepoint_synchronize_unregister();
#endif
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0))
if(hp_state > 0)
cpuhp_remove_state_nocalls(hp_state);
#else
unregister_cpu_notifier(&cpu_notifier);
#endif
}
module_init(scap_init);

28
driver/modern_bpf/CMakeLists.txt
View File

@ -256,32 +256,6 @@ file(GLOB_RECURSE BPF_H_FILES ${CMAKE_CURRENT_SOURCE_DIR}/*.h)
# Search all bpf.c files
file(GLOB_RECURSE BPF_C_FILES ${CMAKE_CURRENT_SOURCE_DIR}/*.bpf.c)
# ##################################################################################################
# Generate the events dimensions file generator executable.
# ##################################################################################################
add_executable(
events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/definitions/generator/generator.cpp
)
target_link_libraries(events_dimensions_generator PRIVATE scap_event_schema)
add_dependencies(events_dimensions_generator scap_event_schema)
# ##################################################################################################
# Generate the events dimensions file.
# ##################################################################################################
set(BPF_EVENTS_DIMENSIONS_FILE ${CMAKE_CURRENT_SOURCE_DIR}/definitions/events_dimensions.h)
add_custom_command(
OUTPUT ${BPF_EVENTS_DIMENSIONS_FILE}
COMMAND events_dimensions_generator ${BPF_EVENTS_DIMENSIONS_FILE}
VERBATIM
DEPENDS events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/../event_table.c
COMMENT
"${MODERN_BPF_LOG_PREFIX} Building events dimensions file: ${BPF_EVENTS_DIMENSIONS_FILE}"
)
add_custom_target(EventsDimensions ALL DEPENDS ${BPF_EVENTS_DIMENSIONS_FILE})
# ##################################################################################################
# Generate an `bpf.o` file for every `bpf.c`
# ##################################################################################################
@ -304,7 +278,7 @@ foreach(BPF_C_FILE ${BPF_C_FILES})
${BPF_O_FILE}
VERBATIM
DEPENDS lbpf
DEPENDS ${BPF_C_FILE} ${BPF_H_FILES} EventsDimensions
DEPENDS ${BPF_C_FILE} ${BPF_H_FILES}
COMMENT "${MODERN_BPF_LOG_PREFIX} Building BPF object: ${BPF_O_FILE}"
)

8
driver/modern_bpf/bpfvalidator_config.yaml
View File

@ -1,8 +0,0 @@
parallel: 2
kernel_versions:
- v5.10.237
- v5.15.184
- v6.1.140
- v6.6.92
- v6.12.30
- v6.15

439
driver/modern_bpf/definitions/events_dimensions.h
View File

@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
* Copyright (C) 2025 The Falco Authors.
* Copyright (C) 2023 The Falco Authors.
*
* This file is dual licensed under either the MIT or GPL 2. See MIT.txt
* or GPL2.txt for full copies of the license.
@ -21,239 +21,243 @@
/// want to touch scap tables.
/* Syscall events */
#define SYSCALL_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
#define SYSCALL_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
#define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
#define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define LISTEN_E_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
#define LISTEN_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) * 2 + PARAM_LEN * 3
#define SEND_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
#define GETSOCKNAME_E_SIZE HEADER_LEN
#define GETSOCKNAME_X_SIZE HEADER_LEN
#define GENERIC_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
#define GENERIC_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
#define GETCWD_E_SIZE HEADER_LEN
#define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define GETPEERNAME_E_SIZE HEADER_LEN
#define GETPEERNAME_X_SIZE HEADER_LEN
#define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 8
#define SETSOCKOPT_E_SIZE HEADER_LEN
#define GETSOCKOPT_E_SIZE HEADER_LEN
#define SENDMMSG_E_SIZE HEADER_LEN
#define RECVMSG_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define RECVMMSG_E_SIZE HEADER_LEN
#define PIPE_E_SIZE HEADER_LEN
#define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
#define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
#define FUTEX_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
#define STAT_E_SIZE HEADER_LEN
#define LSTAT_E_SIZE HEADER_LEN
#define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define STAT64_E_SIZE HEADER_LEN
#define LSTAT64_E_SIZE HEADER_LEN
#define FSTAT64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define FSTAT64_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define EPOLL_WAIT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define EPOLL_WAIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define SELECT_E_SIZE HEADER_LEN
#define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define LSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
#define LLSEEK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 3
#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint8_t) + PARAM_LEN * 4
#define GETCWD_E_SIZE HEADER_LEN
#define CHDIR_E_SIZE HEADER_LEN
#define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define PREAD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
#define PWRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
#define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define WRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
#define PWRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
#define SIGNALFD_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 4
#define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
#define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
#define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
#define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 3
#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
#define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
#define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
#define PRLIMIT_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define PRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
#define DROP_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define DROP_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define FCNTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define FCNTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
#define SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
#define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
#define BRK_X_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
#define MMAP_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
#define MMAP2_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 5 + sizeof(uint64_t) * 3 + PARAM_LEN * 10
#define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 6
#define SPLICE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 4
#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
#define RENAME_E_SIZE HEADER_LEN
#define RENAMEAT_E_SIZE HEADER_LEN
#define SYMLINK_E_SIZE HEADER_LEN
#define SYMLINKAT_E_SIZE HEADER_LEN
#define PROCEXIT_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) * 2 + PARAM_LEN * 5
#define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
#define QUOTACTL_E_SIZE HEADER_LEN + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t) * 2 + PARAM_LEN * 4
#define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define SCAPEVENT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
#define SCAPEVENT_X_SIZE HEADER_LEN
#define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define GETUID_E_SIZE HEADER_LEN
#define GETUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define GETEUID_E_SIZE HEADER_LEN
#define GETEUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define GETGID_E_SIZE HEADER_LEN
#define GETGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define GETEGID_E_SIZE HEADER_LEN
#define GETEGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define GETRESUID_E_SIZE HEADER_LEN
#define GETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define GETRESGID_E_SIZE HEADER_LEN
#define GETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define CLONE_E_SIZE HEADER_LEN
#define FORK_E_SIZE HEADER_LEN
#define VFORK_E_SIZE HEADER_LEN
#define SIGNALDELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
#define PROCINFO_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
#define GETDENTS_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define GETDENTS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define GETDENTS64_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define GETDENTS64_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
#define CPU_HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
#define ACCEPT_E_SIZE HEADER_LEN
#define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
#define SEMOP_X_SIZE HEADER_LEN + sizeof(int16_t) * 2 + sizeof(int32_t) + sizeof(int64_t) + sizeof(uint16_t) * 4 + sizeof(uint32_t) + PARAM_LEN * 9
#define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 5
#define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
#define SEMGET_X_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 4
#define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define CHROOT_E_SIZE HEADER_LEN
#define SETSID_E_SIZE HEADER_LEN
#define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define GETSOCKNAME_E_SIZE HEADER_LEN
#define GETSOCKNAME_X_SIZE HEADER_LEN
#define MKDIR_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define RMDIR_E_SIZE HEADER_LEN
#define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define UNLINK_E_SIZE HEADER_LEN
#define UNLINKAT_E_SIZE HEADER_LEN
#define MKDIRAT_E_SIZE HEADER_LEN
#define LINK_E_SIZE HEADER_LEN
#define LINKAT_E_SIZE HEADER_LEN
#define FCHMODAT_E_SIZE HEADER_LEN
#define MMAP_E_SIZE \
HEADER_LEN + sizeof(uint64_t) * 3 + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 6
#define MMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define MUNMAP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
#define MUNMAP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
#define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define CLOSE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + PARAM_LEN * 3
#define DUP_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define DUP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define DUP2_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define DUP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
#define DUP3_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define DUP3_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
#define CHDIR_E_SIZE HEADER_LEN
#define CHMOD_E_SIZE HEADER_LEN
#define CHOWN_E_SIZE HEADER_LEN
#define LCHOWN_E_SIZE HEADER_LEN
#define CHROOT_E_SIZE HEADER_LEN
#define FCHDIR_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define FCHDIR_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define FCHMOD_E_SIZE HEADER_LEN
#define FCHMOD_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
#define RENAMEAT2_E_SIZE HEADER_LEN
#define FCHMODAT_E_SIZE HEADER_LEN
#define FCHOWN_E_SIZE HEADER_LEN
#define FCHOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 2 + PARAM_LEN * 4
#define FCHOWNAT_E_SIZE HEADER_LEN
#define MKDIRAT_E_SIZE HEADER_LEN
#define RMDIR_E_SIZE HEADER_LEN
#define EVENTFD_E_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define EVENTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define INOTIFY_INIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
#define INOTIFY_INIT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define TIMERFD_CREATE_E_SIZE HEADER_LEN + sizeof(uint8_t) * 2 + PARAM_LEN * 2
#define TIMERFD_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define USERFAULTFD_E_SIZE HEADER_LEN
#define USERFAULTFD_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
#define COPY_FILE_RANGE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define COPY_FILE_RANGE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 3 + PARAM_LEN * 6
#define SIGNALFD_E_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint8_t) + PARAM_LEN * 3
#define SIGNALFD_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define KILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define KILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define TGKILL_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
#define TGKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define TKILL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define TKILL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + PARAM_LEN * 2
#define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
#define CAPSET_E_SIZE HEADER_LEN
#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
#define SOCKET_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
#define SOCKET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define SOCKETPAIR_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
#define SOCKETPAIR_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) * 2 + PARAM_LEN * 5
#define ACCEPT_E_SIZE HEADER_LEN
#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
#define LISTEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(int32_t) + PARAM_LEN * 3
#define CLONE_E_SIZE HEADER_LEN
#define CLONE3_E_SIZE HEADER_LEN
#define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
#define IO_URING_SETUP_E_SIZE HEADER_LEN
#define IO_URING_SETUP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 7 + PARAM_LEN * 8
#define IO_URING_ENTER_E_SIZE HEADER_LEN
#define IO_URING_ENTER_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 4 + PARAM_LEN * 6
#define IO_URING_REGISTER_E_SIZE HEADER_LEN
#define IO_URING_REGISTER_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
#define FORK_E_SIZE HEADER_LEN
#define VFORK_E_SIZE HEADER_LEN
#define RENAME_E_SIZE HEADER_LEN
#define RENAMEAT_E_SIZE HEADER_LEN
#define RENAMEAT2_E_SIZE HEADER_LEN
#define PIPE_E_SIZE HEADER_LEN
#define PIPE_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + PARAM_LEN * 4
#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
#define FLOCK_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define FLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define IOCTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define IOCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define QUOTACTL_E_SIZE \
HEADER_LEN + sizeof(uint16_t) + sizeof(uint8_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 4
#define UNSHARE_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define UNSHARE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define MOUNT_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define UMOUNT_E_SIZE HEADER_LEN
#define LINK_E_SIZE HEADER_LEN
#define LINKAT_E_SIZE HEADER_LEN
#define SYMLINK_E_SIZE HEADER_LEN
#define SYMLINKAT_E_SIZE HEADER_LEN
#define UNLINK_E_SIZE HEADER_LEN
#define UNLINKAT_E_SIZE HEADER_LEN
#define SETGID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define SETGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define SETUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SETNS_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define SETNS_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SETPGID_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define SETPGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
#define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SETSID_E_SIZE HEADER_LEN
#define SETSID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
#define SETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint8_t) + PARAM_LEN * 4
#define PRLIMIT64_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define PRLIMIT64_X_SIZE HEADER_LEN + sizeof(int64_t) * 6 + sizeof(uint8_t) + PARAM_LEN * 7
#define GETSOCKOPT_E_SIZE HEADER_LEN
#define SETSOCKOPT_E_SIZE HEADER_LEN
#define RECVMSG_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define READV_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define PREADV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
#define PREAD64_E_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
#define RECVFROM_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define FCNTL_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define FCNTL_X_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 3
#define SHUTDOWN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint8_t) + PARAM_LEN * 2
#define SHUTDOWN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define FSCONFIG_E_SIZE HEADER_LEN
#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define ACCESS_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define MPROTECT_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
#define MPROTECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define GETUID_E_SIZE HEADER_LEN
#define GETUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define GETGID_E_SIZE HEADER_LEN
#define GETGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define GETEUID_E_SIZE HEADER_LEN
#define GETEUID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define GETEGID_E_SIZE HEADER_LEN
#define GETEGID_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define MLOCK_E_SIZE HEADER_LEN
#define MLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define MLOCK2_E_SIZE HEADER_LEN
#define MLOCK2_X_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
#define MUNLOCK_E_SIZE HEADER_LEN
#define MUNLOCK_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 3
#define MLOCKALL_E_SIZE HEADER_LEN
#define MLOCKALL_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define MUNLOCKALL_E_SIZE HEADER_LEN
#define MUNLOCKALL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define CAPSET_E_SIZE HEADER_LEN
#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
#define DUP2_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define DUP2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
#define DUP3_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define DUP3_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
#define DUP_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define DUP_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + PARAM_LEN * 2
#define BPF_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define BPF_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define MLOCK2_E_SIZE HEADER_LEN
#define MLOCK2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) * 2 + PARAM_LEN * 4
#define FSCONFIG_E_SIZE HEADER_LEN
#define EPOLL_CREATE_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
#define EPOLL_CREATE_X_SIZE HEADER_LEN + sizeof(int32_t) + sizeof(int64_t) + PARAM_LEN * 2
#define EPOLL_CREATE1_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define EPOLL_CREATE1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define CHOWN_E_SIZE HEADER_LEN
#define LCHOWN_E_SIZE HEADER_LEN
#define FCHOWN_E_SIZE HEADER_LEN
#define FCHOWN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 2 + PARAM_LEN * 4
#define FCHOWNAT_E_SIZE HEADER_LEN
#define UMOUNT_E_SIZE HEADER_LEN
#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
#define UMOUNT2_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define READ_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define IO_URING_ENTER_E_SIZE HEADER_LEN
#define IO_URING_ENTER_X_SIZE \
HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) * 4 + PARAM_LEN * 6
#define IO_URING_REGISTER_E_SIZE HEADER_LEN
#define IO_URING_REGISTER_X_SIZE \
HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint64_t) + sizeof(uint32_t) + \
PARAM_LEN * 5
#define IO_URING_SETUP_E_SIZE HEADER_LEN
#define IO_URING_SETUP_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 7 + PARAM_LEN * 8
#define MMAP2_E_SIZE \
HEADER_LEN + sizeof(uint64_t) * 3 + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 6
#define MMAP2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define SEMGET_E_SIZE HEADER_LEN + sizeof(int32_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
#define SEMGET_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SEMCTL_E_SIZE HEADER_LEN + sizeof(int32_t) * 3 + sizeof(uint16_t) + PARAM_LEN * 4
#define SEMCTL_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SELECT_E_SIZE HEADER_LEN
#define SELECT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define SPLICE_E_SIZE \
HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 4
#define SPLICE_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define RECVMMSG_E_SIZE HEADER_LEN
#define SENDMMSG_E_SIZE HEADER_LEN
#define SEMOP_E_SIZE HEADER_LEN + sizeof(int32_t) + PARAM_LEN
#define SEMOP_X_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint16_t) * 4 + sizeof(int16_t) * 2 + \
PARAM_LEN * 8
#define GETRESUID_E_SIZE HEADER_LEN
#define GETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define SENDFILE_E_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint64_t) * 2 + PARAM_LEN * 4
#define SENDFILE_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + PARAM_LEN * 2
#define FUTEX_E_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint16_t) + PARAM_LEN * 3
#define FUTEX_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define STAT_E_SIZE HEADER_LEN
#define LSTAT_E_SIZE HEADER_LEN
#define FSTAT_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define FSTAT_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define LSEEK_E_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + 3 * PARAM_LEN
#define LSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define LLSEEK_E_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) + sizeof(uint8_t) + 3 * PARAM_LEN
#define LLSEEK_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define WRITE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define WRITEV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define PWRITEV_E_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
#define PWRITE64_E_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 3
#define GETRESGID_E_SIZE HEADER_LEN
#define GETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define BRK_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
#define BRK_X_SIZE HEADER_LEN + sizeof(uint64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
#define GETRLIMIT_E_SIZE HEADER_LEN + sizeof(uint8_t) + PARAM_LEN
#define GETRLIMIT_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + PARAM_LEN * 3
#define SEND_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define RECV_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define NANOSLEEP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
#define NANOSLEEP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define PIPE2_E_SIZE HEADER_LEN
#define PIPE2_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 5
#define PIPE2_X_SIZE \
HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint64_t) + sizeof(uint32_t) + PARAM_LEN * 5
#define INOTIFY_INIT1_E_SIZE HEADER_LEN
#define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
#define INOTIFY_INIT1_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
#define EVENTFD2_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + sizeof(uint64_t) + PARAM_LEN * 3
#define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint16_t) + sizeof(uint32_t) + PARAM_LEN * 4
#define EVENTFD2_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
#define SIGNALFD4_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + 2 * PARAM_LEN
#define SIGNALFD4_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + 2 * PARAM_LEN
#define PRCTL_E_SIZE HEADER_LEN
#define MEMFD_CREATE_E_SIZE HEADER_LEN
#define PIDFD_GETFD_E_SIZE HEADER_LEN
#define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + PARAM_LEN * 4
#define PIDFD_GETFD_X_SIZE HEADER_LEN + sizeof(int64_t) * 3 + sizeof(uint32_t) + 4 * PARAM_LEN
#define PIDFD_OPEN_E_SIZE HEADER_LEN
#define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
#define PIDFD_OPEN_X_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint32_t) + 3 * PARAM_LEN
#define INIT_MODULE_E_SIZE HEADER_LEN
#define FINIT_MODULE_E_SIZE HEADER_LEN
#define MKNOD_E_SIZE HEADER_LEN
@ -263,8 +267,19 @@
#define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN
#define DELETE_MODULE_E_SIZE HEADER_LEN
#define SETREUID_E_SIZE HEADER_LEN
#define SETREUID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 3
#define SETREUID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
#define SETREGID_E_SIZE HEADER_LEN
#define SETREGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 2 + PARAM_LEN * 3
#define SETREGID_X_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + sizeof(int64_t) + 3 * PARAM_LEN
/* Generic tracepoints events. */
#define SCHED_SWITCH_SIZE \
HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6
#define PAGE_FAULT_SIZE HEADER_LEN + sizeof(uint64_t) * 2 + sizeof(uint32_t) + PARAM_LEN * 3
#define SIGNAL_DELIVER_SIZE HEADER_LEN + sizeof(int64_t) * 2 + sizeof(uint8_t) + PARAM_LEN * 3
/* Special internal events */
#define DROP_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define DROP_X_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define HOTPLUG_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + PARAM_LEN * 2
#endif /* __EVENT_DIMENSIONS_H__ */

234
driver/modern_bpf/definitions/generator/generator.cpp
View File

@ -1,234 +0,0 @@
#include <functional>
#include <iostream>
#include <map>
#include <sstream>
#include <fstream>
#include <algorithm>
#include "driver/ppm_events_public.h"
extern const struct ppm_event_info g_event_info[];
auto PREFACE = R"(// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
* Copyright (C) 2025 The Falco Authors.
*
* This file is dual licensed under either the MIT or GPL 2. See MIT.txt
* or GPL2.txt for full copies of the license.
*/
#ifndef __EVENT_DIMENSIONS_H__
#define __EVENT_DIMENSIONS_H__
#include "vmlinux.h"
/* Here we have all the dimensions for fixed-size events.
*/
#define PARAM_LEN 2
#define HEADER_LEN sizeof(struct ppm_evt_hdr)
/// TODO: We have to move these in the event_table.c. Right now we don't
/// want to touch scap tables.
/* Syscall events */
)";
auto POSTFACE = R"(
#endif /* __EVENT_DIMENSIONS_H__ */
)";
// Use the following macro to get the stringified version of the C expression retrieving the type
// size (e.g.: SIZE_OF_EXPR(uint8_t) is resolved in "sizeof(uint8_t)").
#define SIZE_OF_EXPR(type) SIZE_OF_EXPR_##type
// Generate the "sizeof" stringified expression for the listed types. New handled types must be
// appended to the list.
#define SIZE_OF_EXPR_DECL_LIST_GEN(FN) \
FN(int8_t) \
FN(int16_t) \
FN(int32_t) \
FN(int64_t) \
FN(uint8_t) \
FN(uint16_t) \
FN(uint32_t) \
FN(uint64_t)
#define SIZE_OF_EXPR_DECL(type) char SIZE_OF_EXPR(type)[] = "sizeof(" #type ")";
SIZE_OF_EXPR_DECL_LIST_GEN(SIZE_OF_EXPR_DECL)
#undef SIZE_OF_EXPR_DECL
#undef SIZE_OF_EXPR_DECL_LIST_GEN
// Special expressions denoting variable size or unused parameter types.
char SIZE_OF_EXPR_VARIABLE_SIZE[] = "<variable_size>", SIZE_OF_EXPR_UNUSED[] = "<unused>";
// Table containing the mapping between parameter types and the corresponding stringified "sizeof"
// expression.
std::map<long long, char *> type_to_size_expr{
{PT_NONE, SIZE_OF_EXPR_UNUSED},
{PT_INT8, SIZE_OF_EXPR(int8_t)},
{PT_INT16, SIZE_OF_EXPR(int16_t)},
{PT_INT32, SIZE_OF_EXPR(int32_t)},
{PT_INT64, SIZE_OF_EXPR(int64_t)},
{PT_UINT8, SIZE_OF_EXPR(uint8_t)},
{PT_UINT16, SIZE_OF_EXPR(uint16_t)},
{PT_UINT32, SIZE_OF_EXPR(uint32_t)},
{PT_UINT64, SIZE_OF_EXPR(uint64_t)},
{PT_CHARBUF, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_BYTEBUF, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_ERRNO, SIZE_OF_EXPR(int64_t)},
{PT_SOCKADDR, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_SOCKTUPLE, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_FD, SIZE_OF_EXPR(int64_t)},
{PT_PID, SIZE_OF_EXPR(int64_t)},
{PT_FDLIST, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_FSPATH, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_SYSCALLID, SIZE_OF_EXPR(uint16_t)},
{PT_SIGTYPE, SIZE_OF_EXPR(uint8_t)},
{PT_RELTIME, SIZE_OF_EXPR(uint64_t)},
{PT_ABSTIME, SIZE_OF_EXPR(uint64_t)},
{PT_PORT, SIZE_OF_EXPR_UNUSED},
{PT_L4PROTO, SIZE_OF_EXPR_UNUSED},
{PT_SOCKFAMILY, SIZE_OF_EXPR_UNUSED},
{PT_BOOL, SIZE_OF_EXPR_UNUSED},
{PT_IPV4ADDR, SIZE_OF_EXPR_UNUSED},
{PT_DYN, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_FLAGS8, SIZE_OF_EXPR(uint8_t)},
{PT_FLAGS16, SIZE_OF_EXPR(uint16_t)},
{PT_FLAGS32, SIZE_OF_EXPR(uint32_t)},
{PT_UID, SIZE_OF_EXPR(uint32_t)},
{PT_GID, SIZE_OF_EXPR(uint32_t)},
{PT_DOUBLE, SIZE_OF_EXPR_UNUSED},
{PT_SIGSET, SIZE_OF_EXPR(uint32_t)},
{PT_CHARBUFARRAY, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_CHARBUF_PAIR_ARRAY, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_IPV4NET, SIZE_OF_EXPR_UNUSED},
{PT_IPV6ADDR, SIZE_OF_EXPR_UNUSED},
{PT_IPV6NET, SIZE_OF_EXPR_UNUSED},
{PT_IPADDR, SIZE_OF_EXPR_UNUSED},
{PT_IPNET, SIZE_OF_EXPR_UNUSED},
{PT_MODE, SIZE_OF_EXPR(uint32_t)},
{PT_FSRELPATH, SIZE_OF_EXPR_VARIABLE_SIZE},
{PT_ENUMFLAGS8, SIZE_OF_EXPR(uint8_t)},
{PT_ENUMFLAGS16, SIZE_OF_EXPR(uint16_t)},
{PT_ENUMFLAGS32, SIZE_OF_EXPR(uint32_t)},
};
// is_fixed_size_event determines if the provided event has a fixed size or not.
bool is_fixed_size_event(struct ppm_event_info const *const evt) {
for(uint32_t i = 0; i < evt->nparams; i++) {
auto &param = evt->params[i];
auto const param_type = param.type;
auto it = type_to_size_expr.find(param_type);
if(it == type_to_size_expr.end()) {
throw std::runtime_error("Unknown event parameter type: " + std::to_string(param_type));
}
auto const size_expr = it->second;
// Just compare pointers is enough.
if(size_expr == SIZE_OF_EXPR_UNUSED) {
throw std::runtime_error("Unexpected unused event parameter type: " +
std::to_string(param_type));
}
if(size_expr == SIZE_OF_EXPR_VARIABLE_SIZE) {
return false;
}
}
return true;
}
// get_vent_size_expr_counts returns, given the provided event and the resulting size expression of
// its parameters, a map containing, for each size expression, the number of occurrences.
std::map<std::string, size_t> get_event_size_expr_counts(struct ppm_event_info const *const evt) {
std::map<std::string, size_t> size_expr_counts;
for(uint32_t i = 0; i < evt->nparams; i++) {
auto const &param = evt->params[i];
auto const param_type = param.type;
auto const it = type_to_size_expr.find(param_type);
if(it == type_to_size_expr.end()) {
throw std::runtime_error("Unknown event parameter type: " + std::to_string(param_type));
}
auto const size_expr = it->second;
size_expr_counts[size_expr]++;
}
return size_expr_counts;
}
// output_event_size outputs the event size macro for the provided event into the provided output
// stream.
void output_event_size(std::ostream &os,
struct ppm_event_info const *const evt,
bool const is_enter_evt) {
// Exclude old versions.
if(evt->flags & EF_OLD_VERSION) {
return;
}
std::string name{evt->name};
// Ignore events without name.
if(name == "NA") {
return;
}
// Exclude events not having a fixed size.
if(!is_fixed_size_event(evt)) {
return;
}
// Generate the complete event size macro name.
std::transform(name.cbegin(), name.cend(), name.begin(), toupper);
if((evt->category & EC_TRACEPOINT) == 0) {
name += is_enter_evt ? "_E" : "_X";
}
name += "_SIZE";
// The event contains at least the header.
os << "#define " << name << " HEADER_LEN";
auto const params_num = evt->nparams;
// Count the number of occurrences for each size expression.
auto size_expr_counts = get_event_size_expr_counts(evt);
// Output "size expression" * "number of occurrences of size expression", for each size
// expression.
for(auto const &[size_expr, count] : size_expr_counts) {
os << " + " << size_expr;
if(count != 1) {
os << " * " << count;
}
}
// Add "number of parameters" * PARAM_LEN, to account the size of each parameter length.
if(params_num != 0) {
os << " + PARAM_LEN";
if(params_num != 1) {
os << " * " << params_num;
}
}
os << '\n';
}
int main(int argc, char *argv[]) {
if(argc != 2) {
std::cerr << "Usage: " << argv[0] << " <filepath>\n";
std::exit(EXIT_FAILURE);
}
std::string filepath{argv[1]};
// Build file content.
std::ostringstream oss;
oss << PREFACE;
for(int i = 0; i < PPM_EVENT_MAX; i++) {
output_event_size(oss, &g_event_info[i], i % 2 == 0);
}
oss << POSTFACE;
// Write content to file.
std::ofstream f{filepath, std::fstream::out | std::fstream::trunc};
f << oss.str();
f.close();
return 0;
}

4
driver/modern_bpf/definitions/struct_flavors.h
View File

@ -59,10 +59,6 @@ struct inode___v6_11 {
uint32_t i_ctime_nsec;
};
struct kernfs_node___v6_15 {
struct kernfs_node *__parent;
};
#ifndef BPF_NO_PRESERVE_ACCESS_INDEX
#pragma clang attribute pop
#endif

83
driver/modern_bpf/helpers/base/maps_getters.h
View File

@ -17,99 +17,44 @@
/*=============================== SETTINGS ===========================*/
static __always_inline struct capture_settings *maps__get_capture_settings() {
uint32_t key = 0;
return bpf_map_lookup_elem(&capture_settings, &key);
}
static __always_inline uint64_t maps__get_boot_time() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->boot_time;
return g_settings.boot_time;
}
static __always_inline uint32_t maps__get_snaplen() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->snaplen;
return g_settings.snaplen;
}
static __always_inline bool maps__get_dropping_mode() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->dropping_mode;
return g_settings.dropping_mode;
}
static __always_inline uint32_t maps__get_sampling_ratio() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->sampling_ratio;
return g_settings.sampling_ratio;
}
static __always_inline bool maps__get_drop_failed() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->drop_failed;
return g_settings.drop_failed;
}
static __always_inline bool maps__get_do_dynamic_snaplen() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->do_dynamic_snaplen;
return g_settings.do_dynamic_snaplen;
}
static __always_inline uint16_t maps__get_fullcapture_port_range_start() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->fullcapture_port_range_start;
return g_settings.fullcapture_port_range_start;
}
static __always_inline uint16_t maps__get_fullcapture_port_range_end() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->fullcapture_port_range_end;
return g_settings.fullcapture_port_range_end;
}
static __always_inline uint16_t maps__get_statsd_port() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->statsd_port;
return g_settings.statsd_port;
}
static __always_inline int32_t maps__get_scap_tid() {
struct capture_settings *settings = maps__get_capture_settings();
if(settings == NULL) {
return 0;
}
return settings->scap_tid;
return g_settings.scap_tid;
}
/*=============================== SETTINGS ===========================*/
@ -144,12 +89,8 @@ static __always_inline uint8_t maps__64bit_sampling_syscall_table(uint32_t sysca
/*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/
static __always_inline bool maps__interesting_syscall_64bit(uint32_t syscall_id) {
bool *ret = bpf_map_lookup_elem(&interesting_syscalls_table_64bit, &syscall_id);
if(ret == NULL) {
return false;
}
return *ret;
static __always_inline bool maps__64bit_interesting_syscall(uint32_t syscall_id) {
return g_64bit_interesting_syscalls_table[syscall_id & (SYSCALL_TABLE_SIZE - 1)];
}
/*=============================== SYSCALL-64 INTERESTING TABLE ===========================*/

4
driver/modern_bpf/helpers/base/shared_size.h
View File

@ -26,8 +26,8 @@
/* Maximum number of `iovec` structures that we can analyze. */
#define MAX_IOVCNT 32
/* Maximum number of supported sendmmsg/recvmmsg loops with bpf_loop helper */
#define MAX_SENDMMSG_RECVMMSG_SIZE 16
/* Maximum number of supported sendmmsg/recvmmsg messages */
#define MAX_SENDMMSG_RECVMMSG_SIZE 8
/* Maximum number of `pollfd` structures that we can analyze. */
#define MAX_POLLFD 16

45
driver/modern_bpf/helpers/extract/extract_from_kernel.h
View File

@ -10,7 +10,6 @@
#include <helpers/base/maps_getters.h>
#include <helpers/base/read_from_task.h>
#include <helpers/base/shared_size.h>
#include <driver/ppm_flag_helpers.h>
#if __has_include(<sys/syscall.h>)
@ -1032,47 +1031,3 @@ static __always_inline struct socket *get_sock_from_file(struct file *file) {
}
return (struct socket *)BPF_CORE_READ(file, private_data);
}
///////////////////////////
// EXTRACT FROM MSGHDR
///////////////////////////
/**
* @brief Read the msghdr pointed by `msghdr_pointer` and store it in `msghdr` location.
* @param msghdr pointer to the user_msghdr struct used to store the read msghdr.
* @param msghdr_pointer pointer to the msghdr to be read.
* @return 0 on success, or a negative error in case of failure.
*/
static __always_inline long extract__msghdr(struct user_msghdr *msghdr,
unsigned long msghdr_pointer) {
return bpf_probe_read_user((void *)msghdr,
bpf_core_type_size(struct user_msghdr),
(void *)msghdr_pointer);
}
/**
* @brief Extract the size of a message extracted from an `iovec` struct array.
* @param scratch_space pointer the scratch space on which iovecs are read.
* @param scratch_space_size scratch space total size.
* @param iov_pointer pointer to `iovec` struct array.
* @param iov_cnt number of `iovec` structs.
* @return the size of the message on success, or 0 in case of failure.
*/
static __always_inline uint32_t extract__iovec_size(void *scratch_space,
uint32_t scratch_space_size,
unsigned long iov_pointer,
unsigned long iov_cnt) {
if(bpf_probe_read_user(scratch_space, scratch_space_size, (void *)iov_pointer)) {
return 0;
}
uint32_t total_size_to_read = 0;
const struct iovec *iovec = (const struct iovec *)scratch_space;
for(int i = 0; i < MAX_IOVCNT; i++) {
if(i == iov_cnt) {
break;
}
total_size_to_read += iovec[i].iov_len;
}
return total_size_to_read;
}

2
driver/modern_bpf/helpers/interfaces/syscalls_dispatcher.h
View File

@ -14,7 +14,7 @@
#include <helpers/extract/extract_from_kernel.h>
static __always_inline bool syscalls_dispatcher__64bit_interesting_syscall(uint32_t syscall_id) {
return maps__interesting_syscall_64bit(syscall_id);
return maps__64bit_interesting_syscall(syscall_id);
}
static __always_inline long convert_network_syscalls(struct pt_regs *regs) {

69
driver/modern_bpf/helpers/store/auxmap_store_params.h
View File

@ -1121,7 +1121,9 @@ static __always_inline void auxmap__store_msghdr_size_param(struct auxiliary_map
* we return 0.
*/
struct user_msghdr msghdr = {0};
if(extract__msghdr(&msghdr, msghdr_pointer)) {
if(bpf_probe_read_user((void *)&msghdr,
bpf_core_type_size(struct user_msghdr),
(void *)msghdr_pointer)) {
auxmap__store_u32_param(auxmap, 0);
return;
}
@ -1146,7 +1148,9 @@ static __always_inline struct user_msghdr auxmap__store_msghdr_data_param(
* we return an empty param.
*/
struct user_msghdr msghdr = {0};
if(extract__msghdr(&msghdr, msghdr_pointer)) {
if(bpf_probe_read_user((void *)&msghdr,
bpf_core_type_size(struct user_msghdr),
(void *)msghdr_pointer)) {
/* in case of NULL msghdr we return an empty param */
push__param_len(auxmap->data, &auxmap->lengths_pos, 0);
return msghdr;
@ -1292,12 +1296,7 @@ static __always_inline uint16_t store_cgroup_subsys(struct auxiliary_map *auxmap
}
path_components++;
BPF_CORE_READ_INTO(&cgroup_path_pointers[k], kn, name);
if(bpf_core_field_exists(kn->parent)) {
BPF_CORE_READ_INTO(&kn, kn, parent);
} else {
struct kernfs_node___v6_15 *kn_v6_15 = (void *)kn;
BPF_CORE_READ_INTO(&kn, kn_v6_15, __parent);
}
BPF_CORE_READ_INTO(&kn, kn, parent);
}
/* Reconstruct the path in reverse, using previously collected pointers.
@ -1507,9 +1506,7 @@ static __always_inline void auxmap__store_fdlist_param(struct auxiliary_map *aux
typedef struct {
bool only_port_range;
ppm_event_code evt_type;
long mmsg_index; // Only used by sendmmsg/recvmmsg to pass the current message index
unsigned long *mm_args; // Only used by sendmmsg/recvmmsg to reduce stack size to avoid
// verifier issues
long mmsg_index;
} dynamic_snaplen_args;
static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
@ -1559,12 +1556,6 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
*/
unsigned long args[5] = {0};
struct sockaddr *sockaddr = NULL;
union {
struct compat_msghdr compat_mh;
struct user_msghdr mh;
struct compat_mmsghdr compat_mmh;
struct mmsghdr mmh;
} msg_mh = {};
switch(input_args->evt_type) {
case PPME_SOCKET_SENDTO_X:
@ -1577,41 +1568,43 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
case PPME_SOCKET_SENDMSG_X: {
extract__network_args(args, 3, regs);
if(bpf_in_ia32_syscall()) {
if(likely(bpf_probe_read_user(&msg_mh.compat_mh,
struct compat_msghdr compat_mh = {};
if(likely(bpf_probe_read_user(&compat_mh,
bpf_core_type_size(struct compat_msghdr),
(void *)args[1]) == 0)) {
sockaddr = (struct sockaddr *)(unsigned long)(msg_mh.compat_mh.msg_name);
sockaddr = (struct sockaddr *)(unsigned long)(compat_mh.msg_name);
}
// in any case we break the switch.
break;
}
if(extract__msghdr(&msg_mh.mh, args[1]) == 0) {
sockaddr = (struct sockaddr *)msg_mh.mh.msg_name;
struct user_msghdr mh = {};
if(bpf_probe_read_user(&mh, bpf_core_type_size(struct user_msghdr), (void *)args[1]) == 0) {
sockaddr = (struct sockaddr *)mh.msg_name;
}
} break;
case PPME_SOCKET_RECVMMSG_X:
case PPME_SOCKET_SENDMMSG_X: {
// To avoid verifier stack size issues, sendmmsg and recvmmsg directly pass args
// in dynamic_snaplen_args.
// This also gives a small perf boost while using `bpf_loop` because we don't need
// to re-fetch first 3 syscall args at every iteration.
__builtin_memcpy(args, input_args->mm_args, 3 * sizeof(unsigned long));
extract__network_args(args, 3, regs);
if(bpf_in_ia32_syscall()) {
struct compat_mmsghdr compat_mmh = {};
struct compat_mmsghdr *mmh_ptr = (struct compat_mmsghdr *)args[1];
if(likely(bpf_probe_read_user(&msg_mh.compat_mmh,
if(likely(bpf_probe_read_user(&compat_mmh,
bpf_core_type_size(struct compat_mmsghdr),
(void *)(mmh_ptr + input_args->mmsg_index)) == 0)) {
sockaddr = (struct sockaddr *)(unsigned long)(msg_mh.compat_mmh.msg_hdr.msg_name);
sockaddr = (struct sockaddr *)(unsigned long)(compat_mmh.msg_hdr.msg_name);
}
// in any case we break the switch.
break;
}
struct mmsghdr mmh = {};
struct mmsghdr *mmh_ptr = (struct mmsghdr *)args[1];
if(bpf_probe_read_user(&msg_mh.mmh,
if(bpf_probe_read_user(&mmh,
bpf_core_type_size(struct mmsghdr),
(void *)(mmh_ptr + input_args->mmsg_index)) == 0) {
sockaddr = (struct sockaddr *)msg_mh.mmh.msg_hdr.msg_name;
sockaddr = (struct sockaddr *)mmh.msg_hdr.msg_name;
}
} break;
@ -1649,20 +1642,16 @@ static __always_inline void apply_dynamic_snaplen(struct pt_regs *regs,
port_remote = ntohs(port_remote);
if(port_remote == 0 && sockaddr != NULL) {
union {
struct sockaddr_in sockaddr_in;
struct sockaddr_in6 sockaddr_in6;
} saddr_in = {};
if(socket_family == AF_INET) {
bpf_probe_read_user(&saddr_in.sockaddr_in,
bpf_core_type_size(struct sockaddr_in),
sockaddr);
port_remote = ntohs(saddr_in.sockaddr_in.sin_port);
struct sockaddr_in sockaddr_in = {};
bpf_probe_read_user(&sockaddr_in, bpf_core_type_size(struct sockaddr_in), sockaddr);
port_remote = ntohs(sockaddr_in.sin_port);
} else {
bpf_probe_read_user(&saddr_in.sockaddr_in6,
struct sockaddr_in6 sockaddr_in6 = {};
bpf_probe_read_user(&sockaddr_in6,
bpf_core_type_size(struct sockaddr_in6),
sockaddr);
port_remote = ntohs(saddr_in.sockaddr_in6.sin6_port);
port_remote = ntohs(sockaddr_in6.sin6_port);
}
}
}

44
driver/modern_bpf/maps/maps.h
View File

@ -47,23 +47,35 @@ __weak const volatile uint64_t probe_api_ver = PPM_API_CURRENT_VERSION;
*/
__weak const volatile uint64_t probe_schema_var = PPM_SCHEMA_CURRENT_VERSION;
/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
/*=============================== BPF GLOBAL VARIABLES ===============================*/
/**
* @brief Given the syscall id on 64-bit-architectures returns if
* the syscall must be filtered out according to the simple consumer logic.
*/
__weak bool g_64bit_interesting_syscalls_table[SYSCALL_TABLE_SIZE];
/**
* @brief Given the syscall id on 64-bit-architectures returns:
* - `UF_NEVER_DROP` if the syscall must not be dropped in the sampling logic.
* - `UF_ALWAYS_DROP` if the syscall must always be dropped in the sampling logic.
* - `UF_NONE` if we drop the syscall depends on the sampling ratio.
*/
__weak const volatile uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
__weak uint8_t g_64bit_sampling_syscall_table[SYSCALL_TABLE_SIZE];
/**
* @brief Given the syscall id on 32-bit x86 arch returns
* its x64 value. Used to support ia32 syscall emulation.
*/
__weak const volatile uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];
__weak uint32_t g_ia32_to_64_table[SYSCALL_TABLE_SIZE];
/*=============================== BPF READ-ONLY GLOBAL VARIABLES ===============================*/
/*=============================== BPF GLOBAL VARIABLES ===============================*/
/**
* @brief Global capture settings shared between userspace and
* bpf programs.
*/
__weak struct capture_settings g_settings;
/**
* @brief Variable used only kernel side to understand when we need to send
@ -121,28 +133,6 @@ struct {
/*=============================== BPF_MAP_TYPE_ARRAY ===============================*/
/**
* @brief This table is used to keep track of which syscalls must be filtered out
* according to the simple consumer logic.
*/
struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
__uint(max_entries, SYSCALL_TABLE_SIZE);
__type(key, uint32_t);
__type(value, bool);
} interesting_syscalls_table_64bit __weak SEC(".maps");
/**
* @brief Global capture settings shared between userspace and
* bpf programs.
*/
struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
__uint(max_entries, 1);
__type(key, uint32_t);
__type(value, struct capture_settings);
} capture_settings __weak SEC(".maps");
/* These maps have one entry for each CPU.
*
* PLEASE NOTE:

4
driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c
View File

@ -36,9 +36,9 @@ int BPF_PROG(t_hotplug) {
* the event collection.
*/
struct ringbuf_struct ringbuf;
ringbuf.reserved_event_size = CPU_HOTPLUG_E_SIZE;
ringbuf.reserved_event_size = HOTPLUG_E_SIZE;
ringbuf.event_type = PPME_CPU_HOTPLUG_E;
ringbuf.data = bpf_ringbuf_reserve(rb, CPU_HOTPLUG_E_SIZE, 0);
ringbuf.data = bpf_ringbuf_reserve(rb, HOTPLUG_E_SIZE, 0);
if(!ringbuf.data) {
counter->n_drops_buffer++;
return 0;

6
driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
View File

@ -179,9 +179,9 @@ int BPF_PROG(t1_sched_p_exec, struct task_struct *p, pid_t old_pid, struct linux
uint32_t tty = exctract__tty(task);
auxmap__store_u32_param(auxmap, (uint32_t)tty);
/* Parameter 18: vpgid (type: PT_PID) */
pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
auxmap__store_s64_param(auxmap, (int64_t)vpgid);
/* Parameter 18: pgid (type: PT_PID) */
pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
auxmap__store_s64_param(auxmap, (int64_t)pgid);
/* Parameter 19: loginuid (type: PT_UID) */
uint32_t loginuid;

2
driver/modern_bpf/programs/attached/events/sched_switch.bpf.c
View File

@ -22,7 +22,7 @@ int BPF_PROG(sched_switch, bool preempt, struct task_struct *prev, struct task_s
/// TODO: we could avoid switches from kernel threads to kernel threads (?).
struct ringbuf_struct ringbuf;
if(!ringbuf__reserve_space(&ringbuf, SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
if(!ringbuf__reserve_space(&ringbuf, SCHED_SWITCH_SIZE, PPME_SCHEDSWITCH_6_E)) {
return 0;
}

2
driver/modern_bpf/programs/attached/events/signal_deliver.bpf.c
View File

@ -19,7 +19,7 @@ int BPF_PROG(signal_deliver, int sig, struct kernel_siginfo *info, struct k_siga
}
struct ringbuf_struct ringbuf;
if(!ringbuf__reserve_space(&ringbuf, SIGNALDELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
if(!ringbuf__reserve_space(&ringbuf, SIGNAL_DELIVER_SIZE, PPME_SIGNALDELIVER_E)) {
return 0;
}

6
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/accept4.bpf.c
View File

@ -105,12 +105,6 @@ int BPF_PROG(accept4_x, struct pt_regs *regs, long ret) {
/* Parameter 5: queuemax (type: PT_UINT32) */
auxmap__store_u32_param(auxmap, queuemax);
/* Parameter 6: flags (type: PT_FLAGS32) */
/// TODO: we don't support flags yet and so we just return zero.
/// If implemented, special handling for SYS_ACCEPT socketcall is needed.
uint32_t flags = 0;
auxmap__store_u32_param(auxmap, flags);
/*=============================== COLLECT PARAMETERS ===========================*/
auxmap__finalize_event_header(auxmap);

6
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/access.bpf.c
View File

@ -51,14 +51,10 @@ int BPF_PROG(access_x, struct pt_regs *regs, long ret) {
/* Parameter 1: res (type: PT_ERRNO) */
auxmap__store_s64_param(auxmap, ret);
/* Parameter 2: name (type: PT_FSPATH) */
/* Parameter 2: pathname (type: PT_FSPATH) */
unsigned long path_pointer = extract__syscall_argument(regs, 0);
auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER);
/* Parameter 3: mode (type: PT_UINT32) */
int mode = (int)extract__syscall_argument(regs, 1);
auxmap__store_u32_param(auxmap, (uint32_t)access_flags_to_scap(mode));
/*=============================== COLLECT PARAMETERS ===========================*/
auxmap__finalize_event_header(auxmap);

6
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/brk.bpf.c
View File

@ -22,7 +22,7 @@ int BPF_PROG(brk_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: addr (type: PT_UINT64) */
uint64_t addr = extract__syscall_argument(regs, 0);
unsigned long addr = extract__syscall_argument(regs, 0);
ringbuf__store_u64(&ringbuf, addr);
/*=============================== COLLECT PARAMETERS ===========================*/
@ -68,10 +68,6 @@ int BPF_PROG(brk_x, struct pt_regs *regs, long ret) {
/* Parameter 4: vm_swap (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, swap_size);
/* Parameter 5: addr (type: PT_UINT64) */
uint64_t addr = extract__syscall_argument(regs, 0);
ringbuf__store_u64(&ringbuf, addr);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

12
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c
View File

@ -50,9 +50,9 @@ int BPF_PROG(close_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
/* Parameter 1: fd (type: PT_FD)*/
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/*=============================== COLLECT PARAMETERS ===========================*/
@ -80,13 +80,9 @@ int BPF_PROG(close_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

37
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c
View File

@ -24,14 +24,14 @@ int BPF_PROG(connect_e, struct pt_regs *regs, long id) {
unsigned long args[3] = {0};
extract__network_args(args, 3, regs);
/* Parameter 1: fd (type: PT_FD) */
int64_t socket_fd = (int64_t)(int32_t)args[0];
auxmap__store_s64_param(auxmap, socket_fd);
/* Parameter 1: fd (type: PT_FD)*/
int32_t socket_fd = (int32_t)args[0];
auxmap__store_s64_param(auxmap, (int64_t)socket_fd);
/* Parameter 2: addr (type: PT_SOCKADDR) */
unsigned long usrsockaddr = args[1];
uint16_t usrsockaddr_len = (uint16_t)args[2];
auxmap__store_sockaddr_param(auxmap, usrsockaddr, usrsockaddr_len);
/* Parameter 2: addr (type: PT_SOCKADDR)*/
unsigned long sockaddr_ptr = args[1];
uint16_t addrlen = (uint16_t)args[2];
auxmap__store_sockaddr_param(auxmap, sockaddr_ptr, addrlen);
/*=============================== COLLECT PARAMETERS ===========================*/
@ -57,30 +57,25 @@ int BPF_PROG(connect_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
unsigned long args[3] = {0};
extract__network_args(args, 3, regs);
int64_t socket_fd = (int64_t)(int32_t)args[0];
unsigned long socket_fd = 0;
extract__network_args(&socket_fd, 1, regs);
/* Parameter 1: res (type: PT_ERRNO) */
auxmap__store_s64_param(auxmap, ret);
struct sockaddr *usrsockaddr = (struct sockaddr *)args[1];
/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
/* We need a valid sockfd to extract source data.*/
if(ret == 0 || ret == -EINPROGRESS) {
/* Notice: the following will push an empty parameter if
* something goes wrong (e.g.: fd not valid). */
auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, usrsockaddr);
auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, NULL);
} else {
auxmap__store_empty_param(auxmap);
}
/* Parameter 3: fd (type: PT_FD) */
auxmap__store_s64_param(auxmap, socket_fd);
/* Parameter 4: addr (type: PT_SOCKADDR) */
uint16_t usrsockaddr_len = (uint16_t)args[2];
auxmap__store_sockaddr_param(auxmap, (unsigned long)usrsockaddr, usrsockaddr_len);
/* Parameter 3: fd (type: PT_FD)*/
/* We need the double cast to extract the first 4 bytes and then
* convert them to a signed integer on 64-bit
*/
auxmap__store_s64_param(auxmap, (int64_t)(int32_t)socket_fd);
/*=============================== COLLECT PARAMETERS ===========================*/

22
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/copy_file_range.bpf.c
View File

@ -25,8 +25,8 @@ int BPF_PROG(copy_file_range_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fdin (type: PT_FD) */
int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fdin);
int32_t fdin = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fdin);
/* Parameter 2: offin (type: PT_UINT64) */
uint64_t offin = extract__syscall_argument(regs, 1);
@ -58,29 +58,17 @@ int BPF_PROG(copy_file_range_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: fdout (type: PT_FD) */
int64_t fdout = (int64_t)(int32_t)extract__syscall_argument(regs, 2);
ringbuf__store_s64(&ringbuf, fdout);
int32_t fdout = (int32_t)extract__syscall_argument(regs, 2);
ringbuf__store_s64(&ringbuf, (int64_t)fdout);
/* Parameter 3: offout (type: PT_UINT64) */
uint64_t offout = extract__syscall_argument(regs, 3);
ringbuf__store_u64(&ringbuf, offout);
/* Parameter 4: fdin (type: PT_FD) */
int64_t fdin = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fdin);
/* Parameter 5: offin (type: PT_UINT64) */
uint64_t offin = extract__syscall_argument(regs, 1);
ringbuf__store_u64(&ringbuf, offin);
/* Parameter 6: len (type: PT_UINT64) */
uint64_t len = extract__syscall_argument(regs, 4);
ringbuf__store_u64(&ringbuf, len);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

14
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup.bpf.c
View File

@ -21,9 +21,9 @@ int BPF_PROG(dup_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fd (type: PT_FD) */
int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, oldfd);
/* Parameter 1: oldfd (type: PT_FD) */
int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
/*=============================== COLLECT PARAMETERS ===========================*/
@ -47,12 +47,12 @@ int BPF_PROG(dup_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_FD) */
ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
/* Parameter 1: res (type: PT_FD)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: oldfd (type: PT_FD) */
int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, oldfd);
int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
/*=============================== COLLECT PARAMETERS ===========================*/

18
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup2.bpf.c
View File

@ -21,9 +21,9 @@ int BPF_PROG(dup2_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fd (type: PT_FD) */
int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, oldfd);
/* Parameter 1: oldfd (type: PT_FD) */
int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
/*=============================== COLLECT PARAMETERS ===========================*/
@ -47,16 +47,16 @@ int BPF_PROG(dup2_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_FD) */
ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
/* Parameter 1: res (type: PT_FD)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: oldfd (type: PT_FD) */
int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, oldfd);
int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
/* Parameter 3: newfd (type: PT_FD) */
int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
ringbuf__store_s64(&ringbuf, newfd);
int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
ringbuf__store_s64(&ringbuf, (int64_t)newfd);
/*=============================== COLLECT PARAMETERS ===========================*/

18
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/dup3.bpf.c
View File

@ -21,9 +21,9 @@ int BPF_PROG(dup3_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fd (type: PT_FD) */
int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, oldfd);
/* Parameter 1: oldfd (type: PT_FD) */
int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
/*=============================== COLLECT PARAMETERS ===========================*/
@ -47,16 +47,16 @@ int BPF_PROG(dup3_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_FD) */
ringbuf__store_s64(&ringbuf, (int64_t)(int32_t)ret);
/* Parameter 1: res (type: PT_FD)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: oldfd (type: PT_FD) */
int64_t oldfd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, oldfd);
int32_t oldfd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)oldfd);
/* Parameter 3: newfd (type: PT_FD) */
int64_t newfd = (int64_t)(int32_t)extract__syscall_argument(regs, 1);
ringbuf__store_s64(&ringbuf, newfd);
int32_t newfd = (int32_t)extract__syscall_argument(regs, 1);
ringbuf__store_s64(&ringbuf, (int64_t)newfd);
/* Parameter 4: flags (type: PT_FLAGS32) */
int32_t flags = extract__syscall_argument(regs, 2);

6
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create.bpf.c
View File

@ -47,13 +47,9 @@ int BPF_PROG(epoll_create_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: size (type: PT_INT32) */
int32_t size = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s32(&ringbuf, size);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

6
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_create1.bpf.c
View File

@ -47,13 +47,9 @@ int BPF_PROG(epoll_create1_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: flags (type: PT_FLAGS32) */
int32_t flags = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_u32(&ringbuf, epoll_create1_flags_to_scap(flags));
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

4
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/epoll_wait.bpf.c
View File

@ -50,10 +50,6 @@ int BPF_PROG(epoll_wait_x, struct pt_regs *regs, long ret) {
/* Parameter 1: res (type: PT_ERRNO) */
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: maxevents (type: PT_ERRNO) */
int maxevents = (int)extract__syscall_argument(regs, 2);
ringbuf__store_s64(&ringbuf, (int64_t)maxevents);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

16
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd.bpf.c
View File

@ -22,8 +22,8 @@ int BPF_PROG(eventfd_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: initval (type: PT_UINT64) */
uint64_t initval = (uint64_t)extract__syscall_argument(regs, 0);
ringbuf__store_u64(&ringbuf, initval);
uint32_t initval = (uint32_t)extract__syscall_argument(regs, 0);
ringbuf__store_u64(&ringbuf, (uint64_t)initval);
/* Parameter 2: flags (type: PT_UINT32) */
/* The syscall eventfd has no flags! only `eventfd2` has the `flags` param.
@ -53,19 +53,9 @@ int BPF_PROG(eventfd_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_FD) */
/* Parameter 1: res (type: PT_FD)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: initval (type: PT_UINT64) */
uint64_t initval = (uint64_t)extract__syscall_argument(regs, 0);
ringbuf__store_u64(&ringbuf, initval);
/* Parameter 3: flags (type: PT_UINT32) */
/* The syscall eventfd has no flags! only `eventfd2` has the `flags` param.
* For compatibility with the event definition here we send `0` as flags.
*/
ringbuf__store_u32(&ringbuf, 0);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

6
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/eventfd2.bpf.c
View File

@ -47,17 +47,13 @@ int BPF_PROG(eventfd2_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_FD) */
/* Parameter 1: res (type: PT_FD)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: flags (type: PT_FLAGS16) */
int32_t flags = (int32_t)extract__syscall_argument(regs, 1);
ringbuf__store_u16(&ringbuf, eventfd2_flags_to_scap(flags));
/* Parameter 3: initval (type: PT_UINT64) */
uint32_t initval = (uint32_t)extract__syscall_argument(regs, 0);
ringbuf__store_u64(&ringbuf, (uint64_t)initval);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

6
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
View File

@ -198,9 +198,9 @@ int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) {
uint32_t tty = exctract__tty(task);
auxmap__store_u32_param(auxmap, (uint32_t)tty);
/* Parameter 18: vpgid (type: PT_PID) */
pid_t vpgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
auxmap__store_s64_param(auxmap, (int64_t)vpgid);
/* Parameter 18: pgid (type: PT_PID) */
pid_t pgid = extract__task_xid_vnr(task, PIDTYPE_PGID);
auxmap__store_s64_param(auxmap, (int64_t)pgid);
/* Parameter 19: loginuid (type: PT_UID) */
uint32_t loginuid;

4
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchdir.bpf.c
View File

@ -50,10 +50,6 @@ int BPF_PROG(fchdir_x, struct pt_regs *regs, long ret) {
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: fd (type: PT_FD) */
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

14
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/flock.bpf.c
View File

@ -22,8 +22,8 @@ int BPF_PROG(flock_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/* Parameter 2: operation (type: PT_FLAGS32) */
unsigned long operation = extract__syscall_argument(regs, 1);
@ -51,17 +51,9 @@ int BPF_PROG(flock_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
/* Parameter 3: operation (type: PT_FLAGS32) */
unsigned long operation = extract__syscall_argument(regs, 1);
ringbuf__store_u32(&ringbuf, flock_flags_to_scap((int)operation));
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

4
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fstat.bpf.c
View File

@ -50,10 +50,6 @@ int BPF_PROG(fstat_x, struct pt_regs *regs, long ret) {
/* Parameter 1: res (type: PT_ERRNO) */
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: fd (type: PT_FD) */
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

12
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/futex.bpf.c
View File

@ -58,18 +58,6 @@ int BPF_PROG(futex_x, struct pt_regs *regs, long ret) {
/* Parameter 1: res (type: PT_ERRNO) */
ringbuf__store_s64(&ringbuf, (int64_t)ret);
/* Parameter 2: addr (type: PT_UINT64) */
uint64_t addr = extract__syscall_argument(regs, 0);
ringbuf__store_u64(&ringbuf, addr);
/* Parameter 3: op (type: PT_ENUMFLAGS16) */
int32_t op = (int32_t)extract__syscall_argument(regs, 1);
ringbuf__store_u16(&ringbuf, futex_op_to_scap((unsigned long)op));
/* Parameter 4: val (type: PT_UINT64) */
uint64_t val = extract__syscall_argument(regs, 2);
ringbuf__store_u64(&ringbuf, val);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

4
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c
View File

@ -13,7 +13,7 @@
SEC("tp_btf/sys_enter")
int BPF_PROG(generic_e, struct pt_regs *regs, long id) {
struct ringbuf_struct ringbuf;
if(!ringbuf__reserve_space(&ringbuf, SYSCALL_E_SIZE, PPME_GENERIC_E)) {
if(!ringbuf__reserve_space(&ringbuf, GENERIC_E_SIZE, PPME_GENERIC_E)) {
return 0;
}
@ -52,7 +52,7 @@ int BPF_PROG(generic_e, struct pt_regs *regs, long id) {
SEC("tp_btf/sys_exit")
int BPF_PROG(generic_x, struct pt_regs *regs, long ret) {
struct ringbuf_struct ringbuf;
if(!ringbuf__reserve_space(&ringbuf, SYSCALL_X_SIZE, PPME_GENERIC_X)) {
if(!ringbuf__reserve_space(&ringbuf, GENERIC_X_SIZE, PPME_GENERIC_X)) {
return 0;
}

12
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents.bpf.c
View File

@ -21,9 +21,9 @@ int BPF_PROG(getdents_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
/* Parameter 1: fd (type: PT_FD)*/
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/*=============================== COLLECT PARAMETERS ===========================*/
@ -47,13 +47,9 @@ int BPF_PROG(getdents_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

12
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getdents64.bpf.c
View File

@ -21,9 +21,9 @@ int BPF_PROG(getdents64_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
/* Parameter 1: fd (type: PT_FD)*/
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/*=============================== COLLECT PARAMETERS ===========================*/
@ -47,13 +47,9 @@ int BPF_PROG(getdents64_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

4
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/getrlimit.bpf.c
View File

@ -71,10 +71,6 @@ int BPF_PROG(getrlimit_x, struct pt_regs *regs, long ret) {
ringbuf__store_s64(&ringbuf, -1);
}
/* Parameter 4: resource (type: PT_ENUMFLAGS8) */
unsigned long resource = extract__syscall_argument(regs, 0);
ringbuf__store_u8(&ringbuf, rlimit_resource_to_scap(resource));
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

5
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/inotify_init.bpf.c
View File

@ -53,11 +53,6 @@ int BPF_PROG(inotify_init_x, struct pt_regs *regs, long ret) {
/* Parameter 1: res (type: PT_FD) */
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: flags (type: PT_UINT8) */
/* Send `0` to unify handling with inotify_init1. */
uint8_t flags = 0;
ringbuf__store_u8(&ringbuf, flags);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

14
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ioctl.bpf.c
View File

@ -55,21 +55,9 @@ int BPF_PROG(ioctl_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: fd (type: PT_FD) */
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/* Parameter 3: request (type: PT_UINT64) */
uint64_t request = extract__syscall_argument(regs, 1);
ringbuf__store_u64(&ringbuf, request);
/* Parameter 4: argument (type: PT_UINT64) */
uint64_t argument = extract__syscall_argument(regs, 2);
ringbuf__store_u64(&ringbuf, argument);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

10
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/kill.bpf.c
View File

@ -51,17 +51,9 @@ int BPF_PROG(kill_x, struct pt_regs *regs, long ret) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: res (type: PT_ERRNO) */
/* Parameter 1: res (type: PT_ERRNO)*/
ringbuf__store_s64(&ringbuf, ret);
/* Parameter 2: pid (type: PT_PID) */
pid_t pid = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)pid);
/* Parameter 3: sig (type: PT_SIGTYPE) */
uint8_t sig = (uint8_t)extract__syscall_argument(regs, 1);
ringbuf__store_u8(&ringbuf, sig);
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

14
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/llseek.bpf.c
View File

@ -58,20 +58,6 @@ int BPF_PROG(llseek_x, struct pt_regs *regs, long ret) {
/* Parameter 1: res (type: PT_ERRNO) */
ringbuf__store_s64(&ringbuf, (int64_t)ret);
/* Parameter 2: fd (type: PT_FD) */
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/* Parameter 3: offset (type: PT_UINT64) */
unsigned long oh = extract__syscall_argument(regs, 1);
unsigned long ol = extract__syscall_argument(regs, 2);
unsigned long offset = (oh << 32) + ol;
ringbuf__store_u64(&ringbuf, offset);
/* Parameter 4: whence (type: PT_ENUMFLAGS8) */
unsigned long whence = extract__syscall_argument(regs, 3);
ringbuf__store_u8(&ringbuf, lseek_whence_to_scap(whence));
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

16
driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/lseek.bpf.c
View File

@ -22,8 +22,8 @@ int BPF_PROG(lseek_e, struct pt_regs *regs, long id) {
/*=============================== COLLECT PARAMETERS ===========================*/
/* Parameter 1: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
int32_t fd = (int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, (int64_t)fd);
/* Parameter 2: offset (type: PT_UINT64) */
unsigned long offset = extract__syscall_argument(regs, 1);
@ -56,18 +56,6 @@ int BPF_PROG(lseek_x, struct pt_regs *regs, long ret) {
/* Parameter 1: res (type: PT_ERRNO) */
ringbuf__store_s64(&ringbuf, (int64_t)ret);
/* Parameter 2: fd (type: PT_FD) */
int64_t fd = (int64_t)(int32_t)extract__syscall_argument(regs, 0);
ringbuf__store_s64(&ringbuf, fd);
/* Parameter 3: offset (type: PT_UINT64) */
unsigned long offset = extract__syscall_argument(regs, 1);
ringbuf__store_u64(&ringbuf, offset);
/* Parameter 4: whence (type: PT_ENUMFLAGS8) */
unsigned long whence = extract__syscall_argument(regs, 2);
ringbuf__store_u8(&ringbuf, lseek_whence_to_scap(whence));
/*=============================== COLLECT PARAMETERS ===========================*/
ringbuf__submit_event(&ringbuf);

Some files were not shown because too many files have changed in this diff Show More