new: introduce dedicated dropping logic for some syscalls

Signed-off-by: Andrea Terzolo <[email protected]>

driver/modern_bpf/definitions/missing_definitions.h

@@ -1397,4 +1397,13 @@
 
 /*=============================== SOCKETCALL CODES ===========================*/
 
+/*=============================== OPENED FILE DESCRIPTORS ===========================*/
+
+/* `/include/asm-generic/bitsperlong.h` from kernel source tree. */
+
+#define BITS_PER_LONG 64
+#define BIT_WORD(nr)		((nr) / BITS_PER_LONG)
+
+/*=============================== OPENED FILE DESCRIPTORS ===========================*/
+
 #endif /* __MISSING_DEFINITIONS_H__ */

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/bind.bpf.c

@@ -49,6 +49,11 @@ int BPF_PROG(bind_x,
 	     struct pt_regs *regs,
 	     long ret)
 {
+	if(maps__get_dropping_mode() && ret < 0)
+	{
+		return 0;
+	}
+
 	struct auxiliary_map *auxmap = auxmap__get();
 	if(!auxmap)
 	{

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/close.bpf.c

@@ -14,6 +14,40 @@ int BPF_PROG(close_e,
 	     struct pt_regs *regs,
 	     long id)
 {
+	if(maps__get_dropping_mode())
+	{
+		s32 fd = (s32)extract__syscall_argument(regs, 0);
+		/* We drop the event if we are closing a negative file descriptor */
+		if(fd < 0)
+		{
+			return 0;
+		}
+
+		struct task_struct *task = get_current_task();
+		u32 max_fds = 0;
+		READ_TASK_FIELD_INTO(&max_fds, task, files, fdt, max_fds);
+		/* We drop the event if the fd is >= than `max_fds` */
+		if(fd >= max_fds)
+		{
+			return 0;
+		}
+
+		/* We drop the event if the fd is not open */
+		long unsigned int entry = 0;
+		long unsigned int *open_fds = READ_TASK_FIELD(task, files, fdt, open_fds);
+		if(open_fds == NULL)
+		{
+			return 0;
+		}
+		if(bpf_probe_read_kernel(&entry, sizeof(entry), (const void *)&(open_fds[BIT_WORD(fd)])) == 0)
+		{
+			if(!(1UL & (entry >> (fd & (BITS_PER_LONG - 1)))))
+			{
+				return 0;
+			}
+		}
+	}
+
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf, CLOSE_E_SIZE))
 	{
@@ -44,6 +78,11 @@ int BPF_PROG(close_x,
 	     struct pt_regs *regs,
 	     long ret)
 {
+	if(maps__get_dropping_mode() && ret < 0)
+	{
+		return 0;
+	}
+
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf, CLOSE_X_SIZE))
 	{

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fcntl.bpf.c

@@ -7,13 +7,28 @@
 
 #include <helpers/interfaces/fixed_size_event.h>
 
+static __always_inline bool check_fcntl_dropping(struct pt_regs *regs)
+{
+	int cmd = (s32)extract__syscall_argument(regs, 1);
+	if(cmd != F_DUPFD && cmd != F_DUPFD_CLOEXEC)
+	{
+		return true;
+	}
+	return false;
+}
+
 /*=============================== ENTER EVENT ===========================*/
 
 SEC("tp_btf/sys_enter")
 int BPF_PROG(fcntl_e,
 	     struct pt_regs *regs,
 	     long id)
 {
+	if(maps__get_dropping_mode() && check_fcntl_dropping(regs))
+	{
+		return 0;
+	}
+
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf, FCNTL_E_SIZE))
 	{
@@ -48,6 +63,11 @@ int BPF_PROG(fcntl_x,
 	     struct pt_regs *regs,
 	     long ret)
 {
+	if(maps__get_dropping_mode() && check_fcntl_dropping(regs))
+	{
+		return 0;
+	}
+
 	struct ringbuf_struct ringbuf;
 	if(!ringbuf__reserve_space(&ringbuf, FCNTL_X_SIZE))
 	{