Ssprod 23814 add addl event init method

.github/workflows/ci.yaml

@@ -0,0 +1,72 @@
+name: CI Build
+on:
+  pull_request:
+    branches: [dev]
+
+jobs:
+  check-build:
+
+    strategy:
+      matrix:
+        flavor:  [ regular, bundled-deps, with-chisels, minimal ]
+        include:
+          - flavor: regular
+            build-args: '-DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=True'
+          - flavor: bundled-deps
+            build-args: '-DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True'
+          - flavor: with-chisels
+            build-args: '-DBUILD_BPF=On -DWITH_CHISEL=True'
+          - flavor: minimal
+            build-args: '-DMINIMAL_BUILD=True'
+
+    runs-on: ubuntu-20.04
+    container: ubuntu:20.04
+
+    steps:
+      - name: Setup dependencies
+        run: |
+          apt-get update && apt-get install -y --no-install-recommends \
+            ca-certificates \
+            cmake \
+            build-essential \
+            clang \
+            llvm \
+            git \
+            libncurses-dev \
+            pkg-config \
+            autoconf \
+            automake \
+            libtool \
+            libelf-dev \
+            wget \
+            libb64-dev \
+            libc-ares-dev \
+            libcurl4-openssl-dev \
+            libssl-dev \
+            libtbb-dev \
+            libjq-dev \
+            libjsoncpp-dev \
+            libgrpc++-dev \
+            protobuf-compiler-grpc \
+            libgtest-dev \
+            libprotobuf-dev \
+            libre2-dev \
+            linux-headers-$(uname -r) \
+            && apt-get clean
+        env:
+          DEBIAN_FRONTEND: noninteractive
+
+      - name: "Allow agent-libs repo access, ref: https://github.com/actions/checkout/issues/760"
+        run: git config --global --add safe.directory /__w/agent-libs/agent-libs
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Build ${{ matrix.flavor }}
+        run: |
+          rm -rf build
+          mkdir -p build
+          cd build
+          cmake ${{ matrix.build-args }} -DBUILD_LIBSCAP_GVISOR=OFF ..
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j$(nproc)
+          make run-unit-tests

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - master
       - 'release/**'
+      - 'maintainers/**'
   workflow_dispatch:
 
 jobs:
@@ -161,6 +162,15 @@ jobs:
             KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
             make run-unit-tests
 
+  test-drivers-x86:
+    name: test-drivers-x86 😇 (bundled_deps)
+    runs-on: ubuntu-22.04
+    needs: paths-filter
+    if: false
+    steps:
+      - name: Fake test
+        run: echo "skipped"
+
   build-and-test-modern-bpf-x86:
     name: build-and-test-modern-bpf-x86 😇 (bundled_deps)
     runs-on: ubuntu-22.04

README.md

@@ -145,6 +145,12 @@ make ProbeSkeleton
 
 > __Please note__: these are not the requirements to use the BPF probe but to build it from source!
 
+As you have seen the modern bpf probe has strict requirements to be built that maybe are not easy to satisfy on old machines. The workaround you can use is to build the probe skeleton on a recent machine and than link it during the building phase on an older machine. To do that you have to use the cmake variable `MODERN_BPF_SKEL_DIR`. Supposing you have built the skeleton under the directory `/tmp/skel-dir`, you should use the option in this way:
+
+```bash
+cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR="/tmp/skel-dir" -DBUILD_LIBSCAP_GVISOR=OFF .. 
+```
+
 ### gVisor support
 
 Libscap contains additional library functions to allow integration with system call events coming from [gVisor](https://gvisor.dev).

cmake/modules/curl.cmake

@@ -36,8 +36,8 @@ else()
 			curl
 			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
 			DEPENDS openssl zlib
-			URL "https://github.com/curl/curl/releases/download/curl-7_84_0/curl-7.84.0.tar.bz2"
-			URL_HASH "SHA256=702fb26e73190a3bd77071aa146f507b9817cc4dfce218d2ab87f00cd3bc059d"
+			URL "https://github.com/curl/curl/releases/download/curl-7_87_0/curl-7.87.0.tar.bz2"
+			URL_HASH "SHA256=5d6e128761b7110946d1276aff6f0f266f2b726f5e619f7e0a057a474155f307"
 			CONFIGURE_COMMAND
 			./configure
 			${CURL_SSL_OPTION}
@@ -73,6 +73,7 @@ else()
 			--without-libpsl
 			--without-nghttp2
 			--without-libssh2
+			--with-ca-path=/etc/ssl/certs/
 			--disable-threaded-resolver
 			--without-brotli
 			--without-zstd

cmake/modules/libelf.cmake

@@ -5,6 +5,9 @@ option(USE_BUNDLED_LIBELF "Enable building of the bundled libelf" ${USE_BUNDLED_
 
 if(LIBELF_INCLUDE)
     # we already have LIBELF
+    # We add a custom target, in this way we can always depend on `libelf`
+    # without distinguishing between "bundled" and "not-bundled" case
+    add_custom_target(libelf)
 elseif(NOT USE_BUNDLED_LIBELF)
     find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
     find_library(LIBELF_LIB NAMES libelf.a libelf.so)
@@ -13,6 +16,9 @@ elseif(NOT USE_BUNDLED_LIBELF)
     else()
         message(FATAL_ERROR "Couldn't find system libelf")
     endif()
+    # We add a custom target, in this way we can always depend on `libelf`
+    # without distinguishing between "bundled" and "not-bundled" case
+    add_custom_target(libelf)
 else()
     set(LIBELF_SRC "${PROJECT_BINARY_DIR}/libelf-prefix/src")
     set(LIBELF_INCLUDE "${LIBELF_SRC}/libelf/libelf")

cmake/modules/openssl.cmake

@@ -21,8 +21,8 @@ else()
 
 		ExternalProject_Add(openssl
 			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
-			URL "https://github.com/openssl/openssl/archive/OpenSSL_1_1_1p.tar.gz"
-			URL_HASH "SHA256=cd0cce1de6c9a6da8f83ba7ae210a3662eab21c4df7aff30149597797b2ceac9"
+			URL "https://github.com/openssl/openssl/archive/OpenSSL_1_1_1q.tar.gz"
+			URL_HASH "SHA256=0686897afd3a08223760db73d8034550401b53ffc545798d7ca476564f80315e"
 			CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
 			BUILD_COMMAND ${CMD_MAKE}
 			BUILD_IN_SOURCE 1

driver/API_VERSION

@@ -1 +1 @@
-3.0.0
+3.0.1

driver/SCHEMA_VERSION

@@ -1 +1 @@
-2.2.0
+2.3.0

driver/bpf/Makefile

@@ -61,5 +61,6 @@ $(obj)/probe.o: $(src)/probe.c \
 		-fno-jump-tables \
 		-fno-stack-protector \
 		-Wno-tautological-compare \
+		-Wno-unknown-attributes \
 		-O2 -g -emit-llvm -c $< -o $(patsubst %.o,%.ll,$@)
 	$(LLC) -march=bpf -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)

driver/bpf/filler_helpers.h

@@ -17,6 +17,8 @@ or GPL2.txt for full copies of the license.
 #include <linux/in.h>
 #include <linux/fdtable.h>
 #include <linux/net.h>
+/* SYSDIG -- Fix Little-Endian assumptions */
+#include <endian.h>
 
 #include "../ppm_flag_helpers.h"
 #include "builtins.h"
@@ -447,6 +449,8 @@ static __always_inline u32 bpf_compute_snaplen(struct filler_data *data,
 		if (lookahead_size >= 5) {
 			u32 buf = *(u32 *)&get_buf(0);
 
+/* SYSDIG -- Fix Little-Endian assumptions */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
 			if (buf == 0x20544547 || // "GET "
 			    buf == 0x54534F50 || // "POST"
 			    buf == 0x20545550 || // "PUT "
@@ -457,6 +461,20 @@ static __always_inline u32 bpf_compute_snaplen(struct filler_data *data,
 			    (buf == 0x50545448 && data->buf[(data->state->tail_ctx.curoff + 4) & SCRATCH_SIZE_HALF] == '/')) { // "HTTP/"
 				return 2000;
 			}
+#elif __BYTE_ORDER == __BIG_ENDIAN
+			if (buf == 0x47455420 || // "GET "
+			    buf == 0x504F5354 || // "POST"
+			    buf == 0x50555420 || // "PUT "
+			    buf == 0x44454C45 || // "DELE"
+			    buf == 0x54524143 || // "TRAC"
+			    buf == 0x434F4E4E || // "CONN"
+			    buf == 0x4F505449 || // "OPTI"
+			    (buf == 0x48545450 && data->buf[(data->state->tail_ctx.curoff + 4) & SCRATCH_SIZE_HALF] == '/')) { // "HTTP/"
+				return 2000;
+			}
+#else
+#error UNDEFINED __BYTE_ORDER
+#endif
 		}
 	}
 

driver/bpf/fillers.h

@@ -61,7 +61,7 @@ static __always_inline int __bpf_##x(struct filler_data *data);		\
 __bpf_section(TP_NAME "filler/" #x)					\
 static __always_inline int bpf_##x(void *ctx)				\
 {									\
-	struct filler_data data;					\
+	struct filler_data data = {0};					\
 	int res;							\
 									\
 	res = init_filler_data(ctx, &data, is_syscall);			\
@@ -288,7 +288,7 @@ FILLER_RAW(terminate_filler)
 		if (state->n_drops_scratch_map != ULLONG_MAX) {
 			++state->n_drops_scratch_map;
 		}
-		break;	
+		break;
 	default:
 		bpf_printk("Unknown filler res=%d event=%d curarg=%d\n",
 			   state->tail_ctx.prev_res,
@@ -852,7 +852,12 @@ static __always_inline unsigned long bpf_get_mm_counter(struct mm_struct *mm,
 {
 	long val;
 
+// See 6.2 kernel commit: https://github.com/torvalds/linux/commit/f1a7941243c102a44e8847e3b94ff4ff3ec56f25
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 2, 0)
 	bpf_probe_read(&val, sizeof(val), &mm->rss_stat.count[member]);
+#else
+	bpf_probe_read(&val, sizeof(val), &mm->rss_stat[member].count);
+#endif
 	if (val < 0)
 		val = 0;
 
@@ -1725,10 +1730,9 @@ static __always_inline int bpf_ppm_get_tty(struct task_struct *task)
 	struct signal_struct *sig;
 	struct tty_struct *tty;
 	struct tty_driver *driver;
-	int major;
-	int minor_start;
-	int index;
-	int tty_nr = 0;
+	int major = 0;
+	int minor_start = 0;
+	int index = 0;
 
 	sig = _READ(task->signal);
 	if (!sig)
@@ -1738,18 +1742,15 @@ static __always_inline int bpf_ppm_get_tty(struct task_struct *task)
 	if (!tty)
 		return 0;
 
-	index = _READ(tty->index);
-
 	driver = _READ(tty->driver);
 	if (!driver)
 		return 0;
 
+	index = _READ(tty->index);
 	major = _READ(driver->major);
 	minor_start = _READ(driver->minor_start);
 
-	tty_nr = new_encode_dev(MKDEV(major, minor_start) + index);
-
-	return tty_nr;
+	return new_encode_dev(MKDEV(major, minor_start) + index);
 }
 
 static __always_inline struct pid *bpf_task_pid(struct task_struct *task)
@@ -2317,7 +2318,7 @@ FILLER(proc_startupdate, true)
 		arg_start = _READ(mm->arg_start);
 		args_len = arg_end - arg_start;
 
-		if (args_len) {
+		if (args_len > 0) {
 			if (args_len > ARGS_ENV_SIZE_MAX)
 				args_len = ARGS_ENV_SIZE_MAX;
 
@@ -2344,7 +2345,7 @@ FILLER(proc_startupdate, true)
 		case PPME_SYSCALL_EXECVE_19_X:
 			val = bpf_syscall_get_argument(data, 1);
 			break;
-		
+
 		case PPME_SYSCALL_EXECVEAT_X:
 			val = bpf_syscall_get_argument(data, 2);
 			break;
@@ -2362,14 +2363,14 @@ FILLER(proc_startupdate, true)
 		args_len = 0;
 	}
 
-	if (args_len) {
+	if (args_len > 0) {
 		int exe_len;
 
 		exe_len = bpf_probe_read_str(&data->buf[data->state->tail_ctx.curoff & SCRATCH_SIZE_HALF],
 						SCRATCH_SIZE_HALF,
 						&data->buf[data->state->tail_ctx.curoff & SCRATCH_SIZE_HALF]);
 
-		if (exe_len == -EFAULT)
+		if (exe_len < 0)
 			return PPM_FAILURE_INVALID_USER_MEMORY;
 
 		/*
@@ -2380,11 +2381,15 @@ FILLER(proc_startupdate, true)
 		if (res != PPM_SUCCESS)
 			return res;
 
+		args_len -= exe_len;
+		if (args_len < 0)
+			return PPM_FAILURE_INVALID_USER_MEMORY;
+
 		/*
 		 * Args
 		 */
 		data->curarg_already_on_frame = true;
-		res = __bpf_val_to_ring(data, 0, args_len - exe_len, PT_BYTEBUF, -1, false);
+		res = __bpf_val_to_ring(data, 0, args_len, PT_BYTEBUF, -1, false);
 		if (res != PPM_SUCCESS)
 			return res;
 	} else {
@@ -2797,6 +2802,7 @@ FILLER(execve_family_flags, true)
 	bool exe_writable = false;
 	bool exe_upper_layer = false;
 	uint32_t flags = 0;
+	kuid_t euid;
 
 	if(inode)
 	{
@@ -2854,7 +2860,12 @@ FILLER(execve_family_flags, true)
 
 	/* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
 	time = _READ(inode->i_mtime);
-	return bpf_val_to_ring_type(data, bpf_epoch_ns_from_time(time), PT_ABSTIME);
+	res = bpf_val_to_ring_type(data, bpf_epoch_ns_from_time(time), PT_ABSTIME);
+	CHECK_RES(res);
+
+	/* Parameter 27: uid */
+	euid = _READ(cred->euid);
+	return bpf_val_to_ring_type(data, euid.val, PT_UINT32);
 }
 
 FILLER(sys_accept4_e, true)
@@ -6473,6 +6484,7 @@ FILLER(sched_prog_exec_4, false)
 	bool exe_writable = false;
 	bool exe_upper_layer = false;
 	uint32_t flags = 0;
+	kuid_t euid;
 
 	if(inode)
 	{
@@ -6530,7 +6542,12 @@ FILLER(sched_prog_exec_4, false)
 
 	/* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
 	time = _READ(inode->i_mtime);
-	return bpf_val_to_ring_type(data, bpf_epoch_ns_from_time(time), PT_ABSTIME);
+	res = bpf_val_to_ring_type(data, bpf_epoch_ns_from_time(time), PT_ABSTIME);
+	CHECK_RES(res);
+
+	/* Parameter 27: uid */
+	euid = _READ(cred->euid);
+	return bpf_val_to_ring_type(data, euid.val, PT_UINT32);
 }
 #endif