Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Method get_syscall_fnname make me can not get the parameters of syscall. #2590

Closed
wwyf opened this issue Nov 11, 2019 · 2 comments
Closed

Method get_syscall_fnname make me can not get the parameters of syscall. #2590

wwyf opened this issue Nov 11, 2019 · 2 comments

Comments

@wwyf
Copy link
Contributor

wwyf commented Nov 11, 2019
edited
Loading

The problem

Because of the syscall warpper presented in linux kernel v4.17 link ( Now I use v5.3 link ) , the function __x64_sys_##name is the syscall warpper without parameters (Parameters cannot get from the registers directly) and only the sub function __sys_##name has the arguments. But if I want to use the bpf_override_return to override the return value of syscall, I can only add a kprobe to __x64_sys_##name since these functions are in "whitelist".

Conclusion

So if I add a kprobe to __x64_sys_##name, I can overwrite the return value but I can not get the parameters. In contrast, If I want to get the parameters of syscall I must add a probe to __sys_#name.

The trouble

Method get_syscall_fnname always return the name of syscall like __x64_sys_##name which make me trouble about the wrong parameters until now. Now I found the root cause and I has two problems:

  1. Method get_syscall_fnname may trouble some people who using the new version of kernel (like me). May be I must hard code the syscall function name without using this function ?
  2. I need to override the return value of syscall in some case according the parameters of syscall. If I do that I must add a kprobe to __sys_##name and add a kretprobe to __x64_sys_##name. ummm I just feel that is ugly. Is there a elegent way to do that ?
@yonghong-song
Copy link
Collaborator

For your issue 1, get_syscall_fnname exactly tries to get the properly exposed syscall function names in /proc/kallsyms. Looks like not all syscalls have corresponding __sys_##name version.
In your case, yes, it is better just to hard code the function name. Maybe you can also contribute a pull request to document get_syscall_fnname properly?

For your issue 2, you can still use __x64_sys_##name for both kprobe and kretprobe. For the kprobe, you just need another indirection to extract the proper arguments. Adding debug=4 in your BPF constructor and you will see how bcc rewriter will be able to generate proper codes
to retrieve proper parameters. One example, execsnoop.py.

@wwyf
Copy link
Contributor Author

wwyf commented Nov 13, 2019

Thanks for your detailed explanation! I'll try the debug=4 flag to solve my problem.
And I'll try to add a supplementary explanation to function get_sys_fnname soon.

@wwyf wwyf mentioned this issue Nov 13, 2019
Merged
@wwyf wwyf closed this as completed Nov 14, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@yonghong-song @wwyf