stackrox · erthalion · Oct 4, 2023 · Oct 2, 2023 · Oct 4, 2023 · Oct 4, 2023
@@ -32,7 +32,7 @@ on:
           bucket will take precendence over the one in drivers-bucket.
       max-layer-depth:
         type: string
-        default: "5"
+        default: "4"
         description: |
           Max layer the drivers will be split into for x86 images
 

@@ -27,6 +27,8 @@ endif()
 
 set(FALCO_DIR ${PROJECT_SOURCE_DIR}/../falcosecurity-libs)
 
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+
 add_subdirectory(${PROJECT_SOURCE_DIR}/proto)
 
 include_directories(${PROJECT_SOURCE_DIR}/lib)
@@ -109,6 +111,7 @@ set(NO_LINK_GRPC_LIBS ON CACHE BOOL "Do not link gRPC libraries" FORCE)
 set(WITH_CHISEL OFF CACHE BOOL "Include chisel implementation" FORCE)
 set(BUILD_LIBSCAP_GVISOR OFF CACHE BOOL "Do not build gVisor support" FORCE)
 set(MINIMAL_BUILD_WITH_EBPF ON CACHE BOOL "Minimal" FORCE)
+set(LIBELF_LIB_SUFFIX ".so" CACHE STRING "Use libelf.so" FORCE)
 
 # Turn OFF falco's unit tests and examples
 set(CREATE_TEST_TARGETS OFF CACHE BOOL "Enable make-targets for unit testing" FORCE)

@@ -23,6 +23,7 @@ class CollectorConfig {
   static constexpr CollectionMethod kCollectionMethod = CollectionMethod::EBPF;
   static constexpr const char* kSyscalls[] = {
       "accept",
+      "accept4",
       "chdir",
       "clone",
       "close",

@@ -15,7 +15,7 @@ EventNames::EventNames() {
     std::string name(g_event_info[i].name);
     syscall_by_id_[i] = 0;
     names_by_id_[i] = name;
-    ppm_event_type event_type(static_cast<ppm_event_type>(i));
+    ppm_event_code event_type(static_cast<ppm_event_code>(i));
     events_by_name_[name].push_back(event_type);
     if (PPME_IS_ENTER(event_type)) {
       events_by_name_[name + ">"].push_back(event_type);
@@ -24,13 +24,13 @@ EventNames::EventNames() {
     }
   }
   for (int i = 0; i < SYSCALL_TABLE_SIZE; i++) {
-    ppm_event_type enter_evt = g_syscall_table[i].enter_event_type;
+    ppm_event_code enter_evt = g_syscall_table[i].enter_event_type;
     if (enter_evt < 0 || enter_evt >= syscall_by_id_.size()) {
       throw CollectorException("Invalid syscall event id " + std::to_string(enter_evt));
     }
     syscall_by_id_[enter_evt] = i;
 
-    ppm_event_type exit_evt = g_syscall_table[i].exit_event_type;
+    ppm_event_code exit_evt = g_syscall_table[i].exit_event_type;
     if (exit_evt < 0 || exit_evt >= syscall_by_id_.size()) {
       throw CollectorException("Invalid syscall event id " + std::to_string(exit_evt));
     }

@@ -13,7 +13,7 @@ namespace collector {
 
 class EventNames {
  public:
-  using EventIDVector = std::vector<ppm_event_type>;
+  using EventIDVector = std::vector<ppm_event_code>;
 
   static const EventNames& GetInstance();
 

@@ -10,6 +10,8 @@ extern "C" {
 #include <unistd.h>
 }
 
+#include "libsinsp/sinsp.h"
+
 #include "CollectorConfig.h"
 #include "EventNames.h"
 #include "FileSystem.h"
@@ -36,40 +38,23 @@ class KernelDriverEBPF : public IKernelDriver {
       CLOG(ERROR) << "Cannot open eBPF probe at " << SysdigService::kProbePath;
       return false;
     }
-    setDropSyscalls(config.Syscalls());
 
     /* Get only necessary tracepoints. */
-    auto tp_set = libsinsp::events::enforce_simple_tp_set();
-    std::unordered_set<ppm_sc_code> ppm_sc;
+    auto syscall_names = config.Syscalls();
+
+    std::unordered_set<std::string> syscall_set(syscall_names.begin(), syscall_names.end());
+    auto ppm_sc = libsinsp::events::sc_names_to_sc_set(syscall_set);
+    ppm_sc.insert(PPM_SC_SCHED_PROCESS_EXIT);
 
     try {
-      inspector.open_bpf(SysdigService::kProbePath, DEFAULT_DRIVER_BUFFER_BYTES_DIM, ppm_sc, tp_set);
+      inspector.open_bpf(SysdigService::kProbePath, DEFAULT_DRIVER_BUFFER_BYTES_DIM, ppm_sc);
     } catch (const sinsp_exception& ex) {
       CLOG(WARNING) << ex.what();
       return false;
     }
 
     return true;
   }
-
- private:
-  void setDropSyscalls(const std::vector<std::string>& syscalls) {
-    // Initialize bpf syscall drop table to drop all
-    for (int i = 0; i < SYSCALL_TABLE_SIZE; i++) {
-      g_bpf_drop_syscalls[i] = 1;
-    }
-    // Do not drop syscalls from given list
-    const EventNames& event_names = EventNames::GetInstance();
-    for (const auto& syscall_str : syscalls) {
-      for (ppm_event_type event_id : event_names.GetEventIDs(syscall_str)) {
-        uint16_t syscall_id = event_names.GetEventSyscallID(event_id);
-        if (!syscall_id) {
-          continue;
-        }
-        g_bpf_drop_syscalls[syscall_id] = 0;
-      }
-    }
-  }
 };
 
 class KernelDriverCOREEBPF : public IKernelDriver {
@@ -78,30 +63,17 @@ class KernelDriverCOREEBPF : public IKernelDriver {
 
   bool Setup(const CollectorConfig& config, sinsp& inspector) override {
     /* Capture only necessary tracepoints and syscalls. */
-    auto tp_set = libsinsp::events::enforce_simple_tp_set();
-    std::unordered_set<ppm_sc_code> ppm_sc;
-
-    /*
-     * Convert text reprecentation of event type into an actual syscall code
-     * using g_syscall_table.
-     */
-    const EventNames& event_names = EventNames::GetInstance();
-    for (const auto& syscall_str : config.Syscalls()) {
-      for (ppm_event_type event_id : event_names.GetEventIDs(syscall_str)) {
-        uint16_t syscall_id = event_names.GetEventSyscallID(event_id);
-        if (!syscall_id) {
-          continue;
-        }
-
-        syscall_evt_pair syscall = g_syscall_table[syscall_id];
-        ppm_sc.insert((ppm_sc_code)syscall.ppm_sc);
-      }
-    }
+    // std::unordered_set<ppm_sc_code> ppm_sc;
+    auto syscall_names = config.Syscalls();
+
+    std::unordered_set<std::string> syscall_set(syscall_names.begin(), syscall_names.end());
+    auto ppm_sc = libsinsp::events::sc_names_to_sc_set(syscall_set);
+    ppm_sc.insert(PPM_SC_SCHED_PROCESS_EXIT);
 
     try {
       inspector.open_modern_bpf(DEFAULT_DRIVER_BUFFER_BYTES_DIM,
                                 DEFAULT_CPU_FOR_EACH_BUFFER,
-                                true, ppm_sc, tp_set);
+                                true, ppm_sc);
     } catch (const sinsp_exception& ex) {
       if (config.CoReBPFHardfail()) {
         throw ex;

@@ -306,7 +306,7 @@ void SysdigService::AddSignalHandler(std::unique_ptr<SignalHandler> signal_handl
   } else {
     const EventNames& event_names = EventNames::GetInstance();
     for (const auto& event_name : relevant_events) {
-      for (ppm_event_type event_id : event_names.GetEventIDs(event_name)) {
+      for (ppm_event_code event_id : event_names.GetEventIDs(event_name)) {
         event_filter.set(event_id);
         global_event_filter_.set(event_id);
       }