From d563dbe7ce555a4546f7d9bc63500475dca72cb6 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Sat, 15 Oct 2022 13:55:46 +0000
Subject: [PATCH] update(modern_bpf): change signature of `auxmap__store_charbuf_param` method

Signed-off-by: Andrea Terzolo
Co-authored-by: Hendrik Brueckner
Co-authored-by: Melissa Kilby
---
.../helpers/store/auxmap_store_params.h | 69 ++++++++++++++-----
.../syscall_dispatched_events/chdir.bpf.c | 2 +-
.../syscall_dispatched_events/chmod.bpf.c | 2 +-
.../syscall_dispatched_events/chroot.bpf.c | 2 +-
.../syscall_dispatched_events/clone.bpf.c | 6 +-
.../syscall_dispatched_events/clone3.bpf.c | 6 +-
.../syscall_dispatched_events/creat.bpf.c | 4 +-
.../syscall_dispatched_events/execve.bpf.c | 8 +--
.../syscall_dispatched_events/execveat.bpf.c | 4 +-
.../syscall_dispatched_events/fchmodat.bpf.c | 3 +-
.../syscall_dispatched_events/fork.bpf.c | 6 +-
.../syscall_dispatched_events/fsconfig.bpf.c | 4 +-
.../syscall_dispatched_events/link.bpf.c | 4 +-
.../syscall_dispatched_events/linkat.bpf.c | 4 +-
.../syscall_dispatched_events/mkdir.bpf.c | 2 +-
.../syscall_dispatched_events/mkdirat.bpf.c | 2 +-
.../syscall_dispatched_events/mount.bpf.c | 6 +-
.../syscall_dispatched_events/open.bpf.c | 4 +-
.../syscall_dispatched_events/openat.bpf.c | 4 +-
.../syscall_dispatched_events/openat2.bpf.c | 4 +-
.../syscall_dispatched_events/quotactl.bpf.c | 4 +-
.../syscall_dispatched_events/rename.bpf.c | 4 +-
.../syscall_dispatched_events/renameat.bpf.c | 4 +-
.../syscall_dispatched_events/renameat2.bpf.c | 4 +-
.../syscall_dispatched_events/rmdir.bpf.c | 2 +-
.../syscall_dispatched_events/symlink.bpf.c | 4 +-
.../syscall_dispatched_events/symlinkat.bpf.c | 4 +-
.../syscall_dispatched_events/umount2.bpf.c | 2 +-
.../syscall_dispatched_events/unlink.bpf.c | 2 +-
.../syscall_dispatched_events/unlinkat.bpf.c | 2 +-
.../syscall_dispatched_events/vfork.bpf.c | 6 +-
31 files changed, 108 insertions(+), 76 deletions(-)
diff --git a/driver/modern_bpf/helpers/store/auxmap_store_params.h b/driver/modern_bpf/helpers/store/auxmap_store_params.h index d9a9e3bac8..7b743a63b8 100644 --- a/driver/modern_bpf/helpers/store/auxmap_store_params.h +++ b/driver/modern_bpf/helpers/store/auxmap_store_params.h @@ -10,7 +10,14 @@ #include #include -/* Right now a cgroup pathname can have at most 6 components. */ +/*=============================== FIXED CONSTRAINTS ===============================*/ + +/* These are some of the constraints we want to impose during our + * store operations. One day these could become const global variables + * that could be set by the userspace. + */ + +/* Right now a `cgroup` pathname can have at most 6 components. */ #define MAX_CGROUP_PATH_POINTERS 6 /* Right now a file path extracted from a file descriptor can 
@@ -18,15 +25,35 @@ */ #define MAX_PATH_POINTERS 8 -/* Maximum length of unix socket path. - * We can have at maximum 108 characters plus the `\0` terminator. +/* Maximum length of `unix` socket path. + * We can have a maximum of 108 characters plus the `\0` terminator. */ #define MAX_UNIX_SOCKET_PATH 108 + 1 -/* Max number of iovec structure that we can analize. */ +/* Maximum number of `iovec` structures that we can analyze. */ #define MAX_IOVCNT 32 -/* Conversion factors used in setsockopt val. */ +/* Maximum number of charbuf pointers that we assume an array can have. */ +#define MAX_CHARBUF_POINTERS 16 + +/* Proc name */ +#define MAX_PROC_EXE 4096 + +/* Proc arguments or environment variables. + * Must be always a power of 2 because we can also use it as a mask! + */ +#define MAX_PROC_ARG_ENV 4096 + +/* PATH_MAX supported by the operating system: 4096 */ +#define MAX_PATH 4096 + +/*=============================== FIXED CONSTRAINTS ===============================*/ + +/*=============================== COMMON DEFINITIONS ===============================*/ + +/* Some auxiliary definitions we use during our store operations */ + +/* Conversion factors used in `setsockopt` val. */ #define SEC_FACTOR 1000000000 #define USEC_FACTOR 1000 @@ -46,11 +73,7 @@ enum connection_direction INBOUND = 1, }; -/* Maximum number of charbuf pointers that we assume an array can have. */ -#define MAX_CHARBUF_POINTERS 16 - -/* Maximum length of an `execve` arg. */ -#define MAX_EXECVE_ARG_LEN 4096 +/*=============================== COMMON DEFINITIONS ===============================*/ /* Concept of auxamp (auxiliary map): * 
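Review bot: The comment on `MAX_PROC_ARG_ENV` says the value must always be a power of 2 because it is also used as a mask, but nothing in this hunk enforces that. A later edit to the constant would silently turn `& (MAX_PROC_ARG_ENV - 1)` at the call sites into an arbitrary bit filter instead of a length bound. I would add a compile-time check directly under the define, `_Static_assert((MAX_PROC_ARG_ENV & (MAX_PROC_ARG_ENV - 1)) == 0, "MAX_PROC_ARG_ENV must be a power of 2");`, assuming the BPF build accepts C11 static assertions.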
@@ -303,18 +326,27 @@ static __always_inline void auxmap__store_u64_param(struct auxiliary_map *auxmap /** * @brief This helper stores the charbuf pointed by `charbuf_pointer` - * into the auxmap. The charbuf can have a maximum length - * of `MAX_PARAM_SIZE`. For more details, look at the underlying + * into the auxmap. We read until we find a `\0`, if the charbuf length + * is greater than `len_to_read`, we read up to `len_to_read-1` bytes + * and add the `\0`. For more details, look at the underlying * `push__charbuf` method * * @param auxmap pointer to the auxmap in which we are storing the param. * @param charbuf_pointer pointer to the charbuf to store. + * @param len_to_read upper bound limit. * @param mem from which memory we need to read: user-space or kernel-space. * @return number of bytes read. */ -static __always_inline u16 auxmap__store_charbuf_param(struct auxiliary_map *auxmap, unsigned long charbuf_pointer, enum read_memory mem) +static __always_inline u16 auxmap__store_charbuf_param(struct auxiliary_map *auxmap, unsigned long charbuf_pointer, u16 len_to_read, enum read_memory mem) { - u16 charbuf_len = push__charbuf(auxmap->data, &auxmap->payload_pos, charbuf_pointer, MAX_PARAM_SIZE, mem); + u16 charbuf_len = 0; + /* This check is just for performance reasons. Is useless to check + * `len_to_read > 0` here, since `len_to_read` is just the upper bound. + */ + if(charbuf_pointer) + { + charbuf_len = push__charbuf(auxmap->data, &auxmap->payload_pos, charbuf_pointer, len_to_read, mem); + } /* If we are not able to push anything with `push__charbuf` * `charbuf_len` will be equal to `0` so we will send an * empty param to userspace. 
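Review bot: The `@return number of bytes read` line does not say whether the count includes the terminating `\0`, nor that a NULL `charbuf_pointer` now yields `0` and an empty param. Callers in this same patch add the return value to the start pointer to locate the next argument (`arg_start_pointer + exe_arg_len` in clone_x), so they depend on the terminator being counted; that behaviour comes from `push__charbuf`, which is not visible here and should be confirmed. I would extend the doc to something like `@return number of bytes stored, terminator included; 0 if the pointer is NULL or nothing could be read.` and add a sentence on what is returned when the string is truncated at `len_to_read`. The function body continues past the end of this hunk.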
@@ -335,10 +367,11 @@ static __always_inline u16 auxmap__store_charbuf_param(struct auxiliary_map *aux * @param mem from which memory we need to read: user-space or kernel-space. * @return number of bytes read. */ -static __always_inline u16 auxmap__store_bytebuf_param(struct auxiliary_map *auxmap, unsigned long bytebuf_pointer, unsigned long len_to_read, enum read_memory mem) +static __always_inline u16 auxmap__store_bytebuf_param(struct auxiliary_map *auxmap, unsigned long bytebuf_pointer, u16 len_to_read, enum read_memory mem) { u16 bytebuf_len = 0; - if (len_to_read > 0) + /* This check is just for performance reasons. */ + if(bytebuf_pointer && len_to_read > 0) { bytebuf_len = push__bytebuf(auxmap->data, &auxmap->payload_pos, bytebuf_pointer, len_to_read, mem); } @@ -369,7 +402,7 @@ static __always_inline void auxmap__store_execve_exe(struct auxiliary_map *auxma return; } - exe_len = push__charbuf(auxmap->data, &auxmap->payload_pos, charbuf_pointer, MAX_EXECVE_ARG_LEN, USER); + exe_len = push__charbuf(auxmap->data, &auxmap->payload_pos, charbuf_pointer, MAX_PROC_EXE, USER); push__param_len(auxmap->data, &auxmap->lengths_pos, exe_len); } @@ -400,7 +433,7 @@ static __always_inline void auxmap__store_execve_args(struct auxiliary_map *auxm { break; } - arg_len = push__charbuf(auxmap->data, &auxmap->payload_pos, charbuf_pointer, MAX_EXECVE_ARG_LEN, USER); + arg_len = push__charbuf(auxmap->data, &auxmap->payload_pos, charbuf_pointer, MAX_PROC_ARG_ENV, USER); if(!arg_len) { break; diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chdir.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chdir.bpf.c index 60f672c577..20672a0da7 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chdir.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chdir.bpf.c 
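Review bot: Narrowing `len_to_read` from `unsigned long` to `u16` in `auxmap__store_bytebuf_param` makes every call site convert implicitly, so a length above 65535 wraps instead of being capped; 65536 becomes 0 and the `len_to_read > 0` guard then stores an empty param. The callers changed in this patch mask the value first, but any caller outside the diff that passes a raw syscall size would record a wrong length, and for a monitoring driver that means the captured buffer no longer reflects what the process passed. Either keep the wider parameter type and bound it inside the helper, or state the contract in the doc comment, e.g. `@param len_to_read bytes to read; the caller must bound it to a u16 before the call.` The function body continues outside the hunk.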
@@ -58,7 +58,7 @@ int BPF_PROG(chdir_x, /* Parameter 2: path (type: PT_CHARBUF) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c index 226c13059b..30aff9f1ca 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chmod.bpf.c @@ -58,7 +58,7 @@ int BPF_PROG(chmod_x, /* Parameter 2: filename (type: PT_FSPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /* Parameter 3: mode (type: PT_MODE) */ unsigned long mode = extract__syscall_argument(regs, 1); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c index 42fa6ba4e3..13434a6bd0 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/chroot.bpf.c @@ -58,7 +58,7 @@ int BPF_PROG(chroot_x, /* Parameter 2: path (type: PT_FSPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c index 6a4a4d40dd..a874ecc0f2 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone.bpf.c @@ -78,7 +78,7 @@ int BPF_PROG(clone_x, /* We need to extract the len of `exe` arg so we can understand * the overall length of the remaining args. */ - u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, USER); + u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, MAX_PROC_EXE, USER); /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Here we read all the array starting from the pointer to the first @@ -86,7 +86,7 @@ int BPF_PROG(clone_x, * since we know the total len we read it as a `bytebuf`. * The `\0` after every argument are preserved. */ - auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, total_args_len - exe_arg_len, USER); + auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER); } else { @@ -147,7 +147,7 @@ int BPF_PROG(clone_x, auxmap__store_u32_param(auxmap, vm_swap); /* Parameter 14: comm (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, KERNEL); + auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, MAX_PROC_EXE, KERNEL); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c index 108b13ce97..3d36bcffdd 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c 
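Review bot: `(total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1)` in clone_x wraps the length instead of capping it: a remaining argument block of exactly 4096 bytes is stored as an empty param, and 5000 bytes as 904. Process arguments are what detection rules match on, so a long command line should be truncated to the limit, not reduced modulo the limit. Clamp before masking and keep the mask only for the verifier: `unsigned long args_len = total_args_len - exe_arg_len;`, then `if(args_len > MAX_PROC_ARG_ENV - 1) args_len = MAX_PROC_ARG_ENV - 1;`, and pass `args_len & (MAX_PROC_ARG_ENV - 1)`. The declaration of `total_args_len` is outside the hunk, so a guard for `exe_arg_len > total_args_len` may be needed as well. The same expression appears in the clone3_x, execve_x and fork_x hunks.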
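Review bot: `task->comm` is read with `MAX_PROC_EXE` (4096) as its upper bound in clone_x, although that constant is documented as the limit for the process name and the kernel's `comm` field is a fixed 16-byte array. The read stops at the first `\0`, so this works as long as `comm` is terminated, but the bound does not describe the object being read. A dedicated limit would make the intent explicit and keep the kernel read inside the field, e.g. `auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, TASK_COMM_LEN, KERNEL);` where the build exposes `TASK_COMM_LEN`. The same call is made in the clone3_x, execve_x, execveat_x and fork_x hunks.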
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c @@ -78,7 +78,7 @@ int BPF_PROG(clone3_x, /* We need to extract the len of `exe` arg so we can understand * the overall length of the remaining args. */ - u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, USER); + u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, MAX_PROC_EXE, USER); /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Here we read all the array starting from the pointer to the first @@ -86,7 +86,7 @@ int BPF_PROG(clone3_x, * since we know the total len we read it as a `bytebuf`. * The `\0` after every argument are preserved. */ - auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, total_args_len - exe_arg_len, USER); + auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER); } else { @@ -147,7 +147,7 @@ int BPF_PROG(clone3_x, auxmap__store_u32_param(auxmap, vm_swap); /* Parameter 14: comm (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, KERNEL); + auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, MAX_PROC_EXE, KERNEL); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c index 36f892be30..6d9eb96e21 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/creat.bpf.c 
@@ -26,7 +26,7 @@ int BPF_PROG(creat_e, /* Parameter 1: name (type: PT_FSPATH) */ unsigned long name_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, name_pointer, USER); + auxmap__store_charbuf_param(auxmap, name_pointer, MAX_PATH, USER); /* Parameter 2: mode (type: PT_UINT32) */ unsigned long mode = extract__syscall_argument(regs, 1); @@ -65,7 +65,7 @@ int BPF_PROG(creat_x, /* Parameter 2: name (type: PT_FSPATH) */ unsigned long name_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, name_pointer, USER); + auxmap__store_charbuf_param(auxmap, name_pointer, MAX_PATH, USER); /* Parameter 3: mode (type: PT_UINT32) */ unsigned long mode = extract__syscall_argument(regs, 1); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c index b1b89c08da..18102c7426 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c @@ -25,7 +25,7 @@ int BPF_PROG(execve_e, /* Parameter 1: filename (type: PT_FSPATH) */ unsigned long filename_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, filename_pointer, USER); + auxmap__store_charbuf_param(auxmap, filename_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ @@ -79,7 +79,7 @@ int BPF_PROG(execve_x, /* We need to extract the len of `exe` arg so we can undestand * the overall length of the remaining args. */ - u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, USER); + u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, MAX_PROC_EXE, USER); /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Here we read the whole array starting from the pointer to the first 
@@ -87,7 +87,7 @@ int BPF_PROG(execve_x, * since we know the total len we read it as a `bytebuf`. * The `\0` after every argument are preserved. */ - auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, total_args_len - exe_arg_len, USER); + auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER); } else { @@ -155,7 +155,7 @@ int BPF_PROG(execve_x, auxmap__store_u32_param(auxmap, vm_swap); /* Parameter 14: comm (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, KERNEL); + auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, MAX_PROC_EXE, KERNEL); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c index da895f2591..2d8f04bf51 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c @@ -33,7 +33,7 @@ int BPF_PROG(execveat_e, /* Parameter 2: pathname (type: PT_FSRELPATH) */ unsigned long pathname_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, pathname_pointer, USER); + auxmap__store_charbuf_param(auxmap, pathname_pointer, MAX_PATH, USER); /* Parameter 3: flags (type: PT_FLAGS32) */ unsigned long flags = extract__syscall_argument(regs, 4); @@ -136,7 +136,7 @@ int BPF_PROG(execveat_x, auxmap__store_u32_param(auxmap, vm_swap); /* Parameter 14: comm (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, KERNEL); + auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, MAX_PROC_EXE, KERNEL); /*=============================== COLLECT PARAMETERS ===========================*/ 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c index 2551109e07..9f675d0452 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fchmodat.bpf.c @@ -66,7 +66,7 @@ int BPF_PROG(fchmodat_x, /* Parameter 3: filename (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /* Parameter 4: mode (type: PT_MODE) */ unsigned long mode = extract__syscall_argument(regs, 2); @@ -81,5 +81,4 @@ int BPF_PROG(fchmodat_x, return 0; } - /*=============================== EXIT EVENT ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c index bd18e9b9cd..ad856bbe09 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fork.bpf.c @@ -80,7 +80,7 @@ int BPF_PROG(fork_x, /* We need to extract the len of `exe` arg so we can undestand * the overall length of the remaining args. */ - u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, USER); + u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, MAX_PROC_EXE, USER); /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Here we read all the array starting from the pointer to the first 
@@ -88,7 +88,7 @@ int BPF_PROG(fork_x, * since we know the total len we read it as a `bytebuf`. * The `\0` after every argument are preserved. */ - auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, total_args_len - exe_arg_len, USER); + auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER); } else { @@ -149,7 +149,7 @@ int BPF_PROG(fork_x, auxmap__store_u32_param(auxmap, vm_swap); /* Parameter 14: comm (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, KERNEL); + auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, MAX_PROC_EXE, KERNEL); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fsconfig.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fsconfig.bpf.c index 833f16ac84..bd4ee35482 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fsconfig.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/fsconfig.bpf.c @@ -68,7 +68,7 @@ int BPF_PROG(fsconfig_x, /* Parameter 4: key (type: PT_CHARBUF) */ unsigned long key_pointer = extract__syscall_argument(regs, 2); - auxmap__store_charbuf_param(auxmap, key_pointer, USER); + auxmap__store_charbuf_param(auxmap, key_pointer, MAX_PARAM_SIZE, USER); int aux = extract__syscall_argument(regs, 4); @@ -114,7 +114,7 @@ int BPF_PROG(fsconfig_x, auxmap__store_empty_param(auxmap); /* Parameter 6: value_charbuf (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, value_pointer, USER); + auxmap__store_charbuf_param(auxmap, value_pointer, MAX_PARAM_SIZE, USER); break; case PPM_FSCONFIG_SET_BINARY: 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/link.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/link.bpf.c index c06a097602..6249f92417 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/link.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/link.bpf.c @@ -58,11 +58,11 @@ int BPF_PROG(link_x, /* Parameter 2: oldpath (type: PT_FSPATH) */ unsigned long old_path_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, old_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, old_path_pointer, MAX_PATH, USER); /* Parameter 3: newpath (type: PT_FSPATH) */ unsigned long new_path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, new_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, new_path_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/linkat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/linkat.bpf.c index 948bac8350..fa29aac448 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/linkat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/linkat.bpf.c @@ -66,7 +66,7 @@ int BPF_PROG(linkat_x, /* Parameter 3: oldpath (type: PT_FSRELPATH) */ unsigned long old_path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, old_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, old_path_pointer, MAX_PATH, USER); /* Parameter 4: newdirfd (type: PT_FD) */ s32 newdirfd = (s32)extract__syscall_argument(regs, 2); 
@@ -78,7 +78,7 @@ int BPF_PROG(linkat_x, /* Parameter 5: newpath (type: PT_FSRELPATH) */ unsigned long new_path_pointer = extract__syscall_argument(regs, 3); - auxmap__store_charbuf_param(auxmap, new_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, new_path_pointer, MAX_PATH, USER); /* Parameter 6: flags (type: PT_FLAGS32) */ unsigned long flags = extract__syscall_argument(regs, 4); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c index 9ef5864022..04f09ffc28 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdir.bpf.c @@ -60,7 +60,7 @@ int BPF_PROG(mkdir_x, /* Parameter 2: path (type: PT_FSPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdirat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdirat.bpf.c index 2366eb69a0..7263fc11e7 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdirat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mkdirat.bpf.c @@ -66,7 +66,7 @@ int BPF_PROG(mkdirat_x, /* Parameter 3: path (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /* Parameter 4: mode (type: PT_UINT32) */ u32 mode = (u32)extract__syscall_argument(regs, 2); 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mount.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mount.bpf.c index 535d1e5511..6fb761c41d 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mount.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/mount.bpf.c @@ -73,15 +73,15 @@ int BPF_PROG(mount_x, /* Parameter 2: dev (type: PT_CHARBUF) */ unsigned long source_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, source_pointer, USER); + auxmap__store_charbuf_param(auxmap, source_pointer, MAX_PARAM_SIZE, USER); /* Parameter 3: dir (type: PT_FSPATH) */ unsigned long target_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, target_pointer, USER); + auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PARAM_SIZE, USER); /* Parameter 4: type (type: PT_CHARBUF) */ unsigned long fstype_pointer = extract__syscall_argument(regs, 2); - auxmap__store_charbuf_param(auxmap, fstype_pointer, USER); + auxmap__store_charbuf_param(auxmap, fstype_pointer, MAX_PARAM_SIZE, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c index ea12c15190..dc30be7f94 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/open.bpf.c 
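Review bot: In mount_x, `dir` is typed `PT_FSPATH` but is bounded with `MAX_PARAM_SIZE`, while every other `PT_FSPATH`/`PT_FSRELPATH` parameter touched by this patch uses `MAX_PATH`. If that is not intentional, use `auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER);` so path parameters share one limit; if it is intentional, for example to keep the previous behaviour for mount, a short comment saying why would help. The `dev` argument is often a path too, so the same question applies to `source_pointer`.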
@@ -26,7 +26,7 @@ int BPF_PROG(open_e, /* Parameter 1: name (type: PT_FSPATH) */ unsigned long name_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, name_pointer, USER); + auxmap__store_charbuf_param(auxmap, name_pointer, MAX_PATH, USER); /* Parameter 2: flags (type: PT_FLAGS32) */ u32 flags = (u32)extract__syscall_argument(regs, 1); @@ -69,7 +69,7 @@ int BPF_PROG(open_x, /* Parameter 2: name (type: PT_FSPATH) */ unsigned long name_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, name_pointer, USER); + auxmap__store_charbuf_param(auxmap, name_pointer, MAX_PATH, USER); /* Parameter 3: flags (type: PT_FLAGS32) */ u32 flags = (u32)extract__syscall_argument(regs, 1); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c index b794af720f..39c4f1bf08 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat.bpf.c @@ -34,7 +34,7 @@ int BPF_PROG(openat_e, /* Parameter 2: name (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /* Parameter 3: flags (type: PT_FLAGS32) */ u32 flags = (u32)extract__syscall_argument(regs, 2); @@ -85,7 +85,7 @@ int BPF_PROG(openat_x, /* Parameter 3: name (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /* Parameter 4: flags (type: PT_FLAGS32) */ u32 flags = (u32)extract__syscall_argument(regs, 2); 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c index 63d34c1a8e..9c9a75e378 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/openat2.bpf.c @@ -34,7 +34,7 @@ int BPF_PROG(openat2_e, /* Parameter 2: name (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /* the `open_how` struct is defined since kernel version 5.6 */ unsigned long open_how_pointer = extract__syscall_argument(regs, 2); @@ -91,7 +91,7 @@ int BPF_PROG(openat2_x, /* Parameter 3: name (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /* the `open_how` struct is defined since kernel version 5.6 */ unsigned long open_how_pointer = extract__syscall_argument(regs, 2); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c index 82b565abe0..94fa055560 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/quotactl.bpf.c 
@@ -91,7 +91,7 @@ int BPF_PROG(quotactl_x, * the filesystem being manipulated. */ unsigned long special_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, special_pointer, USER); + auxmap__store_charbuf_param(auxmap, special_pointer, MAX_PATH, USER); uint32_t cmd = (uint32_t)extract__syscall_argument(regs, 0); u16 scap_cmd = quotactl_cmd_to_scap(cmd); @@ -106,7 +106,7 @@ int BPF_PROG(quotactl_x, if(scap_cmd == PPM_Q_QUOTAON) { /* Parameter 3: quotafilepath (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, addr_pointer, USER); + auxmap__store_charbuf_param(auxmap, addr_pointer, MAX_PATH, USER); } else { diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rename.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rename.bpf.c index 52116b84c9..3fbf1dd36b 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rename.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rename.bpf.c @@ -58,11 +58,11 @@ int BPF_PROG(rename_x, /* Parameter 2: oldpath (type: PT_FSPATH) */ unsigned long old_path_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, old_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, old_path_pointer, MAX_PATH, USER); /* Parameter 3: newpath (type: PT_FSPATH) */ unsigned long new_path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, new_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, new_path_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/renameat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/renameat.bpf.c index 3f87bd6c01..c47dee84be 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/renameat.bpf.c 
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/renameat.bpf.c @@ -66,7 +66,7 @@ int BPF_PROG(renameat_x, /* Parameter 3: oldpath (type: PT_FSRELPATH) */ unsigned long old_path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, old_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, old_path_pointer, MAX_PATH, USER); /* Parameter 4: newdirfd (type: PT_FD) */ s32 newdirfd = (s32)extract__syscall_argument(regs, 2); @@ -78,7 +78,7 @@ int BPF_PROG(renameat_x, /* Parameter 5: newpath (type: PT_FSRELPATH) */ unsigned long new_path_pointer = extract__syscall_argument(regs, 3); - auxmap__store_charbuf_param(auxmap, new_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, new_path_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/renameat2.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/renameat2.bpf.c index b9d5d53df2..36a007ae2c 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/renameat2.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/renameat2.bpf.c @@ -66,7 +66,7 @@ int BPF_PROG(renameat2_x, /* Parameter 3: oldpath (type: PT_FSRELPATH) */ unsigned long old_path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, old_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, old_path_pointer, MAX_PATH, USER); /* Parameter 4: newdirfd (type: PT_FD) */ s32 newdirfd = (s32)extract__syscall_argument(regs, 2); 
@@ -78,7 +78,7 @@ int BPF_PROG(renameat2_x, /* Parameter 5: newpath (type: PT_FSRELPATH) */ unsigned long new_path_pointer = extract__syscall_argument(regs, 3); - auxmap__store_charbuf_param(auxmap, new_path_pointer, USER); + auxmap__store_charbuf_param(auxmap, new_path_pointer, MAX_PATH, USER); /* Parameter 6: flags (type: PT_FLAGS32) */ u32 flags = (u32)extract__syscall_argument(regs, 4); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c index 3106baa66c..8c99b3824b 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/rmdir.bpf.c @@ -58,7 +58,7 @@ int BPF_PROG(rmdir_x, /* Parameter 2: path (type: PT_CHARBUF) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/symlink.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/symlink.bpf.c index e677f200e8..ab9bb423df 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/symlink.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/symlink.bpf.c 
@@ -58,11 +58,11 @@ int BPF_PROG(symlink_x, /* Parameter 2: target (type: PT_CHARBUF) */ unsigned long target_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, target_pointer, USER); + auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER); /* Parameter 3: linkpath (type: PT_FSPATH) */ unsigned long linkpath_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, linkpath_pointer, USER); + auxmap__store_charbuf_param(auxmap, linkpath_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/symlinkat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/symlinkat.bpf.c index 6c38b8260f..08af3cf4c8 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/symlinkat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/symlinkat.bpf.c @@ -58,7 +58,7 @@ int BPF_PROG(symlinkat_x, /* Parameter 2: target (type: PT_CHARBUF) */ unsigned long target_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, target_pointer, USER); + auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER); /* Parameter 3: linkdirfd (type: PT_FD) */ s32 linkdirfd = (s32)extract__syscall_argument(regs, 1); @@ -70,7 +70,7 @@ int BPF_PROG(symlinkat_x, /* Parameter 4: linkpath (type: PT_FSRELPATH) */ unsigned long linkpath_pointer = extract__syscall_argument(regs, 2); - auxmap__store_charbuf_param(auxmap, linkpath_pointer, USER); + auxmap__store_charbuf_param(auxmap, linkpath_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ 
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c index 064d7ec3d5..aa2c9b19b1 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/umount2.bpf.c @@ -62,7 +62,7 @@ int BPF_PROG(umount2_x, /* Parameter 2: name (type: PT_FSPATH) */ unsigned long target_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, target_pointer, USER); + auxmap__store_charbuf_param(auxmap, target_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unlink.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unlink.bpf.c index 4332c877a7..33062bb68d 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unlink.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unlink.bpf.c @@ -58,7 +58,7 @@ int BPF_PROG(unlink_x, /* Parameter 2: path (type: PT_FSPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 0); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /*=============================== COLLECT PARAMETERS ===========================*/ diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unlinkat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unlinkat.bpf.c index 3882e9b7df..db5313bfc8 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unlinkat.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/unlinkat.bpf.c 
@@ -66,7 +66,7 @@ int BPF_PROG(unlinkat_x, /* Parameter 3: path (type: PT_FSRELPATH) */ unsigned long path_pointer = extract__syscall_argument(regs, 1); - auxmap__store_charbuf_param(auxmap, path_pointer, USER); + auxmap__store_charbuf_param(auxmap, path_pointer, MAX_PATH, USER); /* Parameter 4: flags (type: PT_FLAGS32) */ unsigned long flags = extract__syscall_argument(regs, 2); diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/vfork.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/vfork.bpf.c index 4ece4c0b21..1b809c077b 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/vfork.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/vfork.bpf.c @@ -80,7 +80,7 @@ int BPF_PROG(vfork_x, /* We need to extract the len of `exe` arg so we can undestand * the overall length of the remaining args. */ - u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, USER); + u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, MAX_PROC_EXE, USER); /* Parameter 3: args (type: PT_CHARBUFARRAY) */ /* Here we read all the array starting from the pointer to the first @@ -88,7 +88,7 @@ int BPF_PROG(vfork_x, * since we know the total len we read it as a `bytebuf`. * The `\0` after every argument are preserved. */ - auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, total_args_len - exe_arg_len, USER); + auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER); } else { @@ -147,7 +147,7 @@ int BPF_PROG(vfork_x, auxmap__store_u32_param(auxmap, vm_swap); /* Parameter 14: comm (type: PT_CHARBUF) */ - auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, KERNEL); + auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, MAX_PROC_EXE, KERNEL); /*=============================== COLLECT PARAMETERS ===========================*/
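Review bot: `exe_arg_len` is now bounded by `MAX_PROC_EXE`, yet the following hunk still uses it as the offset `arg_start_pointer + exe_arg_len` where `args` begins. If the helper returns the stored length when the first argument is longer than the bound (its body is not visible here, so confirm), the unread tail of `exe` would be recorded as the start of `args`, and argument-based matching would see shifted data. A comment at the assignment, such as `/* exe_arg_len is the stored length; it can be shorter than the real string when exe exceeds MAX_PROC_EXE */`, would at least make that explicit. The enclosing branch of `vfork_x` begins above the hunk, and the diffstat shows the same six-line change in clone, clone3 and fork, which likely share this.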
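Review bot: The mask in `(total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1)` wraps an oversized length instead of clamping it: a value at or above `MAX_PROC_ARG_ENV` is reduced modulo that constant, so a large argument block may be stored as a few bytes or as nothing. It is also a valid bound only when `MAX_PROC_ARG_ENV` is a power of two, which nothing in the hunk enforces, and it would hide an underflow if `exe_arg_len` were ever larger than `total_args_len` (computed outside the hunk). With the difference held in a local, clamping first with `if(args_len > MAX_PROC_ARG_ENV - 1) args_len = MAX_PROC_ARG_ENV - 1;` and adding `_Static_assert((MAX_PROC_ARG_ENV & (MAX_PROC_ARG_ENV - 1)) == 0, "mask needs a power of two");` next to the constant would keep the bound without losing long command lines.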
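Review bot: `MAX_PROC_EXE` is used as the read bound for `task->comm`, which is a fixed-size array inside `task_struct`, so the limit is unrelated to the field being copied. Bounding the read by the field keeps a missing terminator from pulling neighbouring `task_struct` bytes into the event: `auxmap__store_charbuf_param(auxmap, (unsigned long)task->comm, TASK_COMM_LEN, KERNEL);`, assuming `TASK_COMM_LEN` is defined for this build. The surrounding `vfork_x` body lies outside the hunk.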