new: add setre*id syscall family

Signed-off-by: Roberto Scolaro <[email protected]>

driver/SCHEMA_VERSION

@@ -1 +1 @@
-2.20.0
+2.21.0

driver/event_stats.h

@@ -10,7 +10,7 @@ or GPL2.txt for full copies of the license.
 #pragma once
 
 /* These numbers must be updated when we add new events in the event table */
-#define SYSCALL_EVENTS_NUM 378
+#define SYSCALL_EVENTS_NUM 382
 #define TRACEPOINT_EVENTS_NUM 6
 #define METAEVENTS_NUM 20
 #define PLUGIN_EVENTS_NUM 1

driver/event_table.c

@@ -478,6 +478,10 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {"process_vm_writev", EC_SYSCALL | EC_IPC, EF_NONE, 3, {{"res", PT_INT64, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}}},
 	[PPME_SYSCALL_DELETE_MODULE_E] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 0},
 	[PPME_SYSCALL_DELETE_MODULE_X] = {"delete_module", EC_OTHER | EC_SYSCALL, EF_NONE, 3, {{"res", PT_ERRNO, PF_DEC}, {"name", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, delete_module_flags}}},
+	[PPME_SYSCALL_SETREUID_E] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"ruid", PT_UID, PF_DEC}, {"euid", PT_UID, PF_DEC} } },
+	[PPME_SYSCALL_SETREUID_X] = {"setreuid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC}} },
+	[PPME_SYSCALL_SETREGID_E] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 2, {{"rgid", PT_UID, PF_DEC}, {"egid", PT_UID, PF_DEC} } },
+	[PPME_SYSCALL_SETREGID_X] = {"setregid", EC_USER | EC_SYSCALL, EF_MODIFIES_STATE, 1, {{"res", PT_ERRNO, PF_DEC}} },
 };
 #pragma GCC diagnostic pop
 

driver/fillers_table.c

@@ -363,5 +363,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SYSCALL_PROCESS_VM_WRITEV_X] = {FILLER_REF(sys_process_vm_writev_x)},
 	[PPME_SYSCALL_DELETE_MODULE_E] = {FILLER_REF(sys_empty)},
 	[PPME_SYSCALL_DELETE_MODULE_X] = {FILLER_REF(sys_delete_module_x)},
+	[PPME_SYSCALL_SETREUID_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1} } },
+	[PPME_SYSCALL_SETREUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL} } },
+	[PPME_SYSCALL_SETREGID_E] = {FILLER_REF(sys_autofill), 2, APT_REG, {{0}, {1} } },
+	[PPME_SYSCALL_SETREGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL} } },
 };
-#pragma GCC diagnostic pop

driver/modern_bpf/definitions/events_dimensions.h

@@ -250,6 +250,10 @@
 #define PROCESS_VM_READV_E_SIZE HEADER_LEN
 #define PROCESS_VM_WRITEV_E_SIZE HEADER_LEN
 #define DELETE_MODULE_E_SIZE HEADER_LEN
+#define SETREUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + 2 * PARAM_LEN
+#define SETREUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETREGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 2 + 2 * PARAM_LEN
+#define SETREGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 
 /* Generic tracepoints events. */
 #define SCHED_SWITCH_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 2 + sizeof(uint32_t) * 3 + PARAM_LEN * 6

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setregid.bpf.c

@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2024 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(setregid_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, ctx, SETREGID_E_SIZE, PPME_SYSCALL_SETREGID_E))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Paraueter 1: rgid (type: PT_GID) */
+	uid_t rgid = (uint32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, rgid);
+
+	/* Parameter 2: euid (type: PT_GID) */
+	uid_t egid = (uint32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_u32(&ringbuf, egid);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(setregid_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, ctx, SETREGID_X_SIZE, PPME_SYSCALL_SETREGID_X))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO)*/
+	ringbuf__store_s64(&ringbuf, ret);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setreuid.bpf.c

@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+ * Copyright (C) 2024 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(setreuid_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, ctx, SETREUID_E_SIZE, PPME_SYSCALL_SETREUID_E))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: ruid (type: PT_GID) */
+	uid_t ruid = (uint32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, ruid);
+
+	/* Parameter 2: euid (type: PT_GID) */
+	uid_t euid = (uint32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_u32(&ringbuf, euid);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(setreuid_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, ctx, SETREUID_X_SIZE, PPME_SYSCALL_SETREUID_X))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO)*/
+	ringbuf__store_s64(&ringbuf, ret);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/

driver/ppm_events_public.h

@@ -1476,7 +1476,11 @@ typedef enum {
 	PPME_SYSCALL_PROCESS_VM_WRITEV_X = 423,
 	PPME_SYSCALL_DELETE_MODULE_E = 424,
 	PPME_SYSCALL_DELETE_MODULE_X = 425,
-	PPM_EVENT_MAX = 426
+	PPME_SYSCALL_SETREUID_E = 426,
+	PPME_SYSCALL_SETREUID_X = 427,
+	PPME_SYSCALL_SETREGID_E = 428,
+	PPME_SYSCALL_SETREGID_X = 429,
+	PPM_EVENT_MAX = 430
 } ppm_event_code;
 /*@}*/
 

driver/syscall_table.c

@@ -506,8 +506,12 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_rt_sigsuspend - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_RT_SIGSUSPEND},
 	[__NR_capget - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_CAPGET},
 
-	[__NR_setreuid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETREUID},
-	[__NR_setregid - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETREGID},
+#ifdef __NR_setreuid
+	[__NR_setreuid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETREUID_E, PPME_SYSCALL_SETREUID_X, PPM_SC_SETREUID},
+#endif
+#ifdef __NR_setregid
+	[__NR_setregid - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_SETREGID_E, PPME_SYSCALL_SETREGID_X, PPM_SC_SETREGID},
+#endif
 	[__NR_getgroups - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_GETGROUPS},
 	[__NR_setgroups - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SETGROUPS},
 #ifdef __NR_fchown

test/drivers/test_suites/syscall_enter_suite/setregid_e.cpp

@@ -0,0 +1,44 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_setregid
+TEST(SyscallEnter, setregidE)
+{
+    auto evt_test = get_syscall_event_test(__NR_setregid, ENTER_EVENT);
+
+    evt_test->enable_capture();
+
+    /*=============================== TRIGGER SYSCALL ===========================*/
+
+    gid_t rgid = (uint32_t)-1;
+    gid_t egid = (uint32_t)-1;
+    /* If one of the arguments equals -1, the corresponding value is not changed. */
+    assert_syscall_state(SYSCALL_SUCCESS, "setregid", syscall(__NR_setregid, rgid, egid), NOT_EQUAL, -1);
+
+    /*=============================== TRIGGER SYSCALL ===========================*/
+
+    evt_test->disable_capture();
+
+    evt_test->assert_event_presence();
+
+    if(HasFatalFailure())
+    {
+        return;
+    }
+
+    evt_test->parse_event();
+
+    evt_test->assert_header();
+
+    /*=============================== ASSERT PARAMETERS  ===========================*/
+
+    /* Parameter 1: rgid (type: PT_GID) */
+    evt_test->assert_numeric_param(1, (uint32_t)rgid);
+
+    /* Parameter 2: egid (type: PT_GID) */
+    evt_test->assert_numeric_param(2, (uint32_t)egid);
+
+    /*=============================== ASSERT PARAMETERS  ===========================*/
+
+    evt_test->assert_num_params_pushed(2);
+}
+#endif

test/drivers/test_suites/syscall_enter_suite/setreuid_e.cpp

@@ -0,0 +1,44 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_setreuid
+TEST(SyscallEnter, setreuidE)
+{
+    auto evt_test = get_syscall_event_test(__NR_setreuid, ENTER_EVENT);
+
+    evt_test->enable_capture();
+
+    /*=============================== TRIGGER SYSCALL ===========================*/
+
+    uid_t ruid = (uint32_t)-1;
+    uid_t euid = (uint32_t)-1;
+    /* If one of the arguments equals -1, the corresponding value is not changed. */
+    assert_syscall_state(SYSCALL_SUCCESS, "setreuid", syscall(__NR_setreuid, ruid, euid), NOT_EQUAL, -1);
+
+    /*=============================== TRIGGER SYSCALL ===========================*/
+
+    evt_test->disable_capture();
+
+    evt_test->assert_event_presence();
+
+    if(HasFatalFailure())
+    {
+        return;
+    }
+
+    evt_test->parse_event();
+
+    evt_test->assert_header();
+
+    /*=============================== ASSERT PARAMETERS  ===========================*/
+
+    /* Parameter 1: ruid (type: PT_GID) */
+    evt_test->assert_numeric_param(1, (uint32_t)ruid);
+
+    /* Parameter 2: euid (type: PT_GID) */
+    evt_test->assert_numeric_param(2, (uint32_t)euid);
+
+    /*=============================== ASSERT PARAMETERS  ===========================*/
+
+    evt_test->assert_num_params_pushed(2);
+}
+#endif

test/drivers/test_suites/syscall_exit_suite/setregid_x.cpp

@@ -0,0 +1,41 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_setresgid
+TEST(SyscallExit, setregidX)
+{
+    auto evt_test = get_syscall_event_test(__NR_setregid, EXIT_EVENT);
+
+    evt_test->enable_capture();
+
+    /*=============================== TRIGGER SYSCALL ===========================*/
+
+    gid_t rgid = (uint32_t)-1;
+    gid_t egid = (uint32_t)-1;
+    /* If one of the arguments equals -1, the corresponding value is not changed. */
+    assert_syscall_state(SYSCALL_SUCCESS, "setregid", syscall(__NR_setregid, rgid, egid), NOT_EQUAL, -1);
+
+    /*=============================== TRIGGER SYSCALL ===========================*/
+
+    evt_test->disable_capture();
+
+    evt_test->assert_event_presence();
+
+    if(HasFatalFailure())
+    {
+        return;
+    }
+
+    evt_test->parse_event();
+
+    evt_test->assert_header();
+
+    /*=============================== ASSERT PARAMETERS  ===========================*/
+
+    /* Parameter 1: res (type: PT_ERRNO) */
+    evt_test->assert_numeric_param(1, (int64_t)0);
+
+    /*=============================== ASSERT PARAMETERS  ===========================*/
+
+    evt_test->assert_num_params_pushed(1);
+}
+#endif

test/drivers/test_suites/syscall_exit_suite/setreuid_x.cpp

@@ -0,0 +1,41 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_setresuid
+TEST(SyscallExit, setreuidX)
+{
+    auto evt_test = get_syscall_event_test(__NR_setreuid, EXIT_EVENT);
+
+    evt_test->enable_capture();
+
+    /*=============================== TRIGGER SYSCALL ===========================*/
+
+    uid_t ruid = (uint32_t)-1;
+    uid_t euid = (uint32_t)-1;
+    /* If one of the arguments equals -1, the corresponding value is not changed. */
+    assert_syscall_state(SYSCALL_SUCCESS, "setreuid", syscall(__NR_setreuid, ruid, euid), NOT_EQUAL, -1);
+
+    /*=============================== TRIGGER SYSCALL ===========================*/
+
+    evt_test->disable_capture();
+
+    evt_test->assert_event_presence();
+
+    if(HasFatalFailure())
+    {
+        return;
+    }
+
+    evt_test->parse_event();
+
+    evt_test->assert_header();
+
+    /*=============================== ASSERT PARAMETERS  ===========================*/
+
+    /* Parameter 1: res (type: PT_ERRNO) */
+    evt_test->assert_numeric_param(1, (int64_t)0);
+
+    /*=============================== ASSERT PARAMETERS  ===========================*/
+
+    evt_test->assert_num_params_pushed(1);
+}
+#endif