falcosecurity · poiana · Oct 17, 2023 · Oct 11, 2023 · Oct 17, 2023 · Oct 17, 2023
diff --git a/test/drivers/event_class/event_class.cpp b/test/drivers/event_class/event_class.cpp
@@ -240,10 +240,11 @@ void event_test::disable_capture()
 void event_test::clear_ring_buffers()
 {
 	uint16_t cpu_id = 0;
+	uint32_t flags = 0;
 	/* First timeout means that all the buffers are empty. If the capture is not
 	 * stopped it is possible that we will never receive a `SCAP_TIMEOUT`.
 	 */
-	while(scap_next(s_scap_handle, (scap_evt**)&m_event_header, &cpu_id) != SCAP_TIMEOUT)
+	while(scap_next(s_scap_handle, (scap_evt**)&m_event_header, &cpu_id, &flags) != SCAP_TIMEOUT)
 	{
 	}
 }
@@ -253,11 +254,12 @@ struct ppm_evt_hdr* event_test::get_event_from_ringbuffer(uint16_t* cpu_id)
 	struct ppm_evt_hdr* hdr = NULL;
 	uint16_t attempts = 0;
 	int32_t res = 0;
+	uint32_t flags = 0;
 
 	/* Try 2 times just to be sure that all the buffers are empty. */
 	while(attempts <= 1)
 	{
-		res = scap_next(s_scap_handle, (scap_evt**)&hdr, cpu_id);
+		res = scap_next(s_scap_handle, (scap_evt**)&hdr, cpu_id, &flags);
 		if(res == SCAP_SUCCESS && hdr != NULL)
 		{
 			break;

diff --git a/test/drivers/test_suites/syscall_exit_suite/mknod_e.cpp b/test/drivers/test_suites/syscall_exit_suite/mknod_e.cpp
@@ -13,7 +13,6 @@ TEST(SyscallEnter, mknodE_failure)
 	uint32_t mode = 0060000 | 0666;
 	uint32_t dev = 61440;
 	assert_syscall_state(SYSCALL_FAILURE, "mknod", syscall(__NR_mknod, (void *)(path), (mode_t)mode, (dev_t)dev));
-	int64_t errno_value = -errno;
 
 
 	/*=============================== TRIGGER SYSCALL  ===========================*/

diff --git a/test/libscap/helpers/engines.cpp b/test/libscap/helpers/engines.cpp
@@ -50,11 +50,13 @@ void check_event_is_not_overwritten(scap_t *h)
 	 */
 	scap_evt *evt = NULL;
 	uint16_t buffer_id;
+	uint32_t flags;
 
 	/* The first 'scap_next` could return a `SCAP_TIMEOUT` according to the chosen `buffer_mode` so we ignore it. */
-	scap_next(h, &evt, &buffer_id);
+	scap_next(h, &evt, &buffer_id, &flags);
 
-	ASSERT_EQ(scap_next(h, &evt, &buffer_id), SCAP_SUCCESS) << "unable to get an event with `scap_next`: " << scap_getlasterr(h) << std::endl;
+	ASSERT_EQ(scap_next(h, &evt, &buffer_id, &flags), SCAP_SUCCESS)
+		<< "unable to get an event with `scap_next`: " << scap_getlasterr(h) << std::endl;
 
 	last_num_events = 0;
 	iterations = 0;
@@ -154,20 +156,21 @@ void check_event_order(scap_t *h)
 
 	scap_evt *evt = NULL;
 	uint16_t buffer_id = 0;
+	uint32_t flags = 0;
 	int ret = 0;
-	uint64_t acutal_pid = getpid();
+	uint64_t actual_pid = getpid();
 	/* if we hit 5 consecutive timeouts it means that all buffers are empty (approximation) */
 	uint16_t timeouts = 0;
 
 	for(int i = 0; i < EVENTS_TO_ASSERT; i++)
 	{
 		while(true)
 		{
-			ret = scap_next(h, &evt, &buffer_id);
+			ret = scap_next(h, &evt, &buffer_id, &flags);
 			if(ret == SCAP_SUCCESS)
 			{
 				timeouts = 0;
-				if(evt->tid == acutal_pid && evt->type == events_to_assert[i])
+				if(evt->tid == actual_pid && evt->type == events_to_assert[i])
 				{
 					/* We found our event */
 					break;

diff --git a/userspace/libscap/engine/bpf/scap_bpf.c b/userspace/libscap/engine/bpf/scap_bpf.c
@@ -1865,9 +1865,9 @@ int32_t scap_bpf_get_n_tracepoint_hit(struct scap_engine_handle engine, long* re
 	return SCAP_SUCCESS;
 }
 
-static int32_t next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT uint16_t* pcpuid)
+static int32_t next(struct scap_engine_handle engine, OUT scap_evt **pevent, OUT uint16_t *pdevid, OUT uint32_t *pflags)
 {
-	return ringbuffer_next(&engine.m_handle->m_dev_set, pevent, pcpuid);
+	return ringbuffer_next(&engine.m_handle->m_dev_set, pevent, pdevid, pflags);
 }
 
 static int32_t unsupported_config(struct scap_engine_handle engine, const char* msg)

diff --git a/userspace/libscap/engine/gvisor/gvisor.cpp b/userspace/libscap/engine/gvisor/gvisor.cpp
@@ -173,9 +173,9 @@ static int32_t gvisor_stop_capture(struct scap_engine_handle engine)
 	return engine.m_handle->stop_capture();
 }
 
-static int32_t gvisor_next(struct scap_engine_handle engine, scap_evt **pevent, uint16_t *pcpuid)
+static int32_t gvisor_next(struct scap_engine_handle engine, scap_evt** pevent, uint16_t* pdevid, uint32_t* pflags)
 {
-	return engine.m_handle->next(pevent, pcpuid);
+	return engine.m_handle->next(pevent, pdevid, pflags);
 }
 
 static int32_t gvisor_configure(struct scap_engine_handle engine, enum scap_setting setting, unsigned long arg1, unsigned long arg2)

diff --git a/userspace/libscap/engine/gvisor/gvisor.h b/userspace/libscap/engine/gvisor/gvisor.h
@@ -142,7 +142,7 @@ class engine {
     int32_t start_capture();
     int32_t stop_capture();
 
-    int32_t next(scap_evt **pevent, uint16_t *pcpuid);
+    int32_t next(scap_evt **pevent, uint16_t *pdevid, uint32_t *pflags);
 
     uint32_t get_vxid(uint64_t pid);
     int32_t get_stats(scap_stats *stats);

diff --git a/userspace/libscap/engine/gvisor/scap_gvisor.cpp b/userspace/libscap/engine/gvisor/scap_gvisor.cpp
@@ -506,15 +506,15 @@ int32_t engine::process_message_from_fd(int fd)
 	return parse_result.status;
 }
 
-int32_t engine::next(scap_evt **pevent, uint16_t *pcpuid)
+int32_t engine::next(scap_evt **pevent, uint16_t *pdevid, uint32_t *pflags)
 {
 	if(m_no_events)
 	{
 		return SCAP_FAILURE;
 	}
 
 	epoll_event evts[max_ready_sandboxes];
-	*pcpuid = 0;
+	*pdevid = 0;
 
 	// if there are still events to process do it before getting more
 	if(!m_event_queue.empty())
@@ -600,6 +600,7 @@ int32_t engine::next(scap_evt **pevent, uint16_t *pcpuid)
 	if(!m_event_queue.empty())
 	{
 		*pevent = m_event_queue.front();
+		*pflags = 0;
 		m_event_queue.pop_front();
 		m_gvisor_stats.n_evts++;
 		return SCAP_SUCCESS;

diff --git a/userspace/libscap/engine/kmod/scap_kmod.c b/userspace/libscap/engine/kmod/scap_kmod.c
@@ -541,9 +541,10 @@ int32_t scap_kmod_close(struct scap_engine_handle engine)
 	return SCAP_SUCCESS;
 }
 
-int32_t scap_kmod_next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT uint16_t* pcpuid)
+int32_t scap_kmod_next(struct scap_engine_handle engine, OUT scap_evt **pevent, OUT uint16_t *pdevid,
+		       OUT uint32_t *pflags)
 {
-	return ringbuffer_next(&engine.m_handle->m_dev_set, pevent, pcpuid);
+	return ringbuffer_next(&engine.m_handle->m_dev_set, pevent, pdevid, pflags);
 }
 
 uint32_t scap_kmod_get_n_devs(struct scap_engine_handle engine)

diff --git a/userspace/libscap/engine/modern_bpf/scap_modern_bpf.c b/userspace/libscap/engine/modern_bpf/scap_modern_bpf.c
@@ -49,7 +49,8 @@ static void scap_modern_bpf__free_engine(struct scap_engine_handle engine)
 /* The third parameter is not the CPU number from which we extract the event but the ring buffer number.
  * For the old BPF probe and the kernel module the number of CPUs is equal to the number of buffers since we always use a per-CPU approach.
  */
-static int32_t scap_modern_bpf__next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT uint16_t* buffer_id)
+static int32_t scap_modern_bpf__next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT uint16_t* buffer_id,
+				     OUT uint32_t* pflags)
 {
 	pman_consume_first_event((void**)pevent, (int16_t*)buffer_id);
 
@@ -64,6 +65,7 @@ static int32_t scap_modern_bpf__next(struct scap_engine_handle engine, OUT scap_
 	{
 		engine.m_handle->m_retry_us = BUFFER_EMPTY_WAIT_TIME_US_START;
 	}
+	*pflags = 0;
 	return SCAP_SUCCESS;
 }
 

diff --git a/userspace/libscap/engine/nodriver/nodriver.c b/userspace/libscap/engine/nodriver/nodriver.c
@@ -44,7 +44,7 @@ static int32_t init(scap_t* handle, scap_open_args *oargs)
 	return SCAP_SUCCESS;
 }
 
-static int32_t next(struct scap_engine_handle handle, scap_evt** pevent, uint16_t* pcpuid)
+static int32_t next(struct scap_engine_handle handle, scap_evt** pevent, uint16_t* pdevid, uint32_t* pflags)
 {
 	static scap_evt evt;
 	evt.len = 0;
@@ -56,6 +56,8 @@ static int32_t next(struct scap_engine_handle handle, scap_evt** pevent, uint16_
 
 	evt.ts = get_timestamp_ns();
 	*pevent = &evt;
+	*pdevid = 0;
+	*pflags = 0;
 	return SCAP_SUCCESS;
 }
 

diff --git a/userspace/libscap/engine/noop/noop.c b/userspace/libscap/engine/noop/noop.c
@@ -50,7 +50,7 @@ int noop_close_engine(struct scap_engine_handle engine)
 	return SCAP_SUCCESS;
 }
 
-int32_t noop_next(struct scap_engine_handle handle, scap_evt** pevent, uint16_t* pcpuid)
+int32_t noop_next(struct scap_engine_handle handle, scap_evt** pevent, uint16_t* pdevid, uint32_t* pflags)
 {
 	return SCAP_EOF;
 }

diff --git a/userspace/libscap/engine/noop/noop.h b/userspace/libscap/engine/noop/noop.h
@@ -29,7 +29,7 @@ typedef struct scap_stats_v2 scap_stats_v2;
 struct noop_engine* noop_alloc_handle(scap_t* main_handle, char* lasterr_ptr);
 void noop_free_handle(struct scap_engine_handle engine);
 int noop_close_engine(struct scap_engine_handle engine);
-int32_t noop_next(struct scap_engine_handle handle, scap_evt** pevent, uint16_t* pcpuid);
+int32_t noop_next(struct scap_engine_handle handle, scap_evt** pevent, uint16_t* pdevid, uint32_t* pflags);
 int32_t noop_start_capture(struct scap_engine_handle engine);
 int32_t noop_stop_capture(struct scap_engine_handle engine);
 int32_t unimplemented_op(char* err, size_t err_size);

diff --git a/userspace/libscap/engine/savefile/scap_savefile.c b/userspace/libscap/engine/savefile/scap_savefile.c
@@ -1925,7 +1925,7 @@ static int32_t scap_read_init(struct savefile_engine *handle, scap_reader_t* r,
 //
 // Read an event from disk
 //
-static int32_t next(struct scap_engine_handle engine, scap_evt **pevent, uint16_t *pcpuid)
+static int32_t next(struct scap_engine_handle engine, scap_evt **pevent, uint16_t *pdevid, uint32_t *pflags)
 {
 	struct savefile_engine* handle = engine.m_handle;
 	block_header bh;
@@ -2035,16 +2035,16 @@ static int32_t next(struct scap_engine_handle engine, scap_evt **pevent, uint16_
 		//
 		// EVF_BLOCK_TYPE has 32 bits of flags
 		//
-		*pcpuid = *(uint16_t *)handle->m_reader_evt_buf;
+		*pdevid = *(uint16_t *)handle->m_reader_evt_buf;
 
 		if(bh.block_type == EVF_BLOCK_TYPE || bh.block_type == EVF_BLOCK_TYPE_V2 || bh.block_type == EVF_BLOCK_TYPE_V2_LARGE)
 		{
-			handle->m_last_evt_dump_flags = *(uint32_t*)(handle->m_reader_evt_buf + sizeof(uint16_t));
+			*pflags = *(uint32_t *)(handle->m_reader_evt_buf + sizeof(uint16_t));
 			*pevent = (struct ppm_evt_hdr *)(handle->m_reader_evt_buf + sizeof(uint16_t) + sizeof(uint32_t));
 		}
 		else
 		{
-			handle->m_last_evt_dump_flags = 0;
+			*pflags = 0;
 			*pevent = (struct ppm_evt_hdr *)(handle->m_reader_evt_buf + sizeof(uint16_t));
 		}
 
@@ -2351,18 +2351,12 @@ static int64_t get_readfile_offset(struct scap_engine_handle engine)
 	return engine.m_handle->m_reader->offset(engine.m_handle->m_reader);
 }
 
-static uint32_t get_event_dump_flags(struct scap_engine_handle engine)
-{
-	return engine.m_handle->m_last_evt_dump_flags;
-}
-
 static struct scap_savefile_vtable savefile_ops = {
 	.ftell_capture = scap_savefile_ftell,
 	.fseek_capture = scap_savefile_fseek,
 
 	.restart_capture = scap_savefile_restart_capture,
 	.get_readfile_offset = get_readfile_offset,
-	.get_event_dump_flags = get_event_dump_flags,
 };
 
 struct scap_vtable scap_savefile_engine = {

diff --git a/userspace/libscap/engine/source_plugin/source_plugin.c b/userspace/libscap/engine/source_plugin/source_plugin.c
@@ -155,7 +155,7 @@ static int close_engine(struct scap_engine_handle engine)
 	return SCAP_SUCCESS;
 }
 
-static int32_t next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT uint16_t* pcpuid)
+static int32_t next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT uint16_t* pdevid, OUT uint32_t* pflags)
 {
 	struct source_plugin_engine *handle = engine.m_handle;
 	char *lasterr = engine.m_handle->m_lasterr;
@@ -255,6 +255,8 @@ static int32_t next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT
 	}
 
 	*pevent = evt;
+	*pdevid = 0;
+	*pflags = 0;
 	handle->m_nevts++;
 	handle->m_input_plugin_batch_idx++;
 	return SCAP_SUCCESS;

diff --git a/userspace/libscap/engine/test_input/test_input.c b/userspace/libscap/engine/test_input/test_input.c
@@ -52,7 +52,7 @@ static struct test_input_engine* alloc_handle(scap_t* main_handle, char* lasterr
 	return engine;
 }
 
-static int32_t next(struct scap_engine_handle handle, scap_evt** pevent, uint16_t* pcpuid)
+static int32_t next(struct scap_engine_handle handle, scap_evt** pevent, uint16_t* pdevid, uint32_t* pflags)
 {
 	test_input_engine *engine = handle.m_handle;
 	scap_test_input_data *data = engine->m_data;
@@ -64,8 +64,9 @@ static int32_t next(struct scap_engine_handle handle, scap_evt** pevent, uint16_
 
 	*pevent = *(data->events++);
 	data->event_count--;
-	/* All the events are sent by CPU 1 */
-	*pcpuid = 1; 
+	/* All the events are sent by device 1 */
+	*pdevid = 1;
+	*pflags = 0;
 	return SCAP_SUCCESS;
 }
 

diff --git a/userspace/libscap/engine/udig/scap_udig.c b/userspace/libscap/engine/udig/scap_udig.c
@@ -400,9 +400,9 @@ static int close_engine(struct scap_engine_handle engine)
 	return SCAP_SUCCESS;
 }
 
-static int32_t next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT uint16_t* pcpuid)
+static int32_t next(struct scap_engine_handle engine, OUT scap_evt** pevent, OUT uint16_t* pdevid, OUT uint32_t* pflags)
 {
-	return ringbuffer_next(&engine.m_handle->m_dev_set, pevent, pcpuid);
+	return ringbuffer_next(&engine.m_handle->m_dev_set, pevent, pdevid, pflags);
 }
 
 //

diff --git a/userspace/libscap/examples/01-open/scap_open.c b/userspace/libscap/examples/01-open/scap_open.c
@@ -837,6 +837,7 @@ int main(int argc, char** argv)
 	int32_t res = 0;
 	scap_evt* ev = NULL;
 	uint16_t cpuid = 0;
+	uint32_t flags = 0;
 
 	printf("\n[SCAP-OPEN]: Hello!\n");
 	if(signal(SIGINT, signal_callback) == SIG_ERR)
@@ -873,7 +874,7 @@ int main(int argc, char** argv)
 
 	while(g_nevts != num_events)
 	{
-		res = scap_next(g_h, &ev, &cpuid);
+		res = scap_next(g_h, &ev, &cpuid, &flags);
 		number_of_scap_next++;
 		if(res == SCAP_UNEXPECTED_BLOCK)
 		{

diff --git a/userspace/libscap/ringbuffer/ringbuffer.h b/userspace/libscap/ringbuffer/ringbuffer.h
@@ -211,14 +211,15 @@ static inline void ringbuffer_advance_to_evt(scap_device* dev, scap_evt *event)
  * - before refilling a buffer we have to consume all the others!
  * - we perform a lot of cycles but we have to be super fast here!
  */
-static inline int32_t ringbuffer_next(struct scap_device_set *devset, OUT scap_evt** pevent, OUT uint16_t* pcpuid)
+static inline int32_t ringbuffer_next(struct scap_device_set* devset, OUT scap_evt** pevent, OUT uint16_t* pdevid,
+				      OUT uint32_t* pflags)
 {
 	uint32_t j;
 	uint64_t min_ts = 0xffffffffffffffffLL;
 	scap_evt* pe = NULL;
 	uint32_t ndevs = devset->m_ndevs;
 
-	*pcpuid = 65535;
+	*pdevid = 65535;
 
 	for(j = 0; j < ndevs; j++)
 	{
@@ -276,19 +277,21 @@ static inline int32_t ringbuffer_next(struct scap_device_set *devset, OUT scap_e
 			}
 
 			*pevent = pe;
-			*pcpuid = j;
+			*pdevid = j;
 			min_ts = pe->ts;
 		}
 	}
 
-
-	if(*pcpuid != 65535)
+	if(*pdevid != 65535)
 	{
 		/* Check from which buffer we have read and move the position inside
 	 	 * the block with `ADVANCE_TO_EVT`
 	 	 */
-		struct scap_device *dev = &devset->m_devs[*pcpuid];
+		struct scap_device* dev = &devset->m_devs[*pdevid];
 		ADVANCE_TO_EVT(dev, (*pevent));
+
+		// we don't really store the flags in the ringbuffer anywhere
+		*pflags = 0;
 		return SCAP_SUCCESS;
 	}
 	else

diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
@@ -312,7 +312,7 @@ uint64_t scap_max_buf_used(scap_t* handle)
 	return 0;
 }
 
-int32_t scap_next(scap_t* handle, OUT scap_evt** pevent, OUT uint16_t* pdevid)
+int32_t scap_next(scap_t* handle, OUT scap_evt** pevent, OUT uint16_t* pdevid, OUT uint32_t* pflags)
 {
 	// Note: devid is like cpuid but not 1:1, e.g. consider CPU1 offline:
 	// CPU0 CPU1 CPU2 CPU3
@@ -321,7 +321,7 @@ int32_t scap_next(scap_t* handle, OUT scap_evt** pevent, OUT uint16_t* pdevid)
 	int32_t res = SCAP_FAILURE;
 	if(handle->m_vtable)
 	{
-		res = handle->m_vtable->next(handle->m_engine, pevent, pdevid);
+		res = handle->m_vtable->next(handle->m_engine, pevent, pdevid, pflags);
 	}
 	else
 	{
@@ -551,18 +551,6 @@ int32_t scap_set_dropfailed(scap_t* handle, bool enabled) {
 	return SCAP_FAILURE;
 }
 
-uint32_t scap_event_get_dump_flags(scap_t* handle)
-{
-	if(handle->m_vtable->savefile_ops)
-	{
-		return handle->m_vtable->savefile_ops->get_event_dump_flags(handle->m_engine);
-	}
-	else
-	{
-		return 0;
-	}
-}
-
 int32_t scap_enable_dynamic_snaplen(scap_t* handle)
 {
 	if(handle->m_vtable)