new(driver/modern_bpf): Add ppc64le support for modern-bpf

[mdafsanhossain]

What type of PR is this?
/kind feature

Any specific area of the project related to this PR?

/area driver-modern-bpf
/area libscap-engine-modern-bpf
/area libscap

What this PR does / why we need it:
This PR adds PPC64LE specific changes to allow compiling of modern-bpf on PowerPC architecture. This is to add modern-bpf support for Stackrox on ppc64le.

Output of make ProbeSkeleton and make scap are attached below.

scap-build.log
probeskeleton.log

Note: syscall_compat_* headers were generated using ./build/syscalls-bumper -repo-root /root/libs -overwrite

Does this PR introduce a user-facing change?:

new(modern-bpf): support ppc64le architecture.

[poiana]

Welcome @mdafsanhossain! It looks like this is your first PR to falcosecurity/libs 🎉

[FedeDP]

Hi! Thanks for this PR! Is there any plan to support ppc64le also for old bpf probe (and eventually kmod too)?
Btw:

Note: syscall_compat_* headers were generated using ./build/syscalls-bumper -repo-root /root/libs -overwrite

syscalls-bumper does not support ppc64le though; was its support added locally? Can you open a PR over there too?
I noticed that:

• the report.md changes look weird (it seems like riscv64 arch was dropped?)
• some syscalls were removed from syscall_compat_* and that is weird too

[mdafsanhossain]

Hi! Thanks for this PR! Is there any plan to support ppc64le also for old bpf probe (and eventually kmod too)? Btw:

Note: syscall_compat_* headers were generated using ./build/syscalls-bumper -repo-root /root/libs -overwrite

syscalls-bumper does not support ppc64le though; was its support added locally? Can you open a PR over there too? I noticed that:

• the report.md changes look weird (it seems like riscv64 arch was dropped?)
• some syscalls were removed from syscall_compat_* and that is weird too

Yes I added the support locally and built it.

diff --git a/main.go b/main.go
index ae9eae9..d085ea1 100644
--- a/main.go
+++ b/main.go
@@ -119,10 +119,10 @@ func initOpts() {
 // key should be consistent with the one used by https://github.com/hrw/syscalls-table/tree/master/tables.
 // Value should be the suffix used by libs/driver/syscall_compat_* headers.
 var supportedArchs = map[string]string{
-       "x86_64":  "x86_64",
-       "arm64":   "aarch64",
-       "s390x":   "s390x",
-       "riscv64": "riscv64",
+       "x86_64":    "x86_64",
+       "arm64":     "aarch64",
+       "s390x":     "s390x",
+       "powerpc64": "ppc64le",
 }

I removed riscv64 from the list. I will revert the last commit and regenerate it with riscv64 included.
Do you know why some of the syscalls are being removed?
And, are the above changes sufficient to generate correctly?

[FedeDP]

I removed riscv64 from the list. I will revert the last commit and regenerate it with riscv64 included.

Thanks!

And, are the above changes sufficient to generate correctly?

Yes, they are!

Do you know why some of the syscalls are being removed?

Just double checked! Yep because they were cleaned up by the project that syscalls-bumper uses under the hood: hrw/syscalls-table@079ef06, hrw/syscalls-table@94b4691, hrw/syscalls-table@046c3b5

[FedeDP]

Also, you now need a rebase since a PR with automatic bump of syscall-bumper was merged ;)

[FedeDP]

Also, once this is fully in place, mind to also update README adding the new supported arch for modern bpf probe as EXPERIMENTAL?

[mdafsanhossain]

Also, you now need a rebase since a PR with automatic bump of syscall-bumper was merged ;)

Thanks. I will do that, clean it up and after that update the README too.

[FedeDP]

I think we just need to avoid name collision, by prefixing these ones with eg: MODERN_BPF_.
@Andreagit97 thoughts?

[FedeDP]

@mdafsanhossain here !

[mdafsanhossain]

@FedeDP Do you mean something like this? MODERN_BPF_SYSCALL=0? I am not sure if I am understanding this correctly.

[FedeDP]

enum intrumentation_type
{
               MODERN_BPF_SYSCALL = 0,
               MODERN_BPF_TRACEPOINT = 1,
}

and then rename their usages whereveer sampling_logic is called.

[Andreagit97]

yes I agree, probably we can rename them in INSTR_TYPE_SYSCALL and INSTR_TYPE_TRACEPOINT

[Andreagit97]

uhm I didn't see new messages, if we all agree it's also okay to go with

enum intrumentation_type
{
               MODERN_BPF_SYSCALL = 0,
               MODERN_BPF_TRACEPOINT = 1,
}

[mdafsanhossain]

Makes sense now. Thanks :)

[FedeDP]

/milestone next-driver

[mdafsanhossain]

@FedeDP Is it fine that the syscalls are being removed?

[FedeDP]

Is it fine that the syscalls are being removed?

It is ;)
This LGTM except for the comment on driver/modern_bpf/helpers/interfaces/attached_programs.h.

Were you able to run drivers_test tests on a real ppc64le machine?

[mdafsanhossain]

Is it fine that the syscalls are being removed?

It is ;) This LGTM except for the comment on driver/modern_bpf/helpers/interfaces/attached_programs.h.

Were you able to run drivers_test tests on a real ppc64le machine?

I am running it now.
Do you have a better way to resolve the conflict on driver/modern_bpf/helpers/interfaces/attached_programs.h.?

[Andreagit97]

we bumped this because new PPM_CODES could be sent from the drivers

[mdafsanhossain]

Is it fine that the syscalls are being removed?

It is ;) This LGTM except for the comment on driver/modern_bpf/helpers/interfaces/attached_programs.h.

Were you able to run drivers_test tests on a real ppc64le machine?

@FedeDP I am running into an issue while trying to run the drivers_test

-----------------------------------------------------
- Setup phase
-----------------------------------------------------

* Configure modern BPF probe tests!
* Using buffer dim: 8388608
Unable to open the engine: the specified per-CPU ring buffer dimension (0) is not allowed! Please use a power of 2 and a multiple of the actual page_size (65536)!

Steps to reproduce:

cmake -DUSE_BUNDLED_DEPS=On -DBUILD_LIBSCAP_MODERN_BPF=On -DENABLE_DRIVERS_TESTS=On -DBUILD_LIBSCAP_GVISOR=Off -DCREATE_TEST_TARGETS=On ..
make drivers_test
sudo ./test/drivers/drivers_test -m

Btw there are 2 small bugs in these files which prevents drivers_test compilation.

• https://github.com/mdafsanhossain/libs/blob/ec188eb2f97fa927c961595c05ff74275b057b7b/test/drivers/test_suites/syscall_exit_suite/socketcall_x.cpp#L3149 - int64_t errno_value = -errno; is not declared
• https://github.com/mdafsanhossain/libs/blob/e2cdf1e084dabc8b42e69bae83ee49a74096ca1c/test/drivers/test_suites/syscall_exit_suite/send_x.cpp#L15 -No semicolon after int flags=0

[FedeDP]

Btw there are 2 small bugs in these files which prevents drivers_test compilation.

Wow! Can you fix them? We only run drivers tests on x86_64 and aarch64 that haven't got __NR_send nor __NR_socketcall defined and nobody ever caught those issues :)
Btw the errno one is pretty weird, errno should be declared.

[Andreagit97]

-----------------------------------------------------
- Setup phase
-----------------------------------------------------

* Configure modern BPF probe tests!
* Using buffer dim: 8388608
Unable to open the engine: the specified per-CPU ring buffer dimension (0) is not allowed! Please use a power of 2 and a multiple of the actual page_size (65536)!

This error is weird, the buffer dim is correct in this line

* Using buffer dim: 8388608

but in the below line is 0

Unable to open the engine: the specified per-CPU ring buffer dimension (0) is not allowed! 

It seems like someone on powerpc clears this buffer_bytes_dim 🤔

Steps to reproduce:

Just tried on my machine and it works, moreover these tests run in CI so they are working it seems something specific to powerpc

[mdafsanhossain]

-----------------------------------------------------
- Setup phase
-----------------------------------------------------

* Configure modern BPF probe tests!
* Using buffer dim: 8388608
Unable to open the engine: the specified per-CPU ring buffer dimension (0) is not allowed! Please use a power of 2 and a multiple of the actual page_size (65536)!

This error is weird, the buffer dim is correct in this line

* Using buffer dim: 8388608

but in the below line is 0

Unable to open the engine: the specified per-CPU ring buffer dimension (0) is not allowed! 

It seems like someone on powerpc clears this buffer_bytes_dim 🤔

Steps to reproduce:

Just tried on my machine and it works, moreover these tests run in CI so they are working it seems something specific to powerpc

I wonder what is resetting buffer_bytes_dim to 0. I will try to debug it but I don't have much idea on it.

[Andreagit97]

For me it's great, thank you
/approve

[poiana]

LGTM label has been added.

Git tree hash: c2202ba3d7f45e72b107e5b3f050343da3b4f6a8

[FedeDP]

@mdafsanhossain can you also open the PR on syscalls-bumper please? :)

[FedeDP]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, mdafsanhossain

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mdafsanhossain]

@mdafsanhossain can you also open the PR on syscalls-bumper please? :)

Will do

[FedeDP]

/unhold

[hbrueckner]

too late.... however, this looks very nice! Thanks a lot!
/approve

[FedeDP]

Ops sorry @hbrueckner , i completely forgot... my fault 😭 sorry again!