new(driver,userspace): PT_MODES for file modes

Signed-off-by: Lorenzo Fontana <[email protected]>

Author: fntlnz

driver/CMakeLists.txt

@@ -45,6 +45,7 @@ set(DRIVER_SOURCES
 	event_table.c
 	fillers_table.c
 	flags_table.c
+	modes_table.c
 	main.c
 	ppm.h
 	ppm_events.c

driver/bpf/filler_helpers.h

@@ -830,6 +830,7 @@ static __always_inline int __bpf_val_to_ring(struct filler_data *data,
 		len = sizeof(u16);
 		break;
 	case PT_FLAGS32:
+	case PT_MODES:
 	case PT_UINT32:
 	case PT_UID:
 	case PT_GID:

driver/bpf/fillers.h

@@ -4183,6 +4183,7 @@ FILLER(sys_fchmodat_x, true)
 	unsigned long val;
 	int res;
 	long retval;
+	unsigned int mode;
 
 	retval = bpf_syscall_get_retval(data->ctx);
 	res = bpf_val_to_ring(data, retval);
@@ -4211,8 +4212,9 @@ FILLER(sys_fchmodat_x, true)
 	/*
 	 * mode
 	 */
-	val = bpf_syscall_get_argument(data, 2);
-	res = bpf_val_to_ring(data, val);
+	mode = bpf_syscall_get_argument(data, 2);
+	mode = chmod_modes_to_scap(mode);
+	res = bpf_val_to_ring(data, mode);
 
 	return res;
 }

driver/event_table.c

@@ -325,11 +325,11 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_LINKAT_2_E */{"linkat", EC_FILE, EF_NONE, 0},
 	/* PPME_SYSCALL_LINKAT_2_X */{"linkat", EC_FILE, EF_NONE, 6, {{"res", PT_ERRNO, PF_DEC}, {"olddir", PT_FD, PF_DEC}, {"oldpath", PT_CHARBUF, PF_NA}, {"newdir", PT_FD, PF_DEC}, {"newpath", PT_CHARBUF, PF_NA}, {"flags", PT_FLAGS32, PF_HEX, linkat_flags} } },
 	/* PPME_SYSCALL_FCHMODAT_E */{"fchmodat", EC_FILE, EF_MODIFIES_STATE, 0},
-	/* PPME_SYSCALL_FCHMODAT_X */{"fchmodat", EC_FILE, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"filename", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT} } },
+	/* PPME_SYSCALL_FCHMODAT_X */{"fchmodat", EC_FILE, EF_MODIFIES_STATE, 4, {{"res", PT_ERRNO, PF_DEC}, {"dirfd", PT_FD, PF_DEC}, {"filename", PT_FSPATH, PF_NA}, {"mode", PT_MODES, PF_OCT, chmod_modes} } },
 	/* PPME_SYSCALL_CHMOD_E */{"chmod", EC_FILE, EF_MODIFIES_STATE, 0},
-	/* PPME_SYSCALL_CHMOD_X */{"chmod", EC_FILE, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"filename", PT_FSPATH, PF_NA}, {"mode", PT_UINT32, PF_OCT} } },
+	/* PPME_SYSCALL_CHMOD_X */{"chmod", EC_FILE, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"filename", PT_FSPATH, PF_NA}, {"mode", PT_MODES, PF_OCT, chmod_modes} } },
 	/* PPME_SYSCALL_FCHMOD_E */{"fchmod", EC_FILE, EF_MODIFIES_STATE, 0},
-	/* PPME_SYSCALL_FCHMOD_X */{"fchmod", EC_FILE, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"mode", PT_UINT32, PF_OCT} } }
+	/* PPME_SYSCALL_FCHMOD_X */{"fchmod", EC_FILE, EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"mode", PT_MODES, PF_OCT, chmod_modes} } }
 
 	/* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters.
 	 *     New event types are allowed only for new syscalls or new internal events.

driver/modes_table.c

@@ -0,0 +1,26 @@
+/*
+
+Copyright (c) 2013-2019 Draios Inc. dba Sysdig.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+#include "ppm_events_public.h"
+
+const struct ppm_name_value chmod_modes[] = {
+    {"S_IXOTH", PPM_S_IXOTH},
+    {"S_IWOTH", PPM_S_IWOTH},
+    {"S_IROTH", PPM_S_IROTH},
+    {"S_IXGRP", PPM_S_IXGRP},
+    {"S_IWGRP", PPM_S_IWGRP},
+    {"S_IRGRP", PPM_S_IRGRP},
+    {"S_IXUSR", PPM_S_IXUSR},
+    {"S_IWUSR", PPM_S_IWUSR},
+    {"S_IRUSR", PPM_S_IRUSR},
+    {"S_ISVTX", PPM_S_ISVTX},
+    {"S_ISGID", PPM_S_ISGID},
+    {"S_ISUID", PPM_S_ISUID},
+    {0, 0},
+};

driver/ppm_events.c

@@ -657,6 +657,7 @@ int val_to_ring(struct event_filler_arguments *args, uint64_t val, u32 val_len,
 		break;
 	case PT_FLAGS32:
 	case PT_UINT32:
+	case PT_MODES:
 	case PT_UID:
 	case PT_GID:
 	case PT_SIGSET:

driver/ppm_events_public.h

@@ -1364,7 +1364,8 @@ enum ppm_param_type {
 	PT_IPV6NET = 39, /* An IPv6 network. */
 	PT_IPADDR = 40,  /* Either an IPv4 or IPv6 address. The length indicates which one it is. */
 	PT_IPNET = 41,  /* Either an IPv4 or IPv6 network. The length indicates which one it is. */
-	PT_MAX = 42 /* array size */
+	PT_MAX = 42, /* array size */
+	PT_MODES = 43 /* a 32 bit bitmask to represent file modes. */
 };
 
 enum ppm_print_format {
@@ -1494,6 +1495,7 @@ extern const struct ppm_name_value access_flags[];
 extern const struct ppm_name_value pf_flags[];
 extern const struct ppm_name_value unlinkat_flags[];
 extern const struct ppm_name_value linkat_flags[];
+extern const struct ppm_name_value chmod_modes[];
 
 extern const struct ppm_param_info sockopt_dynamic_param[];
 extern const struct ppm_param_info ptrace_dynamic_param[];

driver/ppm_fillers.c

@@ -4842,7 +4842,7 @@ int f_sys_fchmodat_x(struct event_filler_arguments *args)
 	 * mode
 	 */
 	syscall_get_arguments_deprecated(current, args->regs, 2, 1, &val);
-	res = val_to_ring(args, val, 0, false, 0);
+	res = val_to_ring(args, chmod_modes_to_scap(val), 0, false, 0);
 	if (unlikely(res != PPM_SUCCESS))
 		return res;
 
@@ -4871,8 +4871,8 @@ int f_sys_chmod_x(struct event_filler_arguments *args)
 	/*
 	 * mode
 	 */
-	syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val);
-	res = val_to_ring(args, val, 0, false, 0);
+	syscall_get_arguments_deprecated(current, args->regs, 2, 1, &val);
+	res = val_to_ring(args, chmod_modes_to_scap(val), 0, false, 0);
 	if (unlikely(res != PPM_SUCCESS))
 		return res;
 
@@ -4902,8 +4902,8 @@ int f_sys_fchmod_x(struct event_filler_arguments *args)
 	/*
 	 * mode
 	 */
-	syscall_get_arguments_deprecated(current, args->regs, 1, 1, &val);
-	res = val_to_ring(args, val, 0, false, 0);
+	syscall_get_arguments_deprecated(current, args->regs, 2, 1, &val);
+	res = val_to_ring(args, chmod_modes_to_scap(val), 0, false, 0);
 	if (unlikely(res != PPM_SUCCESS))
 		return res;
 

driver/ppm_flag_helpers.h

@@ -1268,4 +1268,58 @@ static __always_inline u32 linkat_flags_to_scap(unsigned long flags)
 	return res;
 }
 
+static __always_inline u32 chmod_modes_to_scap(unsigned long modes)
+{
+	u32 res = 0;
+	if (modes & S_IRUSR)
+		res |= PPM_S_IRUSR;
+
+	if (modes & S_IWUSR)
+		res |= PPM_S_IWUSR;
+
+	if (modes & S_IXUSR)
+		res |= PPM_S_IXUSR;
+
+	/*
+	 * PPM_S_IRWXU == S_IRUSR | S_IWUSR | S_IXUSR
+	 */
+
+	if (modes & S_IRGRP)
+		res |= PPM_S_IRGRP;
+
+	if (modes & S_IWGRP)
+		res |= PPM_S_IWGRP;
+
+	if (modes & S_IXGRP)
+		res |= PPM_S_IXGRP;
+
+	/*
+	 * PPM_S_IRWXG == S_IRGRP | S_IWGRP | S_IXGRP
+	 */
+
+	if (modes & S_IROTH)
+		res |= PPM_S_IROTH;
+
+	if (modes & S_IWOTH)
+		res |= PPM_S_IWOTH;
+
+	if (modes & S_IXOTH)
+		res |= PPM_S_IXOTH;
+
+	/*
+	 * PPM_S_IRWXO == S_IROTH | S_IWOTH | S_IXOTH
+	 */
+
+	if (modes & S_ISUID)
+		res |= PPM_S_ISUID;
+
+	if (modes & S_ISGID)
+		res |= PPM_S_ISGID;
+
+	if (modes & S_ISVTX)
+		res |= PPM_S_ISVTX;
+
+	return res;
+}
+
 #endif /* PPM_FLAG_HELPERS_H_ */

userspace/libscap/CMakeLists.txt

@@ -32,7 +32,8 @@ list(APPEND targetfiles
 	syscall_info_table.c
 	../../driver/dynamic_params_table.c
 	../../driver/event_table.c
-	../../driver/flags_table.c)
+	../../driver/flags_table.c
+	../../driver/modes_table.c)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	list(APPEND targetfiles