From c118058dd8d25d42d36a6ae00414db96fb53e23f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?=
Date: Fri, 26 Jan 2024 20:58:07 +0100
Subject: [PATCH] on aarch64 send exec events directly to userspace

On 68c2c8ae1aeb7356f9d90e88e2129465c472e646 we excluded failed execve* calls from being delivered to userspace, in order to get the binary that was executed and avoid errors/confusion. But on aarch64, it seems that we fail to save the exec event to a map, so the event is never delivered to userspace. So for the time being, send the exec events as soon as they arrive on aarch64, without checking if the call failed.
---
 ebpf_prog/opensnitch-procs.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ebpf_prog/opensnitch-procs.c b/ebpf_prog/opensnitch-procs.c
index 939617b8ea..2da48f7c5b 100644
--- a/ebpf_prog/opensnitch-procs.c
+++ b/ebpf_prog/opensnitch-procs.c
@@ -123,6 +123,10 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
 }
 #endif
 
+// FIXME: on aarch64 we fail to save the event to execMap, so send it to userspace here.
+#if defined(__aarch64__)
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
+#else
     // in case of failure adding the item to the map, send it directly
     u64 pid_tgid = bpf_get_current_pid_tgid();
     if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) {
@@ -132,6 +136,7 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
         // Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors
         bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
     }
+#endif
     return 0;
 };
 
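Review bot: The aarch64 branch added in this hunk emits the event on sys_enter for every execve attempt, so a call that later fails (the case commit 68c2c8ae1aeb7356f9d90e88e2129465c472e646 was meant to filter out) is still reported and userspace will attribute the pid to a binary that never replaced the process image; the execveat hunk further down adds the identical block and has the same issue. The `#else` branch already falls back to bpf_perf_event_output when bpf_map_update_elem returns non-zero, so the failure the FIXME refers to is presumably one the return code does not surface (the update reports success but the entry is missing when sys_exit looks it up) — that distinction belongs in the comment, otherwise the next maintainer will read the fallback and remove the `#if`. Suggested wording: `// FIXME: on aarch64 the execMap update does not fail but the entry is not found later, so the event is emitted here unconditionally; userspace may therefore receive events for execve calls that failed.` tracepoint__syscalls_sys_enter_execve starts outside the hunk.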
@@ -154,6 +159,9 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
     const char *argp={0};
     data->args_count = 0;
     data->args_partial = INCOMPLETE_ARGS;
+
+// FIXME: on i386 arch, the following code fails with permission denied.
+#if !defined(__arm__) && !defined(__i386__)
     #pragma unroll
     for (int i = 0; i < MAX_ARGS; i++) {
         bpf_probe_read_user(&argp, sizeof(argp), &ctx->argv[i]);
@@ -164,7 +172,12 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
         }
         data->args_count++;
     }
+#endif
 
+// FIXME: on aarch64 we fail to save the event to execMap, so send it to userspace here.
+#if defined(__aarch64__)
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
+#else
     // in case of failure adding the item to the map, send it directly
     u64 pid_tgid = bpf_get_current_pid_tgid();
     if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) {
@@ -174,6 +187,7 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
         // Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors
         bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
     }
+#endif
     return 0;
 };
 
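Review bot: The new `#if !defined(__arm__) && !defined(__i386__)` guard in the execveat hunk compiles out the whole argv loop, yet the commit message only talks about aarch64 and nothing records what an event from arm or i386 then looks like: `data->args_count` stays 0 and `data->args_partial` stays `INCOMPLETE_ARGS`, with `argp` left as an unused local on those builds. The `#endif` visible as context at the top of the first hunk suggests the execve tracepoint already carries an equivalent guard; if so the two conditions should be kept identical, or one arch will silently diverge. A comment above the guard such as `// arm/i386: argv loop compiled out; args_count stays 0 and args_partial stays INCOMPLETE_ARGS, consumers must check args_partial before trusting args_count` would make the contract explicit. The for loop continues past the end of the hunk.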