From d2d89e23592ad0af5fb13a48ff5253673e7c2926 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?=
Date: Fri, 26 Jan 2024 20:58:07 +0100
Subject: [PATCH] on aarch64 send exec events directly to userspace

On 68c2c8ae1aeb7356f9d90e88e2129465c472e646 we excluded failed execve* calls from being delivered to userspace, in order to get the binary that was executed and avoid errors/confusion. But on aarch64, it seems that we fail to save the exec event to a map, so the event is never delivered to userspace. So for the time being, send the exec events as soon as they arrive on aarch64, without checking if the call failed.
(cherry picked from commit c118058dd8d25d42d36a6ae00414db96fb53e23f)
---
 ebpf_prog/opensnitch-procs.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/ebpf_prog/opensnitch-procs.c b/ebpf_prog/opensnitch-procs.c
index 939617b8ea..2da48f7c5b 100644
--- a/ebpf_prog/opensnitch-procs.c
+++ b/ebpf_prog/opensnitch-procs.c
@@ -123,6 +123,10 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
 }
 #endif
+// FIXME: on aarch64 we fail to save the event to execMap, so send it to userspace here.
+#if defined(__aarch64__)
+ bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
+#else
 // in case of failure adding the item to the map, send it directly
 u64 pid_tgid = bpf_get_current_pid_tgid();
 if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) {
@@ -132,6 +136,7 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
 // Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors
 bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
 }
+#endif
 return 0;
 };
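Review bot: The new `#if defined(__aarch64__)` branch calls `bpf_perf_event_output` directly and never touches `execMap`, so the filtering the commit message describes (dropping failed execve* calls before they reach userspace) is bypassed on that architecture and userspace will receive EXEC events for execs that subsequently fail; the same applies to the execveat hunk `@@ -164,7 +172,12 @@`. The code that consumes `execMap` (presumably a sys_exit handler) is outside this patch, so it is worth confirming it tolerates a missing entry on aarch64 rather than emitting a second event or logging an error per exec. The FIXME should state this consumer-visible consequence rather than only the symptom, e.g. `// FIXME: on aarch64 bpf_map_update_elem(&execMap, ...) fails (rc: <TODO record observed value>), so the event is emitted here and failed execve* calls are NOT filtered on this arch.`; recording the actual return value would also turn the commit message's "it seems that we fail" into a diagnosable cause, the way the `#else` path's comment already tracks -95 errors. The enclosing function `tracepoint__syscalls_sys_enter_execve` starts before this hunk.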
@@ -154,6 +159,9 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
 const char *argp={0};
 data->args_count = 0;
 data->args_partial = INCOMPLETE_ARGS;
+
+// FIXME: on i386 arch, the following code fails with permission denied.
+#if !defined(__arm__) && !defined(__i386__)
 #pragma unroll
 for (int i = 0; i < MAX_ARGS; i++) {
 bpf_probe_read_user(&argp, sizeof(argp), &ctx->argv[i]);
@@ -164,7 +172,12 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
 }
 data->args_count++;
 }
+#endif
+// FIXME: on aarch64 we fail to save the event to execMap, so send it to userspace here.
+#if defined(__aarch64__)
+ bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
+#else
 // in case of failure adding the item to the map, send it directly
 u64 pid_tgid = bpf_get_current_pid_tgid();
 if (bpf_map_update_elem(&execMap, &pid_tgid, data, BPF_ANY) != 0) {
@@ -174,6 +187,7 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
 // Possible workaround: count -95 errors, and from userspace reinitialize the streamer if errors >= n-errors
 bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
 }
+#endif
 return 0;
 };
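Review bot: With the new `#if !defined(__arm__) && !defined(__i386__)` guard, the context line `const char *argp={0};` above it is declared but never used on arm and i386 builds, since its only uses are inside the guarded loop, which will produce an unused-variable warning and fail under -Werror; moving the declaration just inside the guard, `+#if !defined(__arm__) && !defined(__i386__)` / `+    const char *argp={0};`, keeps the excluded build clean. The FIXME text names only i386 while the macro also excludes 32-bit arm, so either the comment should mention both or the guard should be narrowed to match what was actually observed. On the excluded architectures the event is still emitted with `args_count == 0` and `args_partial == INCOMPLETE_ARGS`, which the comment should say so that userspace consumers do not treat an empty argv as a real observation; this presumably mirrors the guard already present in `tracepoint__syscalls_sys_enter_execve`, whose `#endif` appears as context in the first hunk. The enclosing function `tracepoint__syscalls_sys_enter_execveat` starts before this hunk.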