new(libscap): add m_attached_progs to modern_bpf_engine handle

Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
falcosecurity · Apr 12, 2023 · a2ccff5 · a2ccff5
1 parent 169c4d9
commit a2ccff5
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 0 deletions.
diff --git a/userspace/libpman/include/libpman.h b/userspace/libpman/include/libpman.h
@@ -85,6 +85,15 @@ extern "C"
 	 */
 	int pman_open_probe(void);
 
+	/**
+	 * @brief Save fd for each possible attached bpf tracepoint program, -1 if not available.
+	 * @param modern_bpf_engine_struct opaque pointer to `modern_bpf_engine_struct`.
+	 *
+	 * @note Only bpf programs, not to be confused with bpf tail calls.
+	 * @return `0` on success, `errno` in case of error.
+	 */
+	int pman_save_attached_progs(void* modern_bpf_engine_struct);
+
 	/**
 	 * @brief Load into the kernel all the programs and maps
 	 * contained into the skeleton.

diff --git a/userspace/libpman/src/lifecycle.c b/userspace/libpman/src/lifecycle.c
@@ -16,6 +16,8 @@ limitations under the License.
 */
 
 #include "state.h"
+#include <libpman.h>
+#include "../../libscap/engine/modern_bpf/scap_modern_bpf.h"
 
 int pman_open_probe()
 {
@@ -38,6 +40,33 @@ int pman_load_probe()
 	return 0;
 }
 
+int pman_save_attached_progs(void* modern_bpf_engine_struct)
+{
+	struct modern_bpf_engine* engine = (struct modern_bpf_engine *)modern_bpf_engine_struct;
+	engine->m_attached_progs[0] = bpf_program__fd(g_state.skel->progs.sys_enter);
+	engine->m_attached_progs[1] = bpf_program__fd(g_state.skel->progs.sys_exit);
+	engine->m_attached_progs[2] = bpf_program__fd(g_state.skel->progs.sched_proc_exit);
+	engine->m_attached_progs[3] = bpf_program__fd(g_state.skel->progs.sched_switch);
+#ifdef CAPTURE_SCHED_PROC_EXEC
+	engine->m_attached_progs[4] = bpf_program__fd(g_state.skel->progs.sched_p_exec);
+#endif
+#ifdef CAPTURE_SCHED_PROC_FORK
+	engine->m_attached_progs[5] = bpf_program__fd(g_state.skel->progs.sched_p_fork);
+#endif
+	engine->m_attached_progs[6] = bpf_program__fd(g_state.skel->progs.pf_user);
+	engine->m_attached_progs[7] = bpf_program__fd(g_state.skel->progs.pf_kernel);
+	engine->m_attached_progs[8] = bpf_program__fd(g_state.skel->progs.signal_deliver);
+	for(int j=0; j < MODERN_BPF_PROG_ATTACHED_MAX; j++)
+	{
+		if (engine->m_attached_progs[j] < 1)
+		{
+			engine->m_attached_progs[j] = -1;
+		}
+	}
+
+	return 0;
+}
+
 void pman_close_probe()
 {
 	if(g_state.cons_pos)

diff --git a/userspace/libscap/engine/modern_bpf/scap_modern_bpf.c b/userspace/libscap/engine/modern_bpf/scap_modern_bpf.c
@@ -192,8 +192,10 @@ int32_t scap_modern_bpf__init(scap_t* handle, scap_open_args* oargs)
 	ret = ret ?: pman_prepare_ringbuf_array_before_loading();
 	ret = ret ?: pman_prepare_maps_before_loading();
 	ret = ret ?: pman_load_probe();
+	ret = ret ?: pman_save_attached_progs(handle->m_engine.m_handle);
 	ret = ret ?: pman_finalize_maps_after_loading();
 	ret = ret ?: pman_finalize_ringbuf_array_after_loading();
+
 	if(ret != SCAP_SUCCESS)
 	{
 		return ret;

diff --git a/userspace/libscap/engine/modern_bpf/scap_modern_bpf.h b/userspace/libscap/engine/modern_bpf/scap_modern_bpf.h
@@ -22,12 +22,15 @@ limitations under the License.
 #include "../../../../driver/ppm_events_public.h"
 #include "scap_open.h"
 
+#define MODERN_BPF_PROG_ATTACHED_MAX 9 // TBD
+
 struct scap;
 
 struct modern_bpf_engine
 {
 	unsigned long m_retry_us; /* Microseconds to wait if all ring buffers are empty */
 	char* m_lasterr; /* Last error caught by the engine */
+	int m_attached_progs[MODERN_BPF_PROG_ATTACHED_MAX]; /* Saving fds for each possible attached bpf tracepoint program, -1 if not available. */
 	interesting_ppm_sc_set curr_sc_set; /* current ppm_sc */
 	uint64_t m_api_version;
 	uint64_t m_schema_version;