fix(driver): manage syscalls only defined with socketcall

[Andreagit97]

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area driver-kmod

/area tests

Does this PR require a change in the driver versions?

Already bumped both patch versions

What this PR does / why we need it:

Please note: the following changes regard only the kernel module, at least at the moment, since it is the unique driver which supports 32-bit syscall. We will need to find a valid solution for all the drivers in the next future:

As explained in the code there are cases in which given a specific socketcall code we are not able to obtain the corresponding syscall code. There are 2 possibilities:

1. The user provided the wrong socket call code. In this case, we will send a generic event.
2. The socket call code is defined but the corresponding syscall call is not defined in the system. For example on s390x machines SYS_ACCEPT is defined but __NR_accept is not. In this case, instead of converting to the syscall code, we will convert to the corresponding event. The only difference in converting to the event is that we lose the capability to use the simple consumer (the simple consumer logic is syscall driven...).
   Let's imagine the case in which we receive an SYS_ACCEPT socketcall code on s390x. We will try to convert it to __NR_accept but this is not defined in the system. For this reason, we will covert it to PPME_SOCKET_ACCEPT_5_E/X. Note that the syscall id is not changed to __NR_accept, we cannot do that as we said, so we keep the __NR_socketcall id. Now when we face the simple consumer logic we will decide to keep this event looking at the __NR_socketcall code. If it is interesting we will keep this event, if not we will drop the event.
   TL;DR; in these corner cases in which we need to convert the socketcall code to an event code we use the __NR_socketcall code as a knob to keep or drop these events.

Known cases in which the socket call code is defined but the corresponding syscall code is not:

s390x

• SYS_ACCEPT is defined but __NR_accept is not defined

x86 with CONFIG_IA32_EMULATION

• SYS_ACCEPT is defined but __NR_accept is not defined
• SYS_SEND is defined but __NR_send is not defined
• SYS_RECV is defined but __NR_recv is not defined

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

fix(driver): manage syscalls only defined with socketcall 

[FedeDP]

Missing return statement?

[FedeDP]

Btw i'd avoid this at all, just setting data to be used by the record_event_all_consumers at the end of the function. Same for sys enter.

[Andreagit97]

Great catch!

[FedeDP]

This feels weird; still, we will need to come back at this impl later, therefore no blocker for me.

[Andreagit97]

agree this is just a patch needed because we are near the release, we need to find something better for all the engines

[FedeDP]

We are not testing kmod on s390x here, right?

[Andreagit97]

yep, we are testing it, in the else case of this ifdef

[FedeDP]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 144068c418c4d878c9bdcc84e441398c1a1574ec

[LucaGuerra]

ACCEPT4_5 or ACCEPT4_6 or it makes no difference?

[Andreagit97]

Great catch!

[FedeDP]

Great catch Luca !

[LucaGuerra]

LGTM! Thanks for this fix!

[poiana]

LGTM label has been added.

Git tree hash: 5dc27973805355895a8209ec8ff748418b015534

[FedeDP]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP,LucaGuerra]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment