new(bpf, modern_bpf): introduce socketcall handling

[hbrueckner]

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area driver-bpf

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Add socketcall handling to enable capturing of network syscall events on s390x. See #810 for details.

Which issue(s) this PR fixes:

Fixes the BPF part in: #810
Depends-on: #809

Special notes for your reviewer:

I took an approach similar to the kmod driver to extract the socket call and its arguments. Arguments are stored and looked up in/from a BPF map. This becomes then transparent to the actual filler implementations.

Note that this PR includes and is depending on #809, so for review please focus on the just the last commit.

cc: @FedeDP @Andreagit97 @Molter73

@Andreagit97 The modern-bpf version of socketcall handling is not yet finalized and like to briefly discuss my approach in #810.

Does this PR introduce a user-facing change?:

This should be transparent.

`new(bpf, modern_bpf): introduce `socketcall` handling`

[FedeDP]

Since this depends on #809 that is wip, can we make wip this too?

[FedeDP]

Oh i see, this is a PR on top of #809. If you set the target branch to be the one used by #809 we are able to review only the correct diff for this patch (instead of the whole diff from master!)

[hbrueckner]

Oh i see, this is a PR on top of #809. If you set the target branch to be the one used by #809 we are able to review only the correct diff for this patch (instead of the whole diff from master!)

I guess, I need to push #809 as branch into libs directly...? I just have them external and I guess an external target branch will not work.

[FedeDP]

You are probably right; well let's keep this as is then!

[Andreagit97]

I will have a deeper look at it but it seems great! I think we can do something similar for the modern bpf probe 🤔

[hbrueckner]

Hi @FedeDP , @Andreagit97 thanks for merging #809! So now here is the rebased version of the socketcall support in the BPF.

[FedeDP]

Hi @hbrueckner ! Does this PR fix support of old bpf probe for s390x?
If affirmative, can you also update the README driver support table? ;)
Thank you!

[hbrueckner]

Hi @hbrueckner ! Does this PR fix support of old bpf probe for s390x? If affirmative, can you also update the README driver support table? ;) Thank you!

Yeah.. will do! Additional commit comes later today...

[Andreagit97]

you need to add also an enum for this map https://github.com/falcosecurity/libs/blob/master/driver/bpf/types.h#L216-L230, otherwise, the userspace could parse them out of order. something like SCAP_SOCKETCALL_MAP should be ok

[hbrueckner]

Thanks @Andreagit97 . Should be solved with this commit.

[hbrueckner]

Hi @Andreagit97, @FedeDP ,

need some hints from you regarding some initial socketcall testing. I started to modify the socket and bind driver test cases to have a direct and socketcall-based version (with mininal changes as usual ;-).

What I actually realized with initial test failures is that socketcall needs to be marked as "interesting" to create the desired events. In the current implementation the check for enabled = is_syscall_interesting(id); is quite early and is before the handle_socketcall logic is triggered.

The question is how to best handle this:

• For the driver tests, I can imagine a specific solution in the event_class...
• In general
  a) should the userspace add socketcall to be interesting when network calls are involved?
  b) should is_syscall_interesting be extended to cover socketcall and go even further with sub-filtering on the respective socket calls (based that s390xhas direct syscall support since Linux kernel v4.3 and for old BPF driver v5.5 is required anyway)

Wdyt?

For modern BPF, this is quite similar and I already have a prototype which goes into direction b). And, ultimatively, I guess @incertum might be interesting here as well to install very specific system calls only.

[hbrueckner]

Hi @Andreagit97 , @FedeDP

it took a while to complete this PR with @Andreagit97 suggested changes. Now the socketcall support should handle all cases along with respective tests (passing on kmod, bpf, and modern_bpf).

From a testing perspective, currently those are missing (and hopefully will be added with the respective modern bpf probes):

• getsockname
• getpeername
• send
• recv

The PR is very large due to copying the existing network related tests. The most interesting part of the review is the way to use socketcall and to properly set up the arguments. There are also changes to the modern bpf programs to correctly fetch the arguments. This of course, needs to be considered when providing above probe implementations. Note that there was also a bug in the kmod socketcall implementation regarding getsockopt and setsockopt (thanks to our tests!).

Also some special handling was required for accept which is not available on s390x and its mapping to accept4 in the test cases. Because tests are "syscall" based, I had to exclude for kmod with its event-based implementation (requiring some more changes in the event_class).

Take your time to review (better on commit base) ... I will on a conference next week and will be slow in response then.

[Andreagit97]

that's a huge work @hbrueckner thank you very much for that! I will take a look ASAP!

[FedeDP]

Neat fix, thank you!

[FedeDP]

All in all, this LGTM! Thank you very much for this huge effort!

Note, most of the lines changes are from test suites ;)
I'll wait for @Andreagit97 for the modern probe part!

[FedeDP]

/approve

[poiana]

LGTM label has been added.

Git tree hash: dc60a823fc377ab93999d2d4d4851e6d021218eb

[Andreagit97]

the unique issue is the __NR_ACCEPT macro that should be converted to __NR_accept, but since the entity of the PR and the conflict risk I prefer to merge it and I will address these minor comments in another one :)
BTW Amazing work, thank you very much for that!
/approve

[Andreagit97]

Suggested change

	#elif defined(__NR_ACCEPT)
	#elif defined(__NR_accept)

[Andreagit97]

Same here

[Andreagit97]

syscall_arg_t is correct but since args->socketcall_args is a vector of unsigned long and not of syscall_arg_t, I would be as explicit as possible

Suggested change

	memcpy(val, args->socketcall_args, 5*sizeof(syscall_arg_t));
	memcpy(val, args->socketcall_args, 5*sizeof(unsigned long));

[Andreagit97]

Same here

Suggested change

	memcpy(val, args->socketcall_args, 5*sizeof(syscall_arg_t));
	memcpy(val, args->socketcall_args, 5*sizeof(unsigned long));

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, hbrueckner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hbrueckner]

Hi @Andreagit97 ,

the unique issue is the __NR_ACCEPT macro that should be converted to __NR_accept, but since the entity of the PR and the conflict risk I prefer to merge it and I will address these minor comments in another one :) BTW Amazing work, thank you very much for that!

Thanks for spotting the __NR_ACCEPT and the other things! Glad to see this now being merged! ❤️