sync: 0.10.1

cmake/modules/curl.cmake

@@ -36,8 +36,8 @@ else()
 			curl
 			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
 			DEPENDS openssl zlib
-			URL "https://github.com/curl/curl/releases/download/curl-7_84_0/curl-7.84.0.tar.bz2"
-			URL_HASH "SHA256=702fb26e73190a3bd77071aa146f507b9817cc4dfce218d2ab87f00cd3bc059d"
+			URL "https://github.com/curl/curl/releases/download/curl-7_87_0/curl-7.87.0.tar.bz2"
+			URL_HASH "SHA256=5d6e128761b7110946d1276aff6f0f266f2b726f5e619f7e0a057a474155f307"
 			CONFIGURE_COMMAND
 			./configure
 			${CURL_SSL_OPTION}

cmake/modules/openssl.cmake

@@ -21,8 +21,8 @@ else()
 
 		ExternalProject_Add(openssl
 			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
-			URL "https://github.com/openssl/openssl/archive/OpenSSL_1_1_1p.tar.gz"
-			URL_HASH "SHA256=cd0cce1de6c9a6da8f83ba7ae210a3662eab21c4df7aff30149597797b2ceac9"
+			URL "https://github.com/openssl/openssl/archive/OpenSSL_1_1_1q.tar.gz"
+			URL_HASH "SHA256=0686897afd3a08223760db73d8034550401b53ffc545798d7ca476564f80315e"
 			CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
 			BUILD_COMMAND ${CMD_MAKE}
 			BUILD_IN_SOURCE 1

driver/modern_bpf/definitions/events_dimensions.h

@@ -20,6 +20,8 @@
 /// want to touch scap tables.
 
 /* Syscall events */
+#define GENERIC_E_SIZE HEADER_LEN + sizeof(uint16_t) * 2 + PARAM_LEN * 2
+#define GENERIC_X_SIZE HEADER_LEN + sizeof(uint16_t) + PARAM_LEN
 #define MKDIR_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define OPEN_BY_HANDLE_AT_E_SIZE HEADER_LEN
 #define CLOSE_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN

driver/modern_bpf/helpers/base/maps_getters.h

@@ -50,6 +50,15 @@ static __always_inline u8 maps__get_event_num_params(u32 event_id)
 
 /*=============================== EVENT NUM PARAMS TABLE ===========================*/
 
+/*=============================== PPM_SC TABLE ===========================*/
+
+static __always_inline u16 maps__get_ppm_sc(u16 syscall_id)
+{
+	return g_ppm_sc_table[syscall_id & (SYSCALL_TABLE_SIZE - 1)];
+}
+
+/*=============================== PPM_SC TABLE ===========================*/
+
 /*=============================== AUXILIARY MAPS ===========================*/
 
 static __always_inline struct auxiliary_map *maps__get_auxiliary_map()

driver/modern_bpf/helpers/store/auxmap_store_params.h

@@ -195,6 +195,9 @@ static __always_inline void auxmap__submit_event(struct auxiliary_map *auxmap)
 		return;
 	}
 
+	/* This counts the event seen by the drivers even if they are dropped because the buffer is full. */
+	counter->n_evts++;
+
 	if(auxmap->payload_pos > MAX_EVENT_SIZE)
 	{
 		counter->n_drops_max_event_size++;
@@ -209,10 +212,6 @@ static __always_inline void auxmap__submit_event(struct auxiliary_map *auxmap)
 	{
 		counter->n_drops_buffer++;
 	}
-	else
-	{
-		counter->n_evts++;
-	}
 }
 
 /////////////////////////////////

driver/modern_bpf/helpers/store/ringbuf_store_params.h

@@ -99,6 +99,9 @@ static __always_inline u32 ringbuf__reserve_space(struct ringbuf_struct *ringbuf
 		return 0;
 	}
 
+	/* This counts the event seen by the drivers even if they are dropped because the buffer is full. */
+	counter->n_evts++;
+
 	/* If we are not able to reserve space we stop here
 	 * the event collection.
 	 */
@@ -109,7 +112,6 @@ static __always_inline u32 ringbuf__reserve_space(struct ringbuf_struct *ringbuf
 		return 0;
 	}
 
-	counter->n_evts++;
 	ringbuf->data = space;
 	ringbuf->reserved_event_size = event_size;
 	return 1;

driver/modern_bpf/maps/maps.h

@@ -25,11 +25,17 @@
  */
 
 /**
- * @brief Take as input the `ppm_event_type` enum and return the number
+ * @brief Take as input the `ppm_event_type` enum and returns the number
  * of parameters for that event.
  */
 __weak const volatile uint8_t g_event_params_table[PPM_EVENT_MAX];
 
+/**
+ * @brief Take as input the `syscall_id` and returns the PPM_SC_CODE
+ * associated with the syscall.
+ */
+__weak const volatile uint16_t g_ppm_sc_table[SYSCALL_TABLE_SIZE];
+
 /**
  * @brief Actual probe API version
  */
@@ -133,7 +139,7 @@ struct
 
 /**
  * @brief For every CPU on the system we have a counter
- * map where we store the number of events correcty pushed
+ * map where we store the number of events correctly pushed
  * and the number of events dropped.
  */
 struct
@@ -148,18 +154,17 @@ struct
 /*=============================== RINGBUF MAP ===============================*/
 
 /**
- * @brief We will have a ringbuf map for every CPU on the system.
- * The dimension of the single ringbuf and the number of
- * ringbuf maps are set in userspace.
+ * @brief We use this map to let the verifier understand the content of our array of maps (`ringbuf_maps`)
  */
 struct ringbuf_map
 {
 	__uint(type, BPF_MAP_TYPE_RINGBUF);
 };
 
 /**
- * @brief This array of maps will contain a ringbuf map for every CPU
- * on the system.
+ * @brief This array of maps will contain a variable number of ring buffers
+ * according to the user-provided configuration. It could also contain only
+ * one buffer shared between all CPUs. 
  */
 struct
 {

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/generic.bpf.c

@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2022 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+#include <helpers/interfaces/syscalls_dispatcher.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(generic_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, GENERIC_E_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_GENERIC_E);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	/* Parameter 1: ID (type: PT_SYSCALLID) */
+	/* This is the PPM_SC code obtained from the syscall id. */
+	ringbuf__store_u16(&ringbuf, maps__get_ppm_sc(id));
+
+	/* Parameter 2: nativeID (type: PT_UINT16) */
+	ringbuf__store_u16(&ringbuf, id);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(generic_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, GENERIC_X_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_GENERIC_X);
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	/* Parameter 1: ID (type: PT_SYSCALLID) */
+	/* This is the PPM_SC code obtained from the syscall id. */
+	ringbuf__store_u16(&ringbuf, maps__get_ppm_sc(syscalls_dispatcher__get_syscall_id(regs)));
+
+	/*=============================== COLLECT PARAMETERS ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/

test/modern_bpf/event_class/event_class.cpp

@@ -196,7 +196,7 @@ void event_test::disable_capture()
 
 void event_test::clear_ring_buffers()
 {
-	int16_t cpu_id = 0;
+	uint16_t cpu_id = 0;
 	while(get_event_from_ringbuffer(&cpu_id) != NULL)
 	{
 	};
@@ -207,15 +207,15 @@ bool event_test::are_all_ringbuffers_full(unsigned long threshold)
 	return pman_are_all_ringbuffers_full(threshold);
 }
 
-struct ppm_evt_hdr* event_test::get_event_from_ringbuffer(int16_t* cpu_id)
+struct ppm_evt_hdr* event_test::get_event_from_ringbuffer(uint16_t* cpu_id)
 {
 	m_event_header = NULL;
 	uint16_t attempts = 0;
 
 	/* Try 2 times just to be sure that all the buffers are empty. */
 	while(attempts <= 1)
 	{
-		pman_consume_first_from_buffers((void**)&m_event_header, cpu_id);
+		pman_consume_one_from_buffers((void**)&m_event_header, cpu_id);
 		if(m_event_header != NULL)
 		{
 			return m_event_header;
@@ -819,7 +819,7 @@ void event_test::assert_unix_path(const char* desired_path, int starting_index)
 
 void event_test::assert_event_in_buffers(pid_t pid_to_search, int event_to_search, bool presence)
 {
-	int16_t cpu_id = 0;
+	uint16_t cpu_id = 0;
 	pid_t pid = 0;
 	uint16_t evt_type = 0;
 

test/modern_bpf/event_class/event_class.h

@@ -169,7 +169,7 @@ class event_test
 	 *
 	 * @param cpu_id CPU from which we extracted the event.
 	 */
-	struct ppm_evt_hdr* get_event_from_ringbuffer(int16_t* cpu_id);
+	struct ppm_evt_hdr* get_event_from_ringbuffer(uint16_t* cpu_id);
 
 	/**
 	 * @brief Parse information from the event that we have extracted from the buffer:

test/modern_bpf/start_tests.cpp

@@ -63,7 +63,7 @@ int main(int argc, char** argv)
 	::testing::InitGoogleTest(&argc, argv);
 
 	/* Configure and load BPF probe. */
-	ret = pman_init_state(libbpf_verbosity, buffer_dim);
+	ret = pman_init_state(libbpf_verbosity, buffer_dim, DEFAULT_CPU_FOR_EACH_BUFFER, true);
 	ret = ret ?: pman_open_probe();
 	ret = ret ?: pman_prepare_ringbuf_array_before_loading();
 	ret = ret ?: pman_prepare_maps_before_loading();

test/modern_bpf/test_suites/local_suite/ring_buffer.cpp

@@ -40,7 +40,7 @@ TEST(Local, ring_buffer_overwrite)
 	 * and keep the pointer to an event to see if this is overwritten
 	 */
 	struct ppm_evt_hdr* evt = NULL;
-	int16_t cpu_id = 0;
+	uint16_t cpu_id = 0;
 
 	for(int i=0; i<10; i++)
 	{

userspace/libpman/include/libpman.h

@@ -26,7 +26,7 @@ extern "C"
 #endif
 
 	/* `libpman` return values convention:
-	 * In case of success `0` is return otherwise `errno`. If `errno` is not
+	 * In case of success `0` is returned otherwise `errno`. If `errno` is not
 	 * available `-1` is returned.
 	 *
 	 * Please Note:
@@ -47,17 +47,24 @@ extern "C"
 	 *
 	 * @param verbosity use `true` if you want to activate libbpf verbosity.
 	 * @param buf_bytes_dim dimension of a single per-CPU buffer in bytes.
+	 * @param cpus_for_each_buffer number of CPUs to which we want to associate a ring buffer.
+	 * @param allocate_online_only if true, allocate ring buffers taking only into account online CPUs.
 	 * @return `0` on success, `-1` in case of error.
 	 */
-	int pman_init_state(bool verbosity, unsigned long buf_bytes_dim);
+	int pman_init_state(bool verbosity, unsigned long buf_bytes_dim, uint16_t cpus_for_each_buffer, bool allocate_online_only);
 
 	/**
-	 * @brief Return the number of available CPUs on the system, not the
-	 * online CPUs!
+	 * @brief Clear the `libpman` global state before it is used.
+	 * This API could be useful if we open the modern bpf engine multiple times.
+	 */
+	void pman_clear_state(void);
+
+	/**
+	 * @brief Return the number of allocated ring buffers.
 	 *
-	 * @return number of available CPUs on success, `-1` in case of error.
+	 * @return number of allocated ring buffers.
 	 */
-	int pman_get_cpus_number(void);
+	int pman_get_required_buffers(void);
 
 	/////////////////////////////
 	// PROBE LIFECYCLE
@@ -225,10 +232,10 @@ extern "C"
 	 *
 	 * @param event_ptr in case of success return a pointer
 	 * to the event, otherwise return NULL.
-	 * @param cpu_id in case of success returns the id of the CPU
-	 * on which we have found the event, otherwise return `-1`.
+	 * @param buffer_id in case of success returns the id of the ring buffer
+	 * from which we retrieved the event, otherwise return `-1`.
 	 */
-	void pman_consume_first_from_buffers(void** event_ptr, int16_t *cpu_id);
+	void pman_consume_first_event(void** event_ptr, int16_t* buffer_id);
 
 	/////////////////////////////
 	// CAPTURE (EXCHANGE VALUES WITH BPF SIDE)
@@ -413,15 +420,15 @@ extern "C"
 	 * @brief Return `true` if all ring buffers are full. To state
 	 * that a ring buffer is full we check that the free space is less
 	 * than the `threshold`
-	 * 
+	 *
 	 * @param threshold used to check if a buffer is full
 	 * @return `true` if all buffers are full, otherwise `false`
 	 */
 	bool pman_are_all_ringbuffers_full(unsigned long threshold);
 
 	/**
 	 * @brief Get the producer pos for the required ring
-	 * 
+	 *
 	 * @param ring_num ring for which we want to obtain the producer pos
 	 * @return producer pos as an unsigned long
 	 */

userspace/libpman/src/capture.c

@@ -40,7 +40,12 @@ int pman_enable_capture(bool *tp_set)
 
 int pman_disable_capture()
 {
-	return pman_detach_all_programs();
+	/* If we fail at initialization time the BPF skeleton is not initialized */
+	if(g_state.skel)
+	{
+		return pman_detach_all_programs();
+	}
+	return 0;
 }
 
 #ifdef TEST_HELPERS
@@ -61,7 +66,7 @@ int pman_print_stats()
 		return errno;
 	}
 
-	for(int index = 0; index < g_state.n_cpus; index++)
+	for(int index = 0; index < g_state.n_possible_cpus; index++)
 	{
 		if(bpf_map_lookup_elem(counter_maps_fd, &index, &cnt_map) < 0)
 		{
@@ -109,7 +114,10 @@ int pman_get_scap_stats(void *scap_stats_struct)
 	 * - stats->n_preemptions
 	 */
 
-	for(int index = 0; index < g_state.n_cpus; index++)
+	/* We always take statistics from all the CPUs, even if some of them are not online. 
+	 * If the CPU is not online the counter map will be empty.
+	 */
+	for(int index = 0; index < g_state.n_possible_cpus; index++)
 	{
 		if(bpf_map_lookup_elem(counter_maps_fd, &index, &cnt_map) < 0)
 		{
@@ -120,6 +128,7 @@ int pman_get_scap_stats(void *scap_stats_struct)
 		stats->n_evts += cnt_map.n_evts;
 		stats->n_drops_buffer += cnt_map.n_drops_buffer;
 		stats->n_drops_scratch_map += cnt_map.n_drops_max_event_size;
+		stats->n_drops += (cnt_map.n_drops_buffer + cnt_map.n_drops_max_event_size);
 	}
 	return 0;
 
@@ -140,7 +149,10 @@ int pman_get_n_tracepoint_hit(long *n_events_per_cpu)
 		return errno;
 	}
 
-	for(int index = 0; index < g_state.n_cpus; index++)
+	/* We always take statistics from all the CPUs, even if some of them are not online. 
+	 * If the CPU is not online the counter map will be empty.
+	 */
+	for(int index = 0; index < g_state.n_possible_cpus; index++)
 	{
 		if(bpf_map_lookup_elem(counter_maps_fd, &index, &cnt_map) < 0)
 		{