forked from stackrox/falcosecurity-libs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathppm_events.h
135 lines (118 loc) · 3.87 KB
/
ppm_events.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
/*
Copyright (C) 2021 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
#ifndef EVENTS_H_
#define EVENTS_H_
/* To know about __NR_socketcall */
#ifndef UDIG
#include <asm/unistd.h>
#endif
#ifdef CONFIG_COMPAT
#include <linux/compat.h>
#endif
#ifdef __NR_socketcall
#define _HAS_SOCKETCALL
#endif
#if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION)
#define _HAS_SOCKETCALL
#endif
#include "ppm_events_public.h"
/*
* Various crap that a callback might need
*/
struct fault_data_t {
unsigned long address;
struct pt_regs *regs;
unsigned long error_code;
};
struct event_filler_arguments {
ppm_consumer_t *consumer;
char *buffer; /* the buffer that will be filled with the data */
u32 buffer_size; /* the space in the ring buffer available for this event */
u32 syscall_id; /* the system call ID */
const enum ppm_syscall_code *cur_g_syscall_code_routing_table;
#ifdef PPM_ENABLE_SENTINEL
u32 sentinel;
#endif
u32 nevents;
u32 curarg;
u32 nargs;
u32 arg_data_offset;
u32 arg_data_size;
enum ppm_event_type event_type; /* the event type */
/* Eventually convert this to an event_info union and move all the
* below per-event params in this union, it's not good to waste kernel
* stack since all this stuff is always exclusive
*/
#ifdef UDIG
u64 *regs; /* the registers containing the call arguments */
#else
struct pt_regs *regs; /* the registers containing the call arguments */
#endif
struct task_struct *sched_prev; /* for context switch events, the task that is being scheduled out */
struct task_struct *sched_next; /* for context switch events, the task that is being scheduled in */
#ifdef CAPTURE_SCHED_PROC_FORK
struct task_struct *child; /* for sched_process_fork events, this is the child task */
#endif
char *str_storage; /* String storage. Size is one page. */
#ifndef UDIG
unsigned long socketcall_args[6];
#endif
bool is_socketcall;
#ifndef UDIG
int socketcall_syscall;
bool compat;
#endif
int fd; /* Passed by some of the fillers to val_to_ring to compute the snaplen dynamically */
bool enforce_snaplen;
#ifndef UDIG
int signo; /* Signal number */
__kernel_pid_t spid; /* PID of source process */
__kernel_pid_t dpid; /* PID of destination process */
struct fault_data_t fault_data; /* For page faults */
#endif
};
#ifndef WDIG_CBACK
extern const struct ppm_event_entry g_ppm_events[];
#endif
/*
* HTTP markers
*/
#define HTTP_GET_STR "GET "
#define HTTP_OPTIONS_STR "OPTI"
#define HTTP_HEAD_STR "HEAD"
#define HTTP_POST_STR "POST"
#define HTTP_PUT_STR "PUT "
#define HTTP_DELETE_STR "DELE"
#define HTTP_TRACE_STR "TRAC"
#define HTTP_CONNECT_STR "CONN"
#define HTTP_RESP_STR "HTTP"
/*
* Functions
*/
int32_t dpi_lookahead_init(void);
int32_t val_to_ring(struct event_filler_arguments *args, u64 val, u32 val_len, bool fromuser, u8 dyn_idx);
u16 pack_addr(struct sockaddr *usrsockaddr, int ulen, char *targetbuf, u16 targetbufsize);
u16 fd_to_socktuple(int fd, struct sockaddr *usrsockaddr, int ulen, bool use_userdata, bool is_inbound, char *targetbuf, u16 targetbufsize);
int addr_to_kernel(void __user *uaddr, int ulen, struct sockaddr *kaddr);
int32_t parse_readv_writev_bufs(struct event_filler_arguments *args, const struct iovec __user *iovsrc, unsigned long iovcnt, int64_t retval, int flags);
#ifdef CONFIG_COMPAT
int32_t compat_parse_readv_writev_bufs(struct event_filler_arguments *args, const struct compat_iovec __user *iovsrc, unsigned long iovcnt, int64_t retval, int flags);
#endif
static inline int add_sentinel(struct event_filler_arguments *args)
{
#ifdef PPM_ENABLE_SENTINEL
if (likely(args->arg_data_size >= sizeof(u32))) {
*(u32 *)(args->buffer + args->arg_data_offset) = args->sentinel;
args->arg_data_offset += 4;
args->arg_data_size -= 4;
return PPM_SUCCESS;
}
return PPM_FAILURE_BUFFER_FULL;
#else
return PPM_SUCCESS;
#endif
}
#endif /* EVENTS_H_ */