tetragon: Add support to match 32 bit syscalls #1816
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
olsajiri
added
the
release-note/minor
olsajiri
force-pushed
the
pr/olsajiri/32bit_syscalls
branch
11 times, most recently
from
88d413d
to
d178649
Compare
When running on 64 bits we don't have access to 32bit syscall values, adding them into under syscallinfo/i386 in i386 package. Signed-off-by: Jiri Olsa <[email protected]>
Adding syscallNames32 name map for 32bit syscalls. Signed-off-by: Jiri Olsa <[email protected]>
Adding extra return argument to CutSyscallPrefix that returns true if the cut prefix was for 32bit syscall. Signed-off-by: Jiri Olsa <[email protected]>
At the moment we treat syscall number as standard uint64 argument
type, which is fine unless you want to recognize syscalls from
32bit applications running in 64 bit system.
Adding syscall64 type which is used to carry the syscall number
value as :
- "value" for 64 bit application executing syscall
- "value|0x80000000" for 32 bit application executing syscall
The reason for this is that syscall numbers differ for 32 and 64 bit
architecture, so we are using 32nd bit and mark the value as 32bit
when we detect the 32bit syscall emulation.
This way we can load map with both 64 and 32 bit syscall values
that we are interested in and use 'InMap' operator in filter,
like in following spec (functional with extra other fixes on top
of this change):
- name: "mine"
type: "syscalls"
values:
- "sys_prctl"
- "__ia32_sys_prctl"
tracepoints:
- subsystem: "raw_syscalls"
event: "sys_enter"
args:
- index: 4
type: "syscall64"
At the moment it's implemented for x86 only.
Signed-off-by: Jiri Olsa <[email protected]>
Adding support to load syscall lists with 32 bit syscall values. This implies that the syscall lists always carry syscall64 type values. Signed-off-by: Jiri Olsa <[email protected]>
Adding support for syscall64 to be used as KProbeArg type. Signed-off-by: Jiri Olsa <[email protected]>
olsajiri
force-pushed
the
pr/olsajiri/32bit_syscalls
branch
from
d178649
to
3f5abc0
Compare
olsajiri
changed the title
Using syscall64 type in killer specs and in tests where it's needed. Signed-off-by: Jiri Olsa <[email protected]>
Adding killer tests for 32bit syscall values. Signed-off-by: Jiri Olsa <[email protected]>
Adding killer test that combines both 32 and 64 syscall values. Signed-off-by: Jiri Olsa <[email protected]>
And 32 bit syscalls. Signed-off-by: Jiri Olsa <[email protected]>
olsajiri
force-pushed
the
pr/olsajiri/32bit_syscalls
branch
from
3f5abc0
to
c0d076c
Compare
jrfastab
approved these changes
Dec 13, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding support to match 32 bit syscalls through syscall type lists.