new(modern_bpf): add capset syscall

Signed-off-by: Andrea Terzolo <[email protected]>

Author: Andreagit97

driver/modern_bpf/definitions/events_dimensions.h

@@ -59,5 +59,7 @@
 #define SECCOMP_E_SIZE HEADER_LEN + sizeof(uint64_t) + PARAM_LEN
 #define SECCOMP_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define PTRACE_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint16_t) + PARAM_LEN * 2
+#define CAPSET_E_SIZE HEADER_LEN
+#define CAPSET_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint64_t) * 3 + PARAM_LEN * 4
 
 #endif /* __EVENT_DIMENSIONS_H__ */

driver/modern_bpf/helpers/extract/extract_from_kernel.h

@@ -11,6 +11,14 @@
 #include <helpers/base/read_from_task.h>
 #include <driver/ppm_flag_helpers.h>
 
+/* This enum should simplify the capabilities extraction. */
+enum capability_type
+{
+	CAP_INHERITABLE = 0,
+	CAP_PERMITTED = 1,
+	CAP_EFFECTIVE = 2,
+};
+
 /* All the functions that are called in bpf to extract parameters
  * start with the `extract` prefix.
  */
@@ -138,3 +146,52 @@ static __always_inline void extract__dev_and_ino_from_fd(s32 fd, dev_t *dev, u64
 	*dev = encode_dev(*dev);
 	BPF_CORE_READ_INTO(ino, f, f_inode, i_ino);
 }
+
+/////////////////////////
+// CAPABILITIES EXTRACTION
+////////////////////////
+
+/**
+ * @brief Extract capabilities
+ *
+ * Right now we support only 3 types of capabilities:
+ * - cap_inheritable
+ * - cap_permitted
+ * - cap_effective
+ *
+ * To extract the specific capabilities use the enum defined by us
+ * at the beginning of this file:
+ * - CAP_INHERITABLE
+ * - CAP_PERMITTED
+ * - CAP_EFFECTIVE
+ *
+ * @param task pointer to task struct.
+ * @param capability_type type of capability to extract defined by us.
+ * @return PPM encoded capability value
+ */
+static __always_inline u64 extract__capability(struct task_struct *task, enum capability_type capability_type)
+{
+	kernel_cap_t cap_struct;
+	unsigned long capability;
+
+	switch(capability_type)
+	{
+	case CAP_INHERITABLE:
+		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_inheritable);
+		break;
+
+	case CAP_PERMITTED:
+		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_permitted);
+		break;
+
+	case CAP_EFFECTIVE:
+		READ_TASK_FIELD_INTO(&cap_struct, task, cred, cap_effective);
+		break;
+
+	default:
+		return 0;
+		break;
+	}
+
+	return capabilities_to_scap(((unsigned long)cap_struct.cap[1] << 32) | cap_struct.cap[0]);
+}

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/capset.bpf.c

@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2022 The Falco Authors.
+ *
+ * This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+ * or GPL2.txt for full copies of the license.
+ */
+
+#include <helpers/interfaces/fixed_size_event.h>
+
+/*=============================== ENTER EVENT ===========================*/
+
+SEC("tp_btf/sys_enter")
+int BPF_PROG(capset_e,
+	     struct pt_regs *regs,
+	     long id)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, CAPSET_E_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_CAPSET_E, CAPSET_E_SIZE);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to collect.
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== ENTER EVENT ===========================*/
+
+/*=============================== EXIT EVENT ===========================*/
+
+SEC("tp_btf/sys_exit")
+int BPF_PROG(capset_x,
+	     struct pt_regs *regs,
+	     long ret)
+{
+	struct ringbuf_struct ringbuf;
+	if(!ringbuf__reserve_space(&ringbuf, CAPSET_X_SIZE))
+	{
+		return 0;
+	}
+
+	ringbuf__store_event_header(&ringbuf, PPME_SYSCALL_CAPSET_X, CAPSET_X_SIZE);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	ringbuf__store_s64(&ringbuf, ret);
+
+	struct task_struct *task = get_current_task();
+
+	/* Parameter 2: cap_inheritable (type: PT_UINT64) */
+	u64 cap_inheritable = extract__capability(task, CAP_INHERITABLE);
+	ringbuf__store_u64(&ringbuf, cap_inheritable);
+
+	/* Parameter 3: cap_permitted (type: PT_UINT64) */
+	u64 cap_permitted = extract__capability(task, CAP_PERMITTED);
+	ringbuf__store_u64(&ringbuf, cap_permitted);
+
+	/* Parameter 4: cap_effective (type: PT_UINT64) */
+	u64 cap_effective = extract__capability(task, CAP_EFFECTIVE);
+	ringbuf__store_u64(&ringbuf, cap_effective);
+
+	/*=============================== COLLECT PARAMETERS  ===========================*/
+
+	ringbuf__submit_event(&ringbuf);
+
+	return 0;
+}
+
+/*=============================== EXIT EVENT ===========================*/

test/modern_bpf/test_suites/syscall_enter_suite/capset_e.cpp

@@ -0,0 +1,45 @@
+#include "../../event_class/event_class.h"
+
+#ifdef __NR_capset
+
+#include <sys/capability.h>
+
+TEST(SyscallEnter, capsetE)
+{
+	auto evt_test = new event_test(__NR_capset, ENTER_EVENT);
+
+	evt_test->enable_capture();
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	/* - `cap_user_header_t` is a pointer to `__user_cap_header_struct`
+	 * - `cap_user_data_t` is a pointer to `__user_cap_data_struct`
+	 */
+	cap_user_header_t hdrp = NULL;
+	cap_user_data_t datap = NULL;
+	assert_syscall_state(SYSCALL_FAILURE, "capset", syscall(__NR_capset, hdrp, datap));
+
+	/*=============================== TRIGGER SYSCALL ===========================*/
+
+	evt_test->disable_capture();
+
+	evt_test->assert_event_presence();
+
+	if(HasFatalFailure())
+	{
+		return;
+	}
+
+	evt_test->parse_event();
+
+	evt_test->assert_header();
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	// Here we have no parameters to assert.
+
+	/*=============================== ASSERT PARAMETERS  ===========================*/
+
+	evt_test->assert_num_params_pushed(0);
+}
+#endif