syscall64 updates #2986

Merged
merged 13 commits into from
Oct 11, 2024

kkourt
Contributor

@kkourt kkourt commented Oct 10, 2024

This PR changes the behavior of the syscall64 tracing type so that we can include the ABI in the events. See commits.

tracing: include ABI information for syscall64 type

@kkourt kkourt added the release-note/minor This PR introduces a minor user-visible change label Oct 10, 2024

netlify bot commented Oct 10, 2024

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 81046c1
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/6707e80ee2bebc0008b02bfb
😎 Deploy Preview https://deploy-preview-2986--tetragon.netlify.app

@kkourt kkourt force-pushed the pr/kkourt/syscall64-updates branch 4 times, most recently from b335808 to 97ea03d Compare October 10, 2024 14:22
@kkourt kkourt marked this pull request as ready for review October 10, 2024 14:23
@kkourt kkourt requested review from a team and mtardy as code owners October 10, 2024 14:23
@kkourt kkourt force-pushed the pr/kkourt/syscall64-updates branch from 97ea03d to 81046c1 Compare October 10, 2024 14:43
Contributor

@olsajiri olsajiri left a comment


looks great, had some minor comments, thanks

Add an info subcommand (using kong) so that we can add more commands.
More improvements coming in subsequent patches.

Signed-off-by: Kornilios Kourtis <[email protected]>
While we are updating dump-syscalls-info tool for other purposes (to add
ids for all ABIs), it also seems like a good point to update the syscall
information. Add some code to allow merging old and new data in a
structured way.

Note: there are several improvements that can be made in this command
(such as use syscall id indexing and add arm syscall information) but
these are left as followups since they are beyond the scope of this PR.

Next patches will update the syscall information for various different
kernel versions.

Signed-off-by: Kornilios Kourtis <[email protected]>
Steps:
lvh kernel pull --dir kernels 4.19-main --platform linux/amd64
go run ./cmd/dump-syscalls-info  info --vmlinux kernels/4.19-main/boot/vmlinux-4.19.322  --jsonfile pkg/syscallinfo/syscalls.json

Output:
```
2024/10/09 13:01:08 INFO new syscall syscall=chown16
2024/10/09 13:01:08 INFO new syscall syscall=set_thread_area
2024/10/09 13:01:08 INFO new syscall syscall=fchown16
2024/10/09 13:01:08 INFO new syscall syscall=quotactl
2024/10/09 13:01:08 INFO new syscall syscall=process_vm_readv
2024/10/09 13:01:08 INFO new syscall syscall=get_mempolicy
2024/10/09 13:01:08 INFO new syscall syscall=kexec_load
2024/10/09 13:01:08 INFO new syscall syscall=acct
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=stime i=0 old="{Name:tptr Type:__kernel_old_time_t *}" new="{Name:tptr Type:time_t *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=io_pgetevents i=4 old="{Name:timeout Type:struct __kernel_timespec *}" new="{Name:timeout Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=pselect6 i=4 old="{Name:tsp Type:struct __kernel_timespec *}" new="{Name:tsp Type:struct timespec *}"
2024/10/09 13:01:08 INFO new syscall syscall=setregid16
2024/10/09 13:01:08 INFO new syscall syscall=keyctl
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=sched_rr_get_interval i=1 old="{Name:interval Type:struct __kernel_timespec *}" new="{Name:interval Type:struct timespec *}"
2024/10/09 13:01:08 INFO new syscall syscall=get_thread_area
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=adjtimex i=0 old="{Name:txc_p Type:struct __kernel_timex *}" new="{Name:txc_p Type:struct timex *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=clock_getres i=1 old="{Name:tp Type:struct __kernel_timespec *}" new="{Name:tp Type:struct timespec *}"
2024/10/09 13:01:08 INFO new syscall syscall=lchown16
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=gettimeofday i=0 old="{Name:tv Type:struct __kernel_old_timeval *}" new="{Name:tv Type:struct timeval *}"
2024/10/09 13:01:08 INFO new syscall syscall=pkey_mprotect
2024/10/09 13:01:08 INFO new syscall syscall=uselib
2024/10/09 13:01:08 INFO new syscall syscall=setuid16
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=getitimer i=1 old="{Name:value Type:struct __kernel_old_itimerval *}" new="{Name:value Type:struct itimerval *}"
2024/10/09 13:01:08 INFO new syscall syscall=setreuid16
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=semtimedop i=3 old="{Name:timeout Type:const struct __kernel_timespec *}" new="{Name:timeout Type:const struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=futimesat i=2 old="{Name:utimes Type:struct __kernel_old_timeval *}" new="{Name:utimes Type:struct timeval *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=timer_settime i=2 old="{Name:new_setting Type:const struct __kernel_itimerspec *}" new="{Name:new_setting Type:const struct itimerspec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=timer_settime i=3 old="{Name:old_setting Type:struct __kernel_itimerspec *}" new="{Name:old_setting Type:struct itimerspec *}"
2024/10/09 13:01:08 INFO new syscall syscall=setresuid16
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=mq_timedsend i=4 old="{Name:u_abs_timeout Type:const struct __kernel_timespec *}" new="{Name:u_abs_timeout Type:const struct timespec *}"
2024/10/09 13:01:08 INFO new syscall syscall=migrate_pages
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=select i=4 old="{Name:tvp Type:struct __kernel_old_timeval *}" new="{Name:tvp Type:struct timeval *}"
2024/10/09 13:01:08 INFO new syscall syscall=getgroups16
2024/10/09 13:01:08 INFO new syscall syscall=setgid16
2024/10/09 13:01:08 INFO arg names differ, keeping old syscall=sched_getattr i=2 old="{Name:usize Type:unsigned int}" new="{Name:size Type:unsigned int}"
2024/10/09 13:01:08 WARN ¯\_(ツ)_/¯, keeping old syscall=ftruncate i=1 old="{Name:length Type:unsigned long}" new="{Name:length Type:off_t}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=timerfd_gettime i=1 old="{Name:otmr Type:struct __kernel_itimerspec *}" new="{Name:otmr Type:struct itimerspec *}"
2024/10/09 13:01:08 INFO new syscall syscall=sigsuspend
2024/10/09 13:01:08 INFO new syscall syscall=setfsuid16
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=rt_sigtimedwait i=2 old="{Name:uts Type:const struct __kernel_timespec *}" new="{Name:uts Type:const struct timespec *}"
2024/10/09 13:01:08 INFO new syscall syscall=llseek
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=time i=0 old="{Name:tloc Type:__kernel_old_time_t *}" new="{Name:tloc Type:time_t *}"
2024/10/09 13:01:08 INFO new syscall syscall=process_vm_writev
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=timerfd_settime i=2 old="{Name:utmr Type:const struct __kernel_itimerspec *}" new="{Name:utmr Type:const struct itimerspec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=timerfd_settime i=3 old="{Name:otmr Type:struct __kernel_itimerspec *}" new="{Name:otmr Type:struct itimerspec *}"
2024/10/09 13:01:08 INFO new syscall syscall=setresgid16
2024/10/09 13:01:08 INFO new syscall syscall=set_mempolicy
2024/10/09 13:01:08 INFO new syscall syscall=getresgid16
2024/10/09 13:01:08 INFO new syscall syscall=pkey_alloc
2024/10/09 13:01:08 INFO new syscall syscall=request_key
2024/10/09 13:01:08 INFO new syscall syscall=pkey_free
2024/10/09 13:01:08 WARN ¯\_(ツ)_/¯, keeping old syscall=seccomp i=2 old="{Name:uargs Type:void *}" new="{Name:uargs Type:const char *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=clock_nanosleep i=2 old="{Name:rqtp Type:const struct __kernel_timespec *}" new="{Name:rqtp Type:const struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=clock_nanosleep i=3 old="{Name:rmtp Type:struct __kernel_timespec *}" new="{Name:rmtp Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=ppoll i=2 old="{Name:tsp Type:struct __kernel_timespec *}" new="{Name:tsp Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=settimeofday i=0 old="{Name:tv Type:struct __kernel_old_timeval *}" new="{Name:tv Type:struct timeval *}"
2024/10/09 13:01:08 INFO new syscall syscall=setfsgid16
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=utimes i=1 old="{Name:utimes Type:struct __kernel_old_timeval *}" new="{Name:utimes Type:struct timeval *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=setitimer i=1 old="{Name:value Type:struct __kernel_old_itimerval *}" new="{Name:value Type:struct itimerval *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=setitimer i=2 old="{Name:ovalue Type:struct __kernel_old_itimerval *}" new="{Name:ovalue Type:struct itimerval *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=mq_timedreceive i=4 old="{Name:u_abs_timeout Type:const struct __kernel_timespec *}" new="{Name:u_abs_timeout Type:const struct timespec *}"
2024/10/09 13:01:08 INFO arg names differ, keeping old syscall=setns i=1 old="{Name:flags Type:int}" new="{Name:nstype Type:int}"
2024/10/09 13:01:08 INFO new syscall syscall=setgroups16
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=io_getevents i=4 old="{Name:timeout Type:struct __kernel_timespec *}" new="{Name:timeout Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=nanosleep i=0 old="{Name:rqtp Type:struct __kernel_timespec *}" new="{Name:rqtp Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=nanosleep i=1 old="{Name:rmtp Type:struct __kernel_timespec *}" new="{Name:rmtp Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=utimensat i=2 old="{Name:utimes Type:struct __kernel_timespec *}" new="{Name:utimes Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=recvmmsg i=4 old="{Name:timeout Type:struct __kernel_timespec *}" new="{Name:timeout Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=futex i=3 old="{Name:utime Type:struct __kernel_timespec *}" new="{Name:utime Type:struct timespec *}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=timer_gettime i=1 old="{Name:setting Type:struct __kernel_itimerspec *}" new="{Name:setting Type:struct itimerspec *}"
2024/10/09 13:01:08 INFO new syscall syscall=mbind
2024/10/09 13:01:08 INFO new syscall syscall=add_key
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=clock_adjtime i=1 old="{Name:utx Type:struct __kernel_timex *}" new="{Name:utx Type:struct timex *}"
2024/10/09 13:01:08 INFO arg names differ, keeping old syscall=getrandom i=0 old="{Name:buf Type:char *}" new="{Name:ubuf Type:char *}"
2024/10/09 13:01:08 INFO arg names differ, keeping old syscall=getrandom i=1 old="{Name:count Type:size_t}" new="{Name:len Type:size_t}"
2024/10/09 13:01:08 INFO new syscall syscall=sysctl
2024/10/09 13:01:08 INFO new syscall syscall=move_pages
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=clock_gettime i=1 old="{Name:tp Type:struct __kernel_timespec *}" new="{Name:tp Type:struct timespec *}"
2024/10/09 13:01:08 WARN ¯\_(ツ)_/¯, keeping old syscall=membarrier i=1 old="{Name:flags Type:unsigned int}" new="{Name:flags Type:int}"
2024/10/09 13:01:08 INFO argument does not exist in new, keeping old syscall=membarrier i=2 old="{Name:cpu_id Type:int}"
2024/10/09 13:01:08 INFO old type is compatible to old, keeping new syscall=clock_settime i=1 old="{Name:tp Type:const struct __kernel_timespec *}" new="{Name:tp Type:const struct timespec *}"
2024/10/09 13:01:08 INFO new syscall syscall=getresuid16
```

Signed-off-by: Kornilios Kourtis <[email protected]>
Steps:
lvh kernel pull --dir kernels 5.4-main --platform linux/amd64
go run ./cmd/dump-syscalls-info  info --vmlinux kernels/5.4-main/boot/vmlinux-5.4.284  --jsonfile pkg/syscallinfo/syscalls.json 2> log

Log:
```
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=nanosleep i=0 old="{Name:rqtp Type:struct timespec *}" new="{Name:rqtp Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=nanosleep i=1 old="{Name:rmtp Type:struct timespec *}" new="{Name:rmtp Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=mq_timedreceive i=4 old="{Name:u_abs_timeout Type:const struct timespec *}" new="{Name:u_abs_timeout Type:const struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=rt_sigtimedwait i=2 old="{Name:uts Type:const struct timespec *}" new="{Name:uts Type:const struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=utimensat i=2 old="{Name:utimes Type:struct timespec *}" new="{Name:utimes Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=adjtimex i=0 old="{Name:txc_p Type:struct timex *}" new="{Name:txc_p Type:struct __kernel_timex *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=timerfd_settime i=2 old="{Name:utmr Type:const struct itimerspec *}" new="{Name:utmr Type:const struct __kernel_itimerspec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=timerfd_settime i=3 old="{Name:otmr Type:struct itimerspec *}" new="{Name:otmr Type:struct __kernel_itimerspec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=mq_timedsend i=4 old="{Name:u_abs_timeout Type:const struct timespec *}" new="{Name:u_abs_timeout Type:const struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=timerfd_settime32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=pselect6 i=4 old="{Name:tsp Type:struct timespec *}" new="{Name:tsp Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=futex_time32
2024/10/09 13:03:18 INFO arg names differ, keeping old syscall=setns i=1 old="{Name:flags Type:int}" new="{Name:nstype Type:int}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=ppoll i=2 old="{Name:tsp Type:struct timespec *}" new="{Name:tsp Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=clock_getres_time32
2024/10/09 13:03:18 INFO new syscall syscall=timerfd_gettime32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=clock_adjtime i=1 old="{Name:utx Type:struct timex *}" new="{Name:utx Type:struct __kernel_timex *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=semtimedop i=3 old="{Name:timeout Type:const struct timespec *}" new="{Name:timeout Type:const struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=utimensat_time32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=clock_getres i=1 old="{Name:tp Type:struct timespec *}" new="{Name:tp Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=utimes_time32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=io_pgetevents i=4 old="{Name:timeout Type:struct timespec *}" new="{Name:timeout Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=recvmmsg_time32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=clock_gettime i=1 old="{Name:tp Type:struct timespec *}" new="{Name:tp Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=nanosleep_time32
2024/10/09 13:03:18 INFO new syscall syscall=clock_adjtime32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=clock_nanosleep i=2 old="{Name:rqtp Type:const struct timespec *}" new="{Name:rqtp Type:const struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=clock_nanosleep i=3 old="{Name:rmtp Type:struct timespec *}" new="{Name:rmtp Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=recvmmsg i=4 old="{Name:timeout Type:struct timespec *}" new="{Name:timeout Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=stime32
2024/10/09 13:03:18 INFO new syscall syscall=adjtimex_time32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=clock_settime i=1 old="{Name:tp Type:const struct timespec *}" new="{Name:tp Type:const struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=sched_rr_get_interval_time32
2024/10/09 13:03:18 INFO new syscall syscall=semtimedop_time32
2024/10/09 13:03:18 INFO new syscall syscall=timer_settime32
2024/10/09 13:03:18 INFO new syscall syscall=io_getevents_time32
2024/10/09 13:03:18 INFO new syscall syscall=utime32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=timer_gettime i=1 old="{Name:setting Type:struct itimerspec *}" new="{Name:setting Type:struct __kernel_itimerspec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=sched_rr_get_interval i=1 old="{Name:interval Type:struct timespec *}" new="{Name:interval Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=rt_sigtimedwait_time32
2024/10/09 13:03:18 WARN ¯\_(ツ)_/¯, keeping old syscall=ftruncate i=1 old="{Name:length Type:unsigned long}" new="{Name:length Type:off_t}"
2024/10/09 13:03:18 INFO new syscall syscall=mq_timedreceive_time32
2024/10/09 13:03:18 INFO new syscall syscall=clock_settime32
2024/10/09 13:03:18 INFO arg names differ, keeping old syscall=getrandom i=0 old="{Name:buf Type:char *}" new="{Name:ubuf Type:char *}"
2024/10/09 13:03:18 INFO arg names differ, keeping old syscall=getrandom i=1 old="{Name:count Type:size_t}" new="{Name:len Type:size_t}"
2024/10/09 13:03:18 INFO new syscall syscall=futimesat_time32
2024/10/09 13:03:18 INFO new syscall syscall=timer_gettime32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=io_getevents i=4 old="{Name:timeout Type:struct timespec *}" new="{Name:timeout Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=clock_nanosleep_time32
2024/10/09 13:03:18 INFO new syscall syscall=time32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=timerfd_gettime i=1 old="{Name:otmr Type:struct itimerspec *}" new="{Name:otmr Type:struct __kernel_itimerspec *}"
2024/10/09 13:03:18 INFO new syscall syscall=mq_timedsend_time32
2024/10/09 13:03:18 WARN ¯\_(ツ)_/¯, keeping old syscall=membarrier i=1 old="{Name:flags Type:unsigned int}" new="{Name:flags Type:int}"
2024/10/09 13:03:18 INFO argument does not exist in new, keeping old syscall=membarrier i=2 old="{Name:cpu_id Type:int}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=futex i=3 old="{Name:utime Type:struct timespec *}" new="{Name:utime Type:struct __kernel_timespec *}"
2024/10/09 13:03:18 INFO new syscall syscall=clock_gettime32
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=timer_settime i=2 old="{Name:new_setting Type:const struct itimerspec *}" new="{Name:new_setting Type:const struct __kernel_itimerspec *}"
2024/10/09 13:03:18 INFO new type is compatible to old, keeping old syscall=timer_settime i=3 old="{Name:old_setting Type:struct itimerspec *}" new="{Name:old_setting Type:struct __kernel_itimerspec *}"
```

Signed-off-by: Kornilios Kourtis <[email protected]>
Steps:
lvh kernel pull --dir kernels 6.6-main --platform linux/amd64
go run ./cmd/dump-syscalls-info  info --vmlinux kernels/6.6-main/boot/vmlinux-6.6.53  --jsonfile pkg/syscallinfo/syscalls.json

Log:
```
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=mq_timedreceive i=4 old="{Name:u_abs_timeout Type:const struct timespec *}" new="{Name:u_abs_timeout Type:const struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new syscall syscall=process_mrelease
2024/10/09 13:08:51 INFO new syscall syscall=ia32_fadvise64
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=rt_sigtimedwait i=2 old="{Name:uts Type:const struct timespec *}" new="{Name:uts Type:const struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=sched_rr_get_interval i=1 old="{Name:interval Type:struct timespec *}" new="{Name:interval Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=clock_gettime i=1 old="{Name:tp Type:struct timespec *}" new="{Name:tp Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=gettimeofday i=0 old="{Name:tv Type:struct timeval *}" new="{Name:tv Type:struct __kernel_old_timeval *}"
2024/10/09 13:08:51 INFO new syscall syscall=kcmp
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=select i=4 old="{Name:tvp Type:struct timeval *}" new="{Name:tvp Type:struct __kernel_old_timeval *}"
2024/10/09 13:08:51 INFO new syscall syscall=epoll_pwait2
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=setitimer i=1 old="{Name:value Type:struct itimerval *}" new="{Name:value Type:struct __kernel_old_itimerval *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=setitimer i=2 old="{Name:ovalue Type:struct itimerval *}" new="{Name:ovalue Type:struct __kernel_old_itimerval *}"
2024/10/09 13:08:51 INFO new syscall syscall=ia32_fadvise64_64
2024/10/09 13:08:51 INFO new syscall syscall=ia32_ftruncate64
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=timer_settime i=2 old="{Name:new_setting Type:const struct itimerspec *}" new="{Name:new_setting Type:const struct __kernel_itimerspec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=timer_settime i=3 old="{Name:old_setting Type:struct itimerspec *}" new="{Name:old_setting Type:struct __kernel_itimerspec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=clock_adjtime i=1 old="{Name:utx Type:struct timex *}" new="{Name:utx Type:struct __kernel_timex *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=settimeofday i=0 old="{Name:tv Type:struct timeval *}" new="{Name:tv Type:struct __kernel_old_timeval *}"
2024/10/09 13:08:51 INFO new syscall syscall=ia32_pread64
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=timerfd_gettime i=1 old="{Name:otmr Type:struct itimerspec *}" new="{Name:otmr Type:struct __kernel_itimerspec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=clock_settime i=1 old="{Name:tp Type:const struct timespec *}" new="{Name:tp Type:const struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=semtimedop i=3 old="{Name:timeout Type:const struct timespec *}" new="{Name:timeout Type:const struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new syscall syscall=mount_setattr
2024/10/09 13:08:51 INFO new syscall syscall=ia32_sync_file_range
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=ppoll i=2 old="{Name:tsp Type:struct timespec *}" new="{Name:tsp Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new syscall syscall=ia32_truncate64
2024/10/09 13:08:51 INFO new syscall syscall=futex_waitv
2024/10/09 13:08:51 INFO new syscall syscall=set_mempolicy_home_node
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=utimensat i=2 old="{Name:utimes Type:struct timespec *}" new="{Name:utimes Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new syscall syscall=ia32_readahead
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=io_pgetevents i=4 old="{Name:timeout Type:struct timespec *}" new="{Name:timeout Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=getitimer i=1 old="{Name:value Type:struct itimerval *}" new="{Name:value Type:struct __kernel_old_itimerval *}"
2024/10/09 13:08:51 INFO new syscall syscall=cachestat
2024/10/09 13:08:51 INFO new syscall syscall=ia32_fallocate
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=timerfd_settime i=2 old="{Name:utmr Type:const struct itimerspec *}" new="{Name:utmr Type:const struct __kernel_itimerspec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=timerfd_settime i=3 old="{Name:otmr Type:struct itimerspec *}" new="{Name:otmr Type:struct __kernel_itimerspec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=futimesat i=2 old="{Name:utimes Type:struct timeval *}" new="{Name:utimes Type:struct __kernel_old_timeval *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=clock_nanosleep i=2 old="{Name:rqtp Type:const struct timespec *}" new="{Name:rqtp Type:const struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=clock_nanosleep i=3 old="{Name:rmtp Type:struct timespec *}" new="{Name:rmtp Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=pselect6 i=4 old="{Name:tsp Type:struct timespec *}" new="{Name:tsp Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new syscall syscall=memfd_secret
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=timer_gettime i=1 old="{Name:setting Type:struct itimerspec *}" new="{Name:setting Type:struct __kernel_itimerspec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=nanosleep i=0 old="{Name:rqtp Type:struct timespec *}" new="{Name:rqtp Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=nanosleep i=1 old="{Name:rmtp Type:struct timespec *}" new="{Name:rmtp Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO arg names differ, keeping old syscall=getrandom i=0 old="{Name:buf Type:char *}" new="{Name:ubuf Type:char *}"
2024/10/09 13:08:51 INFO arg names differ, keeping old syscall=getrandom i=1 old="{Name:count Type:size_t}" new="{Name:len Type:size_t}"
2024/10/09 13:08:51 WARN ¯\_(ツ)_/¯, keeping old syscall=ftruncate i=1 old="{Name:length Type:unsigned long}" new="{Name:length Type:off_t}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=stime i=0 old="{Name:tptr Type:time_t *}" new="{Name:tptr Type:__kernel_old_time_t *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=utimes i=1 old="{Name:utimes Type:struct timeval *}" new="{Name:utimes Type:struct __kernel_old_timeval *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=recvmmsg i=4 old="{Name:timeout Type:struct timespec *}" new="{Name:timeout Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=time i=0 old="{Name:tloc Type:time_t *}" new="{Name:tloc Type:__kernel_old_time_t *}"
2024/10/09 13:08:51 WARN ¯\_(ツ)_/¯, keeping old syscall=futex i=3 old="{Name:utime Type:struct timespec *}" new="{Name:utime Type:const struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new syscall syscall=fchmodat2
2024/10/09 13:08:51 WARN ¯\_(ツ)_/¯, keeping old syscall=futex_time32 i=3 old="{Name:utime Type:struct old_timespec32 *}" new="{Name:utime Type:const struct old_timespec32 *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=io_getevents i=4 old="{Name:timeout Type:struct timespec *}" new="{Name:timeout Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 WARN ¯\_(ツ)_/¯, keeping old syscall=io_uring_enter i=4 old="{Name:sig Type:const sigset_t *}" new="{Name:argp Type:const void *}"
2024/10/09 13:08:51 INFO arg names differ, keeping old syscall=io_uring_enter i=5 old="{Name:sigsz Type:size_t}" new="{Name:argsz Type:size_t}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=clock_getres i=1 old="{Name:tp Type:struct timespec *}" new="{Name:tp Type:struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new syscall syscall=ia32_pwrite64
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=mq_timedsend i=4 old="{Name:u_abs_timeout Type:const struct timespec *}" new="{Name:u_abs_timeout Type:const struct __kernel_timespec *}"
2024/10/09 13:08:51 INFO new type is compatible to old, keeping old syscall=adjtimex i=0 old="{Name:txc_p Type:struct timex *}" new="{Name:txc_p Type:struct __kernel_timex *}"
2024/10/09 13:08:51 INFO new syscall syscall=quotactl_fd
```

Signed-off-by: Kornilios Kourtis <[email protected]>
@kkourt kkourt force-pushed the pr/kkourt/syscall64-updates branch from 81046c1 to 0f2406c Compare October 11, 2024 12:21
@kkourt
Contributor Author

kkourt commented Oct 11, 2024

Thanks for the review! Pushed a new version with updates.

Diff for reference below:

diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c
index 98f8d8a01..9f1b90661 100644
--- a/bpf/process/bpf_generic_tracepoint.c
+++ b/bpf/process/bpf_generic_tracepoint.c
@@ -75,6 +75,7 @@ FUNC_INLINE unsigned long get_ctx_ul(void *src, int type)
 	case s64_ty:
 	case u64_ty: {
 		u64 ret;
+
 		probe_read(&ret, sizeof(u64), src);
 		if (type == syscall64_type)
 			ret = syscall64_set_32bit(ret);
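Review bot: in the `u64_ty` case, `ret` is declared without an initialiser and the return value of `probe_read(&ret, sizeof(u64), src)` is ignored, so a failed read is handed to `syscall64_set_32bit(ret)` as if it were a valid syscall id. Since the result now carries ABI information, consider initialising `ret` and checking the `probe_read` result before the flag is applied, so that a failed read cannot be reported as a real id with an ABI bit attached.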
diff --git a/cmd/dump-syscalls-info/main.go b/cmd/dump-syscalls-info/main.go
index bb1dbfdd2..ec1a718bd 100644
--- a/cmd/dump-syscalls-info/main.go
+++ b/cmd/dump-syscalls-info/main.go
@@ -334,17 +334,17 @@ func parseLibcArchSyscall(fname string) ([]string, error) {
 
 func (c *SyscallsIDsCmd) Run() error {
 	glibcLocation := map[string]string{
-		"x64":   "sysdeps/unix/sysv/linux/x86_64/64",
-		"i386":  "sysdeps/unix/sysv/linux/i386",
-		"arm64": "sysdeps/unix/sysv/linux/aarch64",
-		"arm32": "sysdeps/unix/sysv/linux/arm",
+		"x86_64": "sysdeps/unix/sysv/linux/x86_64/64",
+		"i386":   "sysdeps/unix/sysv/linux/i386",
+		"arm64":  "sysdeps/unix/sysv/linux/aarch64",
+		"arm32":  "sysdeps/unix/sysv/linux/arm",
 	}
 
 	tmpDir, err := os.MkdirTemp("", "glibc-tmp")
 	if err != nil {
 		return err
 	}
-	//defer os.RmoveAll(tmpDir)
+	defer os.RmoveAll(tmpDir)
 
 	for _, abi := range c.ABI {
 		glibcLoc, ok := glibcLocation[abi]
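Review bot: the re-enabled `defer os.RmoveAll(tmpDir)` will not compile, because the standard library function is `os.RemoveAll`; the typo was harmless only while the line was commented out. Separately, the `glibcLocation` key changes from "x64" to "x86_64", so any existing invocation that passes the old ABI name will now take the not-found path of `glibcLocation[abi]`; it is worth making that error message list the accepted names.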
diff --git a/pkg/syscallinfo/syscallinfo.go b/pkg/syscallinfo/syscallinfo.go
index c99478ef5..ea9558230 100644
--- a/pkg/syscallinfo/syscallinfo.go
+++ b/pkg/syscallinfo/syscallinfo.go
@@ -94,15 +94,8 @@ func GetSyscallName(abi string, sysID int) (string, error) {
 		return "", err
 	}
 
-	if sysID >= len(names) {
-		return "", fmt.Errorf("unknown syscall id: %d", sysID)
-	}
-	if sysID < 0 {
-		return "", fmt.Errorf("invalid syscall id: %d", sysID)
-	}
-
-	ret := names[sysID]
-	if ret == "" {
+	ret, ok := names[sysID]
+	if !ok {
 		return "", fmt.Errorf("unknown syscall id: %d", sysID)
 	}
 	return ret, nil
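Review bot: with `ret, ok := names[sysID]`, a negative `sysID` now produces the same "unknown syscall id" error as a missing entry, and the separate "invalid syscall id" case is dropped. If callers depended on telling the two apart, keep an explicit `sysID < 0` check before the lookup. A doc comment on `GetSyscallName` stating that `sysID` must be the plain id, without the 32-bit marker bit used elsewhere in this PR, would also help, since a flagged value would silently miss in the map.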

Add a command for dumping id <-> name information for all ABIs.
We use glibc to get syscall information and translate it into go files.

Signed-off-by: Kornilios Kourtis <[email protected]>
This was generated using:
go run ./cmd/dump-syscalls-info ids --abi x86_64,i386,arm64,arm32

Signed-off-by: Kornilios Kourtis <[email protected]>
This commit updates syscallinfo to use the new tables.

There are a couple of reasons for this:

The main one is that we want to be able to look up syscall names for a
given id in non-native ABIs. For example, if we are running the tetra
client in a Windows or in an ARM machine, we want to be able to query syscall
names for given ids given their ABI. Subsequent patches will make use of
this feature. Hence, we always compile the syscall tables for all ABIs.

Another reason is that we want to be able to easily update the syscall ids
and names, which is achieved by the tooling introduced in previous
patches.

Signed-off-by: Kornilios Kourtis <[email protected]>
To distinguish between different syscall ABIs, we use a 64-bit value
for the syscall id and a bit (1<<31 ==  0x80000000) to mark 32-bit
syscalls.

In the bpf side, we set the bit to the argument value whenever we
wanted to do filtering. The problem with this approach, however, is that
it is not possible to determine whether the ABI call from user-space.

This commit changes the bpf code to store the bit directly into the
argument. For now, we keep compatibility with the previous versions and
clear the bit before it reaches users. Subsequent patches will pass this
information to users.

Signed-off-by: Kornilios Kourtis <[email protected]>
We want to pass syscall ABI information to the users. Specifically, we
want to distinguish between 64- and 32-bit syscalls. This commit
introduces a SyscallID protobuf message for doing that.

Signed-off-by: Kornilios Kourtis <[email protected]>
Generate code for SyscallID.

Signed-off-by: Kornilios Kourtis <[email protected]>
This is intended for testing.

Signed-off-by: Kornilios Kourtis <[email protected]>
This commit enables the new type for the syscall64 type. Specifically,
it makes it so that we get a SyscallId event that includes both the ABI
(64- or 32-bit) and the syscall id.

Because this changes previous behaviour, we introduce a
compatibility flag.

Signed-off-by: Kornilios Kourtis <[email protected]>
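
The commit messages above describe a 64-bit syscall id value with bit 1<<31 marking 32-bit syscalls, and per-ABI name tables keyed by id. The following is an added example, not code from this PR or from Tetragon, that decodes such a value and resolves the name against the matching ABI table. The `SyscallID` struct, the `Decode`, `Name` and `Describe` helpers, the host-to-32-bit ABI mapping and the small sample tables are assumptions made for illustration.

```go
package main

import "fmt"

// Is32Bit is the marker bit described on the page: 1<<31 == 0x80000000.
const Is32Bit uint64 = 1 << 31

// SyscallID is a hypothetical decoded form: the ABI plus the plain id.
type SyscallID struct {
	ABI string
	ID  int
}

// sampleTables is a constructed excerpt of per-ABI id -> name tables.
// The ids are the real Linux numbers for these few syscalls.
var sampleTables = map[string]map[int]string{
	"x86_64": {0: "read", 1: "write", 11: "munmap", 59: "execve"},
	"i386":   {3: "read", 4: "write", 11: "execve"},
}

// abi32For maps a host ABI to its 32-bit compat ABI (assumed mapping).
var abi32For = map[string]string{"x86_64": "i386", "arm64": "arm32"}

// Decode splits a raw 64-bit value into ABI and plain syscall id.
func Decode(hostABI string, raw uint64) (SyscallID, error) {
	id := raw &^ Is32Bit
	// Anything above bit 31 is not part of the encoding described here.
	if id>>31 != 0 {
		return SyscallID{}, fmt.Errorf("unexpected high bits in 0x%x", raw)
	}
	if raw&Is32Bit == 0 {
		return SyscallID{ABI: hostABI, ID: int(id)}, nil
	}
	abi, ok := abi32For[hostABI]
	if !ok {
		return SyscallID{}, fmt.Errorf("no 32-bit ABI known for host %q", hostABI)
	}
	return SyscallID{ABI: abi, ID: int(id)}, nil
}

// Name resolves the id in the table of its own ABI, never the host's.
func Name(s SyscallID) (string, error) {
	names, ok := sampleTables[s.ABI]
	if !ok {
		return "", fmt.Errorf("unknown ABI: %s", s.ABI)
	}
	name, ok := names[s.ID]
	if !ok {
		return "", fmt.Errorf("unknown syscall id: %d (abi %s)", s.ID, s.ABI)
	}
	return name, nil
}

// Describe renders one event value as "abi/name" or an error string.
func Describe(hostABI string, raw uint64) string {
	s, err := Decode(hostABI, raw)
	if err != nil {
		return "error: " + err.Error()
	}
	name, err := Name(s)
	if err != nil {
		return "error: " + err.Error()
	}
	return s.ABI + "/" + name
}

func main() {
	// Constructed sample values: the same id 11 with and without the marker bit.
	for _, raw := range []uint64{11, Is32Bit | 11, 59, Is32Bit | 59} {
		fmt.Printf("0x%08x -> %s\n", raw, Describe("x86_64", raw))
	}
}
```

Id 11 resolves to `munmap` in the x86_64 table and to `execve` in the i386 table, which is why an event consumer needs the ABI alongside the id to label or filter events correctly.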
@kkourt kkourt force-pushed the pr/kkourt/syscall64-updates branch from 0f2406c to 67fd599 Compare October 11, 2024 13:11
@kkourt kkourt merged commit 7a6715b into main Oct 11, 2024
50 checks passed
@kkourt kkourt deleted the pr/kkourt/syscall64-updates branch October 11, 2024 14:06