new(driver): update exit events PPME_SYSCALL_READ_X and PPME_SYSCALL_PREAD_X with enter params #2176

Merged
merged 11 commits into from
Dec 5, 2024
cleanup: refuse EF_LARGE_PAYLOAD events
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Andreagit97 committed Dec 3, 2024
commit 45e39f0f884ad72541e875c0c4b2ac4b9a6a0bdf
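--- a/test/libscap/test_suites/engines/savefile/converter.cpp
+++ b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -13,6 +13,19 @@ limitations under the License.
 */
 #include "convert_event_test.h"
 
+TEST_F(convert_event_test, conversion_not_needed) {
+uint64_t ts = 12;
+int64_t tid = 25;
+const char data[] = "hello world";
+
+auto evt = create_safe_scap_event(ts,
+tid,
+PPME_CONTAINER_JSON_2_E,
+1,
+scap_const_sized_buffer{&data, strlen(data) + 1});
+assert_single_conversion_failure(evt);
+}
+
 ////////////////////////////
 // READ
 ////////////////////////////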
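Review bot: The test name `conversion_not_needed` does not describe what the body asserts: it builds a `PPME_CONTAINER_JSON_2_E` event and expects `assert_single_conversion_failure`, which looks like the refusal path this commit adds for `EF_LARGE_PAYLOAD` events. A name such as `TEST_F(convert_event_test, large_payload_event_refused)` would keep the rejection case easy to find when the converter's input handling is audited later. A one-line comment above the event creation, e.g. `// large-payload events must be rejected by the converter, not converted`, would record why this event type was chosen. As a smaller style point, `sizeof(data)` gives the buffer length including the terminator without the runtime `strlen(data) + 1`.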
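--- a/userspace/libscap/engine/savefile/converter/converter.cpp
+++ b/userspace/libscap/engine/savefile/converter/converter.cpp
@@ -253,6 +253,10 @@ static uint16_t copy_old_params(scap_evt *new_evt, scap_evt *evt_to_convert) {
 return new_evt_offset + size_to_copy;
 }
 
+static bool is_large_payload(scap_evt *evt_to_convert) {
+return g_event_info[evt_to_convert->type].flags & EF_LARGE_PAYLOAD;
+}
+
 extern "C" bool is_conversion_needed(scap_evt *evt_to_convert) {
 assert(evt_to_convert->type < PPM_EVENT_MAX);
 const struct ppm_event_info *event_info = &(g_event_info[evt_to_convert->type]);
@@ -297,6 +301,15 @@ static conversion_result convert_event(scap_evt *new_evt,
 scap_evt *evt_to_convert,
 const conversion_info &ci,
 char *error) {
+// todo!: add the support for large payload events if we need to handle at least one of them.
+if(is_large_payload(evt_to_convert)) {
+snprintf(error,
+SCAP_LASTERR_SIZE,
+"The event '%d' has a large payload. We don't support it yet.",
+evt_to_convert->type);
+return CONVERSION_ERROR;
+}
+
 /////////////////////////////
 // Dispatch the action
 /////////////////////////////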
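Review bot: `is_large_payload` indexes `g_event_info` with `evt_to_convert->type` without any range check, and `convert_event` now calls it as its very first step. The only guard visible in this section is `assert(evt_to_convert->type < PPM_EVENT_MAX)` in `is_conversion_needed`, which is compiled out under NDEBUG. Because this converter handles events read from a capture file, an out-of-range type would read past the table unless a caller outside these hunks has already validated it. An explicit check before the new block, `if(evt_to_convert->type >= PPM_EVENT_MAX) { snprintf(error, SCAP_LASTERR_SIZE, "Invalid event type '%d'.", evt_to_convert->type); return CONVERSION_ERROR; }`, would make the rejection independent of build flags. The helper could also take `const scap_evt *`, since it only reads the event; the body of `convert_event` continues outside the hunk.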