fix(epbf): fix incorrect parsed syscall name (#4402)

Commit b21174d introduced syscall ID translation for compat processes in eBPF, which makes the translation in userspace redundant. The redundant translation caused an incorrect syscall name to be displayed.
aquasecurity · Dec 8, 2024 · 16fce03 · 16fce03
1 parent 010a831
commit 16fce03
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 30 deletions.
diff --git a/pkg/ebpf/c/common/task.h b/pkg/ebpf/c/common/task.h
@@ -52,8 +52,9 @@ statfunc int get_current_task_syscall_id(void)
     if (is_compat(curr)) {
         // Translate 32bit syscalls to 64bit syscalls, so we can send to the correct handler
         u32 *id_64 = bpf_map_lookup_elem(&sys_32_to_64_map, &id);
-        if (id_64 == 0)
-            return 0;
+        if (id_64 == NULL)
+            // outdated syscall list?
+            return NO_SYSCALL;
 
         id = *id_64;
     }

diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -160,7 +160,6 @@ func (t *Tracee) queueEvents(ctx context.Context, in <-chan *trace.Event) (chan
 func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-chan *trace.Event, <-chan error) {
 	out := make(chan *trace.Event, t.config.PipelineChannelSize)
 	errc := make(chan error, 1)
-	sysCompatTranslation := events.Core.IDs32ToIDs()
 	go func() {
 		defer close(out)
 		defer close(errc)
@@ -213,10 +212,16 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 			flags := parseContextFlags(containerData.ID, eCtx.Flags)
 			syscall := ""
 			if eCtx.Syscall != noSyscall {
-				var err error
-				syscall, err = parseSyscallID(int(eCtx.Syscall), flags.IsCompat, sysCompatTranslation)
-				if err != nil {
-					logger.Debugw("Originated syscall parsing", "error", err)
+				// The syscall ID returned from eBPF is actually the event ID representing that syscall.
+				// For 64-bit processes, the event ID is the same as the syscall ID.
+				// For 32-bit (compat) processes, the syscall ID gets translated in eBPF to the event ID of its
+				// 64-bit counterpart, or if it's a 32-bit exclusive syscall, to the event ID corresponding to it.
+				id := events.ID(eCtx.Syscall)
+				if events.Core.IsDefined(id) {
+					syscall = events.Core.GetDefinitionByID(id).GetName()
+				} else {
+					// This should never fail, as the translation used in eBPF relies on the same event definitions
+					logger.Errorw("No syscall event with id %d", id)
 				}
 			}
 
@@ -416,29 +421,6 @@ func parseContextFlags(containerId string, flags uint32) trace.ContextFlags {
 	return cflags
 }
 
-// parseSyscallID returns the syscall name from its ID, taking into account architecture
-// and 32bit/64bit modes. It also returns an error if the syscall ID is not found in the
-// events definition.
-func parseSyscallID(syscallID int, isCompat bool, compatTranslationMap map[events.ID]events.ID) (string, error) {
-	id := events.ID(syscallID)
-	if !isCompat {
-		if !events.Core.IsDefined(id) {
-			return "", errfmt.Errorf("no syscall event with syscall id %d", syscallID)
-		}
-		return events.Core.GetDefinitionByID(id).GetName(), nil
-	}
-	if id, ok := compatTranslationMap[events.ID(syscallID)]; ok {
-		// should never happen (map should be initialized from events definition)
-		if !events.Core.IsDefined(id) {
-			return "", errfmt.Errorf(
-				"no syscall event with compat syscall id %d, translated to ID %d", syscallID, id,
-			)
-		}
-		return events.Core.GetDefinitionByID(id).GetName(), nil
-	}
-	return "", errfmt.Errorf("no syscall event with compat syscall id %d", syscallID)
-}
-
 // processEvents is the event processing pipeline stage. For each received event, it goes
 // through all event processors and check if there is any internal processing needed for
 // that event type.  It also clears policy bits for out-of-order container related events