Fix incorrect prctl values and add new ones #479

Merged
merged 1 commit into from
Feb 13, 2025
282 changes: 178 additions & 104 deletions helpers/argumentParsers.go
Expand Up @@ -550,6 +550,8 @@ const (
PR_SET_TIMING
PR_SET_NAME
PR_GET_NAME
_
_
PR_GET_ENDIAN
PR_SET_ENDIAN
PR_GET_SECCOMP
Expand Down Expand Up @@ -579,70 +581,119 @@ const (
PR_SET_FP_MODE
PR_GET_FP_MODE
PR_CAP_AMBIENT
_
_
PR_SVE_SET_VL
PR_SVE_GET_VL
PR_GET_SPECULATION_CTRL
PR_SET_SPECULATION_CTRL
PR_PAC_RESET_KEYS
PR_SET_TAGGED_ADDR_CTRL
PR_GET_TAGGED_ADDR_CTRL
PR_SET_IO_FLUSHER
PR_GET_IO_FLUSHER
PR_SET_SYSCALL_USER_DISPATCH
PR_PAC_SET_ENABLED_KEYS
PR_PAC_GET_ENABLED_KEYS
PR_SCHED_CORE
PR_SME_SET_VL
PR_SME_GET_VL
PR_SET_MDWE
PR_GET_MDWE
PR_SET_MEMORY_MERGE
PR_GET_MEMORY_MERGE
Comment on lines +598 to +604
Member

Some of those were already inserted in Tracee's: https://github.com/aquasecurity/tracee/blob/1150c947b726ba22f0432106d85abc389ffb8699/pkg/events/parsers/data_parsers.go#L496-L502

Others were ignored because they belong to unsupported archs.

Member

Ok, we've discussed offline, merging it for now.

PR_RISCV_V_SET_CONTROL
PR_RISCV_V_GET_CONTROL
PR_RISCV_SET_ICACHE_FLUSH_CTX
PR_PPC_GET_DEXCR
PR_PPC_SET_DEXCR
PR_GET_SHADOW_STACK_STATUS
PR_SET_SHADOW_STACK_STATUS
PR_LOCK_SHADOW_STACK_STATUS
// non-consecutive
PR_SET_PTRACER PrctlOptionArgument = 0x59616d61
PR_SET_VMA PrctlOptionArgument = 0x53564d41
PR_GET_AUXV PrctlOptionArgument = 0x41555856
)

func (p PrctlOptionArgument) Value() uint64 { return uint64(p) }

var prctlOptionStringMap = map[PrctlOptionArgument]string{
PR_SET_PDEATHSIG: "PR_SET_PDEATHSIG",
PR_GET_PDEATHSIG: "PR_GET_PDEATHSIG",
PR_GET_DUMPABLE: "PR_GET_DUMPABLE",
PR_SET_DUMPABLE: "PR_SET_DUMPABLE",
PR_GET_UNALIGN: "PR_GET_UNALIGN",
PR_SET_UNALIGN: "PR_SET_UNALIGN",
PR_GET_KEEPCAPS: "PR_GET_KEEPCAPS",
PR_SET_KEEPCAPS: "PR_SET_KEEPCAPS",
PR_GET_FPEMU: "PR_GET_FPEMU",
PR_SET_FPEMU: "PR_SET_FPEMU",
PR_GET_FPEXC: "PR_GET_FPEXC",
PR_SET_FPEXC: "PR_SET_FPEXC",
PR_GET_TIMING: "PR_GET_TIMING",
PR_SET_TIMING: "PR_SET_TIMING",
PR_SET_NAME: "PR_SET_NAME",
PR_GET_NAME: "PR_GET_NAME",
PR_GET_ENDIAN: "PR_GET_ENDIAN",
PR_SET_ENDIAN: "PR_SET_ENDIAN",
PR_GET_SECCOMP: "PR_GET_SECCOMP",
PR_SET_SECCOMP: "PR_SET_SECCOMP",
PR_CAPBSET_READ: "PR_CAPBSET_READ",
PR_CAPBSET_DROP: "PR_CAPBSET_DROP",
PR_GET_TSC: "PR_GET_TSC",
PR_SET_TSC: "PR_SET_TSC",
PR_GET_SECUREBITS: "PR_GET_SECUREBITS",
PR_SET_SECUREBITS: "PR_SET_SECUREBITS",
PR_SET_TIMERSLACK: "PR_SET_TIMERSLACK",
PR_GET_TIMERSLACK: "PR_GET_TIMERSLACK",
PR_TASK_PERF_EVENTS_DISABLE: "PR_TASK_PERF_EVENTS_DISABLE",
PR_TASK_PERF_EVENTS_ENABLE: "PR_TASK_PERF_EVENTS_ENABLE",
PR_MCE_KILL: "PR_MCE_KILL",
PR_MCE_KILL_GET: "PR_MCE_KILL_GET",
PR_SET_MM: "PR_SET_MM",
PR_SET_CHILD_SUBREAPER: "PR_SET_CHILD_SUBREAPER",
PR_GET_CHILD_SUBREAPER: "PR_GET_CHILD_SUBREAPER",
PR_SET_NO_NEW_PRIVS: "PR_SET_NO_NEW_PRIVS",
PR_GET_NO_NEW_PRIVS: "PR_GET_NO_NEW_PRIVS",
PR_GET_TID_ADDRESS: "PR_GET_TID_ADDRESS",
PR_SET_THP_DISABLE: "PR_SET_THP_DISABLE",
PR_GET_THP_DISABLE: "PR_GET_THP_DISABLE",
PR_MPX_ENABLE_MANAGEMENT: "PR_MPX_ENABLE_MANAGEMENT",
PR_MPX_DISABLE_MANAGEMENT: "PR_MPX_DISABLE_MANAGEMENT",
PR_SET_FP_MODE: "PR_SET_FP_MODE",
PR_GET_FP_MODE: "PR_GET_FP_MODE",
PR_CAP_AMBIENT: "PR_CAP_AMBIENT",
PR_SVE_SET_VL: "PR_SVE_SET_VL",
PR_SVE_GET_VL: "PR_SVE_GET_VL",
PR_GET_SPECULATION_CTRL: "PR_GET_SPECULATION_CTRL",
PR_SET_SPECULATION_CTRL: "PR_SET_SPECULATION_CTRL",
PR_PAC_RESET_KEYS: "PR_PAC_RESET_KEYS",
PR_SET_TAGGED_ADDR_CTRL: "PR_SET_TAGGED_ADDR_CTRL",
PR_GET_TAGGED_ADDR_CTRL: "PR_GET_TAGGED_ADDR_CTRL",
PR_SET_PDEATHSIG: "PR_SET_PDEATHSIG",
PR_GET_PDEATHSIG: "PR_GET_PDEATHSIG",
PR_GET_DUMPABLE: "PR_GET_DUMPABLE",
PR_SET_DUMPABLE: "PR_SET_DUMPABLE",
PR_GET_UNALIGN: "PR_GET_UNALIGN",
PR_SET_UNALIGN: "PR_SET_UNALIGN",
PR_GET_KEEPCAPS: "PR_GET_KEEPCAPS",
PR_SET_KEEPCAPS: "PR_SET_KEEPCAPS",
PR_GET_FPEMU: "PR_GET_FPEMU",
PR_SET_FPEMU: "PR_SET_FPEMU",
PR_GET_FPEXC: "PR_GET_FPEXC",
PR_SET_FPEXC: "PR_SET_FPEXC",
PR_GET_TIMING: "PR_GET_TIMING",
PR_SET_TIMING: "PR_SET_TIMING",
PR_SET_NAME: "PR_SET_NAME",
PR_GET_NAME: "PR_GET_NAME",
PR_GET_ENDIAN: "PR_GET_ENDIAN",
PR_SET_ENDIAN: "PR_SET_ENDIAN",
PR_GET_SECCOMP: "PR_GET_SECCOMP",
PR_SET_SECCOMP: "PR_SET_SECCOMP",
PR_CAPBSET_READ: "PR_CAPBSET_READ",
PR_CAPBSET_DROP: "PR_CAPBSET_DROP",
PR_GET_TSC: "PR_GET_TSC",
PR_SET_TSC: "PR_SET_TSC",
PR_GET_SECUREBITS: "PR_GET_SECUREBITS",
PR_SET_SECUREBITS: "PR_SET_SECUREBITS",
PR_SET_TIMERSLACK: "PR_SET_TIMERSLACK",
PR_GET_TIMERSLACK: "PR_GET_TIMERSLACK",
PR_TASK_PERF_EVENTS_DISABLE: "PR_TASK_PERF_EVENTS_DISABLE",
PR_TASK_PERF_EVENTS_ENABLE: "PR_TASK_PERF_EVENTS_ENABLE",
PR_MCE_KILL: "PR_MCE_KILL",
PR_MCE_KILL_GET: "PR_MCE_KILL_GET",
PR_SET_MM: "PR_SET_MM",
PR_SET_CHILD_SUBREAPER: "PR_SET_CHILD_SUBREAPER",
PR_GET_CHILD_SUBREAPER: "PR_GET_CHILD_SUBREAPER",
PR_SET_NO_NEW_PRIVS: "PR_SET_NO_NEW_PRIVS",
PR_GET_NO_NEW_PRIVS: "PR_GET_NO_NEW_PRIVS",
PR_GET_TID_ADDRESS: "PR_GET_TID_ADDRESS",
PR_SET_THP_DISABLE: "PR_SET_THP_DISABLE",
PR_GET_THP_DISABLE: "PR_GET_THP_DISABLE",
PR_MPX_ENABLE_MANAGEMENT: "PR_MPX_ENABLE_MANAGEMENT",
PR_MPX_DISABLE_MANAGEMENT: "PR_MPX_DISABLE_MANAGEMENT",
PR_SET_FP_MODE: "PR_SET_FP_MODE",
PR_GET_FP_MODE: "PR_GET_FP_MODE",
PR_CAP_AMBIENT: "PR_CAP_AMBIENT",
PR_SVE_SET_VL: "PR_SVE_SET_VL",
PR_SVE_GET_VL: "PR_SVE_GET_VL",
PR_GET_SPECULATION_CTRL: "PR_GET_SPECULATION_CTRL",
PR_SET_SPECULATION_CTRL: "PR_SET_SPECULATION_CTRL",
PR_PAC_RESET_KEYS: "PR_PAC_RESET_KEYS",
PR_SET_TAGGED_ADDR_CTRL: "PR_SET_TAGGED_ADDR_CTRL",
PR_GET_TAGGED_ADDR_CTRL: "PR_GET_TAGGED_ADDR_CTRL",
PR_SET_IO_FLUSHER: "PR_SET_IO_FLUSHER",
PR_GET_IO_FLUSHER: "PR_GET_IO_FLUSHER",
PR_SET_SYSCALL_USER_DISPATCH: "PR_SET_SYSCALL_USER_DISPATCH",
PR_PAC_SET_ENABLED_KEYS: "PR_PAC_SET_ENABLED_KEYS",
PR_PAC_GET_ENABLED_KEYS: "PR_PAC_GET_ENABLED_KEYS",
PR_SCHED_CORE: "PR_SCHED_CORE",
PR_SME_SET_VL: "PR_SME_SET_VL",
PR_SME_GET_VL: "PR_SME_GET_VL",
PR_SET_MDWE: "PR_SET_MDWE",
PR_GET_MDWE: "PR_GET_MDWE",
PR_SET_MEMORY_MERGE: "PR_SET_MEMORY_MERGE",
PR_GET_MEMORY_MERGE: "PR_GET_MEMORY_MERGE",
PR_RISCV_V_SET_CONTROL: "PR_RISCV_V_SET_CONTROL",
PR_RISCV_V_GET_CONTROL: "PR_RISCV_V_GET_CONTROL",
PR_RISCV_SET_ICACHE_FLUSH_CTX: "PR_RISCV_SET_ICACHE_FLUSH_CTX",
PR_PPC_GET_DEXCR: "PR_PPC_GET_DEXCR",
PR_PPC_SET_DEXCR: "PR_PPC_SET_DEXCR",
PR_GET_SHADOW_STACK_STATUS: "PR_GET_SHADOW_STACK_STATUS",
PR_SET_SHADOW_STACK_STATUS: "PR_SET_SHADOW_STACK_STATUS",
PR_LOCK_SHADOW_STACK_STATUS: "PR_LOCK_SHADOW_STACK_STATUS",
PR_SET_PTRACER: "PR_SET_PTRACER",
PR_SET_VMA: "PR_SET_VMA",
PR_GET_AUXV: "PR_GET_AUXV",
}

func (p PrctlOptionArgument) String() string {
Expand All @@ -657,58 +708,81 @@ func (p PrctlOptionArgument) String() string {
}

var prctlOptionsMap = map[uint64]PrctlOptionArgument{
PR_SET_PDEATHSIG.Value(): PR_SET_PDEATHSIG,
PR_GET_PDEATHSIG.Value(): PR_GET_PDEATHSIG,
PR_GET_DUMPABLE.Value(): PR_GET_DUMPABLE,
PR_SET_DUMPABLE.Value(): PR_SET_DUMPABLE,
PR_GET_UNALIGN.Value(): PR_GET_UNALIGN,
PR_SET_UNALIGN.Value(): PR_SET_UNALIGN,
PR_GET_KEEPCAPS.Value(): PR_GET_KEEPCAPS,
PR_SET_KEEPCAPS.Value(): PR_SET_KEEPCAPS,
PR_GET_FPEMU.Value(): PR_GET_FPEMU,
PR_SET_FPEMU.Value(): PR_SET_FPEMU,
PR_GET_FPEXC.Value(): PR_GET_FPEXC,
PR_SET_FPEXC.Value(): PR_SET_FPEXC,
PR_GET_TIMING.Value(): PR_GET_TIMING,
PR_SET_TIMING.Value(): PR_SET_TIMING,
PR_SET_NAME.Value(): PR_SET_NAME,
PR_GET_NAME.Value(): PR_GET_NAME,
PR_GET_ENDIAN.Value(): PR_GET_ENDIAN,
PR_SET_ENDIAN.Value(): PR_SET_ENDIAN,
PR_GET_SECCOMP.Value(): PR_GET_SECCOMP,
PR_SET_SECCOMP.Value(): PR_SET_SECCOMP,
PR_CAPBSET_READ.Value(): PR_CAPBSET_READ,
PR_CAPBSET_DROP.Value(): PR_CAPBSET_DROP,
PR_GET_TSC.Value(): PR_GET_TSC,
PR_SET_TSC.Value(): PR_SET_TSC,
PR_GET_SECUREBITS.Value(): PR_GET_SECUREBITS,
PR_SET_SECUREBITS.Value(): PR_SET_SECUREBITS,
PR_SET_TIMERSLACK.Value(): PR_SET_TIMERSLACK,
PR_GET_TIMERSLACK.Value(): PR_GET_TIMERSLACK,
PR_TASK_PERF_EVENTS_DISABLE.Value(): PR_TASK_PERF_EVENTS_DISABLE,
PR_TASK_PERF_EVENTS_ENABLE.Value(): PR_TASK_PERF_EVENTS_ENABLE,
PR_MCE_KILL.Value(): PR_MCE_KILL,
PR_MCE_KILL_GET.Value(): PR_MCE_KILL_GET,
PR_SET_MM.Value(): PR_SET_MM,
PR_SET_CHILD_SUBREAPER.Value(): PR_SET_CHILD_SUBREAPER,
PR_GET_CHILD_SUBREAPER.Value(): PR_GET_CHILD_SUBREAPER,
PR_SET_NO_NEW_PRIVS.Value(): PR_SET_NO_NEW_PRIVS,
PR_GET_NO_NEW_PRIVS.Value(): PR_GET_NO_NEW_PRIVS,
PR_GET_TID_ADDRESS.Value(): PR_GET_TID_ADDRESS,
PR_SET_THP_DISABLE.Value(): PR_SET_THP_DISABLE,
PR_GET_THP_DISABLE.Value(): PR_GET_THP_DISABLE,
PR_MPX_ENABLE_MANAGEMENT.Value(): PR_MPX_ENABLE_MANAGEMENT,
PR_MPX_DISABLE_MANAGEMENT.Value(): PR_MPX_DISABLE_MANAGEMENT,
PR_SET_FP_MODE.Value(): PR_SET_FP_MODE,
PR_GET_FP_MODE.Value(): PR_GET_FP_MODE,
PR_CAP_AMBIENT.Value(): PR_CAP_AMBIENT,
PR_SVE_SET_VL.Value(): PR_SVE_SET_VL,
PR_SVE_GET_VL.Value(): PR_SVE_GET_VL,
PR_GET_SPECULATION_CTRL.Value(): PR_GET_SPECULATION_CTRL,
PR_SET_SPECULATION_CTRL.Value(): PR_SET_SPECULATION_CTRL,
PR_PAC_RESET_KEYS.Value(): PR_PAC_RESET_KEYS,
PR_SET_TAGGED_ADDR_CTRL.Value(): PR_SET_TAGGED_ADDR_CTRL,
PR_GET_TAGGED_ADDR_CTRL.Value(): PR_GET_TAGGED_ADDR_CTRL,
PR_SET_PDEATHSIG.Value(): PR_SET_PDEATHSIG,
PR_GET_PDEATHSIG.Value(): PR_GET_PDEATHSIG,
PR_GET_DUMPABLE.Value(): PR_GET_DUMPABLE,
PR_SET_DUMPABLE.Value(): PR_SET_DUMPABLE,
PR_GET_UNALIGN.Value(): PR_GET_UNALIGN,
PR_SET_UNALIGN.Value(): PR_SET_UNALIGN,
PR_GET_KEEPCAPS.Value(): PR_GET_KEEPCAPS,
PR_SET_KEEPCAPS.Value(): PR_SET_KEEPCAPS,
PR_GET_FPEMU.Value(): PR_GET_FPEMU,
PR_SET_FPEMU.Value(): PR_SET_FPEMU,
PR_GET_FPEXC.Value(): PR_GET_FPEXC,
PR_SET_FPEXC.Value(): PR_SET_FPEXC,
PR_GET_TIMING.Value(): PR_GET_TIMING,
PR_SET_TIMING.Value(): PR_SET_TIMING,
PR_SET_NAME.Value(): PR_SET_NAME,
PR_GET_NAME.Value(): PR_GET_NAME,
PR_GET_ENDIAN.Value(): PR_GET_ENDIAN,
PR_SET_ENDIAN.Value(): PR_SET_ENDIAN,
PR_GET_SECCOMP.Value(): PR_GET_SECCOMP,
PR_SET_SECCOMP.Value(): PR_SET_SECCOMP,
PR_CAPBSET_READ.Value(): PR_CAPBSET_READ,
PR_CAPBSET_DROP.Value(): PR_CAPBSET_DROP,
PR_GET_TSC.Value(): PR_GET_TSC,
PR_SET_TSC.Value(): PR_SET_TSC,
PR_GET_SECUREBITS.Value(): PR_GET_SECUREBITS,
PR_SET_SECUREBITS.Value(): PR_SET_SECUREBITS,
PR_SET_TIMERSLACK.Value(): PR_SET_TIMERSLACK,
PR_GET_TIMERSLACK.Value(): PR_GET_TIMERSLACK,
PR_TASK_PERF_EVENTS_DISABLE.Value(): PR_TASK_PERF_EVENTS_DISABLE,
PR_TASK_PERF_EVENTS_ENABLE.Value(): PR_TASK_PERF_EVENTS_ENABLE,
PR_MCE_KILL.Value(): PR_MCE_KILL,
PR_MCE_KILL_GET.Value(): PR_MCE_KILL_GET,
PR_SET_MM.Value(): PR_SET_MM,
PR_SET_CHILD_SUBREAPER.Value(): PR_SET_CHILD_SUBREAPER,
PR_GET_CHILD_SUBREAPER.Value(): PR_GET_CHILD_SUBREAPER,
PR_SET_NO_NEW_PRIVS.Value(): PR_SET_NO_NEW_PRIVS,
PR_GET_NO_NEW_PRIVS.Value(): PR_GET_NO_NEW_PRIVS,
PR_GET_TID_ADDRESS.Value(): PR_GET_TID_ADDRESS,
PR_SET_THP_DISABLE.Value(): PR_SET_THP_DISABLE,
PR_GET_THP_DISABLE.Value(): PR_GET_THP_DISABLE,
PR_MPX_ENABLE_MANAGEMENT.Value(): PR_MPX_ENABLE_MANAGEMENT,
PR_MPX_DISABLE_MANAGEMENT.Value(): PR_MPX_DISABLE_MANAGEMENT,
PR_SET_FP_MODE.Value(): PR_SET_FP_MODE,
PR_GET_FP_MODE.Value(): PR_GET_FP_MODE,
PR_CAP_AMBIENT.Value(): PR_CAP_AMBIENT,
PR_SVE_SET_VL.Value(): PR_SVE_SET_VL,
PR_SVE_GET_VL.Value(): PR_SVE_GET_VL,
PR_GET_SPECULATION_CTRL.Value(): PR_GET_SPECULATION_CTRL,
PR_SET_SPECULATION_CTRL.Value(): PR_SET_SPECULATION_CTRL,
PR_PAC_RESET_KEYS.Value(): PR_PAC_RESET_KEYS,
PR_SET_TAGGED_ADDR_CTRL.Value(): PR_SET_TAGGED_ADDR_CTRL,
PR_GET_TAGGED_ADDR_CTRL.Value(): PR_GET_TAGGED_ADDR_CTRL,
PR_SET_IO_FLUSHER.Value(): PR_SET_IO_FLUSHER,
PR_GET_IO_FLUSHER.Value(): PR_GET_IO_FLUSHER,
PR_SET_SYSCALL_USER_DISPATCH.Value(): PR_SET_SYSCALL_USER_DISPATCH,
PR_PAC_SET_ENABLED_KEYS.Value(): PR_PAC_SET_ENABLED_KEYS,
PR_PAC_GET_ENABLED_KEYS.Value(): PR_PAC_GET_ENABLED_KEYS,
PR_SCHED_CORE.Value(): PR_SCHED_CORE,
PR_SME_SET_VL.Value(): PR_SME_SET_VL,
PR_SME_GET_VL.Value(): PR_SME_GET_VL,
PR_SET_MDWE.Value(): PR_SET_MDWE,
PR_GET_MDWE.Value(): PR_GET_MDWE,
PR_SET_MEMORY_MERGE.Value(): PR_SET_MEMORY_MERGE,
PR_GET_MEMORY_MERGE.Value(): PR_GET_MEMORY_MERGE,
PR_RISCV_V_SET_CONTROL.Value(): PR_RISCV_V_SET_CONTROL,
PR_RISCV_V_GET_CONTROL.Value(): PR_RISCV_V_GET_CONTROL,
PR_RISCV_SET_ICACHE_FLUSH_CTX.Value(): PR_RISCV_SET_ICACHE_FLUSH_CTX,
PR_PPC_GET_DEXCR.Value(): PR_PPC_GET_DEXCR,
PR_PPC_SET_DEXCR.Value(): PR_PPC_SET_DEXCR,
PR_GET_SHADOW_STACK_STATUS.Value(): PR_GET_SHADOW_STACK_STATUS,
PR_SET_SHADOW_STACK_STATUS.Value(): PR_SET_SHADOW_STACK_STATUS,
PR_LOCK_SHADOW_STACK_STATUS.Value(): PR_LOCK_SHADOW_STACK_STATUS,
PR_SET_PTRACER.Value(): PR_SET_PTRACER,
PR_SET_VMA.Value(): PR_SET_VMA,
PR_GET_AUXV.Value(): PR_GET_AUXV,
}

// ParsePrctlOption parses the `option` argument of the `prctl` syscall
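Review bot: Nothing in this change pins the `iota` numbering to the kernel's values, so the two `_` pairs (after `PR_GET_NAME` and after `PR_CAP_AMBIENT`) are all that keeps every later option aligned, and one more missed gap would silently rename options again. Since these names are what a consumer sees when a traced `prctl` call is decoded, a shifted entry such as `PR_SET_SECCOMP` or `PR_SET_NO_NEW_PRIVS` would presumably mislabel security-relevant events. I would add a small table test asserting anchor values from `linux/prctl.h`, e.g. `PR_GET_ENDIAN.Value() == 19`, `PR_SVE_SET_VL.Value() == 50` and `PR_LOCK_SHADOW_STACK_STATUS.Value() == 76`, and put a comment on each placeholder such as `_ // gap in the kernel's option numbering`. The start of the `const` block is outside the hunk, so the anchors assume it begins at 1 with `PR_SET_PDEATHSIG`; the same test could also check that `prctlOptionStringMap` and `prctlOptionsMap` have identical key sets, since both are maintained by hand.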