From e5ae5a0f7f6eef1b433382b8455a2f3856ab049a Mon Sep 17 00:00:00 2001
From: Michal Stanek
Date: Tue, 19 Mar 2024 16:08:13 +0100
Subject: [PATCH] clang-format fixes
---
 GPL/Events/File/Probe.bpf.c | 30 ++++----
 GPL/Events/Helpers.h | 4 +-
 GPL/Events/Process/Probe.bpf.c | 76 ++++++++++---------
 .../TcFilter/BPFTcFilterTests.cpp | 2 +-
 non-GPL/Events/EventsTrace/EventsTrace.c | 6 +-
 non-GPL/HostIsolation/Lib/TcLoader.c | 8 +-
 6 files changed, 65 insertions(+), 61 deletions(-)
diff --git a/GPL/Events/File/Probe.bpf.c b/GPL/Events/File/Probe.bpf.c
index d7cc978f..076038b7 100644
--- a/GPL/Events/File/Probe.bpf.c
+++ b/GPL/Events/File/Probe.bpf.c
@@ -218,7 +218,10 @@ int BPF_KPROBE(kprobe__vfs_unlink)
 // prepare a file event and send it to ringbuf.
 // if path_prefix is non-NULL then event will only be sent to ringbuf if file path has that prefix
-static void prepare_and_send_file_event(struct file *f, enum ebpf_event_type type, const char *path_prefix, int path_prefix_len)
+static void prepare_and_send_file_event(struct file *f,
+ enum ebpf_event_type type,
+ const char *path_prefix,
+ int path_prefix_len)
 {
 struct ebpf_file_create_event *event = get_event_buffer();
 if (!event)
@@ -287,13 +290,12 @@ static int do_filp_open__exit(struct file *f)
 prepare_and_send_file_event(f, EBPF_EVENT_FILE_CREATE, NULL, 0);
 } else {
 // check if memfd file is being opened
- struct path p = BPF_CORE_READ(f, f_path);
- struct dentry *curr_dentry = BPF_CORE_READ(&p, dentry);
- struct qstr component = BPF_CORE_READ(curr_dentry, d_name);
- char buf_filename[8] = {0};
- int ret = bpf_probe_read_kernel_str(buf_filename,
- sizeof(MEMFD_STRING),
- (void *)component.name);
+ struct path p = BPF_CORE_READ(f, f_path);
+ struct dentry *curr_dentry = BPF_CORE_READ(&p, dentry);
+ struct qstr component = BPF_CORE_READ(curr_dentry, d_name);
+ char buf_filename[8] = {0};
+ int ret =
+ bpf_probe_read_kernel_str(buf_filename, sizeof(MEMFD_STRING), (void *)component.name);
 if (ret <= 0) {
 bpf_printk("could not read d_name at %p\n", component.name);
 goto out;
@@ -307,24 +309,22 @@ static int do_filp_open__exit(struct file *f)
 }
 struct vfsmount *curr_vfsmount = BPF_CORE_READ(&p, mnt);
- const char *fs_type_name = BPF_CORE_READ(curr_vfsmount, mnt_sb, s_type, name);
+ const char *fs_type_name = BPF_CORE_READ(curr_vfsmount, mnt_sb, s_type, name);
 // check if /dev/shm shared memory file is being opened
 // first check if fs is tmpfs
 char buf_fsname[8] = {0};
- ret = bpf_probe_read_kernel_str(buf_fsname,
- sizeof(TMPFS_STRING),
- (void *)fs_type_name);
+ ret = bpf_probe_read_kernel_str(buf_fsname, sizeof(TMPFS_STRING), (void *)fs_type_name);
 if (ret <= 0) {
 bpf_printk("could not read fsname at %p\n", fs_type_name);
 goto out;
 }
 int is_tmpfs = is_equal_prefix(buf_fsname, TMPFS_STRING, sizeof(TMPFS_STRING) - 1);
- if (is_tmpfs)
- {
+ if (is_tmpfs) {
 // now filter for /dev/shm prefix, if there is match - send an SHMEM file open event
- prepare_and_send_file_event(f, EBPF_EVENT_FILE_SHMEM_OPEN, DEVSHM_STRING, sizeof(DEVSHM_STRING) - 1);
+ prepare_and_send_file_event(f, EBPF_EVENT_FILE_SHMEM_OPEN, DEVSHM_STRING,
+ sizeof(DEVSHM_STRING) - 1);
 }
 }
diff --git a/GPL/Events/Helpers.h b/GPL/Events/Helpers.h
index 2849879b..048cd138 100644
--- a/GPL/Events/Helpers.h
+++ b/GPL/Events/Helpers.h
@@ -14,8 +14,8 @@
 const volatile int consumer_pid = 0;
-#define MEMFD_STRING "memfd:"
-#define TMPFS_STRING "tmpfs"
+#define MEMFD_STRING "memfd:"
+#define TMPFS_STRING "tmpfs"
 #define DEVSHM_STRING "/dev/shm"
 #if BPF_DEBUG_TRACE == 0
diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
index 667368fb..ceb43ff4 100644
--- a/GPL/Events/Process/Probe.bpf.c
+++ b/GPL/Events/Process/Probe.bpf.c
@@ -99,25 +99,23 @@ int BPF_PROG(sched_process_exec,
 ebpf_ctty__fill(&event->ctty, task);
 if (!binprm)
- return 0;
+ return 0;
 // set setuid and setgid flags
- struct file *f = BPF_CORE_READ(binprm, file);
+ struct file *f = BPF_CORE_READ(binprm, file);
 struct inode *f_inode = BPF_CORE_READ(f, f_inode);
- event->is_setuid = (BPF_CORE_READ(f_inode, i_mode) & S_ISUID) ? true : false;
- event->is_setgid = (BPF_CORE_READ(f_inode, i_mode) & S_ISGID) ? true : false;
+ event->is_setuid = (BPF_CORE_READ(f_inode, i_mode) & S_ISUID) ? true : false;
+ event->is_setgid = (BPF_CORE_READ(f_inode, i_mode) & S_ISGID) ? true : false;
 // set inode link count (0 means anonymous or deleted file)
 event->inode_nlink = BPF_CORE_READ(f_inode, i_nlink);
 // check if memfd file is being exec'd
- struct path p = BPF_CORE_READ(binprm, file, f_path);
- struct dentry *curr_dentry = BPF_CORE_READ(&p, dentry);
- struct qstr component = BPF_CORE_READ(curr_dentry, d_name);
- char buf_filename[8] = {0};
- int ret = bpf_probe_read_kernel_str(buf_filename,
- sizeof(MEMFD_STRING),
- (void *)component.name);
+ struct path p = BPF_CORE_READ(binprm, file, f_path);
+ struct dentry *curr_dentry = BPF_CORE_READ(&p, dentry);
+ struct qstr component = BPF_CORE_READ(curr_dentry, d_name);
+ char buf_filename[8] = {0};
+ int ret = bpf_probe_read_kernel_str(buf_filename, sizeof(MEMFD_STRING), (void *)component.name);
 if (ret <= 0) {
 bpf_printk("could not read d_name at %p\n", component.name);
 goto out;
@@ -271,7 +269,7 @@ int BPF_PROG(module_load, struct module *mod)
 ebpf_pid_info__fill(&event->pids, task);
- pid_t ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
+ pid_t ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
 pid_t curr_tgid = BPF_CORE_READ(task, tgid);
 // ignore if process is child of init/systemd/whatever
@@ -283,8 +281,8 @@ int BPF_PROG(module_load, struct module *mod)
 struct ebpf_varlen_field *field;
 long size;
- // from include/linux/moduleparam.h
- #define MAX_PARAM_PREFIX_LEN (64 - sizeof(unsigned long))
+// from include/linux/moduleparam.h
+#define MAX_PARAM_PREFIX_LEN (64 - sizeof(unsigned long))
 // mod name
 field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_FILENAME);
@@ -308,15 +306,19 @@ int BPF_PROG(module_load, struct module *mod)
 }
 SEC("kprobe/ptrace_attach")
-int BPF_KPROBE(kprobe__ptrace_attach, struct task_struct *child, long request, unsigned long addr, unsigned long flags)
+int BPF_KPROBE(kprobe__ptrace_attach,
+ struct task_struct *child,
+ long request,
+ unsigned long addr,
+ unsigned long flags)
 {
 if (ebpf_events_is_trusted_pid())
 goto out;
 struct task_struct *task = (struct task_struct *)bpf_get_current_task();
- pid_t curr_tgid = BPF_CORE_READ(task, tgid);
- pid_t child_ppid = BPF_CORE_READ(child, group_leader, real_parent, tgid);
- pid_t child_tgid = BPF_CORE_READ(child, tgid);
+ pid_t curr_tgid = BPF_CORE_READ(task, tgid);
+ pid_t child_ppid = BPF_CORE_READ(child, group_leader, real_parent, tgid);
+ pid_t child_tgid = BPF_CORE_READ(child, tgid);
 if (is_kernel_thread(task))
 goto out;
@@ -338,7 +340,7 @@ int BPF_KPROBE(kprobe__ptrace_attach, struct task_struct *child, long request, u
 ebpf_pid_info__fill(&event->pids, task);
 event->child_pid = child_tgid;
- event->request = request;
+ event->request = request;
 bpf_ringbuf_submit(event, 0);
@@ -377,8 +379,8 @@ int tracepoint_syscalls_sys_enter_shmget(struct trace_event_raw_sys_enter *ctx)
 event->hdr.ts = bpf_ktime_get_ns();
 ebpf_pid_info__fill(&event->pids, task);
- event->key = ex_args->key;
- event->size = ex_args->size;
+ event->key = ex_args->key;
+ event->size = ex_args->size;
 event->shmflg = ex_args->shmflg;
 bpf_ringbuf_submit(event, 0);
@@ -416,22 +418,22 @@ int tracepoint_syscalls_sys_enter_memfd_create(struct trace_event_raw_sys_enter
 event->hdr.type = EBPF_EVENT_PROCESS_MEMFD_CREATE;
 event->hdr.ts = bpf_ktime_get_ns();
- // from linux/memfd.h:
- //
- /* flags for memfd_create(2) (unsigned int) */
- #define MFD_CLOEXEC 0x0001U
- #define MFD_ALLOW_SEALING 0x0002U
- #define MFD_HUGETLB 0x0004U
- /* not executable and sealed to prevent changing to executable. */
- #define MFD_NOEXEC_SEAL 0x0008U
- /* executable */
- #define MFD_EXEC 0x0010U
- event->flags = ex_args->flags;
- event->flag_cloexec = (event->flags & MFD_CLOEXEC) ? true : false;
- event->flag_allow_seal = (event->flags & MFD_ALLOW_SEALING) ? true : false;
- event->flag_hugetlb = (event->flags & MFD_HUGETLB) ? true : false;
+// from linux/memfd.h:
+//
+/* flags for memfd_create(2) (unsigned int) */
+#define MFD_CLOEXEC 0x0001U
+#define MFD_ALLOW_SEALING 0x0002U
+#define MFD_HUGETLB 0x0004U
+/* not executable and sealed to prevent changing to executable. */
+#define MFD_NOEXEC_SEAL 0x0008U
+/* executable */
+#define MFD_EXEC 0x0010U
+ event->flags = ex_args->flags;
+ event->flag_cloexec = (event->flags & MFD_CLOEXEC) ? true : false;
+ event->flag_allow_seal = (event->flags & MFD_ALLOW_SEALING) ? true : false;
+ event->flag_hugetlb = (event->flags & MFD_HUGETLB) ? true : false;
 event->flag_noexec_seal = (event->flags & MFD_NOEXEC_SEAL) ? true : false;
- event->flag_exec = (event->flags & MFD_EXEC) ? true : false;
+ event->flag_exec = (event->flags & MFD_EXEC) ? true : false;
 ebpf_pid_info__fill(&event->pids, task);
@@ -442,7 +444,7 @@ int tracepoint_syscalls_sys_enter_memfd_create(struct trace_event_raw_sys_enter
 // memfd filename
 field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_FILENAME);
- size = bpf_probe_read_user_str(field->data, PATH_MAX, ex_args->uname);
+ size = bpf_probe_read_user_str(field->data, PATH_MAX, ex_args->uname);
 if (size < 0)
 return 1;
 ebpf_vl_field__set_size(&event->vl_fields, field, size);
diff --git a/GPL/HostIsolation/TcFilter/BPFTcFilterTests.cpp b/GPL/HostIsolation/TcFilter/BPFTcFilterTests.cpp
index 1b63f15d..5d07d941 100644
--- a/GPL/HostIsolation/TcFilter/BPFTcFilterTests.cpp
+++ b/GPL/HostIsolation/TcFilter/BPFTcFilterTests.cpp
@@ -56,7 +56,7 @@ class BPFTcFilterTests : public ::testing::Test
 char *object_path_env = getenv(OBJECT_PATH_ENV_VAR);
 int err = 0;
 m_obj = object_path_env == NULL ? bpf_object__open(DEFAULT_OBJECT_PATH)
- : bpf_object__open(object_path_env);
+ : bpf_object__open(object_path_env);
 if (libbpf_get_error(m_obj)) {
 FAIL() << "Cannot open ELF object to test, you can pass a custom one with the "
diff --git a/non-GPL/Events/EventsTrace/EventsTrace.c b/non-GPL/Events/EventsTrace/EventsTrace.c
index 9201588a..c8797f7f 100644
--- a/non-GPL/Events/EventsTrace/EventsTrace.c
+++ b/non-GPL/Events/EventsTrace/EventsTrace.c
@@ -29,9 +29,11 @@ const char argp_program_doc[] =
 "\n"
 "Prints process, network and file events sourced from the Elastic ebpf events library\n"
 "\n"
- "USAGE: ./EventsTrace [--all|-a] [--file-delete] [--file-create] [--file-rename] [--file-memfd-open] [--file-shmem-open] [--file-modify]\n"
+ "USAGE: ./EventsTrace [--all|-a] [--file-delete] [--file-create] [--file-rename] "
+ "[--file-memfd-open] [--file-shmem-open] [--file-modify]\n"
 "[--process-fork] [--process-exec] [--process-exit] [--process-setsid] [--process-setuid] "
- "[--process-setgid] [--process-tty-write] [--process-memfd_create] [--process-shmget] [--process-ptrace] [--process-load_module]\n"
+ "[--process-setgid] [--process-tty-write] [--process-memfd_create] [--process-shmget] "
+ "[--process-ptrace] [--process-load_module]\n"
 "[--net-conn-accept] [--net-conn-attempt] [--net-conn-closed]\n"
 "[--print-features-on-init] [--unbuffer-stdout] [--libbpf-verbose]\n";
diff --git a/non-GPL/HostIsolation/Lib/TcLoader.c b/non-GPL/HostIsolation/Lib/TcLoader.c
index e747deb6..e4860e95 100644
--- a/non-GPL/HostIsolation/Lib/TcLoader.c
+++ b/non-GPL/HostIsolation/Lib/TcLoader.c
@@ -371,10 +371,10 @@ static int netlink_qdisc(int cmd, unsigned int flags, const char *ifname)
 int rv = -1;
 struct rtnetlink_handle qdisc_rth = {.fd = -1};
 struct netlink_msg qdisc_req = {
- .n.nlmsg_len = NLMSG_LENGTH(sizeof(struct tcmsg)),
- .n.nlmsg_flags = NLM_F_REQUEST | flags,
- .n.nlmsg_type = cmd,
- .t.tcm_family = AF_UNSPEC,
+ .n.nlmsg_len = NLMSG_LENGTH(sizeof(struct tcmsg)),
+ .n.nlmsg_flags = NLM_F_REQUEST | flags,
+ .n.nlmsg_type = cmd,
+ .t.tcm_family = AF_UNSPEC,
 };
 if (!ifname) {