new(driver): update exit events PPME_SYSCALL_SETRESGID_X with enter params

terror96 · terror96 · commit 88b53e4fe67d · 2025-06-18T09:10:02.000+03:00
This update is part of the implementation for disabling support for
syscall enter events. It implements the following steps:

1. Adds enter parameters to the exit event
2. Adapt sinsp state to work just with exit events.
3. Create a scap-file conversion (in a dedicated scap-file converter)
   to convert ENTER events into merged EXIT ones.
4. Add some tests replaying scap-files.

for the setresgid syscall.

Signed-off-by: Tero Kauppinen &lt;tero.kauppinen@est.tech&gt;
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-3.32.0
+3.33.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -3236,6 +3236,27 @@ FILLER(sys_setpgid_x, true) {
 	return bpf_push_s64_to_ring(data, (int64_t)pgid);
 }
 
+FILLER(sys_setresgid_x, true) {
+	/* Parameter 1: res (type: PT_ERRNO) */
+	long retval = bpf_syscall_get_retval(data->ctx);
+	int res = bpf_push_s64_to_ring(data, retval);
+	CHECK_RES(res);
+
+	/* Parameter 2: rgid (type: PT_GID) */
+	uint32_t rgid = (uint32_t)bpf_syscall_get_argument(data, 0);
+	res = bpf_push_u32_to_ring(data, rgid);
+	CHECK_RES(res);
+
+	/* Parameter 3: egid (type: PT_GID) */
+	uint32_t egid = (uint32_t)bpf_syscall_get_argument(data, 1);
+	res = bpf_push_u32_to_ring(data, egid);
+	CHECK_RES(res);
+
+	/* Parameter 4: sgid (type: PT_GID) */
+	uint32_t sgid = (uint32_t)bpf_syscall_get_argument(data, 2);
+	return bpf_push_u32_to_ring(data, sgid);
+}
+
 FILLER(sys_unshare_e, true) {
 	unsigned long val;
 	uint32_t flags;
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -1205,16 +1205,19 @@ const struct ppm_event_info g_event_info[] = {
                                       {{"res", PT_ERRNO, PF_DEC}}},
         [PPME_SYSCALL_SETRESGID_E] = {"setresgid",
                                       EC_USER | EC_SYSCALL,
-                                      EF_MODIFIES_STATE,
+                                      EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
                                       3,
                                       {{"rgid", PT_GID, PF_DEC},
                                        {"egid", PT_GID, PF_DEC},
                                        {"sgid", PT_GID, PF_DEC}}},
         [PPME_SYSCALL_SETRESGID_X] = {"setresgid",
                                       EC_USER | EC_SYSCALL,
-                                      EF_MODIFIES_STATE,
-                                      1,
-                                      {{"res", PT_ERRNO, PF_DEC}}},
+                                      EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
+                                      4,
+                                      {{"res", PT_ERRNO, PF_DEC},
+                                       {"rgid", PT_GID, PF_DEC},
+                                       {"egid", PT_GID, PF_DEC},
+                                       {"sgid", PT_GID, PF_DEC}}},
         [PPME_SCAPEVENT_E] = {"scapevent",
                               EC_INTERNAL | EC_METAEVENT,
                               EF_SKIPPARSERESET,
diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -195,7 +195,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
         [PPME_SYSCALL_SETRESUID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
         [PPME_SYSCALL_SETRESUID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
         [PPME_SYSCALL_SETRESGID_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {1}, {2}}},
-        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_autofill), 1, APT_REG, {{AF_ID_RETVAL}}},
+        [PPME_SYSCALL_SETRESGID_X] = {FILLER_REF(sys_setresgid_x)},
         [PPME_SCAPEVENT_E] = {FILLER_REF(sys_scapevent_e)},
         [PPME_SYSCALL_SETUID_E] = {FILLER_REF(sys_autofill), 1, APT_REG, {{0}}},
         [PPME_SYSCALL_SETUID_X] = {FILLER_REF(sys_setuid_x)},
diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -129,7 +129,7 @@
 #define SETRESUID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
 #define SETRESUID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define SETRESGID_E_SIZE HEADER_LEN + sizeof(uint32_t) * 3 + PARAM_LEN * 3
-#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
+#define SETRESGID_X_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) * 3 + PARAM_LEN * 4
 #define SCAPEVENT_E_SIZE HEADER_LEN + sizeof(uint32_t) + sizeof(uint64_t) + PARAM_LEN * 2
 #define SCAPEVENT_X_SIZE HEADER_LEN
 #define SETUID_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setresgid.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/setresgid.bpf.c
@@ -58,6 +58,18 @@ int BPF_PROG(setresgid_x, struct pt_regs *regs, long ret) {
 	/* Parameter 1: res (type: PT_ERRNO)*/
 	ringbuf__store_s64(&ringbuf, ret);
 
+	/* Parameter 2: rgid (type: PT_GID) */
+	gid_t rgid = (uint32_t)extract__syscall_argument(regs, 0);
+	ringbuf__store_u32(&ringbuf, rgid);
+
+	/* Parameter 3: egid (type: PT_GID) */
+	gid_t egid = (uint32_t)extract__syscall_argument(regs, 1);
+	ringbuf__store_u32(&ringbuf, egid);
+
+	/* Parameter 4: sgid (type: PT_GID) */
+	gid_t sgid = (uint32_t)extract__syscall_argument(regs, 2);
+	ringbuf__store_u32(&ringbuf, sgid);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	ringbuf__submit_event(&ringbuf);
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -7507,6 +7507,37 @@ int f_sys_setpgid_x(struct event_filler_arguments *args) {
 	return add_sentinel(args);
 }
 
+int f_sys_setresgid_x(struct event_filler_arguments *args) {
+	unsigned long val = 0;
+	int res = 0;
+	uint32_t gid = 0;
+
+	/* Parameter 1: res (type: PT_ERRNO) */
+	int64_t retval = (int64_t)syscall_get_return_value(current, args->regs);
+	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: rgid (type: PT_GID) */
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	gid = (uint32_t)val;
+	res = val_to_ring(args, gid, 0, true, 0);
+	CHECK_RES(res);
+
+	/* Parameter 3: egid (type: PT_GID) */
+	syscall_get_arguments_deprecated(args, 1, 1, &val);
+	gid = (uint32_t)val;
+	res = val_to_ring(args, gid, 0, true, 0);
+	CHECK_RES(res);
+
+	/* Parameter 4: sgid (type: PT_GID) */
+	syscall_get_arguments_deprecated(args, 2, 1, &val);
+	gid = (uint32_t)val;
+	res = val_to_ring(args, gid, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 int f_sys_unshare_e(struct event_filler_arguments *args) {
 	unsigned long val;
 	int res;
diff --git a/driver/ppm_fillers.h b/driver/ppm_fillers.h
@@ -184,6 +184,7 @@ or GPL2.txt for full copies of the license.
 	FN(sys_setgid_x)                     \
 	FN(sys_setpgid_e)                    \
 	FN(sys_setpgid_x)                    \
+	FN(sys_setresgid_x)                  \
 	FN(sys_recvfrom_e)                   \
 	FN(sys_recvmsg_e)                    \
 	FN(sys_listen_e)                     \
diff --git a/test/drivers/test_suites/syscall_exit_suite/setresgid_x.cpp b/test/drivers/test_suites/syscall_exit_suite/setresgid_x.cpp
@@ -37,8 +37,17 @@ TEST(SyscallExit, setresgidX) {
 	/* Parameter 1: res (type: PT_ERRNO) */
 	evt_test->assert_numeric_param(1, (int64_t)0);
 
+	/* Parameter 2: rgid (type: PT_GID) */
+	evt_test->assert_numeric_param(2, (uint32_t)rgid);
+
+	/* Parameter 3: egid (type: PT_GID) */
+	evt_test->assert_numeric_param(3, (uint32_t)egid);
+
+	/* Parameter 4: sgid (type: PT_GID) */
+	evt_test->assert_numeric_param(4, (uint32_t)sgid);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(1);
+	evt_test->assert_num_params_pushed(4);
 }
 #endif
diff --git a/test/libscap/test_suites/engines/savefile/converter.cpp b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -2433,3 +2433,57 @@ TEST_F(convert_event_test, PPME_SYSCALL_SETGID_X_to_3_params_with_enter) {
 	        create_safe_scap_event(ts, tid, PPME_SYSCALL_SETGID_X, 1, res),
 	        create_safe_scap_event(ts, tid, PPME_SYSCALL_SETGID_X, 2, res, gid));
 }
+
+////////////////////////////
+// SETRESGID
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SYSCALL_SETRESGID_E_store) {
+	uint64_t ts = 12;
+	int64_t tid = 25;
+
+	uint32_t rgid = 66;
+	uint32_t egid = 77;
+	uint32_t sgid = 88;
+
+	auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_SETRESGID_E, 3, rgid, egid, sgid);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_SETRESGID_X_to_4_params_no_enter) {
+	uint64_t ts = 12;
+	int64_t tid = 25;
+
+	int64_t res = 89;
+
+	// Defaulted to 0
+	uint32_t rgid = 0;
+	uint32_t egid = 0;
+	uint32_t sgid = 0;
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_SETRESGID_X, 1, res),
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_SETRESGID_X, 4, res, rgid, egid, sgid));
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_SETRESGID_X_to_4_params_with_enter) {
+	uint64_t ts = 12;
+	int64_t tid = 25;
+
+	int64_t res = 89;
+	uint32_t rgid = 66;
+	uint32_t egid = 77;
+	uint32_t sgid = 88;
+
+	// After the first conversion we should have the storage
+	auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_SETRESGID_E, 3, rgid, egid, sgid);
+	assert_single_conversion_skip(evt);
+	assert_event_storage_presence(evt);
+
+	assert_single_conversion_success(
+	        conversion_result::CONVERSION_COMPLETED,
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_SETRESGID_X, 1, res),
+	        create_safe_scap_event(ts, tid, PPME_SYSCALL_SETRESGID_X, 4, res, rgid, egid, sgid));
+}
diff --git a/test/libsinsp_e2e/sys_call_test.cpp b/test/libsinsp_e2e/sys_call_test.cpp
@@ -1440,6 +1440,12 @@ TEST_F(sys_call_test, getsetresuid_and_gid) {
 		} else if(type == PPME_SYSCALL_SETRESGID_X && !setresgid_ok) {
 			++callnum;
 			EXPECT_EQ("0", e->get_param_value_str("res", false));
+			EXPECT_EQ("6565", e->get_param_value_str("rgid", false));
+			EXPECT_EQ("testsetresgid", e->get_param_value_str("rgid"));
+			EXPECT_EQ("-1", e->get_param_value_str("egid", false));
+			EXPECT_EQ("<NONE>", e->get_param_value_str("egid"));
+			EXPECT_EQ("-1", e->get_param_value_str("sgid", false));
+			EXPECT_EQ("<NONE>", e->get_param_value_str("sgid"));
 			setresgid_ok = true;
 		} else if(type == PPME_SYSCALL_GETRESUID_E && !getresuid_e_ok) {
 			++callnum;
diff --git a/userspace/libscap/engine/gvisor/fillers.cpp b/userspace/libscap/engine/gvisor/fillers.cpp
@@ -967,13 +967,19 @@ int32_t fill_event_setresgid_e(scap_sized_buffer scap_buf,
 int32_t fill_event_setresgid_x(scap_sized_buffer scap_buf,
                                size_t* event_size,
                                char* scap_err,
-                               int64_t res) {
+                               int64_t res,
+                               uint32_t rgid,
+                               uint32_t egid,
+                               uint32_t sgid) {
 	return scap_event_encode_params(scap_buf,
 	                                event_size,
 	                                scap_err,
 	                                PPME_SYSCALL_SETRESGID_X,
-	                                1,
-	                                res);
+	                                4,
+	                                res,
+	                                rgid,
+	                                egid,
+	                                sgid);
 }
 
 // PPME_SYSCALL_PRLIMIT_E
diff --git a/userspace/libscap/engine/gvisor/fillers.h b/userspace/libscap/engine/gvisor/fillers.h
@@ -335,7 +335,10 @@ int32_t fill_event_setresgid_e(scap_sized_buffer scap_buf,
 int32_t fill_event_setresgid_x(scap_sized_buffer scap_buf,
                                size_t* event_size,
                                char* scap_err,
-                               int64_t res);
+                               int64_t res,
+                               uint32_t rgid,
+                               uint32_t egid,
+                               uint32_t sgid);
 
 int32_t fill_event_prlimit_e(scap_sized_buffer scap_buf,
                              size_t* event_size,
diff --git a/userspace/libscap/engine/gvisor/parsers.cpp b/userspace/libscap/engine/gvisor/parsers.cpp
@@ -1253,7 +1253,10 @@ static parse_result parse_setresid(uint32_t id,
 			ret.status = scap_gvisor::fillers::fill_event_setresgid_x(scap_buf,
 			                                                          &ret.size,
 			                                                          scap_err,
-			                                                          gvisor_evt.exit().result());
+			                                                          gvisor_evt.exit().result(),
+			                                                          gvisor_evt.rid(),
+			                                                          gvisor_evt.eid(),
+			                                                          gvisor_evt.sid());
 			break;
 
 		default:
diff --git a/userspace/libscap/engine/savefile/converter/table.cpp b/userspace/libscap/engine/savefile/converter/table.cpp
@@ -251,4 +251,12 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = {
          conversion_info()
                  .action(C_ACTION_ADD_PARAMS)
                  .instrs({{C_INSTR_FROM_ENTER, 0}, {C_INSTR_FROM_ENTER, 1}})},
+        /*====================== SETRESGID ======================*/
+        {conversion_key{PPME_SYSCALL_SETRESGID_E, 3}, conversion_info().action(C_ACTION_STORE)},
+        {conversion_key{PPME_SYSCALL_SETRESGID_X, 1},
+         conversion_info()
+                 .action(C_ACTION_ADD_PARAMS)
+                 .instrs({{C_INSTR_FROM_ENTER, 0},
+                          {C_INSTR_FROM_ENTER, 1},
+                          {C_INSTR_FROM_ENTER, 2}})},
 };
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -102,7 +102,7 @@ struct scap_vtable;
 // and handle the result
 //
 #define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION(8, 0, 0)
-#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 32, 0)
+#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(3, 33, 0)
 
 //
 // This is the dimension we used before introducing the variable buffer size.
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -108,7 +108,6 @@ void sinsp_parser::process_event(sinsp_evt &evt, sinsp_parser_verdict &verdict)
 	case PPME_SYSCALL_PRLIMIT_E:
 	case PPME_SYSCALL_SENDFILE_E:
 	case PPME_SYSCALL_SETRESUID_E:
-	case PPME_SYSCALL_SETRESGID_E:
 	case PPME_SYSCALL_UNLINK_E:
 	case PPME_SYSCALL_UNLINKAT_E:
 	case PPME_SYSCALL_EXECVE_18_E:
@@ -4326,15 +4325,13 @@ void sinsp_parser::parse_setreuid_exit(sinsp_evt &evt) const {
 }
 
 void sinsp_parser::parse_setresgid_exit(sinsp_evt &evt) const {
-	sinsp_evt *enter_evt = &m_tmp_evt;
-
 	//
 	// Extract the return value
 	//
 	const int64_t retval = evt.get_syscall_return_value();
 
-	if(retval == 0 && retrieve_enter_event(*enter_evt, evt)) {
-		uint32_t new_egid = enter_evt->get_param(1)->as<uint32_t>();
+	if(retval == 0) {
+		uint32_t new_egid = evt.get_param(2)->as<uint32_t>();
 
 		if(new_egid < std::numeric_limits<uint32_t>::max()) {
 			sinsp_threadinfo *ti = evt.get_thread_info();
diff --git a/userspace/libsinsp/test/events_user.ut.cpp b/userspace/libsinsp/test/events_user.ut.cpp
@@ -94,6 +94,13 @@ TEST_F(sinsp_with_test_input, setresuid_setresgid) {
 	ASSERT_EQ(get_field_as_string(evt, "group.gid"), "0");
 
 	// check that the group ID is updated if the call is successful. The expected user is the EGID
-	evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_SETRESGID_X, 1, errno_success);
+	evt = add_event_advance_ts(increasing_ts(),
+	                           1,
+	                           PPME_SYSCALL_SETRESGID_X,
+	                           4,
+	                           errno_success,
+	                           600,
+	                           600,
+	                           600);
 	ASSERT_EQ(get_field_as_string(evt, "group.gid"), "600");
 }
diff --git a/userspace/libsinsp/test/parsers/parse_setresgid.cpp b/userspace/libsinsp/test/parsers/parse_setresgid.cpp
@@ -0,0 +1,51 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2025 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include "driver/ppm_events_public.h"
+#include <helpers/threads_helpers.h>
+
+TEST_F(sinsp_with_test_input, SETRESGID_success) {
+	add_default_init_thread();
+	open_inspector();
+
+	int64_t return_value = 0;
+	uint32_t rgid = (uint32_t)-1;
+	uint32_t egid = 1000;
+	uint32_t sgid = (uint32_t)-1;
+
+	const auto evt = add_event_advance_ts(increasing_ts(),
+	                                      INIT_TID,
+	                                      PPME_SYSCALL_SETRESGID_X,
+	                                      4,
+	                                      return_value,
+	                                      rgid,
+	                                      egid,
+	                                      sgid);
+
+	// Check that the returned value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("res")->as<int64_t>(), return_value);
+
+	// Check that the rgid value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("rgid")->as<uint32_t>(), rgid);
+
+	// Check that the egid value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("egid")->as<uint32_t>(), egid);
+
+	// Check that the sgid value is as expected.
+	ASSERT_EQ(evt->get_param_by_name("sgid")->as<uint32_t>(), sgid);
+}
diff --git a/userspace/libsinsp/test/scap_files/converter_tests.cpp b/userspace/libsinsp/test/scap_files/converter_tests.cpp
