new(driver,userspace/libsinsp): added support for state modifying `epoll_create` and `epoll_create1`.

[FedeDP]

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area driver-kmod /area driver-bpf /area libsinsp

Does this PR require a change in the driver versions?

Yep, because it adds a new event.

/version driver-SCHEMA-version-minor

But, given that min schema version was already bumped since last libs release, i think we can skip this. (see https://github.com/falcosecurity/libs/pull/501).

What this PR does / why we need it:

Adds support for epoll_create and epoll_create1 syscalls, because they create a FD thus are needed for sinsp state.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new: support `epoll_create` and `epoll_create1` syscalls.

[FedeDP]

Github 503 :/

[Andreagit97]

Probably we need to add them also in the modern probe /hold

[LucaGuerra]

Would this case fit along the others in the creates_fd_generic test you recently added?

[FedeDP]

Would this case fit along the others in the creates_fd_generic test you recently added?

Done!

Probably we need to add them also in the modern probe

Done!

@LucaGuerra @Andreagit97

[hbrueckner]

Probably we need to add them also in the modern probe

Done!

Awesome @FedeDP . I will look later thru the patch set. Thanks.

[FedeDP]

But epoll_create1 tests are failing and i don't get why :/

[hbrueckner]

But epoll_create1 tests are failing and i don't get why :/

Looks like the syscall passes but does not create an event:

[ RUN      ] SyscallEnter.epoll_create1E
HALLO: fd=245 errno=Success
/root/git/falcosecurity/libs/test/modern_bpf/event_class/event_class.cpp:378: Failure
Failed
There is no event in the buffer.

with using printf("HALLO: fd=%i errno=%s\n", fd, strerror(errno));

[hbrueckner]

@FedeDP Tests pass on s390x:

# ./test/modern_bpf/bpf_test  |grep epoll
[ RUN      ] SyscallExit.epoll_create1X
[       OK ] SyscallExit.epoll_create1X (0 ms)
[ RUN      ] SyscallExit.epoll_createX
[       OK ] SyscallExit.epoll_createX (0 ms)
[ RUN      ] SyscallEnter.epoll_create1E
[       OK ] SyscallEnter.epoll_create1E (0 ms)
[ RUN      ] SyscallEnter.epoll_createE
[       OK ] SyscallEnter.epoll_createE (0 ms)

will review then later.

[FedeDP]

@hbrueckner fixed everything!

[hbrueckner]

@FedeDP other the minors above, this looks good to me. /lgtm

[poiana]

LGTM label has been added.

Git tree hash: 835f1bbd5f7b2660455fa49c8b49147baf08d3f5

[hbrueckner]

@FedeDP Thanks for the update. /lgtm

[poiana]

LGTM label has been added.

Git tree hash: 9af79754e9aa2bbd7266eaa8c87801ae8bc1273a

[FedeDP]

Rebased on top of master.

[FedeDP]

TODO:

• bump schema version minor

[FedeDP]

Rebased on top of master.

[Andreagit97]

/milestone next-driver

[poiana]

LGTM label has been added.

Git tree hash: 2b4be8c8dccf18ffa19529968baf5ca9bfd3b00c

[FedeDP]

Rebased on top of master.

[poiana]

LGTM label has been added.

Git tree hash: 8daa64dbb061e4f2e87d90f356b29bbf5f80b615

[FedeDP]

@Andreagit97 thanks for your review! Addressed in latest commit!

[poiana]

LGTM label has been added.

Git tree hash: b57738ff9664e41821f9765b3a8adcd2cbccef33

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, hbrueckner, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• ~~OWNERS~~ [Andreagit97,FedeDP,leogr]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

[FedeDP]

/unhold