pkg/ebpf: fix bug in support for arg types (#2228)

AlonZivony · web-flow · commit f363f1ca2ccb · 2022-10-11T18:20:18.000+03:00
In tracee.bpf.c we use arg types to determine syscall arguments.
Recent feature changed arguments types enum values, causing bug in
argument parsing of syscalls.
This commit fix this issue and add unsupported basic types should
be supported in parsing.
diff --git a/pkg/bufferdecoder/eventsreader.go b/pkg/bufferdecoder/eventsreader.go
@@ -18,7 +18,6 @@ type ArgType uint8
 
 const (
 	noneT ArgType = iota
-	u8T
 	intT
 	uintT
 	longT
@@ -36,6 +35,7 @@ const (
 	credT
 	intArr2T
 	uint64ArrT
+	u8T
 )
 
 // These types don't match the ones defined in the ebpf code since they are not being used by syscalls arguments.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -157,6 +157,7 @@ enum argument_type_e
     CRED_T,
     INT_ARR_2_T,
     UINT64_ARR_T,
+    U8_T,
     TYPE_MAX = 255UL
 };
 
@@ -2443,6 +2444,12 @@ static __always_inline int save_args_to_submit_buf(event_data_t *data, u64 types
             case POINTER_T:
                 size = sizeof(void *);
                 break;
+            case U8_T:
+                size = sizeof(u8);
+                break;
+            case U16_T:
+                size = sizeof(u16);
+                break;
             case STR_T:
                 rc = save_str_to_buf(data, (void *) args->args[i], index);
                 break;
