scap-open is a small executable that helps to understand if drivers work correctly.
Right now there are 4 scap sources:
- KERNEL_MODULE
- BPF_PROBE
- MODERN_BPF_PROBE
- SCAP_FILE
You can enable them with the following options:
'--kmod': enable the kernel module.
'--bpf <probe_path>': enable the BPF probe.
'--modern_bpf': enable modern BPF probe.
'--scap_file <file.scap>': read events from scap file.
For each scap source you can set additional configurations:
'--tp <tp_code>': enable only requested tracepoint. Can be passed multiple times. (dafault: all enabled)
'--ppm_sc <ppm_sc_code>': enable only requested syscall (this is our internal ppm syscall code not the system syscall code). Can be passed multiple times. (dafault: all enabled)
'--num_events <num_events>': number of events to catch before terminating. (default: UINT64_MAX)
'--evt_type <event_type>': every event of this type will be printed to console. (default: -1, no print)
There are also some options to validate the content of our tables:
'--validate_syscalls': validation checks.
Print some information like the supported syscalls or the help menu:
'--print_syscalls': print all supported syscalls with different sources and configurations.
'--help': print this menu.
From the repository root (/libs) type:
mkdir build && cd build
cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_GVISOR=OFF -DCREATE_TEST_TARGETS=OFF ..
make scap-openOptional Cmake options:
-DBUILD_BPF=ON: if you want to test the BPF probe.-DBUILD_LIBSCAP_MODERN_BPF=ON: if you want to test the modern BPF probe.-DMODERN_BPF_DEBUG_MODE=ON: if you want to test the modern BPF probe in debug mode. (if you use it you need also the previous one-DBUILD_LIBSCAP_MODERN_BPF=ON).
You have also to build the driver that you want to use:
- Kernel module
make driver- BPF probe
make bpf- Modern BPF probe (if you have already compiled
scap-openthe probe skeleton should be already built)
make ProbeSkeletonTo execute it, you have to pass at least one source. For example in this case we use the bpf source.
sudo ./libscap/examples/01-open/scap-open --bpf driver/bpf/probe.oPlease note: to use the BPF probe you have also to pass the path to the
.ofile.
As soon as you quit (CTRL-C) the scap-open program, you will be prompted with detailed information on the capture:
---------------------- STATS -----------------------
Events captured: 20
Seen by driver: 20
Time elapsed: 2 s
Number of events/per-second: 10
Number of dropped events: 0
Number of dropped events caused by full buffer (total / all buffer drops - includes all categories below, likely higher than sum of syscall categories): 0
Number of dropped events caused by full buffer (n_drops_buffer_clone_fork_enter syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_clone_fork_exit syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_execve_enter syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_execve_exit syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_connect_enter syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_connect_exit syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_open_enter syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_open_exit syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_dir_file_enter syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_dir_file_exit syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_other_interest_enter syscall category): 0
Number of dropped events caused by full buffer (n_drops_buffer_other_interest_exit syscall category): 0
Number of dropped events caused by full scratch map: 0
Number of dropped events caused by invalid memory access (page faults): 0
Number of dropped events caused by an invalid condition in the kernel instrumentation (bug): 0
Number of preemptions: 0
Number of events skipped due to the tid being in a set of suppressed tids: 0
Number of threads currently being suppressed: 0
-----------------------------------------------------
To run it with the kernel module, you first have to inject the kernel module into the kernel:
sudo insmod driver/scap.koThen you can type:
sudo ./libscap/examples/01-open/scap-open --kmodRemember to remove the kernel module when you have finished:
sudo rmmod scapTo run it with the modern BPF probe, issue:
sudo ./libscap/examples/01-open/scap-open --modern_bpfYou can look at the other available options by using --help:
sudo ./libscap/examples/01-open/scap-open --helpHere there are just some examples:
- Read from a
scap-file:
sudo ./libscap/examples/01-open/scap-open --scap_file ~/my_scap_file/path- Use BPF probe with only
mkdirsyscall andsys_entertracepoint (on x86_64 architecture)
- Check the
ppm_codeofmkdir, the code is27as you can see:
sudo ./libscap/examples/01-open/scap-open --ppm_sc | grep mkdir
- mkdir system_code: (83) ppm_code: (27)
- mkdirat system_code: (258) ppm_code: (198)- Check the code for
sys_entertracepoint, the code is0as you can see:
sudo ./libscap/examples/01-open/scap-open --tp | grep sys_enter
- sys_enter tp_code: (0)- Run the command with the obtained configuration:
sudo ./libscap/examples/01-open/scap-open --bpf driver/bpf/probe.o --ppm_sc 27 --tp 0The Dockerfile will use runner-image tag to build the final image as you can see here:
FROM runner-image AS runner
...For example, if I build scap-open locally on a un ubuntu:22-04 machine I will instruct docker to use ubuntu:22-04 as a final running image.
docker tag ubuntu:22.04 runner-imagemkdir build && cd build
cmake -DUSE_BUNDLED_DEPS=On -DBUILD_LIBSCAP_GVISOR=Off -DBUILD_BPF=On -DBUILD_LIBSCAP_MODERN_BPF=On -DCREATE_TEST_TARGETS=Off -DMODERN_BPF_DEBUG_MODE=On ..
make scap-open driver bpfFrom the build directory:
docker build --tag scap-open-dev -f ./../userspace/libscap/examples/01-open/Dockerfile .From the build directory:
docker run --rm -i -t --privileged \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
scap-open-dev