From 82bc6996f899d73379193cfcdbc13fea1847f24d Mon Sep 17 00:00:00 2001
From: Ofek Shaked <ofek.shaked@aquasec.com>
Date: Tue, 22 Oct 2024 13:12:04 +0300
Subject: [PATCH] Change check_syscall_source vma type arguments from flags to
 a string

---
 .../builtin/extra/check_syscall_source.md     |  4 +---
 pkg/ebpf/c/tracee.bpf.c                       | 23 ++++++++++++++-----
 pkg/events/core.go                            |  4 +---
 .../e2e-check_syscall_source.go               | 20 +++++-----------
 4 files changed, 25 insertions(+), 26 deletions(-)

diff --git a/docs/docs/events/builtin/extra/check_syscall_source.md b/docs/docs/events/builtin/extra/check_syscall_source.md
index 612ff6289929..adbd641b8f67 100644
--- a/docs/docs/events/builtin/extra/check_syscall_source.md
+++ b/docs/docs/events/builtin/extra/check_syscall_source.md
@@ -24,9 +24,7 @@ To reduce noise in cases where code with significant syscall activity is being d
 
 * `syscall`:`int`[K] - the syscall which was invoked from an unusual location. The syscall name is parsed if the `parse-arguments` option is specified.
 * `ip`:`void *`[K] - the address from which the syscall was invoked (instruction pointer of the instruction following the syscall instruction).
-* `is_stack`:`bool`[K] - whether the syscall was invoked from the stack. Mutually exclusive with `is_heap` and `is_anon_vma`.
-* `is_heap`:`bool`[K] - whether the syscall was invoked from the heap. Mutually exclusive with `is_stack` and `is_anon_vma`.
-* `is_anon_vma`:`bool`[K] - whether the syscall was invoked from an anonymous (non-file-backed) VMA. Mutually exclusive with `is_stack` and `is_heap`.
+* `vma_type`:`char *`[K] - the type of the VMA which contains the code that triggered the syscall (one of *stack*/*heap*/*anonymous*)
 
 ## Hooks
 
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index e6d0c6c535a4..0b04142a2244 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -5253,15 +5253,26 @@ int BPF_KPROBE(check_syscall_source)
         // This key already exists, no need to submit the same syscall-vma-process combination again
         return 0;
 
-    bool is_stack = vma_type == VMA_STACK;
-    bool is_heap = vma_type == VMA_HEAP;
-    bool is_anon = vma_type == VMA_ANON;
+    char *vma_type_str;
+
+    switch (vma_type) {
+        case VMA_STACK:
+            vma_type_str = "stack";
+            break;
+        case VMA_HEAP:
+            vma_type_str = "heap";
+            break;
+        case VMA_ANON:
+            vma_type_str = "anonymous";
+            break;
+        // shouldn't happen
+        default:
+            return 0;
+    }
 
     save_to_submit_buf(&p.event->args_buf, &syscall, sizeof(syscall), 0);
     save_to_submit_buf(&p.event->args_buf, &ip, sizeof(ip), 1);
-    save_to_submit_buf(&p.event->args_buf, &is_stack, sizeof(is_stack), 2);
-    save_to_submit_buf(&p.event->args_buf, &is_heap, sizeof(is_heap), 3);
-    save_to_submit_buf(&p.event->args_buf, &is_anon, sizeof(is_anon), 4);
+    save_str_to_buf(&p.event->args_buf, vma_type_str, 2);
 
     events_perf_submit(&p, 0);
 
diff --git a/pkg/events/core.go b/pkg/events/core.go
index 450786911e26..11b5971af288 100644
--- a/pkg/events/core.go
+++ b/pkg/events/core.go
@@ -13069,9 +13069,7 @@ var CoreEvents = map[ID]Definition{
 		params: []trace.ArgMeta{
 			{Type: "int", Name: "syscall"},
 			{Type: "void*", Name: "ip"},
-			{Type: "bool", Name: "is_stack"},
-			{Type: "bool", Name: "is_heap"},
-			{Type: "bool", Name: "is_anon_vma"},
+			{Type: "char*", Name: "vma_type"},
 		},
 	},
 	//
diff --git a/tests/e2e-inst-signatures/e2e-check_syscall_source.go b/tests/e2e-inst-signatures/e2e-check_syscall_source.go
index 274adc48035a..944d772edc03 100644
--- a/tests/e2e-inst-signatures/e2e-check_syscall_source.go
+++ b/tests/e2e-inst-signatures/e2e-check_syscall_source.go
@@ -48,34 +48,26 @@ func (sig *e2eCheckSyscallSource) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "check_syscall_source":
-		syscall, err := helpers.GetTraceeIntArgumentByName(eventObj, "syscall")
+		syscall, err := helpers.ArgVal[int32](eventObj.Args, "syscall")
 		if err != nil {
 			return err
 		}
-		isStack, err := helpers.ArgVal[bool](eventObj.Args, "is_stack")
-		if err != nil {
-			return err
-		}
-		isHeap, err := helpers.ArgVal[bool](eventObj.Args, "is_heap")
-		if err != nil {
-			return err
-		}
-		isAnonVma, err := helpers.ArgVal[bool](eventObj.Args, "is_anon_vma")
+		vma_type, err := helpers.ArgVal[string](eventObj.Args, "vma_type")
 		if err != nil {
 			return err
 		}
 
 		// check expected values from test for detection
 
-		if syscall != int(events.Exit) {
+		if syscall != int32(events.Exit) {
 			return nil
 		}
 
-		if isStack {
+		if vma_type == "stack" {
 			sig.foundStack = true
-		} else if isHeap {
+		} else if vma_type == "heap" {
 			sig.foundHeap = true
-		} else if isAnonVma {
+		} else if vma_type == "anonymous" {
 			sig.foundAnonVma = true
 		} else {
 			return nil