From c83c483d2becb4b3292ab36bc59d1172a5e379fe Mon Sep 17 00:00:00 2001
From: Alexander Kindyakov <akindyakov@fb.com>
Date: Mon, 4 Feb 2019 09:10:44 -0800
Subject: [PATCH] Let's EbpfTracepoint own the ebpf::Program and
 tracing::NativeEvent

Summary: Part of a linux  tracing system, blueprint: [#5218](https://github.com/facebook/osquery/issues/5218)

Reviewed By: SAlexandru

Differential Revision: D13787759

fbshipit-source-id: 726075e04474b4148c0292d6e9e8f10cf60b9214
---
 .../events/linux/probes/ebpf_tracepoint.cpp   | 19 ++++++++++----
 osquery/events/linux/probes/ebpf_tracepoint.h | 14 +++++++---
 osquery/events/linux/probes/tests/BUCK        |  1 -
 .../linux/probes/tests/ebpf_tracepoint.cpp    | 26 -------------------
 4 files changed, 24 insertions(+), 36 deletions(-)
 delete mode 100644 osquery/events/linux/probes/tests/ebpf_tracepoint.cpp

diff --git a/osquery/events/linux/probes/ebpf_tracepoint.cpp b/osquery/events/linux/probes/ebpf_tracepoint.cpp
index d87f3b18ada..e1af29e188d 100644
--- a/osquery/events/linux/probes/ebpf_tracepoint.cpp
+++ b/osquery/events/linux/probes/ebpf_tracepoint.cpp
@@ -22,11 +22,20 @@
 namespace osquery {
 namespace events {
 
-EbpfTracepoint::EbpfTracepoint(EbpfTracepoint&& other) : fd_(other.fd_) {
+EbpfTracepoint::EbpfTracepoint(tracing::NativeEvent system_event,
+                               ebpf::Program program)
+    : system_event_{std::move(system_event)}, program_{std::move(program)} {}
+
+EbpfTracepoint::EbpfTracepoint(EbpfTracepoint&& other)
+    : fd_{other.fd_},
+      system_event_{std::move(other.system_event_)},
+      program_{std::move(other.program_)} {
   other.fd_ = -1;
 }
 
 EbpfTracepoint& EbpfTracepoint::operator=(EbpfTracepoint&& other) {
+  std::swap(system_event_, other.system_event_);
+  std::swap(program_, other.program_);
   std::swap(fd_, other.fd_);
   return *this;
 }
@@ -36,14 +45,14 @@ EbpfTracepoint::~EbpfTracepoint() {
 }
 
 Expected<EbpfTracepoint, EbpfTracepoint::Error> EbpfTracepoint::load(
-    tracing::SystemEventId system_event_id, int prog_fd) {
-  auto instance = EbpfTracepoint{};
+    tracing::NativeEvent system_event, ebpf::Program program) {
+  auto instance = EbpfTracepoint(std::move(system_event), std::move(program));
 
   struct perf_event_attr trace_attr;
   memset(&trace_attr, 0, sizeof(struct perf_event_attr));
   trace_attr.type = PERF_TYPE_TRACEPOINT;
   trace_attr.size = sizeof(struct perf_event_attr);
-  trace_attr.config = system_event_id;
+  trace_attr.config = instance.system_event_.id();
   trace_attr.sample_period = 1;
   trace_attr.sample_type = PERF_SAMPLE_RAW;
   trace_attr.wakeup_events = 1;
@@ -62,7 +71,7 @@ Expected<EbpfTracepoint, EbpfTracepoint::Error> EbpfTracepoint::load(
   }
   instance.fd_ = fd_exp.take();
 
-  if (ioctl(instance.fd_, PERF_EVENT_IOC_SET_BPF, prog_fd) < 0) {
+  if (ioctl(instance.fd_, PERF_EVENT_IOC_SET_BPF, instance.program_.fd()) < 0) {
     return createError(Error::SystemError,
                        "Fail to attach perf event of EbpfTracepoint ")
            << boost::io::quoted(strerror(errno));
diff --git a/osquery/events/linux/probes/ebpf_tracepoint.h b/osquery/events/linux/probes/ebpf_tracepoint.h
index 44877382e90..a98210e2976 100644
--- a/osquery/events/linux/probes/ebpf_tracepoint.h
+++ b/osquery/events/linux/probes/ebpf_tracepoint.h
@@ -10,8 +10,10 @@
 
 #pragma once
 
+#include <osquery/utils/system/linux/ebpf/program.h>
+#include <osquery/utils/system/linux/tracing/native_event.h>
+
 #include <osquery/utils/expected/expected.h>
-#include <osquery/utils/system/linux/tracing/types.h>
 
 namespace osquery {
 namespace events {
@@ -31,11 +33,12 @@ class EbpfTracepoint final {
 
   ~EbpfTracepoint();
 
-  static Expected<EbpfTracepoint, Error> load(
-      tracing::SystemEventId system_event_id, int ebpf_prog_fd);
+  static Expected<EbpfTracepoint, Error> load(tracing::NativeEvent system_event,
+                                              ebpf::Program program);
 
  private:
-  explicit EbpfTracepoint() = default;
+  explicit EbpfTracepoint(tracing::NativeEvent system_event,
+                          ebpf::Program program);
 
   ExpectedSuccess<Error> unload();
 
@@ -43,6 +46,9 @@ class EbpfTracepoint final {
 
  private:
   int fd_ = -1;
+
+  tracing::NativeEvent system_event_;
+  ebpf::Program program_;
 };
 
 } // namespace events
diff --git a/osquery/events/linux/probes/tests/BUCK b/osquery/events/linux/probes/tests/BUCK
index b5462572c50..70a788e4e27 100644
--- a/osquery/events/linux/probes/tests/BUCK
+++ b/osquery/events/linux/probes/tests/BUCK
@@ -19,7 +19,6 @@ osquery_cxx_test(
         (
             LINUX,
             [
-                "ebpf_tracepoint.cpp",
                 "syscall_event.cpp",
             ],
         ),
diff --git a/osquery/events/linux/probes/tests/ebpf_tracepoint.cpp b/osquery/events/linux/probes/tests/ebpf_tracepoint.cpp
deleted file mode 100644
index 49d224891a9..00000000000
--- a/osquery/events/linux/probes/tests/ebpf_tracepoint.cpp
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- *  Copyright (c) 2014-present, Facebook, Inc.
- *  All rights reserved.
- *
- *  This source code is licensed under both the Apache 2.0 license (found in the
- *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
- *  in the COPYING file in the root directory of this source tree).
- *  You may select, at your option, one of the above-listed licenses.
- */
-
-#include <gtest/gtest.h>
-
-#include <osquery/events/linux/probes/ebpf_tracepoint.h>
-
-namespace osquery {
-namespace {
-
-class EbpfTracepointTests : public testing::Test {};
-
-TEST_F(EbpfTracepointTests, invalid_args) {
-  auto ebpf_tracepoint_exp = events::EbpfTracepoint::load(-1, -1);
-  ASSERT_TRUE(ebpf_tracepoint_exp.isError());
-}
-
-} // namespace
-} // namespace osquery