[FEATURE] Address last inconsistencies in our syscalls #1004

Open
27 tasks
Andreagit97 opened this issue Mar 25, 2023 · 11 comments
@Andreagit97
Member

Motivation

Today an event pair could be associated with more than one syscall/ppm_sc! This is wrong behavior because any syscall should have its dedicated event pair in order to correctly manage all its params (pipe2/pipe and inotify_init/inotify_init1 are examples of possible issues that this approach could generate, see #515).

This is the list of syscalls that use an event pair already associated with another syscall:

-> means: "uses an event pair already associated with"

  • __NR_ugetrlimit -> __NR_getrlimit
  • __NR_fcntl64 -> __NR_fcntl
  • __NR_sendfile64 -> __NR_sendfile
  • __NR_setresuid32 -> __NR_setresuid
  • __NR_setresgid32 -> __NR_setresgid
  • __NR_setuid32 -> __NR_setuid
  • __NR_setgid32 -> __NR_setgid
  • __NR_getuid32 -> __NR_getuid
  • __NR_geteuid32 -> __NR_geteuid
  • __NR_getgid32 -> __NR_getgid
  • __NR_getegid32 -> __NR_getegid
  • __NR_getresuid32 -> __NR_getresuid
  • __NR_getresgid32 -> __NR_getresgid

Extracted from: #911

Due to this inconsistency, we haven't implemented them yet in the modern bpf probe! In more detail, these are the syscalls that still miss a filler in the modern bpf:

  • fcntl64
  • stat64
  • fstat64
  • sendfile64
  • setresuid32
  • setresgid32
  • setuid32
  • setgid32
  • getuid32
  • geteuid32
  • getgid32
  • getegid32
  • getresuid32
  • getresgid32

Extracted from: #723

As you can notice, the 2 sets are almost identical, so the idea here is to create a new dedicated event pair for each syscall and add it into the modern bpf probe.

Please note: These syscalls should never be compiled unless you have the following kernel config enabled: CONFIG_64BIT.
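
As an added illustration (not part of the issue and not the project's code), the invariant described above, one dedicated event pair per syscall, can be checked mechanically over a syscall-to-event table. The table contents, event ids, struct and function names below are constructed for the example.

```c
#include <stdio.h>

/* Hypothetical, constructed table: each row maps a syscall to the id of the
 * event pair it emits. Names and ids are illustrative, not the project's. */
struct sc_entry {
	const char *syscall;
	int event_pair; /* id identifying the enter/exit event pair */
};

static const struct sc_entry sample_table[] = {
	{"getrlimit", 10}, {"ugetrlimit", 10}, /* shared pair */
	{"fcntl", 12},     {"fcntl64", 12},    /* shared pair */
	{"setuid", 14},    {"setuid32", 14},   /* shared pair */
	{"open", 16},      {"close", 18},      /* dedicated pairs */
};
#define SAMPLE_LEN (sizeof(sample_table) / sizeof(sample_table[0]))

/* Returns the index of the first earlier row that owns the same event pair
 * as row i, or -1 if row i is the first user of its pair. */
static int first_owner(const struct sc_entry *t, size_t i)
{
	for (size_t j = 0; j < i; j++)
		if (t[j].event_pair == t[i].event_pair)
			return (int)j;
	return -1;
}

/* Counts rows that reuse a pair already associated with another syscall and,
 * when report is non-zero, prints them in the issue's "a -> b" notation. */
static int count_shared_pairs(const struct sc_entry *t, size_t n, int report)
{
	int shared = 0;
	for (size_t i = 0; i < n; i++) {
		int owner = first_owner(t, i);
		if (owner < 0)
			continue;
		shared++;
		if (report)
			printf("%s -> %s (event pair %d)\n", t[i].syscall,
			       t[owner].syscall, t[i].event_pair);
	}
	return shared;
}

int main(void)
{
	/* A non-zero exit status means the one-pair-per-syscall invariant is broken. */
	return count_shared_pairs(sample_table, SAMPLE_LEN, 1) ? 1 : 0;
}
```

Run as a build-time check, a non-zero exit flags any syscall that still borrows another syscall's event pair.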

@Andreagit97 Andreagit97 added the kind/feature New feature or request label Mar 25, 2023
@Andreagit97 Andreagit97 added this to the next-driver milestone Mar 25, 2023
@Andreagit97 Andreagit97 self-assigned this Mar 25, 2023
@Andreagit97
Member Author

I've used milestone /next-driver, but we will probably focus on that in the next release.

@FedeDP
Contributor

FedeDP commented Apr 27, 2023

/milestone next-driver

@poiana poiana modified the milestones: 5.0.0+driver, next-driver Apr 27, 2023
@Andreagit97 Andreagit97 modified the milestones: driver-backlog, TBD Sep 4, 2023
@poiana
Contributor

poiana commented Dec 3, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Member Author

/remove-lifecycle stale

@poiana
Contributor

poiana commented Mar 3, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Member Author

/remove-lifecycle stale

@poiana
Contributor

poiana commented Jun 3, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Member Author

/remove-lifecycle stale

@poiana
Contributor

poiana commented Sep 2, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Contributor

poiana commented Oct 2, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@Andreagit97
Member Author

/remove-lifecycle rotten
