[Feature] implement new event pairs for a restricted set of syscalls #911
Comments
|
to these syscalls we need to add other 2 corner cases:
|
This was referenced Mar 7, 2023
#975 addresses this by adding a new event pair ( |
|
/milestone 0.11.0 |
4 tasks
Probably we won't finish it for libs 0.11.0, we will just address the "first set". To close this issue I would like to remove all inconsistencies :)! |
27 tasks
|
Collected the remaining points into #1004 we can close this :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Motivation
Working on the new dynamic syscall selection, we faced some issues regarding the resolution from the event type to the associated syscall. The 2 main issues are:
syscall_tableto perform the conversion and this table is architecture dependent. Issue related to this fact: [Bug] Incorrect log output on arm64 in application::check_for_ignored_events falco#2326clonesyscall, there are several event pairs corresponding to it.We can address this issue by adding a new field to the
event_table, a sort of "source" of the event, in this way we are able to perform, in an architecture-indigent way, an exact conversion fromeventstoppm_scand vice-versa.One blocker to this solution is the fact that today we have an event pair associated with more than one syscall (
ppm_sc)! This is a wrong behavior because any syscall should have its dedicated event pair in order to correctly manage all its params (pipe2/pipeandinotify_init/inotify_init1are an example of possible issues that this approach could generate #515).This is the list of syscalls that use an event pair already associated with another syscall:
->means: "uses an event pair already associated with"First set
__NR_pipe2->__NR_pipe__NR_inotify_init1->__NR_inotify_init__NR_eventfd2->__NR_eventfd__NR_signalfd4->__NR_signalfdSecond set
__NR_ugetrlimit->__NR_getrlimit__NR_fcntl64->__NR_fcntl__NR_sendfile64->__NR_sendfile__NR_setresuid32->__NR_setresuid__NR_setresgid32->__NR_setresgid__NR_setuid32->__NR_setuid__NR_setgid32->__NR_setgid__NR_getuid32->__NR_getuid__NR_geteuid32->__NR_geteuid__NR_getgid32->__NR_getgid__NR_getegid32->__NR_getegid__NR_getresuid32->__NR_getresuid__NR_getresgid32->__NR_getresgidI've split them into 2 sets because the first one is a real blocker, while the second set is composed of syscalls that are never defined on our supported architectures so the solution will work also if they are associated with an already used event pair. BTW this is an inconsistent approach so we need to address all of them in order to obtain a clear final design.
Please note: a syscall can have multiple event pairs associated while the opposite relation should be forbidden! An event pair should be associated with just one syscall! (the generic event pair is an exception since by definition it is associated with more syscalls)
Feature
Implements new event pairs for the aforementioned syscalls ☝️
Example:
a new event pair for
pipe2->PPME_SYSCALL_PIPE2_E/PPME_SYSCALL_PIPE2_XThe text was updated successfully, but these errors were encountered: