tracee icon indicating copy to clipboard operation
tracee copied to clipboard

Published 20 hours ago verified publisher icon aquasecurity

[REFAC] parse-arguments-fds feature needs refactoring for multiple fds (and feature for socket related fds)

Open rafaeldtinoco opened this issue 3 years ago • 4 comments
trafficstars

Prerequisites

Select one OR another:

  • [x] I have discussed the refactoring idea with one (or another) maintainer.
  • [ ] I'll create a PR to implement this refactoring idea (assign to yourself).
  • [x] Someone else should implement this (describe it well).

Refactoring description

This refactoring is about improving the about to be merged "parse-arguments-fds" (feature made by @geyslan in PR: #1971 and merged in PR: #2086 feature:

  • [ ] 1. change the fd argument type to string https://github.com/aquasecurity/tracee/pull/2086#issuecomment-1222500718 ~~- [ ] 2. check if we can replace sys_enter() if{} code for a tail-call to its end~~
  • [ ] 3. move the event generation to sys_exit() https://github.com/aquasecurity/tracee/pull/2086#issuecomment-1221805255
  • [ ] 4. perhaps create a table of syscalls and correspondent file descriptors (1st arg, 2nd arg)
  • [ ] 5. after new networking code is merged, to check if we can translate fd filenames AND sockets
  1. probably more ...

Additional Information (feature drawings, files, logs, etc)

@geyslan I'm assigning you for this as you are the author. I believe it would be good to have this feature with these improvements for milestone 0.9.0 (but it is not mandatory for that milestone). Feel free to unassign yourself and/or close at your will.

rafaeldtinoco avatar Aug 22 '22 03:08 rafaeldtinoco

I updated the header mentioning the requests.

geyslan avatar Aug 24 '22 14:08 geyslan

  1. change the fd argument type to string

For that I suppose we would need to change all syscall args {Type: "int", Name: "fd"} (and related) to {Type: "const char*", Name: "fd"}. If I'm right, it's not ideal as we would change syscall signatures.

  1. move the event generation to sys_exit()

We can save fd translation via sys_enter and load it from the map via sys_exit to allow sending it as part of the event.

These two steps are doable, but my question is, should the fd translation be a new arg in each events.go syscall? This goes back to concerns above (signature changes).

@rafaeldtinoco @yanivagman I would appreciate your thoughts.

geyslan avatar Aug 24 '22 17:08 geyslan

I believe changing the argument type has already been discussed in the original PR comments and we agreed not to do (as the signatures will never use the string value, since it adds overhead to the execution/pipeline).

rafaeldtinoco avatar Aug 24 '22 17:08 rafaeldtinoco

  1. change the fd argument type to string

For that I suppose we would need to change all syscall args {Type: "int", Name: "fd"} (and related) to {Type: "const char*", Name: "fd"}. If I'm right, it's not ideal as we would change syscall signatures.

No need to change syscall signatures. We already have cases where we parse int arguments to strings and change the type accordingly (e.g. "flags" arguments here: https://github.com/aquasecurity/tracee/blob/main/pkg/events/parse_args.go#L70 )

  1. move the event generation to sys_exit()

We can save fd translation via sys_enter and load it from the map via sys_exit to allow sending it as part of the event.

Yes. The idea is to keep the output same as it is now, but instead of reading the map value in userspace (like is being done now), do it in sys_exit

yanivagman avatar Aug 24 '22 19:08 yanivagman

I'm closing this as not planned. Feel free to reopen it when required.

geyslan avatar Mar 21 '23 19:03 geyslan