libs icon indicating copy to clipboard operation
libs copied to clipboard

Published 20 hours ago verified publisher icon falcosecurity

[BUG]: file related `dev` field extraction is dependent on the Filesystem type

Open FedeDP opened this issue 1 year ago • 9 comments

During the development of ppc64 me and @Andreagit97 noticed that some open related tests were failing to assert the dev field:

Expected equality of these values:
 *(T*)(m_event_params[m_current_param].valptr)
   Which is: 29
 param
   Which is: 37

Digging into it, we noticed that vfs_getattr_nosec calls a filesystem dependent getattr callback (https://elixir.bootlin.com/linux/v6.7.7/source/fs/stat.c#L135), that, for btrfs (the filesystem being used by our ppc64 test node), sets dev field differently: https://elixir.bootlin.com/linux/v6.7.7/source/fs/btrfs/inode.c#L8692.

See the call trace:

@[
    generic_fillattr+12
    btrfs_getattr+228
    vfs_getattr_nosec+244
    vfs_fstat+128
    __do_sys_newfstat+80
    system_call_exception+372
    system_call_vectored_common+348
]: 2

This means that our dev field is FS dependent and thus it cannot be relied upon. There is no way to fix this (at least on eBPF probes), since we miss the needed helpers.

FedeDP avatar Apr 19 '24 07:04 FedeDP

/milestone TBD

FedeDP avatar Apr 19 '24 07:04 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 18 '24 16:07 poiana

/remove-lifecycle stale

Andreagit97 avatar Jul 19 '24 07:07 Andreagit97