tracee
tracee copied to clipboard
aquasecurity
[FEAT] Change socket option parsing API to new libbpfgo
Prerequisites
- [ ] This issue is an EPIC issue (add label: EPIC).
- [ ] This issue is an EPIC TASK (add issue to EPIC description).
Select one OR another:
- [ ] I'll create a PR to implement this feature (assign to yourself).
- [x] Someone else should implement this (describe it well).
Feature description
In libbpfgo we updated the socket option parsing function to give precise string values to options, by dividing it to 2 parsing functions.
This means that the ParseSocketOption won't be available in the next version of libbpfgo, and we will need to update the ParseArgs function under events package to use ParseSetSocketOption instead for parsing the security_socket_setsockopt event argument.
I'm using:
From 18fa4264f4571cd6270f349d56bdfbc854cea3db Mon Sep 17 00:00:00 2001
From: Rafael David Tinoco <[email protected]>
Date: Wed, 24 Aug 2022 11:21:09 -0300
Subject: [PATCH] parse_args: fix API bump for setsockopt/getsockopt
---
pkg/events/parse_args.go | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go
index 6a91f0b1..a16876a1 100644
--- a/pkg/events/parse_args.go
+++ b/pkg/events/parse_args.go
@@ -207,7 +207,13 @@ func ParseArgs(event *trace.Event) error {
}
if optionNameArg := GetArg(event, "optname"); optionNameArg != nil {
if opt, isInt := optionNameArg.Value.(int32); isInt {
- optionNameArgument, err := helpers.ParseSocketOption(uint64(opt))
+ var optionNameArgument helpers.SocketOptionArgument
+ var err error
+ if ID(event.EventID) == Getsockopt {
+ optionNameArgument, err = helpers.ParseGetSocketOption(uint64(opt))
+ } else {
+ optionNameArgument, err = helpers.ParseSetSocketOption(uint64(opt))
+ }
ParseOrEmptyString(optionNameArg, optionNameArgument, err)
}
}
--
2.37.2
for my local tests (where I needed to bump to latest libbpfgo).
So I thought we might want to advance libbpfgo version when a new version will be released.
If you want to do it with just latest commit, then I can do the update.
I'm using:
From 18fa4264f4571cd6270f349d56bdfbc854cea3db Mon Sep 17 00:00:00 2001 From: Rafael David Tinoco <[email protected]> Date: Wed, 24 Aug 2022 11:21:09 -0300 Subject: [PATCH] parse_args: fix API bump for setsockopt/getsockopt --- pkg/events/parse_args.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go index 6a91f0b1..a16876a1 100644 --- a/pkg/events/parse_args.go +++ b/pkg/events/parse_args.go @@ -207,7 +207,13 @@ func ParseArgs(event *trace.Event) error { } if optionNameArg := GetArg(event, "optname"); optionNameArg != nil { if opt, isInt := optionNameArg.Value.(int32); isInt { - optionNameArgument, err := helpers.ParseSocketOption(uint64(opt)) + var optionNameArgument helpers.SocketOptionArgument + var err error + if ID(event.EventID) == Getsockopt { + optionNameArgument, err = helpers.ParseGetSocketOption(uint64(opt)) + } else { + optionNameArgument, err = helpers.ParseSetSocketOption(uint64(opt)) + } ParseOrEmptyString(optionNameArg, optionNameArgument, err) } } -- 2.37.2for my local tests (where I needed to bump to latest libbpfgo).
But yea @rafaeldtinoco, this is the change needed here.
@AlonZivony I recently spoke with @grantseltzer about bumping libbpfgo, and he is checking a few things to see if we go directly to libbpfgo w/ libbpf 1.0 OR stay at libbpf 0.8.1 (checking some breaking changes libbpf 1.0 might have had).
But yes, we're bumping libbpfgo for Tracee 0.8.2 release.