
Cannot filter on `sys_enter.args.syscall`

Open oshaked1 opened this issue 1 year ago • 2 comments

Description

Filtering on the syscall argument of sys_enter does not work, neither with a syscall name nor with its number. e.g. sys_enter.args.syscall=321 or sys_enter.args.syscall=bpf do not work.

Output of tracee version:

Tracee version: v0.20.0

Output of uname -a:

Linux ****** 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Additional details

The problem appears to be in the following check from pkt/filters/args.go line 59:

```go
// Every argument value is stringified before comparison, except "syscall",
// which keeps its original (non-string) type.
if argName != "syscall" {
    argVal = fmt.Sprint(argVal)
}
```

Conversion of the argument value to string form doesn't happen specifically for the syscall argument.

oshaked1 avatar Feb 22 '24 12:02 oshaked1
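A simplified reproduction of the comparison described above, written as an added example rather than code from tracee: `matchArgBuggy` skips the string conversion for the `syscall` argument exactly as the quoted check does, so a string filter value can never equal the raw numeric value, while the hypothetical `matchArgFixed` normalizes the syscall argument so both the number and the name match. The `syscallNames` table and the `int32` type of the argument are constructed assumptions for the example.

```go
package main

import "fmt"

// Constructed subset of a syscall table; sample data for this example only.
var syscallNames = map[int32]string{321: "bpf", 59: "execve"}

// matchArgBuggy models the quoted check: every argument is stringified before
// comparison except "syscall", which stays an int32. Comparing an interface
// holding int32(321) with the string "321" is always false, so neither
// "321" nor "bpf" can ever match for the syscall argument.
func matchArgBuggy(argName string, argVal interface{}, want string) bool {
	var cmp interface{} = argVal
	if argName != "syscall" {
		cmp = fmt.Sprint(argVal)
	}
	return cmp == want
}

// matchArgFixed (hypothetical fix, not tracee's) accepts either spelling of
// the filter value for the syscall argument: its number or its name.
// Other arguments are stringified and compared as before.
func matchArgFixed(argName string, argVal interface{}, want string) bool {
	if argName == "syscall" {
		if nr, ok := argVal.(int32); ok {
			return want == fmt.Sprint(nr) || want == syscallNames[nr]
		}
	}
	return fmt.Sprint(argVal) == want
}

func main() {
	// Constructed event: sys_enter with syscall argument 321 (bpf).
	for _, filter := range []string{"321", "bpf"} {
		fmt.Printf("sys_enter.args.syscall=%s  buggy=%v  fixed=%v\n", filter,
			matchArgBuggy("syscall", int32(321), filter),
			matchArgFixed("syscall", int32(321), filter))
	}
}
```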

@oshaked1 thanks for this.

I have an initial solution to make sys_enter.args.syscall=bpf work asap. Making both (number/name) work would demand changes in the filter parser.

geyslan avatar Feb 22 '24 13:02 geyslan

Sounds great. Filtering on the number is not a priority for me; I just mentioned it to clarify that no method worked.

oshaked1 avatar Feb 22 '24 13:02 oshaked1