[LIBS PLUGINS] Accessors to libs state tables fields - 2
See the previous issue https://github.com/falcosecurity/libs/issues/1712. This issue is to track obtaining access to additional critical libs state data.
The approach will be similar to the recent extensions regarding how to access the proc args and fd tables.
- [ ] user & group info
  ```cpp
  falcosecurity::table_field m_uid
  falcosecurity::table_field m_user
  falcosecurity::table_field m_loginuid
  falcosecurity::table_field m_loginuser
  ```
- [ ] capabilities
  ```cpp
  falcosecurity::table_field m_cap_permitted
  falcosecurity::table_field m_cap_inheritable
  falcosecurity::table_field m_cap_effective
  ```
- [ ] container data
- [ ] flags: `uint32_t sinsp_threadinfo::m_flags`
- [ ] libs `lastevent_fd_field` (per thread cache instance, mtinfo)
  ```cpp
  falcosecurity::table_field m_lastevent_fd_field
  // Maybe while here just open up all of them
  int64_t m_lastevent_fd; ///< The FD of the last event used by this thread.
  uint64_t m_lastevent_ts; ///< timestamp of the last event for this thread.
  uint64_t m_prevevent_ts; ///< timestamp of the event before the last for this thread.
  uint64_t m_lastaccess_ts; ///< The last time this thread was looked up. Used when cleaning up the table.
  uint64_t m_clone_ts; ///< When the clone that started this process happened.
  uint64_t m_lastexec_ts; ///< The last time exec was called
  ```

fdinfo - Make all members accessible
- [ ] `scap_fd_type m_type`
  ```cpp
  falcosecurity::table_field m_fd_type_value;
  ```
- [ ] `sinsp_sockinfo m_sockinfo`
  ```cpp
  falcosecurity::table_field m_fd_sockinfo_value;
  ```
This will be a challenging task due to the numerous custom sub-data structures we have. However, without access to these structures, we are unable to support most of the network-related fd.* filtercheck fields through custom logic within a syscalls plugin.
```cpp
union sinsp_sockinfo
{
ipv4tuple m_ipv4info; ///< The tuple if this is an IPv4 socket.
ipv6tuple m_ipv6info; ///< The tuple if this is an IPv6 socket.
ipv4serverinfo m_ipv4serverinfo; ///< Information about an IPv4 server socket.
ipv6serverinfo m_ipv6serverinfo; ///< Information about an IPv6 server socket.
unix_tuple m_unixinfo; ///< The tuple if this is a unix socket.
};
```
...
Additional random comments:
- Uncertain how we would or could access the corresponding enter event, if applicable.
- How do we get the main thread?
TBD what other data structures shall be made accessible.
@jasondellaluce as requested, attempted to update the initial comment to reflect a more detailed view of pending tasks https://github.com/falcosecurity/libs/issues/1944#issue-2386739791. Thanks.
/milestone TBD
/assign @jasondellaluce
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
@poiana: Closing this issue.
In response to this:
> Rotten issues close after 30d of inactivity.
> Reopen the issue with /reopen.
> Mark the issue as fresh with /remove-lifecycle rotten.
> Provide feedback via https://github.com/falcosecurity/community.
> /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.