
Add support for flags in fcntl, socket, socketpair, accept4

Open albe19029 opened this issue 1 year ago • 2 comments

For monitoring process files it is good to know the CLOEXEC flag. But for now only some of the methods support it (inotify_init1, eventfd2, signalfd4, dup3, pipe2, open, openat, open_by_handle_at, pidfd_open, epoll_create1, memfd_create).

But I think these ones are very important too:

- fcntl (F_DUPFD_CLOEXEC - FD_CLOEXEC, F_SETFD - FD_CLOEXEC)
- socket (SOCK_CLOEXEC)
- socketpair (SOCK_CLOEXEC)
- accept4 (SOCK_CLOEXEC)

Is it possible to add this? When execve is called, it is impossible to see which file descriptors should be copied to the new process and which should not.

I also noticed that for some methods the flags exist, but in native format, not the scap portable PPM_*_CLOEXEC (pidfd_getfd, timerfd_create, userfaultfd).

albe19029 avatar Aug 12 '24 05:08 albe19029
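
The descriptor-creation paths named in the issue above, as an added example that is not part of the original thread or of the falcosecurity/libs code: each one sets close-on-exec without going through the open() family, and F_GETFD reads back the state a monitor has to track. The helper names, the bitmask values and the Linux AF_UNIX autobind used to reach accept4 are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 if fd carries FD_CLOEXEC, 0 if it would survive execve, -1 on error. */
static int is_cloexec(int fd) {
    int fl = fcntl(fd, F_GETFD);
    return fl < 0 ? -1 : (fl & FD_CLOEXEC) != 0;
}

enum { PLAIN_INHERITED = 1, VIA_SOCKET = 2, VIA_SOCKETPAIR = 4,
       VIA_DUPFD = 8, VIA_ACCEPT4 = 16, VIA_SETFD = 32 };

/* Bitmask of the creation paths whose descriptor state matched expectation. */
int cloexec_paths(void) {
    int mask = 0, sp[2] = {-1, -1}, acc = -1;
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    socklen_t len = sizeof(addr);

    int plain = socket(AF_UNIX, SOCK_STREAM, 0);   /* no flag: inherited */
    if (is_cloexec(plain) == 0) mask |= PLAIN_INHERITED;
    int lst = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (is_cloexec(lst) == 1) mask |= VIA_SOCKET;
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sp) == 0 &&
        is_cloexec(sp[0]) == 1 && is_cloexec(sp[1]) == 1) mask |= VIA_SOCKETPAIR;

    int dupfd = fcntl(plain, F_DUPFD_CLOEXEC, 0);  /* flag set on the copy only */
    if (is_cloexec(dupfd) == 1 && is_cloexec(plain) == 0) mask |= VIA_DUPFD;

    /* Linux autobind (addrlen == sizeof(sa_family_t)) picks an abstract name.
     * accept4 is issued as a raw syscall so no libc wrapper is required. */
    if (bind(lst, (struct sockaddr *)&addr, sizeof(sa_family_t)) == 0 &&
        listen(lst, 1) == 0 &&
        getsockname(lst, (struct sockaddr *)&addr, &len) == 0 &&
        connect(plain, (struct sockaddr *)&addr, len) == 0)
        acc = (int)syscall(SYS_accept4, lst, NULL, NULL, SOCK_CLOEXEC);
    if (is_cloexec(acc) == 1) mask |= VIA_ACCEPT4;

    /* F_SETFD flips the state after creation, with no new descriptor. */
    if (fcntl(plain, F_SETFD, FD_CLOEXEC) == 0 && is_cloexec(plain) == 1)
        mask |= VIA_SETFD;

    int fds[] = { plain, lst, sp[0], sp[1], dupfd, acc };
    for (unsigned i = 0; i < sizeof fds / sizeof *fds; i++)
        if (fds[i] >= 0) close(fds[i]);
    return mask;
}
```

A tracer that records only the open-family flags would classify every descriptor here as inherited across execve, although only the first socket starts out that way and F_SETFD later changes even that one.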

Hi @albe19029, yes, you are right, we need to improve the flags management in our syscalls. Your request makes sense! I will add it to the backlog.

Andreagit97 avatar Aug 12 '24 08:08 Andreagit97

Thanks a lot. I forgot about one more point: is it also possible to add open_flags not only for SCAP_FD_FILE_V2 (for now the scap_fd_flags_file flags are only added there)?

albe19029 avatar Aug 12 '24 08:08 albe19029

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 10 '24 10:11 poiana

/remove-lifecycle stale

albe19029 avatar Nov 10 '24 13:11 albe19029

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Feb 08 '25 16:02 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Mar 10 '25 16:03 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana avatar Apr 09 '25 16:04 poiana

@poiana: Closing this issue.

poiana avatar Apr 09 '25 16:04 poiana