libs icon indicating copy to clipboard operation
libs copied to clipboard

Published 20 hours ago verified publisher icon falcosecurity

feat: extend `PPME_SYSCALL_{P}WRITEV_X` with enter parameters

Open ekoops opened this issue 5 months ago • 7 comments

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

This PR is part of https://github.com/falcosecurity/libs/issues/2427.

It:

  • adds PPME_SYSCALL_{P}WRITEV_E parameters to PPME_SYSCALL_{P}WRITEV_X event definition and aligns all 3 kernel drivers to it
  • adds new rules to scap file converter table to convert events in old scap files to the new layout
  • adds/updates {p}writev-related drivers, scap converter and sinsp parser tests to account the new layout.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

/milestone 0.22.0

Does this PR introduce a user-facing change?:

NONE

ekoops avatar Jun 27 '25 15:06 ekoops

Please double check driver/SCHEMA_VERSION file. See versioning.

/hold

github-actions[bot] avatar Jun 27 '25 15:06 github-actions[bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

poiana avatar Jun 27 '25 15:06 poiana

LGTM label has been added.

Git tree hash: 1ed3df1301bfac5f0d73c8b62457da58089bcc6e

poiana avatar Jun 27 '25 16:06 poiana

X64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-4.19 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2-5.10 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2023-6.1 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.0 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.7 🟢 🟢 🟢 🟢 🟢 🟢
centos-3.10 🟢 🟢 🟢 🟡 🟡 🟡
centos-4.18 🟢 🟢 🟢 🟢 🟢 🟢
centos-5.14 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.17 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.8 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-3.10 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-4.14 🟢 🟢 🟢 🟢 🟢 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-5.4 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-4.15 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-5.8 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

ARM64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-4.14 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

github-actions[bot] avatar Jun 27 '25 22:06 github-actions[bot]

New changes are detected. LGTM label has been removed.

poiana avatar Jun 30 '25 07:06 poiana

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 78.51%. Comparing base (239b981) to head (3142c0b). Report is 6 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2520      +/-   ##
==========================================
+ Coverage   78.47%   78.51%   +0.03%     
==========================================
  Files         289      291       +2     
  Lines       31866    31919      +53     
  Branches     4641     4642       +1     
==========================================
+ Hits        25008    25060      +52     
- Misses       6858     6859       +1
Flag Coverage Δ
libsinsp 78.51% <100.00%> (+0.03%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Jun 30 '25 08:06 codecov[bot]

Perf diff from master - unit tests

   100.00%    -99.63%  [.] 0x0000000000077e90

Heap diff from master - unit tests

peak heap memory consumption: -32.00K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 3.00M

Heap diff from master - scap file

peak heap memory consumption: -4.49K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            -0.0144         -0.0142           149           147           149           147
BM_sinsp_split_median                                          -0.0183         -0.0182           150           147           150           147
BM_sinsp_split_stddev                                          -0.4693         -0.4693             2             1             2             1
BM_sinsp_split_cv                                              -0.4616         -0.4616             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.1273         -0.1272            64            56            64            56
BM_sinsp_concatenate_paths_relative_path_median                -0.1273         -0.1272            64            56            64            56
BM_sinsp_concatenate_paths_relative_path_stddev                -0.5995         -0.5993             1             1             1             1
BM_sinsp_concatenate_paths_relative_path_cv                    -0.5411         -0.5409             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     +0.0119         +0.0120            24            25            24            25
BM_sinsp_concatenate_paths_empty_path_median                   +0.0114         +0.0115            24            25            24            25
BM_sinsp_concatenate_paths_empty_path_stddev                   +0.8816         +0.8933             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       +0.8595         +0.8709             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.1035         -0.1034            61            55            61            55
BM_sinsp_concatenate_paths_absolute_path_median                -0.1008         -0.1007            61            55            61            55
BM_sinsp_concatenate_paths_absolute_path_stddev                +1.0567         +1.0571             1             2             1             2
BM_sinsp_concatenate_paths_absolute_path_cv                    +1.2940         +1.2942             0             0             0             0

github-actions[bot] avatar Jun 30 '25 09:06 github-actions[bot]

Close this in favor of:

  • https://github.com/falcosecurity/libs/pull/2523
  • https://github.com/falcosecurity/libs/pull/2524

ekoops avatar Jul 02 '25 15:07 ekoops