
eBPF probes: 32 bit applications support

Open alexburt opened this issue 2 years ago • 7 comments

Hello, is there a reason why 32-bit syscalls are not supported by the eBPF driver? My test program opens /etc/shadow and normally triggers the alert. But there are no alerts when I compile the program as ELF 32-bit (gcc -m32).

Looks like 32-bit calls are just skipped by the eBPF probe (https://github.com/falcosecurity/libs/blob/master/driver/bpf/probe.c):

if (bpf_in_ia32_syscall()) return 0;

Any reason for that?

alexburt avatar Apr 05 '22 23:04 alexburt
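An added illustration (editor's example, not code from falcosecurity/libs) of why the probe cannot simply drop that early return: x86_64 and i386 assign different numbers to the same syscall, so compat calls need their own number-to-event table. The event ids and table contents are constructed for the example; the syscall numbers themselves are the real entries from the x86_64 and i386 tables.

```c
#include <stdbool.h>
#include <stddef.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Constructed event ids standing in for the probe's event types. */
enum event { EV_NONE = 0, EV_READ, EV_WRITE, EV_OPEN, EV_FSTAT, EV_EXECVE, EV_OPENAT };
struct syscall_map { int nr; enum event ev; };

/* Native x86_64 syscall numbers (real values from the x86_64 table). */
static const struct syscall_map x86_64_table[] = {
    { 0, EV_READ }, { 1, EV_WRITE }, { 2, EV_OPEN },
    { 5, EV_FSTAT }, { 59, EV_EXECVE }, { 257, EV_OPENAT },
};
/* i386 compat numbers, the ones a -m32 binary issues (real values from the
 * i386 table). Note that 5 means open here but fstat above. */
static const struct syscall_map ia32_table[] = {
    { 3, EV_READ }, { 4, EV_WRITE }, { 5, EV_OPEN },
    { 108, EV_FSTAT }, { 11, EV_EXECVE }, { 295, EV_OPENAT },
};

static enum event lookup(const struct syscall_map *t, size_t n, int nr)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].nr == nr)
            return t[i].ev;
    return EV_NONE;
}

/* Behaviour the issue describes: a compat syscall yields no event at all, so
 * a 32-bit process touching a sensitive file never reaches the rules. */
enum event classify_skip_compat(int nr, bool in_ia32_syscall)
{
    return in_ia32_syscall ? EV_NONE : lookup(x86_64_table, ARRAY_SIZE(x86_64_table), nr);
}

/* The wrong shortcut: running a compat number through the native table
 * mislabels the event (compat open comes out as fstat). */
enum event classify_naive(int nr, bool in_ia32_syscall)
{
    (void)in_ia32_syscall;
    return lookup(x86_64_table, ARRAY_SIZE(x86_64_table), nr);
}

/* Shape of the requested feature: choose the table from the compat flag. */
enum event classify_compat_aware(int nr, bool in_ia32_syscall)
{
    if (in_ia32_syscall)
        return lookup(ia32_table, ARRAY_SIZE(ia32_table), nr);
    return lookup(x86_64_table, ARRAY_SIZE(x86_64_table), nr);
}
```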

Hi! I think that the issue with compat syscalls is that we don't really support them; we'd need to implement its support. I think that from a security standpoint, we really need that though! I might work on this in my spare time :)

FedeDP avatar Apr 06 '22 07:04 FedeDP

/kind feature

FedeDP avatar May 11 '22 11:05 FedeDP

We would be interested in this feature as well. This may be a big security gap.

2Bor2C avatar May 17 '22 11:05 2Bor2C

Yep, we know that; that's unfortunate and we must implement its support. I'll try to target 0.33 for this. 0.32 is coming soon and there is not enough time to implement and test it.

FedeDP avatar May 17 '22 11:05 FedeDP

You are right @2Bor2C, we will try to insert it in 0.33.

Andreagit97 avatar May 22 '22 10:05 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Aug 20 '22 15:08 poiana

/remove-lifecycle stale

Andreagit97 avatar Aug 20 '22 16:08 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 18 '22 21:11 poiana

/remove-lifecycle stale

FedeDP avatar Nov 19 '22 13:11 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Feb 17 '23 15:02 poiana

@FedeDP any update on this?

/remove-lifecycle stale

Cryptophobia avatar Feb 17 '23 16:02 Cryptophobia

Nope :( still need to schedule some time for this!

FedeDP avatar Feb 17 '23 17:02 FedeDP

@alexburt Feature is scheduled for Falco 0.36 release and tracked under Falco issue https://github.com/falcosecurity/falco/issues/2472. According to our new roadmap planning we may have 2 libs releases per one Falco release, therefore the feature may land earlier in libs.

incertum avatar Apr 05 '23 14:04 incertum

Hi, I would like to understand the root cause of why the bpf_in_ia32_syscall check was put there in the first place; I failed to understand it from git blame, and 32-bit arches are supported by eBPF. Can you please elaborate regarding this issue?

oheifetz avatar Jul 11 '23 09:07 oheifetz

@oheifetz - @FedeDP has this item in his queue. The work has not yet started. We will keep everyone updated here if this is ok? Thank you for your patience 🙏

incertum avatar Jul 11 '23 14:07 incertum