libs icon indicating copy to clipboard operation
libs copied to clipboard

Published 20 hours ago verified publisher icon falcosecurity

new(modern_bpf): add support for `bpf`, `flock`, `ioctl`, `quotactl`, `unshare`, `mount`, `umount2`

Open Andreagit97 opened this issue 1 year ago • 1 comments

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area driver-modern-bpf

/area libpman

/area tests

Does this PR require a change in the driver versions?

What this PR does / why we need it:

This PR is part of a series https://github.com/falcosecurity/libs/issues/513, the final aim is to support the most important syscalls also in the new probe. This PR introduces:

  • bpf
  • flock
  • ioctl
  • quotactl
  • unshare
  • mount
  • umount2

Which issue(s) this PR fixes:

Special notes for your reviewer:

Today we define the events PPME_SYSCALL_UMOUNT_E and PPME_SYSCALL_UMOUNT_X, but we use them for the umount2 syscall, we don't instrument the umount. This is probably due to the fact that in many x64 architectures __NR_umount is not defined

Does this PR introduce a user-facing change?:

new(modern_bpf): add support for `bpf`, `flock`, `ioctl`, `quotactl`, `unshare`, `mount`, `umount2`

Andreagit97 avatar Aug 12 '22 21:08 Andreagit97

LGTM label has been added.

Git tree hash: d2eca8cbc58506d31312cca3665d5e4b29a2e5b1

poiana avatar Aug 30 '22 13:08 poiana

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [Andreagit97,FedeDP]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

poiana avatar Aug 30 '22 14:08 poiana