
fix(libsinsp): retrieve the correct `exepath` with `execveat` syscall

Open Andreagit97 opened this issue 3 years ago • 1 comment

What type of PR is this?

/kind bug

/kind cleanup

Any specific area of the project related to this PR?

/area libsinsp

/area tests

Does this PR require a change in the driver versions?

No

What this PR does / why we need it:

This PR fixes the retrieval of the execveat enter event when sinsp is parsing the execve exit event. Before this commit it was only possible to retrieve the enter event associated with the exit event we are parsing, so for example PPME_SYSCALL_EXECVE_19_X could only retrieve PPME_SYSCALL_EXECVE_19_E but not PPME_SYSCALL_EXECVEAT_E and this was a bug since in some cases the PPME_SYSCALL_EXECVE_19_X corresponds to a PPME_SYSCALL_EXECVEAT_E and not to a PPME_SYSCALL_EXECVE_19_E.

The execveat syscall is a wrapper of execve: when the call succeeds, the event returned is simply an execve exit event. So if an execveat is correctly executed we will have a PPME_SYSCALL_EXECVEAT_E as enter event and a PPME_SYSCALL_EXECVE_19_X as exit one.

Moreover, since we parse the exit event only if the syscall succeeds, I removed the support for PPME_SYSCALL_EXECVEAT_X in the parse_execve_exit method, since we will never obtain a PPME_SYSCALL_EXECVEAT_X if the execveat call is successful.

I've added some tests to stress the new logic :)

Which issue(s) this PR fixes:

Fixes #543

Special notes for your reviewer:

This PR depends on https://github.com/falcosecurity/libs/pull/551, here we suppose that in userspace we receive only <NA> for empty PT_CHARBUF params.

Does this PR introduce a user-facing change?:

fix(libsinsp): retrieve the correct `exepath` with `execveat` syscall

Andreagit97 avatar Aug 16 '22 13:08 Andreagit97
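The enter/exit pairing described in the PR, as an added illustration that is not libsinsp code: the event types, `Event` struct, per-thread enter store, `parse_execve_exit_old`, `parse_execve_exit_fixed` and `scenario` are hypothetical stand-ins for the real parser. The scenarios are constructed. It models the old lookup (which only accepts the enter type matching the exit type) beside the fixed one (which accepts either PPME_SYSCALL_EXECVE_19_E or PPME_SYSCALL_EXECVEAT_E for a PPME_SYSCALL_EXECVE_19_X), treats `<NA>` as an empty PT_CHARBUF as the PR assumes, and resolves an execveat path against its dirfd so the derived `exepath` is the one a detection rule would see.

```cpp
// Added example, not libsinsp code. Names and types are hypothetical stand-ins
// for the parser logic this PR changes.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

enum class EventType { EXECVE_19_E, EXECVEAT_E, EXECVE_19_X, EXECVEAT_X };

// Constructed minimal event: only the fields needed to derive exepath.
struct Event {
    EventType type;
    int64_t tid;
    std::string pathname;  // PT_CHARBUF param; "<NA>" when empty (PR assumption)
    std::string dirpath;   // resolved directory of dirfd for execveat; "" = AT_FDCWD
    int64_t res;           // return value carried by exit events (0 = success)
};

// Per-thread store of the most recent enter event, as a parser would keep.
using EnterStore = std::map<int64_t, Event>;

// Treat "<NA>" as an empty string (the userspace convention this PR relies on).
static std::string param_or_empty(const std::string& s) {
    return s == "<NA>" ? std::string() : s;
}

// Derive exepath from the enter event. execve takes an absolute or cwd-relative
// path; execveat resolves a relative pathname against dirfd, and with an empty
// pathname (AT_EMPTY_PATH) dirfd itself names the executable.
static std::string exepath_from_enter(const Event& enter, const std::string& cwd) {
    const std::string path = param_or_empty(enter.pathname);
    const bool is_at = enter.type == EventType::EXECVEAT_E;
    if (path.empty()) return is_at ? enter.dirpath : std::string();
    if (path[0] == '/') return path;
    const std::string& base = (is_at && !enter.dirpath.empty()) ? enter.dirpath : cwd;
    return base + "/" + path;
}

// Old behaviour: only the enter type matching the exit type is accepted, so an
// execve exit produced by a successful execveat finds no enter event.
std::string parse_execve_exit_old(const Event& exit, const EnterStore& store,
                                  const std::string& cwd) {
    if (exit.res != 0) return "";  // exit events are parsed only on success
    auto it = store.find(exit.tid);
    if (it == store.end()) return "";
    const EventType wanted = exit.type == EventType::EXECVE_19_X
                                 ? EventType::EXECVE_19_E : EventType::EXECVEAT_E;
    if (it->second.type != wanted) return "";
    return exepath_from_enter(it->second, cwd);
}

// Fixed behaviour: an execve exit may follow either enter type, because a
// successful execveat surfaces as a PPME_SYSCALL_EXECVE_19_X.
std::string parse_execve_exit_fixed(const Event& exit, const EnterStore& store,
                                    const std::string& cwd) {
    if (exit.res != 0) return "";
    auto it = store.find(exit.tid);
    if (it == store.end()) return "";
    const Event& enter = it->second;
    if (enter.type != EventType::EXECVE_19_E && enter.type != EventType::EXECVEAT_E) return "";
    return exepath_from_enter(enter, cwd);
}

// Constructed scenario: one thread records an enter event, then a successful
// PPME_SYSCALL_EXECVE_19_X arrives. Returns the exepath the chosen parser derives.
std::string scenario(EventType enter_type, const std::string& pathname,
                     const std::string& dirpath, bool fixed) {
    const int64_t tid = 100;
    EnterStore store;
    store[tid] = Event{enter_type, tid, pathname, dirpath, 0};
    const Event exit{EventType::EXECVE_19_X, tid, "<NA>", "", 0};
    const std::string cwd = "/home/user";
    return fixed ? parse_execve_exit_fixed(exit, store, cwd)
                 : parse_execve_exit_old(exit, store, cwd);
}

int main() {
    std::cout << "execveat, old:   '" << scenario(EventType::EXECVEAT_E, "bin/tool", "/opt/app", false) << "'\n";
    std::cout << "execveat, fixed: '" << scenario(EventType::EXECVEAT_E, "bin/tool", "/opt/app", true) << "'\n";
    std::cout << "execve,   fixed: '" << scenario(EventType::EXECVE_19_E, "/usr/bin/ls", "", true) << "'\n";
    return 0;
}
```

The old path returns an empty `exepath` for the execveat case because the stored enter event is a PPME_SYSCALL_EXECVEAT_E, not the PPME_SYSCALL_EXECVE_19_E it insists on; the fixed path resolves `bin/tool` against the dirfd directory. Plain execve behaves the same under both.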

Thanks for this fix @Andreagit97! I tested it and the exepath is correct for the example program I posted in #543.

We look forward to seeing it merged soon!

araujof avatar Aug 25 '22 05:08 araujof

LGTM label has been added.

Git tree hash: 5e0e74ec85bc056c7a29bbf2af8d2817d8893d9a

poiana avatar Aug 25 '22 13:08 poiana

I've just rebased to have the CI working again! :)

Andreagit97 avatar Aug 25 '22 14:08 Andreagit97

LGTM label has been added.

Git tree hash: d8a52fafd9a4f3a85996a9da44593a86ddeee222

poiana avatar Aug 25 '22 14:08 poiana

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [Andreagit97,FedeDP]

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

poiana avatar Aug 25 '22 14:08 poiana