Process execute failed #4233
Since this PR currently has some issues and we want to proceed with removing the sys_enter/exit dependency from this event as well, I added it to my generic kprobes PR at #4256.
Eventually picked #4259
@OriGlassman was this resolved by #4259?
I've tested in three scenarios:
checking ./tests/e2e-inst-signatures/scripts/process_execute_failed.sh
19:55:04:856921 1000 process_execute 94695 94695 -8 process_execute_failed dirfd: <nil>, flags: <nil>, pathname: /tmp/test.sh, binary.path: /tmp/test.sh, binary.device_id: 44, binary.inode_number: 1861, binary.ctime: 1725494781586232082, binary.inode_mode: 33261, interpreter_path: /tmp/test.sh, stdin_type: 8192, stdin_path: /dev/null, kernel_invoked: 0, argv: [/tmp/test.sh], envp: <nil>
checking a failed execveat:
19:52:46:050970 1000 fake 92599 92599 -14 process_execute_failed dirfd: 69, flags: 0, pathname: <nil>, binary.path: <nil>, binary.device_id: <nil>, binary.inode_number: <nil>, binary.ctime: <nil>, binary.inode_mode: <nil>, interpreter_path: <nil>, stdin_type: <nil>, stdin_path: <nil>, kernel_invoked: <nil>, argv: [], envp: <nil>
without filter (mostly with only pathname and argv):
19:47:58:827702 1000 code 86452 86452 -2 process_execute_failed dirfd: <nil>, flags: <nil>, pathname: /home/gg/.goenv/versions/1.22.4/bin/docker, binary.path: <nil>, binary.device_id: <nil>, binary.inode_number: <nil>, binary.ctime: <nil>, binary.inode_mode: <nil>, interpreter_path: <nil>, stdin_type: <nil>, stdin_path: <nil>, kernel_invoked: <nil>, argv: [docker context ls --format {{json .}}], envp: <nil>
...
19:47:58:827727 1000 code 86452 86452 -2 process_execute_failed dirfd: <nil>, flags: <nil>, pathname: /home/gg/.goenv/bin/docker, binary.path: <nil>, binary.device_id: <nil>, binary.inode_number: <nil>, binary.ctime: <nil>, binary.inode_mode: <nil>, interpreter_path: <nil>, stdin_type: <nil>, stdin_path: <nil>, kernel_invoked: <nil>, argv: [docker context ls --format {{json .}}], envp: <nil>
LGTM overall. I've approved but there are some points to be considered.
newEvent.Args[parse.ArgIndex(newEvent.Args, "argv")] = execInfo.args[parse.ArgIndex(execInfo.args, "argv")]
newEvent.Args[parse.ArgIndex(newEvent.Args, "envp")] = execInfo.args[parse.ArgIndex(execInfo.args, "envp")]
If index is not found by ArgIndex, this will crash with -1 as index.
Indeed. But the whole logic assumes that tracee fills all arguments, even ones that are not set from kernelspace so there must be argv and envp
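The -1 case raised in this thread, as an added Go example that is not tracee's code: Argument and argIndex are stand-ins assumed to behave like trace.Argument and parse.ArgIndex, and the checked variant returns an error instead of panicking when either side lacks the argument.

```go
package main

import "fmt"

// Argument stands in for tracee's trace.Argument (assumed shape, not the project's own).
type Argument struct {
	Name  string
	Value interface{}
}

// argIndex mimics parse.ArgIndex as the review describes: index of the named arg, or -1 if absent.
func argIndex(args []Argument, name string) int {
	for i, a := range args {
		if a.Name == name {
			return i
		}
	}
	return -1
}

// copyArgUnchecked is the pattern under review: no -1 check. Indexing a slice with -1
// panics in Go, which in a tracing agent takes the whole event pipeline down.
func copyArgUnchecked(dst, src []Argument, name string) {
	dst[argIndex(dst, name)] = src[argIndex(src, name)]
}

// copyArgChecked validates both indices first and reports a missing argument
// as an error the caller can log, instead of crashing.
func copyArgChecked(dst, src []Argument, name string) error {
	di, si := argIndex(dst, name), argIndex(src, name)
	if di < 0 || si < 0 {
		return fmt.Errorf("argument %q missing (dst index %d, src index %d)", name, di, si)
	}
	dst[di] = src[si]
	return nil
}

// uncheckedPanics reports whether copyArgUnchecked panics for these inputs,
// so the failure mode can be observed without killing the process.
func uncheckedPanics(dst, src []Argument, name string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	copyArgUnchecked(dst, src, name)
	return false
}

// sampleEvents returns constructed inputs: newEvent has argv and envp slots, execInfo has argv only.
func sampleEvents() (newEvent, execInfo []Argument) {
	return []Argument{{Name: "pathname", Value: "/tmp/test.sh"}, {Name: "argv"}, {Name: "envp"}},
		[]Argument{{Name: "argv", Value: []string{"/tmp/test.sh"}}}
}
```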
events.ModuleLoad: pb.EventId_module_load,
events.ModuleFree: pb.EventId_module_free,
events.ExecuteFinished: pb.EventId_execute_finished,
events.ProcessExecuteFailedInternal: pb.EventId_security_bprm_creds_for_exec,
I suppose that as SecurityBprmCredsForExec was removed as an event (remaining as a probe), this relation should be renamed as well.
Run make -f builder/Makefile.protoc protoc-run to update event.pb.go.
Insert in this PR the commit related to the grpc bump (temporarily), so before merge it can be dropped and cherry-picked into a next PR. @rscampos knows better about these proceedings.
Ran that - it didn't seem to change tracee.go, rather api/v1beta1/event.pb.go
@rscampos v0.22.1