When tracee tries to resolve a numeric argument to a string (e.g. cmd value of bpf syscall), if the resolution fails, the event field will contain an empty string.
For example, running the following command, which uses a new eBPF feature not supported on my kernel:
sudo bpftool gen skeleton -L hello.bpf.o > hello.skel.h
Results in the following tracee event:
TIME UID COMM PID TID RET EVENT ARGS
11:37:28:562345 0 bpftool 211739 211739 -22 bpf cmd: , attr: 0x7ffc011cdec0, size: 8
The strace output shows that this command is not supported, which explains why the resolution fails:
This is only one example of incorrect handling of failed name resolutions; another example I found is ptrace commands, and there are possibly many others.
An example of a correctly handled name resolution is the syscall name of sys_enter, where an unknown syscall will result in the syscall number as the value.
Output of tracee version:
Tracee version: v0.20.0
Output of uname -a:
Linux ********* 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Additional details
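To make the reported behaviour concrete, here is an added Go example (not tracee's own code) contrasting a resolver that collapses an unknown bpf cmd to an empty string with one that falls back to the numeric value, the way sys_enter already does for unknown syscalls. The command table is a deliberately short excerpt of the BPF_* enum from linux/bpf.h, and 9999 is a constructed value no kernel defines.

```go
package main

import (
	"fmt"
	"strconv"
)

// bpfCmdNames holds the first few BPF_* command numbers from <linux/bpf.h>;
// a real resolver would carry the full enum, and would still miss commands
// added by kernels newer than its table.
var bpfCmdNames = map[uint64]string{
	0: "BPF_MAP_CREATE",
	1: "BPF_MAP_LOOKUP_ELEM",
	2: "BPF_MAP_UPDATE_ELEM",
	3: "BPF_MAP_DELETE_ELEM",
	4: "BPF_MAP_GET_NEXT_KEY",
	5: "BPF_PROG_LOAD",
	6: "BPF_OBJ_PIN",
	7: "BPF_OBJ_GET",
	8: "BPF_PROG_ATTACH",
	9: "BPF_PROG_DETACH",
}

// resolveBPFCmdLossy reproduces the behaviour the issue reports: a miss in
// the table yields Go's zero value "", so the raw command number is lost.
func resolveBPFCmdLossy(cmd uint64) string {
	return bpfCmdNames[cmd]
}

// resolveBPFCmd applies the fallback the issue asks for: an unknown command
// is reported as its decimal number instead of an empty field.
func resolveBPFCmd(cmd uint64) string {
	if name, ok := bpfCmdNames[cmd]; ok {
		return name
	}
	return strconv.FormatUint(cmd, 10)
}

// formatBpfArgs renders the "cmd: ..., attr: ..., size: ..." ARGS field of a
// tracee-style bpf event line using the fallback-aware resolver.
func formatBpfArgs(cmd uint64, attr uintptr, size uint64) string {
	return fmt.Sprintf("cmd: %s, attr: 0x%x, size: %d", resolveBPFCmd(cmd), attr, size)
}

func main() {
	// 9999 is a constructed, undefined command number standing in for one
	// that the running kernel or the resolver's table does not know.
	for _, cmd := range []uint64{5, 9999} {
		fmt.Printf("lossy=%q fixed=%q\n", resolveBPFCmdLossy(cmd), resolveBPFCmd(cmd))
	}
	fmt.Println(formatBpfArgs(9999, 0x7ffc011cdec0, 8))
}
```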