Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot filter on sys_enter.args.syscall #3891

Closed
oshaked1 opened this issue Feb 22, 2024 · 2 comments · Fixed by #3893
Closed

Cannot filter on sys_enter.args.syscall #3891

oshaked1 opened this issue Feb 22, 2024 · 2 comments · Fixed by #3893
Assignees
@geyslan
Labels
kind/bug
Milestone
v0.21.0

Comments

@oshaked1
Copy link
Contributor

Description

Filtering on the syscall argument of sys_enter does not work, neither with a syscall name nor with its number.
e.g. sys_enter.args.syscall=321 or sys_enter.args.syscall=bpf do not work.

Output of tracee version:

Tracee version: v0.20.0

Output of uname -a:

Linux ****** 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Additional details

The problem appears to be in the following check from pkt/filters/args.go line 59:

if argName != "syscall" {
    argVal = fmt.Sprint(argVal)
}

Conversion of the argument value to string form doesn't happen specifically for the syscall argument.
@geyslan
Copy link
Member

geyslan commented Feb 22, 2024
edited
Loading

@oshaked1 thanks for this.

I have an initial solution to make sys_enter.args.syscall=bpf working asap. Making both (number/name) to work would demand changes in the filter parser.

@geyslan geyslan self-assigned this Feb 22, 2024
@geyslan geyslan added this to the v0.21.0 milestone Feb 22, 2024
@oshaked1
Copy link
Contributor Author

Sounds great, filtering on the number is not a priority for me I just mentioned it to clarify that no method worked.

This was referenced Feb 22, 2024
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@geyslan geyslan

Labels
kind/bug
Projects
None yet
Milestone
v0.21.0
Development

Successfully merging a pull request may close this issue.

fix(filters): handle syscall arg geyslan/tracee
2 participants
@geyslan @oshaked1