fix: show argv on failed execve events #3922

Merged
merged 1 commit into from
Apr 17, 2024

yanivagman
Collaborator

1. Explain what the PR does

Failed execve calls never showed argv nor envp.
That is since it was handled by the generic syscall handler, which doesn't handle string array arguments.

Fix by adding a dedicated handler at execve(at) exit.

"Replace me with make check-pr output"

2. Explain how to test it

3. Other comments

Fix: #2847

Contributor

@AlonZivony AlonZivony left a comment

The code itself looks great.
I think we should add an e2e test for it to make sure that it works well as intended. WDYT?

@geyslan geyslan removed this from the v0.21.0 milestone Apr 16, 2024
@yanivagman
Collaborator Author

> The code itself looks great. I think we should add an e2e test for it to make sure that it works well as intended. WDYT?

Agree. Let's merge this PR since it is a required fix and I tested it manually.
We are starting an effort to improve functional tests in Tracee for all the events originated from BPF code. We should add this test there as well.

@yanivagman yanivagman force-pushed the fix_execve_failed_nil_args branch from 24c73ed to 7e0d737 Compare April 16, 2024 21:59
Failed execve calls never showed argv nor envp.
That is since it was handled by the generic syscall handler, which
doesn't handle string array arguments.

Fix by adding a dedicated handler at execve(at) exit.
@yanivagman yanivagman force-pushed the fix_execve_failed_nil_args branch from 7e0d737 to ee22c8c Compare April 16, 2024 22:04
@yanivagman yanivagman merged commit fb2e188 into aquasecurity:main Apr 17, 2024
32 checks passed
@yanivagman yanivagman deleted the fix_execve_failed_nil_args branch April 17, 2024 05:27
Successfully merging this pull request may close these issues.

execve nil argv, envp
3 participants