Process execute failed #4233
Process execute failed #4233
Conversation
|
|
OriGlassman
force-pushed
the
process_execute_failed
branch
from
4138fbb
to
2c74ffa
Compare
OriGlassman
force-pushed
the
process_execute_failed
branch
5 times, most recently
from
5e01daa
to
205f618
Compare
OriGlassman
force-pushed
the
process_execute_failed
branch
2 times, most recently
from
09cd304
to
82b51d4
Compare
|
Since this PR currently have some issues and we want to proceed with removing sys_enter/exit dependency from this event as well, I added it to my generic kprobes PR at #4256. |
|
Eventually picked #4259 |
|
@OriGlassman was this resolved by #4259? |
OriGlassman
force-pushed
the
process_execute_failed
branch
2 times, most recently
from
ae0e6d8
to
335479b
Compare
OriGlassman
force-pushed
the
process_execute_failed
branch
from
335479b
to
2360aa3
Compare
There was a problem hiding this comment.
I've tested in three scenarios:
checking ./tests/e2e-inst-signatures/scripts/process_execute_failed.sh
19:55:04:856921 1000 process_execute 94695 94695 -8 process_execute_failed dirfd: <nil>, flags: <nil>, pathname: /tmp/test.sh, binary.path: /tmp/test.sh, binary.device_id: 44, binary.inode_number: 1861, binary.ctime: 1725494781586232082, binary.inode_mode: 33261, interpreter_path: /tmp/test.sh, stdin_type: 8192, stdin_path: /dev/null, kernel_invoked: 0, argv: [/tmp/test.sh], envp: <nil>
checking a failed execveat:
19:52:46:050970 1000 fake 92599 92599 -14 process_execute_failed dirfd: 69, flags: 0, pathname: <nil>, binary.path: <nil>, binary.device_id: <nil>, binary.inode_number: <nil>, binary.ctime: <nil>, binary.inode_mode: <nil>, interpreter_path: <nil>, stdin_type: <nil>, stdin_path: <nil>, kernel_invoked: <nil>, argv: [], envp: <nil>
without filter (mostly with only pathname and argv):
19:47:58:827702 1000 code 86452 86452 -2 process_execute_failed dirfd: <nil>, flags: <nil>, pathname: /home/gg/.goenv/versions/1.22.4/bin/docker, binary.path: <nil>, binary.device_id: <nil>, binary.inode_number: <nil>, binary.ctime: <nil>, binary.inode_mode: <nil>, interpreter_path: <nil>, stdin_type: <nil>, stdin_path: <nil>, kernel_invoked: <nil>, argv: [docker context ls --format {{json .}}], envp: <nil>
...
19:47:58:827727 1000 code 86452 86452 -2 process_execute_failed dirfd: <nil>, flags: <nil>, pathname: /home/gg/.goenv/bin/docker, binary.path: <nil>, binary.device_id: <nil>, binary.inode_number: <nil>, binary.ctime: <nil>, binary.inode_mode: <nil>, interpreter_path: <nil>, stdin_type: <nil>, stdin_path: <nil>, kernel_invoked: <nil>, argv: [docker context ls --format {{json .}}], envp: <nil>
LGTM overall. I've approved but there's some putting to be considered.
| newEvent.Args[parse.ArgIndex(newEvent.Args, "argv")] = execInfo.args[parse.ArgIndex(execInfo.args, "argv")] | ||
| newEvent.Args[parse.ArgIndex(newEvent.Args, "envp")] = execInfo.args[parse.ArgIndex(execInfo.args, "envp")] | ||
|
|
There was a problem hiding this comment.
If index is not found by ArgIndex, this will crash with -1 as index.
There was a problem hiding this comment.
Indeed. But the whole logic assumes that tracee fills all arguments, even ones that are not set from kernelspace so there must be argv and envp
| events.ModuleLoad: pb.EventId_module_load, | ||
| events.ModuleFree: pb.EventId_module_free, | ||
| events.ExecuteFinished: pb.EventId_execute_finished, | ||
| events.ProcessExecuteFailedInternal: pb.EventId_security_bprm_creds_for_exec, |
There was a problem hiding this comment.
I suppose that as SecurityBprmCredsForExec was removed as an event (remaining as a probe), this relation should be renamed as well.
Run make -f builder/Makefile.protoc protoc-run to update event.pb.go.
Insert in this PR the commit related to gprc bump (temporarily). So before merge it can be dropped and cherry-picked into a next PR. @rscampos know better about this proceedings.
There was a problem hiding this comment.
Ran that - it didn't seem to change tracee.go, rather api/v1beta1/event.pb.go
|
@rscampos v0.22.1 |
1. Explain what the PR does
"Replace me with
make check-proutput"2. Explain how to test it
3. Other comments