"renameat2" syscall support #1603
Comments
|
The same issue on Arch |
5 tasks
leogr
added a commit
to falcosecurity/falco
that referenced
this issue
Jun 4, 2020
Since `evt.arg[1]` does not work for all syscalls, switch to - `evt.arg.path` for `rmdir`, `unlink`, and `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see draios/sysdig#1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
added a commit
to falcosecurity/falco
that referenced
this issue
Jun 4, 2020
Since `evt.arg[1]` does not work for all syscalls, switch to - `evt.arg.path` for `rmdir`, `unlink`, and `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see draios/sysdig#1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
added a commit
to falcosecurity/falco
that referenced
this issue
Jun 4, 2020
Since `evt.arg[1]` does not work for all syscalls, switch to - `evt.arg.path` for `rmdir`, `unlink`, and `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see draios/sysdig#1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
added a commit
to falcosecurity/falco
that referenced
this issue
Jun 4, 2020
Since `evt.arg[1]` does not work for all syscalls, switch to: - `evt.arg.path` for `rmdir` and `unlink` (used by `remove` macro) - `evt.arg.name` for `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see draios/sysdig#1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
3 tasks
poiana
pushed a commit
to falcosecurity/falco
that referenced
this issue
Jun 10, 2020
Since `evt.arg[1]` does not work for all syscalls, switch to: - `evt.arg.path` for `rmdir` and `unlink` (used by `remove` macro) - `evt.arg.name` for `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see draios/sysdig#1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
fntlnz
pushed a commit
to fntlnz/falco
that referenced
this issue
Jun 26, 2020
Since `evt.arg[1]` does not work for all syscalls, switch to: - `evt.arg.path` for `rmdir` and `unlink` (used by `remove` macro) - `evt.arg.name` for `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see draios/sysdig#1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
added a commit
to falcosecurity/rules
that referenced
this issue
Dec 21, 2022
Since `evt.arg[1]` does not work for all syscalls, switch to: - `evt.arg.path` for `rmdir` and `unlink` (used by `remove` macro) - `evt.arg.name` for `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see draios/sysdig#1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
added a commit
to falcosecurity/rules
that referenced
this issue
Dec 21, 2022
Since `evt.arg[1]` does not work for all syscalls, switch to: - `evt.arg.path` for `rmdir` and `unlink` (used by `remove` macro) - `evt.arg.name` for `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see draios/sysdig#1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Some applications like "mv" on RHEL 8.1 are using renameat2 syscall for file rename operations. Sysdig driver doesn't provide information about this syscall.
RHEL8.1:
[user@localhost ~]$ sudo sysdig proc.name=mv | grep newname
...
[user@localhost ~]$ sudo strace mv oldname newname 2>&1 | grep rename
renameat2(AT_FDCWD, "oldname", AT_FDCWD, "newname", RENAME_NOREPLACE) = 0
Ubuntu 18.04:
sudo sysdig proc.name=mv | grep newname
...
8853 05:32:48.621815439 1 mv (5522) < rename res=0 oldpath=old(/home/user/old) newpath=newname(/home/user/newname)
The text was updated successfully, but these errors were encountered: