More ef drop falco #1105

Merged: 4 commits merged into dev from more-ef-drop-falco on Apr 24, 2018

@mstemm
Contributor

mstemm commented Apr 20, 2018

Several changes to expand the set of events that are skipped by falco, and to centralize the logic for knowing which events to skip.

mstemm added some commits Apr 19, 2018

Syncing driver and libscap event tables.
Compare the driver and libscap event tables and fix any differences:

 - Some earlier unlink/unlinkat syscalls were missing the EF_OLD_VERSION
   flag.
 - Infrastructure events have an EC_INTERNAL flag.
Start skipping more syscalls at falco level
Add an additional set of syscalls to be skipped by falco. Summarized,
these are:

 - getsock*, getpeer*: fetching info on sockets
 - getcwd: getting current directory
 - pread,pwrite: reading from fds, so should be skipped like read/write
 - get,setrlimit: changing process resources. Yes, set is a change, but
   it's only for the current process and not other processes.
 - splice: copying from one fd to another, so skipped like read/write
 - get*uid*: getting user information. Note that set*uid is still
   considered.
 - signaldeliver: noting that a process has been signaled
 - sem*: semaphore operations
 - access: file access, so should be skipped like stat, etc.
Change EF_DROP_FALCO flag for additional syscalls
Add an additional set of syscalls to be skipped by falco. Summarized,
these are:

 - time/alarm/times/nanosleep: reading current time
 - brk: changing process memory usage
 - get*pid/pgrp/pgid/sid/tid/uid/gid/capget: getting process user/group
   information
 - access/ustat/newfstatat: reading file information
 - umask: changing default file mask. All opens are still considered.
 - setrlimit/getrusage/{u}getrlimit: getting resource usage and changing memory usage
   for current process.
 - getpriority/getscheduler/sched_get...: get current scheduling
   priority. set... is still considered.
 - uname/getcpu/olduname: get kernel info
 - fsync/fdatasync: sync file to storage
 - mprotect/madvise/mlock/munlock{all}/mremap/mincore: protect/control memory areas
 - rt_sig*/pause/signalfd*/eventfd*/sigprocmask/sigpending: signal/event handling
 - getcwd: current working directory
 - get/listxattr: reading file attributes. set is still considered.
 - io_*: async io controls
 - exit_group: exiting a process
 - remap_file_pages: file mapping
 - mq_*: message queue handling
 - waitid/waitpid: waiting on other process
 - get_robust_list: robust futex handling. set is still considered
 - vmsplice: like splice
 - getsock*/peer*: getting info on sockets
 - sem*/msg*: semaphore/message queue operations. Creating message
   queues is still considered
 - newselect: should be skipped like select/poll/etc.

Also *remove* the EF_DROP_FALCO flag for
 - sendto/recvfrom/sendmsg/recvmsg: these were previously changed to
   allowed

mstemm added a commit to falcosecurity/falco that referenced this pull request Apr 20, 2018

Use better way to skip falco events
Use the new method falco_consider() to determine which events to
skip. This centralizes the logic in a single function.

This depends on draios/sysdig#1105.

@mstemm mstemm requested a review from mattpag Apr 20, 2018

@mstemm
Contributor

mstemm commented Apr 20, 2018

@mattpag, could you take a look at the syscalls I excluded? I tried to be consistent about keeping any syscalls that could modify state outside of the process.

Add falco_consider to centralize flag comparisons
In a few places we look at event flags to consider whether or not to
include an event. Centralize this in a method
sinsp_evt::falco_consider() which in turn uses static methods
falco_consider_{evtnum,syscallid}.

The flags that will result in a skipped event are any of:
 - EF_SKIPPARSERESET
 - EF_UNUSED
 - EF_OLD_VERSION
 - EF_DROP_FALCO
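The commit above describes sinsp_evt::falco_consider() and the four flags it checks, and the earlier commit messages list which syscalls are given EF_DROP_FALCO. The following is an added C++ example, not sysdig's or falco's own code: a small stand-alone model of that centralized check, with the keep/drop split applied to a constructed event table. The flag bit values, the table contents and event numbers, and the helper names falco_consider_name and filter_events are assumptions made for this example; only the flag names, the skip rule (an event is skipped if any of the four flags is set) and the -A "consider everything" behaviour come from the PR.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Flag names are the ones from the PR; the bit values are assumed for this
// example and are not sysdig's real values.
enum ppm_event_flags : uint32_t {
    EF_NONE           = 0,
    EF_SKIPPARSERESET = 1u << 0,
    EF_UNUSED         = 1u << 1,
    EF_OLD_VERSION    = 1u << 2,
    EF_DROP_FALCO     = 1u << 3,
};

// One row of a constructed event table: event number, name, flags.
struct ppm_event_info {
    uint16_t    evtnum;
    const char *name;
    uint32_t    flags;
};

// Constructed sample table. Which rows carry EF_DROP_FALCO follows the rule
// stated in the PR (getters and read-like calls dropped, calls that change
// state outside the process kept); the numbers themselves are arbitrary.
static const ppm_event_info g_event_table[] = {
    { 0, "open",       EF_NONE },            // file open: always considered
    { 1, "setuid",     EF_NONE },            // set*uid is still considered
    { 2, "getuid",     EF_DROP_FALCO },      // get*uid*: dropped
    { 3, "setrlimit",  EF_DROP_FALCO },      // only affects current process: dropped
    { 4, "unlink_old", EF_OLD_VERSION },     // superseded event version
    { 5, "reserved",   EF_UNUSED },          // unused slot in the table
    { 6, "sendto",     EF_NONE },            // EF_DROP_FALCO removed by this PR
    { 7, "procexit",   EF_SKIPPARSERESET },  // infrastructure event
};
static const size_t g_event_table_size =
    sizeof(g_event_table) / sizeof(g_event_table[0]);

// Any one of these four flags makes an event skippable.
static const uint32_t FALCO_SKIP_MASK =
    EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION | EF_DROP_FALCO;

// Centralized decision: true when falco should evaluate this event number.
// all_events models falco's -A flag, under which every known event is kept.
bool falco_consider_evtnum(uint16_t evtnum, bool all_events = false) {
    if (evtnum >= g_event_table_size) {
        return false;  // unknown event number: nothing to evaluate (guard, assumed)
    }
    if (all_events) {
        return true;
    }
    return (g_event_table[evtnum].flags & FALCO_SKIP_MASK) == 0;
}

// Same decision, looked up by event name (hypothetical helper).
bool falco_consider_name(const std::string &name, bool all_events = false) {
    for (size_t i = 0; i < g_event_table_size; ++i) {
        if (name == g_event_table[i].name) {
            return falco_consider_evtnum(g_event_table[i].evtnum, all_events);
        }
    }
    return false;  // unknown name
}

// Reduce a stream of event numbers to those falco would actually evaluate
// (hypothetical helper showing the check applied to a batch).
std::vector<uint16_t> filter_events(const std::vector<uint16_t> &stream,
                                    bool all_events = false) {
    std::vector<uint16_t> kept;
    for (uint16_t e : stream) {
        if (falco_consider_evtnum(e, all_events)) {
            kept.push_back(e);
        }
    }
    return kept;
}

int main() {
    // Constructed stream: one event of each kind in the table.
    std::vector<uint16_t> stream = {0, 1, 2, 3, 4, 5, 6, 7};
    for (uint16_t e : stream) {
        std::printf("%-10s default=%s  -A=%s\n", g_event_table[e].name,
                    falco_consider_evtnum(e) ? "consider" : "skip",
                    falco_consider_evtnum(e, true) ? "consider" : "skip");
    }
    std::printf("kept by default: %zu of %zu\n",
                filter_events(stream).size(), stream.size());
    return 0;
}
```

The point of the single mask is the one the commit makes: callers should not each re-derive which flags mean "skip". A new flag only has to be added to FALCO_SKIP_MASK, and the -A path bypasses the mask entirely rather than being special-cased at every call site.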
@mattpag

lgtm! A few of them may be useful in the future but in that case we will just re-enable them.

@mstemm mstemm merged commit aa3b498 into dev Apr 24, 2018

3 checks passed

 - continuous-integration/travis-ci/pr: The Travis CI build passed
 - continuous-integration/travis-ci/push: The Travis CI build passed
 - sign-off-checker: The commit doesn't require sysdig sign-off CLA because it belongs to mstemm, part of the draios/sysdig collaborators

@mstemm mstemm deleted the more-ef-drop-falco branch Apr 24, 2018

mstemm added a commit to falcosecurity/falco that referenced this pull request Apr 24, 2018

Use better way to skip falco events
Use the new method falco_consider() to determine which events to
skip. This centralizes the logic in a single function. All events will
still be considered if falco was run with -A.

This depends on draios/sysdig#1105.

mstemm added a commit to falcosecurity/falco that referenced this pull request Apr 24, 2018

Use better way to skip falco events (#356)
* Use better way to skip falco events

Use the new method falco_consider() to determine which events to
skip. This centralizes the logic in a single function. All events will
still be considered if falco was run with -A.

This depends on draios/sysdig#1105.

* Add ability to specify -A flag in tests

test attribute all_events corresponds to the -A flag. Add for some tests
that would normally refer to skipped events.