segmentation fault after SIGHUP #1446

Closed
leogr opened this issue Oct 15, 2020 · 0 comments · Fixed by #1447

leogr commented Oct 15, 2020

Describe the bug

Falco can restart itself when a SIGHUP is received (this feature was introduced by #457).

Unfortunately, with the current development version (i.e. the current code on the master branch), when a SIGHUP is received, Falco crashes after a while (just before printing out any other alerts).

Note that this problem is not present in the last published version 0.26.1.

How to reproduce it

Build Falco from sources. I used cmake -DCMAKE_BUILD_TYPE=Release ...

Run Falco (e.g. sudo userspace/falco/falco -c /etc/falco/falco.yaml) and generate some activity (e.g. sudo cat /etc/shadow).

Send a SIGHUP (e.g. sudo kill -s SIGHUP <pid>).

Falco will restart itself as expected. Generate some activity (e.g. sudo cat /etc/shadow) again, and Falco will crash.

Expected behaviour

No segmentation fault.

Screenshots

Thu Oct 15 18:37:43 2020: Falco version 0.26.1-43+47fa7d5 (driver version 2aa88dcf6243982697811df4c1b484bcbe9488a2)
Thu Oct 15 18:37:43 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Thu Oct 15 18:37:43 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Thu Oct 15 18:37:43 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Thu Oct 15 18:37:43 2020: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Thu Oct 15 18:37:44 2020: Starting internal webserver, listening on port 8765
18:37:48.016285983: Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=1000 program=cat command=cat /etc/shadow file=/etc/shadow parent=sudo gparent=zsh ggparent=tmux: gggparent=systemd container_id=host image=<NA>)
Thu Oct 15 18:38:08 2020: SIGHUP received, restarting...
Events detected: 1
Rule counts by severity:
   WARNING: 1
Triggered rules by rule name:
   Read sensitive file untrusted: 1
Syscall event drop monitoring:
   - event drop detected: 0 occurrences
   - num times actions taken: 0
Thu Oct 15 18:38:08 2020: Falco version 0.26.1-43+47fa7d5 (driver version 2aa88dcf6243982697811df4c1b484bcbe9488a2)
Thu Oct 15 18:38:08 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Thu Oct 15 18:38:08 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Thu Oct 15 18:38:08 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Thu Oct 15 18:38:08 2020: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Thu Oct 15 18:38:09 2020: Starting internal webserver, listening on port 8765
[1]    180475 segmentation fault  sudo userspace/falco/falco -c /etc/falco/falco.yaml

Environment

  • Falco version: 0.26.1-43+47fa7d5 (driver version 2aa88dcf6243982697811df4c1b484bcbe9488a2)

  • System info:

  • Cloud provider or hardware configuration:
  • OS: Arch
  • Kernel: 5.8.14-arch1-1
  • Installation method: from source

Additional context

This problem might be related to #1412

@leogr leogr added the kind/bug label Oct 15, 2020
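
The reproduction steps in the report above, turned into a repeatable regression check (an added example, not part of the original issue or of Falco's code). The helper names `survives_sighup` and `is_running` are hypothetical, and the zombie check assumes a Linux `/proc`.

```shell
#!/usr/bin/env bash
# Added example: checks that a daemon keeps running after SIGHUP + new activity.
# survives_sighup and is_running are hypothetical helper names.

# True if <pid> exists and is not an unreaped zombie.
is_running() {
    kill -0 "$1" 2>/dev/null || return 1
    # kill -0 also succeeds on a crashed-but-unreaped child; on Linux,
    # read the process state from /proc to rule that out.
    if [ -r "/proc/$1/stat" ]; then
        case "$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null || true)" in
            Z*|X*) return 1 ;;
        esac
    fi
    return 0
}

# survives_sighup <settle_seconds> <activity_cmd> <daemon_cmd> [args...]
# Returns 0 if the daemon is still alive after SIGHUP and fresh activity,
# 1 if it died (the regression), 2 if it never started.
survives_sighup() {
    local settle="$1" activity="$2" pid status=0
    shift 2

    "$@" >/dev/null 2>&1 &
    pid=$!
    sleep "$settle"
    if ! is_running "$pid"; then
        wait "$pid" 2>/dev/null || true
        return 2
    fi

    kill -s HUP "$pid" 2>/dev/null || true      # ask the daemon to restart
    sleep "$settle"
    sh -c "$activity" >/dev/null 2>&1 || true   # trigger events post-restart
    sleep "$settle"

    if is_running "$pid"; then
        kill -s TERM "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
        return 0
    fi
    wait "$pid" 2>/dev/null || status=$?
    # Status above 128 means death by signal; 139 is SIGSEGV (128 + 11).
    echo "daemon died after SIGHUP (exit status $status)" >&2
    return 1
}
```

For the case in this report, run it as root so the tracked PID is Falco's own rather than sudo's, e.g. `survives_sighup 5 'cat /etc/shadow' userspace/falco/falco -c /etc/falco/falco.yaml` (the 5-second settle time is an assumed value).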
leogr added a commit that referenced this issue Oct 15, 2020
Previously, formatters were freed by Lua code when re-opening outputs.
Since outputs no longer control the falco_formats class (see #1412), we now free formatters only if they were already initialized.

That is needed when the engine restarts (see #1446).

By doing so, we also ensure that the correct inspector instance is set to the formatter cache.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr added a commit that referenced this issue Oct 16, 2020
poiana pushed a commit that referenced this issue Oct 27, 2020