[BUG] scap-driver: compilation failure with kernel 6.2.0 #918
Comments
Here's a patch. Please note that I'm poking around in an older release, so no PR but the code in current git master looks the same:
With this fix the driver compiles & runs on 6.2 - tested with csysdig.
Hi! Thank you very much! I am going to upgrade my arch box in a couple of days (as soon as it enters core repo) and will test this!
Attributes in "struct device*" are now const, so add a matching prototype for ppm_devnode(). Fixes falcosecurity#918 Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
Attributes in "struct device*" are now const, so add a matching prototype for ppm_devnode(). Fixes #918 Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
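The signature change named in the commit message above, as an added example built from user-space stand-ins; it is not the patch from this thread and not the project's code. `struct device`, `struct class`, `umode_t`, the `0400` mode and the fixed `LINUX_VERSION_CODE` are assumptions made for the mock; only the name `ppm_devnode()` and the 6.2 boundary come from the page.

```c
/* Added example: user-space stand-ins, not kernel headers or project code. */
#include <stdio.h>

#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
/* Constructed build target; a real module gets this from <linux/version.h>. */
#ifndef LINUX_VERSION_CODE
#define LINUX_VERSION_CODE KERNEL_VERSION(6, 2, 0)
#endif

typedef unsigned short umode_t;          /* stand-in for the kernel typedef */
struct device { unsigned int minor; };   /* stand-in with a single field */

/* The two callback shapes. They are distinct, incompatible pointer types,
 * which is why a callback written for one does not build against the other. */
typedef char *(*devnode_legacy_fn)(struct device *dev, umode_t *mode);
typedef char *(*devnode_const_fn)(const struct device *dev, umode_t *mode);

/* Stand-in for struct class: the member type follows the target kernel. */
struct class {
	const char *name;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 2, 0)
	devnode_const_fn devnode;
#else
	devnode_legacy_fn devnode;
#endif
};

/* Version-gated prototype with a single shared body. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 2, 0)
static char *ppm_devnode(const struct device *dev, umode_t *mode)
#else
static char *ppm_devnode(struct device *dev, umode_t *mode)
#endif
{
	(void)dev;
	if (mode)
		*mode = 0400;   /* assumption for this mock: owner read-only */
	return NULL;            /* NULL leaves the default node name in place */
}

/* Returns 1 if ppm_devnode has the const (6.2+) shape, 0 if legacy. */
static int devnode_signature_is_const(void)
{
	return _Generic(&ppm_devnode,
			devnode_const_fn: 1,
			devnode_legacy_fn: 0);
}

/* Registers the callback in the mock class and calls it the way a
 * device core would; returns the mode the callback chose. */
static unsigned int mode_set_by_class_callback(void)
{
	struct class cls = { "ppm", ppm_devnode };
	struct device dev = { 0 };
	umode_t mode = 0666;
	char *name = cls.devnode(&dev, &mode);

	return name == NULL ? mode : 0xFFFFu;
}

int main(void)
{
	printf("const signature: %d, node mode: %o\n",
	       devnode_signature_is_const(), mode_set_by_class_callback());
	return 0;
}
```

Building with `-DLINUX_VERSION_CODE=393472` (6.1.0) selects the legacy prototype. The node mode is the same on both branches, which is the property to confirm after a build fix like this one.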
* chore(driver): check minimum kernel versions for each driver. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(driver): only warn when kernel version is lower than minimum one. One can build our drivers against a not running kernel, ie: driverkit does this. Just throw a warning instead of fatal error. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * chore(driver): updated warning string. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup(libsinsp): extend ppm_sc sinsp API Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup: uniform feature gates between drivers Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * docs: add modern probe debug mode as default Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: support `poll` syscall Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: support `ppoll` syscall Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: support `mmap2` syscall Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup: review comment Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> * ci: remove arm64 jobs from GHA Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new(ci): add semgrep checks for insecure API usage Signed-off-by: Luca Guerra <luca@guerra.sh> * new(driver/modern_bpf): add support for semget syscall Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(test): add unit tests for semget enter and exit events Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(driver/modern_bpf): add support for semctl syscall Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(test): add unit tests for semctl enter and exit events Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * fix(modern_bpf): actually extract minor 
page fault number Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new: support sampling ratio in the modern bpf probe Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * tests: add some tests for sampling logic Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup: move sampling ratio logic Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> * fix(ci): split insecure-api check from ci; it will be triggered only on PRs. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * new(libsinsp): add container.ip to filter/display fields Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * new(libsinsp, cri): extract pod info cniResult Interfaces for CRI container engine Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * new(libsinsp): add container.ips_cniresult_interfaces to display fields Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): cleanup container.ip definition Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * fix(build) for falco-builder Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): cleanup container.cni.json definition Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(cri): optimize cri container ip and cni interfaces requests Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(cri): support container.cni.json for cri-o runtime Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(cri): add cri-o socket as secondary default value Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(cri): optimize cniresult parsing 
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(cri): add cniresult to container_to_json Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): optimize container filterchecks, add k8s synonyms for ip related fields * Community feedback inspired to also add k8s.pod.ip and k8s.pod.cni.json to ensure technical clarity re the fact that pod ip <-> container ip etc are the same given the shared network stack of all containers within a pod * Reduce some redundant lookups for container fields filterchecks Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(cri): add k3s containerd path as 3rd default Requested by community in order to accomodate more defaults when the cri arg is empty. Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(cri): leave comment re future schema standardizations possibility * for the cni result json schema and/or pod status info schema * falcosecurity/falco#2387 Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(cri): simplify cniresult json handling Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): extract cni_json in parse_container_json_evt Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): introduce set operations utils functions Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): use more performant set operations Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): add more set operations Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): use standard libs for ordered sets in new set utils Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa 
Kilby <melissa.kilby.oss@gmail.com> * new: support `page_faults` tracepoints Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * test: refactor generic event test const Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: support `signal_deliver` tracepoint Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * fix: use the correct event version in `sched_switch` Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * update: add sampling logic to new tracepoints Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * tests: address review comments Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> * chore(driver,userspace,test)!: properly use ppm_sc and ppme enum (defined as types now) in ppm_sc sinsp API. Note: basically multiple uint32_t became `ppm_sc_code` or `ppm_event_code` types (that under the hood is an enum type). Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * cleanup(userspace)!: added a libsinsp::events:: namespace that holds ppm_sc,tp,events related static functions. We just moved stuff under the new namespace. This breaks libsinsp API. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * cleanup(userspace/libsinsp): renamed sinsp_{ppm_sc,tp} to sinsp_events_{ppm_sc,tp}. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * cleanup(driver,userspace)!: ported tp enum to a ppm_tp_code type. Similarly to first commit, this one moves tracepoint to use `ppm_to_code` instead of plain uint32_t. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * new(userspace)!: added libsinsp::events::set template class. Use it in ppm_sc,ppm_events and ppm_tp APIs. It is a generalization from Falco `falco_event_types` class. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(userspace): fix various tests. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * new(userspace/libsinsp): add `add` method on libsinsp::events::set, ie: a union function. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * fix(userspace/libsinp): provide hash methods for ppm_{sc,tp,event}_code types. This should fix build on macos. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(userspace/libsinsp): renamed `len` and `max` to `m_size` and `m_max` in set class. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(userspace/libsinsp)!: renamed all `libsinsp::events::` API functions. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> * cleanup(userspace/libscap,userspace/libsinsp)!: added 3 new APIs: `all_event_set`, `event_set_to_sc_set`, `names_to_event_set`. Moreover, cleanup scap.h related API to take `uint8_t` arrays, and optmize multiple calls to these APIs by adding a new `libsinsp::events::set.data()` method that returns underlying uint8_t vector data. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * new(tests): added unit test for libsinsp::events::set class. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * cleanup(userspace/libsinsp): moved libsinsp::events namespace API under libsinsp/events folder. Moreover, properly account for generic events in `names_to_event_set()`. Finally, added a const version of `data()` API for libsinsp::events::set() class, ie: `const_data()`. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * cleanup(libsinsp): move filter_evttype_resolver to libsinsp * move filter_evttype_resolver from falco to libsinsp in order to support sinsp-example e2e tests for configuring interesting sets of syscalls based on ruleset evttypes * falco_event_types renamed to sinsp_event_types Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): integrate filter_evttype_resolver + sinsp-example evttypes extraction Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): add filter_evttype_resolver.ut * port existing unit tests over from falco * add few more conditions Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): port evttype indexing corrections to libsinsp * falcosecurity/falco#2397 * Update w/ novel scanning approach implemented by Jason Dellaluce to also handle corner cases correctly in filter_evttype_resolver * add additional comments Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): port filter_evttypes_resolver.ut.cpp updates to libsinsp * falcosecurity/falco#2397 * Update unit tests Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): start evttype_resolver refactor Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): update sinsp-example event names extraction Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * fix(userspace/libsinsp): fix event set diff and add std operators Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * update(userspace/libsinsp): add filter ast operation for 
searching ppm_event_codes Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * update(userspace/libsinsp): sync sinsp example to new ast evttypes api Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * fix: check if the key exists in defer_lookup async_key_value_source provides a TTL mechanism, the problem is that when dequeue_next_key is invoked there is no check for the existence of the key in m_value_map. If the value was pruned due to TTL expiration it gets put back by std::map::operator[], which triggers the creation of a new lookup_request. Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com> * fix: remove 2 event check types not used Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: support `recvmmsg` syscall Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: support `sendmmsg` syscall Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: add a new `ringbuf__store_s16` helper Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: support `semop` syscall Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new: support `sendfile` syscall Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * fix: old bpf sendfile filler this filler used `bpf_probe_read` helper instead of the new one `bpf_probe_read_user` Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * tests: fix broken tests on arm64 the behavior of `semop` syscall changes between architectures. Calling `semop` with a wrong number of `nsops` like in `semopX_wrong_nops` doesn't cause a failure on arm64 but only on x86 architecture. 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup(userspace): remove unused API Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup: remove DEPRECATED `set_cri_delay` Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup: remove DEPRECATED `get_info_category` Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup: remove unused func from scap-open Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup: remove unused API in modern bpf probe Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup(libsinsp,libscap,libpman): cleanups, fixes for return values, memory management, allocations Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Roberto Scolaro <roberto.scolaro21@gmail.com> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> * fix(libscap): more readable cleanup in expand_buffer Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Roberto Scolaro <roberto.scolaro21@gmail.com> * fix(libsinsp): do not attempt to free the storage buffer that will be cleaned by the destructor Signed-off-by: Luca Guerra <luca@guerra.sh> * update(libsinsp): check gmtime as well Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Roberto Scolaro <roberto.scolaro21@gmail.com> * Update userspace/libsinsp/threadinfo.cpp Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Luca Guerra <luca@guerra.sh> * Update userspace/libsinsp/threadinfo.cpp Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Luca Guerra <luca@guerra.sh> * Update userspace/libsinsp/threadinfo.cpp Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Luca Guerra <luca@guerra.sh> * Update userspace/libsinsp/threadinfo.cpp Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Luca Guerra <luca@guerra.sh> * Update 
userspace/libsinsp/threadinfo.cpp Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Luca Guerra <luca@guerra.sh> * Update userspace/libsinsp/threadinfo.cpp Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Luca Guerra <luca@guerra.sh> * update(chisel): skip invalid fd tables Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Roberto Scolaro <roberto.scolaro21@gmail.com> * update(libsinsp): error if it's not possible to store the last event Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Roberto Scolaro <roberto.scolaro21@gmail.com> * fix(libpman): fix fclose Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * update(userspace/libsinsp): include filter ast headers in sinsp header Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * fix(userspace/libsinsp): solve scap_open issues Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * refactor(userspace/libsinsp): split and improve events set implementation Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * update(userspace/libsinsp): improve event codes api Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * doc: update syscall report Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new(driver/modern_bpf): add support for futex syscall Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(test): add unit test for futex enter and exit events Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * update(libsinsp): fix reduced_ variable names Signed-off-by: Luca Guerra <luca@guerra.sh> * cleanup: remove unused `drop_event_flags` logic Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * fix: initialize a flag Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * new(driver/modern_bpf): add support for lseek syscall Signed-off-by: Lorenzo Susini 
<susinilorenzo1@gmail.com> * new(driver/modern_bpf): add support for llseek syscall Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(test): add unit test for lseek enter and exit events Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(test): add unit test for llseek enter and exit events Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * fix: fix lseek tests failing for fd Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * fix(build): add right dependencies on minimal build Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * fix(userspace/libsinsp): include syscalls in sinsp_state_event_set Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * fix(driver): verifier issues on clang-7 Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * ci: add a CI job to test clang-7 Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * test: fix io_uring tests compilation Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * fix(cmake): make scap_engine_savefile depend on zlib only if not in minimal build Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * Add modern probe for getresgid Signed-off-by: David Windsor <dwindsor@secureworks.com> * s/uid/gid Signed-off-by: David Windsor <dwindsor@secureworks.com> * new(driver/modern_bpf): add support for select syscall Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(test): add unit test for select enter and exit events Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * update(driver): add support for chown syscall family Signed-off-by: Yaroslav Oliinyk <yoliinyk@secureworks.com> * Update driver/ppm_flag_helpers.h Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it> Signed-off-by: Yaro <104372025+yo348@users.noreply.github.com> * new(driver/modern_bpf): add support for splice syscall Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(driver): add support for splice syscall enter event Signed-off-by: Lorenzo Susini 
<susinilorenzo1@gmail.com> * new(driver/bpf): add support for splice syscall enter event Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * new(test): add unit tests for splice enter and exit events Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> * Add modern probe for getresuid Signed-off-by: David Windsor <dwindsor@secureworks.com> * fix(driver): fix build on linux-6.2 Attributes in "struct device*" are now const, so add a matching prototype for ppm_devnode(). Fixes falcosecurity#918 Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com> * fix(libsinsp): removed libsinsp::events::set.data() writable method. By letting others write directly to our inner vector, we did not update size. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * chore(ci): added driverkit test build on a 6.0 kernel and 6.2 kernel (refs falcosecurity#919). Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * new(ci): added a daily cron job to test kmod build against latest kernel available on archlinux. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * fix(ci): fixed latest-kernel job. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(ci): renamed latest_kernel to latest-kernel, following convention. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(ci): bump ci driverkit to use latest image tag. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * fix(ci): only build 6.2 arch kernel with driverkit as only 6.x kernel. Moreover, fixed wrong input name in latest-kernel. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com> * chore(ci): moved build-libs-driverkit to a matrix. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(ci): always test probe building in build-libs-driverkit job. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * fix(ci): fixed kernelrelease in build-driverkit matrix. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * fix(driver/bpf): fixed bpf probe build on kernel >= 6.2 Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(docs): add badge for new `Test build latest kernel available in archlinux` action. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * Add nullpointer check to struct passwd parsing. When node is using NIS / nss_compat for user management, /etc/passwd entries can refer to NIS groups or users, which causes parser to return null pointers instead of c-strings. This change includes checks agains those. In addition, a check is added to /etc/group parsing. Signed-off-by: Wiktor Gołgowski <wiktor.golgowski@sysdig.com> * fix(userspace/libsinsp): properly compute set size Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * update(userspace/libsinsp): add ppm_sc_code search in filter ASTs Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * test(userspace/libsinsp): grow and improve filter ppm codes tests Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * test(userspace/libsinsp): temporary disable some filter evt code tests Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * fix(userspace/filter): support ast evt code research with no information loss Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> * Add modern probe for mmap Signed-off-by: David Windsor <dwindsor@secureworks.com> * Add munmap Signed-off-by: David Windsor <dwindsor@secureworks.com> * Use event_test::assert_numeric_param when handling addresses; align addresses to page boundary Signed-off-by: David Windsor <dwindsor@secureworks.com> * fix(drivers): convert fd to s64 Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: David Windsor <dwindsor@secureworks.com> * Add modern probe for read Signed-off-by: David Windsor <dwindsor@secureworks.com> * Add test for 
read(2) failure case Signed-off-by: David Windsor <dwindsor@secureworks.com> * test: add a test for the snaplen case Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: David Windsor <dwindsor@secureworks.com> * fix(drivers): convert fd to s64 Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: David Windsor <dwindsor@secureworks.com> * cleanup(unit_tests): add new test macros for ppm sc API tests Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(unit_tests): add more ppm sc API tests * more cleanup for easier debugging * pointing out that few tests still need ppm sc API fixes for the generic events cases * event_set_to_sc_set * event_set_to_names Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(unit_tests): address reviewers comments plus additional cleanup, including shortening variable names across the board and adopt a consistent style Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * chore(driver): use gcc4.6+ `_Static_assert` to assert event table size. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(driver): use designated initializers for whole event_table. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(test/drivers): statically assert `cgroup_prefix_array` size. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * chore(driver): properly check that event_table is being built by gcc or with a c standard >= c11. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * new: Relax required kernel version for modern bpf Currently, modern bpf engine supports only kernels newer than 5.8, assuming all the dependencies (BTF, ring buffer maps, tracing progs) are supported on those kernels. This prevents it from supporting older versions, where BTF and ring buffers were back patched. 
Make modern bpf engine to check the ring buffer maps and tracing progs dependencies explicitly using libbpf helper. BTF vmlinux will be checked later on by libbpf with the corresponding error message (it makes sense to verify bpf features beforehand, because otherwise one have to figure it out from verified error logs, which is suboptimal). Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * fix(sinsp): don't crash without filter in sinsp-example If `-f` is not passed to sinsp-example, `get_filter_ast()` returns nullptr, so we immediately crash when trying to analyze the (non-existent) AST. Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> * new(driver/modern_bpf): add support for stat syscall Signed-off-by: Wiktor Gołgowski <wiktor.golgowski@sysdig.com> * new(test): add unit tests for stat events Signed-off-by: Wiktor Gołgowski <wiktor.golgowski@sysdig.com> * cleanup(scap): split scap_t allocation and initialization Otherwise, the proc callback (set from sinsp) gets called while m_h is still null, which requires passing the full handle as a separate callback parameter. Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> * cleanup(scap): remove scap_t parameter from proc_callback We alreaedy have m_h set to the right value, no point in overwriting it with every new proc scan result Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> * fix(build): Fix an include path `sinsp_events.h` doesn't reside in the same directory as `event.h`, so include it with a relative path. This avoids including `event.h` from libevent here. Signed-off-by: Gerald Combs <gerald@wireshark.org> * new(libpman): Improve error logging When logging an error via libpman, it uses strerror to represent the error. libbpf in turn uses -ESRCH for certain scenarios when some objects were not found, e.g. vmlinux or btf id. This makes libpman report "No such process" together with the error message, which is confusing. Add a special case to handle -ESRCH in error reporting logic. 
Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * new(modern_bpf): Extend error logging for probing Be more verbose during feature probing, letting the caller know what exactly went wrong. Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * cleanup(modern_probe): Remove unnecessary definitions Cleaup leftovers after lifting restrictions on the oldest supported kernel version. Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * cleanup(libsinsp): add all_generic_sc_event_set, all_non_generic_sc_event_set, all_non_sc_event_set to ppm sc API Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * fix(libsinsp): handle corner cases and special snowflakes in names_to_sc_set in ppm sc API Extra back and forth mapping to resolve overloaded event <-> sc names, e.g. accept -> accept, accept4 Plus account for variants that share event codes, e.g. eventfd, eventfd2 share PPME_SYSCALL_EVENTFD_E, PPME_SYSCALL_EVENTFD_X Plus handle special snowflakes, e.g. "umount" event string maps to PPME_SYSCALL_UMOUNT_E, PPME_SYSCALL_UMOUNT_X, but in actuality applies for "umount2" syscall as "umount" syscall is a generic event -> end result is activating both umount, umount2 Since names_to_event_set would resolve generic sc events, we only apply these extra lookups for non generic sc event codes New tests added as well. Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): refactor event_set_to_names in ppm sc API Refactor so that event_set_to_names is more ppm sc API native and easier to audit. New method achieves equivalent results, no regression. Extend unit tests. Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): add resolve_sc bool to event_set_to_names in ppm sc API Have the option to convert event_set to names as defined in the event_table without proper sc resolution. 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * fix(driver): link to PPME_SYSCALL_ def for lstat64 in syscall table Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * chore(unit_tests): add event_set_to_sc_set_generic_events Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * chore(libsinsp): improve ppm sc API docs Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * fix(unit_tests) Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(driver): fix for lstat64 included in another PR, purge again Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): address reviewers comments Do not add additional sinsp APIs and instead use one liner filters Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): adjust event_set_to_names event_set_to_names -> adjust option to resolve to sc names, but only for generic events to not duplicate sc_set_to_names Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * chore(libsinsp): improve comments Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * chore(libsinsp): leave todo comment for future refactor Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(libsinsp): adjust event_set_to_names After a fresh look optimize event_set_to_names given we sequentially adjusted approach in one PR. 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * Add modern probe for nanosleep Signed-off-by: David Windsor <dwindsor@secureworks.com> * Finalize auxmap header before submitting Signed-off-by: David Windsor <dwindsor@secureworks.com> * Use fixed_size api Signed-off-by: David Windsor <dwindsor@secureworks.com> * fix: adapt timespec logic between drivers Using `struct timespec` in kernels >= 4.18 we cannot catch the nanoseconds Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: David Windsor <dwindsor@secureworks.com> * cleanup: adapt `ppoll` logic to new timespec extraction Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: David Windsor <dwindsor@secureworks.com> * fix: solve some inconsistencies with `PPM_SC_UMOUNT` and `PPM_SC_LSTAT64` before this commit these two syscalls were considered "generic" but they had an associate event in the event table. Now these two syscalls use specific events and are no more generic. Please note that we need to craft new events for `PPM_SC_UMOUNT` and `PPM_SC_UMOUNT2` since `PPM_SC_UMOUNT` cannot use `PPME_SYSCALL_UMOUNT_E`, this is just a tmp patch. Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * fix: add 2 new syscalls `PPM_SC_RECV` and `PPM_SC_SEND` Before this commit we just had event pairs to instrument these syscalls but not a real code to identify them, for this reason their event pairs were associated to `PPM_SC_UNKNOWN`. 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup: use "NA" as unknown event name Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * update: support new `umount` event pair Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * tests: remove `PPME_CONTAINER_X` event remove `PPME_CONTAINER_X` event from `event_set_to_names_no_generic_events1` test since after this fix it is associated with `NA` name instead of `container` Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * cleanup(libsinsp): remove numbers from check enum for fields related to proc.x or thread.x Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * new(libsinsp): add aexepath filter and display option Being able to filter process ancestry by exepath can be especially useful for writing rules around shells / RCE originating from java processes, because here often proc.name aka the process name can rather reflect the current program name. This new option provides new opportunities to write filter expressions for many use cases. Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * cleanup(unit_tests): re-use field_exists Co-authored-by: Luca Guerra <luca@guerra.sh> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * new(libsinsp): add aexe filter and display option This new option provides new opportunities to write filter expressions for many use cases. Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> * new(driver/modern_bpf): Allow excluding tail-called programs Since modern bpf drivers contains a bunch of various tail-called progs, it makes sense to customize their build and linking process, making it more flexible. It could be helpful in a few scenarios: * Consider a situation when one of those programs found to be faulty. In this case one have no other options except to wait for bugfix, where in theory the problematic bpf prog could be excluded from the driver. 
* Another example is when the set of useful syscalls to capture is limited via `g_64bit_interesting_syscalls_table`. In such case the caller is not interested in anything else besides specified syscalls, and excluding not needed progs will reduce the overall bpf probe size. Introduce possibility to exclude tail-called programs from the build if the name is matching specified regex, e.g.: -DMODERN_BPF_EXCLUDE_PROGS='^(clone3|io_uring_setup)$' In this way affected tail-called programs will not get build and linked into the main bpf probe. Subsequent attempts to load them and put into the tail-call map will not find those progs by name, but not it's not considered a hard failure. In case if the corresponding syscalls behind excluded bpf progs are still captured, a generic "stub" program will be used instead. Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * update(cmake): upgrade to libtbb v2021.8.0 Signed-off-by: Luca Guerra <luca@guerra.sh> * new(libscap,libsinsp): added a new g_events_to_sc_map libscap table to map each PPME_EVENT to the PPM_SC that generate it. Moreover, small improvements to libsinsp::events API. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * cleanup(libsinsp): cleaned up libsinsp tests by removing ifdefs. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * fix(libsinsp/test): fixed tests. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * fix(libscap,libsinsp): fixed g_events_to_sc_map after rebase. Moreover, cleaned up interesting_syscalls test and added a new events_set test. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> * Add modern probe for write Signed-off-by: David Windsor <dwindsor@secureworks.com> * Fix build errors Signed-off-by: David Windsor <dwindsor@secureworks.com> * Push correct parameter for size Signed-off-by: David Windsor <dwindsor@secureworks.com> * Fix tests Signed-off-by: David Windsor <dwindsor@secureworks.com> * Open test file for writing Signed-off-by: David Windsor <dwindsor@secureworks.com> * Check for return of 'open' rather than 'write' Signed-off-by: David Windsor <dwindsor@secureworks.com> * Add O_WRONLY to open flags for write() test Signed-off-by: David Windsor <dwindsor@secureworks.com> * Assert correct parameter Signed-off-by: David Windsor <dwindsor@secureworks.com> * Revert last change Signed-off-by: David Windsor <dwindsor@secureworks.com> * Hard-code file descriptor value Signed-off-by: David Windsor <dwindsor@secureworks.com> * fix(drivers): broken tests - conversion of `fd` to `s64` - management of syscall failure Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: David Windsor <dwindsor@secureworks.com> * new(modern_bpf): support for socketcall multiplexer Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(test): add socketcall multiplexer tests Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(bpf): support for socketcall multiplexer Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> * update(tests): correct socket tests Perform socket call tests in child process to not interfere with scap socket calibration. 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> * update(kmod): avoid the simple consumer mode with socketcall Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> * update(README): add BPF driver support for `s390x` With BPF probe read variants for kernel and user space, as well as, socketcall support, the BPF driver now works on s390x. Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `recv`/`sendmmsg` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `shutdown` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `accept`/`accept4` Note on s390x: The `SYS_ACCEPT` socketcall is dispatched to the `accept4` because `accept` does not exist. This also requires some special handling in the tests for `accept`. Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * chore(tests): socketcall define clean-up Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * update(tests): ignore socketcall accept tests for kmod The kernel module evaluates the socketcall identifier and maps it to events. The BPF and modern BPF probe implementations are based on syscalls directly. With the lack of `accept` on s390x, the BPF implementations map the event to an `accept4`. Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * driver(bpf,modern_bpf): socketcall remarks on `accept4` The BPF and modern BPF implementation supports socketcalls based on the system call identifier. On s390x, the `accept` system call does not exist and the implementation maps a `SYS_ACCEPT` to an `accept4` system call. The current `accept4` implementation ignores the `flags` parameter and returns zero. If this will be changed, there is a need to test for `SYS_ACCEPT` to avoid reading beyond the passed parameters as well as to avoid an information leak. 
Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `listen` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(bpf,modern_bpf): socketcall support for `send` and `recv` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `recvfrom` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(bpf,modern_bpf): socketcall for `getsockname` and `getpeername` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `socketpair` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `sendto` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `sendmsg` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `recvmsg` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `getsockopt` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * new(tests): socketcall tests for `setsockopt` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * update(tests): enclose all socketcall tests with `__NR_socketcall` Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * fix(kmod): use socketcall args in {get,set}sockopt_x Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> * [Stackrox] fixes following merge to 0.10.3 * new: Relax required kernel version for modern bpf Currently, modern bpf engine supports only kernels newer than 5.8, assuming all the dependencies (BTF, ring buffer maps, tracing progs) are supported on those kernels. This prevents it from supporting older versions, where BTF and ring buffers were back patched. Make modern bpf engine to check the ring buffer maps and tracing progs dependencies explicitly using libbpf helper. 
BTF vmlinux will be checked later on by libbpf with the corresponding error message (it makes sense to verify bpf features beforehand, because otherwise one have to figure it out from verified error logs, which is suboptimal). Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * new(libpman): Improve error logging When logging an error via libpman, it uses strerror to represent the error. libbpf in turn uses -ESRCH for certain scenarios when some objects were not found, e.g. vmlinux or btf id. This makes libpman report "No such process" together with the error message, which is confusing. Add a special case to handle -ESRCH in error reporting logic. Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * new(modern_bpf): Extend error logging for probing Be more verbose during feature probing, letting the caller know what exactly went wrong. Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * cleanup(modern_probe): Remove unnecessary definitions Cleaup leftovers after lifting restrictions on the oldest supported kernel version. Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> * new(driver/modern_bpf): Allow excluding tail-called programs Since modern bpf drivers contains a bunch of various tail-called progs, it makes sense to customize their build and linking process, making it more flexible. It could be helpful in a few scenarios: * Consider a situation when one of those programs found to be faulty. In this case one have no other options except to wait for bugfix, where in theory the problematic bpf prog could be excluded from the driver. * Another example is when the set of useful syscalls to capture is limited via `g_64bit_interesting_syscalls_table`. In such case the caller is not interested in anything else besides specified syscalls, and excluding not needed progs will reduce the overall bpf probe size. 
Introduce possibility to exclude tail-called programs from the build if the name is matching specified regex, e.g.: -DMODERN_BPF_EXCLUDE_PROGS='^(clone3|io_uring_setup)$' In this way affected tail-called programs will not get build and linked into the main bpf probe. Subsequent attempts to load them and put into the tail-call map will not find those progs by name, but not it's not considered a hard failure. In case if the corresponding syscalls behind excluded bpf progs are still captured, a generic "stub" program will be used instead. Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> --------- Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it> Signed-off-by: Luca Guerra <luca@guerra.sh> Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com> Signed-off-by: David Windsor <dwindsor@secureworks.com> Signed-off-by: Yaroslav Oliinyk <yoliinyk@secureworks.com> Signed-off-by: Yaro <104372025+yo348@users.noreply.github.com> Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com> Signed-off-by: Wiktor Gołgowski <wiktor.golgowski@sysdig.com> Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com> Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Signed-off-by: Gerald Combs <gerald@wireshark.org> Signed-off-by: Hendrik Brueckner <brueckner@de.ibm.com> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com> Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Iacopo Rozzo 
<iacopo@sysdig.com> Co-authored-by: Roberto Scolaro <roberto.scolaro21@gmail.com> Co-authored-by: David Windsor <dwindsor@secureworks.com> Co-authored-by: Yaroslav Oliinyk <yoliinyk@secureworks.com> Co-authored-by: Yaro <104372025+yo348@users.noreply.github.com> Co-authored-by: Holger Hoffstätte <holger@applied-asynchrony.com> Co-authored-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com> Co-authored-by: Wiktor Gołgowski <wiktor.golgowski@sysdig.com> Co-authored-by: Dmitrii Dolgov <9erthalion6@gmail.com> Co-authored-by: Gerald Combs <gerald@wireshark.org>
(previous sysdig contributor & Gentoo maintainer here :)
The old-style scap driver fails to build against kernel 6.2.0:
This cryptic message stems from the fact that apparently some attributes of the `struct device` returned from class_create() are const since 6.2 and the conditional `ppm_devnode` prototypes no longer match, since they are declared to take a non-const `struct device*`.
The fix is easy: more `#ifdef`s 😆
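The prototype mismatch and the version-gated fix described in this report, as an added userspace model (not the driver's code and not the patch posted in this thread). `struct device_class`, `devnode_slot_t`, the stand-in `struct device`, the callback body and the two helper functions are constructed for illustration, and `LINUX_VERSION_CODE` defaults to 6.2.0 so the file compiles outside a kernel tree.

```c
/* Userspace model of the 6.2 devnode signature change; not driver code. */
#include <stdio.h>

#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
#ifndef LINUX_VERSION_CODE /* constructed default: build "against" 6.2.0 */
#define LINUX_VERSION_CODE KERNEL_VERSION(6, 2, 0)
#endif
typedef unsigned short umode_t;
struct device { int devt; }; /* stand-in for the kernel type */
typedef char *(*devnode_legacy_t)(struct device *, umode_t *);
typedef char *(*devnode_const_t)(const struct device *, umode_t *);

/* Callback slot type as the (modelled) kernel headers declare it. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 2, 0)
typedef devnode_const_t devnode_slot_t;
#else
typedef devnode_legacy_t devnode_slot_t;
#endif
struct device_class { devnode_slot_t devnode; }; /* stand-in class object */

/* The fix: one prototype per kernel range, chosen at compile time. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 2, 0)
static char *ppm_devnode(const struct device *dev, umode_t *mode)
#else
static char *ppm_devnode(struct device *dev, umode_t *mode)
#endif
{
	if (dev && mode)
		*mode = 0400; /* constructed body: owner read-only node */
	return NULL;
}

/* 1 if the pre-6.2 prototype still fits the slot (GCC/Clang builtin). */
int legacy_prototype_fits(void)
{
	return __builtin_types_compatible_p(devnode_slot_t, devnode_legacy_t);
}

/* Register the gated callback and call it through the slot. */
umode_t mode_via_class(void)
{
	struct device dev = { 0 };
	struct device_class cls = { .devnode = ppm_devnode };
	umode_t mode = 0;
	cls.devnode(&dev, &mode);
	return mode;
}

int main(void) { printf("%d %o\n", legacy_prototype_fits(), (unsigned)mode_via_class()); return 0; }
```

Building with `-DLINUX_VERSION_CODE=393472` (6.1.0) selects the non-const branch, and `legacy_prototype_fits()` then returns 1.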