cleanup(driver): fix flags param

[ecbadeaux]

What type of PR is this?

/kind bug

/kind cleanup

Any specific area of the project related to this PR?

/area driver-bpf

Does this PR require a change in the driver versions?

I am not sure about this.

What this PR does / why we need it:

I am trying to address the issue where dup3 is handling the flag params as an unsigned integer when it should be handling it as in int.

Which issue(s) this PR fixes:

part of #515
(partial fix other issues still remain in 515)

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[github-actions]

Please double check driver/API_VERSION file. See versioning.

/hold

[incertum]

Ty! We may need another rebase.

[ecbadeaux]

@incertum Should be good now.

[ecbadeaux]

@incertum @Andreagit97 changes implemented

[FedeDP]

I just started kernel matrixes tests against this branch, to check whether we break anything!
https://github.com/falcosecurity/libs/actions/runs/6949833686

[ecbadeaux]

case __NR_dup3:
			ret.status = scap_gvisor::fillers::fill_event_dup3_x(
			                 scap_buf, &ret.size, scap_err,
			                 gvisor_evt.exit().result(),
			                 gvisor_evt.old_fd(),
			                 gvisor_evt.new_fd(),
			                 dup3_flags_to_scap(gvisor_evt.flags()));
			break;

@incertum @Andreagit97
Can someone point to the codebase where I can find out the integer type for gvisor_evt.flags()? This may need to be C casted to (int) since it makes use of dup3_flags_to_scap()

[FedeDP]

Matrix for arm64:

KERNEL	CMAKE-CONFIGURE	KMOD BUILD	KMOD SCAP-OPEN	BPF-PROBE BUILD	BPF-PROBE SCAP-OPEN	MODERN-BPF SCAP-OPEN
amazonlinux2-5.4	🟢	🟢	🟢	🟢	🟢	🟡
amazonlinux2022-5.15	🟢	🟢	🟢	🟢	🟢	🟢
fedora-6.2	🟢	🟢	🟢	🟢	🟢	🟢
oraclelinux-4.14	🟢	🟢	🟢	🟡	🟡	🟡
oraclelinux-5.15	🟢	🟢	🟢	🟢	🟢	🟢
ubuntu-6.3	🟢	🟢	🟢	🟢	🟢	🟢

Matrix for x86_64:

KERNEL	CMAKE-CONFIGURE	KMOD BUILD	KMOD SCAP-OPEN	BPF-PROBE BUILD	BPF-PROBE SCAP-OPEN	MODERN-BPF SCAP-OPEN
amazonlinux2-4.19	🟢	🟢	🟢	🟢	🟢	🟡
amazonlinux2-5.10	🟢	🟢	🟢	🟢	🟢	🟢
amazonlinux2-5.15	🟢	🟢	🟢	🟢	🟢	🟢
amazonlinux2-5.4	🟢	🟢	🟢	🟢	🟢	🟡
amazonlinux2022-5.15	🟢	🟢	🟢	🟢	🟢	🟢
amazonlinux2023-6.1	🟢	🟢	🟢	🟢	🟢	🟢
archlinux-6.0	🟢	🟢	🟢	🟢	🟢	🟢
centos-3.10	🟢	🟢	🟢	🟡	🟡	🟡
centos-4.18	🟢	❌	❌	🟢	🟢	🟢
centos-5.14	🟢	🟢	🟢	🟢	🟢	🟢
fedora-5.17	🟢	❌	❌	🟢	🟢	🟢
fedora-5.8	🟢	🟢	🟢	🟢	🟢	🟢
fedora-6.2	🟢	🟢	🟢	🟢	🟢	🟢
oraclelinux-3.10	🟢	🟢	🟢	🟡	🟡	🟡
oraclelinux-4.14	🟢	🟢	🟢	🟢	🟢	🟡
oraclelinux-5.15	🟢	🟢	🟢	🟢	🟢	🟢
oraclelinux-5.4	🟢	🟢	🟢	🟢	🟢	🟡
ubuntu-4.15	🟢	🟢	🟢	🟢	🟢	🟡
ubuntu-6.3	🟢	🟢	🟢	🟢	🟢	🟢

No regressions from master!

[Andreagit97]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 250e9c1d7f2b4796dccbd6ea818149a4ab8cc628

[Andreagit97]

/hold

[Andreagit97]

@incertum @Andreagit97
Can someone point to the codebase where I can find out the integer type for gvisor_evt.flags()? This may need to be C casted to (int) since it makes use of dup3_flags_to_scap()

I think that the right way to do that would be to change the proto message

libs/userspace/libscap/engine/gvisor/proto/pkg/sentry/seccheck/points/syscall.proto

Line 170 in 4e9a3cc

message Dup {

but i'm not sure this is what we want, in the end, it is already on 32 bits... WDYT? @LucaGuerra

[FedeDP]

/approve

[LucaGuerra]

I think that the right way to do that would be to change the proto message

That proto is vendored from gVisor and we should not change it directly in the Falco codebase. I think a cast (implicit like it is now or explicit) is fine in this case.

[ecbadeaux]

Can you guys reapprove @FedeDP @Andreagit97 and merge? I added the explicit cast to parsers.cpp now everything is consistent.

[FedeDP]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 884e361d2e608978aa3dd7dfdad4b3190ba1dcbe

[incertum]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, ecbadeaux, FedeDP, incertum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[incertum]

/unhold