Closed d4l-w4r closed 1 month ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi! I just noticed that sysdig seems to miss a syscall error that is caught by both auditd and strace. Note: I'm using sysdig without eBPF.
When I run the following command from my normal, non-privileged user
[ -r /root ] || echo "not root"
sysdig correctly catches that the syscall
faccessat2
is used by this expression, however no corresponding EACCES
error is found in the "Errors" view of csysdig.
When using the same expression with strace, I get the following line in the output:
access("/root", R_OK) = -1 EACCES (Permission denied)
And also auditd will log this EACCES (13) event when I add the rule -a always,exit -S all -F exit=-EACCES:
type=SYSCALL (...) syscall=439 success=no exit=-13 (...) comm="bash" exe="/usr/bin/bash" (...) SYSCALL=faccessat2
If I instead try to use
touch /root/test
as a non-privileged user, csysdig will correctly show an EACCES
error caused by the openat
syscall.
Is this a bug, or somehow expected/intended behavior?
The only real difference I see here is that
[
or the equivalent test
are built-ins of the shell.
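One way to separate the shell built-in from the syscall itself when checking tracer coverage is a standalone binary that performs the same access check. The following is an added example, not code from the issue author or from the sysdig project; the function names `probe_access` and `probe_faccessat2` are hypothetical, and it assumes Linux, with 439 taken from the auditd record above as the fallback number for faccessat2.

```c
/* Added example: run the access check from the issue outside the shell,
 * once through libc access() and once through the raw faccessat2 syscall,
 * so each tracer's output can be compared call by call. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* assumption: number shown in the auditd record */
#endif

/* Returns 0 on success, otherwise the errno reported for the call. */
int probe_access(const char *path, int mode)
{
    errno = 0;
    return access(path, mode) == 0 ? 0 : errno;
}

/* Same check, bypassing libc so the syscall used is known exactly. */
int probe_faccessat2(const char *path, int mode)
{
    errno = 0;
    return syscall(SYS_faccessat2, AT_FDCWD, path, mode, 0) == 0 ? 0 : errno;
}

static void report(const char *name, const char *path, int err)
{
    printf("pid=%d %-11s %s -> %s\n", (int)getpid(), name, path,
           err ? strerror(err) : "ok");
}

int main(int argc, char **argv)
{
    /* Default path is the one from the issue; pass another as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/root";
    report("access", path, probe_access(path, R_OK));
    report("faccessat2", path, probe_faccessat2(path, R_OK));
    return 0;
}
```

Run it as a non-privileged user under strace, auditd and sysdig in turn; the printed pid makes it easy to match the two calls against each tool's records and see which failed call is missing.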