exein-io / pulsar

A modular and blazing fast runtime security tool for the IoT, powered by eBPF.
https://pulsar.sh

fix(file-system-monitor): De-duplicate `FileOpen` alerts for containers #239

Closed vadorovsky closed 8 months ago

vadorovsky commented 8 months ago

When reading files inside a container, the `file_open` LSM hook gets triggered twice. Before this change, it resulted in threat alerts being issued twice when the opened file matched a rule.

The only difference which can be spotted between the `struct file` instances in both calls of `file_open` is an additional bit in `file->f_flags` during the second call.

When calling `cat /etc/shadow` inside a container, the `f_flags` are respectively:

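Added illustration of the de-duplication idea described in the PR (not pulsar's own code, and not the actual patch): key the seen-cache on `(pid, path)` and a short time window, and deliberately leave `f_flags` out of the key, since the second `file_open` call differs only by an extra flag bit. The `FileOpenEvent` fields, the window length and the sample values are assumptions for this example.

```rust
use std::collections::HashMap;

/// Constructed model of one `file_open` LSM hit as a monitor would see it.
/// Field names are assumptions for this example, not pulsar's real event type.
#[derive(Debug, Clone)]
pub struct FileOpenEvent {
    pub pid: u32,
    pub path: String,
    pub f_flags: u32,
    pub timestamp_ns: u64,
}

/// Collapses `FileOpen` hits for the same (pid, path) that arrive within
/// `window_ns` of each other, regardless of how `f_flags` differ.
pub struct FileOpenDedup {
    window_ns: u64,
    last_alerted: HashMap<(u32, String), u64>,
}

impl FileOpenDedup {
    pub fn new(window_ns: u64) -> Self {
        Self { window_ns, last_alerted: HashMap::new() }
    }

    /// Returns true if this event should raise an alert, false if an alert
    /// for the same (pid, path) was already raised inside the window.
    /// `f_flags` is intentionally not part of the key.
    pub fn should_alert(&mut self, ev: &FileOpenEvent) -> bool {
        let key = (ev.pid, ev.path.clone());
        match self.last_alerted.get(&key) {
            Some(&prev) if ev.timestamp_ns.saturating_sub(prev) <= self.window_ns => false,
            _ => {
                self.last_alerted.insert(key, ev.timestamp_ns);
                true
            }
        }
    }
}

/// Feeds a sequence of events through one de-duplicator and counts alerts.
pub fn count_alerts(events: &[FileOpenEvent], window_ns: u64) -> usize {
    let mut dedup = FileOpenDedup::new(window_ns);
    events.iter().filter(|e| dedup.should_alert(e)).count()
}

fn main() {
    // Constructed pair mirroring the report: same pid and path, second hit
    // carries one extra flag bit. Flag values are made up for the example.
    let hits = vec![
        FileOpenEvent { pid: 42, path: "/etc/shadow".into(), f_flags: 0o100000, timestamp_ns: 1_000 },
        FileOpenEvent { pid: 42, path: "/etc/shadow".into(), f_flags: 0o100000 | 0o2000000, timestamp_ns: 1_500 },
    ];
    println!("alerts raised: {}", count_alerts(&hits, 1_000_000));
}
```

A later open of the same file by the same process, outside the window, still alerts, so the cache suppresses only the doubled hook invocation and not genuine repeat accesses.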
banditopazzo commented 8 months ago

Closed as it seems to be the normal behaviour.