fs.target.name appears broken

[cccsss01]

fs.target.name creates error in falco-modern-bpf service.

Describe the bug Falco version: 0.36.2 (x86_64)

unable to utilize fs.target.name How to reproduce it install falco-modern-bpf 0.36.2 Fedora 34 distro 5.14.0-362.13.1.el9_3.x86_64

install falco-modern-bpf 0.36.2 Fedora 34 distro 5.14.0-362.13.1.el9_3.x86_64

Create local rules yaml file `- list: file_operation_paths items: [/share]

• macro: open_write condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)

• macro: open_read condition: (evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0)

• macro: open_file_failed condition: (evt.type in (open,openat,openat2) and fd.typechar='f' and fd.num=-1 and evt.res startswith E)

• macro: rename condition: evt.type in (rename, renameat)

• macro: mkdir condition: evt.type = mkdir

• macro: remove condition: evt.type in (rmdir, unlink, unlinkat)

• macro: modify condition: rename or remove

• macro: file_operation condition: (open_read or open_write or modify or open_file_failed or create_symlink or evt.type in (link,linkat))

• rule: Any File Related Operation in Path desc: Detect any file operation on a single path condition: (fs.target.name pmatch (file_operation_paths)) and file_operation output: > Some File Related Operation on Path (evt.type=%evt.type target=%fs.target.name) priority: DEBUG source: syscall` Expected behaviour

I expect service to reload/restart successfully. Screenshots

Environment

• Falco version:

  Falco version: 0.36.2 Libs version: 0.13.4 Plugin API: 3.1.0 Engine: 26 Driver: API version: 5.0.0 Schema version: 2.0.0 Default driver: 6.0.1+driver

• System info:
• Cloud provider or hardware configuration:
• OS: NAME="AlmaLinux" VERSION="9.3 (Shamrock Pampas Cat)" ID="almalinux" ID_LIKE="rhel centos fedora" VERSION_ID="9.3" PLATFORM_ID="platform:el9" PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)" ANSI_COLOR="0;34" LOGO="fedora-logo-icon" CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos" HOME_URL="https://almalinux.org/" DOCUMENTATION_URL="https://wiki.almalinux.org/" BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9" ALMALINUX_MANTISBT_PROJECT_VERSION="9.3" REDHAT_SUPPORT_PRODUCT="AlmaLinux" REDHAT_SUPPORT_PRODUCT_VERSION="9.3"

RPM

1 Errors: In rules content: (/etc/falco/falco_rules.local.yaml:0:0) rule 'Any File Related Operation in Path': (/etc/falco/falco_rules.local.yaml:28:2) rule output: (/etc/falco/falco_rules.local.yaml:31:10)

output: > ^

LOAD_ERR_COMPILE_OUTPUT (Error compiling output): invalid formatting token fs.target.name)

[incertum]

fs.target.name is not a valid field, see https://falco.org/docs/rules/fspath/

fs.path.name
fs.path.nameraw
fs.path.source
fs.path.sourceraw
fs.path.target
fs.path.targetraw

[cccsss01]

Acknowledged. We fixed a couple of things around fs.path.* fields and if ok with you could we wait for 2 weeks until Falco 0.37.0 is out? Then try again?

Or if you can try with the current master build it would be even better.

Yes, sounds good, 0.35.0 it works at least loaded in the service.

fs.target.name is not a valid field, see https://falco.org/docs/rules/fspath/

fs.path.name
fs.path.nameraw
fs.path.source
fs.path.sourceraw
fs.path.target
fs.path.targetraw

very interesting as the example below within the docs referenced it references fs.target.name and again, at least loads with 0.35.0

[cccsss01]

Docs in example is wrong.