falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
https://falcosecurity.github.io/libs/
Apache License 2.0

Missing socket syscall events (connect, bind,...) with kmod when running 32bit executable #1045

Closed chkp-egorn closed 10 months ago

chkp-egorn commented 1 year ago

Describe the bug

I've been testing the driver + libscap separately from sysdig and subscribed only to a subset of syscalls (not all of them, like sysdig does). When a 32-bit executable is running, the events from socket syscalls are missing. I've done some research and found out that the problem is in driver/src/main.c's record_event_consumer() function. (Consider the connect syscall, as I've been testing with it mostly.) Basically, the function receives events for connect, but on a 32-bit system they appear as PPME_GENERIC_E/X and later on they're extended in the parse_socketcall() function into PPME_SOCKET_CONNECT_E/X events. The problem is that PPME_GENERIC_E/X is not set in the events_mask, so they get rejected by the test_bit() check and the events never get a chance to be parsed properly.

Tested it on Ubuntu 18.04 and CentOS 7.9

How to reproduce it

Compile a simple 32-bit executable:

  1. Install dependencies:
    • For Ubuntu 18.04: apt-get install libc6-dev-i386 && cd /usr/include && ln -s x86_64-linux-gnu/asm/ asm
    • For Centos 7.9: yum install -y glibc.i686 glibc-devel.i686 libgcc.i686
  2. Build: gcc -m32 test_connect.c -o test_connect

Simple executable link (markdown in the ticket breaks)

Modify sysdig to subscribe only to connect syscall:

  1. Modify the file userspace/sysdig/utils/sinsp_opener.cpp in the main sysdig repo
  2. Rebuild sysdig
  3. Run it with sysdig evt.type=connect

Run the 32-bit executable test_connect

Expected behaviour

Events for the connect syscall should be parsed and appear in the sysdig output

Screenshots

I compiled two versions of the program and ran them with the modified sysdig. The 32-bit version hasn't given any events, while the 64-bit version showed proper results.

Environment

centos$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Additional context
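The test_connect.c linked from the report is not on this page. The following is a constructed stand-in, added here as an example and not the reporter's file: it creates a loopback listener on an ephemeral port and then connects to it, so it runs offline, and where the ABI defines __NR_socketcall (i386, when built with -m32) it issues the connect through the multiplexed socketcall syscall explicitly, so the path the report describes is exercised regardless of which syscall the libc wrapper would pick. The sub-call number 3 is SYS_CONNECT from <linux/net.h>, defined locally to avoid pulling kernel headers next to <sys/socket.h>.

```c
/*
 * Added example (not the reporter's test_connect.c): loopback connect test
 * that goes through socketcall(2) on i386 and through connect(2) elsewhere.
 * Build 32-bit with: gcc -m32 test_connect.c -o test_connect
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* SYS_CONNECT sub-call number from <linux/net.h>; defined here to keep
 * kernel UAPI headers out of a file that also includes <sys/socket.h>. */
enum { SOCKETCALL_CONNECT = 3 };

/* connect() via the multiplexed socketcall syscall when the ABI has one
 * (i386), otherwise via the ordinary libc wrapper. */
static int do_connect(int fd, const struct sockaddr *sa, socklen_t len)
{
#ifdef __NR_socketcall
    unsigned long args[3] = { (unsigned long)fd, (unsigned long)sa, (unsigned long)len };
    return (int)syscall(__NR_socketcall, SOCKETCALL_CONNECT, args);
#else
    return connect(fd, sa, len);
#endif
}

/* Loopback listener on an ephemeral port; returns the fd and fills *port. */
static int make_listener(uint16_t *port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = 0 };
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof sin;
    if (bind(fd, (struct sockaddr *)&sin, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sin.sin_port);
    return fd;
}

/* Returns 0 when the connect succeeds, otherwise -errno of the failing step. */
int connect_roundtrip(void)
{
    uint16_t port;
    int lfd = make_listener(&port);
    if (lfd < 0)
        return -errno;
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0) {
        int e = errno;
        close(lfd);
        return -e;
    }
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = do_connect(cfd, (struct sockaddr *)&sin, sizeof sin);
    int e = rc < 0 ? errno : 0;
    close(cfd);
    close(lfd);
    return rc < 0 ? -e : 0;
}

int main(void)
{
    int rc = connect_roundtrip();
    printf("connect: %s\n", rc == 0 ? "ok" : strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run the -m32 build under the connect-only sysdig from the steps above; a kmod with the ordering bug shows nothing for it, while the 64-bit build of the same file produces a connect event.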

FedeDP commented 1 year ago

Hi! 32-bit support is a well-known limitation of our eBPF drivers. There is a tracking issue here: #279.

In this case, since you are talking about the kmod, it should work. Therefore this is actually a new bug. Indeed, this should be fixed in master since we now use the syscall number to filter (and not the event type). See it here: https://github.com/falcosecurity/libs/blob/master/driver/main.c#L1792

But, thanks to you, we actually found a small bug: the syscalls resolved from socketcall were not tested against the interesting-syscalls set on the kmod. I am going to open a PR to fix this!
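The two orderings discussed in this thread, modelled in user space as an added example (not falcosecurity/libs code): the report's ordering tests the consumer's event mask before parse_socketcall() has turned the generic socketcall event into the socket-specific one, so a consumer subscribed only to connect drops it; the fixed ordering resolves the socketcall sub-call to its direct syscall number first and tests that number against the interesting-syscalls set. The event enum, struct and function names are constructed for this model and are not the driver's identifiers; the syscall numbers are the i386 ones, used here only as bitmap indices.

```c
/*
 * Added example, not falcosecurity/libs code: a user-space model of gating a
 * socketcall-multiplexed event against the consumer's interest set, in the
 * order the report describes (buggy) and in the fixed order.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* socketcall(2) sub-call numbers as in <linux/net.h>. */
enum { SC_SOCKET = 1, SC_BIND = 2, SC_CONNECT = 3 };

/* i386 syscall numbers, used only as indices into the interest bitmap. */
enum { NR_SOCKETCALL = 102, NR_SOCKET = 359, NR_BIND = 361, NR_CONNECT = 362, NR_LIMIT = 512 };

/* Constructed event types standing in for PPME_GENERIC_E / PPME_SOCKET_*_E. */
typedef enum { EV_NONE = -1, EV_GENERIC = 0, EV_SOCKET, EV_BIND, EV_CONNECT, EV_COUNT } event_type;

typedef struct {
    uint8_t events_mask[(EV_COUNT + 7) / 8]; /* old kmod: keyed by event type */
    uint8_t interesting[NR_LIMIT / 8];       /* new kmod: keyed by syscall number */
} consumer;

static bool test_bit(const uint8_t *bm, unsigned n) { return (bm[n / 8] >> (n % 8)) & 1u; }
static void set_bit(uint8_t *bm, unsigned n) { bm[n / 8] |= (uint8_t)(1u << (n % 8)); }

/* Resolve a socketcall sub-call to the equivalent direct syscall number. */
static int socketcall_to_syscall(unsigned call)
{
    switch (call) {
    case SC_SOCKET:  return NR_SOCKET;
    case SC_BIND:    return NR_BIND;
    case SC_CONNECT: return NR_CONNECT;
    default:         return -1;
    }
}

/* Map a direct syscall number to its event type; anything else is generic. */
static event_type syscall_to_event(int nr)
{
    switch (nr) {
    case NR_SOCKET:  return EV_SOCKET;
    case NR_BIND:    return EV_BIND;
    case NR_CONNECT: return EV_CONNECT;
    default:         return EV_GENERIC;
    }
}

/* The configuration from the report: subscribed to connect only. */
void subscribe_connect_only(consumer *c)
{
    memset(c, 0, sizeof *c);
    set_bit(c->events_mask, EV_CONNECT);
    set_bit(c->interesting, NR_CONNECT);
}

/* Ordering from the report: socketcall enters as the generic event, the mask
 * is tested on that, and only afterwards would the sub-call be parsed. */
event_type record_event_old(const consumer *c, int nr, unsigned call)
{
    event_type ev = syscall_to_event(nr); /* socketcall -> EV_GENERIC */
    if (!test_bit(c->events_mask, (unsigned)ev))
        return EV_NONE;                   /* dropped before parse_socketcall */
    if (nr == NR_SOCKETCALL)
        ev = syscall_to_event(socketcall_to_syscall(call));
    return ev;
}

/* Fixed ordering: resolve socketcall to the real syscall number first, then
 * test that number against the interesting-syscalls set. */
event_type record_event_new(const consumer *c, int nr, unsigned call)
{
    if (nr == NR_SOCKETCALL)
        nr = socketcall_to_syscall(call);
    if (nr < 0 || nr >= NR_LIMIT || !test_bit(c->interesting, (unsigned)nr))
        return EV_NONE;
    return syscall_to_event(nr);
}

int main(void)
{
    consumer c;
    subscribe_connect_only(&c);
    printf("x86_64 connect    old=%d new=%d\n",
           record_event_old(&c, NR_CONNECT, 0), record_event_new(&c, NR_CONNECT, 0));
    printf("i386 socketcall   old=%d new=%d\n",
           record_event_old(&c, NR_SOCKETCALL, SC_CONNECT), record_event_new(&c, NR_SOCKETCALL, SC_CONNECT));
    return 0;
}
```

With only connect subscribed, the direct x86_64 connect is recorded by both orderings, while the i386 socketcall(SYS_CONNECT) is dropped by the old ordering and recorded as the connect event by the new one; a socketcall(SYS_BIND) is correctly dropped by the new ordering because bind is not in the interesting set.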

chkp-egorn commented 1 year ago

Hi @FedeDP. Could you please tell which sysdig version is going to include those updates with syscall mask and when it's going to be released?

FedeDP commented 1 year ago

So, I opened a new PR to improve the kmod code around socketcall (and it eventually became a bigger refactor indeed): https://github.com/falcosecurity/libs/pull/1046.

You can expect a new driver tag in time for Falco 0.35 (end of May); but, since sysdig OSS has a completely unrelated release time frame, the new release can happen at any time. My guess is that it will get released right after Falco 0.35, therefore you can expect a release with these fixes around June.

Andreagit97 commented 10 months ago

This should be fixed in Falco

FedeDP commented 10 months ago

/milestone driver-backlog

FedeDP commented 10 months ago

I think this is now tracking the same issue as #279 right? We can close this one in favor of the other?

Also, note that I opened a PR to support ia32 syscalls in the bpf drivers: #1196. We haven't got the bandwidth to properly review and test it during this release cycle, therefore the new feature will be part of the Falco release after the next one, i.e. Falco 0.37.

Andreagit97 commented 10 months ago

Hmm, actually this was an issue you solved here: https://github.com/falcosecurity/libs/pull/1046. Here we are not requiring full support for 32-bit syscalls in all the drivers; it was just a regression.

FedeDP commented 10 months ago

Yep, I think we can close this one as solved too.

Andreagit97 commented 10 months ago

Yeah, I asked @therealbobo to check it on OSS sysdig before closing it :)

therealbobo commented 10 months ago

LGTM! I just checked, and the 32-bit socket syscall events (connect, bind, socket, ...) with the kmod are correctly received by OSS sysdig 😄 cc @Andreagit97

FedeDP commented 10 months ago

/close

poiana commented 10 months ago

@FedeDP: Closing this issue.

In response to [this](https://github.com/falcosecurity/libs/issues/1045#issuecomment-1705579833):

> /close