Closed chkp-egorn closed 10 months ago
Hi! 32bit support is a well known limitation of our eBPF drivers. There is a tracking issue here: #279 .
In this case, since you are talking about the kmod, it should work. Therefore this is actually a new bug. Indeed, this should be fixed in master since we now use the syscall number to filter (and not the event type). See it here: https://github.com/falcosecurity/libs/blob/master/driver/main.c#L1792
But, thanks to you, we actually found a small bug: the socketcall
resolved syscalls were not tested against syscalls interesting set on kmod.
I am going to open a PR to fix this!
Hi @FedeDP. Could you please tell which sysdig version is going to include those updates with syscall mask and when it's going to be released?
So, i opened a new PR to improve kmod code around socketcall (and eventually became a bigger refactor indeed): https://github.com/falcosecurity/libs/pull/1046.
You can expect a new driver tag in time for Falco 0.35 (end of may); but, since sysdig OSS has a completely unrelated release time frame, the new release can happen at any time. My guess is that it will get released right after Falco 0.35, therefore you can expect a release with these fixes around June.
This should be fixed in Falco
/milestone driver-backlog
I think this is now tracking the same issue as #279 right? We can close this one in favor of the other?
Also, note that i opened a PR to support ia32 syscalls in bpf drivers: #1196 We haven't got the bandwidth to properly review and test it during this release cycle, therefore the new feature will be part of the Falco release after the next one, ie: Falco 0.37.
uhm actually this was an issue you solved here https://github.com/falcosecurity/libs/pull/1046... Here we are not requiring full support for 32 bits syscalls in all the drivers, it was just a regression
Yep, i think we can close this one as solved too.
yeah i asked @therealbobo to check it on OSS sysdig before closing it :)
LGTM! I just checked and the socket 32-bit syscall events (connect, bind, socket, ...) with the kmod are correctly received by OSS sysdig 😄 cc @Andreagit97
/close
@FedeDP: Closing this issue.
Describe the bug
I've been testing driver+libscap separately from sysdig and subscribed only to a subset of syscalls (not all of them like sysdig does). When a 32 bit executable is running, the events from socket syscalls are missing. I've made some research and found out that the problem is in
driver/src/main.c
'srecord_event_consumer()
function. (Considerconnect
syscall as I've been testing with it mostly). Basically, the function receives events forconnect
, but on 32 bit system they appear asPPME_GENERIC_E/X
and later on they're extended inparse_socketcall()
function toPPME_SOCKET_CONNECT_E/X
events. The problem is thatPPME_GENERIC_E/X
is not set in theevents_mask
, got rejected bytest_bit()
function and events couldn't get a chance to be parsed properly.Tested it on Ubuntu 18.04 and CentOS 7.9
How to reproduce it
Compile simple 32 bit executable:
apt-get install libc6-dev-i386 && cd /usr/include && ln -s x86_64-linux-gnu/asm/ asm
yum install -y glibc.i686 glibc-devel.i686 libgcc.i686
gcc -m32 test_connect.c -o test_connect
Simple executable link (markdown in the ticket breaks)
Modify sysdig to subscribe only to
connect
syscall:userspace/sysdig/utils/sinsp_opener.cpp
sysdig evt.type=connect
Run 32 bit executable
test_connect
Expected behaviour
Events for
connect
syscall should be parsed and appear in sysdig outputScreenshots
Compiled two versions of program, run them with modified sysdig. 32 bit version hasn't given any events, while 64 bit showed proper results
Environment
Falco version: sysdig version 0.30.1 falco libs version: 0.9.1 scap version: 3.0.1+driver
System info: Not sure, how to build
falco
utilityCloud provider or hardware configuration: VMWare virtual machines: Ubuntu 18.04 and CentOS 7.9
OS:
Kernel: Ubuntu 18.04: 5.4.0-137-generic # 154~18.04.1-Ubuntu SMP Tue Jan 10 16:58:20 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux CentOS 7.9: 3.10.0-1160.81.1.el7.x86_64 # 1 SMP Fri Dec 16 17:29:43 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Installation method:
From source
Additional context