Closed NitroCao closed 8 months ago
This is a great catch; thank you very much for spending the time to discover this issue. Would you be open to patch it through a PR? We are approaching a 0.36.2 patch release for Falco; this fix would be great!
/milestone 0.13.4
Describe the bug

https://github.com/falcosecurity/libs/blob/56b6e591cf8bf6849c27adfccc1557835daa1529/userspace/libscap/engine/bpf/scap_bpf.c#L118-L135
https://github.com/falcosecurity/libs/blob/56b6e591cf8bf6849c27adfccc1557835daa1529/userspace/libscap/engine/bpf/attached_prog.c#L215-L224

In the current code, `alloc_handle()` doesn't initialize `engine->m_attached_progs[j].efd` to `-1`, which leads to `detach_bpf_prog()` unexpectedly closing those file descriptors which are equal to `0`.

How to reproduce it

The bug was first found in the latest version of Falco. Falco monitors the directories storing rules using inotify and reloads rules automatically when modifications are made. To reproduce this bug, just run the latest version of Falco and modify the rules specified in the configuration file. Falco restarts and reloads rules the first time. Then we get the error message `Failed read with inotify handler, shutting down watcher...` and the monitor doesn't work anymore; Falco won't reload rules if we make any further modification. If we check the entries in `/proc/[PID]/fd`, we can't find any inotify file descriptor.

Expected behaviour
Screenshots
Environment
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8" REDHAT_BUGZILLA_PRODUCT_VERSION=8.8 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="8.8"
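The descriptor mix-up described in the report, as an added stand-alone illustration (not libscap code): `struct attached_prog`, `alloc_buggy()`, `alloc_fixed()`, `detach_all()` and `fd0_survives_detach()` are assumed names standing in for `engine->m_attached_progs`, `alloc_handle()` and `detach_bpf_prog()`. Descriptor 0 is made to hold an unrelated open file, playing the role of Falco's inotify descriptor.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for one entry of engine->m_attached_progs. */
#define NPROGS 4

struct attached_prog {
    int fd;    /* bpf program fd */
    int efd;   /* perf event fd; -1 means "nothing attached" */
};

/* Buggy allocation: the array is only zeroed (as calloc would), so every
 * efd is 0, which is a perfectly valid file descriptor number. */
static void alloc_buggy(struct attached_prog progs[NPROGS]) {
    memset(progs, 0, sizeof(struct attached_prog) * NPROGS);
}

/* Fixed allocation: mark every slot as not attached. */
static void alloc_fixed(struct attached_prog progs[NPROGS]) {
    for (int i = 0; i < NPROGS; i++) {
        progs[i].fd = -1;
        progs[i].efd = -1;
    }
}

/* Detach loop shaped like the report: close efd unless it is -1. */
static void detach_all(struct attached_prog progs[NPROGS]) {
    for (int i = 0; i < NPROGS; i++) {
        if (progs[i].efd != -1) {
            close(progs[i].efd);
            progs[i].efd = -1;
        }
    }
}

/* Puts an unrelated open file (/dev/null) on descriptor 0, allocates the
 * program table (buggy or fixed), detaches, and reports whether fd 0 is
 * still open: 1 = survived, 0 = closed by the detach loop, -1 = setup error. */
int fd0_survives_detach(int use_fix) {
    struct attached_prog progs[NPROGS];
    int nullfd = open("/dev/null", O_RDONLY);
    if (nullfd < 0 || dup2(nullfd, 0) < 0) return -1;
    if (nullfd != 0) close(nullfd);
    if (use_fix) alloc_fixed(progs); else alloc_buggy(progs);
    detach_all(progs);
    return fcntl(0, F_GETFD) != -1;
}
```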