falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
https://falcosecurity.github.io/libs/
Apache License 2.0

Add args for `sendmmsg` events #1636

Open Biagio-Dipalma opened 5 months ago

Biagio-Dipalma commented 5 months ago

Motivation

Currently, the sendmmsg syscall is supported, but lacks arguments in both exit and entry events. I believe that adding parameters could significantly enhance the visibility of outbound connection events.

Feature

Add params to the sendmmsg events

Andreagit97 commented 5 months ago

Thank you for this! We will try to understand when to schedule this!

oheifetz commented 4 months ago

So basically you would like the sendmmsg to support an array of arguments where every argument is like what sendmsg does, right?

oheifetz commented 4 months ago

I can take it if no one has already started to add this support

Andreagit97 commented 3 months ago

Yes, we would like to have something similar to the sendmsg syscall

    [PPME_SOCKET_SENDMSG_E] = {"sendmsg", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } },
    [PPME_SOCKET_SENDMSG_X] = {"sendmsg", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },

but since there is no need to have some info in the enter event and others in the exit one, I would go with implementing all the info in the exit event, so something like

    [PPME_SOCKET_SENDMMSG_E] = {"sendmmsg", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD, 0},
    [PPME_SOCKET_SENDMMSG_X] = {"sendmmsg", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD, 5, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"data", PT_BYTEBUF, PF_NA}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } },

> I can take it if no one has already started to add this support

Sure! Thank you!

oheifetz commented 3 months ago

@Andreagit97 regarding your post above, do you think that there is no need to push any data to the ringbuf in enter, since the only change between the enter and exit is the fact that on exit the msg_len changes (and this may be important to the user), and on exit all other data can be inserted into the ring?

Andreagit97 commented 3 months ago

Yes, exactly. In the exit event, we have all the syscall parameters + the return value, so it should be enough to collect everything in the exit event, since the enter event doesn't bring any additional value.
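As an added illustration of this point (example code, not from the falcosecurity/libs code base), a small C program that sends a batch of datagrams with one `sendmmsg()` call over a constructed AF_UNIX socketpair: the per-message `msg_len` fields of the `mmsghdr` array are zero when the syscall is entered and are filled in by the kernel on return, next to the return value (the number of messages sent), which is why an exit event carrying the array plus `res` sees everything.

```c
/* Added example, not part of falcosecurity/libs: shows what sendmmsg() carries
 * at entry versus exit. The mmsghdr.msg_len fields are output parameters that
 * are only populated when the syscall returns. */
#define _GNU_SOURCE
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#define NMSGS 3

/* Sends NMSGS datagrams over a socketpair with a single sendmmsg() call.
 * Returns the syscall result (number of messages sent, or -1 on error).
 * msg_len_at_entry receives the sum of msg_len fields before the call
 * (expected 0); msg_len_out receives each msg_len as reported on exit. */
int send_batch(unsigned int msg_len_out[NMSGS], unsigned int *msg_len_at_entry)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;

    /* Constructed payloads of 1, 2 and 3 bytes. */
    static const char *payloads[NMSGS] = { "a", "bb", "ccc" };
    struct iovec iov[NMSGS];
    struct mmsghdr msgs[NMSGS];
    memset(msgs, 0, sizeof(msgs));
    for (int i = 0; i < NMSGS; i++) {
        iov[i].iov_base = (void *)payloads[i];
        iov[i].iov_len = strlen(payloads[i]);
        msgs[i].msg_hdr.msg_iov = &iov[i];
        msgs[i].msg_hdr.msg_iovlen = 1;
        /* msg_len stays 0 here: nothing is known about it at syscall entry. */
    }
    *msg_len_at_entry = msgs[0].msg_len + msgs[1].msg_len + msgs[2].msg_len;

    int res = sendmmsg(sv[0], msgs, NMSGS, 0);

    /* On exit the kernel has written the bytes sent for each message. */
    for (int i = 0; i < NMSGS; i++)
        msg_len_out[i] = msgs[i].msg_len;

    close(sv[0]);
    close(sv[1]);
    return res;
}
```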

poiana commented 3 weeks ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 2 weeks ago

/remove-lifecycle stale

FedeDP commented 1 week ago

@oheifetz are you actively working on this? Otherwise I'd like to tackle it :)

Molter73 commented 2 days ago

Hey @FedeDP and @oheifetz, I don't know if there has been any progress on this, but I find myself in need of getting data from both sendmmsg and recvmmsg, so I'll likely have to implement them myself for testing unless a PR is opened by either of you guys in the near future.

Just letting you know in case you want me to take over the issue.