falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
https://falcosecurity.github.io/libs/
Apache License 2.0

eBPF probes: 32 bit applications support #279

Closed alexburt closed 1 year ago

alexburt commented 2 years ago

Hello, is there a reason why 32-bit syscalls are not supported by the eBPF driver? My test program opens /etc/shadow and normally triggers the alert. But there are no alerts when I compile the program as ELF 32-bit (gcc -m32).

Looks like 32-bit calls are just skipped by the eBPF probe (https://github.com/falcosecurity/libs/blob/master/driver/bpf/probe.c):

if (bpf_in_ia32_syscall()) return 0;

Any reason for that?
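The reporter reproduced the gap by compiling the test program with gcc -m32. The following is an added example, not code from the original issue or from falcosecurity/libs: it reaches the same ia32 compat syscall table from an ordinary 64-bit x86_64 binary by invoking the legacy int 0x80 gate, so the blind spot can be reproduced without a multilib toolchain. The kernel flags the task as being in a compat syscall on that entry path, which is the condition the probe's bpf_in_ia32_syscall() check keys on. Assumptions: Linux on x86_64 with IA32 emulation enabled (the /proc/sys/abi/vsyscall32 existence check used below is a heuristic), the i386 syscall numbers for open/read/close (5/3/6), and MAP_32BIT to keep the path and buffer below 4 GiB, since compat syscalls take 32-bit pointers. The probe file path and its contents in the demo are constructed.

```c
/* Added example (not part of falcosecurity/libs): exercise the ia32 compat
 * syscall path from a plain 64-bit x86_64 Linux binary via `int 0x80`, so the
 * detection gap can be reproduced without an -m32 toolchain. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* i386 syscall numbers (arch/x86/entry/syscalls/syscall_32.tbl). */
#define I386_NR_READ  3
#define I386_NR_OPEN  5
#define I386_NR_CLOSE 6

/* Heuristic (assumption): this sysctl is only registered when the kernel has
 * IA32 emulation enabled; without it `int 0x80` faults instead of syscalling. */
static int ia32_emulation_available(void) {
    return access("/proc/sys/abi/vsyscall32", F_OK) == 0;
}

#if defined(__x86_64__) && defined(__linux__)
/* Legacy 32-bit syscall gate: eax=nr, ebx/ecx/edx=args, result in eax
 * (negative errno on failure, meaningful only in the low 32 bits). */
static long sys32(long nr, long a1, long a2, long a3) {
    long ret;
    __asm__ volatile("int $0x80"
                     : "=a"(ret)
                     : "a"(nr), "b"(a1), "c"(a2), "d"(a3)
                     : "memory", "cc");
    return (long)(int)ret;
}
#endif

/* Open `path` read-only and read up to `len` bytes through the compat (ia32)
 * syscall table. Returns bytes read or -errno; -ENOSYS when the compat path
 * cannot be exercised on this build or kernel. */
long open_read_compat(const char *path, char *buf, size_t len) {
#if defined(__x86_64__) && defined(__linux__)
    if (!ia32_emulation_available())
        return -ENOSYS;
    /* Compat syscalls take 32-bit pointers: the path and the read buffer must
     * live below 4 GiB, which a 64-bit process's stack and PIE data do not. */
    size_t plen = strlen(path) + 1;
    size_t pages = (plen + len + 4095) & ~(size_t)4095;
    char *low = mmap(NULL, pages, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_32BIT, -1, 0);
    if (low == MAP_FAILED)
        return -errno;
    char *lowpath = low, *lowbuf = low + plen;
    memcpy(lowpath, path, plen);

    long fd = sys32(I386_NR_OPEN, (long)(uintptr_t)lowpath, O_RDONLY, 0);
    long n = fd;
    if (fd >= 0) {
        n = sys32(I386_NR_READ, fd, (long)(uintptr_t)lowbuf, (long)len);
        if (n > 0)
            memcpy(buf, lowbuf, (size_t)n);
        sys32(I386_NR_CLOSE, fd, 0, 0);
    }
    munmap(low, pages);
    return n;
#else
    (void)path; (void)buf; (void)len;
    return -ENOSYS;
#endif
}

/* Same operation through the native 64-bit syscall table, for comparison. */
long open_read_native(const char *path, char *buf, size_t len) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0)
        return -errno;
    long n = read((int)fd, buf, len);
    int err = errno;
    close((int)fd);
    return n < 0 ? -err : n;
}

/* Write a small probe file so the two paths can be compared on readable data. */
int write_probe_file(const char *path, const char *content) {
    FILE *f = fopen(path, "w");
    if (!f)
        return -errno;
    int ok = fputs(content, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -EIO;
}

int main(int argc, char **argv) {
    const char *target = argc > 1 ? argv[1] : "/etc/shadow";
    char buf[16];
    printf("native open(%s): %ld\n", target, open_read_native(target, buf, sizeof buf));
    printf("compat open(%s): %ld\n", target, open_read_compat(target, buf, sizeof buf));
    return 0;
}
```

Run it as root (or pass a path you can read) while the sensor is loaded and compare which of the two opens it reports; `strace` marks the int 0x80 calls as 32-bit-mode syscalls, which confirms the compat table was really taken. A negative result (-13, EACCES) from both calls as an unprivileged user still means both syscalls reached the kernel.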

FedeDP commented 2 years ago

Hi! I think that the issue with compat syscalls is that we don't really support them; we'd need to implement its support. I think that from a security standpoint, we really need that though! I might work on this in my spare time :)

FedeDP commented 2 years ago

/kind feature

2Bor2C commented 2 years ago

We would be interested in this feature as well. This may be a big security gap.

FedeDP commented 2 years ago

Yep, we know that; that's unfortunate and we must implement its support. I'll try to target 0.33 for this. 0.32 is coming soon and there is not enough time to implement and test it.

Andreagit97 commented 2 years ago

You are right @2Bor2C, we will try to insert it in 0.33

poiana commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 2 years ago

/remove-lifecycle stale

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

FedeDP commented 1 year ago

/remove-lifecycle stale

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Cryptophobia commented 1 year ago

@FedeDP any update on this?

/remove-lifecycle stale

FedeDP commented 1 year ago

Nope :( still need to schedule some time for this!

incertum commented 1 year ago

@alexburt Feature is scheduled for Falco 0.36 release and tracked under Falco issue https://github.com/falcosecurity/falco/issues/2472. According to our new roadmap planning we may have 2 libs releases per one Falco release, therefore the feature may land earlier in libs.

oheifetz commented 1 year ago

Hi, I would like to understand the root cause for why the bpf_in_ia32_syscall check was put there in the first place; I failed to understand it from git blame. 32-bit ARCHes are supported by eBPF. Can you please elaborate on this issue?

incertum commented 1 year ago

@oheifetz - @FedeDP has this item in his queue. The work has not yet started. We will keep everyone updated here if this is ok? Thank you for your patience 🙏