Closed Andreagit97 closed 1 year ago
I've noticed that we miss 3 other important syscalls that for some reason are never compiled according to our compact files
Moreover, there are some syscalls that should never be compiled unless you compile libs on some particular machines:
As you can notice they are all 64/32 bit versions of already implemented syscalls. Let's say that they are low-priority and very easy to implement, we can keep them as a last step to reach full parity :)
I've noticed that we miss 3 other important syscalls that for some reason are never compiled according to our compact files
It seems like they're not present on x86: https://marcin.juszkiewicz.com.pl/download/tables/syscalls.html!
I am not sure how to proceed; they exist on other architectures. In syscalls bumper, I assumed that "x86_64" always had the largest possible set; I think we might have to fix that.
yeah, it seems that none of our 3 supported architectures defines them :/
As you can notice they are all 64/32 bit versions of already implemented syscalls. Let's say that they are low-priority and very easy to implement, we can keep them as a last step to reach full parity :)
Looks like they are only available when the kernel is built without CONFIG_64BIT (for s390x the syscall table is here). For s390x, 32/31-bit support was removed a while ago and CONFIG_64BIT is the default now. So I think I would consider this also low-priority unless there are use cases I am not aware of.
Hey all, in the next days I will take care of implementing the following syscalls:
writev
pwrite64
pwritev
I post it here so we avoid implementing the same syscalls twice, since now we have different folks from the community working on it (thank you very much @dwindsor @loresuso @hbrueckner :tada: )
Now we can finally say that the modern probe reached full syscall parity :tada: To be honest, we still miss some syscalls, but they are never compiled on our architectures, so we can also implement them in a second step.
BTW I would keep this issue open until we also implement these corner cases :)
Great news! 🥳
Heroic effort from multiple people! Thank you very much to everyone involved! Let me thank Andrea specifically for his huge work on the modern bpf architecture, programs (attached and tail called) and testing framework. Superb work!
Collected the remaining points into #1004, we can close this :) /close
Feature
Right now the modern BPF probe supports only a subset of the syscalls supported by the current one, the so-called "simple set". You can check here the supported syscalls :point_down:
https://github.com/falcosecurity/libs/issues/513
Missing syscalls = 56
There are some syscalls that should never be compiled unless you compile libs on some particular machines (kernel built without CONFIG_64BIT):
As you can notice they are all 64/32 bit versions of already implemented syscalls. Let's say that they are low-priority and very easy to implement, we can keep them as a last step to reach full parity :)
We also need to implement the generic one, but this should be quite easy to do:
Missing tracepoints: