falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
https://falcosecurity.github.io/libs/
Apache License 2.0

[FEATURE] Missing syscalls modern BPF probe #723

Closed Andreagit97 closed 1 year ago

Andreagit97 commented 1 year ago

Feature

Right now the modern BPF probe supports only a subset of the syscalls supported by the current one, the so-called "simple set". You can check the supported syscalls here :point_down:

https://github.com/falcosecurity/libs/issues/513

Missing syscalls = 56

There are some syscalls that should never be compiled unless you compile libs on some particular machines (kernel built without CONFIG_64BIT):

As you can see, they are all 64/32-bit versions of already implemented syscalls. Let's say that they are low-priority and very easy to implement; we can keep them as a last step to reach full parity :)

We also need to implement the generic one, but this should be quite easy to do:

Missing tracepoints:

Andreagit97 commented 1 year ago

I've noticed that we are missing 3 other important syscalls that, for some reason, are never compiled according to our compat files

Andreagit97 commented 1 year ago

Moreover, there are some syscalls that should never be compiled unless you compile libs on some particular machines:

As you can see, they are all 64/32-bit versions of already implemented syscalls. Let's say that they are low-priority and very easy to implement; we can keep them as a last step to reach full parity :)

FedeDP commented 1 year ago

I've noticed that we are missing 3 other important syscalls that, for some reason, are never compiled according to our compat files

It seems like they're not present on x86: https://marcin.juszkiewicz.com.pl/download/tables/syscalls.html!

I am not sure how to proceed; they exist on other architectures. In syscalls bumper, I assumed that "x86_64" always had the largest possible set; I think we might have to fix that.

Andreagit97 commented 1 year ago

Yeah, it seems that none of our 3 supported architectures defines them :/

hbrueckner commented 1 year ago

As you can see, they are all 64/32-bit versions of already implemented syscalls. Let's say that they are low-priority and very easy to implement; we can keep them as a last step to reach full parity :)

Looks like they are only available when the kernel is built without CONFIG_64BIT (for s390x the syscall table is here). For s390x, 32/31-bit support was removed a while ago and CONFIG_64BIT is the default now. So I would also consider this low-priority unless there are use cases I am not aware of.

Andreagit97 commented 1 year ago

Hey all, in the next days I will take care of implementing the following syscalls:

I'm posting it here so we avoid implementing the same syscalls twice, since we now have different folks from the community working on it (thank you very much @dwindsor @loresuso @hbrueckner :tada:)

Andreagit97 commented 1 year ago

Now we can finally say that the modern probe has reached full syscall parity :tada: To be honest, we still miss some syscalls, but they are never compiled on our architectures, so we can also implement them in a second step.

Andreagit97 commented 1 year ago

BTW, I would keep this issue open until we also implement these corner cases :)

loresuso commented 1 year ago

Great news! 🥳

FedeDP commented 1 year ago

Heroic effort from multiple people! Thank you very much to everyone involved! Let me thank Andrea specifically for his huge work on the modern BPF architecture, programs (attached and tail-called), and testing framework. Superb work!

Andreagit97 commented 1 year ago

Collected the remaining points into #1004, so we can close this :) /close