Describe the bug
Process events are not reported when using execveat syscall on s390x architecture (tested on 0.6.1-rc1).
To reproduce
Steps to reproduce the behavior:
1. compile the following tester program (gcc execveat.c -o execveat):

#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
// Adapted from "Bypass Falco" presentation (Leonardo Di Donato)
// Note: execveat was introduced in Linux kernel v3.19
int main() {
    int dirfd = open("/usr/bin/echo", O_RDONLY);
    const char* pathname = "";
    const char* argv[] = { "echo", "test_arg1", "test_arg2", "test_arg3", "test_arg4", "test_arg5", NULL };
    const char* envp[] = { NULL };
    // AT_EMPTY_PATH with an empty pathname executes the file referred to by dirfd
    unsigned int flags = AT_EMPTY_PATH;
    int rc = syscall( SYS_execveat, dirfd, pathname, argv, envp, flags);
    // Reached only if execveat failed
    printf("errno: %d\n", errno);
    return rc;
}

2. run callback example
3. run execveat program
Expected behavior
The /usr/bin/echo process events should be reported, indicating execveat as parent.
Environment (please complete the following information):
OS: Ubuntu 22.04.3 LTS
Linux ztest5 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:49 UTC 2023 s390x s390x s390x GNU/Linux
SysFlow version: 0.6.1-rc1
Additional context
Similar behavior with this other sample (execveat_no_args):
#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
// Adapted from "Bypass Falco" presentation (Leonardo Di Donato)
// Note: execveat was introduced in Linux kernel v3.19
int main() {
    int dirfd = open("/usr/bin/ls", O_RDONLY);
    const char* pathname = "";
    const char* argv[] = { "", NULL };
    const char* envp[] = { NULL };
    // AT_EMPTY_PATH with an empty pathname executes the file referred to by dirfd
    unsigned int flags = AT_EMPTY_PATH;
    int rc = syscall( SYS_execveat, dirfd, pathname, argv, envp, flags);
    // Reached only if execveat failed
    printf("errno: %d\n", errno);
    return rc;
}
Files
Logs from callback example below.
execveat:
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692139, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 2692139, OpFlags: 9344, OpenFlags 4097, FD 4
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692139, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692139, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /usr/bin/echo
File Flow: TID 2692139, OpFlags: 2176, OpenFlags 2049, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692139, OpFlags 4, Ret 0
****************************************************************
execveat_no_args:
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692140, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 2692140, OpFlags: 9344, OpenFlags 4097, FD 4
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692140, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692140, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /usr/bin/ls
File Flow: TID 2692140, OpFlags: 2176, OpenFlags 2049, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692140, OpFlags 4, Ret 0
****************************************************************
Indicate project libsysflow
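
A coverage check for the gap shown in the logs above, as an added example (not part of the original report and not SysFlow code): it parses callback-example output and flags a PID that opened a binary for which no exec process event was ever reported. It assumes the exec bit in OpFlags is 2, which the page does not define; the `EXPECTED` record is constructed and the function names are hypothetical.

```python
import re

OP_EXEC = 0x2  # assumption: SysFlow's exec opflag bit; the page does not define OpFlags
SEP = "*" * 64 + "\n"

def parse_records(text):
    """Split callback-example output into one dict per '*'-delimited record."""
    records = []
    for chunk in re.split(r"^\*{10,}$", text, flags=re.M):
        proc = re.search(r"Process: PID (\d+) .*?Exe ([^,\s]+),", chunk)
        if not proc:
            continue  # separator residue or a layout this parser does not know
        rec = {"pid": int(proc.group(1)), "exe": proc.group(2), "opflags": None, "path": None}
        evt = re.search(r"Proc Evt: TID \d+, OpFlags (\d+), Ret (-?\d+)", chunk)
        if evt:
            rec["opflags"], rec["ret"] = int(evt.group(1)), int(evt.group(2))
        path = re.search(r"File: Type \d+, Path (\S+)", chunk)
        if path:
            rec["path"] = path.group(1)
        records.append(rec)
    return records

def exec_reported(records, pid, exe):
    """True if a successful process event with the exec bit names `exe` for `pid`."""
    return any(r["pid"] == pid and r["exe"] == exe and r["opflags"] is not None
               and r["opflags"] & OP_EXEC and r["ret"] == 0 for r in records)

def unreported_exec(records, pid, target):
    """The gap in the report: `pid` opened `target` but no exec event names it."""
    opened = any(r["pid"] == pid and r["path"] == target for r in records)
    return opened and not exec_reported(records, pid, target)

def record(exe, body):
    # Rebuilds one record in the layout of the logs above (hypothetical helper).
    return (SEP + "Header: Exporter , IP , File name\n"
            f"Process: PID 2692139 Creation Time, 1707400137605781579, Exe {exe}, "
            "Exe Args , User Name test, Group Name sysflow, TTY 1\n" + body + SEP)

TESTER = "/home/test/sf-collector/examples/out/execveat"
# Three records copied from the execveat log above: tester exec, open of echo, exit.
HEAD = (record(TESTER, "Proc Evt: TID 2692139, OpFlags 2, Ret 0\n")
        + record(TESTER, "File: Type 102, Path /usr/bin/echo\n"
                         "File Flow: TID 2692139, OpFlags: 2176, OpenFlags 2049, FD 3\n"))
EXIT = record(TESTER, "Proc Evt: TID 2692139, OpFlags 4, Ret 0\n")
OBSERVED = HEAD + EXIT
# Constructed: the record the report expects, modelled on the tester's own exec record.
EXPECTED = HEAD + record("/usr/bin/echo", "Proc Evt: TID 2692139, OpFlags 2, Ret 0\n") + EXIT

if __name__ == "__main__":
    for name, log in (("observed", OBSERVED), ("expected", EXPECTED)):
        print(name, unreported_exec(parse_records(log), 2692139, "/usr/bin/echo"))
```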