Comments (6)
Confirmed.
In f_proc_startupdate() (ppm_fillers.c) we use current->mm to get the command line of the new executable, which doesn't work when execve fails. In that case, it should be possible to just parse the execve arguments and copy the array of strings from userspace. There are similar examples in fs/exec.c in the kernel code.
Any volunteer? :)
from sysdig.
I volunteer!!!
So I have a prototype branch that does this. There's quite a bit of code in fs/exec.c that I'd love to reuse, but it's not exported. Current strategy is to copy it to our driver, possibly simplifying where possible. Is this what we want?
Unfortunately that's the only way we're aware of, which is why code like this:
was never merged into master in the first place. However, parsing the exe from the arguments list should be easier and should not require any locking, making it less bug-prone.
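As an added illustration of the approach the thread settles on (this is not sysdig's driver code and not from any of the comments above), here is a user-space C model of walking the NULL-terminated argv array passed to execve and packing it NUL-separated into a fixed buffer, with caps modelled on the limits fs/exec.c applies (it refuses more than MAX_ARG_STRINGS strings and bounds every string copy). The names pack_argv, packed_args, packed_exe, demo_oversized, the DEMO_* caps and the sample argv are all constructed for this example; in a driver the pointer and string reads would go through get_user/strncpy_from_user, which bounded_copy stands in for here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Caps constructed for the demo (the kernel's own MAX_ARG_STRINGS is far larger);
 * the buffer is kept deliberately small so the truncation path is exercised. */
#define DEMO_MAX_ARG_STRINGS 64
#define DEMO_ARG_BUF_SIZE    64

struct packed_args {
    char     buf[DEMO_ARG_BUF_SIZE]; /* NUL-separated strings, like /proc/<pid>/cmdline */
    size_t   len;                    /* bytes used in buf, separators included */
    unsigned nargs;                  /* number of complete strings stored */
    int      truncated;              /* 1 if the input hit a cap and was cut short */
};

/* Stand-in for a bounded copy from user space (strncpy_from_user in a driver):
 * copies at most dstsz bytes including the terminator, returns the string
 * length on success or -1 if the source did not fit in dstsz bytes. */
static long bounded_copy(char *dst, const char *src, size_t dstsz)
{
    for (size_t i = 0; i < dstsz; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return (long)i;
    }
    return -1;
}

/* Walk a NULL-terminated argv array (NULL argv is treated as empty, as Linux
 * does for execve) and pack it into out. Returns the number of complete
 * strings packed; out->truncated reports whether a cap was hit. */
unsigned pack_argv(const char *const argv[], struct packed_args *out)
{
    memset(out, 0, sizeof(*out));
    if (argv == NULL)
        return 0;
    for (unsigned i = 0; argv[i] != NULL; i++) {
        if (i >= DEMO_MAX_ARG_STRINGS) { out->truncated = 1; break; }
        size_t room = sizeof(out->buf) - out->len;
        if (room == 0) { out->truncated = 1; break; }
        long n = bounded_copy(out->buf + out->len, argv[i], room);
        if (n < 0) {
            /* The string did not fit: keep the partial bytes, but make sure the
             * buffer is terminated so nothing later reads past its end. */
            out->buf[sizeof(out->buf) - 1] = '\0';
            out->len = sizeof(out->buf);
            out->truncated = 1;
            break;
        }
        out->len += (size_t)n + 1; /* count the NUL separator */
        out->nargs++;
    }
    return out->nargs;
}

/* The executable is simply the first packed string (empty if nothing was packed). */
const char *packed_exe(const struct packed_args *p)
{
    return p->len ? p->buf : "";
}

/* Constructed sample input standing in for argv of a failed execve. */
static const char *const sample_argv[] = { "/bin/ls", "-l", "/tmp", NULL };

/* Exercise the truncation path with a constructed oversized argument.
 * Returns 1 when the packer stopped cleanly with a terminated buffer. */
int demo_oversized(void)
{
    char big[DEMO_ARG_BUF_SIZE + 20];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    const char *const av[] = { "/usr/bin/true", big, "tail", NULL };
    struct packed_args p;
    pack_argv(av, &p);
    return p.truncated == 1 && p.nargs == 1 && p.len == sizeof(p.buf)
        && p.buf[sizeof(p.buf) - 1] == '\0'
        && strcmp(p.buf, "/usr/bin/true") == 0;
}

int main(void)
{
    struct packed_args p;
    pack_argv(sample_argv, &p);
    printf("%u args, %zu bytes, truncated=%d, exe=%s\n",
           p.nargs, p.len, p.truncated, packed_exe(&p));
    printf("oversized argument handled cleanly: %d\n", demo_oversized());
    return 0;
}
```

The point of the fixed buffer and the explicit truncated flag is that a failed execve leaves the argument strings entirely under the caller's control, so the reader of the packed buffer must never trust that a string is terminated or that the array is short; the packer terminates the buffer itself on every exit path and records that data was dropped rather than silently producing a plausible-looking command line.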
OK. I have a fix. Due to #352 I tested this on an older release, not on the dev branch. In the areas the code touches they don't differ, so I imagine it works in dev too. The tested tree is at https://github.com/dkogan/sysdig/tree/failed_execve_print_master and the untested dev-rebased tree is at https://github.com/dkogan/sysdig/tree/failed_execve_print_dev
One aspect I'm unsure about is what to do with args->event_type. I don't know what the difference is between PPME_SYSCALL_EXECVE_8_X and PPME_SYSCALL_EXECVE_13_X and so on. So I report exe,args only for 8,13,14 (dev branch has more but I'm not testing for them) and env only for 14 or 16 (whatever the code that was already there is doing). And I'm not doing any of this for clone()
So #352 appears to not actually be a problem, so I'm now focusing only on the dev branch. I just deleted my failed_execve_print_master branch, and pushed a small correction to failed_execve_print_dev
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.