execveat process events not reported on s390x architecture #122

Open
gentooise opened this issue Feb 8, 2024 · 0 comments
Labels: bug (Something isn't working)

gentooise commented Feb 8, 2024

Indicate project
libsysflow

Describe the bug
Process events are not reported when using execveat syscall on s390x architecture (tested on 0.6.1-rc1).

To reproduce
Steps to reproduce the behavior:

  1. compile the following tester program (gcc execveat.c -o execveat):

#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

// Adapted from "Bypass Falco" presentation (Leonardo Di Donato)
// Note: execveat was introduced in Linux kernel v3.19

int main(void) {
    // Open the target binary and exec it by file descriptor: with an empty
    // pathname and AT_EMPTY_PATH, execveat() runs the file that dirfd refers
    // to, so no path string is passed to the exec syscall itself.
    int dirfd = open("/usr/bin/echo", O_RDONLY);
    if (dirfd < 0) {
        perror("open");
        return 1;
    }
    const char* pathname = "";
    const char* argv[] = { "echo", "test_arg1", "test_arg2", "test_arg3", "test_arg4", "test_arg5", NULL };
    const char* envp[] = { NULL };
    unsigned int flags = AT_EMPTY_PATH;
    // On success execveat() does not return: the process image is replaced by /usr/bin/echo
    int rc = syscall(SYS_execveat, dirfd, pathname, argv, envp, flags);
    // Reached only if the exec failed
    printf("errno: %d\n", errno);
    return rc;
}
  2. run callback example
  3. run execveat program

Expected behavior
The /usr/bin/echo process events should be reported, indicating execveat as parent.

Environment (please complete the following information):

  • OS: Ubuntu 22.04.3 LTS
  • Linux ztest5 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:49 UTC 2023 s390x s390x s390x GNU/Linux
  • SysFlow version: 0.6.1-rc1

Additional context
Similar behavior with this other sample (execveat_no_args):

#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

// Adapted from "Bypass Falco" presentation (Leonardo Di Donato)
// Note: execveat was introduced in Linux kernel v3.19

int main(void) {
    // Same technique as above, but the exec'd program gets an empty argv[0]
    // and no further arguments
    int dirfd = open("/usr/bin/ls", O_RDONLY);
    if (dirfd < 0) {
        perror("open");
        return 1;
    }
    const char* pathname = "";
    const char* argv[] = { "", NULL };
    const char* envp[] = { NULL };
    unsigned int flags = AT_EMPTY_PATH;
    // On success execveat() does not return: the process image is replaced by /usr/bin/ls
    int rc = syscall(SYS_execveat, dirfd, pathname, argv, envp, flags);
    // Reached only if the exec failed
    printf("errno: %d\n", errno);
    return rc;
}

Files
Logs from callback example below.

execveat:

****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692139, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 2692139, OpFlags: 9344, OpenFlags 4097, FD 4
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692139, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692139, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /usr/bin/echo
File Flow: TID 2692139, OpFlags: 2176, OpenFlags 2049, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692139, OpFlags 4, Ret 0
****************************************************************

execveat_no_args:

****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692140, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 2692140, OpFlags: 9344, OpenFlags 4097, FD 4
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692140, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692140, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /usr/bin/ls
File Flow: TID 2692140, OpFlags: 2176, OpenFlags 2049, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692140, OpFlags 4, Ret 0
****************************************************************
@gentooise gentooise added the bug Something isn't working label Feb 8, 2024
@gentooise gentooise changed the title execveat process events not reported execveat process events not reported on s390x architecture Feb 8, 2024
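As an added example (this is not code from the issue above or from the SysFlow project): the report shows that the fd-based execveat path can slip past a collector that only watches execve, so a practitioner checking telemetry coverage wants to drive the same harmless target through every exec entry point and confirm an exec event appears for each. The harness below forks a child per variant (execve with a full path, execveat on an open fd with AT_EMPTY_PATH, execveat with a directory fd and a relative name) and returns the child's exit status to the caller, which makes it usable both interactively and from a test. It assumes Linux 3.19 or later and that /bin/true and /bin/false exist; `run_variant`, `do_exec` and the variant names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The exec entry points a process-event collector has to cover
 * (names are this example's own, not SysFlow's). */
enum exec_variant {
    EXEC_VIA_EXECVE,         /* execve(2) with a full path                              */
    EXEC_VIA_FD,             /* execveat(2) on an open fd, empty pathname, AT_EMPTY_PATH */
    EXEC_VIA_DIRFD_RELATIVE, /* execveat(2) with a directory fd and a relative name      */
    EXEC_VARIANT_COUNT
};

static const char *variant_name(enum exec_variant v)
{
    switch (v) {
    case EXEC_VIA_EXECVE:         return "execve(path)";
    case EXEC_VIA_FD:             return "execveat(fd, \"\", AT_EMPTY_PATH)";
    case EXEC_VIA_DIRFD_RELATIVE: return "execveat(dirfd, name, 0)";
    default:                      return "?";
    }
}

/* Runs in the child. Returns only if the exec itself failed. */
static int do_exec(enum exec_variant v, const char *dir, const char *base,
                   char *const argv[], char *const envp[])
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, base);

    switch (v) {
    case EXEC_VIA_EXECVE:
        return execve(path, argv, envp);
    case EXEC_VIA_FD: {
        /* Deliberately no O_CLOEXEC: execveat(2) documents that a script
         * opened with O_CLOEXEC cannot be run this way (ENOENT). ELF targets
         * are unaffected either way. */
        int fd = open(path, O_RDONLY);
        if (fd < 0)
            return -1;
        return (int)syscall(SYS_execveat, fd, "", argv, envp, AT_EMPTY_PATH);
    }
    case EXEC_VIA_DIRFD_RELATIVE: {
        int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
        if (dirfd < 0)
            return -1;
        return (int)syscall(SYS_execveat, dirfd, base, argv, envp, 0);
    }
    default:
        errno = EINVAL;
        return -1;
    }
}

/* Forks, execs dir/base through variant v, and returns the child's exit
 * status: the target's own status when it ran, 127 when the exec failed,
 * -1 when fork/wait failed or the child was killed by a signal. */
int run_variant(enum exec_variant v, const char *dir, const char *base)
{
    char *const argv[] = { (char *)base, NULL };
    char *const envp[] = { NULL };
    int status = 0;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        do_exec(v, dir, base, argv, envp);
        _exit(127); /* only reached when the exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Run /bin/true through every variant while the collector is running;
     * each run should yield an exec event whose exe is /bin/true. */
    for (int v = 0; v < EXEC_VARIANT_COUNT; v++) {
        int rc = run_variant((enum exec_variant)v, "/bin", "true");
        printf("%-36s -> child exit status %d%s\n",
               variant_name((enum exec_variant)v), rc,
               rc == 127 ? " (exec failed)" : "");
    }
    return 0;
}
```

Run it with the collector's callback example attached and compare the number of exec events for `true` against the three variants: a missing event for the `EXEC_VIA_FD` row is the symptom this issue describes. The exit-status convention (127 for a failed exec) is borrowed from the shell so that a target that could not be started is distinguishable from one that ran and failed.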