-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add inum (mount namespace id) for clone, unshare, mount, umount, umount2, open, openat, openat2 #1919
Comments
By the way. We read information from /proc/self/mountinfo because it is the only place where shared subtrees information exists in user space (https://man7.org/linux/man-pages/man7/mount_namespaces.7.html#SHARED_SUBTREES). In this case when we see mount or umount syscalls we can changes not only information in original mount point, but also in other mount point dependent on relationships between this namespaces. |
As an alternative to monitoring all mount point state it is also just possible to put filesystem type for open, openat, openat2 syscalls? As I can see there are already get_fd_dev_ino method with get ino an dev for some reason. And getting sb->s_type->name can be useful for customers as well? |
Is it a chance that this can be implemented? |
ei @albe19029 thank you for the request! Regarding the mount namespace ID, at the moment, I don't see a widespread use case for our libraries, even if I see the value in having it. On the other side, the filesystem type is something we were already considering adding, so yes this is something that could happen, but I can't give you an ETA right now. I will put the milestone TBD ("To be defined") to mark this as a meaningful request but without a precise ETA. BTW thank you for the feature request it definitely makes sense /milestone TBD |
Thanks a lot. Adding filesystem type to open syscalls (sb->s_type->name) will be enough. As s_dev from mountinfo is already there, and monitoring mountinfo only need for us to get filesystem type. |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
Good day. In our application that use your driver sometimes we need additional information from mountinfo file. We need information both for host and containers.
What we want is to enter every mount namespace once and read information from it. And then with monitoring mount and umount events just to maintain this in memory. The problem is that for now in mount and umount events from driver we don't see for what namespace this operations are executed.
Maybe it is possible to add task->nsproxy->mnt_ns->ns->inum to clone, unshare, mount, umount, umount2, open, openat, openat2 events. In this case we will see every operation with mount namespace (create: clone, unshare with CLONE_NEWNS, change: mount, umount, umount2) and provide additional information about filesystem on every file open access.
The text was updated successfully, but these errors were encountered: