[LIBS PLUGINS] Accessors to libs state tables fields - 2 #1944

Open
7 tasks
incertum opened this issue Jul 2, 2024 · 4 comments
Labels: kind/feature (New feature or request), lifecycle/rotten

Comments

incertum (Contributor) commented Jul 2, 2024

See the previous issue #1712.
This issue is to track obtaining access to additional critical libs state data.

The approach will be similar to the recent extensions regarding how to access the proc args and fd tables.


  • user & group info
falcosecurity::table_field m_uid
falcosecurity::table_field m_user
falcosecurity::table_field m_loginuid
falcosecurity::table_field m_loginuser
  • capabilities
falcosecurity::table_field m_cap_permitted
falcosecurity::table_field m_cap_inheritable
falcosecurity::table_field m_cap_effective
  • container data
  • uint32_t sinsp_threadinfo::m_flags flags
  • libs lastevent_fd_field per thread cache instance mtinfo
falcosecurity::table_field m_lastevent_fd_field

// Maybe while here just open up all of them
int64_t m_lastevent_fd; ///< The FD of the last event used by this thread.
uint64_t m_lastevent_ts; ///< timestamp of the last event for this thread.
uint64_t m_prevevent_ts; ///< timestamp of the event before the last for this thread.
uint64_t m_lastaccess_ts; ///< The last time this thread was looked up. Used when cleaning up the table.
uint64_t m_clone_ts; ///< When the clone that started this process happened.
uint64_t m_lastexec_ts; ///< The last time exec was called

fdinfo - Make all members accessible

  • scap_fd_type m_type
falcosecurity::table_field m_fd_type_value;
  • sinsp_sockinfo m_sockinfo
falcosecurity::table_field m_fd_sockinfo_value;

This will be a challenging task due to the numerous custom sub-data structures we have. However, without access to these structures, we are unable to support most of the network-related fd.* filtercheck fields through custom logic within a syscalls plugin.

union sinsp_sockinfo
{
	ipv4tuple m_ipv4info; ///< The tuple if this is an IPv4 socket.
	ipv6tuple m_ipv6info; ///< The tuple if this is an IPv6 socket.
	ipv4serverinfo m_ipv4serverinfo;  ///< Information about an IPv4 server socket.
	ipv6serverinfo m_ipv6serverinfo; ///< Information about an IPv6 server socket.
	unix_tuple m_unixinfo; ///< The tuple if this is a unix socket.
};
...

Additional random comments:

  • Uncertain how we would or could access the corresponding enter event, if applicable.
  • How do we get the main thread?

TBD what other data structures shall be made accessible.
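The sockinfo union above is the crux of the fdinfo part of this request: which member is live is only known from the fd type, so a syscalls plugin that wants to compute fd.*-style network fields needs both the type discriminator and the raw tuple, and must dispatch on the type before reading any member (reading the wrong member is a type confusion, not a harmless empty value). The following is an added, self-contained illustration of that dispatch; it is not falcosecurity/libs or plugin SDK code. The enum values, struct layouts and field names are simplified assumptions that stand in for scap_fd_type, ipv4tuple, ipv6tuple, ipv4serverinfo and unix_tuple; the real libs types differ, and the sample entries are constructed, not captured state.

```cpp
// Added example, not falcosecurity/libs code. Models computing fd.rip /
// fd.rport / fd.lport-style values from a type-discriminated socket union.
// All layouts, enum values and names here are simplified assumptions.
#include <cstdint>
#include <cstdio>
#include <string>

// Assumed discriminator standing in for scap_fd_type (values hypothetical).
enum class fd_type : uint8_t {
    unknown   = 0,
    ipv4_sock = 1,   // connected IPv4 socket: full 4-tuple
    ipv6_sock = 2,   // connected IPv6 socket: full 4-tuple
    ipv4_serv = 3,   // listening IPv4 socket: local address only
    unix_sock = 4    // unix domain socket: kernel pointers, no IP
};

// Simplified stand-ins for the libs tuple structs (assumed layouts).
struct ipv4tuple      { uint8_t sip[4];  uint8_t dip[4];  uint16_t sport; uint16_t dport; };
struct ipv6tuple      { uint8_t sip[16]; uint8_t dip[16]; uint16_t sport; uint16_t dport; };
struct ipv4serverinfo { uint8_t ip[4];   uint16_t port; };
struct unix_tuple     { uint64_t source; uint64_t dest; };

union sockinfo {
    ipv4tuple      ipv4;
    ipv6tuple      ipv6;
    ipv4serverinfo ipv4server;
    unix_tuple     unixinfo;
};

struct fdinfo {
    fd_type  type;   // tells which sockinfo member is live
    sockinfo sock;
};

static std::string ipv4_to_string(const uint8_t a[4]) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
    return buf;
}

// Fully expanded IPv6 text (eight hex groups, no "::" compression) to keep
// the example short; a real plugin would use inet_ntop.
static std::string ipv6_to_string(const uint8_t a[16]) {
    char buf[40];
    std::snprintf(buf, sizeof buf, "%x:%x:%x:%x:%x:%x:%x:%x",
                  (a[0] << 8) | a[1],   (a[2] << 8) | a[3],
                  (a[4] << 8) | a[5],   (a[6] << 8) | a[7],
                  (a[8] << 8) | a[9],   (a[10] << 8) | a[11],
                  (a[12] << 8) | a[13], (a[14] << 8) | a[15]);
    return buf;
}

// Remote IP (fd.rip-style). Empty when the fd has no remote endpoint:
// listening sockets, unix sockets, or a type that is not a socket at all.
std::string fd_rip(const fdinfo& fd) {
    switch (fd.type) {
    case fd_type::ipv4_sock: return ipv4_to_string(fd.sock.ipv4.dip);
    case fd_type::ipv6_sock: return ipv6_to_string(fd.sock.ipv6.dip);
    default:                 return "";   // never touch a union member blindly
    }
}

// Remote port (fd.rport-style); 0 when not applicable.
uint16_t fd_rport(const fdinfo& fd) {
    switch (fd.type) {
    case fd_type::ipv4_sock: return fd.sock.ipv4.dport;
    case fd_type::ipv6_sock: return fd.sock.ipv6.dport;
    default:                 return 0;
    }
}

// Local port (fd.lport-style); also defined for listening sockets.
uint16_t fd_lport(const fdinfo& fd) {
    switch (fd.type) {
    case fd_type::ipv4_sock: return fd.sock.ipv4.sport;
    case fd_type::ipv6_sock: return fd.sock.ipv6.sport;
    case fd_type::ipv4_serv: return fd.sock.ipv4server.port;
    default:                 return 0;
    }
}

// Constructed sample entries (not real captured state).
fdinfo sample_ipv4_client() {
    fdinfo fd{}; fd.type = fd_type::ipv4_sock;
    fd.sock.ipv4 = {{10, 0, 0, 1}, {192, 0, 2, 7}, 51234, 443};
    return fd;
}
fdinfo sample_ipv6_client() {
    fdinfo fd{}; fd.type = fd_type::ipv6_sock;
    fd.sock.ipv6 = {{0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2},
                    {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}, 40000, 53};
    return fd;
}
fdinfo sample_ipv4_listener() {
    fdinfo fd{}; fd.type = fd_type::ipv4_serv;
    fd.sock.ipv4server = {{0, 0, 0, 0}, 8080};
    return fd;
}
fdinfo sample_unix_socket() {
    fdinfo fd{}; fd.type = fd_type::unix_sock;
    fd.sock.unixinfo = {0xffff9a1e1c0d2f00ULL, 0xffff9a1e1c0d3100ULL};
    return fd;
}

int main() {
    const fdinfo c = sample_ipv4_client();
    std::printf("rip=%s rport=%u lport=%u\n", fd_rip(c).c_str(), fd_rport(c), fd_lport(c));
    std::printf("listener rip='%s' lport=%u\n", fd_rip(sample_ipv4_listener()).c_str(),
                fd_lport(sample_ipv4_listener()));
    return 0;
}
```

Every accessor switches on the type first and returns a defined "not applicable" value otherwise; that is the property any plugin-side reimplementation of the fd.* fields would need once both m_type and the sockinfo payload are exposed as table fields.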

@incertum incertum added the kind/feature New feature or request label Jul 2, 2024
@incertum incertum changed the title [LIBS PLUGINS] Accessors to libs state tables fields - 2 (user&group info and containers data) [LIBS PLUGINS] Accessors to libs state tables fields - 2 Aug 17, 2024
incertum (Contributor, Author) commented

@jasondellaluce as requested, attempted to update the initial comment to reflect a more detailed view of pending tasks #1944 (comment). Thanks.

incertum (Contributor, Author) commented
/milestone TBD

/assign @jasondellaluce

poiana (Contributor) commented Nov 15, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana (Contributor) commented Dec 15, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten
