fix(epbf): fix incorrect parsed syscall name #4402
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It looks like this commit just translates from 32bit to 64bit and not the other way around. I don't see anything redundant with this change since we still need to convert back to 32bit syscall id in userspace |
|
We don't need to convert back to 32-bit, the syscall name is derived from the 64-bit syscall ID by looking up the tracee event with that ID, which should be the syscall event. If the syscall ID that comes from eBPF is already 64-bit, the translation returns an unrelated ID. The translation is not from 64-bit back to 32-bit, it is the opposite. |
But then you return the 64bit syscall name, and not the 32bit syscall name. So the solution should be to create a reverse map from 64bit to 32bit and give it as an argument to this function |
|
But 64 to 32 bit mapping is useless, there is nothing we can do with the 32-bit ID as the syscall name is retrieved from the 64-bit counterpart. We could build a mapping of all 32-bit syscall names and that way the correct syscall can be displayed in case translation to 64-bit ID is not possible (which could happen for certain syscalls that only exist on 32-bit). But for now, my point is that currently an incorrect name is displayed, and my change fixes it. |
The correct way to go is to build such a mapping of 32bit syscall ids to their respective names, similar to what we have here for 64bit syscalls: https://github.com/aquasecurity/tracee/blob/main/pkg/events/core_amd64.go#L917 |
I agree that it would be better, but for now we should fix the current issue. My fix does not get rid of any preexisting functionality. |
Commit b21174d introduced syscall ID translation for compat processes in eBPF, which makes the translation in userspace redundant. The redundant translation caused an incorrect syscall name to be displayed.
784d213 to
64a281a
Compare
|
@oshaked1 we're getting this error randomly: https://github.com/aquasecurity/tracee/actions/runs/12677319392/job/35332416412?pr=4414#step:4:1248 You can notice an event without syscall name: {"timestamp":1736364222376986209,"threadStartTime":1736364222359254403,"processorId":0,"processId":11943,"cgroupId":4294967297,"threadId":11952,"parentProcessId":11592,"hostProcessId":11943,"hostThreadId":11952,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"exit_group","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":1432093063,"processEntityId":2631642510,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222377128725,"threadStartTime":1736364222358762711,"processorId":0,"processId":11943,"cgroupId":4294967297,"threadId":11950,"parentProcessId":11592,"hostProcessId":11943,"hostThreadId":11950,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"nanosleep","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":1592680371,"processEntityId":2631642510,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222377232110,"threadStartTime":1736364222358997541,"processorId":1,"processId":11943,"cgroupId":4294967297,"threadId":11951,"parentProcessId":11592,"hostProcessId":11943,"hostThreadId":11951,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":898027561,"processEntityId":2631642510,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222377255421,"threadStartTime":1736364222361007574,"processorId":0,"processId":11943,"cgroupId":4294967297,"threadId":11957,"parentProcessId":11592,"hostProcessId":11943,"hostThreadId":11957,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2288775043,"processEntityId":2631642510,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222393230646,"threadStartTime":1736364222355423457,"processorId":0,"processId":11943,"cgroupId":4294967297,"threadId":11943,"parentProcessId":11592,"hostProcessId":11943,"hostThreadId":11943,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2631642510,"processEntityId":2631642510,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":true}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222398698547,"threadStartTime":1736364222362498002,"processorId":0,"processId":11945,"cgroupId":4294967297,"threadId":11958,"parentProcessId":11592,"hostProcessId":11945,"hostThreadId":11958,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"nanosleep","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":3374576934,"processEntityId":1350474501,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222398698747,"threadStartTime":1736364222355868767,"processorId":1,"processId":11945,"cgroupId":4294967297,"threadId":11945,"parentProcessId":11592,"hostProcessId":11945,"hostThreadId":11945,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"exit_group","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":1350474501,"pr
8000
ocessEntityId":1350474501,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222398784321,"threadStartTime":1736364222363721839,"processorId":0,"processId":11945,"cgroupId":4294967297,"threadId":11962,"parentProcessId":11592,"hostProcessId":11945,"hostThreadId":11962,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":888612201,"processEntityId":1350474501,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222398788381,"threadStartTime":1736364222362781915,"processorId":1,"processId":11945,"cgroupId":4294967297,"threadId":11959,"parentProcessId":11592,"hostProcessId":11945,"hostThreadId":11959,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":302791643,"processEntityId":1350474501,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222400707370,"threadStartTime":1736364222356069177,"processorId":0,"processId":11946,"cgroupId":4294967297,"threadId":11946,"parentProcessId":11592,"hostProcessId":11946,"hostThreadId":11946,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"exit_group","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":265494941,"processEntityId":265494941,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222400714890,"threadStartTime":1736364222357977214,"processorId":1,"processId":11946,"cgroupId":4294967297,"threadId":11947,"parentProcessId":11592,"hostProcessId":11946,"hostThreadId":11947,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"nanosleep","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2453838923,"processEntityId":265494941,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222400772483,"threadStartTime":1736364222363229286,"processorId":0,"processId":11946,"cgroupId":4294967297,"threadId":11961,"parentProcessId":11592,"hostProcessId":11946,"hostThreadId":11961,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2047390068,"processEntityId":265494941,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222400774483,"threadStartTime":1736364222358266908,"processorId":1,"processId":11946,"cgroupId":4294967297,"threadId":11949,"parentProcessId":11592,"hostProcessId":11946,"hostThreadId":11949,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":3986393455,"processEntityId":265494941,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222400839296,"threadStartTime":1736364222358128471,"processorId":1,"processId":11946,"cgroupId":4294967297,"threadId":11948,"parentProcessId":11592,"hostProcessId":11946,"hostThreadId":11948,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":3510061905,"processEntityId":265494941,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222401570619,"threadStartTime":1736364222362999315,"processorId":1,"processId":11945,"cgroupId":4294967297,"threadId":11960,"parentProcessId":11592,"hostProcessId":11945,"hostThreadId":11960,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":1256966897,"processEntityId":1350474501,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":true}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222401570629,"threadStartTime":1736364222360759442,"processorId":0,"processId":11946,"cgroupId":4294967297,"threadId":11956,"parentProcessId":11592,"hostProcessId":11946,"hostThreadId":11956,"hostParentProcessId":11592,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2463790917,"processEntityId":265494941,"parentEntityId":1086590446,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":true}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222402681260,"threadStartTime":1736364222360403776,"processorId":0,"processId":11944,"cgroupId":4294967297,"threadId":11954,"parentProcessId":1,"hostProcessId":11944,"hostThreadId":11954,"hostParentProcessId":1,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"exit_group","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2361549685,"processEntityId":3334569756,"parentEntityId":48428317,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222402736763,"threadStartTime":1736364222360568794,"processorId":0,"processId":11944,"cgroupId":4294967297,"threadId":11955,"parentProcessId":1,"hostProcessId":11944,"hostThreadId":11955,"hostParentProcessId":1,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2511398910,"processEntityId":3334569756,"parentEntityId":48428317,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222402736793,"threadStartTime":1736364222360226888,"processorId":1,"processId":11944,"cgroupId":4294967297,"threadId":11953,"parentProcessId":1,"hostProcessId":11944,"hostThreadId":11953,"hostParentProcessId":1,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"nanosleep","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":770391265,"processEntityId":3334569756,"parentEntityId":48428317,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222402780595,"threadStartTime":1736364222365312832,"processorId":0,"processId":11944,"cgroupId":4294967297,"threadId":11963,"parentProcessId":1,"hostProcessId":11944,"hostThreadId":11963,"hostParentProcessId":1,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2458242117,"processEntityId":3334569756,"parentEntityId":48428317,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":false}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}
{"timestamp":1736364222403354081,"threadStartTime":1736364222355658918,"processorId":0,"processId":11944,"cgroupId":4294967297,"threadId":11944,"parentProcessId":1,"hostProcessId":11944,"hostThreadId":11944,"hostParentProcessId":1,"userId":0,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"ds_writer","executable":{"path":"/actions-runner/_work/tracee/tracee/tests/e2e-inst-signatures/scripts/ds_writer/ds_writer"},"hostName":"ip-10-1-5-162","containerId":"","container":{},"kubernetes":{},"eventId":"6011","eventName":"WRITABLE_DATA_SOURCE","matchedPolicies":[""],"argsNum":1,"returnValue":0,"syscall":"futex","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":3334569756,"processEntityId":3334569756,"parentEntityId":48428317,"args":[{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"exit_code","type":"long","value":0},{"name":"process_group_exit","type":"bool","value":true}],"id":716,"name":"sched_process_exit","returnValue":0}}],"metadata":{"Version":"0.1.0","Description":"Instrumentation events E2E Tests: Writable Data Source Test","Tags":["e2e","instrumentation"],"Properties":{"Category":null,"Severity":null,"Technique":null,"external_id":null,"id":null,"signatureID":"WRITABLE_DATA_SOURCE","signatureName":"Writable Data Source Test"}}}I didn't analise it sufficiently but it might be related. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit b21174d introduced syscall ID translation for compat processes in eBPF, which makes the translation in userspace redundant. The redundant translation caused an incorrect syscall name to be displayed.
Closes #4401