Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[LIBS PLUGINS] Accessors to libs state tables fields - 2 #1944

Open
7 tasks
incertum opened this issue Jul 2, 2024 · 2 comments
Open
7 tasks

[LIBS PLUGINS] Accessors to libs state tables fields - 2 #1944

incertum opened this issue Jul 2, 2024 · 2 comments
Assignees
@jasondellaluce
Labels
kind/feature New feature or request
Milestone
TBD

Comments

@incertum
Copy link
Contributor

incertum commented Jul 2, 2024
edited
Loading

See the previous issue #1712.
This issue is to track obtaining access to additional critical libs state data.

The approach will be similar to the recent extensions regarding how to access the proc args and fd tables.

  • user & group info
falcosecurity::table_field m_uid
falcosecurity::table_field m_user
falcosecurity::table_field m_loginuid
falcosecurity::table_field m_loginuser
  • capabilities
falcosecurity::table_field m_cap_permitted
falcosecurity::table_field m_cap_inheritable
falcosecurity::table_field m_cap_effective
  • container data
  • uint32_t sinsp_threadinfo::m_flags flags
  • libs lastevent_fd_field per thread cache instance mtinfo
falcosecurity::table_field m_lastevent_fd_field

// Maybe while here just open up all of them
int64_t m_lastevent_fd; ///< The FD os the last event used by this thread.
uint64_t m_lastevent_ts; ///< timestamp of the last event for this thread.
uint64_t m_prevevent_ts; ///< timestamp of the event before the last for this thread.
uint64_t m_lastaccess_ts; ///< The last time this thread was looked up. Used when cleaning up the table.
uint64_t m_clone_ts; ///< When the clone that started this process happened.
uint64_t m_lastexec_ts; ///< The last time exec was called

fdinfo - Make all members accesible

  • scap_fd_type m_type
falcosecurity::table_field m_fd_type_value;
  • sinsp_sockinfo m_sockinfo
falcosecurity::table_field m_fd_sockinfo_value;

This will be a challenging task due to the numerous custom sub-data structures we have. However, without access to these structures, we are unable to support most of the network-related fd.* filtercheck fields through custom logic within a syscalls plugin.

union sinsp_sockinfo
{
	ipv4tuple m_ipv4info; ///< The tuple if this an IPv4 socket.
	ipv6tuple m_ipv6info; ///< The tuple if this an IPv6 socket.
	ipv4serverinfo m_ipv4serverinfo;  ///< Information about an IPv4 server socket.
	ipv6serverinfo m_ipv6serverinfo; ///< Information about an IPv6 server socket.
	unix_tuple m_unixinfo; ///< The tuple if this a unix socket.
};
...

Additional random comments:

  • Uncertain how we would or could access the corresponding enter event, if applicable.
  • How do we get the main thread?

TBD what other data structures shall be made accessible.
@incertum incertum added the kind/feature New feature or request label Jul 2, 2024
@incertum incertum changed the title [LIBS PLUGINS] Accessors to libs state tables fields - 2 (user&group info and containers data) [LIBS PLUGINS] Accessors to libs state tables fields - 2 Aug 17, 2024
@incertum
Copy link
Contributor Author

@jasondellaluce as requested attempted to update the initial comment to reflect a more detailed view of pending tasks #1944 (comment). Thanks.

@incertum incertum mentioned this issue Aug 17, 2024
Open
@incertum
Copy link
Contributor Author

/milestone TBD

/assign @jasondellaluce

@poiana poiana added this to the TBD milestone Aug 17, 2024
@incertum incertum mentioned this issue Aug 17, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jasondellaluce jasondellaluce

Labels
kind/feature New feature or request
Projects
None yet
Milestone
TBD
Development

No branches or pull requests
3 participants
@jasondellaluce @incertum @poiana