More ef drop falco #1105
Merged
Compare the driver and libscap event tables and fix any differences:
- Some earlier unlink/unlinkat syscalls were missing the EF_OLD_VERSION flag.
- Infrastructure events have an EC_INTERNAL flag.

Add an additional set of syscalls to be skipped by falco. Summarized, these are:
- getsock*, getpeer*: fetching info on sockets
- getcwd: getting current directory
- pread,pwrite: reading from fds, so should be skipped like read/write
- get,setrlimit: changing process resources. Yes, set is a change, but it's only for the current process and not other processes.
- splice: copying from one fd to another, so skipped like read/write
- get*uid*: getting user information. Note that set*uid is still considered.
- signaldeliver: noting that a process has been signaled
- sem*: semaphore operations
- access: file access, so should be skipped like stat, etc.

Add an additional set of syscalls to be skipped by falco. Summarized, these are:
- time/alarm/times/nanosleep: reading current time
- brk: changing process memory usage
- get*pid/pgrp/pgid/sid/tid/uid/gid/capget: getting process user/group information
- access/ustat/newfstatat: reading file information
- umask: changing default file mask. All opens are still considered.
- setrlimit/getrusage/{u}getrlimit: getting resource usage and changing memory usage for current process.
- getpriority/getscheduler/sched_get...: get current scheduling priority. set... is still considered.
- uname/getcpu/olduname: get kernel info
- fsync/fdatasync: sync file to storage
- mprotect/madvise/mlock/munlock{all}/mremap/mincore: protect/control memory areas
- rt_sig*/pause/signalfd*/eventfd*/sigprocmask/sigpending: signal/event handling
- getcwd: current working directory
- get/listxattr: reading file attributes. set is still considered.
- io_*: async io controls
- exit_group: exiting a process
- remap_file_pages: file mapping
- mq_*: message queue handling
- waitid/waitpid: waiting on other process
- get_robust_list: robust futex handling. set is still considered
- vmsplice: like splice
- getsock*/peer*: getting info on sockets
- sem*/msg*: semaphore/message queue operations. Creating message queues is still considered
- newselect: should be skipped like select/poll/etc.
Also *remove* the EF_DROP_FALCO flag for
- sendto/recvfrom/sendmsg/recvmsg: these were previously changed to allowed
mstemm added a commit to falcosecurity/falco that referenced this pull request on Apr 20, 2018:
Use the new method falco_consider() to determine which events to skip. This centralizes the logic in a single function. This depends on draios/sysdig#1105.
@mattpag, could you take a look at the syscalls I excluded? I tried to be consistent about keeping any syscalls that could modify state outside of the process.
mstemm added a commit to falcosecurity/falco that referenced this pull request on Apr 20, 2018:
Use the new method falco_consider() to determine which events to skip. This centralizes the logic in a single function. This depends on draios/sysdig#1105.
In a few places we look at event flags to consider whether or not to include an event. Centralize this in a method sinsp_evt::falco_consider() which in turn uses static methods falco_consider_{evtnum,syscallid}. The flags that will result in a skipped event are any of:
- EF_SKIPPARSERESET
- EF_UNUSED
- EF_OLD_VERSION
- EF_DROP_FALCO
mstemm force-pushed the more-ef-drop-falco branch from f09e7ad to 8309e9d on April 23, 2018 21:27
mattpag approved these changes on Apr 24, 2018:
lgtm! A few of them may be useful in the future but in that case we will just re-enable them.
mstemm added a commit to falcosecurity/falco that referenced this pull request on Apr 24, 2018:
Use the new method falco_consider() to determine which events to skip. This centralizes the logic in a single function. All events will still be considered if falco was run with -A. This depends on draios/sysdig#1105.
mstemm added a commit to falcosecurity/falco that referenced this pull request on Apr 24, 2018:
* Use better way to skip falco events
  Use the new method falco_consider() to determine which events to skip. This centralizes the logic in a single function. All events will still be considered if falco was run with -A. This depends on draios/sysdig#1105.
* Add ability to specify -A flag in tests
  test attribute all_events corresponds to the -A flag. Add for some tests that would normally refer to skipped events.
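The centralized check described in the "falco_consider()" commit message above, and the -A (all_events) override mentioned in the later falco commits, can be modelled in a few lines. The block below is an added example and is not sysdig or falco code: the four flag names come from this page, but their bit values, the event table, the function names falco_consider_flags/falco_consider_evtnum/count_considered and the choice to treat unknown event numbers as skipped are all constructed for illustration.

```cpp
// Added example, not sysdig/falco code: a minimal model of the centralized
// "should falco consider this event" check from the PR. Flag names follow the
// page; the bit values and the event table are constructed for illustration.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum event_flags : uint32_t {
    EF_NONE           = 0,
    EF_UNUSED         = 1u << 0,  // event number reserved but never emitted
    EF_DROP_FALCO     = 1u << 1,  // falco rules do not need this event
    EF_OLD_VERSION    = 1u << 2,  // superseded by a newer event definition
    EF_SKIPPARSERESET = 1u << 3,  // parser-internal event
};

struct event_info {
    std::string name;
    uint32_t flags;
};

// Constructed event table (not the real driver/libscap table): one entry per
// event number, with flags chosen to mirror the categories discussed in the PR.
static const std::vector<event_info> k_event_table = {
    {"open",       EF_NONE},           // changes state outside the process: keep
    {"read",       EF_DROP_FALCO},     // fd read: skip
    {"getcwd",     EF_DROP_FALCO},     // query-only: skip
    {"setuid",     EF_NONE},           // set*uid is still considered
    {"unlink_old", EF_OLD_VERSION},    // superseded variant: skip
    {"sendto",     EF_NONE},           // EF_DROP_FALCO removed by this PR
    {"reserved",   EF_UNUSED},         // unused slot: skip
    {"parser_evt", EF_SKIPPARSERESET}, // parser-only: skip
};

// Any of these flags causes the event to be skipped unless -A is given.
constexpr uint32_t k_skip_mask =
    EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION | EF_DROP_FALCO;

// Core check: true when falco should process an event carrying these flags.
// all_events models the -A flag: every event is considered regardless of flags.
bool falco_consider_flags(uint32_t flags, bool all_events) {
    if (all_events) return true;
    return (flags & k_skip_mask) == 0;
}

// Lookup by event number. An out-of-range number is treated as unknown and
// is never considered, rather than reading past the table (constructed choice).
bool falco_consider_evtnum(size_t evtnum, bool all_events) {
    if (evtnum >= k_event_table.size()) return false;
    return falco_consider_flags(k_event_table[evtnum].flags, all_events);
}

// How many table entries would reach the rule engine in each mode.
size_t count_considered(bool all_events) {
    size_t n = 0;
    for (size_t i = 0; i < k_event_table.size(); ++i)
        if (falco_consider_evtnum(i, all_events)) ++n;
    return n;
}

int main() {
    for (size_t i = 0; i < k_event_table.size(); ++i) {
        std::printf("%-11s flags=0x%02x consider=%d  with -A=%d\n",
                    k_event_table[i].name.c_str(), k_event_table[i].flags,
                    falco_consider_evtnum(i, false) ? 1 : 0,
                    falco_consider_evtnum(i, true) ? 1 : 0);
    }
    std::printf("considered: %zu of %zu (all_events: %zu)\n",
                count_considered(false), k_event_table.size(),
                count_considered(true));
    return 0;
}
```

Keeping the skip decision in one place, as the PR does, means that adding a flag such as EF_OLD_VERSION to a duplicated syscall entry in the event table is enough to drop it everywhere; the mask is the only thing a reviewer has to read to know which flags suppress an event, and the -A path makes the override explicit rather than scattered through the callers.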
Several changes to expand the set of events that are skipped by falco, and to centralize the logic for knowing which events to skip.