
fix empty arguments resolution (#4442)
* fix: empty arguments resolution

When tracee fails to resolve a numeric argument to a string (e.g. the cmd value of
the bpf syscall), the event field contains an empty string.

Return the raw value as a string in case of a failed resolution.

* tests: add argument parsers tests
ShohamBit authored Jan 15, 2025
1 parent f1cfe4d commit 2c33665
Showing 2 changed files with 1,409 additions and 21 deletions.
45 changes: 24 additions & 21 deletions pkg/events/parse_args_helpers.go
@@ -1,6 +1,8 @@
package events

import (
"strconv"

"github.com/aquasecurity/tracee/pkg/events/parsers"
"github.com/aquasecurity/tracee/pkg/logger"
"github.com/aquasecurity/tracee/types/trace"
Expand All @@ -16,7 +18,7 @@ func parseSocketDomainArgument(arg *trace.Argument, domain uint64) {
arg.Type = "string"
socketDomainArgument, err := parsers.ParseSocketDomainArgument(domain)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(domain, 10)
return
}
arg.Value = socketDomainArgument.String()
Expand All @@ -26,7 +28,7 @@ func parseSocketType(arg *trace.Argument, typ uint64) {
arg.Type = "string"
socketTypeArgument, err := parsers.ParseSocketType(typ)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(typ, 10)
return
}
arg.Value = socketTypeArgument.String()
Expand All @@ -36,7 +38,7 @@ func parseInodeMode(arg *trace.Argument, mode uint64) {
arg.Type = "string"
inodeModeArgument, err := parsers.ParseInodeMode(mode)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(mode, 10)
return
}
arg.Value = inodeModeArgument.String()
Expand All @@ -46,7 +48,7 @@ func parseBPFProgType(arg *trace.Argument, progType uint64) {
arg.Type = "string"
bpfProgTypeArgument, err := parsers.ParseBPFProgType(progType)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(progType, 10)
return
}
arg.Value = bpfProgTypeArgument.String()
Expand All @@ -56,7 +58,7 @@ func parseCapability(arg *trace.Argument, capability uint64) {
arg.Type = "string"
capabilityFlagArgument, err := parsers.ParseCapability(capability)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(capability, 10)
return
}
arg.Value = capabilityFlagArgument.String()
Expand All @@ -74,20 +76,21 @@ func parseSyscall(arg *trace.Argument, id int32) {
// NOTE: This might cause data races in the future if the map is modified.
// One solution to keep better CPU time is to segregate the map into two maps:
// one for proper core (read-only) events and another for the dynamic events.
arg.Type = "string"
def, ok := CoreEvents[ID(id)]
if !ok || !def.IsSyscall() {
arg.Value = strconv.FormatInt(int64(id), 10)
return
}

arg.Type = "string"
arg.Value = def.GetName()
}

func parsePtraceRequestArgument(arg *trace.Argument, req uint64) {
arg.Type = "string"
ptraceRequestArgument, err := parsers.ParsePtraceRequestArgument(req)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(req, 10)
return
}
arg.Value = ptraceRequestArgument.String()
Expand All @@ -97,27 +100,27 @@ func parsePrctlOption(arg *trace.Argument, opt uint64) {
arg.Type = "string"
prctlOptionArgument, err := parsers.ParsePrctlOption(opt)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(opt, 10)
return
}
arg.Value = prctlOptionArgument.String()
}

func parseSocketcallCall(arg *trace.Argument, call uint64) {
arg.Type = "string"
socketcallArgument, err := parsers.ParseSocketcallCall(call)
socketCallArgument, err := parsers.ParseSocketcallCall(call)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(call, 10)
return
}
arg.Value = socketcallArgument.String()
arg.Value = socketCallArgument.String()
}

func parseAccessMode(arg *trace.Argument, mode uint64) {
arg.Type = "string"
accessModeArgument, err := parsers.ParseAccessMode(mode)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(mode, 10)
return
}
arg.Value = accessModeArgument.String()
Expand All @@ -127,7 +130,7 @@ func parseExecFlag(arg *trace.Argument, flags uint64) {
arg.Type = "string"
execFlagArgument, err := parsers.ParseExecFlag(flags)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(flags, 10)
return
}
arg.Value = execFlagArgument.String()
Expand All @@ -137,7 +140,7 @@ func parseOpenFlagArgument(arg *trace.Argument, flags uint64) {
arg.Type = "string"
openFlagArgument, err := parsers.ParseOpenFlagArgument(flags)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(flags, 10)
return
}
arg.Value = openFlagArgument.String()
Expand All @@ -147,7 +150,7 @@ func parseCloneFlags(arg *trace.Argument, flags uint64) {
arg.Type = "string"
cloneFlagArgument, err := parsers.ParseCloneFlags(flags)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(flags, 10)
return
}
arg.Value = cloneFlagArgument.String()
Expand All @@ -157,7 +160,7 @@ func parseBPFCmd(arg *trace.Argument, cmd uint64) {
arg.Type = "string"
bpfCommandArgument, err := parsers.ParseBPFCmd(cmd)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(cmd, 10)
return
}
arg.Value = bpfCommandArgument.String()
Expand All @@ -167,7 +170,7 @@ func parseSocketLevel(arg *trace.Argument, level uint64) {
arg.Type = "string"
socketLevelArgument, err := parsers.ParseSocketLevel(level)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(level, 10)
return
}
arg.Value = socketLevelArgument.String()
Expand All @@ -185,15 +188,15 @@ func parseGetSocketOption(arg *trace.Argument, opt uint64, evtID ID) {
if err == nil {
arg.Value = optionNameArgument.String()
} else {
arg.Value = ""
arg.Value = strconv.FormatUint(opt, 10)
}
}

func parseFsNotifyObjType(arg *trace.Argument, objType uint64) {
arg.Type = "string"
fsNotifyObjTypeArgument, err := parsers.ParseFsNotifyObjType(objType)
if err != nil {
arg.Value = ""
arg.Value = strconv.FormatUint(objType, 10)
return
}
arg.Value = fsNotifyObjTypeArgument.String()
Expand All @@ -206,6 +209,7 @@ func parseBpfHelpersUsage(arg *trace.Argument, helpersList []uint64) {
// helper number <i> is used. get its name from libbpfgo
bpfHelper, err := parsers.ParseBPFFunc(uint64(i))
if err != nil {
usedHelpers = append(usedHelpers, strconv.FormatInt(int64(i), 10))
continue
}
usedHelpers = append(usedHelpers, bpfHelper.String())
Expand Down Expand Up @@ -235,9 +239,8 @@ func parseBpfAttachType(arg *trace.Argument, attachType int32) {
case 5:
attTypeName = "uretprobe"
default:
arg.Value = ""
attTypeName = strconv.FormatInt(int64(attachType), 10)
logger.Errorw("Unknown attach_type got from bpf_attach event")
return
}

arg.Value = attTypeName
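Review bot: In the parseBpfAttachType hunk the default branch now falls back to the decimal attach_type but the error log still carries no value, so an operator seeing "Unknown attach_type got from bpf_attach event" cannot tell which number went unrecognized; if Errorw takes key/value pairs as its name suggests, `logger.Errorw("Unknown attach_type got from bpf_attach event", "attach_type", attachType)` would make the log actionable (the function's start lies outside the hunk). The other fallbacks in this file (parseSocketDomainArgument through parseFsNotifyObjType, and parseBpfHelpersUsage) stay silent, which is fine for throughput, but the new contract deserves a doc comment on each helper along the lines of `// On an unresolvable value the raw number is stored as its decimal string, so the field never carries an empty string.` so that rule authors matching on these string fields know to expect e.g. "5" in place of a name. The same four-line parse-then-fallback pattern is now repeated fifteen times; a small shared helper (generic over the parser's return type, if the module's Go version allows) would keep the fallback format and the `arg.Type = "string"` assignment consistent across them.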
