Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle zero-value types for unavailable fields - ArgMeta #4336

Merged
merged 3 commits into from
Oct 8, 2024
Merged

Handle zero-value types for unavailable fields - ArgMeta #4336

merged 3 commits into from
Oct 8, 2024

Conversation

geyslan
Copy link
Member

@geyslan geyslan commented Oct 4, 2024
edited
Loading

Close: #4335

1. Explain what the PR does

2f31471 fix(events): setuid16 arg name typo
4737625 fix: handle zero-value types for unavailable fields
41eeb29 chore(go.mod): bump types to latest version

2f31471 fix(events): setuid16 arg name typo

'git log --grep old_old_uid_t' in Linux kernel code didn't return any
results.

4737625 fix: handle zero-value types for unavailable fields

Some event arguments, such as "interpreter_*" from sched_process_exec,
were not being populated because the kernel might not always provide
them. This was causing errors during the gRPC proto conversion, as
the values couldn't be asserted - they were nil.

With this change, ArgMeta now holds the Zero value of the type, ensuring
that assignment is always possible without requiring additional parsing
in the pipeline.

This also might help parsing since the Zero field will always have
value, making it easier to assert its type instead of checking for
Name field (string).

2. Explain how to test it

3. Other comments

@geyslan geyslan self-assigned this Oct 4, 2024
@geyslan
Copy link
Member Author

geyslan commented Oct 4, 2024

@trvll do you mind testing?

geyslan
geyslan commented Oct 4, 2024
View reviewed changes
go.mod Outdated Show resolved Hide resolved
@geyslan geyslan force-pushed the 4335-fix-missing-values branch 2 times, most recently from 8a96e92 to 1cc78f0 Compare October 4, 2024 23:31
@NDStrahilevitz
Copy link
Collaborator

NDStrahilevitz commented Oct 7, 2024
edited
Loading

I'll review this thoroughly tomorrow.
From a quick glance I have these to say:

  1. We should use the effort of type conversion here and already move to hardcoded ArgType enums. These should be used instead of the strings. (We can then add a timestamp argument type and have it autonormalized in the decode stage as I've hinted at in register normalizeTimeArg processor only when proctree is on #4332 (comment))
  2. I believe we're handling this issue or a similar one through the argument helper here: https://github.com/aquasecurity/tracee/blob/main/signatures/helpers/arguments_helpers.go#L35. What is the difference in issue? I think further elaboration in the resolved issue would have helped clear the difference.

@geyslan
Copy link
Member Author

geyslan commented Oct 7, 2024

I believe we're handling this issue or a similar one through the argument helper here: https://github.com/aquasecurity/tracee/blob/main/signatures/helpers/arguments_helpers.go#L35.

I don't believe so, GetTraceeArgumentByName only checks for nil and errs. We don't want to err in the consumer end since the event is fine.

What is the difference in issue? I think further elaboration in the resolved issue would have helped clear the difference.

The Arg transmitted via grpc arrives lacking the Type since it's nil, then an incomplete Event Arg. When that end tries to convert it back to an event, it fails. Take a look at #4335.

This assures that when an arg field not filled (whatever reason), it sets it with the correspondent zero value.

We should use the effort of type conversion here and already move to hardcoded ArgType enums.

I believe we should indeed, in a chore PR, since it will require to change types and the whole core events fields.

NDStrahilevitz
NDStrahilevitz approved these changes Oct 8, 2024
View reviewed changes
Copy link
Collaborator

@NDStrahilevitz NDStrahilevitz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just please add the comment documentation i've requested.

pkg/events/definition_group.go Show resolved Hide resolved
types/trace/trace.go Outdated Show resolved Hide resolved
@geyslan geyslan mentioned this pull request Oct 8, 2024
Merged
@geyslan
fix: handle zero-value types for unavailable fields
4737625 
Some event arguments, such as "interpreter_*" from sched_process_exec,
were not being populated because the kernel might not always provide
them. This was causing errors during the gRPC proto conversion, as
the values couldn't be asserted - they were nil.

With this change, ArgMeta now holds the Zero value of the type, ensuring
that assignment is always possible without requiring additional parsing
in the pipeline.

This also might help parsing since the Zero field will always have
value, making it easier to assert its type instead of checking for
Name field (string).
@geyslan
fix(events): setuid16 arg name typo
2f31471 
'git log --grep old_old_uid_t' in Linux kernel code didn't return any
results.
@geyslan
Copy link
Member Author

geyslan commented Oct 8, 2024

/fast-forward

@github-actions github-actions bot merged commit 2f31471 into aquasecurity:main Oct 8, 2024
26 checks passed
@geyslan geyslan added the candidate/v0.22.3 Candidate to be cherry-picked or backported into v0.22.3 release label Oct 8, 2024
@geyslan geyslan removed the candidate/v0.22.3 Candidate to be cherry-picked or backported into v0.22.3 release label Oct 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NDStrahilevitz NDStrahilevitz NDStrahilevitz approved these changes

Assignees

@geyslan geyslan

Labels
area/build area/events area/signatures cherry-picked/v0.22.3 kind/bug milestone/v0.23.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Event sched_process_exec is sending ArgMeta with nil value in gRPC
3 participants
@geyslan @NDStrahilevitz @rscampos