Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG]: file related dev field extraction is dependent on the Filesystem type #1805

Open
FedeDP opened this issue Apr 19, 2024 · 7 comments
Open

[BUG]: file related dev field extraction is dependent on the Filesystem type #1805

FedeDP opened this issue Apr 19, 2024 · 7 comments
Labels
kind/bug Something isn't working
Milestone
TBD

Comments

@FedeDP
Copy link
Contributor

FedeDP commented Apr 19, 2024

During the development of ppc64 me and @Andreagit97 noticed that some open related tests were failing to assert the dev field:

Expected equality of these values:
 *(T*)(m_event_params[m_current_param].valptr)
   Which is: 29
 param
   Which is: 37

Digging into it, we noticed that vfs_getattr_nosec calls a filesystem dependent getattr callback (https://elixir.bootlin.com/linux/v6.7.7/source/fs/stat.c#L135), that, for btrfs (the filesystem being used by our ppc64 test node), sets dev field differently: https://elixir.bootlin.com/linux/v6.7.7/source/fs/btrfs/inode.c#L8692.

See the call trace:

@[
    generic_fillattr+12
    btrfs_getattr+228
    vfs_getattr_nosec+244
    vfs_fstat+128
    __do_sys_newfstat+80
    system_call_exception+372
    system_call_vectored_common+348
]: 2

This means that our dev field is FS dependent and thus it cannot be relied upon.
There is no way to fix this (at least on eBPF probes), since we miss the needed helpers.
@FedeDP FedeDP added the kind/bug Something isn't working label Apr 19, 2024
@FedeDP
Copy link
Contributor Author

FedeDP commented Apr 19, 2024

/milestone TBD

@poiana poiana added this to the TBD milestone Apr 19, 2024
FedeDP added a commit that referenced this issue Apr 19, 2024
@FedeDP @Andreagit97
fix(test/drivers): only assert dev parameter on ext4 FS.
7a182f9 
Refs #1805

Signed-off-by: Federico Di Pierro <[email protected]>

Co-authored-by: Andrea Terzolo <[email protected]>
@FedeDP FedeDP mentioned this issue Apr 19, 2024
Merged
FedeDP added a commit that referenced this issue Apr 22, 2024
@FedeDP @Andreagit97
fix(test/drivers): only assert dev parameter on ext4 FS.
29867a3 
Refs #1805

Signed-off-by: Federico Di Pierro <[email protected]>

Co-authored-by: Andrea Terzolo <[email protected]>
poiana pushed a commit that referenced this issue Apr 23, 2024
@FedeDP @Andreagit97 @poiana
fix(test/drivers): only assert dev parameter on ext4 FS.
f4faa54 
Refs #1805

Signed-off-by: Federico Di Pierro <[email protected]>

Co-authored-by: Andrea Terzolo <[email protected]>
@poiana
Copy link
Contributor

poiana commented Jul 18, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Oct 17, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@FedeDP
Copy link
Contributor Author

FedeDP commented Oct 17, 2024

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Jan 15, 2025

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@FedeDP
Copy link
Contributor Author

FedeDP commented Jan 15, 2025

/remove-lifecycle stale

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working
Projects
None yet
Milestone
TBD
Development

No branches or pull requests
3 participants
@FedeDP @poiana @Andreagit97