execveat process events not reported on s390x architecture #122

@gentooise

Description

Indicate project
libsysflow

Describe the bug
Process events are not reported when using execveat syscall on s390x architecture (tested on 0.6.1-rc1).

To reproduce
Steps to reproduce the behavior:

  1. compile the following tester program (gcc execveat.c -o execveat):
#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

// Adapted from "Bypass Falco" presentation (Leonardo Di Donato)
// Note: execveat was introduced in Linux kernel v3.19

int main() {
    // Open the target binary; with an empty pathname and AT_EMPTY_PATH,
    // execveat executes the file referred to by dirfd itself.
    int dirfd = open("/usr/bin/echo", O_RDONLY);
    const char* pathname = "";
    const char* argv[] = { "echo", "test_arg1", "test_arg2", "test_arg3", "test_arg4", "test_arg5", NULL };
    const char* envp[] = { NULL };
    unsigned int flags = AT_EMPTY_PATH;
    int rc = syscall( SYS_execveat, dirfd, pathname, argv, envp, flags);
    // Only reached if execveat failed: a successful exec never returns.
    printf("errno: %d\n", errno);
    return rc;
}
  2. run callback example
  3. run execveat program

Expected behavior
The /usr/bin/echo process events should be reported, indicating execveat as parent.

Environment (please complete the following information):

  • OS: Ubuntu 22.04.3 LTS
    • Linux ztest5 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:49 UTC 2023 s390x s390x s390x GNU/Linux
  • SysFlow version: 0.6.1-rc1

Additional context
Similar behavior with this other sample (execveat_no_args):

#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

// Adapted from "Bypass Falco" presentation (Leonardo Di Donato)
// Note: execveat was introduced in Linux kernel v3.19

int main() {
    // Same as above, but the target receives an empty argv[0] and no arguments.
    int dirfd = open("/usr/bin/ls", O_RDONLY);
    const char* pathname = "";
    const char* argv[] = { "", NULL };
    const char* envp[] = { NULL };
    unsigned int flags = AT_EMPTY_PATH;
    int rc = syscall( SYS_execveat, dirfd, pathname, argv, envp, flags);
    // Only reached if execveat failed: a successful exec never returns.
    printf("errno: %d\n", errno);
    return rc;
}

Files
Logs from callback example below.

execveat:

****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692139, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 2692139, OpFlags: 9344, OpenFlags 4097, FD 4
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692139, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692139, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /usr/bin/echo
File Flow: TID 2692139, OpFlags: 2176, OpenFlags 2049, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692139 Creation Time, 1707400137605781579, Exe /home/test/sf-collector/examples/out/execveat, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692139, OpFlags 4, Ret 0
****************************************************************

execveat_no_args:

****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692140, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 2692140, OpFlags: 9344, OpenFlags 4097, FD 4
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692140, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /dev/pts/0
File Flow: TID 2692140, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
File: Type 102, Path /usr/bin/ls
File Flow: TID 2692140, OpFlags: 2176, OpenFlags 2049, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name
Process: PID 2692140 Creation Time, 1707400142058170619, Exe /home/test/sf-collector/examples/out/execveat_no_args, Exe Args , User Name test, Group Name sysflow, TTY 1
Proc Evt: TID 2692140, OpFlags 4, Ret 0
****************************************************************
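An added check, written for this page and not part of the issue report or of libsysflow: the tester programs above only print errno when execveat fails, so their output alone does not say whether the exec actually happened. This harness forks, performs the same execveat(dirfd, "", argv, envp, AT_EMPTY_PATH) call in the child, and returns the child's exit status to the parent. An exit status of 0 means the target really replaced the child's image, so a collector that shows no EXEC record for the target (only the opening of /usr/bin/echo on FD 3 followed by the tester's own exit, as in the logs above) has a reporting gap rather than a failed syscall. The function name exec_status_via_execveat, the argument string "harness_arg" and the default target /bin/echo are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Example harness (not from the issue or libsysflow): run `path` through
 * execveat(dirfd, "", argv, envp, AT_EMPTY_PATH) in a forked child and
 * report what happened to that child.
 *
 * Return value:
 *   -1  the target could not be opened, or fork/waitpid failed
 *    0  the target ran and exited successfully (the exec happened, so a
 *       process EXEC event for it is expected from the collector)
 *  127  execveat failed in the child (see _exit(127) below)
 *  128+N the child was killed by signal N
 */
int exec_status_via_execveat(const char *path)
{
    /* Same open(O_RDONLY) as the tester programs: dirfd refers to the binary. */
    int dirfd = open(path, O_RDONLY);
    if (dirfd < 0)
        return -1;

    /* argv[0] is the basename of the target; "harness_arg" is a constructed
     * argument so the target has something to echo. */
    const char *slash = strrchr(path, '/');
    const char *argv0 = slash ? slash + 1 : path;
    char *const argv[] = { (char *)argv0, "harness_arg", NULL };
    char *const envp[] = { NULL };

    pid_t pid = fork();
    if (pid < 0) {
        close(dirfd);
        return -1;
    }
    if (pid == 0) {
        /* Child: empty pathname + AT_EMPTY_PATH executes the file behind
         * dirfd. A successful execveat never returns, so reaching _exit
         * means it failed. */
        syscall(SYS_execveat, dirfd, "", argv, envp, AT_EMPTY_PATH);
        _exit(127);
    }

    /* Parent: the descriptor is no longer needed here; wait for the child. */
    close(dirfd);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

int main(int argc, char **argv)
{
    /* Default target is /bin/echo (assumed to exist); override on the
     * command line, e.g. ./harness /usr/bin/ls */
    const char *target = argc > 1 ? argv[1] : "/bin/echo";
    int status = exec_status_via_execveat(target);
    printf("%s: child exit status %d (%s)\n", target, status,
           status == 0  ? "exec happened; an EXEC event for the target is expected" :
           status == -1 ? "could not open target or run child" :
                          "exec did not complete");
    return status == 0 ? 0 : 1;
}
```

Run the harness while the callback example is collecting: the parent's own clone/exit records are expected, and if the harness reports exit status 0 for the target, the target's EXEC record (with the harness as parent) should appear in the same output. Comparing the two is a quick way to tell a collector-side gap from a syscall that never executed.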

Metadata

Labels: bug (Something isn't working)
Assignees: no one assigned
Type: no type
Projects: no projects
Milestone: no milestone
Relationships: none yet
Development: no branches or pull requests