eBPF probes: 32 bit applications support #279

Closed
alexburt opened this issue Apr 5, 2022 · 15 comments · Fixed by #1196
@alexburt

alexburt commented Apr 5, 2022

Hello,
Is there a reason why 32-bit syscalls are not supported by the eBPF driver?
My test program opens /etc/shadow and normally triggers the alert. But there are no alerts when I compile the program as ELF 32-bit (gcc -m32).

Looks like 32-bit calls are just skipped by the eBPF probe (https://github.com/falcosecurity/libs/blob/master/driver/bpf/probe.c):

    if (bpf_in_ia32_syscall())
        return 0;

Any reason for that?
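
Added example, not part of the original post and not code from falcosecurity/libs: a small C helper that reads the ELF header and flags 32-bit x86 binaries, the kind the report above says produce no alerts under the eBPF probe, so a host can be inventoried for them. The names `classify_elf` and `classify_file` and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field offsets and values from the ELF specification, redefined locally
 * so the block builds without <elf.h>. */
enum { OFF_CLASS = 4, OFF_DATA = 5, OFF_MACHINE = 18, HDR_MIN = 20 };
enum { CLASS_32 = 1, CLASS_64 = 2, DATA_LSB = 1, MACH_386 = 3, MACH_X86_64 = 62 };
enum elf_kind { NOT_ELF, ELF_NATIVE64, ELF_IA32, ELF_OTHER };

/* Constructed sample headers (e_ident, e_type, e_machine), not real files. */
static const unsigned char SAMPLE_IA32[HDR_MIN] = {
    0x7f, 'E', 'L', 'F', CLASS_32, DATA_LSB, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 3, 0 };
static const unsigned char SAMPLE_X64[HDR_MIN] = {
    0x7f, 'E', 'L', 'F', CLASS_64, DATA_LSB, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 62, 0 };

/* Classify the leading bytes of a file by ELF class and machine type. */
enum elf_kind classify_elf(const unsigned char *hdr, size_t len)
{
    if (len < HDR_MIN || memcmp(hdr, "\x7f" "ELF", 4) != 0)
        return NOT_ELF;
    if (hdr[OFF_DATA] != DATA_LSB)
        return ELF_OTHER;               /* x86 objects are little-endian */
    /* e_machine is a 16-bit field at the same offset in ELF32 and ELF64. */
    unsigned machine = hdr[OFF_MACHINE] | (unsigned)hdr[OFF_MACHINE + 1] << 8;
    if (hdr[OFF_CLASS] == CLASS_32 && machine == MACH_386)
        return ELF_IA32;                /* what gcc -m32 emits on x86 */
    if (hdr[OFF_CLASS] == CLASS_64 && machine == MACH_X86_64)
        return ELF_NATIVE64;
    return ELF_OTHER;
}

/* Read only the header bytes of path; unreadable files count as NOT_ELF. */
enum elf_kind classify_file(const char *path)
{
    unsigned char hdr[HDR_MIN];
    FILE *f = fopen(path, "rb");
    if (!f)
        return NOT_ELF;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return classify_elf(hdr, n);
}

/* Usage: ./elfclass FILE... ; prints the paths that are 32-bit x86 ELF. */
int main(int argc, char **argv)
{
    if (argc == 1)  /* no arguments: run on the constructed samples */
        printf("samples: %d %d\n", classify_elf(SAMPLE_IA32, HDR_MIN), classify_elf(SAMPLE_X64, HDR_MIN));
    for (int i = 1; i < argc; i++)
        if (classify_file(argv[i]) == ELF_IA32)
            printf("ia32\t%s\n", argv[i]);
    return 0;
}
```

The ELF class of a binary is an inventory heuristic only; it does not replace compat syscall support in the driver.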

@FedeDP
Contributor

FedeDP commented Apr 6, 2022

Hi!
I think that the issue with compat syscalls is that we don't really support them; we'd need to implement its support.
I think that from a security standpoint, we really need that though! I might work on this in my spare time :)

@FedeDP
Contributor

FedeDP commented May 11, 2022

/kind feature

poiana added the kind/feature label and removed the needs-kind label on May 11, 2022
@2Bor2C

2Bor2C commented May 17, 2022

We would be interested in this feature as well. This may be a big security gap.

@FedeDP
Contributor

FedeDP commented May 17, 2022

Yep we know that; that's unfortunate and we must implement its support. I'll try to target 0.33 for this.
0.32 is coming soon and there is not enough time to implement and test it.

@Andreagit97
Member

You are right @2Bor2C, we will try to insert it in 0.33

@poiana
Contributor

poiana commented Aug 20, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Member

/remove-lifecycle stale

@poiana
Contributor

poiana commented Nov 18, 2022

/lifecycle stale

@FedeDP
Contributor

FedeDP commented Nov 19, 2022

/remove-lifecycle stale

@poiana
Contributor

poiana commented Feb 17, 2023

/lifecycle stale

@Cryptophobia

@FedeDP any update on this?

/remove-lifecycle stale

@FedeDP
Contributor

FedeDP commented Feb 17, 2023

Nope :( still need to schedule some time for this!

@incertum
Contributor

incertum commented Apr 5, 2023

@alexburt Feature is scheduled for Falco 0.36 release and tracked under Falco issue falcosecurity/falco#2472. According to our new roadmap planning we may have 2 libs releases per one Falco release, therefore the feature may land earlier in libs.

@oheifetz
Contributor

Hi,
I would like to understand the root cause for which the bpf_in_ia32_syscall check was put there in the first place. I failed to understand it from git blame. 32-bit arches are supported by eBPF; can you please elaborate regarding this issue?

@incertum
Contributor

@oheifetz - @FedeDP has this item in his queue. The work has not yet started. We will keep everyone updated here if this is ok? Thank you for your patience 🙏
