Probes don't export updated gid information for execve system call #2144

Open
ekoops opened this issue Nov 4, 2024 · 1 comment · May be fixed by #2161
ekoops commented Nov 4, 2024

Describe the bug

For execve system calls, probes correctly export the effective user ID as uid. However, they don't export the effective group ID, which can change when the user runs a set-group-ID program.

How to reproduce it

Run the execve system call on a binary having the set-group-ID bit set and belonging to a group different from the current user's one.

Expected behaviour

The probes correctly export the effective group ID and Falco uses this information to update the internal state for the process.

Screenshots

Environment

  • Falco version: 0.39.1

  • System info:
{
  "machine": "x86_64",
  "nodename": "ekoops-XPS-15-9530",
  "release": "6.8.0-48-generic",
  "sysname": "Linux",
  "version": "#48~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  7 11:24:13 UTC 2"
}
  • Cloud provider or hardware configuration:
  • OS:
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
  • Kernel:
Linux ekoops-XPS-15-9530 6.8.0-48-generic #48~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 7 11:24:13 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
  • Installation method: From source.

Additional context

@ekoops ekoops added the kind/bug Something isn't working label Nov 4, 2024
@Andreagit97 Andreagit97 added kind/feature New feature or request and removed kind/bug Something isn't working labels Nov 4, 2024
@ekoops ekoops linked a pull request Nov 15, 2024 that will close this issue
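
As an added illustration of the reproduction condition described in the issue (not part of the issue and not Falco code): a simplified C model of the rule Linux applies at execve() to decide the new effective GID, which is the value the probes would need to export. The function names are hypothetical, and the model ignores no_new_privs and user-namespace GID mapping.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: effective GID expected after execve() of a file.
 * Set-group-ID is honoured only for a regular file that also has the
 * group-execute bit, and only when the filesystem is not mounted nosuid.
 * Simplification: no_new_privs and user-namespace mapping are not modelled. */
gid_t expected_egid_after_exec(mode_t mode, gid_t file_gid,
                               gid_t cur_egid, bool nosuid)
{
    if (nosuid || !S_ISREG(mode))
        return cur_egid;
    if ((mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP))
        return cur_egid;            /* setgid bit absent or not effective */
    return file_gid;                /* egid switches to the file's group */
}

/* Returns 1 if exec'ing path would change the caller's egid, 0 if not,
 * -1 if the file or its filesystem cannot be inspected. */
int exec_changes_egid(const char *path, gid_t *new_egid)
{
    struct stat st;
    struct statvfs vfs;

    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return -1;
    gid_t cur = getegid();
    *new_egid = expected_egid_after_exec(st.st_mode, st.st_gid, cur,
                                         (vfs.f_flag & ST_NOSUID) != 0);
    return *new_egid != cur;
}

int main(int argc, char **argv)
{
    gid_t g;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <binary>\n", argv[0]);
        return 2;
    }
    int r = exec_changes_egid(argv[1], &g);
    if (r < 0) { perror(argv[1]); return 1; }
    printf("egid now %u, expected after execve: %u%s\n",
           (unsigned)getegid(), (unsigned)g, r ? " (changed)" : "");
    return 0;
}
```

Comparing the predicted value with the group ID reported for the exec'ed process shows whether an event source is tracking the change.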
FedeDP commented Nov 15, 2024

/milestone next-driver

@poiana poiana added this to the next-driver milestone Nov 15, 2024