Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

new(libsinsp): add aexepath, aexe filter and display option #938

Merged
merged 4 commits into from
Mar 7, 2023
Merged

new(libsinsp): add aexepath, aexe filter and display option #938

merged 4 commits into from
Mar 7, 2023

Conversation

incertum
Copy link
Contributor

@incertum incertum commented Mar 4, 2023
edited
Loading

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap-engine-udig

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Which issue(s) this PR fixes:

Being able to filter process ancestry by exepath can be especially useful for writing rules around shells / RCE originating from java processes, because here often proc.name aka the process name can rather reflect the program name.

This new option provides new opportunities to write filter expressions for many use cases.

Fixes #

Special notes for your reviewer:

  • Would it be ok to also add this for proc.exe for completeness?
  • Light cleanup of the enum in a separate commit, else it is rather just copying existing code and swapping field references
  • Lastly, in a follow up PR we should perhaps change the ordering of the proc.x fields slightly so that the end user has a better overview of all supported fields on the website?

Does this PR introduce a user-facing change?:

new(libsinsp): add aexepath, aexe filter and display option

incertum added 2 commits March 3, 2023 23:32
@incertum
cleanup(libsinsp): remove numbers from check enum
ddcb7ec 
for fields related to proc.x or thread.x

Signed-off-by: Melissa Kilby <[email protected]>
@incertum
new(libsinsp): add aexepath filter and display option
61da17c 
Being able to filter process ancestry by exepath can be
especially useful for writing rules around shells / RCE
originating from java processes, because here often proc.name
aka the process name can rather reflect the current program name.

This new option provides new opportunities to write
filter expressions for many use cases.

Signed-off-by: Melissa Kilby <[email protected]>
@incertum incertum requested review from LucaGuerra and loresuso March 4, 2023 00:11
@poiana poiana requested review from hbrueckner and Molter73 March 4, 2023 00:13
@poiana poiana added the approved label Mar 4, 2023
@LucaGuerra
Copy link
Contributor

I like this PR 🚀 ! I think it's a nice useful field to get. I also love the added test and the fact that you're thinking about the field order in the documentation to make it clearer <3 . Nothing against adding that to exe as well.

Also the cleanup makes sense to me, thanks for adding it as an additional commit.

@jasondellaluce
Copy link
Contributor

/milestone 0.11.0

@poiana poiana added this to the 0.11.0 milestone Mar 6, 2023
loresuso
loresuso reviewed Mar 6, 2023
View reviewed changes
Copy link
Member

@loresuso loresuso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice PR! I am totally on board with this.
Of course, doing the same for proc.exe is relevant as well.
Lastly, I agree also on the reordering of these fields in a subsequent PR

incertum and others added 2 commits March 6, 2023 17:06
@incertum @LucaGuerra
cleanup(unit_tests): re-use field_exists
aa59187 
Co-authored-by: Luca Guerra <[email protected]>
Signed-off-by: Melissa Kilby <[email protected]>
@incertum
new(libsinsp): add aexe filter and display option
800e207 
This new option provides new opportunities to write
filter expressions for many use cases.

Signed-off-by: Melissa Kilby <[email protected]>
@incertum incertum changed the title new(libsinsp): add aexepath filter and display option new(libsinsp): add aexepath, aexe filter and display option Mar 6, 2023
@incertum
Copy link
Contributor Author

incertum commented Mar 6, 2023
edited
Loading

Great @LucaGuerra and @loresuso let's discuss best order and perhaps minor adjustments to explanations in the follow up PR.

Just added aexe, let's all double check that I didn't miss any updates to the right field references when copying and pasting ... thanks a lot!

LucaGuerra
LucaGuerra approved these changes Mar 7, 2023
View reviewed changes
Copy link
Contributor

@LucaGuerra LucaGuerra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@poiana poiana added the lgtm label Mar 7, 2023
@poiana
Copy link
Contributor

poiana commented Mar 7, 2023

LGTM label has been added.

Git tree hash: 921899869c8ea45d2fa0e0c65286e30d849fb687

Andreagit97
Andreagit97 approved these changes Mar 7, 2023
View reviewed changes
Copy link
Member

@Andreagit97 Andreagit97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

userspace/libsinsp/filterchecks.h
Comment on lines +347 to +350
TYPE_PEXE,
TYPE_AEXE,
TYPE_PEXEPATH,
TYPE_AEXEPATH,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

next time probably i would add them at the end since we usually do like this

@poiana poiana merged commit 600edf6 into falcosecurity:master Mar 7, 2023
@poiana
Copy link
Contributor

poiana commented Mar 7, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [Andreagit97,LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@incertum incertum mentioned this pull request Mar 10, 2023
Merged
This was referenced Apr 4, 2023
Open
Merged
@incertum incertum deleted the exepath-ancestry branch December 8, 2023 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@loresuso loresuso loresuso left review comments

@Andreagit97 Andreagit97 Andreagit97 approved these changes

@LucaGuerra LucaGuerra LucaGuerra approved these changes

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

@Molter73 Molter73 Awaiting requested review from Molter73

Assignees

@LucaGuerra LucaGuerra

@Andreagit97 Andreagit97

Labels
approved area/libsinsp dco-signoff: yes kind/cleanup kind/feature New feature or request lgtm release-note size/XL
Projects
None yet
Milestone
0.11.0
Development

Successfully merging this pull request may close these issues.
6 participants
@incertum @LucaGuerra @jasondellaluce @poiana @loresuso @Andreagit97