Exe full path missing in Exe field #107

Open
dcarolloz opened this issue Jul 4, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@dcarolloz

Indicate project
libsysflow

Describe the bug
The exe full path is sometimes not reported

To reproduce
Steps to reproduce the behavior:

  1. Build and run sf-collector example
  2. Compile and run code example reported below

Expected behavior
The exe full path should be reported. In the example, Exe is expected to show /usr/bin/echo.

Environment:

  • OS: Ubuntu 20.04.4 LTS
  • kernel: 5.4.0-128-generic
  • SysFlow version: v0.5.1 (from master branch)
  • Configurations: eBPF driver

Code example

#define _GNU_SOURCE
#include <sys/syscall.h>
#include <linux/fs.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

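int main(void) {
    const char *pathname = "/usr/bin/echo";
    /* argv[0] is the bare name "echo"; the full path is passed only as pathname. */
    const char *argv[] = { "echo", "arg1", "arg2", "arg3", "arg4", "arg5", NULL };
    const char *envp[] = { NULL };
    /* Call execve through syscall(2); on success this call does not return. */
    long rc = syscall(SYS_execve, pathname, argv, envp);
    /* Reached only if execve failed. */
    printf("errno: %d\n", errno);
    return rc == 0 ? 0 : 1;
}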

sf-collector example log

****************************************************************
Header: Exporter , IP , File name 
Process: PID 13246 Creation Time, 1688476758875589088, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 13246, OpFlags 1, Ret 23207
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 1, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 23207, OpFlags: 9344, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /lib/x86_64-linux-gnu/libc.so.6
File Flow: TID 23207, OpFlags: 9600, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /etc/ld.so.cache
File Flow: TID 23207, OpFlags: 9344, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /lib/x86_64-linux-gnu/libc.so.6
File Flow: TID 23207, OpFlags: 9600, OpenFlags 4097, FD 3
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /dev/pts/1
File Flow: TID 23207, OpFlags: 1536, OpenFlags 0, FD 1
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
File: Type 102, Path /dev/pts/1
File Flow: TID 23207, OpFlags: 1024, OpenFlags 0, FD 2
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 4, Ret 0
****************************************************************
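
A check that a consumer of this telemetry could run over the log format above to find Process records whose Exe is not an absolute path, such as the `Exe echo` records. This is an added example, not part of the original issue or of the SysFlow code; the regular expression, the function names and the trimmed sample lines are assumptions based only on the log shown here.

```python
import re

# Constructed sample: Process / Proc Evt lines taken from the log in this issue, trimmed.
SAMPLE_LOG = """\
Process: PID 23207 Creation Time, 1688476762777075981, Exe /usr/bin/bash, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 1, Ret 0
Process: PID 23207 Creation Time, 1688476762777075981, Exe /home/vagrant/syscall-testers-master/execve, Exe Args , User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 2, Ret 0
Process: PID 23207 Creation Time, 1688476762777075981, Exe echo, Exe Args arg1 arg2 arg3 arg4 arg5, User Name vagrant, Group Name vagrant, TTY 1
Proc Evt: TID 23207, OpFlags 4, Ret 0
"""

# Assumed layout of a "Process:" line, inferred from the example log only.
PROCESS_RE = re.compile(
    r"^Process: PID (?P<pid>\d+) Creation Time, (?P<ctime>\d+), "
    r"Exe (?P<exe>.*?), Exe Args (?P<args>.*?), User Name "
)


def exe_history(log_text):
    """Return {(pid, creation_time): [exe, ...]}, consecutive repeats collapsed."""
    history = {}
    for line in log_text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if not m:
            continue  # separators, Header, File and event lines
        key = (int(m["pid"]), int(m["ctime"]))
        seq = history.setdefault(key, [])
        if not seq or seq[-1] != m["exe"]:
            seq.append(m["exe"])
    return history


def non_absolute_exes(log_text):
    """List (pid, exe, previous_exe) for each Exe value that is not an absolute path."""
    findings = []
    for (pid, _ctime), seq in exe_history(log_text).items():
        for prev, exe in zip([None] + seq, seq):
            if not exe.startswith("/"):
                findings.append((pid, exe, prev))
    return findings


if __name__ == "__main__":
    for pid, exe, prev in non_absolute_exes(SAMPLE_LOG):
        print(f"PID {pid}: Exe {exe!r} is not a full path (previous Exe: {prev})")
```

The previous Exe value is included in each finding so the record can still be tied to the binary that issued the exec when the new path is incomplete.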
@dcarolloz dcarolloz added the bug Something isn't working label Jul 4, 2023