Add set_fs_pwd event
#3919
Merged
Add set_fs_pwd event
#3919
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
area/ebpf
kind/documentation
area/testing
area/events
area/build
labels
oshaked1
force-pushed
the
set_fs_pwd_event
branch
from
72853c5
to
d7632b8
Compare
oshaked1
force-pushed
the
set_fs_pwd_event
branch
from
78a4e94
to
8732fe5
Compare
The bpf_probe_read_user_str helper was added in kernel 5.5, and before that reads from user space were not guaranteed to work if the architecture doesn't support it. In practice, ARM systems couldn't read from user space before this helper was introduced. The test now doesn't expect the unresolved_path (which comes from a userspace read) to conatin anything if the helper doesn't exist.
yanivagman
reviewed
May 9, 2024
| @@ -129,7 +129,7 @@ for TEST in $TESTS; do | |||
| --output option:parse-arguments \ | |||
| --log file:$SCRIPT_TMP_DIR/tracee-log-$$ \ | |||
| --signatures-dir "$SIG_DIR" \ | |||
| --scope comm=echo,mv,ls,tracee,proctreetester,ping,ds_writer,fsnotify_tester,process_execute,tracee-ebpf,writev \ | |||
| --scope comm=echo,mv,ls,tracee,proctreetester,ping,ds_writer,fsnotify_tester,process_execute,tracee-ebpf,writev,set_fs_pwd.sh \ | |||
There was a problem hiding this comment.
why do we need to put the script name in the comm filter?
There was a problem hiding this comment.
The cd command which is used to trigger the event is a built-in bash command and not a new executable, so it runs from the script's process
There was a problem hiding this comment.
Yes, but we can't get the script name set_fs_pwd.sh in the comm field, right?
in the comm field you will only see the executable name (e.g. bash), not the script name
There was a problem hiding this comment.
Assuming the script is run directly (which it is), the script name will be in the comm field:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
1. Explain what the PR does
Added
set_fs_pwdevent which captures all changes to the current working directory.Closes #4001
2. Explain how to test it
Run tracee with
--events set_fs_pwd, generate an event by performing any directory change (e.g. usingcd).