Add set_fs_pwd event #3919
Conversation
LGTM
The bpf_probe_read_user_str helper was added in kernel 5.5, and before that reads from user space were not guaranteed to work if the architecture doesn't support it. In practice, ARM systems couldn't read from user space before this helper was introduced. The test now doesn't expect the unresolved_path (which comes from a userspace read) to contain anything if the helper doesn't exist.
@@ -129,7 +129,7 @@ for TEST in $TESTS; do | |||
--output option:parse-arguments \ | |||
--log file:$SCRIPT_TMP_DIR/tracee-log-$$ \ | |||
--signatures-dir "$SIG_DIR" \ | |||
--scope comm=echo,mv,ls,tracee,proctreetester,ping,ds_writer,fsnotify_tester,process_execute,tracee-ebpf,writev \ | |||
--scope comm=echo,mv,ls,tracee,proctreetester,ping,ds_writer,fsnotify_tester,process_execute,tracee-ebpf,writev,set_fs_pwd.sh \ |
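Review bot: the new set_fs_pwd.sh entry in the comm filter only matches when the test is executed as its own script (the kernel then sets comm from the executed file's basename, and at 13 characters set_fs_pwd.sh fits within the 15-character comm limit); if the test is ever started as "bash set_fs_pwd.sh" or sourced into another shell, comm will be "bash" and the cd-triggered events will be silently dropped by this filter. Consider a one-line comment in the test script stating that it must be invoked directly so that this requirement is not lost.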
why do we need to put the script name in the comm filter?
The cd command which is used to trigger the event is a built-in bash command and not a new executable, so it runs from the script's process
Yes, but we can't get the script name set_fs_pwd.sh in the comm field, right?
In the comm field you will only see the executable name (e.g. bash), not the script name
1. Explain what the PR does
Added set_fs_pwd event which captures all changes to the current working directory. Closes #4001
2. Explain how to test it
Run tracee with --events set_fs_pwd, generate an event by performing any directory change (e.g. using cd).
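As an added example (not tracee's own code; the helper names, the small comm= scope parser and the version-gating logic are my own assumptions about how such a test could be written), the following Go program models two points from this PR: the comm value that a --scope comm=... filter is matched against, which is why set_fs_pwd.sh has to appear in the test's filter when the event is triggered by the bash builtin cd, and the kernel-version gate from the review comment above, under which unresolved_path is only required to be non-empty when bpf_probe_read_user_str (kernel 5.5 and later) exists.

```go
package main

import (
	"fmt"
	"path"
	"strconv"
	"strings"
)

// taskCommLen mirrors the kernel's TASK_COMM_LEN: comm holds at most 15 bytes
// plus a NUL terminator.
const taskCommLen = 16

// commFromExecPath models what the kernel stores in task->comm after execve:
// the basename of the executed path, truncated to taskCommLen-1 bytes. Running
// ./set_fs_pwd.sh directly therefore yields comm "set_fs_pwd.sh", while
// "bash set_fs_pwd.sh" yields comm "bash"; a builtin such as cd never execs,
// so the script's comm is what the set_fs_pwd event carries.
func commFromExecPath(execPath string) string {
	base := path.Base(execPath)
	if len(base) > taskCommLen-1 {
		base = base[:taskCommLen-1]
	}
	return base
}

// parseCommScope parses the value of a "--scope comm=a,b,c" argument into a
// set. Hypothetical helper for illustration, not tracee's own flag parser.
func parseCommScope(arg string) (map[string]bool, error) {
	const prefix = "comm="
	if !strings.HasPrefix(arg, prefix) {
		return nil, fmt.Errorf("not a comm scope: %q", arg)
	}
	set := make(map[string]bool)
	for _, c := range strings.Split(strings.TrimPrefix(arg, prefix), ",") {
		if c == "" {
			continue
		}
		set[c] = true
	}
	return set, nil
}

// commMatches reports whether an event carrying the given comm passes the scope filter.
func commMatches(scope map[string]bool, comm string) bool {
	return scope[comm]
}

// kernelVersion holds the major/minor parts of a `uname -r` string.
type kernelVersion struct {
	Major, Minor int
}

// parseKernelRelease extracts major.minor from strings such as
// "5.4.0-150-generic" or "6.1.0-rc3"; everything after the minor number is ignored.
func parseKernelRelease(release string) (kernelVersion, error) {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return kernelVersion{}, fmt.Errorf("unexpected release format: %q", release)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return kernelVersion{}, fmt.Errorf("bad major in %q: %w", release, err)
	}
	// keep only the leading digits of the minor field (e.g. "4" from "4-rc1")
	end := strings.IndexFunc(parts[1], func(r rune) bool { return r < '0' || r > '9' })
	if end == -1 {
		end = len(parts[1])
	}
	minor, err := strconv.Atoi(parts[1][:end])
	if err != nil {
		return kernelVersion{}, fmt.Errorf("bad minor in %q: %w", release, err)
	}
	return kernelVersion{Major: major, Minor: minor}, nil
}

// hasProbeReadUserStr reports whether bpf_probe_read_user_str is expected to
// exist: the helper was introduced in kernel 5.5.
func hasProbeReadUserStr(v kernelVersion) bool {
	return v.Major > 5 || (v.Major == 5 && v.Minor >= 5)
}

// checkSetFsPwdEvent applies the test expectation described in the PR: with the
// helper present, unresolved_path (read from user space) must be non-empty; on
// older kernels an empty value is accepted because the read may not work.
func checkSetFsPwdEvent(release, unresolvedPath string) error {
	v, err := parseKernelRelease(release)
	if err != nil {
		return err
	}
	if hasProbeReadUserStr(v) && unresolvedPath == "" {
		return fmt.Errorf("kernel %d.%d has bpf_probe_read_user_str but unresolved_path is empty", v.Major, v.Minor)
	}
	return nil
}

func main() {
	// constructed sample inputs
	scope, _ := parseCommScope("comm=echo,mv,ls,tracee,set_fs_pwd.sh")
	for _, p := range []string{"/usr/bin/bash", "/tmp/set_fs_pwd.sh"} {
		c := commFromExecPath(p)
		fmt.Printf("exec %s -> comm %q, passes filter: %v\n", p, c, commMatches(scope, c))
	}
	for _, rel := range []string{"5.4.0-150-generic", "5.5.0"} {
		fmt.Printf("kernel %s, empty unresolved_path accepted: %v\n", rel, checkSetFsPwdEvent(rel, "") == nil)
	}
}
```

The two halves are independent: commFromExecPath and parseCommScope explain the filter change in the test harness diff, and checkSetFsPwdEvent encodes the 5.5 cut-off so a test can decide per kernel whether an empty unresolved_path is a failure or an expected limitation.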