Regression in `proc.aname` list comparison in libs > 0.17.x #2018

LucaGuerra · 2024-08-26T10:16:55Z

Describe the bug

From: https://falco.org/docs/reference/rules/supported-fields/

The proc.name (truncated after 16 characters) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aname[1] retrieves the proc.name of the parent process, proc.aname[2] retrieves the proc.name of the grandparent process, and so on. The current process's proc.name line can be obtained using proc.aname[0]. When used without any arguments, proc.aname is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.aname=bash to match any process ancestor whose name is bash.

This is no longer working and aname only matches the current process name. Falco 0.38.x appears to be unaffected but I can reproduce the issue on the latest libs.

How to reproduce it

TEST_F(sinsp_with_test_input, contains_aname)
{
	DEFAULT_TREE

	/* Now we call an execve on p6_t1 */
	auto evt = generate_execve_enter_and_exit_event(0, p6_t1_tid, p6_t1_tid, p6_t1_pid, p6_t1_ptid, "/good-exe", "good-exe", "/good-exe");

	printf("proc.aname[0]=%s, proc.aname[1]=%s, proc.aname[2]=%s, proc.aname[3]=%s, proc.aname[4]=%s, proc.aname[5]=%s\n", 
		get_field_as_string(evt, "proc.aname[0]").c_str(),
		get_field_as_string(evt, "proc.aname[1]").c_str(),
		get_field_as_string(evt, "proc.aname[2]").c_str(),
		get_field_as_string(evt, "proc.aname[3]").c_str(),
		get_field_as_string(evt, "proc.aname[4]").c_str(),
		get_field_as_string(evt, "proc.aname[5]").c_str());

	EXPECT_TRUE(eval_filter(evt, "proc.aname in (init)")); // fail
	EXPECT_TRUE(eval_filter(evt, "proc.aname in (bash)")); // fail
	EXPECT_TRUE(eval_filter(evt, "proc.aname in (good-exe, init)")); // fail
	EXPECT_TRUE(eval_filter(evt, "proc.aname = bash")); // ok
	EXPECT_TRUE(eval_filter(evt, "proc.aname = init")); // ok

	EXPECT_FALSE(eval_filter(evt, "proc.aname in (good-exe)")); // ok -- docs unclear but I think it's right
	EXPECT_FALSE(eval_filter(evt, "proc.aname = good-exe")); // ok -- docs unclear but I think it's right
	EXPECT_FALSE(eval_filter(evt, "proc.aname in (bad-exe)")); // ok
}

Expected behaviour

All tests above passing

Screenshots

Environment

Falco version: libs master 9d76298

Additional context

Found from Falco test failure: falcosecurity/falco#3283

The text was updated successfully, but these errors were encountered:

LucaGuerra · 2024-08-26T10:17:45Z

/milestone 0.18.0

FedeDP · 2024-08-26T11:16:20Z

Thanks for tracking and the providing the test!

LucaGuerra added the kind/bug Something isn't working label Aug 26, 2024

poiana added this to the 0.18.0 milestone Aug 26, 2024

LucaGuerra mentioned this issue Aug 26, 2024

update(cmake): bump libs and driver to latest master falcosecurity/falco#3283

Merged

FedeDP mentioned this issue Aug 26, 2024

fix(userspace/libsinsp): fixed CO_IN filter crafted value. #2019

Merged

poiana closed this as completed in #2019 Aug 26, 2024

LucaGuerra changed the title ~~Regression in proc.aname comparison in libs > 0.17.x~~ Regression in proc.aname list comparison in libs > 0.17.x Aug 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Regression in `proc.aname` list comparison in libs > 0.17.x #2018

Regression in `proc.aname` list comparison in libs > 0.17.x #2018

LucaGuerra commented Aug 26, 2024 •

edited

Loading

LucaGuerra commented Aug 26, 2024

FedeDP commented Aug 26, 2024

Regression in proc.aname list comparison in libs > 0.17.x #2018

Regression in proc.aname list comparison in libs > 0.17.x #2018

Comments

LucaGuerra commented Aug 26, 2024 • edited Loading

LucaGuerra commented Aug 26, 2024

FedeDP commented Aug 26, 2024

Regression in `proc.aname` list comparison in libs > 0.17.x #2018

Regression in `proc.aname` list comparison in libs > 0.17.x #2018

LucaGuerra commented Aug 26, 2024 •

edited

Loading