capture: fixes and tests by NDStrahilevitz · Pull Request #4016 · aquasecurity/tracee · GitHub

capture: fixes and tests #4016


Merged
merged 3 commits into from
May 7, 2024


NDStrahilevitz
Collaborator
@NDStrahilevitz NDStrahilevitz commented May 2, 2024

1. Explain what the PR does

d92f13f tests(integration): add capture tests
8ad9959 tests(inst): add vfs_writev test
bb7cd56 fix: restore io capture output

bb7cd56 fix: restore io capture output

Commit 3ddf73d changed various probe_read calls to probe_read_kernel.
However, io capture relies on reading userspace buffers, as such the
pointers being read are userspace pointers. Therefore the relevant calls
in some of these changes, affecting IO capture, were changed to
probe_read_user.

2. Explain how to test it

  1. With the new integration test
    OR
  2. Run tracee with tracee -c read=/home/ubuntu/output* -c write=/home/ubuntu/output*
  3. echo Hello > /home/ubuntu/output.txt
  4. cat /home/ubuntu/output.txt
  5. Check /tmp/tracee/out/host for the relevant files and confirm their content (both should be Hello)

3. Other comments

Resolve #4013
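
The manual check in step 5 of the test procedure can be scripted. This is an added example, not part of the PR or the tracee repository; it assumes every regular file under the capture directory should hold the string that was written, and the function name `check_capture` is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not tracee code).
# Usage after steps 2-4:  check_capture /tmp/tracee/out/host Hello
#
# check_capture DIR EXPECTED
# Prints one line per captured file and returns:
#   0  every file under DIR contains EXPECTED
#   1  at least one file is empty or has other content
#   2  DIR is missing or holds no files (nothing was captured)
check_capture() {
    dir=$1
    expected=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    total=0
    bad=0
    # A temp file list avoids a pipeline subshell, so the counters survive the loop.
    list=$(mktemp) || return 2
    find "$dir" -type f > "$list"
    while IFS= read -r f; do
        total=$((total + 1))
        if [ ! -s "$f" ]; then
            # Empty capture: the symptom named in the linked issue's title.
            echo "EMPTY    $f"
            bad=$((bad + 1))
        elif [ "$(cat "$f")" = "$expected" ]; then
            # $(...) strips the trailing newline that echo wrote.
            echo "OK       $f"
        else
            echo "MISMATCH $f"
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$total" -gt 0 ] || { echo "no capture files in $dir"; return 2; }
    [ "$bad" -eq 0 ]
}
```

A return code of 1 with `EMPTY` lines means capture files were created but no bytes were read into them; 2 means capture produced no files at all.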

Collaborator
@yanivagman yanivagman left a comment


Good catch, LGTM,
For some reason, the github actions to run tests on a new PR are not working as expected, so we can't see if the new tests work as they should.
Let's wait to see the new tests pass as expected before merging this PR.
We also need to backport it to v0.21.0

Commit 3ddf73d changed various probe_read calls to probe_read_kernel.
However, io capture relies on reading userspace buffers, as such the
pointers being read are userspace pointers. Therefore the relevant calls
in some of these changes, affecting IO capture, were changed to
probe_read_user.
Add an e2e instrumentation test for the vfs_writev event. Due to the
event being broken on some kernels, it is currently disabled (missing
in declaration in pr.yaml).
@NDStrahilevitz NDStrahilevitz force-pushed the fix_capture_output branch 2 times, most recently from 7251dd1 to d192a1e Compare May 7, 2024 08:27
@NDStrahilevitz NDStrahilevitz merged commit d89195c into aquasecurity:main May 7, 2024
Successfully merging this pull request may close these issues.

Capture IO is received empty