`ExecveInfo.binary_sha256` not populated despite `binary_info` field set for `sentry/execve` #11466

irfansharif · 2025-02-11T22:08:48Z

Description

Looking at this code block here, it doesn't seem like binary_sha256 of the binary in question is being computed, even if the binary_info optional field is set:

gvisor/pkg/sentry/kernel/task_exec.go

Lines 312 to 343 in d949e71

    
           func getExecveSeccheckInfo(t *Task, argv, env []string, executable *vfs.FileDescription, pathname string) (seccheck.FieldSet, *pb.ExecveInfo) { 
        
           	fields := seccheck.Global.GetFieldSet(seccheck.PointExecve) 
        
           	info := &pb.ExecveInfo{ 
        
           		Argv: argv, 
        
           		Env:  env, 
        
           	} 
        
           	if executable != nil { 
        
           		info.BinaryPath = pathname 
        
           		if fields.Local.Contains(seccheck.FieldSentryExecveBinaryInfo) { 
        
           			statOpts := vfs.StatOptions{ 
        
           				Mask: linux.STATX_TYPE | linux.STATX_MODE | linux.STATX_UID | linux.STATX_GID, 
        
           			} 
        
           			if stat, err := executable.Stat(t, statOpts); err == nil { 
        
           				if stat.Mask&(linux.STATX_TYPE|linux.STATX_MODE) == (linux.STATX_TYPE | linux.STATX_MODE) { 
        
           					info.BinaryMode = uint32(stat.Mode) 
        
           				} 
        
           				if stat.Mask&linux.STATX_UID != 0 { 
        
           					info.BinaryUid = stat.UID 
        
           				} 
        
           				if stat.Mask&linux.STATX_GID != 0 { 
        
           					info.BinaryGid = stat.GID 
        
           				} 
        
           			} 
        
           		} 
        
           	} 
        
           	if !fields.Context.Empty() { 
        
           		info.ContextData = &pb.ContextData{} 
        
           		LoadSeccheckData(t, fields.Context, info.ContextData) 
        
           	} 
        
           	return fields, info 
        
           }

We were hoping to make use of it for threat detection.

Steps to reproduce

This was the /etc/falco/pod-init.json we were trying.

{
  "trace_session": {
    ...
    "points": [
      ...
      {
        "context_fields": [
          "cwd",
          "credentials",
          "container_id",
          "thread_id",
          "task_start_time",
          "time",
        ],
        "optional_fields": [
          "binary_info"
        ],
        "name": "sentry/execve"
      }
    ],
  }
}

runsc version

runsc version release-20250203.0
spec: 1.1.0-rc.1

docker version (if using docker)

uname

Linux ip-10-1-5-221.ec2.internal 5.15.0-302.167.6.1.el9uek.x86_64 #2 SMP Thu Nov 21 21:48:29 PST 2024 x86_64 x86_64 x86_64 GNU/Linux

kubectl (if using Kubernetes)

repo state (if built from source)

No response

runsc debug logs (if available)

The text was updated successfully, but these errors were encountered:

fvoznika · 2025-02-12T19:35:28Z

Good finding! That slipped through the cracks and it's not getting populated. A contribution to add this field would be appreciated, otherwise, I'll try to find some time to add it.

Fixes #11466 PiperOrigin-RevId: 733027762

8000

irfansharif added the type: bug Something isn't working label Feb 11, 2025

fvoznika added status: help wanted Extra attention is needed good first issue Good for newcomers labels Feb 12, 2025

copybara-service bot pushed a commit that referenced this issue Mar 3, 2025

Add missing binary_sha256 field

4ad116c

Fixes #11466 PiperOrigin-RevId: 733027762

copybara-service bot mentioned this issue Mar 3, 2025

Add missing binary_sha256 field #11507

Merged

copybara-service bot pushed a commit that referenced this issue Mar 5, 2025

Add missing binary_sha256 field

40969b9

Fixes #11466 PiperOrigin-RevId: 733027762

copybara-service bot pushed a commit that referenced this issue Mar 6, 2025

Add missing binary_sha256 field

3fd14bf

Fixes #11466 PiperOrigin-RevId: 733027762

copybara-service bot closed this as completed in c041d9b Mar 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

`ExecveInfo.binary_sha256` not populated despite `binary_info` field set for `sentry/execve` #11466

`ExecveInfo.binary_sha256` not populated despite `binary_info` field set for `sentry/execve` #11466

Uh oh!

ExecveInfo.binary_sha256 not populated despite binary_info field set for sentry/execve #11466

ExecveInfo.binary_sha256 not populated despite binary_info field set for sentry/execve #11466

Comments

Description

Steps to reproduce

runsc version

docker version (if using docker)

uname

kubectl (if using Kubernetes)

repo state (if built from source)

runsc debug logs (if available)

Uh oh!

`ExecveInfo.binary_sha256` not populated despite `binary_info` field set for `sentry/execve` #11466

`ExecveInfo.binary_sha256` not populated despite `binary_info` field set for `sentry/execve` #11466