falcosecurity · poiana · Jul 10, 2025 · Jul 7, 2025
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-3.64.0
+3.65.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -1436,57 +1436,60 @@ FILLER(sys_connect_x, true) {
 	int res = bpf_push_s64_to_ring(data, retval);
 	CHECK_RES(res);
 
+	/* Get socket file descriptor, sockaddr pointer and length. */
 	int64_t fd = (int64_t)(int32_t)bpf_syscall_get_argument(data, 0);
-
-	if(retval != 0 && retval != -EINPROGRESS) {
-		/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
-		res = bpf_push_empty_param(data);
-		CHECK_RES(res);
-
-		/* Parameter 3: fd (type: PT_FD) */
-		return bpf_push_s64_to_ring(data, fd);
-	}
-
-	/* Get the sockaddr pointer and length. */
 	struct sockaddr __user *usrsockaddr =
 	        (struct sockaddr __user *)bpf_syscall_get_argument(data, 1);
 	unsigned long usrsockaddr_len = bpf_syscall_get_argument(data, 2);
 
-	/* Evaluate socktuple, leveraging the user-provided sockaddr if possible */
+	/* Copy the user-provided sockaddr into kernel memory, if possible. */
 	struct sockaddr *ksockaddr = (struct sockaddr *)data->tmp_scratch;
-	bool use_sockaddr_user_data = false;
+	bool can_use_sockaddr_data = false;
 	bool push_socktuple = true;
 	if(usrsockaddr != NULL && usrsockaddr_len != 0) {
-		/* Copy the address into kernel memory. */
 		res = bpf_addr_to_kernel(usrsockaddr, usrsockaddr_len, ksockaddr);
 		if(likely(res >= 0)) {
-			/* Convert the fd into socket endpoint information. */
-			use_sockaddr_user_data = true;
+			can_use_sockaddr_data = true;
 		} else {
-			/* Do not send any socket endpoint information. */
 			push_socktuple = false;
 		}
 	}
 
-	uint32_t tuple_size = 0;
-	if(push_socktuple) {
-		/* Convert the fd into socket endpoint information */
-		tuple_size = bpf_fd_to_socktuple(data,
-		                                 fd,
-		                                 ksockaddr,
-		                                 usrsockaddr_len,
-		                                 use_sockaddr_user_data,
-		                                 false,
-		                                 data->tmp_scratch + sizeof(struct sockaddr_storage));
-	}
-
 	/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
-	data->curarg_already_on_frame = true;
-	res = bpf_val_to_ring_len(data, 0, tuple_size);
+	if(retval != 0 && retval != -EINPROGRESS) {
+		res = bpf_push_empty_param(data);
+	} else {
+		uint32_t tuple_size = 0;
+		if(push_socktuple) {
+			/* Use the file descriptor (and possibly the sockaddr) to obtain the socket tuple.
+			 * The socket tuple is stored into the provided temp area. */
+			tuple_size = bpf_fd_to_socktuple(data,
+			                                 fd,
+			                                 ksockaddr,
+			                                 usrsockaddr_len,
+			                                 can_use_sockaddr_data,
+			                                 false,
+			                                 data->tmp_scratch + sizeof(struct sockaddr_storage));
+		}
+
+		data->curarg_already_on_frame = true;
+		res = bpf_val_to_ring_len(data, 0, tuple_size);
+	}
 	CHECK_RES(res);
 
 	/* Parameter 3: fd (type: PT_FD) */
-	return bpf_push_s64_to_ring(data, fd);
+	res = bpf_push_s64_to_ring(data, fd);
+	CHECK_RES(res);
+
+	long addr_size = 0;
+	if(can_use_sockaddr_data) {
+		/* Convert the fd into socket endpoint information. */
+		addr_size = bpf_pack_addr(data, ksockaddr, usrsockaddr_len);
+	}
+
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	data->curarg_already_on_frame = true;
+	return bpf_val_to_ring_len(data, 0, addr_size);
 }
 
 FILLER(sys_socketpair_x, true) {

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -184,16 +184,17 @@ const struct ppm_event_info g_event_info[] = {
                                  {"fd", PT_FD, PF_DEC}}},
         [PPME_SOCKET_CONNECT_E] = {"connect",
                                    EC_NET | EC_SYSCALL,
-                                   EF_USES_FD | EF_MODIFIES_STATE,
+                                   EF_USES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
                                    2,
                                    {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA}}},
         [PPME_SOCKET_CONNECT_X] = {"connect",
                                    EC_NET | EC_SYSCALL,
-                                   EF_USES_FD | EF_MODIFIES_STATE,
-                                   3,
+                                   EF_USES_FD | EF_MODIFIES_STATE | EF_TMP_CONVERTER_MANAGED,
+                                   4,
                                    {{"res", PT_ERRNO, PF_DEC},
                                     {"tuple", PT_SOCKTUPLE, PF_NA},
-                                    {"fd", PT_FD, PF_DEC}}},
+                                    {"fd", PT_FD, PF_DEC},
+                                    {"addr", PT_SOCKADDR, PF_NA}}},
         [PPME_SOCKET_LISTEN_E] = {"listen",
                                   EC_NET | EC_SYSCALL,
                                   EF_USES_FD | EF_TMP_CONVERTER_MANAGED,

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/connect.bpf.c
@@ -29,9 +29,9 @@ int BPF_PROG(connect_e, struct pt_regs *regs, long id) {
 	auxmap__store_s64_param(auxmap, socket_fd);
 
 	/* Parameter 2: addr (type: PT_SOCKADDR) */
-	unsigned long sockaddr_ptr = args[1];
-	uint16_t addrlen = (uint16_t)args[2];
-	auxmap__store_sockaddr_param(auxmap, sockaddr_ptr, addrlen);
+	unsigned long usrsockaddr = args[1];
+	uint16_t usrsockaddr_len = (uint16_t)args[2];
+	auxmap__store_sockaddr_param(auxmap, usrsockaddr, usrsockaddr_len);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -57,16 +57,17 @@ int BPF_PROG(connect_x, struct pt_regs *regs, long ret) {
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
-	unsigned long args[2] = {0};
-	extract__network_args(args, 2, regs);
+	unsigned long args[3] = {0};
+	extract__network_args(args, 3, regs);
 	int64_t socket_fd = (int64_t)(int32_t)args[0];
 
 	/* Parameter 1: res (type: PT_ERRNO) */
 	auxmap__store_s64_param(auxmap, ret);
 
+	struct sockaddr *usrsockaddr = (struct sockaddr *)args[1];
+
 	/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
 	if(ret == 0 || ret == -EINPROGRESS) {
-		struct sockaddr *usrsockaddr = (struct sockaddr *)args[1];
 		/* Notice: the following will push an empty parameter if
 		 * something goes wrong (e.g.: fd not valid). */
 		auxmap__store_socktuple_param(auxmap, (int32_t)socket_fd, OUTBOUND, usrsockaddr);
@@ -77,6 +78,10 @@ int BPF_PROG(connect_x, struct pt_regs *regs, long ret) {
 	/* Parameter 3: fd (type: PT_FD) */
 	auxmap__store_s64_param(auxmap, socket_fd);
 
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	uint16_t usrsockaddr_len = (uint16_t)args[2];
+	auxmap__store_sockaddr_param(auxmap, (unsigned long)usrsockaddr, usrsockaddr_len);
+
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	auxmap__finalize_event_header(auxmap);

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -1726,10 +1726,13 @@ int f_sys_connect_e(struct event_filler_arguments *args) {
 
 	if(usrsockaddr != NULL && usrsockaddr_len != 0) {
 		/* Copy the address into kernel memory. */
-		res = addr_to_kernel(usrsockaddr, val, (struct sockaddr *)&address);
+		res = addr_to_kernel(usrsockaddr, usrsockaddr_len, (struct sockaddr *)&address);
 		if(likely(res >= 0)) {
 			/* Convert the fd into socket endpoint information. */
-			addr_size = pack_addr((struct sockaddr *)&address, val, targetbuf, STR_STORAGE_SIZE);
+			addr_size = pack_addr((struct sockaddr *)&address,
+			                      usrsockaddr_len,
+			                      targetbuf,
+			                      STR_STORAGE_SIZE);
 		}
 	}
 
@@ -1750,63 +1753,63 @@ int f_sys_connect_x(struct event_filler_arguments *args) {
 	struct sockaddr_storage address;
 	struct sockaddr *ksockaddr = NULL;
 	unsigned long sockaddr_len = 0;
-	bool use_sockaddr = false;
+	bool can_use_sockaddr_data = false;
 	char *targetbuf = args->str_storage;
-	uint16_t tuple_size = 0;
+	uint16_t tuple_size = 0, addr_size = 0;
 
 	/* Parameter 1: res (type: PT_ERRNO) */
 	retval = (int64_t)syscall_get_return_value(current, args->regs);
 	res = val_to_ring(args, retval, 0, false, 0);
+	CHECK_RES(res);
 
+	/* Get socket file descriptor, sockaddr pointer and length. */
 	syscall_get_arguments_deprecated(args, 0, 1, &val);
 	fd = (int64_t)(int32_t)val;
-
-	if(retval != 0 && retval != -EINPROGRESS) {
-		/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
-		res = push_empty_param(args);
-		CHECK_RES(res);
-
-		/* Parameter 3: fd (type: PT_FD) */
-		res = val_to_ring(args, fd, 0, false, 0);
-		CHECK_RES(res);
-
-		return add_sentinel(args);
-	}
-
-	/* Get the address */
 	syscall_get_arguments_deprecated(args, 1, 1, &val);
 	usrsockaddr = (struct sockaddr __user *)val;
-
-	/* Get the address len */
 	syscall_get_arguments_deprecated(args, 2, 1, &usrsockaddr_len);
 
+	/* Copy the user-provided sockaddr into kernel memory, if possible. */
 	if(usrsockaddr != NULL && usrsockaddr_len != 0) {
-		/* Copy the address into kernel memory */
 		res = addr_to_kernel(usrsockaddr, usrsockaddr_len, (struct sockaddr *)&address);
 		if(likely(res >= 0)) {
 			ksockaddr = (struct sockaddr *)&address;
 			sockaddr_len = usrsockaddr_len;
-			use_sockaddr = true;
+			can_use_sockaddr_data = true;
 		}
 	}
 
-	/* Convert the fd into socket endpoint information */
-	tuple_size = fd_to_socktuple((int)fd,
-	                             ksockaddr,
-	                             sockaddr_len,
-	                             use_sockaddr,
-	                             false,
-	                             targetbuf,
-	                             STR_STORAGE_SIZE);
-
 	/* Parameter 2: tuple (type: PT_SOCKTUPLE) */
-	res = val_to_ring(args, (uint64_t)(unsigned long)targetbuf, tuple_size, false, 0);
+	if(retval != 0 && retval != -EINPROGRESS) {
+		res = push_empty_param(args);
+	} else {
+		/* Use the file descriptor (and possibly the sockaddr) to obtain the socket tuple.
+		 * The socket tuple is stored into the provided target buffer. */
+		tuple_size = fd_to_socktuple((int)fd,
+		                             ksockaddr,
+		                             sockaddr_len,
+		                             can_use_sockaddr_data,
+		                             false,
+		                             targetbuf,
+		                             STR_STORAGE_SIZE);
+
+		res = val_to_ring(args, (uint64_t)(unsigned long)targetbuf, tuple_size, false, 0);
+	}
 	CHECK_RES(res);
 
 	/* Parameter 3: fd (type: PT_FD) */
 	res = val_to_ring(args, fd, 0, false, 0);
 	CHECK_RES(res);
 
+	if(can_use_sockaddr_data) {
+		/* Encode the address and store it into the target buffer. */
+		addr_size = pack_addr(ksockaddr, sockaddr_len, targetbuf, STR_STORAGE_SIZE);
+	}
+
+	/* Parameter 2: addr (type: PT_SOCKADDR) */
+	res = val_to_ring(args, (uint64_t)targetbuf, addr_size, false, 0);
+	CHECK_RES(res);
+
 	return add_sentinel(args);
 }
 

diff --git a/test/drivers/test_suites/syscall_exit_suite/connect_x.cpp b/test/drivers/test_suites/syscall_exit_suite/connect_x.cpp
@@ -74,9 +74,12 @@ TEST(SyscallExit, connectX_INET) {
 	/* Parameter 3: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(3, (int64_t)client_socket_fd);
 
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	evt_test->assert_addr_info_inet_param(4, PPM_AF_INET, IPV4_SERVER, IPV4_PORT_SERVER_STRING);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(3);
+	evt_test->assert_num_params_pushed(4);
 }
 
 TEST(SyscallExit, connectX_INET6) {
@@ -146,9 +149,12 @@ TEST(SyscallExit, connectX_INET6) {
 	/* Parameter 3: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(3, (int64_t)client_socket_fd);
 
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	evt_test->assert_addr_info_inet6_param(4, PPM_AF_INET6, IPV6_SERVER, IPV6_PORT_SERVER_STRING);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(3);
+	evt_test->assert_num_params_pushed(4);
 }
 
 #ifdef __NR_unlinkat
@@ -235,9 +241,12 @@ TEST(SyscallExit, connectX_UNIX) {
 	/* Parameter 3: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(3, (int64_t)client_socket_fd);
 
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	evt_test->assert_addr_info_unix_param(4, PPM_AF_UNIX, server_symlink);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(3);
+	evt_test->assert_num_params_pushed(4);
 }
 #endif /* __NR_unlinkat */
 
@@ -279,9 +288,12 @@ TEST(SyscallExit, connectX_failure) {
 	/* Parameter 3: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(3, (int64_t)mock_fd);
 
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	evt_test->assert_empty_param(4);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(3);
+	evt_test->assert_num_params_pushed(4);
 }
 
 TEST(SyscallExit, connectX_failure_ECONNREFUSED) {
@@ -340,9 +352,12 @@ TEST(SyscallExit, connectX_failure_ECONNREFUSED) {
 	/* Parameter 3: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(3, (int64_t)client_socket_fd);
 
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	evt_test->assert_addr_info_inet_param(4, PPM_AF_INET, IPV4_SERVER, IPV4_PORT_SERVER_STRING);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(3);
+	evt_test->assert_num_params_pushed(4);
 }
 
 TEST(SyscallExit, connectX_failure_EINPROGRESS) {
@@ -422,8 +437,11 @@ TEST(SyscallExit, connectX_failure_EINPROGRESS) {
 	/* Parameter 3: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(3, (int64_t)client_socket_fd);
 
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	evt_test->assert_addr_info_inet_param(4, PPM_AF_INET, IPV4_SERVER, IPV4_PORT_SERVER_STRING);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(3);
+	evt_test->assert_num_params_pushed(4);
 }
 #endif
diff --git a/test/drivers/test_suites/syscall_exit_suite/socketcall_x.cpp b/test/drivers/test_suites/syscall_exit_suite/socketcall_x.cpp
@@ -220,9 +220,12 @@ TEST(SyscallExit, socketcall_connectX) {
 	/* Parameter 3: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(3, (int64_t)client_socket_fd);
 
+	/* Parameter 4: addr (type: PT_SOCKADDR) */
+	evt_test->assert_addr_info_inet_param(4, PPM_AF_INET, IPV4_SERVER, IPV4_PORT_SERVER_STRING);
+
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 
-	evt_test->assert_num_params_pushed(3);
+	evt_test->assert_num_params_pushed(4);
 }
 #endif
 

diff --git a/test/e2e/tests/test_event_generator/test_network_activity.py b/test/e2e/tests/test_event_generator/test_network_activity.py
@@ -43,7 +43,8 @@ def test_network_activity(sinsp, run_containers: dict):
         },
         {
             "container.id": generator_id,
-            "evt.args": SinspField.regex_field(fr'^res=0 tuple={ipv4_regex}->10\.2\.3\.4:8192 fd=3\(<4u>{ipv4_regex}->10\.2\.3\.4:8192\)$'),
+            "evt.args": SinspField.regex_field(
+                fr'^res=0 tuple={ipv4_regex}->10\.2\.3\.4:8192 fd=3\(<4u>{ipv4_regex}->10\.2\.3\.4:8192\) addr=10.2.3.4:8192$'),
             "evt.category": "net",
             "evt.num": SinspField.numeric_field(),
             "evt.time": SinspField.numeric_field(),