feat!: make enter events related to TOCTOU mitigation "scap converter"-managed #2649
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add `C_ACTION_STORE_AND_SKIP` converter action to indicate that a copy of the event should be stored in the scap converter's internal event storage and, at the same time, that another copy of the event should proceed to the upper layers. As stated in the code, the current implementation is identical to the `C_ACTION_STORE` one. However, in the future, `C_ACTION_STORE` will return something to indicate that the event should be dropped, while `C_ACTION_STORE_AND_SKIP` will return `CONVERSION_SKIP` (or whatever is the name we choose to indicate that the event should proceed... Maybe we can reuse `CONVERSION_COMPLETE`). Update the implementation once we are ready to change the `C_ACTION_STORE` logic. Signed-off-by: Leonardo Di Giovanna <[email protected]>
Use the scap converter action `C_ACTION_STORE_AND_SKIP` to state the intention to store events with type `PPME_SOCKET_CONNECT_E` and 2 parameters in the scap converter's internal event storage and, at the same time, send an event copy to the upper layers. This is a refactor and not a feature because, currently, `C_ACTION_STORE_AND_SKIP` implementation is equivalent to `C_ACTION_STORE`. Signed-off-by: Leonardo Di Giovanna <[email protected]>
BREAKING CHANGE: `PPME_SYSCALL_OPEN_{E,X}` evts with old layouts not
delivered anymore to sinsp
Signed-off-by: Leonardo Di Giovanna <[email protected]>
BREAKING CHANGE: `PPME_SYSCALL_CREAT_{E,X}` evts with old layouts not
delivered anymore to sinsp
Signed-off-by: Leonardo Di Giovanna <[email protected]>
BREAKING CHANGE: `PPME_SYSCALL_OPENAT2_{E,X}` evts with old layouts
not delivered anymore to sinsp
Signed-off-by: Leonardo Di Giovanna <[email protected]>
BREAKING CHANGE: `PPME_SYSCALL_OPENAT_2_{E,X}` evts with old layouts
not delivered anymore to sinsp
Signed-off-by: Leonardo Di Giovanna <[email protected]>
poiana
added
the
kind/test
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ekoops The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
poiana
added
kind/feature
|
Please double check driver/SCHEMA_VERSION file. See versioning. /hold |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2649 +/- ##
=======================================
Coverage 78.19% 78.19%
=======================================
Files 292 292
Lines 31793 31789 -4
Branches 4662 4655 -7
=======================================
- Hits 24860 24857 -3
+ Misses 6933 6932 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
leogr
approved these changes
Sep 26, 2025
Contributor
Author
|
/hold cancel |
irozzo-1A
reviewed
Sep 26, 2025
89 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind design
/kind test
/kind feature
Any specific area of the project related to this PR?
/area libscap-engine-savefile
/area libsinsp
/area tests
Does this PR require a change in the driver versions?
What this PR does / why we need it:
This PR makes enter events related to TOCTOU mitigation managed by the scap converter. All old event versions are converter to their new corresponding versions, and the sinsp code is updated to support the new possibly-empty parameters.
Moreover, this PR adds the new scap converter action
C_ACTION_STORE_AND_SKIP. This new action code allows to state the intention that a copy of the event should be stored in the scap converter's internal event storage and, at the same time, that another copy of the event should proceed to the upper layers.As stated in the code, the current implementation of
C_ACTION_STORE_AND_SKIPis identical to theC_ACTION_STOREone. However, in the future,C_ACTION_STOREwill return something to indicate that the event should be dropped, whileC_ACTION_STORE_AND_SKIPwill returnCONVERSION_SKIP(or whatever is the name we choose to indicate that the event should proceed... Maybe we can reuseCONVERSION_COMPLETE).Finally, this PR adds some scap converter tests for the new scap converter table entries.
Notice that
PPME_SOCKET_CONNECT_Ewas already flagged asEF_TMP_CONVERTER_MANAGED: for this event type, the PR just update the scap converter table's entry for the latest version (the one with two parameters) to use the new action codeC_ACTION_STORE_AND_SKIP.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Not bumping the driver schema version is currently a practice we are following as we will bump it in a single shot once we are done with the #2068 proposal.
/milestone 0.22.0
Does this PR introduce a user-facing change?: