[CWS] ebpfless handle retval

DataDog · Dec 18, 2023 · 94edb50 · 94edb50
1 parent a87ec42
commit 94edb50
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/pkg/security/probe/probe_epbfless.go b/pkg/security/probe/probe_epbfless.go
@@ -96,6 +96,7 @@ func (p *EBPFLessProbe) handleClientMsg(msg *clientMsg) {
 		p.Resolvers.ProcessResolver.AddForkEntry(process.CacheResolverKey{Pid: syscallMsg.PID, NSID: syscallMsg.NSID}, syscallMsg.Fork.PPID)
 	case ebpfless.SyscallTypeOpen:
 		event.Type = uint32(model.FileOpenEventType)
+		event.Open.Retval = syscallMsg.Retval
 		event.Open.File.PathnameStr = syscallMsg.Open.Filename
 		event.Open.File.BasenameStr = filepath.Base(syscallMsg.Open.Filename)
 		event.Open.Flags = syscallMsg.Open.Flags

diff --git a/pkg/security/proto/ebpfless/msg.go b/pkg/security/proto/ebpfless/msg.go
@@ -103,6 +103,7 @@ type SyscallMsg struct {
 	NSID             uint64
 	Type             SyscallType
 	PID              uint32
+	Retval           int64
 	ContainerContext *ContainerContext
 	Exec             *ExecSyscallMsg
 	Open             *OpenSyscallMsg

diff --git a/pkg/security/ptracer/cws.go b/pkg/security/ptracer/cws.go
@@ -402,6 +402,10 @@ func checkEntryPoint(path string) (string, error) {
 	return name, nil
 }
 
+func isAcceptedRetval(retval int64) bool {
+	return retval < 0 && retval != -int64(syscall.EACCES) && retval != -int64(syscall.EPERM)
+}
+
 // StartCWSPtracer start the ptracer
 func StartCWSPtracer(args []string, probeAddr string, creds Creds, verbose bool) error {
 	entry, err := checkEntryPoint(args[0])
@@ -632,11 +636,12 @@ func StartCWSPtracer(args []string, probeAddr string, creds Creds, verbose bool)
 			case ExecveNr, ExecveatNr:
 				send(process.Nr[nr])
 			case OpenNr, OpenatNr:
-				if ret := tracer.ReadRet(regs); ret >= 0 {
+				if ret := tracer.ReadRet(regs); !isAcceptedRetval(ret) {
 					msg, exists := process.Nr[nr]
 					if !exists {
 						return
 					}
+					msg.Retval = ret
 
 					send(msg)