@OriGlassman I wasn't able to reproduce it by doing the following - if you have a reproducer, please share with us.
Tracee
sudo ./dist/tracee -s comm=nc -e accept4
accept4 with AF_UNIX trigger
I've used accept4 since it makes use of save_sockaddr_to_buf. It is worth mentioning that save_sockaddr_to_buf calls get_unix_sock_addr, which already takes care of the struct sockaddr_un size. It's compiling and running without errors in all matrix supported kernels.
nc -Ul /tmp/sock
nc -U /tmp/sock
Perhaps the workaround mentioned in the issue above and in #1129 isn't required any more for the supported kernels (and llvm version used).
Results
aarch64
uname -a
Linux ip-172-31-22-65 5.13.0-52-generic #59~20.04.1-Ubuntu SMP Fri Jun 17 21:11:05 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
sudo ./dist/tracee -s comm=nc -e accept4
TIME UID COMM PID TID RET EVENT ARGS
13:26:39:049537 1000 nc 8290 8290 4 accept4 sockfd: 3, addr: map[sa_family:AF_UNIX sun_path:], addrlen: 0xffffc74a40e4, flags: 2048
strace nc -Ul /tmp/sock
accept4(3, {sa_family=AF_UNIX}, [128->2], SOCK_NONBLOCK) = 4
x86_64
uname -a
Linux ip-172-31-12-137 5.13.0-52-generic #59~20.04.1-Ubuntu SMP Thu Jun 16 21:21:28 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
sudo ./dist/tracee -s comm=nc -e accept4
TIME UID COMM PID TID RET EVENT ARGS
13:36:31:719160 1000 nc 7406 7406 4 accept4 sockfd: 3, addr: map[sa_family:AF_UNIX sun_path:td], addrlen: 0x7ffdd0676364, flags: 2048
strace nc -Ul /tmp/sock
accept4(3, {sa_family=AF_UNIX}, [128->2], SOCK_NONBLOCK) = 4
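Decoding a `sockaddr_un` by its returned length, as an added example that is not part of the original comment and is not Tracee's code: both strace lines above report `[128->2]`, a returned length equal to `sizeof(sa_family_t)`, which unix(7) defines as an unnamed socket with no valid `sun_path` bytes. `decode_unix_addr` and the enum names are hypothetical.

```c
/* Added example (not Tracee code): decode a sockaddr_un bounded by the
 * length the kernel returned. Helper and enum names are hypothetical. */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

enum unix_addr_kind { UNIX_INVALID, UNIX_UNNAMED, UNIX_PATHNAME, UNIX_ABSTRACT };

/* Writes the NUL-terminated name to out and returns the kind per unix(7).
 * Bytes of buf past len are never read. */
enum unix_addr_kind decode_unix_addr(const void *buf, socklen_t len,
                                     char *out, size_t outsz)
{
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);
    struct sockaddr_un sa;
    const char *nul;
    size_t n;

    if (outsz == 0) return UNIX_INVALID;
    out[0] = '\0';
    if (len < sizeof(sa_family_t) || len > sizeof(sa)) return UNIX_INVALID;
    memset(&sa, 0, sizeof(sa));
    memcpy(&sa, buf, len);               /* copy only the valid bytes */
    if (sa.sun_family != AF_UNIX) return UNIX_INVALID;
    if (len <= hdr) return UNIX_UNNAMED; /* family only, no name */

    n = len - hdr;                       /* valid bytes of sun_path */
    if (sa.sun_path[0] == '\0') {        /* abstract: name follows the NUL */
        n -= 1;
        if (n >= outsz) n = outsz - 1;
        memcpy(out, sa.sun_path + 1, n);
        out[n] = '\0';
        return UNIX_ABSTRACT;
    }
    nul = memchr(sa.sun_path, '\0', n);  /* pathname may lack a NUL */
    if (nul) n = (size_t)(nul - sa.sun_path);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, sa.sun_path, n);
    out[n] = '\0';
    return UNIX_PATHNAME;
}
```

With a returned length of 2 the decoder reports an unnamed socket and an empty name regardless of what the rest of the buffer contains.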
Description
Seems the helper 'save_sockaddr_to_buf' doesn't include this code fix, which results in af_unix becoming af_unspec:
Output of tracee version:
Output of uname -a:
Additional details