Skip to content

feat!: default to sched_process_exec tracepoint on all architectures #2726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
poiana merged 1 commit into from
Dec 4, 2025
Merged

feat!: default to sched_process_exec tracepoint on all architectures #2726

poiana merged 1 commit into from
Dec 4, 2025

Conversation

@ekoops
Copy link
Contributor

@ekoops ekoops commented Nov 25, 2025
edited
Loading

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

/kind sync

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

This PR (spiritual continuation of #416) is an attempt to align execve and execveat handling on all architectures:

  • it leverages sched/sched_process_exec tracepoint to generate execve exit events for both successful execve and execveat system calls
  • for failing calls instead, it uses dedicated programs/fillers to generate execve and execveat exit events.

This architectural choice is motivated by the fact that the kernel haven't consistently called the correct tracepoint for execve and execveat calls on all architectures, as well as haven't consistently identified the correct system call in the tracepoint context:

Indeed, the sched/sched_process_exec is correctly triggered on all architectures for successful calls. Moreover, failing calls correctly trigger the sys_exit tracepoint, and are correctly associated to the right syscall number.
In the past, this design was applied just for aarch64, but since it works consistently on all architectures, its application was extended.

The only issue seems to be that now we generate execve exit events for both execve and execveat, on call success: this is not a big problem because, in the previous implementation, for successful execveat calls, we were only able to generate execveat exit event on s390x. For this latter case, users will not be impacted by the new design if they rely on rule conditions matching both execve and execveat event (e.g.: ... evt.type in (execve, execveat) ...).

This patch rearranges execve and execveat driver tests, by moving tests related to successful calls in
test/drivers/test_suites/generic_tracepoints_suite/sched_process_exec.cpp, and keeping tests related to failing calls in
test/drivers/test_suites/syscall_exit_suite/execve_x.cpp and test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp.

Old tests relate to new tests in the following way:

  • execveX_success -> sched_proc_exec_execve
  • execveX_not_upperlayer -> sched_proc_exec_execve_not_upperlayer
  • execveX_upperlayer_success -> sched_proc_exec_execve_upperlayer
  • execveX_success_memfd -> sched_proc_exec_execve_memfd
  • execveX_symlink -> sched_proc_exec_execve_symlink
  • execveatX_correct_exit -> sched_proc_exec_execveat
  • execveatX_execve_exit -> sched_proc_exec_execveat
  • execveatX_execve_exit_comm_equal_to_fd -> sched_proc_exec_execveat_comm_equal_to_fd
  • execveatX_success_memfd -> sched_proc_exec_execveat_memfd

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

/milestone next-driver

Does this PR introduce a user-facing change?:

feat!: default to `sched_process_exec` tracepoint on all architectures

@github-actions
Copy link

github-actions bot commented Nov 25, 2025

Please double check driver/SCHEMA_VERSION file. See versioning.

/hold

@poiana
Copy link
Contributor

poiana commented Nov 25, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov
Copy link

codecov bot commented Nov 25, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.02%. Comparing base (e22484c) to head (5e7043b).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #2726   +/-   ##
=======================================
  Coverage   77.02%   77.02%           
=======================================
  Files         296      296           
  Lines       30818    30818           
  Branches     4670     4670           
=======================================
  Hits        23738    23738           
  Misses       7080     7080
Flag Coverage Δ
libsinsp 77.02% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ekoops ekoops mentioned this pull request Nov 25, 2025
Closed
@ekoops
Copy link
Contributor Author

ekoops commented Nov 25, 2025

False positive 👉 https://github.com/falcosecurity/libs/actions/runs/19668840295/job/56332370933?pr=2726
/remove-hold

@ekoops
feat!: default to sched_process_exec tracepoint on all architectures
5e7043b 
Leverage `sched/sched_process_exec` tracepoint to generate `execve`
exit events for both successful `execve` and `execveat` system calls.
For failing calls, use dedicated programs/fillers to generate `execve`
and `execveat` exit events.

This architectural choice is motivated by the fact that the kernel
haven't consistently called the correct tracepoint for `execve` and
`execveat` calls on all architectures, as well as haven't consistently
identified the correct system call in the tracepoint context:
- on `x86_64`, a successful `execveat` call is identified as `execve`,
  and a failing one is identified as `execveat`
- on `aarch64`, till version 5.18 (actually, the fix was back-ported
  up to 5.15:
  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=42eede3ae05bbf32cb0d87940b466ec5a76aca3f),
  neither successful `execve`s nor successful `execveat`s used to
  trigger the `sys_exit` (see
  https://www.spinics.net/lists/linux-trace/msg01001.html) tracepoint;
  only failing ones have always triggered the correct behaviour
- on `s390x`, each call correctly triggers `sys_exit` tracepoint and
  is correctly identified as `execve` and `execveat`

Indeed, the `sched/sched_process_exec` is correctly triggered on all
architectures for successful calls. Moreover, failing calls correctly
trigger the `sys_exit` tracepoint, and are correctly associated to the
right syscall number.
In the past, this design was applied just for `aarch64`, but since it
works consistently on all architectures, its application was extended.

The only issue seems to be that now we generate `execve` exit events
for both `execve` and `execveat`, on call success: this is not a big
problem because, in the previous implementation, for successful
`execveat` calls, we were only able to generate `execveat` exit event
on `s390x`. For this latter case, users will not be impacted by the
new design if they rely on rule conditions matching both `execve` and
`execveat` event (e.g.: `... evt.type in (execve, execveat) ...`).

This patch rearranges `execve` and `execveat` driver tests, by moving
tests related to successful calls in
`test/drivers/test_suites/generic_tracepoints_suite/sched_process_exec.cpp`,
and keeping tests related to failing calls in
`test/drivers/test_suites/syscall_exit_suite/execve_x.cpp` and
`test/drivers/test_suites/syscall_exit_suite/execveat_x.cpp`.

Old tests relate to new tests in the following way:
- `execveX_success` -> `sched_proc_exec_execve`
- `execveX_not_upperlayer` -> `sched_proc_exec_execve_not_upperlayer`
- `execveX_upperlayer_success` -> `sched_proc_exec_execve_upperlayer`
- `execveX_success_memfd` -> `sched_proc_exec_execve_memfd`
- `execveX_symlink` -> `sched_proc_exec_execve_symlink`
- `execveatX_correct_exit` -> `sched_proc_exec_execveat`
- `execveatX_execve_exit` -> `sched_proc_exec_execveat`
- `execveatX_execve_exit_comm_equal_to_fd` -> `sched_proc_exec_execveat_comm_equal_to_fd`
- `execveatX_success_memfd` -> `sched_proc_exec_execveat_memfd`

BREAKING CHANGE: emit `execve` exit event instead of `execveat` exit
  event in case of successful `execveat` call on `s390x`

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
@ekoops ekoops force-pushed the ekoops/switch-to-sched-process-exec branch from 6a440bc to 5e7043b Compare December 3, 2025 15:06
@ekoops ekoops added this to the next-driver milestone Dec 3, 2025
@github-actions
Copy link

github-actions bot commented Dec 3, 2025

X64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-5.10 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2023-6.1 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.0 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.7 🟢 🟢 🟢 🟢 🟢 🟢
centos-3.10 🟢 🟢 🟢 🟡 🟡 🟡
centos-4.18 🟢 🟢 🟢 🟢 🟢 🟢
centos-5.14 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.17 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.8 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-4.14 🟢 🟢 🟢 🟢 🟢 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-5.4 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-5.8 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

ARM64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-4.14 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

@poiana poiana added the lgtm label Dec 3, 2025
@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Dec 4, 2025
@poiana poiana merged commit e65bb86 into master Dec 4, 2025
55 of 59 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Dec 4, 2025
@poiana poiana deleted the ekoops/switch-to-sched-process-exec branch December 4, 2025 12:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gnosek gnosek gnosek approved these changes

@leogr leogr leogr approved these changes

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

@irozzo-1A irozzo-1A Awaiting requested review from irozzo-1A

Assignees

@gnosek gnosek

@leogr leogr

Labels

approved area/driver-bpf area/driver-kmod area/driver-modern-bpf area/libpman area/tests dco-signoff: yes kind/design kind/feature New feature or request lgtm release-note size/XXL

Projects

Falco Roadmap
Status: Done

Milestone

9.1.0+driver

Development

Successfully merging this pull request may close these issues.

5 participants

@ekoops @poiana @gnosek @leogr