Hi everyone,
While testing Falco on arm64 my team and I encountered some weird
issues; basically, it seems like execve() exit tracepoint is never
called.
Moreover, the clone() exit tracepoint referred to the child process is
also missing.
The issue is present on both the kmod and eBPF probe.
I tested on amznlinux2 with kernel 5.10.96-90.460.amzn2.aarch64, but
other team members tested on other kernel versions too (down to
4.14.X).
I was also able to reproduce the problem using bpftrace tool: hooking
on tracepoint:syscalls:sys_exit_execve; no event is received:
bpftrace -e 'tracepoint:syscalls:sys_exit_execve { printf("execve!\n"); }'
Since sys_enter tracepoints are indeed called, we'd expect the
sys_exit ones to be called too, just like it happens on x86.
The question is: are we missing anything obvious here?
Thank you very much for your time,
Regards
Federico
|