@AryanBakliwal
Member

Purpose of PR?:
Earlier, KubeArmor was dropping all file open events in procfs and sysfs for the sys_openat syscall in the kprobe, which caused the permission denied events to be dropped as well. Due to this, alerts were not pushed for file operation events in these directories. This PR corrects this by flagging the events for procfs and sysfs file open operations in the kprobe and checking their return value in the kretprobe before dropping them.

Fixes #1911

Does this PR introduce a breaking change?
No

If the changes in this PR are manually verified, list down the scenarios covered:

Additional information for reviewer?:
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes I dont see any reports in relay/karmor #1911
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

@AryanBakliwal AryanBakliwal force-pushed the fix-monitor-drops-procfs-events branch from f12fe51 to 1b6e039 Compare December 5, 2025 13:55
Signed-off-by: Aryan Bakliwal <aryanbakliwal12345@gmail.com>
@AryanBakliwal AryanBakliwal force-pushed the fix-monitor-drops-procfs-events branch from 1b6e039 to 7fd3f97 Compare December 8, 2025 09:54
@AryanBakliwal AryanBakliwal changed the title fix(monitor): drop only passed events for sysfs and procfs fix(monitor): drop only passed events for procfs Dec 8, 2025
@AryanBakliwal AryanBakliwal changed the title fix(monitor): drop only passed events for procfs fix(monitor): drop only passed file openat events for procfs Dec 8, 2025
@AryanBakliwal
Member Author

@rksharma95 updated to only pass permission denied events to user space for sys_openat in procfs
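The entry/exit decision described in this thread, modelled in user-space C as an added example; it is not KubeArmor's eBPF code and not part of the PR. The function names, the fixed-size table standing in for a BPF map, and treating only `-EACCES` as "permission denied" are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_INFLIGHT 64

/* One slot per thread with an openat() in flight (assumed stand-in for a BPF hash map). */
struct inflight { uint64_t pid_tgid; bool used; bool procfs; };
static struct inflight table[MAX_INFLIGHT];

static bool is_procfs(const char *path) {
    return strcmp(path, "/proc") == 0 || strncmp(path, "/proc/", 6) == 0;
}

static struct inflight *slot_for(uint64_t id, bool create) {
    struct inflight *free_slot = NULL;
    for (int i = 0; i < MAX_INFLIGHT; i++) {
        if (table[i].used && table[i].pid_tgid == id) return &table[i];
        if (!table[i].used && !free_slot) free_slot = &table[i];
    }
    if (create && free_slot) { free_slot->used = true; free_slot->pid_tgid = id; }
    return create ? free_slot : NULL;
}

/* Behaviour the PR describes as the bug: decide at entry, before the result is known. */
bool legacy_forward(const char *path) { return !is_procfs(path); }

/* Entry side (kprobe role): never drop here, only flag procfs paths. */
void on_openat_enter(uint64_t id, const char *path) {
    struct inflight *s = slot_for(id, true);
    if (s) s->procfs = is_procfs(path);
}

/* Exit side (kretprobe role): true means the event goes to user space. */
bool on_openat_exit(uint64_t id, long retval) {
    struct inflight *s = slot_for(id, false);
    if (!s) return false;          /* no matching entry recorded */
    bool procfs = s->procfs;
    s->used = false;               /* release the slot for the next call */
    if (!procfs) return true;      /* assumption: other paths are not filtered here */
    return retval == -EACCES;      /* procfs: forward only permission denied */
}
```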
