af_unix info comes out as af_unspec
OriGlassman commented
geyslan commented
Going to run some tests on a 5.13 aarch64.
geyslan commented
@OriGlassman I wasn't able to reproduce it by doing the following - if you have a reproducer, please share with us.
Tracee
sudo ./dist/tracee -s comm=nc -e accept4
accept4 with AF_UNIX trigger
I've used accept4 since it makes use of save_sockaddr_to_buf. It's worth mentioning that save_sockaddr_to_buf calls get_unix_sock_addr, which already takes care of the struct sockaddr_un size. It's compiling and running without errors in all matrix supported kernels.
nc -Ul /tmp/sock
nc -U /tmp/sock
Perhaps the workaround mentioned in the issue above and in #1129 isn't required any more for the supported kernels (and llvm version used).
Results
aarch64
uname -a
Linux ip-172-31-22-65 5.13.0-52-generic #59~20.04.1-Ubuntu SMP Fri Jun 17 21:11:05 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
sudo ./dist/tracee -s comm=nc -e accept4
TIME UID COMM PID TID RET EVENT ARGS
13:26:39:049537 1000 nc 8290 8290 4 accept4 sockfd: 3, addr: map[sa_family:AF_UNIX sun_path:], addrlen: 0xffffc74a40e4, flags: 2048
strace nc -Ul /tmp/sock
accept4(3, {sa_family=AF_UNIX}, [128->2], SOCK_NONBLOCK) = 4
x86_64
uname -a
Linux ip-172-31-12-137 5.13.0-52-generic #59~20.04.1-Ubuntu SMP Thu Jun 16 21:21:28 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
sudo ./dist/tracee -s comm=nc -e accept4
TIME UID COMM PID TID RET EVENT ARGS
13:36:31:719160 1000 nc 7406 7406 4 accept4 sockfd: 3, addr: map[sa_family:AF_UNIX sun_path:td], addrlen: 0x7ffdd0676364, flags: 2048
strace nc -Ul /tmp/sock
accept4(3, {sa_family=AF_UNIX}, [128->2], SOCK_NONBLOCK) = 4
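Added example, not part of the thread and not Tracee's code: strace's `[128->2]` above means the kernel wrote back an address length of 2, which per unix(7) is an unnamed socket whose `sun_path` bytes are not part of the address. The sketch below decodes a `sockaddr_un` by that returned length; `decode_unix_addr`, `decode_sample`, `last_name` and the sample byte strings are hypothetical names and constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

enum ua_kind { UA_INVALID, UA_UNNAMED, UA_PATHNAME, UA_ABSTRACT };
#define SUN_HDR offsetof(struct sockaddr_un, sun_path)
static char last_name[sizeof(((struct sockaddr_un *)0)->sun_path) + 1];

/* Hypothetical helper: decode a sockaddr_un using the length the kernel wrote back.
 * The path or abstract name (if any) is left in last_name. */
static enum ua_kind decode_unix_addr(const struct sockaddr_un *sa, socklen_t len)
{
    last_name[0] = '\0';
    if (len < SUN_HDR || len > sizeof(*sa) || sa->sun_family != AF_UNIX)
        return UA_INVALID;
    if (len == SUN_HDR)
        return UA_UNNAMED;              /* sun_path is not part of the address */
    size_t n = len - SUN_HDR;           /* valid bytes in sun_path */
    if (sa->sun_path[0] == '\0') {      /* abstract: name is the n-1 bytes after the NUL */
        memcpy(last_name, sa->sun_path + 1, n - 1);
        last_name[n - 1] = '\0';
        return UA_ABSTRACT;
    }
    const char *z = memchr(sa->sun_path, 0, n);   /* pathname: stop at NUL or at len */
    if (z) n = (size_t)(z - sa->sun_path);
    memcpy(last_name, sa->sun_path, n);
    last_name[n] = '\0';
    return UA_PATHNAME;
}

/* Constructed input: put `bytes` in sun_path but report only `valid` of them as address. */
static enum ua_kind decode_sample(const char *bytes, size_t nbytes, size_t valid)
{
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path, bytes, nbytes);
    return decode_unix_addr(&sa, (socklen_t)(SUN_HDR + valid));
}

int main(void)
{
    /* Returned length 2, as in strace's [128->2], with stale bytes left in the buffer */
    printf("%d '%s'\n", decode_sample("td", 2, 0), last_name);
    printf("%d '%s'\n", decode_sample("/tmp/sock", 10, 10), last_name);
    printf("%d '%s'\n", decode_sample("\0name", 5, 5), last_name);
    return 0;
}
```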