feat: parse dirfd for special case AT_FDCWD

syscalls with dirfd arg now parse for special case AT_FDCWD when ParseArgumentsFDs is true.
aquasecurity · Jan 15, 2025 · 9676369 · 9676369
1 parent af50e8b
commit 9676369
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go
@@ -276,6 +276,12 @@ func ParseArgsFDs(event *trace.Event, origTimestamp uint64, fdArgPathMap *bpf.BP
 		}
 	}
 
+	if dirfdArg := GetArg(event, "dirfd"); dirfdArg != nil {
+		if dirfd, isInt32 := dirfdArg.Value.(int32); isInt32 {
+			parseDirfdAt(dirfdArg, uint64(dirfd))
+		}
+	}
+
 	return nil
 }
 

diff --git a/pkg/events/parse_args_helpers.go b/pkg/events/parse_args_helpers.go
@@ -3,11 +3,21 @@ package events
 import (
 	"strconv"
 
+	"golang.org/x/sys/unix"
+
 	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/types/trace"
 )
 
+func parseDirfdAt(arg *trace.Argument, dirfd uint64) {
+	if int32(dirfd) == unix.AT_FDCWD {
+		arg.Type = "string"
+		arg.Value = "AT_FDCWD"
+		return
+	}
+}
+
 func parseMMapProt(arg *trace.Argument, prot uint64) {
 	mmapProtArgument := parsers.ParseMmapProt(prot)
 	arg.Type = "string"