Tetragon does not raise an event when the resolved value is null #3728

Open
@tdaudi

Description

What happened?

Let's take an example to illustrate this with the below policy. To trigger this policy, run any command in bash.

In security_bprm_check the bprm.interpreter attribute is null, but Tetragon does not raise the error
https://elixir.bootlin.com/linux/v6.14-rc3/source/include/linux/binfmts.h#L54

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "lsm"
spec:
  lsmhooks:
  - hook: "bprm_check_security"
    args:
    - index: 0
      type: "string"
      resolve: "executable.f_path.dentry.d_name.name"
    selectors:
    - matchActions:
      - action: Post

No events are raised when this policy is applied.
If you try

    - index: 0
      type: "uint32"
      resolve: "executable.f_mode"

A 0 is raised where it should not be, because here it is not the f_mode that is null but the executable.

This happened in the below code.

extract_arg_depth(u32 i, struct extract_arg_data *data)
{
	if (i >= MAX_BTF_ARG_DEPTH || !data->btf_config[i].is_initialized)
		return 1;
	*data->arg = *data->arg + data->btf_config[i].offset;
	if (data->btf_config[i].is_pointer)
		probe_read((void *)data->arg, sizeof(char *), (void *)*data->arg);
	return 0;
}

We do not track errors on the extract or later on the copy value.

Tetragon Version

latest

Kernel Version

6.14
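The walk described in the issue, as an added user-space model that is not Tetragon's own code: the struct layouts, the `sim_probe_read()` stand-in for `bpf_probe_read_kernel()` (which zeroes the destination and returns -EFAULT on a fault), the `btf_step` chains, and the `resolve()`/`resolve_f_mode()` helpers are all assumptions made for illustration. `walk_unchecked()` mirrors the control flow of the posted `extract_arg_depth()` and shows why a NULL `executable` comes back as a successful resolve with value 0; `walk_checked()` is one way to surface the failure instead.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-ins for the kernel structs: only the fields the two
 * resolve chains from the issue touch are modelled (assumed layouts). */
struct qstr { const char *name; };
struct dentry { struct qstr d_name; };
struct path { struct dentry *dentry; };
struct file { unsigned int f_mode; struct path f_path; };
struct linux_binprm { struct file *executable; struct file *interpreter; };

#define MAX_BTF_ARG_DEPTH 10

/* One hop of a resolve chain, shaped like the posted btf_config entries. */
struct btf_step { uint32_t offset; int is_pointer; int is_initialized; };

/* Stand-in for bpf_probe_read_kernel(): a read from the unmapped null page
 * zeroes the destination and returns -EFAULT, as the helper does on a fault. */
static int sim_probe_read(void *dst, size_t n, const void *src)
{
	if ((uintptr_t)src < 4096) {
		memset(dst, 0, n);
		return -EFAULT;
	}
	memcpy(dst, src, n);
	return 0;
}

/* Same control flow as the posted extract_arg_depth(), looped over the chain.
 * probe_read's result is dropped, so a NULL intermediate pointer quietly
 * becomes "address 0 + next offset" and the walk still reports success. */
static int walk_unchecked(const struct btf_step *cfg, unsigned long *arg)
{
	for (uint32_t i = 0; i < MAX_BTF_ARG_DEPTH && cfg[i].is_initialized; i++) {
		*arg += cfg[i].offset;
		if (cfg[i].is_pointer)
			sim_probe_read(arg, sizeof(char *), (void *)*arg);
	}
	return 0;
}

/* Checked variant: a failed read or a NULL resolved pointer aborts the walk
 * with an error, so the caller can drop the argument instead of posting 0. */
static int walk_checked(const struct btf_step *cfg, unsigned long *arg)
{
	for (uint32_t i = 0; i < MAX_BTF_ARG_DEPTH && cfg[i].is_initialized; i++) {
		*arg += cfg[i].offset;
		if (cfg[i].is_pointer && sim_probe_read(arg, sizeof(char *), (void *)*arg) < 0)
			return -EFAULT;
		if (cfg[i].is_pointer && *arg == 0)
			return -ENOENT; /* the field just dereferenced is NULL */
	}
	return 0;
}

/* resolve: "executable.f_mode" */
const struct btf_step f_mode_chain[] = {
	{ offsetof(struct linux_binprm, executable), 1, 1 },
	{ offsetof(struct file, f_mode), 0, 1 },
	{ 0, 0, 0 },
};

/* resolve: "executable.f_path.dentry.d_name.name" (ends on the name pointer) */
const struct btf_step d_name_chain[] = {
	{ offsetof(struct linux_binprm, executable), 1, 1 },
	{ offsetof(struct file, f_path) + offsetof(struct path, dentry), 1, 1 },
	{ offsetof(struct dentry, d_name) + offsetof(struct qstr, name), 1, 1 },
	{ 0, 0, 0 },
};

/* Walk a chain starting at bprm; on success *addr is the resolved address
 * (or the final pointer value when the chain ends on a pointer hop). */
int resolve(const struct btf_step *chain, struct linux_binprm *bprm, int checked,
	    unsigned long *addr)
{
	*addr = (unsigned long)bprm;
	return checked ? walk_checked(chain, addr) : walk_unchecked(chain, addr);
}

/* Resolve executable.f_mode into *out. With checked=0 this reproduces the
 * reported behaviour: a NULL executable yields err=0 and f_mode=0. */
int resolve_f_mode(struct linux_binprm *bprm, int checked, uint32_t *out)
{
	unsigned long addr;
	int err = resolve(f_mode_chain, bprm, checked, &addr);
	if (err)
		return err;
	err = sim_probe_read(out, sizeof(*out), (void *)addr); /* final copy */
	return checked ? err : 0; /* unchecked path ignores the copy result too */
}

int main(void)
{
	struct dentry d = { { "bash" } };
	struct file exe = { .f_mode = 0x1d, .f_path = { &d } };
	struct linux_binprm with_exe = { &exe, NULL }, no_exe = { NULL, NULL };
	uint32_t v = 0;
	int err;

	err = resolve_f_mode(&with_exe, 1, &v);
	printf("checked,   executable set:  err=%d f_mode=0x%x\n", err, v);
	err = resolve_f_mode(&no_exe, 0, &v);
	printf("unchecked, executable NULL: err=%d f_mode=0x%x (posted as 0)\n", err, v);
	err = resolve_f_mode(&no_exe, 1, &v);
	printf("checked,   executable NULL: err=%d (%s), nothing posted\n", err, strerror(-err));
	return 0;
}
```

The string policy from the issue follows the same path through `d_name_chain`: with `executable` NULL the unchecked walk ends at address 0 with no error, and only the later string copy fails, which is consistent with the uint32 case posting a 0 while the string case posts nothing.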
