ExecveInfo.binary_sha256 not populated despite binary_info field set for sentry/execve #11466

Closed
@irfansharif

Description

Looking at this code block here, it doesn't seem like binary_sha256 of the binary in question is being computed, even if the binary_info optional field is set:

```go
func getExecveSeccheckInfo(t *Task, argv, env []string, executable *vfs.FileDescription, pathname string) (seccheck.FieldSet, *pb.ExecveInfo) {
	fields := seccheck.Global.GetFieldSet(seccheck.PointExecve)
	info := &pb.ExecveInfo{
		Argv: argv,
		Env:  env,
	}
	if executable != nil {
		info.BinaryPath = pathname
		if fields.Local.Contains(seccheck.FieldSentryExecveBinaryInfo) {
			// Only mode, uid and gid are requested from stat; no digest is computed.
			statOpts := vfs.StatOptions{
				Mask: linux.STATX_TYPE | linux.STATX_MODE | linux.STATX_UID | linux.STATX_GID,
			}
			if stat, err := executable.Stat(t, statOpts); err == nil {
				if stat.Mask&(linux.STATX_TYPE|linux.STATX_MODE) == (linux.STATX_TYPE | linux.STATX_MODE) {
					info.BinaryMode = uint32(stat.Mode)
				}
				if stat.Mask&linux.STATX_UID != 0 {
					info.BinaryUid = stat.UID
				}
				if stat.Mask&linux.STATX_GID != 0 {
					info.BinaryGid = stat.GID
				}
			}
		}
	}
	if !fields.Context.Empty() {
		info.ContextData = &pb.ContextData{}
		LoadSeccheckData(t, fields.Context, info.ContextData)
	}
	return fields, info
}
```

We were hoping to make use of it for threat detection.

Steps to reproduce

This was the /etc/falco/pod-init.json we were trying.

```json
{
  "trace_session": {
    ...
    "points": [
      ...
      {
        "context_fields": [
          "cwd",
          "credentials",
          "container_id",
          "thread_id",
          "task_start_time",
          "time"
        ],
        "optional_fields": [
          "binary_info"
        ],
        "name": "sentry/execve"
      }
    ]
  }
}
```

runsc version

runsc version release-20250203.0
spec: 1.1.0-rc.1

uname

Linux ip-10-1-5-221.ec2.internal 5.15.0-302.167.6.1.el9uek.x86_64 #2 SMP Thu Nov 21 21:48:29 PST 2024 x86_64 x86_64 x86_64 GNU/Linux

repo state (if built from source)

No response

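For readers who want to see what the missing piece looks like in practice, the following is an added, stand-alone Go example (not gVisor code, and not the fix the project may eventually ship). It stats an executable path and computes the SHA-256 digest the issue expects alongside the mode, using a hypothetical `BinaryInfo` struct in place of the real `pb.ExecveInfo`, and shows the detection-side use of that digest: comparing an execve'd binary against an allowlist of known content hashes, which path and mode fields alone cannot do. The sample "binary" is a constructed script written to a temp directory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// BinaryInfo is an illustrative stand-in for the execve binary_info fields:
// the stat-derived mode the sentry already fills in, plus the content digest
// the issue reports as missing. It is not the gVisor pb.ExecveInfo type.
type BinaryInfo struct {
	Path   string
	Mode   uint32 // permission bits of the file
	SHA256 string // lowercase hex digest of the file contents
}

// hashFile streams the file through SHA-256 so large executables are never
// read into memory in one piece.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// CollectBinaryInfo gathers the mode and digest for an executable path. A
// missing, unreadable or non-regular file is an error rather than a silently
// empty digest, so a consumer can tell "not computed" apart from "empty".
func CollectBinaryInfo(path string) (BinaryInfo, error) {
	info := BinaryInfo{Path: path}
	fi, err := os.Stat(path)
	if err != nil {
		return info, err
	}
	if !fi.Mode().IsRegular() {
		return info, fmt.Errorf("%s: not a regular file", path)
	}
	info.Mode = uint32(fi.Mode().Perm())
	digest, err := hashFile(path)
	if err != nil {
		return info, err
	}
	info.SHA256 = digest
	return info, nil
}

// IsKnownBinary is the detection-side use of the digest: an execve whose path
// is expected but whose content hash is not means the file on disk was
// replaced, which path, mode and owner alone cannot reveal.
func IsKnownBinary(info BinaryInfo, allowlist map[string]string) bool {
	want, ok := allowlist[info.Path]
	return ok && want == info.SHA256
}

func main() {
	// Constructed sample: a throwaway script in a temp dir stands in for the
	// executable handed to execve.
	dir, err := os.MkdirTemp("", "execve-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	bin := filepath.Join(dir, "demo-bin")
	if err := os.WriteFile(bin, []byte("#!/bin/sh\necho hello\n"), 0o755); err != nil {
		panic(err)
	}
	info, err := CollectBinaryInfo(bin)
	if err != nil {
		panic(err)
	}
	fmt.Printf("path=%s mode=%o sha256=%s\n", info.Path, info.Mode, info.SHA256)
	// Allowlist built from the same file; a modified file would no longer match.
	fmt.Println("known:", IsKnownBinary(info, map[string]string{bin: info.SHA256}))
}
```

The digest is computed from the file that is actually opened for execution, which is the property a detection rule cares about: a binary whose path, mode and owner all look normal but whose hash is not on the allowlist has been swapped or patched on disk.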