Backport v0.22.0 (#4373)

* feat(events): change log level in hooked_syscall When unable to locate a syscall symbol, instead of printing an error and terminate the hook checker goroutine, be more graceful: print a warning and skip hook check only for the specific syscall * fix(events): check if init finished in hidden kernel module On startup, there could be a case where a kernel module is being loaded before the hidden kernel module initialization function is called and finished.
aquasecurity · Oct 31, 2024 · bacaf77 · bacaf77
1 parent 79a7777
commit bacaf77
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/pkg/ebpf/hooked_syscall_table.go b/pkg/ebpf/hooked_syscall_table.go
@@ -2,6 +2,7 @@ package ebpf
 
 import (
 	gocontext "context"
+	"fmt"
 	"runtime"
 	"strings"
 	"time"
@@ -189,8 +190,13 @@ func (t *Tracee) populateExpectedSyscallTableArray(tableMap *bpf.BPFMap) error {
 
 		kernelSymbol, err := t.kernelSymbols.GetSymbolByOwnerAndName("system", events.SyscallPrefix+syscallName)
 		if err != nil {
-			logger.Errorw("hooked_syscall: syscall symbol not found", "id", index)
-			return err
+			logger.Warnw(fmt.Sprintf("hooked_syscall: Unable to locate syscall symbol... permanently skipping hook check for syscall ID %d", index))
+			zero := 0
+			err = tableMap.Update(unsafe.Pointer(&index), unsafe.Pointer(&zero))
+			if err != nil {
+				return err
+			}
+			continue
 		}
 
 		var expectedAddress = kernelSymbol[0].Address

diff --git a/pkg/events/derive/hidden_kernel_module.go b/pkg/events/derive/hidden_kernel_module.go
@@ -29,6 +29,7 @@ var (
 	newModuleOnlyMap         *bpf.BPFMap
 	recentDeletedModulesMap  *bpf.BPFMap
 	wakeupChannel            = make(chan ScanRequest)
+	isInitialized            = false
 )
 
 const (
@@ -53,6 +54,11 @@ func HiddenKernelModule() DeriveFunction {
 
 func deriveHiddenKernelModulesArgs() multiDeriveArgsFunction {
 	return func(event trace.Event) ([][]interface{}, []error) {
+		if !isInitialized {
+			logger.Debugw("hidden kernel module derive logic: not initialized yet... skipping")
+			return nil, nil
+		}
+
 		address, err := parse.ArgVal[uint64](event.Args, "address")
 		if err != nil {
 			return nil, []error{err}
@@ -115,7 +121,12 @@ func InitHiddenKernelModules(modsMap *bpf.BPFMap, newModMap *bpf.BPFMap, deleted
 	}
 
 	eventsFromHistoryScan, err = lru.New[*trace.Event, struct{}](50) // If there are more hidden modules found in history scan, it'll report only the size of the LRU
-	return err
+	if err != nil {
+		return err
+	}
+
+	isInitialized = true
+	return nil
 }
 
 // handleHistoryScanFinished handles the case where the history scan finished