From bacaf77553f4ef6ab6a34e4fbccec8a5d889911f Mon Sep 17 00:00:00 2001
From: OriGlassman <39296766+OriGlassman@users.noreply.github.com>
Date: Thu, 31 Oct 2024 16:09:32 +0200
Subject: [PATCH] Backport v0.22.0 (#4373)

* feat(events): change log level in hooked_syscall

When unable to locate a syscall symbol, instead of printing an error and terminate the hook checker goroutine, be more graceful: print a warning and skip hook check only for the specific syscall

* fix(events): check if init finished in hidden kernel module

On startup, there could be a case where a kernel module is being loaded before the hidden kernel module initialization function is called and finished.
---
 pkg/ebpf/hooked_syscall_table.go          | 10 ++++++++--
 pkg/events/derive/hidden_kernel_module.go | 13 ++++++++++++-
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/pkg/ebpf/hooked_syscall_table.go b/pkg/ebpf/hooked_syscall_table.go
index 4ef19f503f92..b5beb515ddfd 100644
--- a/pkg/ebpf/hooked_syscall_table.go
+++ b/pkg/ebpf/hooked_syscall_table.go
@@ -2,6 +2,7 @@ package ebpf
 import (
 	gocontext "context"
+	"fmt"
 	"runtime"
 	"strings"
 	"time"
@@ -189,8 +190,13 @@ func (t *Tracee) populateExpectedSyscallTableArray(tableMap *bpf.BPFMap) error {
 		kernelSymbol, err := t.kernelSymbols.GetSymbolByOwnerAndName("system", events.SyscallPrefix+syscallName)
 		if err != nil {
-			logger.Errorw("hooked_syscall: syscall symbol not found", "id", index)
-			return err
+			logger.Warnw(fmt.Sprintf("hooked_syscall: Unable to locate syscall symbol... permanently skipping hook check for syscall ID %d", index))
+			zero := 0
+			err = tableMap.Update(unsafe.Pointer(&index), unsafe.Pointer(&zero))
+			if err != nil {
+				return err
+			}
+			continue
 		}
 		var expectedAddress = kernelSymbol[0].Address
diff --git a/pkg/events/derive/hidden_kernel_module.go b/pkg/events/derive/hidden_kernel_module.go
index 703183b7d270..c245670ba81d 100644
--- a/pkg/events/derive/hidden_kernel_module.go
+++ b/pkg/events/derive/hidden_kernel_module.go
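Review bot: `zero := 0` gives the placeholder written into the expected-address table the Go type int, whose width depends on GOARCH, while the value the loop normally stores (`kernelSymbol[0].Address`, written further down, outside the hunk) is presumably a fixed-width uint64; `unsafe.Pointer(&zero)` handed to `tableMap.Update` should carry the map's value width explicitly, e.g. `var zero uint64`. The new log call also pre-formats with `fmt.Sprintf`, which throws away the structured `"id", index` field the removed line had and makes the `fmt` import unnecessary; `logger.Warnw("hooked_syscall: unable to locate syscall symbol, permanently skipping hook check", "id", index)` keeps the syscall ID queryable. Because a missing symbol now silently disables the hook check for that syscall, this warning is the only signal a defender gets about the detection gap, so a one-line comment above `continue` saying that the BPF side must treat a zero expected address as "not checked" would document the contract — populateExpectedSyscallTableArray starts and ends outside the hunk, and the BPF consumer is not visible here, so I cannot confirm it does.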
@@ -29,6 +29,7 @@ var (
 	newModuleOnlyMap *bpf.BPFMap
 	recentDeletedModulesMap *bpf.BPFMap
 	wakeupChannel = make(chan ScanRequest)
+	isInitialized = false
 )
 const (
@@ -53,6 +54,11 @@ func HiddenKernelModule() DeriveFunction {
 func deriveHiddenKernelModulesArgs() multiDeriveArgsFunction {
 	return func(event trace.Event) ([][]interface{}, []error) {
+		if !isInitialized {
+			logger.Debugw("hidden kernel module derive logic: not initialized yet... skipping")
+			return nil, nil
+		}
+
 		address, err := parse.ArgVal[uint64](event.Args, "address")
 		if err != nil {
 			return nil, []error{err}
@@ -115,7 +121,12 @@ func InitHiddenKernelModules(modsMap *bpf.BPFMap, newModMap *bpf.BPFMap, deleted
 	}
 	eventsFromHistoryScan, err = lru.New[*trace.Event, struct{}](50) // If there are more hidden modules found in history scan, it'll report only the size of the LRU
-	return err
+	if err != nil {
+		return err
+	}
+
+	isInitialized = true
+	return nil
 }
 // handleHistoryScanFinished handles the case where the history scan finished
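Review bot: `isInitialized` is a plain package-level bool that this closure reads on every derived event while InitHiddenKernelModules writes it; if events really can arrive while initialization is still running, as the commit message describes, that is an unsynchronized read and write that `go test -race` will report, and it gives no guarantee that the maps and LRU assigned before the flag are visible to a reader that already sees the flag set. Declaring it as `isInitialized atomic.Bool` (with `sync/atomic` imported above the hunk), checking `if !isInitialized.Load() {` here and publishing with `isInitialized.Store(true)` as the last step of Init gives the ordering the fix relies on. Events that hit this early-return are dropped with only a debug-level log; unless the history scan re-examines them, which nothing in this hunk shows, a module loaded during that window is never checked by this derivation, so a short comment above the check stating that trade-off would save the next reader from assuming coverage. deriveHiddenKernelModulesArgs continues past the end of the hunk.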