From 4db6a48abfdb5494b262f07189e285ccc6a15905 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Geyslan=20Greg=C3=B3rio?=
Date: Tue, 10 Oct 2023 18:56:36 -0300
Subject: [PATCH 1/4] chore(flags): remove leftover
After the changes of #3262, at this stage, policies.Map() length is always greater than 0.
---
 pkg/cmd/flags/policy.go | 20 --------------------
 1 file changed, 20 deletions(-)
diff --git a/pkg/cmd/flags/policy.go b/pkg/cmd/flags/policy.go
index 389c38b21e48..66f92e65dc99 100644
--- a/pkg/cmd/flags/policy.go
+++ b/pkg/cmd/flags/policy.go
@@ -320,25 +320,5 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa
 }
 }
- if len(policies.Map()) == 0 {
- // if nothing was set, let us consider it as a single default policy
- eventFilter := eventFilter{
- Equal: []string{},
- NotEqual: []string{},
- }
-
- var err error
- newPolicy := policy.NewPolicy()
- newPolicy.EventsToTrace, err = prepareEventsToTrace(eventFilter, eventsNameToID)
- if err != nil {
- return nil, err
- }
-
- err = policies.Add(newPolicy)
- if err != nil {
- return nil, err
- }
- }
-
 return policies, nil
 }
From 58504464ee9bab9ff17ce957bfe7979b594698f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Geyslan=20Greg=C3=B3rio?=
Date: Mon, 16 Oct 2023 08:41:05 -0300
Subject: [PATCH 2/4] fix(ebpf): cancel dependencies of the canceled one
Context: #3495 https://github.com/aquasecurity/tracee/actions/runs/6475371851/job/17582516454#step:5:42
---
 pkg/ebpf/tracee.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
index 2573a1d15ef3..521a54d826bf 100644
--- a/pkg/ebpf/tracee.go
+++ b/pkg/ebpf/tracee.go
@@ -955,6 +955,7 @@ func (t *Tracee) checkUnavailableKSymbols(eventsState map[events.ID]events.Event
 // missing, it will cancel their event with informative error message.
 func (t *Tracee) validateKallsymsDependencies() {
 unavKSymbols := t.checkUnavailableKSymbols(t.eventsState)
+ depsToCancel := make(map[events.ID]string)
 // Cancel events with unavailable symbols dependencies
 for eventToCancel, missingDepSyms := range unavKSymbols {
@@ -965,6 +966,27 @@ func (t *Tracee) validateKallsymsDependencies() {
 )
 delete(t.eventsState, eventToCancel)
+
+ // Find all events that depend on eventToCancel
+ for eventID := range t.eventsState {
+ depsIDs := events.Core.GetDefinitionByID(eventID).GetDependencies().GetIDs()
+ for _, depID := range depsIDs {
+ if depID == eventToCancel {
+ depsToCancel[eventID] = eventNameToCancel
+ }
+ }
+ }
+
+ // Cancel all events that require eventToCancel
+ for eventID, depEventName := range depsToCancel {
+ logger.Errorw(
+ "Event canceled because it depends on an previously canceled event",
+ "event", events.Core.GetDefinitionByID(eventID).GetName(),
+ "dependency", depEventName,
+ )
+
+ delete(t.eventsState, eventID)
+ }
 }
 }
From 257f36ac47cb78550ddeed5379403b043aef6a43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Geyslan=20Greg=C3=B3rio?=
Date: Thu, 26 Oct 2023 15:40:25 -0300
Subject: [PATCH 3/4] fix(ebpf): change error to debug level
Some GKE kernels lack the CONFIG_KALLSYMS_ALL enabled, so this level change is to silence the error related to missing kernel symbols. This is a workaround until the 'sys_call_table' address can be retrieved from the kernel in a way other than using '/proc/kallsyms' (see #3397). At that point, the level should be changed back to 'error' again.
---
 pkg/ebpf/tracee.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
index 521a54d826bf..5cbd6a4d634c 100644
--- a/pkg/ebpf/tracee.go
+++ b/pkg/ebpf/tracee.go
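Review bot: The dependent-cancellation added in the second hunk only reaches direct dependents, because the search matches `depID == eventToCancel` and the events removed through `depsToCancel` are never themselves searched for, so an event two levels down stays enabled with an unsatisfied dependency. `depsToCancel` is also created once before the outer loop and never cleared, so each later iteration of `range unavKSymbols` logs and deletes the same entries again. A small worklist that drains every canceled ID fixes both and removes the need for the map, and the same fix applies to the third and fourth patches, which keep this loop shape; the log string would also read `"Event canceled because it depends on a previously canceled event"`. validateKallsymsDependencies opens in the first hunk, and the rewrite below replaces everything after `delete(t.eventsState, eventToCancel)` up to the loop's closing brace.

```go
		delete(t.eventsState, eventToCancel)

		// Drain canceled events transitively: a dependent of a canceled
		// dependent must be canceled as well, not only direct dependents.
		worklist := []events.ID{eventToCancel}
		for len(worklist) > 0 {
			canceled := worklist[0]
			worklist = worklist[1:]
			canceledName := events.Core.GetDefinitionByID(canceled).GetName()
			for eventID := range t.eventsState {
				for _, depID := range events.Core.GetDefinitionByID(eventID).GetDependencies().GetIDs() {
					if depID != canceled {
						continue
					}
					logger.Errorw(
						"Event canceled because it depends on a previously canceled event",
						"event", events.Core.GetDefinitionByID(eventID).GetName(),
						"dependency", canceledName,
					)
					delete(t.eventsState, eventID)
					worklist = append(worklist, eventID)
					break
				}
			}
		}
		// … unchanged: closing braces of the range unavKSymbols loop and the function …
```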
@@ -960,7 +960,7 @@ func (t *Tracee) validateKallsymsDependencies() {
 // Cancel events with unavailable symbols dependencies
 for eventToCancel, missingDepSyms := range unavKSymbols {
 eventNameToCancel := events.Core.GetDefinitionByID(eventToCancel).GetName()
- logger.Errorw(
+ logger.Debugw(
 "Event canceled because of missing kernel symbol dependency", "missing symbols", missingDepSyms, "event", eventNameToCancel,
 )
@@ -979,7 +979,7 @@ func (t *Tracee) validateKallsymsDependencies() {
 // Cancel all events that require eventToCancel
 for eventID, depEventName := range depsToCancel {
- logger.Errorw(
+ logger.Debugw(
 "Event canceled because it depends on an previously canceled event",
 "event", events.Core.GetDefinitionByID(eventID).GetName(),
 "dependency", depEventName,
From ae80f1aa3f37e7fe7daef3dca1173838df81a738 Mon Sep 17 00:00:00 2001
From: Rafael David Tinoco
Date: Mon, 30 Oct 2023 10:01:30 -0300
Subject: [PATCH 4/4] chore(ebpf): minor adjust to miss symbol cancel
---
 pkg/ebpf/tracee.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
index 5cbd6a4d634c..ec8b1f3cd5a0 100644
--- a/pkg/ebpf/tracee.go
+++ b/pkg/ebpf/tracee.go
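Review bot: Switching both messages to `logger.Debugw` makes a real loss of detection coverage invisible in normal operation, since each event canceled here, and every event that depends on it, simply stops being traced on kernels without CONFIG_KALLSYMS_ALL while debug logging is usually off. A single warning after the loop keeps the GKE log volume down without hiding that, e.g. `if n := len(unavKSymbols); n > 0 { logger.Warnw("Events canceled because of missing kernel symbols", "count", n) }` (the loop closes outside these hunks). The commit message records that the level should return to error once #3397 is resolved; that belongs in the code so it is not forgotten, as `// TODO(#3397): restore Errorw once sys_call_table no longer comes from /proc/kallsyms` above each call.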
@@ -916,18 +916,20 @@ func (t *Tracee) computeConfigValues() []byte {
 return configVal
 }
-func (t *Tracee) checkUnavailableKSymbols(eventsState map[events.ID]events.EventState) map[events.ID][]string {
+// TODO: move this to Event Definition type, so can be reused by other components
+// checkUnavailableKSymbols checks if all kernel symbols required by events are available.
+func (t *Tracee) checkUnavailableKSymbols() map[events.ID][]string {
 reqKSyms := []string{}
+ kSymbolsToEvents := make(map[string][]events.ID)
- unavailableKSymsForEventID := make(map[events.ID][]string)
- for id := range eventsState {
+ // Build a map of kernel symbols to events that require them
+ for id := range t.eventsState {
 evtDefinition := events.Core.GetDefinitionByID(id)
 for _, symDep := range evtDefinition.GetDependencies().GetKSymbols() {
 if !symDep.IsRequired() {
 continue
 }
-
 symbol := symDep.GetSymbol()
 reqKSyms = append(reqKSyms, symbol)
 kSymbolsToEvents[symbol] = append(kSymbolsToEvents[symbol], id)
@@ -935,13 +937,14 @@ func (t *Tracee) checkUnavailableKSymbols(eventsState map[events.ID]events.Event
 }
 kallsymsValues := LoadKallsymsValues(t.kernelSymbols, reqKSyms)
+ unavailableKSymsForEventID := make(map[events.ID][]string)
+ // Build a map of events that require unavailable kernel symbols
 for symName, evtsIDs := range kSymbolsToEvents {
 ksym, ok := kallsymsValues[symName]
 if ok && ksym.Address != 0 {
 continue
 }
-
 for _, evtID := range evtsIDs {
 unavailableKSymsForEventID[evtID] = append(unavailableKSymsForEventID[evtID], symName)
 }
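Review bot: The `// TODO:` line in the first hunk sits inside the doc comment block of checkUnavailableKSymbols, so it becomes the first sentence of the function's documentation; moving it below `// checkUnavailableKSymbols checks if all kernel symbols required by events are available.` (or separating it with a blank line) keeps the godoc clean. Dropping the `eventsState` parameter in favour of `t.eventsState` ties the function to `*Tracee`, which works against the TODO's aim of reusing it from other components; keeping the parameter would make that move cheaper. The doc line could also state what the result means, since the caller acts on it: `// It returns, per event ID, the required symbols that are absent from kallsyms or resolve to address 0.` The function ends outside these hunks.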
@@ -954,17 +957,15 @@ func (t *Tracee) checkUnavailableKSymbols(eventsState map[events.ID]events.Event
 // from the kallsyms file to check for missing symbols. If some symbols are
 // missing, it will cancel their event with informative error message.
 func (t *Tracee) validateKallsymsDependencies() {
- unavKSymbols := t.checkUnavailableKSymbols(t.eventsState)
 depsToCancel := make(map[events.ID]string)
 // Cancel events with unavailable symbols dependencies
- for eventToCancel, missingDepSyms := range unavKSymbols {
+ for eventToCancel, missingDepSyms := range t.checkUnavailableKSymbols() {
 eventNameToCancel := events.Core.GetDefinitionByID(eventToCancel).GetName()
 logger.Debugw(
 "Event canceled because of missing kernel symbol dependency", "missing symbols", missingDepSyms, "event", eventNameToCancel,
 )
- delete(t.eventsState, eventToCancel)
 // Find all events that depend on eventToCancel
@@ -984,7 +985,6 @@ func (t *Tracee) validateKallsymsDependencies() {
 "event", events.Core.GetDefinitionByID(eventID).GetName(),
 "dependency", depEventName,
 )
- delete(t.eventsState, eventID)
 }
 }
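Review bot: The comment kept as context above validateKallsymsDependencies still promises cancellation "with informative error message", but the calls now use `logger.Debugw` (changed in the previous patch) and the function also cancels the direct dependents of a canceled event, so the doc is stale in both respects. Suggested wording: `// validateKallsymsDependencies cancels events whose required kernel symbols are missing from kallsyms (or resolve to address 0) and the events that directly depend on them; cancellations are logged at debug level.` Only direct dependents are covered, as noted on the second patch of this series; the loop body continues between these two hunks.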