From 0be27d1844feec05174f5318ce647ffef6dd1857 Mon Sep 17 00:00:00 2001
From: Ori Glassman
Date: Mon, 28 Oct 2024 10:31:39 +0200
Subject: [PATCH 1/2] feat(events): change log level in hooked_syscall
When unable to locate a syscall symbol, instead of printing an error and terminate the hook checker goroutine, be more graceful: print a warning and skip hook check only for the specific syscall
---
 pkg/ebpf/hooked_syscall_table.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/pkg/ebpf/hooked_syscall_table.go b/pkg/ebpf/hooked_syscall_table.go
index 4ef19f503f92..b5beb515ddfd 100644
--- a/pkg/ebpf/hooked_syscall_table.go
+++ b/pkg/ebpf/hooked_syscall_table.go
@@ -2,6 +2,7 @@ package ebpf
 import (
 gocontext "context"
+ "fmt"
 "runtime"
 "strings"
 "time"
@@ -189,8 +190,13 @@ func (t *Tracee) populateExpectedSyscallTableArray(tableMap *bpf.BPFMap) error {
 kernelSymbol, err := t.kernelSymbols.GetSymbolByOwnerAndName("system", events.SyscallPrefix+syscallName)
 if err != nil {
- logger.Errorw("hooked_syscall: syscall symbol not found", "id", index)
- return err
+ logger.Warnw(fmt.Sprintf("hooked_syscall: Unable to locate syscall symbol... permanently skipping hook check for syscall ID %d", index))
+ zero := 0
+ err = tableMap.Update(unsafe.Pointer(&index), unsafe.Pointer(&zero))
+ if err != nil {
+ return err
+ }
+ continue
 }
 var expectedAddress = kernelSymbol[0].Address
From ea5334425613417fac15869803b340ffd3d5124d Mon Sep 17 00:00:00 2001
From: Ori Glassman
Date: Mon, 28 Oct 2024 16:05:01 +0200
Subject: [PATCH 2/2] fix(events): check if init finished in hidden kernel module
On startup, there could be a case where a kernel module is being loaded before the hidden kernel module initialization function is called and finished.
---
 pkg/events/derive/hidden_kernel_module.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
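Review bot: The new warning at the top of the added block drops the structured field the removed `Errorw` carried: `logger.Warnw(fmt.Sprintf(..., index))` flattens the ID into the message text, which is harder to filter on downstream and is the only reason for the new `fmt` import in the first hunk. Prefer `logger.Warnw("hooked_syscall: syscall symbol not found, skipping hook check", "id", index, "syscall", syscallName)` — `syscallName` is already in scope from the `GetSymbolByOwnerAndName` call, and naming it matters because a skipped entry means that syscall is no longer checked for hooking, which an operator should be able to see at a glance. `zero := 0` is an `int`, whose size is platform-dependent; the value written into the table should have the same type as `expectedAddress` (e.g. `var zero uint64` if that is the map's value type — confirm against the Update call later in the function). A comment such as `// 0 means "no expected address"; the BPF side must treat it as skip, not as a hook at address 0` would record the assumption this branch relies on. The body of populateExpectedSyscallTableArray continues past the hunk.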
diff --git a/pkg/events/derive/hidden_kernel_module.go b/pkg/events/derive/hidden_kernel_module.go
index 703183b7d270..c245670ba81d 100644
--- a/pkg/events/derive/hidden_kernel_module.go
+++ b/pkg/events/derive/hidden_kernel_module.go
@@ -29,6 +29,7 @@ var (
 newModuleOnlyMap *bpf.BPFMap
 recentDeletedModulesMap *bpf.BPFMap
 wakeupChannel = make(chan ScanRequest)
+ isInitialized = false
 )
 const (
@@ -53,6 +54,11 @@ func HiddenKernelModule() DeriveFunction {
 func deriveHiddenKernelModulesArgs() multiDeriveArgsFunction {
 return func(event trace.Event) ([][]interface{}, []error) {
+ if !isInitialized {
+ logger.Debugw("hidden kernel module derive logic: not initialized yet... skipping")
+ return nil, nil
+ }
+
 address, err := parse.ArgVal[uint64](event.Args, "address")
 if err != nil {
 return nil, []error{err}
@@ -115,7 +121,12 @@ func InitHiddenKernelModules(modsMap *bpf.BPFMap, newModMap *bpf.BPFMap, deleted
 }
 eventsFromHistoryScan, err = lru.New[*trace.Event, struct{}](50) // If there are more hidden modules found in history scan, it'll report only the size of the LRU
- return err
+ if err != nil {
+ return err
+ }
+
+ isInitialized = true
+ return nil
 }
 // handleHistoryScanFinished handles the case where the history scan finished
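Review bot: `isInitialized` is a plain package-level bool that `InitHiddenKernelModules` writes in the third hunk and the derive closure in the second hunk reads; if those run on different goroutines — which the commit message implies, since events can arrive before init finishes — this is a data race that `go test -race` will flag, and the read carries no ordering guarantee with respect to the rest of init (`eventsFromHistoryScan`, the module maps). Declare it as `isInitialized atomic.Bool` in the first hunk's var block (import `sync/atomic`), read it with `if !isInitialized.Load() {`, and publish with `isInitialized.Store(true)` as the last statement before `return nil`, so that a reader seeing true also sees everything assigned before it. Events that arrive during that window are dropped rather than deferred, so a module loaded before init completes is never evaluated by this derive function; if the history scan is what covers that case, a one-line comment on the early return saying so would save the next reader the question. Both enclosing functions extend beyond their hunks.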