fix(ebpf): disable HookedSyscalls as

Disables HookedSyscalls and PrintSyscallTable if HookedSyscalls is not required. This is a temporary solution until the sys_call_table address can be retrieved from the kernel in a different way than '/proc/kallsyms'.
aquasecurity · Oct 9, 2023 · 4daf07b · 4daf07b
1 parent 2ada83f
commit 4daf07b
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -277,6 +277,16 @@ func New(cfg config.Config) (*Tracee, error) {
 		t.handleEventsDependencies(id, state)
 	}
 
+	// The GKE kernel lacks CONFIG_KALLSYMS_ALL enabled, so to silence the
+	// error of missing kernel symbols, the HookedSyscalls and PrintSyscallTable
+	// events are being disabled when HookedSyscalls is not required by the user.
+	// This is a workaround until the 'sys_call_table' address can be retrieved
+	// from the kernel in a different way than '/proc/kallsyms'. See #3397.
+	if !t.policyManager.IsEventEnabled(events.HookedSyscalls) {
+		delete(t.eventsState, events.HookedSyscalls)
+		delete(t.eventsState, events.PrintSyscallTable)
+	}
+
 	// Update capabilities rings with all events dependencies
 
 	for id := range t.eventsState {