-
Notifications
You must be signed in to change notification settings - Fork 412
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ksyms): required ksym scanning #4088
feat(ksyms): required ksym scanning #4088
Conversation
go.mod
Outdated
@@ -180,3 +180,5 @@ require ( | |||
gopkg.in/yaml.v3 v3.0.1 // indirect | |||
kernel.org/pub/linux/libs/security/libcap/psx v1.2.68 // indirect | |||
) | |||
|
|||
replace github.com/aquasecurity/libbpfgo/helpers => ../libbpfgo/helpers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: split PR and remove this
0d01802
to
7a4bab4
Compare
Use modified ksymbols implementation. The new implementation may take a list of required symbols and addresses to track. If the list is given, symbol scanning will only save those symbols or addresses which were given in the list. If a new symbol is queried, then a rescan is needed. Refactor tracee initialization to find all necessary symbols to track ahead of runtime.
7a4bab4
to
4f07d58
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did a cursory review, but didn't tested yet. Put some questions.
There's this error in the tests: https://github.com/aquasecurity/tracee/actions/runs/9290348284/job/25574577060?pr=4088#step:5:1471
@@ -1112,9 +1235,8 @@ func (t *Tracee) attachProbes() error { | |||
return nil | |||
} | |||
|
|||
func (t *Tracee) initBPF() error { | |||
func (t *Tracee) initBPFProbes() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good. Logic split like that will make further refactor easier.
if _, ok := t.eventsState[events.PrintMemDump]; ok { | ||
for it := t.config.Policies.CreateAllIterator(); it.HasNext(); { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These two accesses will need to be rethought in the future.
eventsState
has a close relationship with policies, therefore it must either be incorporated into the policy package or a communication mechanism must be created between them.- instead of iterating policies to get a single event information we should provide it available via the PolicyManager (e.g.:
polManager.IsEventChosen(events.PrintMemDump)
.
To be replaced by #4092 that uses |
1. Explain what the PR does
f922536 chore(go.mod): update libbpfgo helpers
0d01802 feat(ksymbols): restore lazy ksyms implementtion
2. Explain how to test it
No change in behavior, all previous tests should pass.
Memory should be reduced, testable with:
ps -p
pgrep tracee-o pid,vsz,rss,cmd
and check rss.
3. Other comments