Fix ksymbols mem consumption 0.21 #4097
Closed
yanivagman
wants to merge
29
commits into
aquasecurity:main
from
yanivagman:fix_ksymbols_mem_consumption_0.21
Conversation
Fix an issue where usermode events were only created if they should be emitted. commit: cc1eea7 (main), cherry-pick
The previous probe was missing from different distros and kernels. The new probes are safer, but only exist starting from v5.8 of the kernel. commit: a496a9e (main), cherry-pick
…uasecurity#4020) The MAX_NUM_MODULES was recently decreased from 600 to 450 and is anyway relatively small. In case there are more modules to iterate on than the number of iterations done, it will report the rest as false positives. To mitigate that, an LRU holds the suspected events and waits until the scan finishes: if the scan finished successfully, it sends the events, and otherwise deletes them. This was introduced in kernel 6.5, where the mod_tree contains 3x as many nodes as before, and 450 iterations are not enough if there are about 450/3 modules loaded in the system. When it's possible to use bpf_loop (currently the RHEL verifier fails if the helper exists in the code; specific program loading might solve it), this patch needs to be reverted and the patch that uses bpf_loop needs to be used instead.
Allow the procfs scanning and querying to be configured by the user. For now Tracee only enables disabling the procfs querying upon lost events. This should help to improve performance on high-load systems.
Commit 3ddf73d changed various probe_read calls to probe_read_kernel. However, io capture relies on reading userspace buffers, as such the pointers being read are userspace pointers. Therefore the relevant calls in some of these changes, affecting IO capture, were changed to probe_read_user. commit: e08d553 (main), cherry-pick
Add an e2e instrumentation test for the vfs_writev event. Due to the event being broken on some kernels, it is currently disabled (missing in declaration in pr.yaml). commit: ce26df3 (main), cherry-pick
commit: d89195c (main), cherry-pick
Commit f806cb4 changed context initialization to occur in the submit stage. However, network events do not have access to that context during their submit stage (since they happen in a cgroup_skb program). Therefore, add a call to init_task_context in the pre cgroup bpf program (cgroup_bpf_run_filter_skb). In addition add a validation in the e2e tests so that task context initialization in network events doesn't break. commit: cf391b4 (main), cherry-pick
…security#4030) Recently, the process_execute_failed event implementation had been changed to use the new inner execute_finished event. This event has used syscall tracepoints in its implementation. However, tracepoints rely on debugfs, which was not a requirement of tracee until now. To remove this requirement (at least for now), move to use architecture-specific kprobes instead. (cherry picked from commit 14c106e)
aquasecurity#4037) The symbols_loaded event currently logs all errors received in its logic. However, there is a case where an object is loaded into a process which is not ELF (for example, jsa files of Java). As the event is not meant to parse such files, avoid logging errors in parsing them. (cherry picked from commit 134f281)
…ity#4041) Errors from the SO loader are pretty frequent because of race conditions. As the user has nothing to do with it, the log level should be lowered from WARN.
Fix aquasecurity#4012 The documentation sports a "Format" security event: https://aquasecurity.github.io/tracee/latest/docs/events/builtin/signatures/format/ This is some error with how the documentation got created by AI. Remove this "event" from docs.
…#4047) (aquasecurity#4052) Fix tests so they will make sure to close channels properly and clean goroutines. (cherry picked from commit cd7ed0d)
…asecurity#4055) This reverts commit 7d63078. commit: 70abe5e (main), cherry-pick
…ecurity#4057) commit: a458fa9 (main), cherry-pick Co-authored-by: Raphael Campos <raphaelcampos.rp@gmail.com>
Add limitation to the amount of logged objects in the changelog. This should help in reducing the chance of memory leakage.
The current process tree takes a lot of memory (~150MB from calculation). However, it is a new feature and not all of its info has a high chance to be used. For now, it was decided not to save the interpreter and interp information for processes until it is proven to be needed. This should reduce the process tree size by at least 60MB (but will probably reduce more than that).
File paths are created by concatenating the dentry names from the root to the file, and concatenating the file name at the end. Although each dentry and file name has a max length, the entire path has none. To avoid memory leakage caused by saving file paths, introduce a limit to the saved path length.
libelf might be built with zstd support in some environments, so for static builds (mainly) it is necessary to ensure that the zstd library is available. https://sourceware.org/git/?p=elfutils.git;a=commit;h=ed688a59b4d4f5ccf6ef15244e5a9139f71769a3 commit: 5e42f2c (main), cherry-pick
commit: d2cd2c3 (main), cherry-pick
AMIs have to be updated and installations like this commented out. commit: ba4db8b (main), cherry-pick
When running Tracee from within a container, multiple mount points of the cgroup filesystem may exist. In such cases, we need to ensure that we select the mountpoint from the host cgroup namespace. By checking for an inode equal to 1, we can identify the cgroupfs mountpoint belonging to the host cgroup namespace. This ensures that Tracee can discover preexisting containers using the host cgroup filesystem. Additionally, a warning log is emitted if the cgroup mountpoint does not have an inode of 1, indicating that it might not be part of the host cgroup namespace.
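The selection rule described in this commit (pick the cgroupfs mount whose root directory is inode 1, warn about any other candidate) as an added example in Go. This is illustration code written for this page, not Tracee's own implementation; the mountinfo excerpt is constructed, and the injected inode function is an assumption that lets the choice be exercised without a real cgroup filesystem.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"syscall"
)

// cgroupMount is one cgroup filesystem mount parsed from /proc/self/mountinfo.
type cgroupMount struct {
	MountPoint string
	FSType     string // "cgroup" (v1 hierarchies) or "cgroup2"
}

// hostCgroupRootInode is the inode of the root directory of the host cgroup
// namespace's cgroupfs. A mount created inside another cgroup namespace shows
// a sub-cgroup as its root and therefore reports a different inode.
const hostCgroupRootInode = 1

// mountinfo escapes space, tab, newline and backslash in paths as octal.
var mountPathUnescaper = strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)

// parseCgroupMounts extracts cgroup and cgroup2 mounts from mountinfo text.
// Each line has the form:
//   id parent major:minor root mountpoint opts [optional...] - fstype source superopts
func parseCgroupMounts(mountinfo string) []cgroupMount {
	var out []cgroupMount
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		sep := -1
		for i := 6; i < len(fields); i++ { // the "-" separator never precedes field 6
			if fields[i] == "-" {
				sep = i
				break
			}
		}
		if sep < 0 || sep+1 >= len(fields) {
			continue
		}
		fstype := fields[sep+1]
		if fstype != "cgroup" && fstype != "cgroup2" {
			continue
		}
		out = append(out, cgroupMount{
			MountPoint: mountPathUnescaper.Replace(fields[4]),
			FSType:     fstype,
		})
	}
	return out
}

// statInode returns the inode number of path via stat(2).
func statInode(path string) (uint64, error) {
	var st syscall.Stat_t
	if err := syscall.Stat(path, &st); err != nil {
		return 0, err
	}
	return uint64(st.Ino), nil
}

// selectHostCgroupMount returns the first cgroup mount whose root inode is 1,
// i.e. a view of the host cgroup namespace. Every other candidate is reported
// through warn and skipped. inode is injected (assumption for this example)
// so the logic can run without a real cgroupfs.
func selectHostCgroupMount(mounts []cgroupMount, inode func(string) (uint64, error), warn func(string)) (cgroupMount, error) {
	for _, m := range mounts {
		ino, err := inode(m.MountPoint)
		if err != nil {
			warn(fmt.Sprintf("cannot stat %s mount at %s: %v", m.FSType, m.MountPoint, err))
			continue
		}
		if ino == hostCgroupRootInode {
			return m, nil
		}
		warn(fmt.Sprintf("%s mount at %s has root inode %d, not %d: probably not the host cgroup namespace",
			m.FSType, m.MountPoint, ino, hostCgroupRootInode))
	}
	return cgroupMount{}, errors.New("no cgroup mount belonging to the host cgroup namespace was found")
}

// sampleMountInfo is a constructed /proc/self/mountinfo excerpt as seen from a
// container that has its own cgroup2 mount plus the host's one under /host.
const sampleMountInfo = `25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
35 25 0:30 /kube/pod-a /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
120 25 0:30 / /host/sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw
121 25 0:31 / /host/sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,name=systemd
`

func main() {
	mounts := parseCgroupMounts(sampleMountInfo)
	m, err := selectHostCgroupMount(mounts, statInode, func(msg string) { fmt.Println("WARN:", msg) })
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("host cgroup mount: %s (%s)\n", m.MountPoint, m.FSType)
}
```

On a real host, replace sampleMountInfo with the contents of /proc/self/mountinfo and keep statInode as the inode function; the warning path is what tells you that a mount is a cgroup-namespace-relative view rather than the host hierarchy.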
The GetCgroupPath function previously used recursion for directory traversal, which could consume excessive memory for deep directory structures. This commit refactors the function to use an iterative approach, reducing memory usage and improving performance. Additionally, the comments and error handling in the function have been updated for clarity and consistency.
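An iterative cgroup path lookup of the kind this commit describes, as an added example in Go (not Tracee's GetCgroupPath). It assumes, as cgroupfs guarantees, that the ID of a cgroup is the inode number of its directory, and uses an explicit stack so that memory use is bounded by the number of pending directories rather than by hierarchy depth; the demo tree in main is constructed in a temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

var errNotFound = errors.New("cgroup path not found")

// dirInode returns the inode of a directory entry. On cgroupfs the inode of a
// cgroup directory is the cgroup ID the kernel reports for that cgroup.
func dirInode(info os.FileInfo) (uint64, bool) {
	st, ok := info.Sys().(*syscall.Stat_t) // comma-ok: no panic on platforms without Stat_t
	if !ok {
		return 0, false
	}
	return uint64(st.Ino), true
}

// findCgroupPath searches rootDir for the directory whose inode equals
// cgroupID without recursion: directories still to visit are kept on a slice
// used as a stack, so a deep hierarchy costs pending entries, not call frames.
func findCgroupPath(rootDir string, cgroupID uint64) (string, error) {
	rootInfo, err := os.Stat(rootDir)
	if err != nil {
		return "", err
	}
	if ino, ok := dirInode(rootInfo); ok && ino == cgroupID {
		return rootDir, nil
	}
	stack := []string{rootDir}
	for len(stack) > 0 {
		dir := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		entries, err := os.ReadDir(dir)
		if err != nil {
			continue // unreadable subtree: skip it and keep searching the rest
		}
		for _, e := range entries {
			if !e.IsDir() {
				continue
			}
			info, err := e.Info()
			if err != nil {
				continue // cgroup removed between readdir and stat; common under churn
			}
			path := filepath.Join(dir, e.Name())
			if ino, ok := dirInode(info); ok && ino == cgroupID {
				return path, nil
			}
			stack = append(stack, path)
		}
	}
	return "", fmt.Errorf("cgroup id %d: %w", cgroupID, errNotFound)
}

func main() {
	// Constructed demo tree standing in for /sys/fs/cgroup.
	root, err := os.MkdirTemp("", "cgroup-demo")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(root)
	target := filepath.Join(root, "system.slice", "docker-abc.scope")
	if err := os.MkdirAll(target, 0o755); err != nil {
		fmt.Println("error:", err)
		return
	}
	info, _ := os.Stat(target)
	id, _ := dirInode(info)
	path, err := findCgroupPath(root, id)
	fmt.Println(path, err)
}
```

Against the real hierarchy, pass the host cgroupfs mountpoint as rootDir and the cgroup ID from the event as cgroupID.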
Copied helpers package from libbpfgo to local repo to avoid dependency issues. This eliminates frequent updates of libbpfgo and simplifies our workflow. Allows faster bug fixes and updates, improving development efficiency.
Ensure safe type assertions in kernel config parsing to prevent potential panics. Used type switch assignment and added type checks for value comparisons.
Ensure errors from file closures are handled to prevent potential issues. - Added deferred anonymous functions to check and log errors from f.Close(). - Improved logging for better error tracking.
This commit integrates the libbpfgo packages into the tracee repository. These packages were previously copied over from libbpfgo in a separate PR (aquasecurity#4090) to resolve dependency issues. Now, tracee is utilizing these packages, providing better compatibility and ensuring smoother development.
The hooked_syscalls event requires CAP_SYSLOG in order to refresh its symbol table when reading /proc/kallsyms. Add this missing dependency.
Use modified ksymbols implementation. The new implementation may take a list of required symbols and addresses to track. If the list is given, symbol scanning will only save those symbols or addresses which were given in the list. If a new symbol is queried, then a rescan is needed. Refactor tracee initialization to find all necessary symbols to track ahead of runtime. Co-authored-by: Geyslan Gregório <geyslan@gmail.com> Co-authored-by: Yaniv Agman <yanivagman@gmail.com>
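The behaviour this commit describes (scan kallsyms but keep only a required set of symbols, rescan when a symbol outside the set is queried), plus the CAP_SYSLOG dependency from the commit before it, as an added Go example. It is written for this page and is not Tracee's ksymbols package; the type and method names are assumptions, the kallsyms excerpt is constructed with made-up addresses, and the "all addresses are zero" check relies on the documented effect of kptr_restrict on readers without CAP_SYSLOG.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
	"sync"
)

// KernelSymbol is one /proc/kallsyms entry.
type KernelSymbol struct {
	Name    string
	Type    string // nm-style letter: T/t text, D/d data, R/r read-only data, ...
	Address uint64
	Owner   string // module providing the symbol, or "system" for vmlinux
}

var (
	ErrSymbolNotFound = errors.New("symbol not found")
	// With kptr_restrict set, kallsyms shows every address as zero to a reader
	// lacking CAP_SYSLOG; such a table is useless for hook detection.
	ErrAddressesHidden = errors.New("kallsyms addresses are all zero: reader lacks CAP_SYSLOG (kptr_restrict)")
)

// KernelSymbolTable stores only the symbols in its required set. Everything
// else is discarded at scan time instead of being kept in memory; querying a
// symbol outside the set adds it and triggers one rescan.
type KernelSymbolTable struct {
	mu       sync.Mutex
	open     func() (io.ReadCloser, error) // opens /proc/kallsyms or a stand-in
	required map[string]struct{}
	byName   map[string][]KernelSymbol
	scans    int
}

func NewKernelSymbolTable(open func() (io.ReadCloser, error), required ...string) (*KernelSymbolTable, error) {
	t := &KernelSymbolTable{open: open, required: make(map[string]struct{}, len(required))}
	for _, name := range required {
		t.required[name] = struct{}{}
	}
	if err := t.Refresh(); err != nil {
		return nil, err
	}
	return t, nil
}

// parseKallsymsLine parses lines such as "ffffffffc0a2b000 t ext4_init_fs\t[ext4]".
func parseKallsymsLine(line string) (KernelSymbol, bool) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return KernelSymbol{}, false
	}
	addr, err := strconv.ParseUint(f[0], 16, 64)
	if err != nil {
		return KernelSymbol{}, false
	}
	sym := KernelSymbol{Name: f[2], Type: f[1], Address: addr, Owner: "system"}
	if len(f) >= 4 {
		sym.Owner = strings.Trim(f[3], "[]")
	}
	return sym, true
}

// Refresh rescans the source, keeping only the required symbols.
func (t *KernelSymbolTable) Refresh() error {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.scanLocked()
}

func (t *KernelSymbolTable) scanLocked() error {
	r, err := t.open()
	if err != nil {
		return err
	}
	defer r.Close()
	byName := make(map[string][]KernelSymbol, len(t.required))
	total, nonZero := 0, 0
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		sym, ok := parseKallsymsLine(sc.Text())
		if !ok {
			continue
		}
		total++
		if sym.Address != 0 {
			nonZero++
		}
		if _, want := t.required[sym.Name]; !want {
			continue // not tracked: drop it rather than store it
		}
		byName[sym.Name] = append(byName[sym.Name], sym)
	}
	if err := sc.Err(); err != nil {
		return err
	}
	if total > 0 && nonZero == 0 {
		return ErrAddressesHidden
	}
	t.byName = byName
	t.scans++
	return nil
}

// GetSymbol returns all entries named name (a vmlinux symbol and a module
// symbol may share one). An untracked name is added and forces a rescan.
func (t *KernelSymbolTable) GetSymbol(name string) ([]KernelSymbol, error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if _, tracked := t.required[name]; !tracked {
		t.required[name] = struct{}{}
		if err := t.scanLocked(); err != nil {
			return nil, err
		}
	}
	syms := t.byName[name]
	if len(syms) == 0 {
		return nil, fmt.Errorf("%w: %s", ErrSymbolNotFound, name)
	}
	return syms, nil
}

// Scans reports how many times the source has been read.
func (t *KernelSymbolTable) Scans() int {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.scans
}

// sampleKallsyms is a constructed /proc/kallsyms excerpt; addresses are made up.
const sampleKallsyms = `ffffffff81000000 T _stext
ffffffff81000000 T _text
ffffffff8108b3e0 T commit_creds
ffffffff8108c120 T prepare_kernel_cred
ffffffff82001600 R sys_call_table
ffffffff82002000 R x32_sys_call_table
ffffffffc0a2b000 t ext4_init_fs	[ext4]
ffffffffc0b10040 T nf_conntrack_find_get	[nf_conntrack]
`

func sampleSource() (io.ReadCloser, error) {
	return io.NopCloser(strings.NewReader(sampleKallsyms)), nil
}

func main() {
	// On a real host: open = func() (io.ReadCloser, error) { return os.Open("/proc/kallsyms") }
	table, err := NewKernelSymbolTable(sampleSource, "sys_call_table", "commit_creds")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, name := range []string{"sys_call_table", "ext4_init_fs", "does_not_exist"} {
		syms, err := table.GetSymbol(name)
		if err != nil {
			fmt.Println(name, "->", err)
			continue
		}
		fmt.Printf("%s -> %#x (%s) after %d scans\n", name, syms[0].Address, syms[0].Owner, table.Scans())
	}
}
```

Declaring every symbol an event needs up front, as the commit's initialization refactor does, keeps the table at one scan; each late query for an untracked name costs a full pass over kallsyms.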
Wrong branch
1. Explain what the PR does
Also fix a missing dependency (CAP_SYSLOG) of hooked_syscall event
2. Explain how to test it
3. Other comments
Fix #4098