Fix ksymbols mem consumption 0.21 #4097
Commits on Apr 29, 2024
fix(events): create usermode events for submit
Fix an issue where usermode events are only created if they should be emitted. commit: cc1eea7 (main), cherry-pick
SHA: 3a743fa

fix(events): change process_execute_failed probes
The previous probe was missing from different distros and kernels. The new probes are safer, but only exist starting from v5.8 of the kernel. commit: a496a9e (main), cherry-pick
SHA: 1dea382

Commits on May 5, 2024
fix(events): hidden_kernel_module - change history scan behaviour (aquasecurity#4020)
The MAX_NUM_MODULES was recently decreased from 600 to 450 and is anyway relatively small. If there are more modules to iterate on than the number of iterations done, it will report the rest as false positives. To mitigate that, an LRU holds the suspected events and waits until the scan finishes: if the scan finished successfully, it sends the events, otherwise it deletes them. This was introduced in kernel 6.5, where the mod_tree contains 3x as many nodes as before, and 450 iterations are not enough if there are about 450/3 modules loaded in the system. When it's possible to use bpf_loop (currently the RHEL verifier fails if the helper exists in the code; specific program loading might solve it), this patch needs to be reverted and the patch that uses bpf_loop needs to be used instead.
SHA: f899a86

feat(proctree): control procfs query by config (aquasecurity#4022)
Allow the procfs scanning and querying to be configured by the user. For now Tracee only enables disabling the procfs querying upon lost events. This should help to improve performance on high-load systems.
SHA: b4be8a3

Commits on May 7, 2024
fix: restore io capture output
Commit 3ddf73d changed various probe_read calls to probe_read_kernel. However, io capture relies on reading userspace buffers, as such the pointers being read are userspace pointers. Therefore the relevant calls in some of these changes, affecting IO capture, were changed to probe_read_user. commit: e08d553 (main), cherry-pick
SHA: d8a6c25

tests(inst): add vfs_writev test (disabled)
Add an e2e instrumentation test for the vfs_writev event. Due to the event being broken on some kernels, it is currently disabled (missing declaration in pr.yaml). commit: ce26df3 (main), cherry-pick
SHA: cafc3ea

tests(integration): add capture tests
commit: d89195c (main), cherry-pick
SHA: 0609071

fix: network event context (aquasecurity#4029)
Commit f806cb4 changed context initialization to occur in the submit stage. However, network events do not have access to that context during their submit stage (since they happen in a cgroup_skb program). Therefore, add a call to init_task_context in the pre cgroup bpf program (cgroup_bpf_run_filter_skb). In addition add a validation in the e2e tests so that task context initialization in network events doesn't break. commit: cf391b4 (main), cherry-pick
SHA: 8c14a5f

Commits on May 8, 2024
fix(ebpf): use kprobes for execute_finished (aquasecurity#4025) (aquasecurity#4030)
Recently, the process_execute_failed event implementation had been changed to use the new inner execute_finished event. This event used syscall tracepoints in its implementation. However, tracepoints rely on debugfs, which was not a requirement of tracee until now. To remove this requirement (at least for now), move to use architecture-specific kprobes instead. (cherry picked from commit 14c106e)
SHA: fee4447

Commits on May 9, 2024
fix: avoid logging warnings for non-ELF so loading (aquasecurity#4034) (aquasecurity#4037)
The symbols_loaded event currently logs all errors received in its logic. However, there is a case where an object loaded into a process is not an ELF (for example, jsa files of Java). As the event is not meant to parse such files, avoid logging errors in parsing them. (cherry picked from commit 134f281)
SHA: 70a0841

Commits on May 13, 2024
chore(events): decrease SO loader error log level to debug (aquasecurity#4041)
Errors from the SO loader are pretty frequent because of race conditions. As the user has nothing to do with it, the log level should be lowered from WARN.
SHA: ea687e2

fix: remove invalid "format" event from docs
Fix aquasecurity#4012 The documentation sports a "Format" security event: https://aquasecurity.github.io/tracee/latest/docs/events/builtin/signatures/format/ This is some error with how the documentation got created by AI. Remove this "event" from docs.
SHA: 5653483

Commits on May 16, 2024
fix(tests): fix goroutines leakage in integration tests (aquasecurity#4047) (aquasecurity#4052)
Fix tests so they make sure to close channels properly and clean up goroutines. (cherry picked from commit cd7ed0d)
SHA: 1ba8a3d

Revert "chore(k8s): prepare v0.21.0 release (aquasecurity#4007)" (aquasecurity#4055)
This reverts commit 7d63078. commit: 70abe5e (main), cherry-pick
SHA: ce4fe64

chore(helm): rename helm field config file (aquasecurity#4018) (aquasecurity#4057)
commit: a458fa9 (main), cherry-pick Co-authored-by: Raphael Campos <raphaelcampos.rp@gmail.com>
SHA: 9e64ce2

Commits on May 21, 2024
feat(proctree): limit changelog size
Add a limit on the number of logged objects in the changelog. This should help in reducing the chance of memory leakage.
SHA: 5890f40

fix(proctree): reduce process info memory
The current process tree takes a lot of memory (~150MB by calculation). However, it is a new feature and not all of its info has a high chance of being used. For now, it was decided not to save the interpreter and interp information for processes until it is proven to be needed. This should reduce the process tree size by at least 60MB (but will probably reduce more than that).
SHA: 75a7915

fix(proctree): limit saved file path length
File paths are created by concatenating the dentry names from the root to the file, and concatenating the file name at the end. Although each dentry and file name has a max length, the entire path has none. To avoid memory leakage caused by saving file paths, introduce a limit on the saved path length.
SHA: 6143226

Commits on May 22, 2024
fix(build): static build might require zstd lib
libelf might be built with zstd support in some environments, so for static builds (mainly) it is necessary to ensure that the zstd library is available. https://sourceware.org/git/?p=elfutils.git;a=commit;h=ed688a59b4d4f5ccf6ef15244e5a9139f71769a3 commit: 5e42f2c (main), cherry-pick
SHA: e4e3f33

chore: install required bpftool from btfhub
commit: d2cd2c3 (main), cherry-pick
SHA: ef039e1

chore: temp fix for install libzstd on AMIs
AMIs have to be updated and installations like this commented out. commit: ba4db8b (main), cherry-pick
SHA: 3d7178e

Commits on May 26, 2024
fix: select cgroup mountpoint with the smallest inode number
When running Tracee from within a container, multiple mount points of the cgroup filesystem may exist. In such cases, we need to ensure that we select the mountpoint from the host cgroup namespace. By checking for an inode equal to 1, we can identify the cgroupfs mountpoint belonging to the host cgroup namespace. This ensures that Tracee can discover preexisting containers using the host cgroup filesystem. Additionally, a warning log is emitted if the cgroup mountpoint does not have an inode of 1, indicating that it might not be part of the host cgroup namespace.
SHA: 59566b4

Commits on May 29, 2024
Refactor: Optimize GetCgroupPath() memory utilization
The GetCgroupPath function previously used recursion for directory traversal, which could consume excessive memory for deep directory structures. This commit refactors the function to use an iterative approach, reducing memory usage and improving performance. Additionally, the comments and error handling in the function have been updated for clarity and consistency.
SHA: 738bd99

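Added example (editor's code, not Tracee's): a Go sketch of the two pieces described in the 59566b4 and 738bd99 commit messages above, namely picking the host cgroup mount by its inode-1 root (falling back to the smallest inode with a warning flag, as the commit title suggests) and the iterative, stack-based directory walk that replaces recursion in GetCgroupPath. The function names, the injected inodeOf lookup standing in for os.Stat, the mountinfo text, the inode tables and the in-memory directory tree are all assumptions made for the demo.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// Editor's example, not Tracee's code. inodeOf stands in for os.Stat(...).Sys().Ino;
// the mountinfo text, inode tables and directory tree below are constructed.

type cgroupMount struct{ Path, FSType string }

// parseCgroupMounts keeps the cgroup/cgroup2 lines of /proc/self/mountinfo. Fields before
// " - " are: id parent maj:min root mountpoint opts [optional...]; after it: fstype source superopts.
func parseCgroupMounts(mountinfo string) []cgroupMount {
	var out []cgroupMount
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		left, right, ok := strings.Cut(sc.Text(), " - ")
		lf, rf := strings.Fields(left), strings.Fields(right)
		if !ok || len(lf) < 6 || len(rf) < 1 {
			continue // malformed line
		}
		if t := rf[0]; t == "cgroup2" || t == "cgroup" {
			out = append(out, cgroupMount{Path: lf[4], FSType: t})
		}
	}
	return out
}

// selectHostCgroupMount prefers the mount whose root has inode 1, the root of the
// host cgroup namespace. Otherwise it returns the smallest inode with warn set, so
// the caller can log that the mount may belong to a container's namespace.
func selectHostCgroupMount(mounts []cgroupMount, inodeOf func(string) (uint64, error)) (sel cgroupMount, warn bool, err error) {
	bestIno := ^uint64(0)
	for _, m := range mounts {
		ino, e := inodeOf(m.Path)
		if e != nil {
			continue // unreadable candidate: skip it
		}
		if ino == 1 {
			return m, false, nil
		}
		if ino < bestIno {
			sel, bestIno = m, ino
		}
	}
	if sel.Path == "" {
		return sel, false, errors.New("no readable cgroup mount found")
	}
	return sel, true, nil
}

// findCgroupPath returns the directory under root whose inode equals cgroupID. It
// walks with an explicit stack instead of recursion, so memory is bounded by the
// number of pending directories rather than call depth, and it stops at maxDepth.
func findCgroupPath(root fs.FS, inodeOf func(string) (uint64, error), cgroupID uint64, maxDepth int) (string, error) {
	stack := []string{"."}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if ino, err := inodeOf(cur); err == nil && ino == cgroupID {
			return cur, nil
		}
		if cur != "." && strings.Count(cur, "/")+1 >= maxDepth {
			continue // depth limit reached
		}
		entries, err := fs.ReadDir(root, cur)
		if err != nil {
			continue // unreadable subtree: skip it rather than abort the search
		}
		for _, e := range entries {
			if e.IsDir() {
				stack = append(stack, path.Join(cur, e.Name()))
			}
		}
	}
	return "", fmt.Errorf("cgroup id %d not found under root", cgroupID)
}

func lookupInode(table map[string]uint64) func(string) (uint64, error) {
	return func(p string) (uint64, error) {
		if ino, ok := table[p]; ok {
			return ino, nil
		}
		return 0, fmt.Errorf("stat %s: no such entry", p)
	}
}

// Constructed data: the container's own cgroup2 mount and the host's, bind-mounted under /host.
const sampleMountinfo = `30 22 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:4 - cgroup2 cgroup2 rw,nsdelegate
31 22 0:26 / /host/sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,nsdelegate
35 22 0:28 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
`
var sampleMountInodes = map[string]uint64{"/sys/fs/cgroup": 4321, "/host/sys/fs/cgroup": 1}
var sampleCgroupFS = fstest.MapFS{"kubepods/pod1/container-a/cgroup.procs": {}, "system.slice/cgroup.procs": {}}
var sampleDirInodes = map[string]uint64{".": 1, "kubepods": 100, "kubepods/pod1": 200, "kubepods/pod1/container-a": 300, "system.slice": 400}

func main() {
	sel, warn, err := selectHostCgroupMount(parseCgroupMounts(sampleMountinfo), lookupInode(sampleMountInodes))
	fmt.Printf("mount=%s warn=%v err=%v\n", sel.Path, warn, err)
	p, err := findCgroupPath(sampleCgroupFS, lookupInode(sampleDirInodes), 300, 8)
	fmt.Printf("cgroup 300 -> %q err=%v\n", p, err)
}
```

On a real host the same code would take os.Stat on each mountpoint for inodeOf and os.DirFS(sel.Path) as root; the depth bound is what keeps a pathological or hostile cgroup tree from growing the pending-directory list without limit.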
Commits on Jun 2, 2024
chore: Move helpers package from libbpfgo to local repository
Copied helpers package from libbpfgo to local repo to avoid dependency issues. This eliminates frequent updates of libbpfgo and simplifies our workflow. Allows faster bug fixes and updates, improving development efficiency.
SHA: 51bbc8f

fix: unchecked type assertions in kernel config parsing
Ensure safe type assertions in kernel config parsing to prevent potential panics. Used type switch assignment and added type checks for value comparisons.
SHA: 5286aff

fix: unchecked errors for file closures
Ensure errors from file closures are handled to prevent potential issues.
- Added deferred anonymous functions to check and log errors from f.Close().
- Improved logging for better error tracking.
SHA: a8c5cc5

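Added example (editor's code, not Tracee's) covering the two commits above, 5286aff and a8c5cc5: a kernel config parser whose typed values are compared through a type switch rather than a bare `x.(T)` assertion, so a kind mismatch comes back as an error instead of a panic, plus a file loader that checks the error from f.Close() in a deferred closure. The type and function names, the value encoding (bool / int64 / string) and the sample config text are assumptions for the demo.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"os"
	"strconv"
	"strings"
)

// Editor's example, not Tracee's code. Values are stored as bool (y/n), int64
// (decimal or 0x hex) or string (quoted text and the tristate "m"), and every
// comparison goes through a type switch so a mismatch is an error, not a panic.

type KernelConfig map[string]interface{}

// parseKernelConfig reads CONFIG_KEY=value lines; "# CONFIG_X is not set" is a
// comment, so an unset option is simply absent from the map.
func parseKernelConfig(r io.Reader) (KernelConfig, error) {
	cfg := KernelConfig{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok || !strings.HasPrefix(key, "CONFIG_") {
			continue
		}
		cfg[key] = parseConfigValue(val)
	}
	return cfg, sc.Err()
}

func parseConfigValue(v string) interface{} {
	if v == "y" || v == "n" {
		return v == "y"
	}
	if strings.HasPrefix(v, `"`) {
		return strings.Trim(v, `"`)
	}
	if n, err := strconv.ParseInt(v, 0, 64); err == nil { // base 0 accepts 0x hex too
		return n
	}
	return v // tristate "m" and anything unrecognised stays a string
}

// Equals reports whether option key holds want. A missing option or a kind
// mismatch (e.g. an int option compared against a bool) comes back as an error.
func (c KernelConfig) Equals(key string, want interface{}) (bool, error) {
	got, ok := c[key]
	if !ok {
		return false, fmt.Errorf("%s is not set", key)
	}
	switch g := got.(type) {
	case bool:
		if w, ok := want.(bool); ok {
			return g == w, nil
		}
	case int64:
		switch w := want.(type) {
		case int64:
			return g == w, nil
		case int:
			return g == int64(w), nil
		}
	case string:
		if w, ok := want.(string); ok {
			return g == w, nil
		}
	}
	return false, fmt.Errorf("%s: stored as %T, compared against %T", key, got, want)
}

// loadKernelConfig reads a plain-text config such as /boot/config-$(uname -r) and
// checks the Close error in a deferred closure; a bare `defer f.Close()` drops it.
func loadKernelConfig(path string) (KernelConfig, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer func() {
		if cerr := f.Close(); cerr != nil {
			log.Printf("closing %s: %v", path, cerr)
		}
	}()
	return parseKernelConfig(f)
}

// Constructed sample, not captured from a real kernel.
const sampleKernelConfig = `CONFIG_BPF_SYSCALL=y
CONFIG_LOG_BUF_SHIFT=17
CONFIG_PHYSICAL_START=0x1000000
CONFIG_LOCALVERSION="-example"
CONFIG_OVERLAY_FS=m
# CONFIG_BPF_JIT_ALWAYS_ON is not set
`

func main() {
	cfg, err := parseKernelConfig(strings.NewReader(sampleKernelConfig))
	if err != nil {
		log.Fatal(err)
	}
	ok, err := cfg.Equals("CONFIG_BPF_SYSCALL", true)
	fmt.Println("CONFIG_BPF_SYSCALL=y:", ok, err)
	_, err = cfg.Equals("CONFIG_LOG_BUF_SHIFT", true) // kind mismatch: an error, not a panic
	fmt.Println("mismatch:", err)
}
```

For a read-only file the Close error is rarely actionable, but logging it is the commit's point: the same deferred pattern is what makes a failed flush on a written file visible instead of silently lost.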
chore: Integrate libbpfgo packages into project
This commit integrates the libbpfgo packages into the tracee repository. These packages were previously copied over from libbpfgo in a separate PR (aquasecurity#4090) to resolve dependency issues. Now, tracee is utilizing these packages, providing better compatibility and ensuring smoother development.
SHA: 5eee162

fix: add missing dependency for hooked_syscalls event
The hooked_syscalls event requires CAP_SYSLOG in order to refresh its symbol table when reading /proc/kallsyms. Add this missing dependency.
SHA: f76c502

feat(ksymbols): restore lazy ksyms implementation
Use modified ksymbols implementation. The new implementation may take a list of required symbols and addresses to track. If the list is given, symbol scanning will only save those symbols or addresses which were given in the list. If a new symbol is queried, then a rescan is needed. Refactor tracee initialization to find all necessary symbols to track ahead of runtime. Co-authored-by: Geyslan Gregório <geyslan@gmail.com> Co-authored-by: Yaniv Agman <yanivagman@gmail.com>
SHA: 03e3d7c

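Added example (editor's code, not Tracee's ksymbols package) for the two commits above, f76c502 and 03e3d7c: a lazy kernel symbol table that is given the names it must track up front, keeps only those while scanning, rescans when an untracked name is queried, exposes Refresh() for the hooked_syscalls style re-read after a module load, and reports a distinct error when every address reads as zero, which is what /proc/kallsyms shows to a reader without CAP_SYSLOG under kptr_restrict=1 (and to everyone under kptr_restrict=2). Only names are tracked here; a required-address set would work the same way. The type and method names, the source callback (os.Open("/proc/kallsyms") on a real host) and the kallsyms excerpt are assumptions for the demo.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Editor's example, not Tracee's ksymbols package. Only names are tracked here; a
// required-address set works the same way. Real input: os.Open("/proc/kallsyms").

type KernelSymbol struct {
	Name    string
	Address uint64
	Owner   string // module name, or "system" for symbols built into vmlinux
}

// ErrRestricted: every address read as zero, i.e. the reader lacks CAP_SYSLOG (kptr_restrict=1) or kptr_restrict=2.
var ErrRestricted = errors.New("kallsyms addresses hidden: need CAP_SYSLOG or lower kptr_restrict")

type KernelSymbolTable struct {
	open   func() (io.ReadCloser, error)
	want   map[string]struct{}       // names to keep; grows on cache misses
	byName map[string][]KernelSymbol // a name can repeat across modules
	Scans  int                       // full reads of the source so far
}

func NewKernelSymbolTable(open func() (io.ReadCloser, error), names []string) (*KernelSymbolTable, error) {
	t := &KernelSymbolTable{open: open, want: map[string]struct{}{}}
	for _, n := range names {
		t.want[n] = struct{}{}
	}
	if err := t.Refresh(); err != nil {
		return nil, err
	}
	return t, nil
}

// Refresh rereads the source, keeping only tracked names. Call it after a module
// load (the hooked_syscalls case above) to pick up that module's symbols.
func (t *KernelSymbolTable) Refresh() error {
	r, err := t.open()
	if err != nil {
		return err
	}
	defer r.Close()
	byName := map[string][]KernelSymbol{}
	total, zero := 0, 0
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // "<hex addr> <type> <name> [module]"
		if len(f) < 3 {
			continue
		}
		addr, perr := strconv.ParseUint(f[0], 16, 64)
		if perr != nil {
			continue
		}
		total++
		if addr == 0 {
			zero++
		}
		if _, wanted := t.want[f[2]]; wanted {
			s := KernelSymbol{Name: f[2], Address: addr, Owner: "system"}
			if len(f) > 3 {
				s.Owner = strings.Trim(f[3], "[]")
			}
			byName[s.Name] = append(byName[s.Name], s)
		}
	}
	if err := sc.Err(); err != nil {
		return err
	}
	if total > 0 && zero == total {
		return ErrRestricted // parsed fine, but every address was hidden
	}
	t.byName, t.Scans = byName, t.Scans+1
	return nil
}

// GetSymbolByName rescans once if name was never requested, then answers from the table.
func (t *KernelSymbolTable) GetSymbolByName(name string) ([]KernelSymbol, error) {
	if _, tracked := t.want[name]; !tracked {
		t.want[name] = struct{}{}
		if err := t.Refresh(); err != nil {
			return nil, err
		}
	}
	if syms := t.byName[name]; len(syms) > 0 {
		return syms, nil
	}
	return nil, fmt.Errorf("symbol %q not found", name)
}

// Constructed excerpt: addresses and the module name are made up.
const sampleKallsyms = `ffffffff81000000 T _stext
ffffffff810c2a40 T do_sys_open
ffffffff82001320 D sys_call_table
ffffffffc0a01000 t probe_handler [example_mod]
`

func main() {
	open := func() (io.ReadCloser, error) { return io.NopCloser(strings.NewReader(sampleKallsyms)), nil }
	tbl, err := NewKernelSymbolTable(open, []string{"sys_call_table"})
	if err != nil {
		panic(err)
	}
	s, err := tbl.GetSymbolByName("probe_handler") // untracked name: costs one rescan
	fmt.Println(s, err, "scans:", tbl.Scans)
}
```

The memory saving comes from byName holding only the tracked names rather than the whole table; the price is one full rescan per first-time miss, which is why the commit message moves symbol discovery ahead of runtime so that the tracked set is complete before events start flowing. Note that a hooked-syscall check would look at Owner: a syscall table entry resolving to a module-owned symbol rather than "system" is the signal.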