diff --git a/pkg/ebpf/probes/cgroup.go b/pkg/ebpf/probes/cgroup.go index 9b742f623106..4f592fa48d41 100644 --- a/pkg/ebpf/probes/cgroup.go +++ b/pkg/ebpf/probes/cgroup.go @@ -8,6 +8,8 @@ import ( "github.com/aquasecurity/tracee/pkg/errfmt" ) +// NOTE: thread-safety guaranteed by the ProbeGroup big lock. + // // Cgroup // @@ -23,14 +25,21 @@ import ( // // DetachAll() -type cgroupProbe struct { +type CgroupProbe struct { programName string attachType bpf.BPFAttachType bpfLink *bpf.BPFLink } -// attach attaches an eBPF program to a cgroup -func (p *cgroupProbe) attach(module *bpf.Module, args ...interface{}) error { +// NewCgroupProbe creates a new cgroup probe. +func NewCgroupProbe(a bpf.BPFAttachType, progName string) *CgroupProbe { + return &CgroupProbe{ + programName: progName, + attachType: a, + } +} + +func (p *CgroupProbe) attach(module *bpf.Module, args ...interface{}) error { var cgroups *cgroup.Cgroups for _, arg := range args { @@ -78,8 +87,7 @@ func (p *cgroupProbe) attach(module *bpf.Module, args ...interface{}) error { return nil } -// detach detaches an eBPF program from a cgroup -func (p *cgroupProbe) detach(args ...interface{}) error { +func (p *CgroupProbe) detach(args ...interface{}) error { var err error if p.bpfLink == nil { @@ -104,7 +112,6 @@ func (p *cgroupProbe) detach(args ...interface{}) error { return nil } -// autoload sets an eBPF program to autoload (true|false) -func (p *cgroupProbe) autoload(module *bpf.Module, autoload bool) error { +func (p *CgroupProbe) autoload(module *bpf.Module, autoload bool) error { return enableDisableAutoload(module, p.programName, autoload) } diff --git a/pkg/ebpf/probes/common.go b/pkg/ebpf/probes/common.go index 3985f125d7b2..6acec15e7e11 100644 --- a/pkg/ebpf/probes/common.go +++ b/pkg/ebpf/probes/common.go @@ -6,7 +6,7 @@ import ( "github.com/aquasecurity/tracee/pkg/errfmt" ) -// enableDisableAutoload enables or disables an eBPF program autoload setting +// enableDisableAutoload enables or disables an eBPF program automatic attachment to/from its hook. func enableDisableAutoload(module *bpf.Module, programName string, autoload bool) error { var err error diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go new file mode 100644 index 000000000000..81a800f416c8 --- /dev/null +++ b/pkg/ebpf/probes/probe_group.go @@ -0,0 +1,222 @@ +package probes + +import ( + "sync" + + bpf "github.com/aquasecurity/libbpfgo" + + "github.com/aquasecurity/tracee/pkg/errfmt" + "github.com/aquasecurity/tracee/pkg/logger" +) + +// +// ProbeGroup +// + +// ProbeGroup is a collection of probes. +type ProbeGroup struct { + probesLock *sync.Mutex // disallow concurrent access to the probe group + module *bpf.Module + probes map[Handle]Probe +} + +// NewProbeGroup creates a new ProbeGroup. +func NewProbeGroup(m *bpf.Module, p map[Handle]Probe) *ProbeGroup { + return &ProbeGroup{ + probesLock: &sync.Mutex{}, // no parallel attaching/detaching of probes + probes: p, + module: m, + } +} + +// GetProbe returns a probe type by its handle. +func (p *ProbeGroup) GetProbeType(handle Handle) string { + p.probesLock.Lock() + defer p.probesLock.Unlock() + + if r, ok := p.probes[handle]; ok { + if probe, ok := r.(*TraceProbe); ok { + switch probe.probeType { + case KProbe: + return "kprobe" + case KretProbe: + return "kretprobe" + case Tracepoint: + return "tracepoint" + case RawTracepoint: + return "raw_tracepoint" + } + } + } + + return "" +} + +// Attach attaches a probe's program to its hook, by given handle. +func (p *ProbeGroup) Attach(handle Handle, args ...interface{}) error { + p.probesLock.Lock() + defer p.probesLock.Unlock() + + if _, ok := p.probes[handle]; !ok { + return errfmt.Errorf("probe handle (%d) does not exist", handle) + } + + return p.probes[handle].attach(p.module, args...) +} + +// Detach detaches a probe's program from its hook, by given handle. +func (p *ProbeGroup) Detach(handle Handle, args ...interface{}) error { + p.probesLock.Lock() + defer p.probesLock.Unlock() + + if _, ok := p.probes[handle]; !ok { + return errfmt.Errorf("probe handle (%d) does not exist", handle) + } + + return p.probes[handle].detach(args...) +} + +// DetachAll detaches all existing probes programs from their hooks. +func (p *ProbeGroup) DetachAll() error { + p.probesLock.Lock() + defer p.probesLock.Unlock() + + for _, pr := range p.probes { + err := pr.detach() + if err != nil { + return errfmt.WrapError(err) + } + } + + return nil +} + +// Autoload disables autoload feature for a given handle's program. +func (p *ProbeGroup) Autoload(handle Handle, autoload bool) error { + p.probesLock.Lock() + defer p.probesLock.Unlock() + return p.probes[handle].autoload(p.module, autoload) +} + +// NewDefaultProbeGroup initializes the default ProbeGroup (TODO: extensions will use probe groups) +func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, error) { + binaryPath := "/proc/self/exe" + + allProbes := map[Handle]Probe{ + SysEnter: NewTraceProbe(RawTracepoint, "raw_syscalls:sys_enter", "trace_sys_enter"), + SyscallEnter__Internal: NewTraceProbe(RawTracepoint, "raw_syscalls:sys_enter", "tracepoint__raw_syscalls__sys_enter"), + SysExit: NewTraceProbe(RawTracepoint, "raw_syscalls:sys_exit", "trace_sys_exit"), + SyscallExit__Internal: NewTraceProbe(RawTracepoint, "raw_syscalls:sys_exit", "tracepoint__raw_syscalls__sys_exit"), + SchedProcessFork: NewTraceProbe(RawTracepoint, "sched:sched_process_fork", "tracepoint__sched__sched_process_fork"), + SchedProcessExec: NewTraceProbe(RawTracepoint, "sched:sched_process_exec", "tracepoint__sched__sched_process_exec"), + SchedProcessExit: NewTraceProbe(RawTracepoint, "sched:sched_process_exit", "tracepoint__sched__sched_process_exit"), + SchedProcessFree: NewTraceProbe(RawTracepoint, "sched:sched_process_free", "tracepoint__sched__sched_process_free"), + SchedSwitch: NewTraceProbe(RawTracepoint, "sched:sched_switch", "tracepoint__sched__sched_switch"), + DoExit: NewTraceProbe(KProbe, "do_exit", "trace_do_exit"), + CapCapable: NewTraceProbe(KProbe, "cap_capable", "trace_cap_capable"), + VfsWrite: NewTraceProbe(KProbe, "vfs_write", "trace_vfs_write"), + VfsWriteRet: NewTraceProbe(KretProbe, "vfs_write", "trace_ret_vfs_write"), + VfsWriteV: NewTraceProbe(KProbe, "vfs_writev", "trace_vfs_writev"), + VfsWriteVRet: NewTraceProbe(KretProbe, "vfs_writev", "trace_ret_vfs_writev"), + KernelWrite: NewTraceProbe(KProbe, "__kernel_write", "trace_kernel_write"), + KernelWriteRet: NewTraceProbe(KretProbe, "__kernel_write", "trace_ret_kernel_write"), + CgroupAttachTask: NewTraceProbe(RawTracepoint, "cgroup:cgroup_attach_task", "tracepoint__cgroup__cgroup_attach_task"), + CgroupMkdir: NewTraceProbe(RawTracepoint, "cgroup:cgroup_mkdir", "tracepoint__cgroup__cgroup_mkdir"), + CgroupRmdir: NewTraceProbe(RawTracepoint, "cgroup:cgroup_rmdir", "tracepoint__cgroup__cgroup_rmdir"), + SecurityBPRMCheck: NewTraceProbe(KProbe, "security_bprm_check", "trace_security_bprm_check"), + SecurityFileOpen: NewTraceProbe(KProbe, "security_file_open", "trace_security_file_open"), + SecurityFilePermission: NewTraceProbe(KProbe, "security_file_permission", "trace_security_file_permission"), + SecuritySocketCreate: NewTraceProbe(KProbe, "security_socket_create", "trace_security_socket_create"), + SecuritySocketListen: NewTraceProbe(KProbe, "security_socket_listen", "trace_security_socket_listen"), + SecuritySocketConnect: NewTraceProbe(KProbe, "security_socket_connect", "trace_security_socket_connect"), + SecuritySocketAccept: NewTraceProbe(KProbe, "security_socket_accept", "trace_security_socket_accept"), + SecuritySocketBind: NewTraceProbe(KProbe, "security_socket_bind", "trace_security_socket_bind"), + SecuritySocketSetsockopt: NewTraceProbe(KProbe, "security_socket_setsockopt", "trace_security_socket_setsockopt"), + SecuritySbMount: NewTraceProbe(KProbe, "security_sb_mount", "trace_security_sb_mount"), + SecurityBPF: NewTraceProbe(KProbe, "security_bpf", "trace_security_bpf"), + SecurityBPFMap: NewTraceProbe(KProbe, "security_bpf_map", "trace_security_bpf_map"), + SecurityKernelReadFile: NewTraceProbe(KProbe, "security_kernel_read_file", "trace_security_kernel_read_file"), + SecurityKernelPostReadFile: NewTraceProbe(KProbe, "security_kernel_post_read_file", "trace_security_kernel_post_read_file"), + SecurityInodeMknod: NewTraceProbe(KProbe, "security_inode_mknod", "trace_security_inode_mknod"), + SecurityInodeSymlink: NewTraceProbe(KProbe, "security_inode_symlink", "trace_security_inode_symlink"), + SecurityInodeUnlink: NewTraceProbe(KProbe, "security_inode_unlink", "trace_security_inode_unlink"), + SecurityMmapAddr: NewTraceProbe(KProbe, "security_mmap_addr", "trace_mmap_alert"), + SecurityMmapFile: NewTraceProbe(KProbe, "security_mmap_file", "trace_security_mmap_file"), + DoSplice: NewTraceProbe(KProbe, "do_splice", "trace_do_splice"), + DoSpliceRet: NewTraceProbe(KretProbe, "do_splice", "trace_ret_do_splice"), + ProcCreate: NewTraceProbe(KProbe, "proc_create", "trace_proc_create"), + SecurityFileMProtect: NewTraceProbe(KProbe, "security_file_mprotect", "trace_security_file_mprotect"), + CommitCreds: NewTraceProbe(KProbe, "commit_creds", "trace_commit_creds"), + SwitchTaskNS: NewTraceProbe(KProbe, "switch_task_namespaces", "trace_switch_task_namespaces"), + RegisterKprobe: NewTraceProbe(KProbe, "register_kprobe", "trace_register_kprobe"), + RegisterKprobeRet: NewTraceProbe(KretProbe, "register_kprobe", "trace_ret_register_kprobe"), + CallUsermodeHelper: NewTraceProbe(KProbe, "call_usermodehelper", "trace_call_usermodehelper"), + DebugfsCreateFile: NewTraceProbe(KProbe, "debugfs_create_file", "trace_debugfs_create_file"), + DebugfsCreateDir: NewTraceProbe(KProbe, "debugfs_create_dir", "trace_debugfs_create_dir"), + DeviceAdd: NewTraceProbe(KProbe, "device_add", "trace_device_add"), + RegisterChrdev: NewTraceProbe(KProbe, "__register_chrdev", "trace___register_chrdev"), + RegisterChrdevRet: NewTraceProbe(KretProbe, "__register_chrdev", "trace_ret__register_chrdev"), + DoInitModule: NewTraceProbe(KProbe, "do_init_module", "trace_do_init_module"), + DoInitModuleRet: NewTraceProbe(KretProbe, "do_init_module", "trace_ret_do_init_module"), + LoadElfPhdrs: NewTraceProbe(KProbe, "load_elf_phdrs", "trace_load_elf_phdrs"), + Filldir64: NewTraceProbe(KProbe, "filldir64", "trace_filldir64"), + TaskRename: NewTraceProbe(RawTracepoint, "task:task_rename", "tracepoint__task__task_rename"), + PrintSyscallTable: NewUprobe("print_syscall_table", "uprobe_syscall_trigger", binaryPath, "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerSyscallsIntegrityCheckCall"), + HiddenKernelModuleSeeker: NewUprobe("hidden_kernel_module", "uprobe_lkm_seeker", binaryPath, "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerKernelModuleSeeker"), + HiddenKernelModuleVerifier: NewUprobe("hidden_kernel_module", "uprobe_lkm_seeker_submitter", binaryPath, "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerKernelModuleSubmitter"), + PrintNetSeqOps: NewUprobe("print_net_seq_ops", "uprobe_seq_ops_trigger", binaryPath, "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerSeqOpsIntegrityCheckCall"), + PrintMemDump: NewUprobe("print_mem_dump", "uprobe_mem_dump_trigger", binaryPath, "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerMemDumpCall"), + SecurityInodeRename: NewTraceProbe(KProbe, "security_inode_rename", "trace_security_inode_rename"), + DoSigaction: NewTraceProbe(KProbe, "do_sigaction", "trace_do_sigaction"), + SecurityBpfProg: NewTraceProbe(KProbe, "security_bpf_prog", "trace_security_bpf_prog"), + SecurityFileIoctl: NewTraceProbe(KProbe, "security_file_ioctl", "trace_security_file_ioctl"), + CheckHelperCall: NewTraceProbe(KProbe, "check_helper_call", "trace_check_helper_call"), + CheckMapFuncCompatibility: NewTraceProbe(KProbe, "check_map_func_compatibility", "trace_check_map_func_compatibility"), + KallsymsLookupName: NewTraceProbe(KProbe, "kallsyms_lookup_name", "trace_kallsyms_lookup_name"), + KallsymsLookupNameRet: NewTraceProbe(KretProbe, "kallsyms_lookup_name", "trace_ret_kallsyms_lookup_name"), + SockAllocFile: NewTraceProbe(KProbe, "sock_alloc_file", "trace_sock_alloc_file"), + SockAllocFileRet: NewTraceProbe(KretProbe, "sock_alloc_file", "trace_ret_sock_alloc_file"), + SecuritySkClone: NewTraceProbe(KProbe, "security_sk_clone", "trace_security_sk_clone"), + SecuritySocketSendmsg: NewTraceProbe(KProbe, "security_socket_sendmsg", "trace_security_socket_sendmsg"), + SecuritySocketRecvmsg: NewTraceProbe(KProbe, "security_socket_recvmsg", "trace_security_socket_recvmsg"), + CgroupBPFRunFilterSKB: NewTraceProbe(KProbe, "__cgroup_bpf_run_filter_skb", "cgroup_bpf_run_filter_skb"), + CgroupSKBIngress: NewCgroupProbe(bpf.BPFAttachTypeCgroupInetIngress, "cgroup_skb_ingress"), + CgroupSKBEgress: NewCgroupProbe(bpf.BPFAttachTypeCgroupInetEgress, "cgroup_skb_egress"), + DoMmap: NewTraceProbe(KProbe, "do_mmap", "trace_do_mmap"), + DoMmapRet: NewTraceProbe(KretProbe, "do_mmap", "trace_ret_do_mmap"), + VfsRead: NewTraceProbe(KProbe, "vfs_read", "trace_vfs_read"), + VfsReadRet: NewTraceProbe(KretProbe, "vfs_read", "trace_ret_vfs_read"), + VfsReadV: NewTraceProbe(KProbe, "vfs_readv", "trace_vfs_readv"), + VfsReadVRet: NewTraceProbe(KretProbe, "vfs_readv", "trace_ret_vfs_readv"), + VfsUtimes: NewTraceProbe(KProbe, "vfs_utimes", "trace_vfs_utimes"), + UtimesCommon: NewTraceProbe(KProbe, "utimes_common", "trace_utimes_common"), + DoTruncate: NewTraceProbe(KProbe, "do_truncate", "trace_do_truncate"), + FileUpdateTime: NewTraceProbe(KProbe, "file_update_time", "trace_file_update_time"), + FileUpdateTimeRet: NewTraceProbe(KretProbe, "file_update_time", "trace_ret_file_update_time"), + FileModified: NewTraceProbe(KProbe, "file_modified", "trace_file_modified"), + FileModifiedRet: NewTraceProbe(KretProbe, "file_modified", "trace_ret_file_modified"), + FdInstall: NewTraceProbe(KProbe, "fd_install", "trace_fd_install"), + FilpClose: NewTraceProbe(KProbe, "filp_close", "trace_filp_close"), + InotifyFindInode: NewTraceProbe(KProbe, "inotify_find_inode", "trace_inotify_find_inode"), + InotifyFindInodeRet: NewTraceProbe(KretProbe, "inotify_find_inode", "trace_ret_inotify_find_inode"), + BpfCheck: NewTraceProbe(KProbe, "bpf_check", "trace_bpf_check"), + ExecBinprm: NewTraceProbe(KProbe, "exec_binprm", "trace_exec_binprm"), + ExecBinprmRet: NewTraceProbe(KretProbe, "exec_binprm", "trace_ret_exec_binprm"), + TpProbeRegPrioMayExist: NewTraceProbe(KProbe, "tracepoint_probe_register_prio_may_exist", "trace_tracepoint_probe_register_prio_may_exist"), + ModuleLoad: NewTraceProbe(RawTracepoint, "module:module_load", "tracepoint__module__module_load"), + ModuleFree: NewTraceProbe(RawTracepoint, "module:module_free", "tracepoint__module__module_free"), + LayoutAndAllocate: NewTraceProbe(KretProbe, "layout_and_allocate", "trace_ret_layout_and_allocate"), + } + + if !netEnabled { + // disable network cgroup probes (avoid effective CAP_NET_ADMIN if not needed) + if err := allProbes[CgroupSKBIngress].autoload(module, false); err != nil { + logger.Errorw("CgroupSKBIngress probe autoload", "error", err) + } + if err := allProbes[CgroupSKBEgress].autoload(module, false); err != nil { + logger.Errorw("CgroupSKBEgress probe autoload", "error", err) + } + } + + return NewProbeGroup(module, allProbes), nil +} diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go index 010e200fdec3..153c41d3e2df 100644 --- a/pkg/ebpf/probes/probes.go +++ b/pkg/ebpf/probes/probes.go @@ -2,241 +2,23 @@ package probes import ( bpf "github.com/aquasecurity/libbpfgo" - - "github.com/aquasecurity/tracee/pkg/errfmt" - "github.com/aquasecurity/tracee/pkg/logger" ) -// -// Probes: -// -// NOTE: keeping both (Probes and Probe) interfaces with variadic args on -// **purpose** until we define real use cases, by extending supported -// "probes" types (trace, tc, socket, xdp, tunnel, cgroup, ...) ** -// - -type Probes interface { - Attach(handle Handle, args ...interface{}) error - Detach(handle Handle, args ...interface{}) error - DetachAll() error - GetProbeType(handle Handle) string - GetEventName(handle Handle) (string, string) -} - -type probes struct { - module *bpf.Module - probes map[Handle]Probe -} - -// Init initializes a Probes interface -func Init(module *bpf.Module, netEnabled bool) (Probes, error) { - binaryPath := "/proc/self/exe" - - allProbes := map[Handle]Probe{ - SysEnter: &traceProbe{eventName: "raw_syscalls:sys_enter", probeType: rawTracepoint, programName: "trace_sys_enter"}, - SyscallEnter__Internal: &traceProbe{eventName: "raw_syscalls:sys_enter", probeType: rawTracepoint, programName: "tracepoint__raw_syscalls__sys_enter"}, - SysExit: &traceProbe{eventName: "raw_syscalls:sys_exit", probeType: rawTracepoint, programName: "trace_sys_exit"}, - SyscallExit__Internal: &traceProbe{eventName: "raw_syscalls:sys_exit", probeType: rawTracepoint, programName: "tracepoint__raw_syscalls__sys_exit"}, - SchedProcessFork: &traceProbe{eventName: "sched:sched_process_fork", probeType: rawTracepoint, programName: "tracepoint__sched__sched_process_fork"}, - SchedProcessExec: &traceProbe{eventName: "sched:sched_process_exec", probeType: rawTracepoint, programName: "tracepoint__sched__sched_process_exec"}, - SchedProcessExit: &traceProbe{eventName: "sched:sched_process_exit", probeType: rawTracepoint, programName: "tracepoint__sched__sched_process_exit"}, - SchedProcessFree: &traceProbe{eventName: "sched:sched_process_free", probeType: rawTracepoint, programName: "tracepoint__sched__sched_process_free"}, - SchedSwitch: &traceProbe{eventName: "sched:sched_switch", probeType: rawTracepoint, programName: "tracepoint__sched__sched_switch"}, - DoExit: &traceProbe{eventName: "do_exit", probeType: kprobe, programName: "trace_do_exit"}, - CapCapable: &traceProbe{eventName: "cap_capable", probeType: kprobe, programName: "trace_cap_capable"}, - VfsWrite: &traceProbe{eventName: "vfs_write", probeType: kprobe, programName: "trace_vfs_write"}, - VfsWriteRet: &traceProbe{eventName: "vfs_write", probeType: kretprobe, programName: "trace_ret_vfs_write"}, - VfsWriteV: &traceProbe{eventName: "vfs_writev", probeType: kprobe, programName: "trace_vfs_writev"}, - VfsWriteVRet: &traceProbe{eventName: "vfs_writev", probeType: kretprobe, programName: "trace_ret_vfs_writev"}, - KernelWrite: &traceProbe{eventName: "__kernel_write", probeType: kprobe, programName: "trace_kernel_write"}, - KernelWriteRet: &traceProbe{eventName: "__kernel_write", probeType: kretprobe, programName: "trace_ret_kernel_write"}, - CgroupAttachTask: &traceProbe{eventName: "cgroup:cgroup_attach_task", probeType: rawTracepoint, programName: "tracepoint__cgroup__cgroup_attach_task"}, - CgroupMkdir: &traceProbe{eventName: "cgroup:cgroup_mkdir", probeType: rawTracepoint, programName: "tracepoint__cgroup__cgroup_mkdir"}, - CgroupRmdir: &traceProbe{eventName: "cgroup:cgroup_rmdir", probeType: rawTracepoint, programName: "tracepoint__cgroup__cgroup_rmdir"}, - SecurityBPRMCheck: &traceProbe{eventName: "security_bprm_check", probeType: kprobe, programName: "trace_security_bprm_check"}, - SecurityFileOpen: &traceProbe{eventName: "security_file_open", probeType: kprobe, programName: "trace_security_file_open"}, - SecurityFilePermission: &traceProbe{eventName: "security_file_permission", probeType: kprobe, programName: "trace_security_file_permission"}, - SecuritySocketCreate: &traceProbe{eventName: "security_socket_create", probeType: kprobe, programName: "trace_security_socket_create"}, - SecuritySocketListen: &traceProbe{eventName: "security_socket_listen", probeType: kprobe, programName: "trace_security_socket_listen"}, - SecuritySocketConnect: &traceProbe{eventName: "security_socket_connect", probeType: kprobe, programName: "trace_security_socket_connect"}, - SecuritySocketAccept: &traceProbe{eventName: "security_socket_accept", probeType: kprobe, programName: "trace_security_socket_accept"}, - SecuritySocketBind: &traceProbe{eventName: "security_socket_bind", probeType: kprobe, programName: "trace_security_socket_bind"}, - SecuritySocketSetsockopt: &traceProbe{eventName: "security_socket_setsockopt", probeType: kprobe, programName: "trace_security_socket_setsockopt"}, - SecuritySbMount: &traceProbe{eventName: "security_sb_mount", probeType: kprobe, programName: "trace_security_sb_mount"}, - SecurityBPF: &traceProbe{eventName: "security_bpf", probeType: kprobe, programName: "trace_security_bpf"}, - SecurityBPFMap: &traceProbe{eventName: "security_bpf_map", probeType: kprobe, programName: "trace_security_bpf_map"}, - SecurityKernelReadFile: &traceProbe{eventName: "security_kernel_read_file", probeType: kprobe, programName: "trace_security_kernel_read_file"}, - SecurityKernelPostReadFile: &traceProbe{eventName: "security_kernel_post_read_file", probeType: kprobe, programName: "trace_security_kernel_post_read_file"}, - SecurityInodeMknod: &traceProbe{eventName: "security_inode_mknod", probeType: kprobe, programName: "trace_security_inode_mknod"}, - SecurityInodeSymlink: &traceProbe{eventName: "security_inode_symlink", probeType: kprobe, programName: "trace_security_inode_symlink"}, - SecurityInodeUnlink: &traceProbe{eventName: "security_inode_unlink", probeType: kprobe, programName: "trace_security_inode_unlink"}, - SecurityMmapAddr: &traceProbe{eventName: "security_mmap_addr", probeType: kprobe, programName: "trace_mmap_alert"}, - SecurityMmapFile: &traceProbe{eventName: "security_mmap_file", probeType: kprobe, programName: "trace_security_mmap_file"}, - DoSplice: &traceProbe{eventName: "do_splice", probeType: kprobe, programName: "trace_do_splice"}, - DoSpliceRet: &traceProbe{eventName: "do_splice", probeType: kretprobe, programName: "trace_ret_do_splice"}, - ProcCreate: &traceProbe{eventName: "proc_create", probeType: kprobe, programName: "trace_proc_create"}, - SecurityFileMProtect: &traceProbe{eventName: "security_file_mprotect", probeType: kprobe, programName: "trace_security_file_mprotect"}, - CommitCreds: &traceProbe{eventName: "commit_creds", probeType: kprobe, programName: "trace_commit_creds"}, - SwitchTaskNS: &traceProbe{eventName: "switch_task_namespaces", probeType: kprobe, programName: "trace_switch_task_namespaces"}, - RegisterKprobe: &traceProbe{eventName: "register_kprobe", probeType: kprobe, programName: "trace_register_kprobe"}, - RegisterKprobeRet: &traceProbe{eventName: "register_kprobe", probeType: kretprobe, programName: "trace_ret_register_kprobe"}, - CallUsermodeHelper: &traceProbe{eventName: "call_usermodehelper", probeType: kprobe, programName: "trace_call_usermodehelper"}, - DebugfsCreateFile: &traceProbe{eventName: "debugfs_create_file", probeType: kprobe, programName: "trace_debugfs_create_file"}, - DebugfsCreateDir: &traceProbe{eventName: "debugfs_create_dir", probeType: kprobe, programName: "trace_debugfs_create_dir"}, - DeviceAdd: &traceProbe{eventName: "device_add", probeType: kprobe, programName: "trace_device_add"}, - RegisterChrdev: &traceProbe{eventName: "__register_chrdev", probeType: kprobe, programName: "trace___register_chrdev"}, - RegisterChrdevRet: &traceProbe{eventName: "__register_chrdev", probeType: kretprobe, programName: "trace_ret__register_chrdev"}, - DoInitModule: &traceProbe{eventName: "do_init_module", probeType: kprobe, programName: "trace_do_init_module"}, - DoInitModuleRet: &traceProbe{eventName: "do_init_module", probeType: kretprobe, programName: "trace_ret_do_init_module"}, - LoadElfPhdrs: &traceProbe{eventName: "load_elf_phdrs", probeType: kprobe, programName: "trace_load_elf_phdrs"}, - Filldir64: &traceProbe{eventName: "filldir64", probeType: kprobe, programName: "trace_filldir64"}, - TaskRename: &traceProbe{eventName: "task:task_rename", probeType: rawTracepoint, programName: "tracepoint__task__task_rename"}, - PrintSyscallTable: &uProbe{eventName: "print_syscall_table", binaryPath: binaryPath, symbolName: "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerSyscallsIntegrityCheckCall", programName: "uprobe_syscall_trigger"}, - HiddenKernelModuleSeeker: &uProbe{eventName: "hidden_kernel_module", binaryPath: binaryPath, symbolName: "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerKernelModuleSeeker", programName: "uprobe_lkm_seeker"}, - HiddenKernelModuleVerifier: &uProbe{eventName: "hidden_kernel_module", binaryPath: binaryPath, symbolName: "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerKernelModuleSubmitter", programName: "uprobe_lkm_seeker_submitter"}, - PrintNetSeqOps: &uProbe{eventName: "print_net_seq_ops", binaryPath: binaryPath, symbolName: "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerSeqOpsIntegrityCheckCall", programName: "uprobe_seq_ops_trigger"}, - PrintMemDump: &uProbe{eventName: "print_mem_dump", binaryPath: binaryPath, symbolName: "github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerMemDumpCall", programName: "uprobe_mem_dump_trigger"}, - SecurityInodeRename: &traceProbe{eventName: "security_inode_rename", probeType: kprobe, programName: "trace_security_inode_rename"}, - DoSigaction: &traceProbe{eventName: "do_sigaction", probeType: kprobe, programName: "trace_do_sigaction"}, - SecurityBpfProg: &traceProbe{eventName: "security_bpf_prog", probeType: kprobe, programName: "trace_security_bpf_prog"}, - SecurityFileIoctl: &traceProbe{eventName: "security_file_ioctl", probeType: kprobe, programName: "trace_security_file_ioctl"}, - CheckHelperCall: &traceProbe{eventName: "check_helper_call", probeType: kprobe, programName: "trace_check_helper_call"}, - CheckMapFuncCompatibility: &traceProbe{eventName: "check_map_func_compatibility", probeType: kprobe, programName: "trace_check_map_func_compatibility"}, - KallsymsLookupName: &traceProbe{eventName: "kallsyms_lookup_name", probeType: kprobe, programName: "trace_kallsyms_lookup_name"}, - KallsymsLookupNameRet: &traceProbe{eventName: "kallsyms_lookup_name", probeType: kretprobe, programName: "trace_ret_kallsyms_lookup_name"}, - SockAllocFile: &traceProbe{eventName: "sock_alloc_file", probeType: kprobe, programName: "trace_sock_alloc_file"}, - SockAllocFileRet: &traceProbe{eventName: "sock_alloc_file", probeType: kretprobe, programName: "trace_ret_sock_alloc_file"}, - SecuritySkClone: &traceProbe{eventName: "security_sk_clone", probeType: kprobe, programName: "trace_security_sk_clone"}, - SecuritySocketSendmsg: &traceProbe{eventName: "security_socket_sendmsg", probeType: kprobe, programName: "trace_security_socket_sendmsg"}, - SecuritySocketRecvmsg: &traceProbe{eventName: "security_socket_recvmsg", probeType: kprobe, programName: "trace_security_socket_recvmsg"}, - CgroupBPFRunFilterSKB: &traceProbe{eventName: "__cgroup_bpf_run_filter_skb", probeType: kprobe, programName: "cgroup_bpf_run_filter_skb"}, - CgroupSKBIngress: &cgroupProbe{programName: "cgroup_skb_ingress", attachType: bpf.BPFAttachTypeCgroupInetIngress}, - CgroupSKBEgress: &cgroupProbe{programName: "cgroup_skb_egress", attachType: bpf.BPFAttachTypeCgroupInetEgress}, - DoMmap: &traceProbe{eventName: "do_mmap", probeType: kprobe, programName: "trace_do_mmap"}, - DoMmapRet: &traceProbe{eventName: "do_mmap", probeType: kretprobe, programName: "trace_ret_do_mmap"}, - VfsRead: &traceProbe{eventName: "vfs_read", probeType: kprobe, programName: "trace_vfs_read"}, - VfsReadRet: &traceProbe{eventName: "vfs_read", probeType: kretprobe, programName: "trace_ret_vfs_read"}, - VfsReadV: &traceProbe{eventName: "vfs_readv", probeType: kprobe, programName: "trace_vfs_readv"}, - VfsReadVRet: &traceProbe{eventName: "vfs_readv", probeType: kretprobe, programName: "trace_ret_vfs_readv"}, - VfsUtimes: &traceProbe{eventName: "vfs_utimes", probeType: kprobe, programName: "trace_vfs_utimes"}, - UtimesCommon: &traceProbe{eventName: "utimes_common", probeType: kprobe, programName: "trace_utimes_common"}, - DoTruncate: &traceProbe{eventName: "do_truncate", probeType: kprobe, programName: "trace_do_truncate"}, - FileUpdateTime: &traceProbe{eventName: "file_update_time", probeType: kprobe, programName: "trace_file_update_time"}, - FileUpdateTimeRet: &traceProbe{eventName: "file_update_time", probeType: kretprobe, programName: "trace_ret_file_update_time"}, - FileModified: &traceProbe{eventName: "file_modified", probeType: kprobe, programName: "trace_file_modified"}, - FileModifiedRet: &traceProbe{eventName: "file_modified", probeType: kretprobe, programName: "trace_ret_file_modified"}, - FdInstall: &traceProbe{eventName: "fd_install", probeType: kprobe, programName: "trace_fd_install"}, - FilpClose: &traceProbe{eventName: "filp_close", probeType: kprobe, programName: "trace_filp_close"}, - InotifyFindInode: &traceProbe{eventName: "inotify_find_inode", probeType: kprobe, programName: "trace_inotify_find_inode"}, - InotifyFindInodeRet: &traceProbe{eventName: "inotify_find_inode", probeType: kretprobe, programName: "trace_ret_inotify_find_inode"}, - BpfCheck: &traceProbe{eventName: "bpf_check", probeType: kprobe, programName: "trace_bpf_check"}, - ExecBinprm: &traceProbe{eventName: "exec_binprm", probeType: kprobe, programName: "trace_exec_binprm"}, - ExecBinprmRet: &traceProbe{eventName: "exec_binprm", probeType: kretprobe, programName: "trace_ret_exec_binprm"}, - TpProbeRegPrioMayExist: &traceProbe{eventName: "tracepoint_probe_register_prio_may_exist", probeType: kprobe, programName: "trace_tracepoint_probe_register_prio_may_exist"}, - ModuleLoad: &traceProbe{eventName: "module:module_load", probeType: rawTracepoint, programName: "tracepoint__module__module_load"}, - ModuleFree: &traceProbe{eventName: "module:module_free", probeType: rawTracepoint, programName: "tracepoint__module__module_free"}, - LayoutAndAllocate: &traceProbe{eventName: "layout_and_allocate", probeType: kretprobe, programName: "trace_ret_layout_and_allocate"}, - } - - if !netEnabled { - // disable network cgroup probes (avoid effective CAP_NET_ADMIN if not needed) - if err := allProbes[CgroupSKBIngress].autoload(module, false); err != nil { - logger.Errorw("CgroupSKBIngress probe autoload", "error", err) - } - if err := allProbes[CgroupSKBEgress].autoload(module, false); err != nil { - logger.Errorw("CgroupSKBEgress probe autoload", "error", err) - } - } - - return &probes{ - probes: allProbes, - module: module, - }, nil -} - -func (p *probes) GetEventName(handle Handle) (string, string) { - if r, ok := p.probes[handle]; ok { - if probe, ok := r.(*traceProbe); ok { - return probe.eventName, probe.programName - } - } - return "", "" -} - -func (p *probes) GetProbeType(handle Handle) string { - if r, ok := p.probes[handle]; ok { - if probe, ok := r.(*traceProbe); ok { - switch probe.probeType { - case kprobe: - return "kprobe" - case kretprobe: - return "kretprobe" - case tracepoint: - return "tracepoint" - case rawTracepoint: - return "raw_tracepoint" - } - } - } - return "" -} - -// Attach attaches given handle's program to its hook -func (p *probes) Attach(handle Handle, args ...interface{}) error { - if _, ok := p.probes[handle]; !ok { - return errfmt.Errorf("probe handle (%d) does not exist", handle) - } - - return p.probes[handle].attach(p.module, args...) -} - -// Detach detaches given handle's program from its hook -func (p *probes) Detach(handle Handle, args ...interface{}) error { - if _, ok := p.probes[handle]; !ok { - return errfmt.Errorf("probe handle (%d) does not exist", handle) - } - - return p.probes[handle].detach(args...) -} - -// DetachAll detaches all existing probes (programs from their hooks) -func (p *probes) DetachAll() error { - for _, pr := range p.probes { - err := pr.detach() - if err != nil { - return errfmt.WrapError(err) - } - } - - return nil -} - -// Autoload disables autoload feature for a given handle's program -func (p *probes) Autoload(handle Handle, autoload bool) error { - return p.probes[handle].autoload(p.module, autoload) -} - // // Probe // -type probeType uint8 - -const ( - kprobe = iota // github.com/iovisor/bcc/blob/master/docs/reference_guide.md#1-kp - kretprobe // github.com/iovisor/bcc/blob/master/docs/reference_guide.md#1-kp - tracepoint // github.com/iovisor/bcc/blob/master/docs/reference_guide.md#3-tracep - rawTracepoint // github.com/iovisor/bcc/blob/master/docs/reference_guide.md#7-raw-tracep -) - type Probe interface { + // attach attaches the probe's program to its hook. attach(module *bpf.Module, args ...interface{}) error + // detach detaches the probe's program from its hook. detach(...interface{}) error + // autoload sets the probe's ebpf program automatic attaching to its hook. autoload(module *bpf.Module, autoload bool) error } // -// Event Handles +// Event Probe Handles // type Handle int32 diff --git a/pkg/ebpf/probes/trace.go b/pkg/ebpf/probes/trace.go index b52e63984b28..d9390da7b362 100644 --- a/pkg/ebpf/probes/trace.go +++ b/pkg/ebpf/probes/trace.go @@ -8,10 +8,21 @@ import ( "github.com/aquasecurity/tracee/pkg/errfmt" ) +// NOTE: thread-safety guaranteed by the ProbeGroup big lock. + // // traceProbe // +type ProbeType uint8 + +const ( + KProbe = iota // github.com/iovisor/bcc/blob/master/docs/reference_guide.md#1-kp + KretProbe // github.com/iovisor/bcc/blob/master/docs/reference_guide.md#1-kp + Tracepoint // github.com/iovisor/bcc/blob/master/docs/reference_guide.md#3-tracep + RawTracepoint // github.com/iovisor/bcc/blob/master/docs/reference_guide.md#7-raw-tracep +) + // When attaching a traceProbe, by handle, to its eBPF program: // // Handle == traceProbe (types: rawTracepoint, kprobe, kretprobe) @@ -23,15 +34,23 @@ import ( // // DetachAll() -type traceProbe struct { - probeType probeType +type TraceProbe struct { eventName string programName string + probeType ProbeType bpfLink *bpf.BPFLink } -// attach attaches an eBPF program to its probe -func (p *traceProbe) attach(module *bpf.Module, args ...interface{}) error { +// NewTraceProbe creates a new tracing probe (kprobe, kretprobe, tracepoint, raw_tracepoint). +func NewTraceProbe(t ProbeType, evtName string, progName string) *TraceProbe { + return &TraceProbe{ + programName: progName, + eventName: evtName, + probeType: t, + } +} + +func (p *TraceProbe) attach(module *bpf.Module, args ...interface{}) error { var link *bpf.BPFLink if p.bpfLink != nil { @@ -48,16 +67,16 @@ func (p *traceProbe) attach(module *bpf.Module, args ...interface{}) error { } switch p.probeType { - case kprobe: + case KProbe: link, err = prog.AttachKprobe(p.eventName) - case kretprobe: + case KretProbe: link, err = prog.AttachKretprobe(p.eventName) - case tracepoint: + case Tracepoint: tp := strings.Split(p.eventName, ":") tpClass := tp[0] tpEvent := tp[1] link, err = prog.AttachTracepoint(tpClass, tpEvent) - case rawTracepoint: + case RawTracepoint: tpEvent := strings.Split(p.eventName, ":")[1] link, err = prog.AttachRawTracepoint(tpEvent) } @@ -71,8 +90,7 @@ func (p *traceProbe) attach(module *bpf.Module, args ...interface{}) error { return nil } -// detach detaches an eBPF program from its probe -func (p *traceProbe) detach(args ...interface{}) error { +func (p *TraceProbe) detach(args ...interface{}) error { var err error if p.bpfLink == nil { @@ -89,7 +107,6 @@ func (p *traceProbe) detach(args ...interface{}) error { return nil } -// autoload sets an eBPF program to autoload (true|false) -func (p *traceProbe) autoload(module *bpf.Module, autoload bool) error { +func (p *TraceProbe) autoload(module *bpf.Module, autoload bool) error { return enableDisableAutoload(module, p.programName, autoload) } diff --git a/pkg/ebpf/probes/uprobe.go b/pkg/ebpf/probes/uprobe.go index 27572acb5021..1e5d89cb20c0 100644 --- a/pkg/ebpf/probes/uprobe.go +++ b/pkg/ebpf/probes/uprobe.go @@ -7,11 +7,13 @@ import ( "github.com/aquasecurity/tracee/pkg/errfmt" ) +// NOTE: thread-safety guaranteed by the ProbeGroup big lock. + // // uProbe // -type uProbe struct { +type Uprobe struct { eventName string programName string // eBPF program to execute when uprobe triggered binaryPath string // ELF file path to attach uprobe to @@ -19,8 +21,17 @@ type uProbe struct { bpfLink *bpf.BPFLink } -// attach attaches an eBPF program to its probe -func (p *uProbe) attach(module *bpf.Module, args ...interface{}) error { +// NewUprobe creates a new uprobe. +func NewUprobe(evtName string, progName string, binPath string, symName string) *Uprobe { + return &Uprobe{ + programName: progName, + eventName: evtName, + binaryPath: binPath, + symbolName: symName, + } +} + +func (p *Uprobe) attach(module *bpf.Module, args ...interface{}) error { var link *bpf.BPFLink if p.bpfLink != nil { @@ -51,8 +62,7 @@ func (p *uProbe) attach(module *bpf.Module, args ...interface{}) error { return nil } -// detach detaches an eBPF program from its probe -func (p *uProbe) detach(args ...interface{}) error { +func (p *Uprobe) detach(args ...interface{}) error { var err error if p.bpfLink == nil { @@ -69,7 +79,6 @@ func (p *uProbe) detach(args ...interface{}) error { return nil } -// autoload sets an eBPF program to autoload (true|false) -func (p *uProbe) autoload(module *bpf.Module, autoload bool) error { +func (p *Uprobe) autoload(module *bpf.Module, autoload bool) error { return enableDisableAutoload(module, p.programName, autoload) } diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go index 94a53f6a71b8..040edbb4a7a1 100644 --- a/pkg/ebpf/tracee.go +++ b/pkg/ebpf/tracee.go @@ -86,7 +86,7 @@ type Tracee struct { kernelSymbols helpers.KernelSymbolTable // eBPF bpfModule *bpf.Module - probes probes.Probes + probes *probes.ProbeGroup // BPF Maps StackAddressesMap *bpf.BPFMap FDArgPathMap *bpf.BPFMap @@ -501,24 +501,24 @@ func (t *Tracee) generateInitValues() (InitValues, error) { return initVals, nil } -// Initialize tail calls program array -func (t *Tracee) initTailCall(mapName string, mapIndexes []uint32, progName string) error { - bpfMap, err := t.bpfModule.GetMap(mapName) +// initTailCall initializes a given tailcall. +func (t *Tracee) initTailCall(tailCall *events.TailCall) error { + bpfMap, err := t.bpfModule.GetMap(tailCall.GetMapName()) if err != nil { return errfmt.WrapError(err) } - bpfProg, err := t.bpfModule.GetProgram(progName) + bpfProg, err := t.bpfModule.GetProgram(tailCall.GetProgName()) if err != nil { - return errfmt.Errorf("could not get BPF program %s: %v", progName, err) + return errfmt.Errorf("could not get BPF program %s: %v", tailCall.GetProgName(), err) } fd := bpfProg.FileDescriptor() if fd < 0 { - return errfmt.Errorf("could not get BPF program FD for %s: %v", progName, err) + return errfmt.Errorf("could not get BPF program FD for %s: %v", tailCall.GetProgName(), err) } - for _, index := range mapIndexes { + // Attach internal syscall probes if needed. + for _, index := range tailCall.GetMapIndexes() { def := events.Definitions.Get(events.ID(index)) - // attach internal syscall probes if needed from tailcalls if def.Syscall { err := t.probes.Attach(probes.SyscallEnter__Internal) if err != nil { @@ -534,6 +534,7 @@ func (t *Tracee) initTailCall(mapName string, mapIndexes []uint32, progName stri return errfmt.WrapError(err) } } + return nil } @@ -1130,7 +1131,7 @@ func (t *Tracee) populateBPFMaps() error { return errfmt.WrapError(err) } for _, tailCall := range tailCalls { - err := t.initTailCall(tailCall.MapName, tailCall.MapIndexes, tailCall.ProgName) + err := t.initTailCall(tailCall) if err != nil { return errfmt.Errorf("failed to initialize tail call: %v", err) } @@ -1139,77 +1140,76 @@ func (t *Tracee) populateBPFMaps() error { return nil } -// getTailCalls collects all tailcall dependencies from required events, and -// generates additional tailcall per syscall traced. For syscall tracing, there -// are 4 different relevant tail calls: +// getTailCalls collects all tailcall dependencies for the events picked to be traced, and generates +// additional tailcall per syscall traced. +// +// For syscall tracing, there are 4 different relevant tail +// calls: // // 1. sys_enter_init - syscall data saving is done here // 2. sys_enter_submit - some syscall submits are done here // 3. sys_exit_init - syscall validation on exit is done here // 4. sys_exit_submit - most syscalls are submitted at this point // -// This division is done because some events only require the syscall saving -// logic, and not event submitting. As such, in order to actually track syscalls -// we need to initialize, these 4 tail calls per syscall event requested for -// submission. In pkg/events/events.go one can see that some events will -// require the sys_enter_init tail call, this is because they require syscall -// data saving in their probe (for example security_file_open needs open, openat -// and openat2). -func getTailCalls(eventConfigs map[events.ID]eventConfig) ([]events.TailCall, error) { - enterInitTailCall := events.TailCall{ - MapName: "sys_enter_init_tail", - MapIndexes: []uint32{}, - ProgName: "sys_enter_init", - } - enterSubmitTailCall := events.TailCall{ - MapName: "sys_enter_submit_tail", - MapIndexes: []uint32{}, - ProgName: "sys_enter_submit", - } - exitInitTailCall := events.TailCall{ - MapName: "sys_exit_init_tail", - MapIndexes: []uint32{}, - ProgName: "sys_exit_init", - } - exitSubmitTailCall := events.TailCall{ - MapName: "sys_exit_submit_tail", - MapIndexes: []uint32{}, - ProgName: "sys_exit_submit", - } - - // For tracking only unique tail call, we use it's string form as the key in - // a "set" map (map[string]bool). We use a string, and not the struct - // itself, because it includes an array. +// This division is done because some events only require the syscall saving logic, and not event +// submission one. As such, in order to track syscalls, tracee needs to initialize these 4 tail +// calls per syscall event to be submitted. +// +// NOTE: In pkg/events/events.go, one can see that some events will require the sys_enter_init tail +// call, this is because they require syscall data saving in their probe (for example +// security_file_open needs open, openat and openat2). +func getTailCalls(eventConfigs map[events.ID]eventConfig) ([]*events.TailCall, error) { + enterInitTailCall := events.NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{}, + ) + enterSubmitTailCall := events.NewTailCall( + "sys_enter_submit_tail", + "sys_enter_submit", + []uint32{}, + ) + exitInitTailCall := events.NewTailCall( + "sys_exit_init_tail", + "sys_exit_init", + []uint32{}, + ) + exitSubmitTailCall := events.NewTailCall( + "sys_exit_submit_tail", + "sys_exit_submit", + []uint32{}, + ) + + // For tracking only unique tail call, we use it's string form as the key in a "set" map + // (map[string]bool). We use a string, and not the struct itself, because it includes an array. // - // NOTE: In golang, map keys must be a comparable type, which are numerics - // and strings. structs can also be used as keys, but only if they are - // composed solely from comparable types. + // NOTE: In golang, map keys must be a comparable type, which are numerics and strings. structs + // can also be used as keys, but only if they are composed solely from comparable types. // - // arrays/slices are not comparable, so we need to use the string form - // of the struct as a key instead. we then only append the actual - // tail call struct to a list if it's string form is not found in the - // map. + // arrays/slices are not comparable, so we need to use the string form of the struct as a + // key instead. we then only append the actual tail call struct to a list if it's string + // form is not found in the map. tailCallProgs := map[string]bool{} - tailCalls := []events.TailCall{} + tailCalls := []*events.TailCall{} for e, cfg := range eventConfigs { def := events.Definitions.Get(e) for _, tailCall := range def.Dependencies.TailCalls { - if len(tailCall.MapIndexes) == 0 { + if tailCall.GetMapIndexesLen() == 0 { continue // skip if tailcall has no indexes defined } - for _, index := range tailCall.MapIndexes { + for _, index := range tailCall.GetMapIndexes() { if index >= uint32(events.MaxCommonID) { logger.Debugw( "Removing index from tail call (over max event id)", - "tail_call_map", tailCall.MapName, + "tail_call_map", tailCall.GetMapName(), "index", index, "max_event_id", events.MaxCommonID, "pkgName", pkgName, ) - tailCall.RemoveIndex(index) // remove undef syscalls (eg. arm64) + tailCall.DelIndex(index) // remove undef syscalls (eg. arm64) } } tailCallStr := fmt.Sprint(tailCall) @@ -1228,15 +1228,17 @@ func getTailCalls(eventConfigs map[events.ID]eventConfig) ([]events.TailCall, er } } - tailCalls = append( - tailCalls, enterInitTailCall, enterSubmitTailCall, - exitInitTailCall, exitSubmitTailCall, + tailCalls = append(tailCalls, + enterInitTailCall, + enterSubmitTailCall, + exitInitTailCall, + exitSubmitTailCall, ) return tailCalls, nil } -func (t *Tracee) GetTailCalls() ([]events.TailCall, error) { +func (t *Tracee) GetTailCalls() ([]*events.TailCall, error) { return getTailCalls(t.events) } @@ -1265,7 +1267,7 @@ func (t *Tracee) attachProbes() error { } // attach probes for selected events - for _, dep := range event.Probes { + for _, dep := range event.Dependencies.Probes { err = t.probes.Attach(dep.Handle, t.cgroups) if err != nil && dep.Required { return errfmt.Errorf("failed to attach required probe: %v", err) @@ -1296,7 +1298,7 @@ func (t *Tracee) initBPF() error { // Initialize probes - t.probes, err = probes.Init(t.bpfModule, t.netEnabled()) + t.probes, err = probes.NewDefaultProbeGroup(t.bpfModule, t.netEnabled()) if err != nil { return errfmt.WrapError(err) } diff --git a/pkg/ebpf/tracee_test.go b/pkg/ebpf/tracee_test.go index 6d59408966cf..ebc39a9c5205 100644 --- a/pkg/ebpf/tracee_test.go +++ b/pkg/ebpf/tracee_test.go @@ -1,7 +1,7 @@ package ebpf import ( - "sort" + "reflect" "testing" "github.com/stretchr/testify/assert" @@ -14,7 +14,7 @@ func Test_getTailCalls(t *testing.T) { testCases := []struct { name string events map[events.ID]eventConfig - expectedTailCalls []events.TailCall + expectedTailCalls []*events.TailCall expectedErr error }{ { @@ -26,41 +26,118 @@ func Test_getTailCalls(t *testing.T) { events.MemProtAlert: {submit: ^uint64(0), emit: ^uint64(0)}, events.SocketDup: {submit: ^uint64(0), emit: ^uint64(0)}, }, - expectedTailCalls: []events.TailCall{ - {MapName: "sys_exit_tails", MapIndexes: []uint32{uint32(events.Dup), uint32(events.Dup2), uint32(events.Dup3)}, ProgName: "sys_dup_exit_tail"}, - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(events.Dup), uint32(events.Dup2), uint32(events.Dup3)}, ProgName: "sys_enter_init"}, - {MapName: "sys_exit_init_tail", MapIndexes: []uint32{uint32(events.Dup), uint32(events.Dup2), uint32(events.Dup3)}, ProgName: "sys_exit_init"}, - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{ - uint32(events.Open), uint32(events.Openat), uint32(events.Openat2), uint32(events.OpenByHandleAt), - uint32(events.Execve), uint32(events.Execveat), - }, ProgName: "sys_enter_init"}, - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(events.Mmap), uint32(events.Mprotect), uint32(events.PkeyMprotect)}, ProgName: "sys_enter_init"}, - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(events.Ptrace), uint32(events.ClockSettime)}, ProgName: "sys_enter_init"}, - {MapName: "sys_enter_submit_tail", MapIndexes: []uint32{uint32(events.Ptrace), uint32(events.ClockSettime)}, ProgName: "sys_enter_submit"}, - {MapName: "sys_exit_init_tail", MapIndexes: []uint32{uint32(events.Ptrace), uint32(events.ClockSettime)}, ProgName: "sys_exit_init"}, - {MapName: "sys_exit_submit_tail", MapIndexes: []uint32{uint32(events.Ptrace), uint32(events.ClockSettime)}, ProgName: "sys_exit_submit"}, + expectedTailCalls: []*events.TailCall{ + events.NewTailCall( + "sys_exit_tails", + "sys_dup_exit_tail", + []uint32{ + uint32(events.Dup), + uint32(events.Dup2), + uint32(events.Dup3), + }, + ), + events.NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{ + uint32(events.Dup), + uint32(events.Dup2), + uint32(events.Dup3), + }, + ), + events.NewTailCall( + "sys_exit_init_tail", + "sys_exit_init", + []uint32{ + uint32(events.Dup), + uint32(events.Dup2), + uint32(events.Dup3), + }, + ), + events.NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{ + uint32(events.Open), + uint32(events.Openat), + uint32(events.Openat2), + uint32(events.OpenByHandleAt), + uint32(events.Execve), + uint32(events.Execveat), + }, + ), + events.NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{ + uint32(events.Mmap), + uint32(events.Mprotect), + uint32(events.PkeyMprotect), + }, + ), + events.NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{ + uint32(events.Ptrace), + uint32(events.ClockSettime), + }, + ), + events.NewTailCall( + "sys_enter_submit_tail", + "sys_enter_submit", + []uint32{ + uint32(events.Ptrace), + uint32(events.ClockSettime), + }, + ), + events.NewTailCall( + "sys_exit_init_tail", + "sys_exit_init", + []uint32{ + uint32(events.Ptrace), + uint32(events.ClockSettime), + }, + ), + events.NewTailCall( + "sys_exit_submit_tail", + "sys_exit_submit", + []uint32{ + uint32(events.Ptrace), + uint32(events.ClockSettime), + }, + ), }, }, } for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - tailCalls, err := getTailCalls(tc.events) - if tc.expectedErr != nil { - assert.ErrorIs(t, err, tc.expectedErr) - } else { - require.NoError(t, err) - for n := range tailCalls { - sort.Slice(tailCalls[n].MapIndexes, func(i, j int) bool { - return tailCalls[n].MapIndexes[i] < tailCalls[n].MapIndexes[j] - }) + t.Run(tc.name, + func(t *testing.T) { + tailCalls, err := getTailCalls(tc.events) + if tc.expectedErr != nil { + assert.ErrorIs(t, err, tc.expectedErr) + return } - for n := range tc.expectedTailCalls { - sort.Slice(tc.expectedTailCalls[n].MapIndexes, func(i, j int) bool { - return tc.expectedTailCalls[n].MapIndexes[i] < tc.expectedTailCalls[n].MapIndexes[j] - }) + require.NoError(t, err) + for i := 0; i < len(tailCalls); i++ { + found := false + for j := 0; j < len(tc.expectedTailCalls); j++ { + if tailCalls[i].GetMapName() != tc.expectedTailCalls[j].GetMapName() { + continue + } + if tailCalls[i].GetProgName() != tc.expectedTailCalls[j].GetProgName() { + continue + } + if !reflect.DeepEqual(tailCalls[i].GetMapIndexes(), + tc.expectedTailCalls[j].GetMapIndexes(), + ) { + continue + } + found = true + } + assert.True(t, found) } - assert.ElementsMatch(t, tailCalls, tc.expectedTailCalls) - } - }) + }, + ) } } diff --git a/pkg/events/events.go b/pkg/events/events.go index c20f4b32b4ec..d094166898fc 100644 --- a/pkg/events/events.go +++ b/pkg/events/events.go @@ -1,6 +1,9 @@ package events import ( + "sync" + "sync/atomic" + "kernel.org/pub/linux/libs/security/libcap/cap" "github.com/aquasecurity/tracee/pkg/capabilities" @@ -10,71 +13,203 @@ import ( "github.com/aquasecurity/tracee/types/trace" ) -type dependencies struct { - Events []eventDependency // Events required to be loaded and/or submitted for the event to happen - KSymbols *[]kSymbolDependency // nil pointer means no symbols needed, empty slice indicates for dynamic symbols which their names aren't known at the time of compilation - TailCalls []TailCall // Map containing tail calls programs, index containing given program - Capabilities capDependency // Capabilities needed in events processor or derivation phases +// +// Extensions WIP: +// +// NOTE: Historically the events were defined as static data with value receivers, instead of +// pointer receivers, and public fields were accessed directly from many places. That happened +// because the data never changed and there was no need for concurrency. That is no longer +// true, so all the events should now be defined as pointers with private fields and public +// getters/setters. This way access to events can be synchronized in the object themselves, +// instead of having to do it from the outside (and missing to do so). +// +// TODO: Because of dynamically loading/unloading work (and parallelism): +// +// 1. Simple types should be atomics (bool, int, uint, pointers, etc.): +// - os long as object changes are atomic (no need for multiple field updates) +// - usually requires object to have an immutable handle (ID) +// - protect loads/stores but not objects single view among 2 CPUs +// 2. Complex types should have mutexes (maps, slices, etc.) +// - updates aren't copy-on-write like atomic types +// - complex types are walked through, and not copy-on-write changed +// 3. All types should be private (no public fields) +// 4. All types should have getters/setters +// 5. Return copies of complex types (maps, slices, etc.) +// +// +// Types (keep in a single file for now): +// +// 0. ID immutable +// 1. EventGroup mutable, map protected by a mutex +// 2. Event mutable with atomic types (no transactional updates needed) +// 3. Dependencies mutable with atomic types (no transactional updates needed) +// 4. ProbeDependency mutable (atomic "required" field) +// 5. KSymbolDependency mutable (atomic "required" field) +// 6. CapDependency mutable, map protected by a mutex +// 7. TailCall mutable, slice protected by a mutex, atomic strings +// + +// TODO: turn event definitions into EventDefGroup of EventDefs: + +// +// TailCall +// + +const ( + TailVfsWrite uint32 = iota // Index of a function to be used in a bpf tailcall. + TailVfsWritev // Matches defined values in ebpf code for prog_array map. + TailSendBin + TailSendBinTP + TailKernelWrite + TailSchedProcessExecEventSubmit + TailVfsRead + TailVfsReadv + TailExecBinprm1 + TailExecBinprm2 + TailHiddenKernelModuleProc + TailHiddenKernelModuleKset + TailHiddenKernelModuleModTree + TailHiddenKernelModuleNewModOnly + MaxTail +) + +type TailCall struct { + mapName *atomic.Pointer[string] // atomic: atomic pointer load/store (get/set) + progName *atomic.Pointer[string] // atomic: atomic pointer load/store (get/set) + mapIndexes []uint32 // load/store for array pointer also protected by mutex + mutex *sync.RWMutex // mutex: protect the array iterations (transactions) } -type probeDependency struct { - Handle probes.Handle - Required bool // should tracee fail if probe fails to attach +// NewTailCall creates a new TailCall with default values. +func NewTailCall(mapName, progName string, mapIndexes []uint32) *TailCall { + mapNamePtr := &atomic.Pointer[string]{} + progNamePtr := &atomic.Pointer[string]{} + + mapNamePtr.Store(&mapName) + progNamePtr.Store(&progName) + + return &TailCall{ + mapName: mapNamePtr, + progName: progNamePtr, + mapIndexes: mapIndexes, + mutex: &sync.RWMutex{}, + } } -type kSymbolDependency struct { - Symbol string - Required bool // should tracee cancel the event if the symbol is missing +// AddIndex adds an index to the tail call. +func (tc *TailCall) AddIndex(givenIndex uint32) { + tc.mutex.Lock() + defer tc.mutex.Unlock() + tc.addIndexes([]uint32{givenIndex}) } -type eventDependency struct { - EventID ID +// AddIndexes adds indexes to the tail call. +func (tc *TailCall) AddIndexes(givenIndexes []uint32) { + tc.mutex.Lock() + defer tc.mutex.Unlock() + tc.addIndexes(givenIndexes) } -type capDependency map[capabilities.RingType][]cap.Value // array of needed capabilities per ring type +// addIndexes adds indexes to the tail call (thread-unsafe). +func (tc *TailCall) addIndexes(givenIndexes []uint32) { + tc.mapIndexes = append(tc.mapIndexes, givenIndexes...) +} -type TailCall struct { - MapName string - MapIndexes []uint32 - ProgName string +// DelIndexes removes indexes from the tail call. +func (tc *TailCall) DelIndexes(givenIndexes []uint32) { + tc.mutex.Lock() + defer tc.mutex.Unlock() + + for _, index := range givenIndexes { + tc.delIndex(index) + } } -func (tc *TailCall) AddIndex(i uint32) { - tc.MapIndexes = append(tc.MapIndexes, i) +// DelIndex removes an index from the tail call. +func (tc *TailCall) DelIndex(givenIndex uint32) { + tc.mutex.Lock() + defer tc.mutex.Unlock() + tc.delIndex(givenIndex) } -func (tc *TailCall) RemoveIndex(i uint32) { +// delIndex removes an index from the tail call (thread-unsafe). +func (tc *TailCall) delIndex(givenIndex uint32) { indexOfIndex := -1 - for index, val := range tc.MapIndexes { - if i == val { + + for index, val := range tc.mapIndexes { + if givenIndex == val { indexOfIndex = index break } } if indexOfIndex != -1 { - tc.MapIndexes = append(tc.MapIndexes[:indexOfIndex], tc.MapIndexes[indexOfIndex+1:]...) + tc.mapIndexes = append( + tc.mapIndexes[:indexOfIndex], + tc.mapIndexes[indexOfIndex+1:]..., + ) } } -// an enum that specifies the index of a function to be used in a bpf tail call -// tail function indexes should match defined values in ebpf code for prog_array map -const ( - tailVfsWrite uint32 = iota - tailVfsWritev - tailSendBin - tailSendBinTP - tailKernelWrite - tailSchedProcessExecEventSubmit - tailVfsRead - tailVfsReadv - TailExecBinprm1 - TailExecBinprm2 - tailHiddenKernelModuleProc - tailHiddenKernelModuleKset - tailHiddenKernelModuleModTree - tailHiddenKernelModuleNewModOnly - MaxTail -) +// GetMapName returns a copy of the map's name. +func (tc *TailCall) GetMapName() string { + return *tc.mapName.Load() +} + +// SetMapName sets the map's name. +func (tc *TailCall) SetMapName(mapName string) { + tc.mapName.Store(&mapName) +} + +// GetProgName returns a copy of the program's name. +func (tc *TailCall) GetProgName() string { + return *tc.progName.Load() +} + +// SetProgName sets the program's name. +func (tc *TailCall) SetProgName(progName string) { + tc.progName.Store(&progName) +} + +// GetMapIndexes returns a copy of the map's indexes at the time of the call. +func (tc *TailCall) GetMapIndexes() []uint32 { + tc.mutex.RLock() + defer tc.mutex.RUnlock() + return tc.mapIndexes // array copy protected by mutex +} + +func (tc *TailCall) GetMapIndexesLen() int { + tc.mutex.RLock() + defer tc.mutex.RUnlock() + return len(tc.mapIndexes) // array length protected by mutex +} + +// +// Extensions TODO (below) +// + +type dependencies struct { + Events []eventDependency // events required by this event + KSymbols *[]kSymbolDependency // nil == no symbols needed, empty == unknown (yet) + TailCalls []*TailCall // tailcalls required for this event (or proccessing logic) + Capabilities capsDependency // Capabilities needed in events processor or derivation phases + Probes []probeDependency +} + +type probeDependency struct { + Handle probes.Handle + Required bool // tracee fails if probe can't be attached +} + +type kSymbolDependency struct { + Symbol string + Required bool // tracee fails if symbol is not found +} + +type eventDependency struct { + EventID ID +} + +type capsDependency map[capabilities.RingType][]cap.Value // array of needed capabilities per ring type // Event is a struct describing an event configuration type Event struct { @@ -83,7 +218,6 @@ type Event struct { DocPath string // Relative to the 'doc/events' directory Internal bool Syscall bool - Probes []probeDependency Dependencies dependencies Sets []string Params []trace.ArgMeta @@ -961,8 +1095,12 @@ var Definitions = eventDefinitions{ Name: "execve", Syscall: true, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_tails", MapIndexes: []uint32{uint32(Execve)}, ProgName: "syscall__execve"}, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_tails", + "syscall__execve", + []uint32{uint32(Execve)}, + ), }, }, Sets: []string{"syscalls", "proc", "proc_life"}, @@ -3716,8 +3854,12 @@ var Definitions = eventDefinitions{ Name: "execveat", Syscall: true, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_tails", MapIndexes: []uint32{uint32(Execveat)}, ProgName: "syscall__execveat"}, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_tails", + "syscall__execveat", + []uint32{uint32(Execveat)}, + ), }, }, Sets: []string{"syscalls", "proc", "proc_life"}, @@ -5004,8 +5146,10 @@ var Definitions = eventDefinitions{ SysEnter: { ID32Bit: sys32undefined, Name: "sys_enter", - Probes: []probeDependency{ - {Handle: probes.SysEnter, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SysEnter, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5015,8 +5159,10 @@ var Definitions = eventDefinitions{ SysExit: { ID32Bit: sys32undefined, Name: "sys_exit", - Probes: []probeDependency{ - {Handle: probes.SysExit, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SysExit, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5026,8 +5172,10 @@ var Definitions = eventDefinitions{ SchedProcessFork: { ID32Bit: sys32undefined, Name: "sched_process_fork", - Probes: []probeDependency{ - {Handle: probes.SchedProcessFork, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SchedProcessFork, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5045,15 +5193,19 @@ var Definitions = eventDefinitions{ SchedProcessExec: { ID32Bit: sys32undefined, Name: "sched_process_exec", - Probes: []probeDependency{ - {Handle: probes.SchedProcessExec, Required: true}, - {Handle: probes.LoadElfPhdrs, Required: false}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "prog_array_tp", MapIndexes: []uint32{tailSchedProcessExecEventSubmit}, ProgName: "sched_process_exec_event_submit_tail"}, + Probes: []probeDependency{ + {Handle: probes.SchedProcessExec, Required: true}, + {Handle: probes.LoadElfPhdrs, Required: false}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "prog_array_tp", + "sched_process_exec_event_submit_tail", + []uint32{TailSchedProcessExecEventSubmit}, + ), }, - Capabilities: capDependency{ + Capabilities: capsDependency{ capabilities.Base: []cap.Value{ // 1. set by processSchedProcessFork IF ExecHash enabled // 2. set by processSchedProcessExec by CaptureExec if needed @@ -5084,9 +5236,11 @@ var Definitions = eventDefinitions{ SchedProcessExit: { ID32Bit: sys32undefined, Name: "sched_process_exit", - Probes: []probeDependency{ - {Handle: probes.SchedProcessExit, Required: true}, - {Handle: probes.SchedProcessFree, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SchedProcessExit, Required: true}, + {Handle: probes.SchedProcessFree, Required: true}, + }, }, Sets: []string{"proc", "proc_life"}, Params: []trace.ArgMeta{ @@ -5100,8 +5254,10 @@ var Definitions = eventDefinitions{ SchedSwitch: { ID32Bit: sys32undefined, Name: "sched_switch", - Probes: []probeDependency{ - {Handle: probes.SchedSwitch, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SchedSwitch, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5115,8 +5271,10 @@ var Definitions = eventDefinitions{ DoExit: { ID32Bit: sys32undefined, Name: "do_exit", - Probes: []probeDependency{ - {Handle: probes.DoExit, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DoExit, Required: true}, + }, }, Sets: []string{"proc", "proc_life"}, Params: []trace.ArgMeta{}, @@ -5124,8 +5282,10 @@ var Definitions = eventDefinitions{ CapCapable: { ID32Bit: sys32undefined, Name: "cap_capable", - Probes: []probeDependency{ - {Handle: probes.CapCapable, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.CapCapable, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5135,9 +5295,11 @@ var Definitions = eventDefinitions{ VfsWrite: { ID32Bit: sys32undefined, Name: "vfs_write", - Probes: []probeDependency{ - {Handle: probes.VfsWrite, Required: true}, - {Handle: probes.VfsWriteRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.VfsWrite, Required: true}, + {Handle: probes.VfsWriteRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5151,9 +5313,11 @@ var Definitions = eventDefinitions{ VfsWritev: { ID32Bit: sys32undefined, Name: "vfs_writev", - Probes: []probeDependency{ - {Handle: probes.VfsWriteV, Required: true}, - {Handle: probes.VfsWriteVRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.VfsWriteV, Required: true}, + {Handle: probes.VfsWriteVRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5167,14 +5331,18 @@ var Definitions = eventDefinitions{ MemProtAlert: { ID32Bit: sys32undefined, Name: "mem_prot_alert", - Probes: []probeDependency{ - {Handle: probes.SecurityMmapAddr, Required: true}, - {Handle: probes.SecurityFileMProtect, Required: true}, - {Handle: probes.SyscallEnter__Internal, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Mmap), uint32(Mprotect), uint32(PkeyMprotect)}, ProgName: "sys_enter_init"}, + Probes: []probeDependency{ + {Handle: probes.SecurityMmapAddr, Required: true}, + {Handle: probes.SecurityFileMProtect, Required: true}, + {Handle: probes.SyscallEnter__Internal, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Mmap), uint32(Mprotect), uint32(PkeyMprotect)}, + ), }, }, Sets: []string{}, @@ -5193,8 +5361,10 @@ var Definitions = eventDefinitions{ CommitCreds: { ID32Bit: sys32undefined, Name: "commit_creds", - Probes: []probeDependency{ - {Handle: probes.CommitCreds, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.CommitCreds, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5205,8 +5375,10 @@ var Definitions = eventDefinitions{ SwitchTaskNS: { ID32Bit: sys32undefined, Name: "switch_task_ns", - Probes: []probeDependency{ - {Handle: probes.SwitchTaskNS, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SwitchTaskNS, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5223,13 +5395,15 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "magic_write", DocPath: "security_alerts/magic_write.md", - Probes: []probeDependency{ - {Handle: probes.VfsWrite, Required: true}, - {Handle: probes.VfsWriteRet, Required: true}, - {Handle: probes.VfsWriteV, Required: false}, - {Handle: probes.VfsWriteVRet, Required: false}, - {Handle: probes.KernelWrite, Required: false}, - {Handle: probes.KernelWriteRet, Required: false}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.VfsWrite, Required: true}, + {Handle: probes.VfsWriteRet, Required: true}, + {Handle: probes.VfsWriteV, Required: false}, + {Handle: probes.VfsWriteVRet, Required: false}, + {Handle: probes.KernelWrite, Required: false}, + {Handle: probes.KernelWriteRet, Required: false}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5242,8 +5416,10 @@ var Definitions = eventDefinitions{ CgroupAttachTask: { ID32Bit: sys32undefined, Name: "cgroup_attach_task", - Probes: []probeDependency{ - {Handle: probes.CgroupAttachTask, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.CgroupAttachTask, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5255,8 +5431,10 @@ var Definitions = eventDefinitions{ CgroupMkdir: { ID32Bit: sys32undefined, Name: "cgroup_mkdir", - Probes: []probeDependency{ - {Handle: probes.CgroupMkdir, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.CgroupMkdir, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5268,8 +5446,10 @@ var Definitions = eventDefinitions{ CgroupRmdir: { ID32Bit: sys32undefined, Name: "cgroup_rmdir", - Probes: []probeDependency{ - {Handle: probes.CgroupRmdir, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.CgroupRmdir, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5281,8 +5461,10 @@ var Definitions = eventDefinitions{ SecurityBprmCheck: { ID32Bit: sys32undefined, Name: "security_bprm_check", - Probes: []probeDependency{ - {Handle: probes.SecurityBPRMCheck, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityBPRMCheck, Required: true}, + }, }, Sets: []string{"lsm_hooks", "proc", "proc_life"}, Params: []trace.ArgMeta{ @@ -5294,16 +5476,21 @@ var Definitions = eventDefinitions{ SecurityFileOpen: { ID32Bit: sys32undefined, Name: "security_file_open", - Probes: []probeDependency{ - {Handle: probes.SecurityFileOpen, Required: true}, - {Handle: probes.SyscallEnter__Internal, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{ - uint32(Open), uint32(Openat), uint32(Openat2), uint32(OpenByHandleAt), - uint32(Execve), uint32(Execveat), - }, ProgName: "sys_enter_init"}, + Probes: []probeDependency{ + {Handle: probes.SecurityFileOpen, Required: true}, + {Handle: probes.SyscallEnter__Internal, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{ + uint32(Open), uint32(Openat), uint32(Openat2), + uint32(OpenByHandleAt), uint32(Execve), + uint32(Execveat), + }, + ), }, }, Sets: []string{"lsm_hooks", "fs", "fs_file_ops"}, @@ -5319,8 +5506,10 @@ var Definitions = eventDefinitions{ SecurityInodeUnlink: { ID32Bit: sys32undefined, Name: "security_inode_unlink", - Probes: []probeDependency{ - {Handle: probes.SecurityInodeUnlink, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityInodeUnlink, Required: true}, + }, }, Sets: []string{"default", "lsm_hooks", "fs", "fs_file_ops"}, Params: []trace.ArgMeta{ @@ -5333,8 +5522,10 @@ var Definitions = eventDefinitions{ SecuritySocketCreate: { ID32Bit: sys32undefined, Name: "security_socket_create", - Probes: []probeDependency{ - {Handle: probes.SecuritySocketCreate, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecuritySocketCreate, Required: true}, + }, }, Sets: []string{"lsm_hooks", "net", "net_sock"}, Params: []trace.ArgMeta{ @@ -5347,13 +5538,17 @@ var Definitions = eventDefinitions{ SecuritySocketListen: { ID32Bit: sys32undefined, Name: "security_socket_listen", - Probes: []probeDependency{ - {Handle: probes.SecuritySocketListen, Required: true}, - {Handle: probes.SyscallEnter__Internal, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Listen)}, ProgName: "sys_enter_init"}, + Probes: []probeDependency{ + {Handle: probes.SecuritySocketListen, Required: true}, + {Handle: probes.SyscallEnter__Internal, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Listen)}, + ), }, }, Sets: []string{"lsm_hooks", "net", "net_sock"}, @@ -5366,13 +5561,17 @@ var Definitions = eventDefinitions{ SecuritySocketConnect: { ID32Bit: sys32undefined, Name: "security_socket_connect", - Probes: []probeDependency{ - {Handle: probes.SecuritySocketConnect, Required: true}, - {Handle: probes.SyscallEnter__Internal, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Connect)}, ProgName: "sys_enter_init"}, + Probes: []probeDependency{ + {Handle: probes.SecuritySocketConnect, Required: true}, + {Handle: probes.SyscallEnter__Internal, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Connect)}, + ), }, }, Sets: []string{"default", "lsm_hooks", "net", "net_sock"}, @@ -5384,13 +5583,17 @@ var Definitions = eventDefinitions{ SecuritySocketAccept: { ID32Bit: sys32undefined, Name: "security_socket_accept", - Probes: []probeDependency{ - {Handle: probes.SecuritySocketAccept, Required: true}, - {Handle: probes.SyscallEnter__Internal, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Accept), uint32(Accept4)}, ProgName: "sys_enter_init"}, + Probes: []probeDependency{ + {Handle: probes.SecuritySocketAccept, Required: true}, + {Handle: probes.SyscallEnter__Internal, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Accept), uint32(Accept4)}, + ), }, }, Sets: []string{"default", "lsm_hooks", "net", "net_sock"}, @@ -5402,13 +5605,17 @@ var Definitions = eventDefinitions{ SecuritySocketBind: { ID32Bit: sys32undefined, Name: "security_socket_bind", - Probes: []probeDependency{ - {Handle: probes.SecuritySocketBind, Required: true}, - {Handle: probes.SyscallEnter__Internal, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Bind)}, ProgName: "sys_enter_init"}, + Probes: []probeDependency{ + {Handle: probes.SecuritySocketBind, Required: true}, + {Handle: probes.SyscallEnter__Internal, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Bind)}, + ), }, }, Sets: []string{"default", "lsm_hooks", "net", "net_sock"}, @@ -5421,13 +5628,17 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "security_socket_setsockopt", DocPath: "lsm_hooks/security_socket_setsockopt.md", - Probes: []probeDependency{ - {Handle: probes.SecuritySocketSetsockopt, Required: true}, - {Handle: probes.SyscallEnter__Internal, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Setsockopt)}, ProgName: "sys_enter_init"}, + Probes: []probeDependency{ + {Handle: probes.SecuritySocketSetsockopt, Required: true}, + {Handle: probes.SyscallEnter__Internal, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Setsockopt)}, + ), }, }, Sets: []string{"lsm_hooks", "net", "net_sock"}, @@ -5441,8 +5652,10 @@ var Definitions = eventDefinitions{ SecuritySbMount: { ID32Bit: sys32undefined, Name: "security_sb_mount", - Probes: []probeDependency{ - {Handle: probes.SecuritySbMount, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecuritySbMount, Required: true}, + }, }, Sets: []string{"default", "lsm_hooks", "fs"}, Params: []trace.ArgMeta{ @@ -5455,8 +5668,10 @@ var Definitions = eventDefinitions{ SecurityBPF: { ID32Bit: sys32undefined, Name: "security_bpf", - Probes: []probeDependency{ - {Handle: probes.SecurityBPF, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityBPF, Required: true}, + }, }, Sets: []string{"lsm_hooks"}, Params: []trace.ArgMeta{ @@ -5466,8 +5681,10 @@ var Definitions = eventDefinitions{ SecurityBPFMap: { ID32Bit: sys32undefined, Name: "security_bpf_map", - Probes: []probeDependency{ - {Handle: probes.SecurityBPFMap, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityBPFMap, Required: true}, + }, }, Sets: []string{"lsm_hooks"}, Params: []trace.ArgMeta{ @@ -5478,8 +5695,10 @@ var Definitions = eventDefinitions{ SecurityKernelReadFile: { ID32Bit: sys32undefined, Name: "security_kernel_read_file", - Probes: []probeDependency{ - {Handle: probes.SecurityKernelReadFile, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityKernelReadFile, Required: true}, + }, }, Sets: []string{"lsm_hooks"}, Params: []trace.ArgMeta{ @@ -5493,8 +5712,10 @@ var Definitions = eventDefinitions{ SecurityPostReadFile: { ID32Bit: sys32undefined, Name: "security_kernel_post_read_file", - Probes: []probeDependency{ - {Handle: probes.SecurityKernelPostReadFile, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityKernelPostReadFile, Required: true}, + }, }, Sets: []string{"lsm_hooks"}, Params: []trace.ArgMeta{ @@ -5506,8 +5727,10 @@ var Definitions = eventDefinitions{ SecurityInodeMknod: { ID32Bit: sys32undefined, Name: "security_inode_mknod", - Probes: []probeDependency{ - {Handle: probes.SecurityInodeMknod, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityInodeMknod, Required: true}, + }, }, Sets: []string{"lsm_hooks"}, Params: []trace.ArgMeta{ @@ -5519,8 +5742,10 @@ var Definitions = eventDefinitions{ SecurityInodeSymlinkEventId: { ID32Bit: sys32undefined, Name: "security_inode_symlink", - Probes: []probeDependency{ - {Handle: probes.SecurityInodeSymlink, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityInodeSymlink, Required: true}, + }, }, Sets: []string{"lsm_hooks", "fs", "fs_file_ops"}, Params: []trace.ArgMeta{ @@ -5531,8 +5756,10 @@ var Definitions = eventDefinitions{ SecurityMmapFile: { ID32Bit: sys32undefined, Name: "security_mmap_file", - Probes: []probeDependency{ - {Handle: probes.SecurityMmapFile, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityMmapFile, Required: true}, + }, }, Sets: []string{"lsm_hooks", "fs", "fs_file_ops", "proc", "proc_mem"}, Params: []trace.ArgMeta{ @@ -5548,9 +5775,11 @@ var Definitions = eventDefinitions{ DoMmap: { ID32Bit: sys32undefined, Name: "do_mmap", - Probes: []probeDependency{ - {Handle: probes.DoMmap, Required: true}, - {Handle: probes.DoMmapRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DoMmap, Required: true}, + {Handle: probes.DoMmapRet, Required: true}, + }, }, Sets: []string{"fs", "fs_file_ops", "proc", "proc_mem"}, Params: []trace.ArgMeta{ @@ -5570,13 +5799,17 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "security_file_mprotect", DocPath: "lsm_hooks/security_file_mprotect.md", - Probes: []probeDependency{ - {Handle: probes.SecurityFileMProtect, Required: true}, - {Handle: probes.SyscallEnter__Internal, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Mprotect), uint32(PkeyMprotect)}, ProgName: "sys_enter_init"}, + Probes: []probeDependency{ + {Handle: probes.SecurityFileMProtect, Required: true}, + {Handle: probes.SyscallEnter__Internal, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Mprotect), uint32(PkeyMprotect)}, + ), }, }, Sets: []string{"lsm_hooks", "proc", "proc_mem", "fs", "fs_file_ops"}, @@ -5595,7 +5828,7 @@ var Definitions = eventDefinitions{ Name: "init_namespaces", Sets: []string{}, Dependencies: dependencies{ - Capabilities: capDependency{ + Capabilities: capsDependency{ capabilities.Base: []cap.Value{ cap.SYS_PTRACE, }, @@ -5618,10 +5851,22 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "socket_dup", Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}, ProgName: "sys_enter_init"}, - {MapName: "sys_exit_init_tail", MapIndexes: []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}, ProgName: "sys_exit_init"}, - {MapName: "sys_exit_tails", MapIndexes: []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}, ProgName: "sys_dup_exit_tail"}, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}, + ), + NewTailCall( + "sys_exit_init_tail", + "sys_exit_init", + []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}, + ), + NewTailCall( + "sys_exit_tails", + "sys_dup_exit_tail", + []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}, + ), }, }, Sets: []string{}, @@ -5634,8 +5879,10 @@ var Definitions = eventDefinitions{ HiddenInodes: { ID32Bit: sys32undefined, Name: "hidden_inodes", - Probes: []probeDependency{ - {Handle: probes.Filldir64, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.Filldir64, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5645,9 +5892,11 @@ var Definitions = eventDefinitions{ KernelWrite: { ID32Bit: sys32undefined, Name: "__kernel_write", - Probes: []probeDependency{ - {Handle: probes.KernelWrite, Required: true}, - {Handle: probes.KernelWriteRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.KernelWrite, Required: true}, + {Handle: probes.KernelWriteRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5661,12 +5910,12 @@ var Definitions = eventDefinitions{ DirtyPipeSplice: { ID32Bit: sys32undefined, Name: "dirty_pipe_splice", - Probes: []probeDependency{ - {Handle: probes.DoSplice, Required: true}, - {Handle: probes.DoSpliceRet, Required: true}, - }, - Sets: []string{}, + Sets: []string{}, Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DoSplice, Required: true}, + {Handle: probes.DoSpliceRet, Required: true}, + }, KSymbols: &[]kSymbolDependency{ {Symbol: "pipefifo_fops", Required: true}, }, @@ -5733,8 +5982,10 @@ var Definitions = eventDefinitions{ ProcCreate: { ID32Bit: sys32undefined, Name: "proc_create", - Probes: []probeDependency{ - {Handle: probes.ProcCreate, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.ProcCreate, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5745,9 +5996,11 @@ var Definitions = eventDefinitions{ KprobeAttach: { ID32Bit: sys32undefined, Name: "kprobe_attach", - Probes: []probeDependency{ - {Handle: probes.RegisterKprobe, Required: true}, - {Handle: probes.RegisterKprobeRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.RegisterKprobe, Required: true}, + {Handle: probes.RegisterKprobeRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5759,8 +6012,10 @@ var Definitions = eventDefinitions{ CallUsermodeHelper: { ID32Bit: sys32undefined, Name: "call_usermodehelper", - Probes: []probeDependency{ - {Handle: probes.CallUsermodeHelper, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.CallUsermodeHelper, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5773,8 +6028,10 @@ var Definitions = eventDefinitions{ DebugfsCreateFile: { ID32Bit: sys32undefined, Name: "debugfs_create_file", - Probes: []probeDependency{ - {Handle: probes.DebugfsCreateFile, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DebugfsCreateFile, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5788,10 +6045,10 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "print_syscall_table", Internal: true, - Probes: []probeDependency{ - {Handle: probes.PrintSyscallTable, Required: true}, - }, Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.PrintSyscallTable, Required: true}, + }, KSymbols: &[]kSymbolDependency{ {Symbol: "sys_call_table", Required: true}, }, @@ -5821,26 +6078,42 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "hidden_kernel_module_seeker", Internal: true, - Probes: []probeDependency{ - {Handle: probes.HiddenKernelModuleSeeker, Required: true}, - {Handle: probes.HiddenKernelModuleVerifier, Required: true}, - {Handle: probes.ModuleLoad, Required: true}, - {Handle: probes.ModuleFree, Required: true}, - {Handle: probes.DoInitModule, Required: true}, - {Handle: probes.DoInitModuleRet, Required: true}, - {Handle: probes.LayoutAndAllocate, Required: true}, - }, Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.HiddenKernelModuleSeeker, Required: true}, + {Handle: probes.HiddenKernelModuleVerifier, Required: true}, + {Handle: probes.ModuleLoad, Required: true}, + {Handle: probes.ModuleFree, Required: true}, + {Handle: probes.DoInitModule, Required: true}, + {Handle: probes.DoInitModuleRet, Required: true}, + {Handle: probes.LayoutAndAllocate, Required: true}, + }, KSymbols: &[]kSymbolDependency{ {Symbol: "modules", Required: true}, {Symbol: "module_kset", Required: true}, {Symbol: "mod_tree", Required: true}, }, - TailCalls: []TailCall{ - {MapName: "prog_array", MapIndexes: []uint32{tailHiddenKernelModuleProc}, ProgName: "lkm_seeker_proc_tail"}, - {MapName: "prog_array", MapIndexes: []uint32{tailHiddenKernelModuleKset}, ProgName: "lkm_seeker_kset_tail"}, - {MapName: "prog_array", MapIndexes: []uint32{tailHiddenKernelModuleModTree}, ProgName: "lkm_seeker_mod_tree_tail"}, - {MapName: "prog_array", MapIndexes: []uint32{tailHiddenKernelModuleNewModOnly}, ProgName: "lkm_seeker_new_mod_only_tail"}, + TailCalls: []*TailCall{ + NewTailCall( + "prog_array", + "lkm_seeker_proc_tail", + []uint32{TailHiddenKernelModuleProc}, + ), + NewTailCall( + "prog_array", + "lkm_seeker_kset_tail", + []uint32{TailHiddenKernelModuleKset}, + ), + NewTailCall( + "prog_array", + "lkm_seeker_mod_tree_tail", + []uint32{TailHiddenKernelModuleModTree}, + ), + NewTailCall( + "prog_array", + "lkm_seeker_new_mod_only_tail", + []uint32{TailHiddenKernelModuleNewModOnly}, + ), }, }, Sets: []string{}, @@ -5863,7 +6136,7 @@ var Definitions = eventDefinitions{ {EventID: DoInitModule}, {EventID: PrintSyscallTable}, }, - Capabilities: capDependency{ + Capabilities: capsDependency{ capabilities.Base: []cap.Value{ cap.SYSLOG, // read /proc/kallsyms }, @@ -5877,8 +6150,10 @@ var Definitions = eventDefinitions{ DebugfsCreateDir: { ID32Bit: sys32undefined, Name: "debugfs_create_dir", - Probes: []probeDependency{ - {Handle: probes.DebugfsCreateDir, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DebugfsCreateDir, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5889,8 +6164,10 @@ var Definitions = eventDefinitions{ DeviceAdd: { ID32Bit: sys32undefined, Name: "device_add", - Probes: []probeDependency{ - {Handle: probes.DeviceAdd, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DeviceAdd, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5901,9 +6178,11 @@ var Definitions = eventDefinitions{ RegisterChrdev: { ID32Bit: sys32undefined, Name: "register_chrdev", - Probes: []probeDependency{ - {Handle: probes.RegisterChrdev, Required: true}, - {Handle: probes.RegisterChrdevRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.RegisterChrdev, Required: true}, + {Handle: probes.RegisterChrdevRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -5916,11 +6195,11 @@ var Definitions = eventDefinitions{ SharedObjectLoaded: { ID32Bit: sys32undefined, Name: "shared_object_loaded", - Probes: []probeDependency{ - {Handle: probes.SecurityMmapFile, Required: true}, - }, Dependencies: dependencies{ - Capabilities: capDependency{ + Probes: []probeDependency{ + {Handle: probes.SecurityMmapFile, Required: true}, + }, + Capabilities: capsDependency{ capabilities.Base: []cap.Value{ cap.SYS_PTRACE, // loadSharedObjectDynamicSymbols() }, @@ -5939,7 +6218,6 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "symbols_loaded", DocPath: "security_alerts/symbols_load.md", - Probes: []probeDependency{}, Dependencies: dependencies{ Events: []eventDependency{ {EventID: SharedObjectLoaded}, @@ -5956,7 +6234,6 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "symbols_collision", DocPath: "security_alerts/symbols_collision.md", - Probes: []probeDependency{}, Dependencies: dependencies{ Events: []eventDependency{ {EventID: SharedObjectLoaded}, @@ -5974,20 +6251,36 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "capture_file_write", Internal: true, - Probes: []probeDependency{ - {Handle: probes.VfsWrite, Required: true}, - {Handle: probes.VfsWriteRet, Required: true}, - {Handle: probes.VfsWriteV, Required: false}, - {Handle: probes.VfsWriteVRet, Required: false}, - {Handle: probes.KernelWrite, Required: false}, - {Handle: probes.KernelWriteRet, Required: false}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "prog_array", MapIndexes: []uint32{tailVfsWrite}, ProgName: "trace_ret_vfs_write_tail"}, - {MapName: "prog_array", MapIndexes: []uint32{tailVfsWritev}, ProgName: "trace_ret_vfs_writev_tail"}, - {MapName: "prog_array", MapIndexes: []uint32{tailKernelWrite}, ProgName: "trace_ret_kernel_write_tail"}, - {MapName: "prog_array", MapIndexes: []uint32{tailSendBin}, ProgName: "send_bin"}, + Probes: []probeDependency{ + {Handle: probes.VfsWrite, Required: true}, + {Handle: probes.VfsWriteRet, Required: true}, + {Handle: probes.VfsWriteV, Required: false}, + {Handle: probes.VfsWriteVRet, Required: false}, + {Handle: probes.KernelWrite, Required: false}, + {Handle: probes.KernelWriteRet, Required: false}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "prog_array", + "trace_ret_vfs_write_tail", + []uint32{TailVfsWrite}, + ), + NewTailCall( + "prog_array", + "trace_ret_vfs_writev_tail", + []uint32{TailVfsWritev}, + ), + NewTailCall( + "prog_array", + "trace_ret_kernel_write_tail", + []uint32{TailKernelWrite}, + ), + NewTailCall( + "prog_array", + "send_bin", + []uint32{TailSendBin}, + ), }, KSymbols: &[]kSymbolDependency{ {Symbol: "pipefifo_fops", Required: true}, @@ -5998,17 +6291,29 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "capture_file_read", Internal: true, - Probes: []probeDependency{ - {Handle: probes.VfsRead, Required: true}, - {Handle: probes.VfsReadRet, Required: true}, - {Handle: probes.VfsReadV, Required: false}, - {Handle: probes.VfsReadVRet, Required: false}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "prog_array", MapIndexes: []uint32{tailVfsRead}, ProgName: "trace_ret_vfs_read_tail"}, - {MapName: "prog_array", MapIndexes: []uint32{tailVfsReadv}, ProgName: "trace_ret_vfs_readv_tail"}, - {MapName: "prog_array", MapIndexes: []uint32{tailSendBin}, ProgName: "send_bin"}, + Probes: []probeDependency{ + {Handle: probes.VfsRead, Required: true}, + {Handle: probes.VfsReadRet, Required: true}, + {Handle: probes.VfsReadV, Required: false}, + {Handle: probes.VfsReadVRet, Required: false}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "prog_array", + "trace_ret_vfs_read_tail", + []uint32{TailVfsRead}, + ), + NewTailCall( + "prog_array", + "trace_ret_vfs_readv_tail", + []uint32{TailVfsReadv}, + ), + NewTailCall( + "prog_array", + "send_bin", + []uint32{TailSendBin}, + ), }, KSymbols: &[]kSymbolDependency{ {Symbol: "pipefifo_fops", Required: true}, @@ -6025,7 +6330,7 @@ var Definitions = eventDefinitions{ EventID: SchedProcessExec, }, }, - Capabilities: capDependency{ + Capabilities: capsDependency{ capabilities.Base: []cap.Value{ cap.SYS_PTRACE, // processSchedProcessExec() performance }, @@ -6036,17 +6341,29 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "capture_module", Internal: true, - Probes: []probeDependency{ - {Handle: probes.SyscallEnter__Internal, Required: true}, - {Handle: probes.SyscallExit__Internal, Required: true}, - {Handle: probes.SecurityKernelPostReadFile, Required: true}, - }, Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SyscallEnter__Internal, Required: true}, + {Handle: probes.SyscallExit__Internal, Required: true}, + {Handle: probes.SecurityKernelPostReadFile, Required: true}, + }, Events: []eventDependency{{EventID: SchedProcessExec}}, - TailCalls: []TailCall{ - {MapName: "sys_enter_tails", MapIndexes: []uint32{uint32(InitModule)}, ProgName: "syscall__init_module"}, - {MapName: "prog_array_tp", MapIndexes: []uint32{tailSendBinTP}, ProgName: "send_bin_tp"}, - {MapName: "prog_array", MapIndexes: []uint32{tailSendBin}, ProgName: "send_bin"}, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_tails", + "syscall__init_module", + []uint32{uint32(InitModule)}, + ), + NewTailCall( + "prog_array_tp", + "send_bin_tp", + []uint32{TailSendBinTP}, + ), + NewTailCall( + "prog_array", + "send_bin", + []uint32{TailSendBin}, + ), }, }, }, @@ -6055,8 +6372,12 @@ var Definitions = eventDefinitions{ Name: "capture_mem", Internal: true, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "prog_array", MapIndexes: []uint32{tailSendBin}, ProgName: "send_bin"}, + TailCalls: []*TailCall{ + NewTailCall( + "prog_array", + "send_bin", + []uint32{TailSendBin}, + ), }, }, }, @@ -6064,24 +6385,29 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "capture_bpf", Internal: true, - Probes: []probeDependency{ - {Handle: probes.SecurityBPF, Required: true}, - }, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "prog_array", MapIndexes: []uint32{tailSendBin}, ProgName: "send_bin"}, + Probes: []probeDependency{ + {Handle: probes.SecurityBPF, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "prog_array", + "send_bin", + []uint32{TailSendBin}, + ), }, }, }, DoInitModule: { ID32Bit: sys32undefined, Name: "do_init_module", - Probes: []probeDependency{ - {Handle: probes.DoInitModule, Required: true}, - {Handle: probes.DoInitModuleRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DoInitModule, Required: true}, + {Handle: probes.DoInitModuleRet, Required: true}, + }, }, - Dependencies: dependencies{}, - Sets: []string{}, + Sets: []string{}, Params: []trace.ArgMeta{ {Type: "const char*", Name: "name"}, {Type: "const char*", Name: "version"}, @@ -6091,11 +6417,12 @@ var Definitions = eventDefinitions{ ModuleLoad: { ID32Bit: sys32undefined, Name: "module_load", - Probes: []probeDependency{ - {Handle: probes.ModuleLoad, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.ModuleLoad, Required: true}, + }, }, - Dependencies: dependencies{}, - Sets: []string{}, + Sets: []string{}, Params: []trace.ArgMeta{ {Type: "const char*", Name: "name"}, {Type: "const char*", Name: "version"}, @@ -6105,11 +6432,12 @@ var Definitions = eventDefinitions{ ModuleFree: { ID32Bit: sys32undefined, Name: "module_free", - Probes: []probeDependency{ - {Handle: probes.ModuleFree, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.ModuleFree, Required: true}, + }, }, - Dependencies: dependencies{}, - Sets: []string{}, + Sets: []string{}, Params: []trace.ArgMeta{ {Type: "const char*", Name: "name"}, {Type: "const char*", Name: "version"}, @@ -6120,14 +6448,18 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "socket_accept", Internal: false, - Probes: []probeDependency{ - {Handle: probes.SyscallEnter__Internal, Required: true}, - {Handle: probes.SyscallExit__Internal, Required: true}, - }, Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SyscallEnter__Internal, Required: true}, + {Handle: probes.SyscallExit__Internal, Required: true}, + }, Events: []eventDependency{{EventID: SecuritySocketAccept}}, - TailCalls: []TailCall{ - {MapName: "sys_exit_tails", MapIndexes: []uint32{uint32(Accept), uint32(Accept4)}, ProgName: "syscall__accept4"}, + TailCalls: []*TailCall{ + NewTailCall( + "sys_exit_tails", + "syscall__accept4", + []uint32{uint32(Accept), uint32(Accept4)}, + ), }, }, Sets: []string{}, @@ -6139,8 +6471,10 @@ var Definitions = eventDefinitions{ LoadElfPhdrs: { ID32Bit: sys32undefined, Name: "load_elf_phdrs", - Probes: []probeDependency{ - {Handle: probes.LoadElfPhdrs, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.LoadElfPhdrs, Required: true}, + }, }, Sets: []string{"proc"}, Params: []trace.ArgMeta{ @@ -6152,10 +6486,10 @@ var Definitions = eventDefinitions{ HookedProcFops: { ID32Bit: sys32undefined, Name: "hooked_proc_fops", - Probes: []probeDependency{ - {Handle: probes.SecurityFilePermission, Required: true}, - }, Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityFilePermission, Required: true}, + }, KSymbols: &[]kSymbolDependency{ {Symbol: "_stext", Required: true}, {Symbol: "_etext", Required: true}, @@ -6163,7 +6497,7 @@ var Definitions = eventDefinitions{ Events: []eventDependency{ {EventID: DoInitModule}, }, - Capabilities: capDependency{ + Capabilities: capsDependency{ capabilities.Base: []cap.Value{ cap.SYSLOG, // read /proc/kallsyms }, @@ -6177,10 +6511,10 @@ var Definitions = eventDefinitions{ PrintNetSeqOps: { ID32Bit: sys32undefined, Name: "print_net_seq_ops", - Probes: []probeDependency{ - {Handle: probes.PrintNetSeqOps, Required: true}, - }, Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.PrintNetSeqOps, Required: true}, + }, KSymbols: &[]kSymbolDependency{ {Symbol: "tcp4_seq_ops", Required: true}, {Symbol: "tcp6_seq_ops", Required: true}, @@ -6209,7 +6543,7 @@ var Definitions = eventDefinitions{ {EventID: PrintNetSeqOps}, {EventID: DoInitModule}, }, - Capabilities: capDependency{ + Capabilities: capsDependency{ capabilities.Base: []cap.Value{ cap.SYSLOG, // read /proc/kallsyms }, @@ -6223,8 +6557,10 @@ var Definitions = eventDefinitions{ TaskRename: { ID32Bit: sys32undefined, Name: "task_rename", - Probes: []probeDependency{ - {Handle: probes.TaskRename, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.TaskRename, Required: true}, + }, }, Sets: []string{"proc"}, Params: []trace.ArgMeta{ @@ -6235,8 +6571,10 @@ var Definitions = eventDefinitions{ SecurityInodeRename: { ID32Bit: sys32undefined, Name: "security_inode_rename", - Probes: []probeDependency{ - {Handle: probes.SecurityInodeRename, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityInodeRename, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6247,8 +6585,10 @@ var Definitions = eventDefinitions{ DoSigaction: { ID32Bit: sys32undefined, Name: "do_sigaction", - Probes: []probeDependency{ - {Handle: probes.DoSigaction, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DoSigaction, Required: true}, + }, }, Sets: []string{"proc"}, Params: []trace.ArgMeta{ @@ -6269,13 +6609,15 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "bpf_attach", DocPath: "docs/events/builtin/extra/bpf_attach.md", - Probes: []probeDependency{ - {Handle: probes.SecurityFileIoctl, Required: true}, - {Handle: probes.SecurityBpfProg, Required: true}, - {Handle: probes.SecurityBPF, Required: true}, - {Handle: probes.TpProbeRegPrioMayExist, Required: true}, - {Handle: probes.CheckHelperCall, Required: false}, - {Handle: probes.CheckMapFuncCompatibility, Required: false}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityFileIoctl, Required: true}, + {Handle: probes.SecurityBpfProg, Required: true}, + {Handle: probes.SecurityBPF, Required: true}, + {Handle: probes.TpProbeRegPrioMayExist, Required: true}, + {Handle: probes.CheckHelperCall, Required: false}, + {Handle: probes.CheckMapFuncCompatibility, Required: false}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6292,9 +6634,11 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "kallsyms_lookup_name", DocPath: "kprobes/kallsyms_lookup_name.md", - Probes: []probeDependency{ - {Handle: probes.KallsymsLookupName, Required: true}, - {Handle: probes.KallsymsLookupNameRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.KallsymsLookupName, Required: true}, + {Handle: probes.KallsymsLookupNameRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6306,36 +6650,38 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "print_mem_dump", Sets: []string{}, - Params: []trace.ArgMeta{ - {Type: "bytes", Name: "bytes"}, - {Type: "void*", Name: "address"}, - {Type: "u64", Name: "length"}, - {Type: "u64", Name: "caller_context_id"}, - {Type: "char*", Name: "arch"}, - {Type: "char*", Name: "symbol_name"}, - {Type: "char*", Name: "symbol_owner"}, - }, - Probes: []probeDependency{ - {Handle: probes.PrintMemDump, Required: true}, - }, Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.PrintMemDump, Required: true}, + }, Events: []eventDependency{ {EventID: DoInitModule}, }, KSymbols: &[]kSymbolDependency{}, - Capabilities: capDependency{ + Capabilities: capsDependency{ capabilities.Base: []cap.Value{ cap.SYSLOG, // read /proc/kallsyms }, }, }, + Params: []trace.ArgMeta{ + {Type: "bytes", Name: "bytes"}, + {Type: "void*", Name: "address"}, + {Type: "u64", Name: "length"}, + {Type: "u64", Name: "caller_context_id"}, + {Type: "char*", Name: "arch"}, + {Type: "char*", Name: "symbol_name"}, + {Type: "char*", Name: "symbol_owner"}, + }, }, VfsRead: { ID32Bit: sys32undefined, Name: "vfs_read", - Probes: []probeDependency{ - {Handle: probes.VfsRead, Required: true}, - {Handle: probes.VfsReadRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.VfsRead, Required: true}, + {Handle: probes.VfsReadRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6349,9 +6695,11 @@ var Definitions = eventDefinitions{ VfsReadv: { ID32Bit: sys32undefined, Name: "vfs_readv", - Probes: []probeDependency{ - {Handle: probes.VfsReadV, Required: true}, - {Handle: probes.VfsReadVRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.VfsReadV, Required: true}, + {Handle: probes.VfsReadVRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6365,9 +6713,11 @@ var Definitions = eventDefinitions{ VfsUtimes: { ID32Bit: sys32undefined, Name: "vfs_utimes", - Probes: []probeDependency{ - {Handle: probes.VfsUtimes, Required: false}, // this probe exits in kernels >= 5.9 - {Handle: probes.UtimesCommon, Required: false}, // this probe exits in kernels < 5.9 + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.VfsUtimes, Required: false}, // this probe exits in kernels >= 5.9 + {Handle: probes.UtimesCommon, Required: false}, // this probe exits in kernels < 5.9 + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6381,8 +6731,10 @@ var Definitions = eventDefinitions{ DoTruncate: { ID32Bit: sys32undefined, Name: "do_truncate", - Probes: []probeDependency{ - {Handle: probes.DoTruncate, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.DoTruncate, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6404,21 +6756,25 @@ var Definitions = eventDefinitions{ {Type: "unsigned long", Name: "old_ctime"}, {Type: "unsigned long", Name: "new_ctime"}, }, - Probes: []probeDependency{ - {Handle: probes.FdInstall, Required: true}, - {Handle: probes.FilpClose, Required: true}, - {Handle: probes.FileUpdateTime, Required: true}, - {Handle: probes.FileUpdateTimeRet, Required: true}, - {Handle: probes.FileModified, Required: false}, // not required because doesn't ... - {Handle: probes.FileModifiedRet, Required: false}, // ... exist in kernels < 5.3 + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.FdInstall, Required: true}, + {Handle: probes.FilpClose, Required: true}, + {Handle: probes.FileUpdateTime, Required: true}, + {Handle: probes.FileUpdateTimeRet, Required: true}, + {Handle: probes.FileModified, Required: false}, // not required because doesn't ... + {Handle: probes.FileModifiedRet, Required: false}, // ... exist in kernels < 5.3 + }, }, }, InotifyWatch: { ID32Bit: sys32undefined, Name: "inotify_watch", - Probes: []probeDependency{ - {Handle: probes.InotifyFindInode, Required: true}, - {Handle: probes.InotifyFindInodeRet, Required: true}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.InotifyFindInode, Required: true}, + {Handle: probes.InotifyFindInodeRet, Required: true}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6431,11 +6787,13 @@ var Definitions = eventDefinitions{ ID32Bit: sys32undefined, Name: "security_bpf_prog", DocPath: "docs/events/builtin/extra/security_bpf_prog.md", - Probes: []probeDependency{ - {Handle: probes.SecurityBpfProg, Required: true}, - {Handle: probes.BpfCheck, Required: true}, - {Handle: probes.CheckHelperCall, Required: false}, - {Handle: probes.CheckMapFuncCompatibility, Required: false}, + Dependencies: dependencies{ + Probes: []probeDependency{ + {Handle: probes.SecurityBpfProg, Required: true}, + {Handle: probes.BpfCheck, Required: true}, + {Handle: probes.CheckHelperCall, Required: false}, + {Handle: probes.CheckMapFuncCompatibility, Required: false}, + }, }, Sets: []string{}, Params: []trace.ArgMeta{ @@ -6451,10 +6809,26 @@ var Definitions = eventDefinitions{ Name: "process_execute_failed", Sets: []string{"proc"}, Dependencies: dependencies{ - TailCalls: []TailCall{ - {MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Execve), uint32(Execveat)}, ProgName: "sys_enter_init"}, - {MapName: "prog_array", MapIndexes: []uint32{TailExecBinprm1}, ProgName: "trace_ret_exec_binprm1"}, - {MapName: "prog_array", MapIndexes: []uint32{TailExecBinprm2}, ProgName: "trace_ret_exec_binprm2"}, + Probes: []probeDependency{ + {Handle: probes.ExecBinprm, Required: true}, + {Handle: probes.ExecBinprmRet, Required: true}, + }, + TailCalls: []*TailCall{ + NewTailCall( + "sys_enter_init_tail", + "sys_enter_init", + []uint32{uint32(Execve), uint32(Execveat)}, + ), + NewTailCall( + "prog_array", + "trace_ret_exec_binprm1", + []uint32{TailExecBinprm1}, + ), + NewTailCall( + "prog_array", + "trace_ret_exec_binprm2", + []uint32{TailExecBinprm2}, + ), }, }, Params: []trace.ArgMeta{ @@ -6471,10 +6845,6 @@ var Definitions = eventDefinitions{ {Type: "const char*const*", Name: "binary.arguments"}, {Type: "const char*const*", Name: "environment"}, }, - Probes: []probeDependency{ - {Handle: probes.ExecBinprm, Required: true}, - {Handle: probes.ExecBinprmRet, Required: true}, - }, }, // // Network Protocol Event Types (add new events above here) @@ -6484,21 +6854,21 @@ var Definitions = eventDefinitions{ Name: "net_packet_base", Internal: true, Dependencies: dependencies{ - Capabilities: capDependency{ + Capabilities: capsDependency{ capabilities.EBPF: []cap.Value{ cap.NET_ADMIN, // needed for BPF_PROG_TYPE_CGROUP_SKB }, }, - }, - Probes: []probeDependency{ - {Handle: probes.CgroupSKBIngress, Required: true}, - {Handle: probes.CgroupSKBEgress, Required: true}, - {Handle: probes.SockAllocFile, Required: true}, - {Handle: probes.SockAllocFileRet, Required: true}, - {Handle: probes.CgroupBPFRunFilterSKB, Required: true}, - {Handle: probes.SecuritySocketRecvmsg, Required: true}, - {Handle: probes.SecuritySocketSendmsg, Required: true}, - {Handle: probes.SecuritySkClone, Required: true}, + Probes: []probeDependency{ + {Handle: probes.CgroupSKBIngress, Required: true}, + {Handle: probes.CgroupSKBEgress, Required: true}, + {Handle: probes.SockAllocFile, Required: true}, + {Handle: probes.SockAllocFileRet, Required: true}, + {Handle: probes.CgroupBPFRunFilterSKB, Required: true}, + {Handle: probes.SecuritySocketRecvmsg, Required: true}, + {Handle: probes.SecuritySocketSendmsg, Required: true}, + {Handle: probes.SecuritySkClone, Required: true}, + }, }, Sets: []string{"network_events"}, Params: []trace.ArgMeta{},