-
Notifications
You must be signed in to change notification settings - Fork 417
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add check_syscall_source
event
#3953
base: main
Are you sure you want to change the base?
Conversation
The ebpf code for this event contains a call to the Because this helper uses a callback function or in verifier terms a "bpf-to-bpf call", this program cannot be combined with tail calls (which it uses) on some older kernels, even though the helper call would not be called on those kernels. As a result, this event must be split into 2 separate programs that will be loaded conditionally based on kernel version. Currently no such mechanism exists, but is in the works. When such a mechanism will be implemented this event will be split into 2 programs so it can be merged. EDITThe logic for newer kernels which uses the |
c45b5fc
to
a6c4e35
Compare
d90fe4e
to
3a29a8c
Compare
daec435
to
03d7be9
Compare
abd31e6
to
eb312fe
Compare
@oshaked1 I'm converting this to draft since we're tackling the release and filtering in ready PRs, ok? Please be welcome to set status again the later. |
eb312fe
to
609e78f
Compare
6fc9f61
to
4c70e9e
Compare
82bc699
to
49499c2
Compare
0d4d80e
to
6e8e468
Compare
1. Explain what the PR does
Add a new event,
check_syscall_source
, which reports invocations of syscalls from unusual code locations (stack, heap and anonymous VMAs).It is implemented using generic syscall kprobes, which trigger the analysis only for syscalls that were selected using event parameters, e.g.
tracee -e check_syscall_source.args.syscall=open,openat
.Closes #4002
2. Explain how to test it
The easiest way to test the event is using the included tester program, which executes a small shellcode that invokes the
exit
syscall from the stack/heap/anonymous VMA according to the command line argument. Note that it must be compiled with-z execstack
to be able to run the shellcode from the stack.Another way of testing the event (for arbitrary syscalls) is by packing a program: