
fix(events): hidden_kernel_module - change history scan behaviour #4020

Merged
merged 1 commit into from
May 5, 2024

Conversation

OriGlassman
Collaborator

@OriGlassman OriGlassman commented May 5, 2024

1. Explain what the PR does

fix(events): hidden_kernel_module - change history scan behaviour

The MAX_NUM_MODULES was recently decreased from 600 to 450 and is anyway relatively small.
In case there are more modules to iterate on than the number of iterations done, it will report the rest as false positives.
To mitigate that, an LRU holds the suspected events and waits until the scan finishes: if the scan finished successfully, it sends the events; otherwise it deletes them.

This was introduced in kernel 6.5, where the mod_tree contains 3x as many nodes as before, and 450 iterations are not enough if there are about 450/3 modules loaded in the system.

When it's possible to use bpf_loop (currently the RHEL verifier fails if the helper exists in the code; specific program loading might solve it), this patch needs to be reverted and the patch that uses bpf_loop needs to be used instead.

Closes #4021

2. Explain how to test it

./tracee -e=hidden_kernel_module

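The failure mode and the LRU deferral described in the PR description above, as an added simulation in Go; this is an illustration written for this page, not Tracee's eBPF or Go code. It assumes a deliberately simplified model: `kernelView`, `boundedWalk`, `unconfirmed`, `suspectLRU`, `buildView` and `maxNumModules` are hypothetical names, the "tree" is a flat slice with one entry per node (3 per module to mimic the 6.5 layout the description mentions), and the comparison direction (a module listed in `known` but absent from `tree` counts as the genuine find) is a modeling choice rather than Tracee's actual check. What it shows is the mechanism: a verifier-style iteration budget that runs out before the walk ends, the pre-fix report that turns every unreached module into a false positive, and the post-fix report that parks suspects until the scan is known to have finished.

```go
package main

import (
	"container/list"
	"fmt"
)

// Constructed simulation of the PR's failure mode and fix; not Tracee's code.
// Pre-fix, every module the bounded walk left unconfirmed is reported, so a
// truncated walk yields false positives. Post-fix, suspects wait in an LRU.

const maxNumModules = 450 // the iteration budget named in the PR

// kernelView is a hypothetical model: known lists the names the detector expects
// to confirm; tree holds one entry per node in walk order (3 per module on 6.5+).
type kernelView struct{ known, tree []string }

// boundedWalk visits at most budget nodes, like a verifier-bounded loop that
// cannot fall back on bpf_loop. finished is false when the budget ran out.
func boundedWalk(view kernelView, budget int) (confirmed map[string]bool, finished bool) {
	confirmed = map[string]bool{}
	for i, name := range view.tree {
		if i >= budget {
			return confirmed, false
		}
		confirmed[name] = true
	}
	return confirmed, true
}

// unconfirmed is the pre-fix report: every module the walk did not confirm.
func unconfirmed(view kernelView, confirmed map[string]bool) []string {
	var names []string
	for _, name := range view.known {
		if !confirmed[name] {
			names = append(names, name)
		}
	}
	return names
}

// suspectLRU parks suspects until the scan outcome is known; capacity bounds
// memory if scans keep failing, and the oldest suspect is evicted first.
type suspectLRU struct {
	capacity int
	order    *list.List
	index    map[string]*list.Element
}

func newSuspectLRU(capacity int) *suspectLRU {
	return &suspectLRU{capacity: capacity, order: list.New(), index: map[string]*list.Element{}}
}

func (l *suspectLRU) add(name string) {
	if el, ok := l.index[name]; ok {
		l.order.MoveToFront(el)
		return
	}
	l.index[name] = l.order.PushFront(name)
	if l.order.Len() > l.capacity {
		oldest := l.order.Back()
		l.order.Remove(oldest)
		delete(l.index, oldest.Value.(string))
	}
}

// flush empties the LRU, emitting suspects (oldest first) only when the scan
// finished; a truncated scan cannot vouch for them, so they are dropped.
func (l *suspectLRU) flush(finished bool) []string {
	var emitted []string
	if finished {
		for el := l.order.Back(); el != nil; el = el.Prev() {
			emitted = append(emitted, el.Value.(string))
		}
	}
	l.order.Init()
	l.index = map[string]*list.Element{}
	return emitted
}

// reportDeferred is the post-fix report: park every suspect, then emit or drop.
func reportDeferred(view kernelView, budget int, lru *suspectLRU) []string {
	confirmed, finished := boundedWalk(view, budget)
	for _, name := range unconfirmed(view, confirmed) {
		lru.add(name)
	}
	return lru.flush(finished)
}

// buildView constructs n modules with nodesPerModule tree nodes each, plus one
// module present in known but absent from the tree (the genuine find).
func buildView(n, nodesPerModule int) kernelView {
	var view kernelView
	for i := 0; i < n; i++ {
		name := fmt.Sprintf("mod%03d", i)
		view.known = append(view.known, name)
		for k := 0; k < nodesPerModule; k++ {
			view.tree = append(view.tree, name)
		}
	}
	view.known = append(view.known, "missing_from_tree")
	return view
}
```

Run with `buildView(200, 3)` and the 450 budget: the walk confirms only the first 150 modules, so the pre-fix report flags 51 names of which 50 are false positives, while the post-fix report emits nothing for that truncated scan. The caveat is visible in the same run: the genuine `missing_from_tree` suspect is dropped along with the noise, so the deferral trades false positives for missed detections whenever the module count exceeds the budget, which is why the description treats the bpf_loop version as the real fix once the verifier allows it.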
Collaborator

@yanivagman yanivagman left a comment

LGTM

@yanivagman yanivagman merged commit f899a86 into aquasecurity:v0.21.0 May 5, 2024
3 checks passed
@yanivagman yanivagman linked an issue May 9, 2024 that may be closed by this pull request
Linked issue: hidden kernel module potential FP