Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ebpf): use kprobes for execute_finished #4025

Merged
merged 1 commit into from
May 8, 2024
Merged

fix(ebpf): use kprobes for execute_finished #4025

merged 1 commit into from
May 8, 2024

Conversation

AlonZivony
Copy link
Contributor

@AlonZivony AlonZivony commented May 6, 2024
edited
Loading

1. Explain what the PR does

Recently, the process_execute_failed event implementation had been changed to use the new inner execute_finished event. This event has used syscall tracepoints in its implementation. However, tracepoints rely on debugfs, which was not a requirement of tracee until now. To remove this requirement (at least for now), move to use architecture-specific kprobes instead.

Fix #4026

2. Explain how to test it

3. Other comments

@AlonZivony
fix(ebpf): use kprobes for execute_finished
7fb05a5 
Recently, the process_execute_failed event implementation had been changed to use the new inner execute_finished event.
This event has used syscall tracepoints in its implementation.
However, tracepoints rely on debugfs, which was not a requirement of tracee until now.
To remove this requirement (at least for now), move to use architecture-specific kprobes instead.
@AlonZivony AlonZivony requested a review from yanivagman May 6, 2024 13:25
@AlonZivony AlonZivony force-pushed the feature/execute-finished-using-kprobes branch from 9f276d4 to 7fb05a5 Compare May 6, 2024 13:26
@AlonZivony AlonZivony requested a review from OriGlassman May 6, 2024 13:27
yanivagman
yanivagman approved these changes May 8, 2024
View reviewed changes
Copy link
Collaborator

@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Please backport to v0.21.0 branch as well

@yanivagman yanivagman merged commit 14c106e into aquasecurity:main May 8, 2024
32 checks passed
AlonZivony added a commit to AlonZivony/tracee that referenced this pull request May 8, 2024
@AlonZivony
fix(ebpf): use kprobes for execute_finished (aquasecurity#4025)
1786b62 
Recently, the process_execute_failed event implementation had been changed to use the new inner execute_finished event.
This event has used syscall tracepoints in its implementation.
However, tracepoints rely on debugfs, which was not a requirement of tracee until now.
To remove this requirement (at least for now), move to use architecture-specific kprobes instead.

(cherry picked from commit 14c106e)
@AlonZivony AlonZivony mentioned this pull request May 8, 2024
Merged
yanivagman pushed a commit that referenced this pull request May 8, 2024
@AlonZivony
fix(ebpf): use kprobes for execute_finished (#4025) (#4030)
fee4447 
Recently, the process_execute_failed event implementation had been changed to use the new inner execute_finished event.
This event has used syscall tracepoints in its implementation.
However, tracepoints rely on debugfs, which was not a requirement of tracee until now.
To remove this requirement (at least for now), move to use architecture-specific kprobes instead.

(cherry picked from commit 14c106e)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yanivagman yanivagman yanivagman approved these changes

@OriGlassman OriGlassman OriGlassman approved these changes

Assignees

@AlonZivony AlonZivony

Labels
area/ebpf area/events milestone/v0.21.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

execute_finished tracepoints are missing when debugfs is not accessible
3 participants
@AlonZivony @yanivagman @OriGlassman