Add check_syscall_source event #3953
base: main
Conversation
The ebpf code for this event contains a call to the Because this helper uses a callback function, or in verifier terms a "bpf-to-bpf call", this program cannot be combined with tail calls (which it uses) on some older kernels, even though the helper would not be called on those kernels. As a result, this event must be split into 2 separate programs that will be loaded conditionally based on kernel version. Currently no such mechanism exists, but one is in the works. When such a mechanism is implemented, this event will be split into 2 programs so it can be merged. EDIT: The logic for newer kernels which uses the
This event checks, for preselected syscalls, the VMA from which the syscall was called. It determines if the VMA is the stack, the heap or an anonymous VMA (these are unusual for syscalls to be called from) and submits an event if so.
A unique source is identified by a combination of process (tgid and group leader start time), vma address and syscall number.
Currently there are no supported platforms without the CONFIG_ARCH_HAS_SYSCALL_WRAPPER configuration.
Added cache flushes to prevent issues on ARM CPUs
Simplified shellcode to a simple exit(0).
Filtering on check_syscall_source.args.syscall results in the selected syscalls being added to the tail call map for the check_syscall program.
…k_syscall_source event
A recent performance change (f806cb4) results in task info not being populated until the event is submitted.
Init events should be created and submitted even if they should not be emitted.
The usage of this helper prevents the program from being loaded in older kernels, which prevents tracee from running. The alternative VMA lookup logic works only for RB trees (pre 6.1), so this event simply does not generate any output on newer kernels.
32-bit programs on x86-64 may use a fast syscall method, whose code resides in the VDSO VMA. This VMA is not file backed, so it was incorrectly detected as anonymous memory.
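The following is an added user-space model of the classification the event performs in the kernel (it is not tracee's code): it parses a constructed /proc/<pid>/maps excerpt, finds the VMA containing the address a syscall was issued from, reports only stack, heap and anonymous sources, treats kernel-provided mappings such as [vdso] as non-anonymous (the edge case fixed above), and builds the unique-source key described in the event summary. The maps content, the tester path and all addresses are made up for the example.

```python
import re
from collections import namedtuple
# Constructed /proc/<pid>/maps excerpt for a 32-bit process on x86-64 (not real)
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 08:01 1234       /usr/bin/tester
0804d000-0806e000 rw-p 00000000 00:00 0          [heap]
f7f00000-f7f01000 rwxp 00000000 00:00 0
f7fc0000-f7fc2000 r-xp 00000000 00:00 0          [vdso]
ffdd0000-ffdf1000 rwxp 00000000 00:00 0          [stack]
"""

Vma = namedtuple("Vma", "start end perms inode path")
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S+) \S+ \S+ (\d+)\s*(.*)$")

def parse_maps(text):
    """Parse maps lines into Vma records; path is '' for anonymous mappings."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            out.append(Vma(int(m[1], 16), int(m[2], 16), m[3], int(m[4]), m[5]))
    return out

def find_vma(vmas, addr):
    """Return the VMA containing addr, or None if addr is unmapped."""
    return next((v for v in vmas if v.start <= addr < v.end), None)

def classify(vma):
    """Name the VMA class the way the event distinguishes them."""
    if vma is None:
        return "unmapped"
    if vma.path in ("[stack]", "[heap]"):
        return vma.path.strip("[]")
    # [vdso]/[vvar] are kernel-provided and not file backed, yet not anonymous:
    # a 32-bit fast syscall is issued from the vDSO and must not be flagged.
    if vma.path.startswith("["):
        return "special"
    if vma.inode == 0 and vma.path == "":
        return "anonymous"
    return "file"

def check_syscall_source(vmas, pc):
    """Return the suspicious class for a syscall issued from pc, else None."""
    cls = classify(find_vma(vmas, pc))
    return cls if cls in ("stack", "heap", "anonymous") else None

def source_key(tgid, leader_start_time, vma, syscall_nr):
    """The tuple by which the event identifies one unique source."""
    return (tgid, leader_start_time, vma.start, syscall_nr)
```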
@oshaked1 I'm converting this to draft since we're tackling the release and filtering in ready PRs, ok? Please feel welcome to set the status again later.
1. Explain what the PR does
Add a new event, `check_syscall_source`, which reports invocations of syscalls from unusual code locations (stack, heap and anonymous VMAs). It is implemented using a new tail call placed in `sys_enter`, which triggers the analysis only for syscalls that were selected using a filter, e.g. `tracee -e check_syscall_source.args.syscall=open,openat`.
Closes #4002
2. Explain how to test it
The easiest way to test the event is using the included tester program, which executes a small shellcode that invokes the `exit` syscall from the stack/heap/anonymous VMA according to the command line argument. Note that it must be compiled with `-z execstack` to be able to run the shellcode from the stack. Another way of testing the event (for arbitrary syscalls) is by packing a program: