ebpf: add a new required dependency field.

Marking an event as required will make it so failing to attach it will fail tracee. Otherwise, tracee will continue to load as usual and log the failure. Now events can be loaded with partial dependencies.
aquasecurity · Apr 28, 2022 · 6332704 · 6332704
1 parent 88abde1
commit 6332704
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/pkg/ebpf/events_definitions.go b/pkg/ebpf/events_definitions.go
@@ -25,6 +25,7 @@ type probe struct {
 type eventDependency struct {
 	eventID      int32
 	shouldSubmit bool
+	required     bool
 }
 
 type dependencies struct {
@@ -6202,7 +6203,7 @@ var EventsDefinitions = map[int32]EventDefinition{
 		Name:    "container_create",
 		Probes:  []probe{},
 		Dependencies: dependencies{
-			events: []eventDependency{{eventID: CgroupMkdirEventID, shouldSubmit: true}},
+			events: []eventDependency{{eventID: CgroupMkdirEventID, shouldSubmit: true, required: true}},
 		},
 		Sets: []string{},
 		Params: []trace.ArgMeta{
@@ -6216,7 +6217,7 @@ var EventsDefinitions = map[int32]EventDefinition{
 		Name:    "container_remove",
 		Probes:  []probe{},
 		Dependencies: dependencies{
-			events: []eventDependency{{eventID: CgroupRmdirEventID, shouldSubmit: true}},
+			events: []eventDependency{{eventID: CgroupRmdirEventID, shouldSubmit: true, required: true}},
 		},
 		Sets: []string{},
 		Params: []trace.ArgMeta{
@@ -6314,7 +6315,7 @@ var EventsDefinitions = map[int32]EventDefinition{
 		ID32Bit: sys32undefined,
 		Name:    "detect_hooked_syscalls",
 		Dependencies: dependencies{
-			events: []eventDependency{{eventID: FinitModuleEventID}, {eventID: PrintSyscallTableEventID}, {eventID: InitModuleEventID}},
+			events: []eventDependency{{eventID: FinitModuleEventID, required: true}, {eventID: PrintSyscallTableEventID, required: true}, {eventID: InitModuleEventID, required: true}},
 		},
 		Sets: []string{},
 		Params: []trace.ArgMeta{

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -163,8 +163,9 @@ type fileExecInfo struct {
 }
 
 type eventConfig struct {
-	submit bool // event should be submitted to userspace
-	emit   bool // event should be emitted to the user
+	required bool // event must be attached for tracee to function
+	submit   bool // event should be submitted to userspace
+	emit     bool // event should be emitted to the user
 }
 
 // Tracee traces system calls and system events using eBPF
@@ -214,6 +215,9 @@ func (t *Tracee) handleEventsDependencies(e int32, initReq *RequiredInitValues)
 			if dependentEvent.shouldSubmit {
 				ec.submit = true
 			}
+			if dependentEvent.required {
+				ec.required = true
+			}
 			t.events[dependentEvent.eventID] = ec
 			t.handleEventsDependencies(dependentEvent.eventID, initReq)
 		}
@@ -1052,7 +1056,7 @@ func (t *Tracee) initBPF() error {
 		}
 	}
 
-	for e := range t.events {
+	for e, eventConfig := range t.events {
 		event, ok := EventsDefinitions[e]
 		if !ok {
 			continue
@@ -1083,7 +1087,10 @@ func (t *Tracee) initBPF() error {
 				_, err = prog.AttachRawTracepoint(tpEvent)
 			}
 			if err != nil {
-				return fmt.Errorf("error attaching event %s: %v", probe.event, err)
+				if eventConfig.required {
+					return fmt.Errorf("error attaching required event %s: %v", probe.event, err)
+				}
+				t.handleError(fmt.Errorf("error attaching event %s: %v. event was marked as unrequired and tracee will continue to load", probe.event, err))
 			}
 		}
 	}