Skip to content

Commit

Permalink
feat(ebpf): support events fallback with events state
Browse files Browse the repository at this point in the history
  • Loading branch information
@AlonZivony
AlonZivony committed Apr 7, 2024
1 parent 5211cb7 commit 05ceb49
Showing 1 changed file with 29 additions and 1 deletion.
30 changes: 29 additions & 1 deletion pkg/ebpf/tracee.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,29 @@ func (t *Tracee) addDependencyEventToState(evtID events.ID, dependantEvts []even
}
}

// updateDependenciesStateRecursive change all dependencies submit states to match
// the current state of event emit and dependants submit.
func (t *Tracee) updateDependenciesStateRecursive(eventNode *dependencies.EventNode) {
for _, dependencyEventID := range eventNode.GetDependencies().GetIDs() {
dependencyNode, ok := t.eventsDependencies.GetEvent(dependencyEventID)
if !ok { // event does not exist anymore in dependencies
t.removeEventFromState(dependencyEventID)
continue
}
dependencyState := t.eventsState[dependencyEventID]
newState := events.EventState{
Emit: dependencyState.Emit,
Submit: dependencyState.Emit,
}
for _, dependantID := range dependencyNode.GetDependants() {
dependantState := t.eventsState[dependantID]
newState.Submit |= dependantState.Submit
}
t.eventsState[dependencyEventID] = newState
t.updateDependenciesStateRecursive(dependencyNode)
}
}

func (t *Tracee) removeEventFromState(evtID events.ID) {
logger.Debugw("Cancel event", "event", events.Core.GetDefinitionByID(evtID).GetName())
delete(t.eventsState, evtID)
Expand Down Expand Up @@ -248,6 +271,11 @@ func New(cfg config.Config) (*Tracee, error) {
func(node *dependencies.EventNode) {
t.removeEventFromState(node.GetID())
})
t.eventsDependencies.SubscribeChange(
func(oldNode *dependencies.EventNode, newNode *dependencies.EventNode) {
t.updateDependenciesStateRecursive(oldNode)
t.addDependenciesToStateRecursive(newNode)
})

// Initialize capabilities rings soon

Expand Down Expand Up @@ -928,7 +956,7 @@ func (t *Tracee) validateKallsymsDependencies() {
}

validateEvent := func(eventId events.ID) {
missingDepSyms := getUnavKsyms(evtDefSymDeps(eventId), t.kernelSymbols)
missingDepSyms := getUnavailbaleKsymbols(evtDefSymDeps(eventId), t.kernelSymbols)
shouldFailEvent := false
for _, symDep := range missingDepSyms {
if symDep.IsRequired() {
Expand Down

0 comments on commit 05ceb49

Please sign in to comment.