feat(ksymbols): reimplement ksymbols

This implementation stores all symbols, or if a `requiredDataSymbolsOnly` flag is used when creating the symbol table, only non-data symbols are saved (and required data symbols must be registered before updating). This new implementation uses a generic symbol table implementation that is responsible for managing symbol lookups, and can be used by future code for managing exeutable file symbols.
aquasecurity · Dec 26, 2024 · 421eb9b · 421eb9b
1 parent a481d11
commit 421eb9b
Show file tree

Hide file tree

Showing 13 changed files with 865 additions and 407 deletions.
diff --git a/pkg/ebpf/hooked_syscall_table.go b/pkg/ebpf/hooked_syscall_table.go
@@ -170,7 +170,7 @@ func (t *Tracee) populateExpectedSyscallTableArray(tableMap *bpf.BPFMap) error {
 			return e
 		}
 	}
-	niSyscallAddress := niSyscallSymbol[0].Address
+	niSyscallAddress := niSyscallSymbol[0].Address()
 
 	for i, kernelRestrictionArr := range events.SyscallSymbolNames {
 		syscallName := t.getSyscallNameByKerVer(kernelRestrictionArr)
@@ -199,7 +199,7 @@ func (t *Tracee) populateExpectedSyscallTableArray(tableMap *bpf.BPFMap) error {
 			continue
 		}
 
-		var expectedAddress = kernelSymbol[0].Address
+		var expectedAddress = kernelSymbol[0].Address()
 		err = tableMap.Update(unsafe.Pointer(&index), unsafe.Pointer(&expectedAddress))
 		if err != nil {
 			return err

diff --git a/pkg/ebpf/ksymbols.go b/pkg/ebpf/ksymbols.go
@@ -54,8 +54,8 @@ func (t *Tracee) UpdateKallsyms() error {
 		// ... and update the eBPF map with the symbol address.
 		for _, sym := range symbol {
 			key := make([]byte, maxKsymNameLen)
-			copy(key, sym.Name)
-			addr := sym.Address
+			copy(key, sym.Name())
+			addr := sym.Address()
 
 			// Update the eBPF map with the symbol address.
 			err := bpfKsymsMap.Update(

diff --git a/pkg/ebpf/probes/trace.go b/pkg/ebpf/probes/trace.go
@@ -111,7 +111,7 @@ func (p *TraceProbe) attach(module *bpf.Module, args ...interface{}) error {
 		var err error
 		var link *bpf.BPFLink
 		var attachFunc func(uint64) (*bpf.BPFLink, error)
-		var syms []environment.KernelSymbol
+		var syms []*environment.KernelSymbol
 		// https://github.com/aquasecurity/tracee/issues/3653#issuecomment-1832642225
 		//
 		// After commit b022f0c7e404 ('tracing/kprobes: Return EADDRNOTAVAIL
@@ -141,10 +141,10 @@ func (p *TraceProbe) attach(module *bpf.Module, args ...interface{}) error {
 				goto rollback
 			}
 			if p.probeType == SyscallEnter {
-				link, err = prog.AttachKprobe(syms[0].Name)
+				link, err = prog.AttachKprobe(syms[0].Name())
 			}
 			if p.probeType == SyscallExit {
-				link, err = prog.AttachKretprobe(syms[0].Name)
+				link, err = prog.AttachKretprobe(syms[0].Name())
 			}
 			if err != nil {
 				goto rollback
@@ -155,21 +155,21 @@ func (p *TraceProbe) attach(module *bpf.Module, args ...interface{}) error {
 			symsCompat, _ := ksyms.GetSymbolByName(SyscallPrefixCompat + p.eventName)
 			if len(symsCompat) > 0 {
 				if p.probeType == SyscallEnter {
-					link, _ = prog.AttachKprobe(symsCompat[0].Name)
+					link, _ = prog.AttachKprobe(symsCompat[0].Name())
 				}
 				if p.probeType == SyscallExit {
-					link, _ = prog.AttachKretprobe(symsCompat[0].Name)
+					link, _ = prog.AttachKretprobe(symsCompat[0].Name())
 				}
 				p.bpfLink = append(p.bpfLink, link)
 			}
 			// In x86, there are 2 possible compat prefixes - we handle it here
 			symsCompat, _ = ksyms.GetSymbolByName(SyscallPrefixCompat2 + p.eventName)
 			if len(symsCompat) > 0 {
 				if p.probeType == SyscallEnter {
-					link, _ = prog.AttachKprobe(symsCompat[0].Name)
+					link, _ = prog.AttachKprobe(symsCompat[0].Name())
 				}
 				if p.probeType == SyscallExit {
-					link, _ = prog.AttachKretprobe(symsCompat[0].Name)
+					link, _ = prog.AttachKretprobe(symsCompat[0].Name())
 				}
 				p.bpfLink = append(p.bpfLink, link)
 			}
@@ -188,9 +188,9 @@ func (p *TraceProbe) attach(module *bpf.Module, args ...interface{}) error {
 		case 1: // single address, attach kprobe using symbol name
 			switch p.probeType {
 			case KProbe:
-				link, err = prog.AttachKprobe(syms[0].Name)
+				link, err = prog.AttachKprobe(syms[0].Name())
 			case KretProbe:
-				link, err = prog.AttachKretprobe(syms[0].Name)
+				link, err = prog.AttachKretprobe(syms[0].Name())
 			}
 			if err != nil {
 				goto rollback
@@ -204,7 +204,7 @@ func (p *TraceProbe) attach(module *bpf.Module, args ...interface{}) error {
 				attachFunc = prog.AttachKretprobeOnOffset
 			}
 			for _, sym := range syms {
-				link, err := attachFunc(sym.Address)
+				link, err := attachFunc(sym.Address())
 				if err != nil {
 					goto rollback
 				}

diff --git a/pkg/ebpf/processor_funcs.go b/pkg/ebpf/processor_funcs.go
@@ -233,7 +233,7 @@ func (t *Tracee) processDoInitModule(event *trace.Event) error {
 
 	err := capabilities.GetInstance().EBPF(
 		func() error {
-			err := t.kernelSymbols.Refresh()
+			err := t.kernelSymbols.Update()
 			if err != nil {
 				return errfmt.WrapError(err)
 			}
@@ -281,8 +281,8 @@ func (t *Tracee) processHookedProcFops(event *trace.Event) error {
 		if addr == 0 { // address is in text segment, marked as 0
 			continue
 		}
-		hookingFunction := utils.ParseSymbol(addr, t.kernelSymbols)
-		if hookingFunction.Owner == "system" {
+		hookingFunction := t.kernelSymbols.GetPotentiallyHiddenSymbolByAddr(addr)[0]
+		if hookingFunction.Owner() == "system" {
 			continue
 		}
 		functionName := "unknown"
@@ -292,7 +292,7 @@ func (t *Tracee) processHookedProcFops(event *trace.Event) error {
 		case Iterate:
 			functionName = "iterate"
 		}
-		hookedFops = append(hookedFops, trace.HookedSymbolData{SymbolName: functionName, ModuleOwner: hookingFunction.Owner})
+		hookedFops = append(hookedFops, trace.HookedSymbolData{SymbolName: functionName, ModuleOwner: hookingFunction.Owner()})
 	}
 	err = events.SetArgValue(event, hookedFopsPointersArgName, hookedFops)
 	if err != nil {
@@ -326,7 +326,7 @@ func (t *Tracee) processPrintMemDump(event *trace.Event) error {
 	}
 
 	addressUint64 := uint64(address)
-	symbol := utils.ParseSymbol(addressUint64, t.kernelSymbols)
+	symbol := t.kernelSymbols.GetPotentiallyHiddenSymbolByAddr(addressUint64)[0]
 	var utsName unix.Utsname
 	arch := ""
 	if err := unix.Uname(&utsName); err != nil {
@@ -337,11 +337,11 @@ func (t *Tracee) processPrintMemDump(event *trace.Event) error {
 	if err != nil {
 		return err
 	}
-	err = events.SetArgValue(event, "symbol_name", symbol.Name)
+	err = events.SetArgValue(event, "symbol_name", symbol.Name())
 	if err != nil {
 		return err
 	}
-	err = events.SetArgValue(event, "symbol_owner", symbol.Owner)
+	err = events.SetArgValue(event, "symbol_owner", symbol.Owner())
 	if err != nil {
 		return err
 	}

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -362,12 +362,16 @@ func (t *Tracee) Init(ctx gocontext.Context) error {
 
 	err = capabilities.GetInstance().Specific(
 		func() error {
-			t.kernelSymbols, err = environment.NewKernelSymbolTable(
-				environment.WithRequiredSymbols(t.requiredKsyms),
-			)
+			t.kernelSymbols = environment.NewKernelSymbolTable(true, true)
+			// t.requiredKsyms may contain non-data symbols, but it doesn't affect the validity of this call
+			t.kernelSymbols.AddRequiredDataSymbols(t.requiredKsyms)
+			err := t.kernelSymbols.Update()
+			if err != nil {
+				return err
+			}
 			// Cleanup memory in list
 			t.requiredKsyms = []string{}
-			return err
+			return nil
 		},
 		cap.SYSLOG,
 	)
@@ -920,7 +924,7 @@ func getUnavailbaleKsymbols(ksymbols []events.KSymbol, kernelSymbols *environmen
 			continue
 		}
 		for _, s := range sym {
-			if s.Address == 0 {
+			if s.Address() == 0 {
 				// Same if the symbol is found but its address is 0.
 				unavailableSymbols = append(unavailableSymbols, ksymbol)
 			}
@@ -1726,7 +1730,7 @@ func (t *Tracee) triggerSeqOpsIntegrityCheck(event trace.Event) {
 		if err != nil {
 			continue
 		}
-		seqOpsPointers[i] = seqOpsStruct[0].Address
+		seqOpsPointers[i] = seqOpsStruct[0].Address()
 	}
 	eventHandle := t.triggerContexts.Store(event)
 	_ = t.triggerSeqOpsIntegrityCheckCall(
@@ -1852,7 +1856,7 @@ func (t *Tracee) triggerMemDump(event trace.Event) []error {
 					}
 				}
 				eventHandle := t.triggerContexts.Store(event)
-				_ = t.triggerMemDumpCall(symbol[0].Address, length, uint64(eventHandle))
+				_ = t.triggerMemDumpCall(symbol[0].Address(), length, uint64(eventHandle))
 			}
 		}
 	}

diff --git a/pkg/events/derive/hooked_seq_ops.go b/pkg/events/derive/hooked_seq_ops.go
@@ -4,7 +4,6 @@ import (
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/events/parse"
-	"github.com/aquasecurity/tracee/pkg/utils"
 	"github.com/aquasecurity/tracee/pkg/utils/environment"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -43,11 +42,11 @@ func deriveHookedSeqOpsArgs(kernelSymbols *environment.KernelSymbolTable) derive
 			if addr == 0 {
 				continue
 			}
-			hookingFunction := utils.ParseSymbol(addr, kernelSymbols)
+			hookingFunction := kernelSymbols.GetPotentiallyHiddenSymbolByAddr(addr)[0]
 			seqOpsStruct := NetSeqOps[i/4]
 			seqOpsFunc := NetSeqOpsFuncs[i%4]
 			hookedSeqOps[seqOpsStruct+"_"+seqOpsFunc] =
-				trace.HookedSymbolData{SymbolName: hookingFunction.Name, ModuleOwner: hookingFunction.Owner}
+				trace.HookedSymbolData{SymbolName: hookingFunction.Name(), ModuleOwner: hookingFunction.Owner()}
 		}
 		return []interface{}{hookedSeqOps}, nil
 	}

diff --git a/pkg/events/derive/hooked_syscall.go b/pkg/events/derive/hooked_syscall.go
@@ -54,8 +54,8 @@ func deriveDetectHookedSyscallArgs(kernelSymbols *environment.KernelSymbolTable)
 		hookedOwner := ""
 		hookedFuncSymbol, err := kernelSymbols.GetSymbolByAddr(address)
 		if err == nil {
-			hookedFuncName = hookedFuncSymbol[0].Name
-			hookedOwner = hookedFuncSymbol[0].Owner
+			hookedFuncName = hookedFuncSymbol[0].Name()
+			hookedOwner = hookedFuncSymbol[0].Owner()
 		}
 
 		syscallName := convertToSyscallName(syscallId)