feat(ksymbols): reimplement ksymbols

This implementation stores all symbols, or if a `requiredDataSymbolsOnly`
flag is used when creating the symbol table, only non-data symbols are saved
(and required data symbols must be registered before updating).
This new implementation uses a generic symbol table implementation that is
responsible for managing symbol lookups, and can be used by future code for
managing exeutable file symbols.

pkg/ebpf/probes/trace.go

@@ -111,7 +111,7 @@ func (p *TraceProbe) attach(module *bpf.Module, args ...interface{}) error {
 		var err error
 		var link *bpf.BPFLink
 		var attachFunc func(uint64) (*bpf.BPFLink, error)
-		var syms []environment.KernelSymbol
+		var syms []*environment.KernelSymbol
 		// https://github.com/aquasecurity/tracee/issues/3653#issuecomment-1832642225
 		//
 		// After commit b022f0c7e404 ('tracing/kprobes: Return EADDRNOTAVAIL

pkg/ebpf/processor_funcs.go

@@ -233,7 +233,7 @@ func (t *Tracee) processDoInitModule(event *trace.Event) error {
 
 	err := capabilities.GetInstance().EBPF(
 		func() error {
-			err := t.kernelSymbols.Refresh()
+			err := t.kernelSymbols.Update()
 			if err != nil {
 				return errfmt.WrapError(err)
 			}
@@ -281,7 +281,7 @@ func (t *Tracee) processHookedProcFops(event *trace.Event) error {
 		if addr == 0 { // address is in text segment, marked as 0
 			continue
 		}
-		hookingFunction := utils.ParseSymbol(addr, t.kernelSymbols)
+		hookingFunction := t.kernelSymbols.GetPotentiallyHiddenSymbolByAddr(addr)[0]
 		if hookingFunction.Owner == "system" {
 			continue
 		}
@@ -326,7 +326,7 @@ func (t *Tracee) processPrintMemDump(event *trace.Event) error {
 	}
 
 	addressUint64 := uint64(address)
-	symbol := utils.ParseSymbol(addressUint64, t.kernelSymbols)
+	symbol := t.kernelSymbols.GetPotentiallyHiddenSymbolByAddr(addressUint64)[0]
 	var utsName unix.Utsname
 	arch := ""
 	if err := unix.Uname(&utsName); err != nil {

pkg/ebpf/tracee.go

@@ -362,12 +362,16 @@ func (t *Tracee) Init(ctx gocontext.Context) error {
 
 	err = capabilities.GetInstance().Specific(
 		func() error {
-			t.kernelSymbols, err = environment.NewKernelSymbolTable(
-				environment.WithRequiredSymbols(t.requiredKsyms),
-			)
+			t.kernelSymbols = environment.NewKernelSymbolTable(true, true)
+			// t.requiredKsyms may contain non-data symbols, but it doesn't affect the validity of this call
+			t.kernelSymbols.AddRequiredDataSymbols(t.requiredKsyms)
+			err := t.kernelSymbols.Update()
+			if err != nil {
+				return err
+			}
 			// Cleanup memory in list
 			t.requiredKsyms = []string{}
-			return err
+			return nil
 		},
 		cap.SYSLOG,
 	)
@@ -913,18 +917,12 @@ func getUnavailbaleKsymbols(ksymbols []events.KSymbol, kernelSymbols *environmen
 	var unavailableSymbols []events.KSymbol
 
 	for _, ksymbol := range ksymbols {
-		sym, err := kernelSymbols.GetSymbolByName(ksymbol.GetSymbolName())
+		_, err := kernelSymbols.GetSymbolByName(ksymbol.GetSymbolName())
 		if err != nil {
 			// If the symbol is not found, it means it's unavailable.
 			unavailableSymbols = append(unavailableSymbols, ksymbol)
 			continue
 		}
-		for _, s := range sym {
-			if s.Address == 0 {
-				// Same if the symbol is found but its address is 0.
-				unavailableSymbols = append(unavailableSymbols, ksymbol)
-			}
-		}
 	}
 	return unavailableSymbols
 }

pkg/events/derive/hooked_seq_ops.go

@@ -4,7 +4,6 @@ import (
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/events/parse"
-	"github.com/aquasecurity/tracee/pkg/utils"
 	"github.com/aquasecurity/tracee/pkg/utils/environment"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -43,7 +42,7 @@ func deriveHookedSeqOpsArgs(kernelSymbols *environment.KernelSymbolTable) derive
 			if addr == 0 {
 				continue
 			}
-			hookingFunction := utils.ParseSymbol(addr, kernelSymbols)
+			hookingFunction := kernelSymbols.GetPotentiallyHiddenSymbolByAddr(addr)[0]
 			seqOpsStruct := NetSeqOps[i/4]
 			seqOpsFunc := NetSeqOpsFuncs[i%4]
 			hookedSeqOps[seqOpsStruct+"_"+seqOpsFunc] =