diff --git a/pkg/ebpf/c/common/buffer.h b/pkg/ebpf/c/common/buffer.h
index 742a277082e5..49ace64fed4f 100644
--- a/pkg/ebpf/c/common/buffer.h
+++ b/pkg/ebpf/c/common/buffer.h
@@ -467,14 +467,6 @@ statfunc int events_perf_submit(program_data_t *p, long ret)
     // keep task_info updated
     bpf_probe_read_kernel(&p->task_info->context, sizeof(task_context_t), &p->event->context.task);
-    // Get Stack trace
-    if (p->config->options & OPT_CAPTURE_STACK_TRACES) {
-        int stack_id = bpf_get_stackid(p->ctx, &stack_addresses, BPF_F_USER_STACK);
-        if (stack_id >= 0) {
-            p->event->context.stack_id = stack_id;
-        }
-    }
-
     u32 size = sizeof(event_context_t) + sizeof(u8) + p->event->args_buf.offset; // context + argnum + arg buffer size
diff --git a/pkg/ebpf/c/maps.h b/pkg/ebpf/c/maps.h
index fe415e403484..e515cf81ed50 100644
--- a/pkg/ebpf/c/maps.h
+++ b/pkg/ebpf/c/maps.h
@@ -265,18 +265,6 @@ struct sys_exit_init_tail {
 typedef struct sys_exit_init_tail sys_exit_init_tail_t;
-// store stack traces
-#define MAX_STACK_ADDRESSES 1024 // max amount of diff stack trace addrs to buffer
-
-struct stack_addresses {
-    __uint(type, BPF_MAP_TYPE_STACK_TRACE);
-    __uint(max_entries, MAX_STACK_ADDRESSES);
-    __type(key, u32);
-    __type(value, stack_trace_t); // 1 big byte array of the stack addresses
-} stack_addresses SEC(".maps");
-
-typedef struct stack_addresses stack_addresses_t;
-
 // store fds paths by timestamp
 struct fd_arg_path_map {
     __uint(type, BPF_MAP_TYPE_LRU_HASH);
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
index edfb72416627..909ad9e3c532 100644
--- a/pkg/ebpf/events_pipeline.go
+++ b/pkg/ebpf/events_pipeline.go
@@ -3,14 +3,10 @@ package ebpf
 import (
 	"bytes"
 	"context"
-	"encoding/binary"
 	"slices"
-	"strconv"
 	"sync"
-	"unsafe"
 	"github.com/aquasecurity/tracee/pkg/bufferdecoder"
-	"github.com/aquasecurity/tracee/pkg/capabilities"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/logger"
@@ -191,12 +187,6 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 				continue
 			}
-			// Add stack trace if needed
-			var stackAddresses []uint64
-			if t.config.Output.StackAddresses {
-				stackAddresses = t.getStackAddresses(eCtx.StackID)
-			}
-
 			containerInfo := t.containers.GetCgroupInfo(eCtx.CgroupID).Container
 			containerData := trace.Container{
 				ID: containerInfo.ContainerId,
@@ -262,7 +252,7 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 			evt.ArgsNum = int(argnum)
 			evt.ReturnValue = int(eCtx.Retval)
 			evt.Args = args
-			evt.StackAddresses = stackAddresses
+			evt.StackAddresses = nil
 			evt.ContextFlags = flags
 			evt.Syscall = syscall
 			evt.Metadata = nil
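Review bot: In the `@@ -262` hunk `evt.StackAddresses = nil` makes the field unconditionally empty, yet nothing in this diff removes or rejects the `t.config.Output.StackAddresses` option that the deleted lines read (its declaration is outside the diff, so it may still be accepted from the CLI/config); an operator who enables it then gets events silently missing the data, which a detection pipeline would not notice as an error. Consider failing or at least warning at config validation, e.g. `if cfg.Output.StackAddresses { return errfmt.Errorf("stack address capture is not supported") }`, and since nil is already the zero value of a freshly built `evt`, the assignment could become a comment such as `// stack trace capture was removed; StackAddresses stays nil for output compatibility`. The removed `eCtx.StackID` read also suggests the decoded context struct still carries a stack-id slot that the BPF side no longer populates after the buffer.h change; worth confirming the C `event_context_t` and Go decoder layouts are still in sync. decodeEvents starts and ends outside this hunk.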
@@ -641,50 +631,6 @@ func (t *Tracee) sinkEvents(ctx context.Context, in <-chan *trace.Event) <-chan
 	return errc
 }
-// getStackAddresses returns the stack addresses for a given StackID
-func (t *Tracee) getStackAddresses(stackID uint32) []uint64 {
-	stackAddresses := make([]uint64, maxStackDepth)
-	stackFrameSize := (strconv.IntSize / 8)
-
-	// Lookup the StackID in the map
-	// The ID could have aged out of the Map, as it only holds a finite number of
-	// Stack IDs in it's Map
-	var stackBytes []byte
-	err := capabilities.GetInstance().EBPF(func() error {
-		bytes, e := t.StackAddressesMap.GetValue(unsafe.Pointer(&stackID))
-		if e != nil {
-			stackBytes = bytes
-		}
-		return e
-	})
-	if err != nil {
-		logger.Debugw("failed to get StackAddress", "error", err)
-		return stackAddresses[0:0]
-	}
-
-	stackCounter := 0
-	for i := 0; i < len(stackBytes); i += stackFrameSize {
-		stackAddresses[stackCounter] = 0
-		stackAddr := binary.LittleEndian.Uint64(stackBytes[i : i+stackFrameSize])
-		if stackAddr == 0 {
-			break
-		}
-		stackAddresses[stackCounter] = stackAddr
-		stackCounter++
-	}
-
-	// Attempt to remove the ID from the map so we don't fill it up
-	// But if this fails continue on
-	err = capabilities.GetInstance().EBPF(func() error {
-		return t.StackAddressesMap.DeleteKey(unsafe.Pointer(&stackID))
-	})
-	if err != nil {
-		logger.Debugw("failed to delete stack address from eBPF map", "error", err)
-	}
-
-	return stackAddresses[0:stackCounter]
-}
-
 // WaitForPipeline waits for results from all error channels.
 func (t *Tracee) WaitForPipeline(errs ...<-chan error) error {
 	errc := MergeErrors(errs...)
diff --git a/pkg/ebpf/processor_funcs.go b/pkg/ebpf/processor_funcs.go
index 32cd03db0772..c307c478b948 100644
--- a/pkg/ebpf/processor_funcs.go
+++ b/pkg/ebpf/processor_funcs.go
@@ -463,7 +463,7 @@ func (t *Tracee) removeContext(event *trace.Event) error {
 	event.Container = trace.Container{}
 	event.Kubernetes = trace.Kubernetes{}
 	event.Syscall = ""
-	event.StackAddresses = []uint64{}
+	event.StackAddresses = nil
 	event.ContextFlags = trace.ContextFlags{}
 	event.ThreadEntityId = 0
 	event.ProcessEntityId = 0
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
index 0945566e034e..c9f0a1ae52d0 100644
--- a/pkg/ebpf/tracee.go
+++ b/pkg/ebpf/tracee.go
@@ -84,8 +84,7 @@ type Tracee struct {
 	bpfModule *bpf.Module
 	probes *probes.ProbeGroup
 	// BPF Maps
-	StackAddressesMap *bpf.BPFMap
-	FDArgPathMap *bpf.BPFMap
+	FDArgPathMap *bpf.BPFMap
 	// Perf Buffers
 	eventsPerfMap *bpf.PerfBuffer // perf buffer for events
 	fileWrPerfMap *bpf.PerfBuffer // perf buffer for file writes
@@ -483,15 +482,6 @@ func (t *Tracee) Init(ctx gocontext.Context) error {
 		return errfmt.Errorf("error initializing network capture: %v", err)
 	}
-	// Get reference to stack trace addresses map
-
-	stackAddressesMap, err := t.bpfModule.GetMap("stack_addresses")
-	if err != nil {
-		t.Close()
-		return errfmt.Errorf("error getting access to 'stack_addresses' eBPF Map %v", err)
-	}
-	t.StackAddressesMap = stackAddressesMap
-
 	// Get reference to fd arg path map
 	fdArgPathMap, err := t.bpfModule.GetMap("fd_arg_path_map")
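Review bot: In the removeContext hunk, switching `event.StackAddresses` from `[]uint64{}` to `nil` changes what JSON consumers receive — an empty slice encodes as `[]` while nil encodes as `null` unless the `trace.Event` field is tagged `omitempty`, and that tag is not visible in this diff. Parsers downstream that expect an array (SIEM ingestion, the tracee policy/signature path) could reject `null`, so either confirm the tag or keep `[]uint64{}` here if the field is meant to always be present. A comment would also help the next reader, e.g. `// stack trace capture was removed; keep the field empty for output compatibility`. removeContext's body continues past this hunk; the two tracee.go hunks that follow are plain removals of the map field and its Init-time lookup.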