-
Notifications
You must be signed in to change notification settings - Fork 431
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kernel symbols are updated without required capabilities #4325
Comments
I was able to reproduce it:
@oshaked1 are you working on solving this? LMK. |
I could solve it by acquiring the capability in the |
I think we opted to not acquire caps in inner functions since they can be called from other outers acquires, is that correct @NDStrahilevitz? |
I'm sorry @geyslan, I'm not sure I got what you mean. Could you rephrase? Anyway, AFAIK events that require continuous use of ksyms declare the CAP_SYSLOG in their dependency such that it is included in the base ring. So before adding the capability inside the struct (which I would rather not do so that it is not coupled to the capabilities mechanism) we should:
|
@oshaked1 as for the usecase you've described, searching the symbol of a kprobe attachment), I find it likely that we can add a capability ring increase around that code as it has a clearly defined scope. |
Acquiring caps in between caps calls. But I believe you already answered with:
|
Yes it should be straightforward to do so. We should also add a disclaimer in the docstrings of the lookup functions because the capability requirement is unintuitive considering the symbol table was created prior to performing lookups. |
@oshaked1 Assigned you as your PR closes this. |
Description
The kernel symbol table utility relies on
CAP_SYSLOG
in order to be able to read from/proc/kallsyms
and get actual addresses (otherwise addresses are zeroed-out).When
NewKernelSymbolTable
is called when initializing tracee, the correct capability is held. But later calls to helpers likeGetSymbolByName
do not acquireCAP_SYSLOG
, even though the helper may end up reading/proc/kallsyms
again.This causes lookups for symbols that were not initially added to
t.requiredKsyms
to produce unusable results (and no error is generated). An example for such a lookup occurs when fetching the address for attaching a kprobe belonging to an event that is needed as a dependency (and not selected directly).The simplest way to reproduce this error is by deleting
dist/signatures/builtin.so
(because some signatures select events that listCAP_SYSLOG
as a dependency), and running tracee without any arguments:As can be seen, this program which is an (unrequired) dependency of
sched_process_exec
, is being loaded to address 0 and fails.The text was updated successfully, but these errors were encountered: