This means that unless the probes it depends on are loaded by another event, it won't be triggered.
It depends on the security_file_mprotect kprobe, so it should be added.
Moreover, the security_file_mprotect is using the should_trace function, which means that only if a policy chose the scope it will capture it. This does not match our current capture logic, which should only use its own filters.
SEC("kprobe/security_file_mprotect")
int BPF_KPROBE(trace_security_file_mprotect)
{
    bin_args_t bin_args = {};
    program_data_t p = {};
    if (!init_program_data(&p, ctx))
        return 0;
    if (!should_trace(&p))
        return 0;
Output of tracee version:
f3fa64f0d3bd8c8203dd8199c182375f78d295ec
Output of uname -a:
(paste your output here)
Additional details
Moreover, the security_file_mprotect is using the should_trace function, which means that only if a policy chose the scope it will capture it. This does not match our current capture logic, which should only use its own filters.
There are plans to bring capture into policies entirely, isn't that right @yanivagman?
Moreover, the security_file_mprotect is using the should_trace function, which means that only if a policy chose the scope it will capture it. This does not match our current capture logic, which should only use its own filters.
There are plans to bring capture into policies entirely, isn't that right @yanivagman?
Yes. We will need to fully revisit the capture code when we do that.
Description
Went over the captures code, and noticed that the capture_mem event has no dependencies other than send_bin. This means that unless the probes it depends on are loaded by another event, it won't be triggered.
It depends on the security_file_mprotect kprobe, so it should be added.
Moreover, the security_file_mprotect is using the should_trace function, which means that only if a policy chose the scope it will capture it. This does not match our current capture logic, which should only use its own filters.
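The dependency gap described in the issue, as an added example that is not tracee's own code: a minimal Go model of event-to-probe dependency resolution showing why capture_mem never fires unless something else attaches security_file_mprotect. The `Event` type, `probesFor`, `reported`, the `other_event` entry and the `send_bin` probe name are assumptions made for illustration.

```go
package main

import "fmt"

// Event is a hypothetical model (not tracee's real type): the probes an
// event needs attached, plus the other events it depends on.
type Event struct {
	Probes []string
	Events []string
}

// probesFor returns the set of probes attached when only the selected
// events are enabled, following event dependencies transitively.
func probesFor(defs map[string]Event, selected ...string) map[string]bool {
	seen, probes := map[string]bool{}, map[string]bool{}
	var visit func(string)
	visit = func(name string) {
		if seen[name] {
			return
		}
		seen[name] = true
		for _, p := range defs[name].Probes {
			probes[p] = true
		}
		for _, dep := range defs[name].Events {
			visit(dep)
		}
	}
	for _, name := range selected {
		visit(name)
	}
	return probes
}

// reported builds constructed definitions mirroring the issue: capture_mem
// declares only send_bin; other_event is a stand-in that needs the kprobe.
func reported() map[string]Event {
	return map[string]Event{
		"send_bin":    {Probes: []string{"send_bin"}},
		"capture_mem": {Events: []string{"send_bin"}},
		"other_event": {Probes: []string{"security_file_mprotect"}},
	}
}

func main() {
	defs, probe := reported(), "security_file_mprotect"
	fmt.Println(probesFor(defs, "capture_mem")[probe])                // kprobe not attached
	fmt.Println(probesFor(defs, "capture_mem", "other_event")[probe]) // attached only via other_event
	defs["capture_mem"] = Event{Probes: []string{probe}, Events: []string{"send_bin"}}
	fmt.Println(probesFor(defs, "capture_mem")[probe]) // attached once the dependency is declared
}
```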