
tracee: non CO-RE execution in v4.19 kernels has libbpf errors/warnings

Open rafaeldtinoco opened this issue 3 years ago • 2 comments

Here is the output of a simple non CO-RE test:

$ ~/test-tracee.sh
 _   _  ___  _   _    ____ ___        ____  _____
| \ | |/ _ \| \ | |  / ___/ _ \      |  _ \| ____|
|  \| | | | |  \| | | |  | | | |_____| |_) |  _|
| |\  | |_| | |\  | | |__| |_| |_____|  _ <| |___
|_| \_|\___/|_| \_|  \____\___/      |_| \_\_____|

OSInfo: Security Lockdown is ''
OSInfo: ID: debian
OSInfo: KERNEL_RELEASE: 4.19.219
OSInfo: ARCH: x86_64
OSInfo: PRETTY_NAME: "Debian GNU/Linux bookworm/sid"
BTF: bpfenv = true, btfenv = false, vmlinux = false
BPF: using BPF object from environment: /tmp/tracee/tracee.bpf.4_19_219.v0_7_0-rc1-21-g9f3dd903.o
libbpf: Error in bpf_create_map_xattr(sys_enter_tails):ERROR: strerror_r(-524)=22(-524). Retrying without BTF.
libbpf: Error in bpf_create_map_xattr(sys_exit_tails):ERROR: strerror_r(-524)=22(-524). Retrying without BTF.
libbpf: Error in bpf_create_map_xattr(prog_array_tp):ERROR: strerror_r(-524)=22(-524). Retrying without BTF.
libbpf: Error in bpf_create_map_xattr(prog_array):ERROR: strerror_r(-524)=22(-524). Retrying without BTF.
Loaded 14 signature(s): [TRC-1 TRC-13 TRC-2 TRC-14 TRC-3 TRC-11 TRC-9 TRC-4 TRC-5 TRC-12 TRC-8 TRC-6 TRC-10 TRC-7]
libbpf: Error in bpf_create_map_xattr(sys_enter_tails):ERROR: strerror_r(-524)=22(-524). Retrying without BTF.
libbpf: Error in bpf_create_map_xattr(sys_exit_tails):ERROR: strerror_r(-524)=22(-524). Retrying without BTF.
libbpf: Error in bpf_create_map_xattr(prog_array_tp):ERROR: strerror_r(-524)=22(-524). Retrying without BTF.
libbpf: Error in bpf_create_map_xattr(prog_array):ERROR: strerror_r(-524)=22(-524). Retrying without BTF.

*** Detection ***
Time: 2022-03-28T11:40:35Z
Signature ID: TRC-2
Signature: Anti-Debugging
Data: map[]
Command: strace
Hostname: debian-419

rafaeldtinoco, Mar 28 '22 11:03

Might be related to the btf-defined maps we recently started using @grantseltzer

yanivagman, Mar 28 '22 11:03

We currently have issues with eBPF and v4.19 non CO-RE (https://github.com/aquasecurity/tracee/issues/1602) and CO-RE (https://github.com/aquasecurity/tracee/issues/1670).

rafaeldtinoco, Apr 18 '22 12:04