
bpf: Improve publisher reliability by alessandrogario · Pull Request #7302 · osq...

 2 years ago
source link: https://github.com/osquery/osquery/pull/7302


alessandrogario commented on Sep 7, 2021

When capturing syscall events that emit strings (i.e.: chdir()) or buffers (i.e.: connect()), there's a chance the memory we need to access has not been mapped yet (page fault), causing events to lack some of the syscall parameters we need for tracking system state.

This PR improves the BPF publisher reliability by capturing strings on syscall exit (as opposed to using the on enter program), increasing chances that the buffers we need are accessible when our probes run.

Tried the packages from this PR and saw the following:

I0908 16:45:09.437614 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall fork (20)
I0908 16:45:09.442298 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall vfork (28)
I0908 16:45:09.447696 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall clone (36)
I0908 16:45:09.451020 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall close (44)
I0908 16:45:09.454308 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall dup (50)
I0908 16:45:09.457621 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall dup2 (56)
I0908 16:45:09.460983 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall dup3 (62)
I0908 16:45:09.471495 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall creat (71)
I0908 16:45:09.475664 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall mknod (77)
I0908 16:45:09.479838 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall mknodat (83)
I0908 16:45:09.490257 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall open (91)
I0908 16:45:09.494812 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall openat (97)
I0908 16:45:09.494910 25867 bpfeventpublisher.cpp:243] Failed to load the BPF probe for syscall openat2: Failed to open the tracepoint descriptor file: /sys/kernel/debug/tracing/events/syscalls/sys_enter_openat2/id. This syscall may not be available on this system, continuing despite the error
I0908 16:45:09.504556 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall socket (105)
I0908 16:45:09.507974 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall fcntl (111)
I0908 16:45:09.512300 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall connect (117)
I0908 16:45:09.516983 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall accept (123)
I0908 16:45:09.521683 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall accept4 (129)
I0908 16:45:09.525904 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall bind (135)
I0908 16:45:09.529222 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall listen (141)
I0908 16:45:09.539371 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall chdir (149)
I0908 16:45:09.542677 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall fchdir (155)
I0908 16:45:09.547883 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall name_to_handle_at (161)
I0908 16:45:09.551900 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall open_by_handle_at (167)
I0908 16:45:09.674875 25867 bpfeventpublisher.cpp:243] Failed to load the BPF probe for syscall execve: The 'enter' program could not be loaded: The program could not be loaded: 0: (bf) r8 = r1

There was also a fair amount of what looks like eBPF code in the logs:

I0908 16:45:09.674875 25867 bpfeventpublisher.cpp:243] Failed to load the BPF probe for syscall execve: The 'enter' program could not be loaded: The program could not be loaded: 0: (bf) r8 = r1
1: (85) call bpf_get_current_pid_tgid#14
2: (77) r0 >>= 32
3: (55) if r0 != 0x650b goto pc+2
 R0_w=inv25867 R8_w=ctx(id=0,off=0,imm=0) R10=fp0
4: (b7) r0 = 0
5: (95) exit

from 3 to 6: R0_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=ctx(id=0,off=0,imm=0) R10=fp0
6: (b7) r7 = 0
7: (63) *(u32 *)(r10 -172) = r7
last_idx 7 first_idx 0
regs=80 stack=0 before 6: (b7) r7 = 0
8: (18) r1 = 0xffff901d8f2eae00
10: (bf) r2 = r10
11: (07) r2 += -172
12: (85) call bpf_map_lookup_elem#1
13: (bf) r6 = r0
14: (55) if r6 != 0x0 goto pc+2
 R0=inv0 R6_w=inv0 R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
15: (b7) r0 = 0
16: (95) exit

from 14 to 17: R0=map_value(id=0,off=0,ks=4,vs=92,imm=0) R6_w=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
17: (b7) r1 = 175
18: (7b) *(u64 *)(r6 +4) = r1
 R0=map_value(id=0,off=0,ks=4,vs=92,imm=0) R1_w=inv175 R6_w=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
19: (b7) r1 = 92
20: (63) *(u32 *)(r6 +0) = r1
 R0=map_value(id=0,off=0,ks=4,vs=92,imm=0) R1_w=inv92 R6_w=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
21: (85) call bpf_ktime_get_ns#5
22: (7b) *(u64 *)(r6 +12) = r0
 R0=inv(id=0) R6=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
23: (85) call bpf_get_current_pid_tgid#14
24: (7b) *(u64 *)(r6 +20) = r0
 R0_w=inv(id=0) R6=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
25: (85) call bpf_get_current_uid_gid#15
26: (7b) *(u64 *)(r6 +28) = r0
 R0_w=inv(id=0) R6=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
27: (85) call bpf_get_current_cgroup_id#80
28: (7b) *(u64 *)(r6 +36) = r0
 R0_w=inv(id=0) R6=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
29: (7b) *(u64 *)(r6 +60) = r7
 R0_w=inv(id=0) R6=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
30: (7b) *(u64 *)(r6 +52) = r7
 R0_w=inv(id=0) R6=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
31: (7b) *(u64 *)(r6 +44) = r7
 R0_w=inv(id=0) R6=map_value(id=0,off=0,ks=4,vs=92,imm=0) R7=invP0 R8=ctx(id=0,off=0,imm=0) R10=fp0 fp-176=mmmm????
32: (63) *(u32 *)(r10 -172) = r7
33: (18) r1 = 0xffff901d8f2eac00
35: (bf) r2 = r10
36: (07) r2 += -172
37: (85) call bpf_map_lookup_elem#1

Further, the events table isn't populating:

osquery> select * from bpf_socket_events;
osquery>

System info:

[STD-DEV]19:53:43 zmackie@si-i-0fe66e9061a89d90d ~ $ uname -srm
Linux 5.4.0-1054-aws x86_64
[STD-DEV]19:53:45 zmackie@si-i-0fe66e9061a89d90d ~ $ cat /etc/issue
Ubuntu 18.04.5 LTS \n \l
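A deployer reading a log like the one above wants to know which probes actually loaded, which syscalls are merely absent on the kernel (osquery logs that as benign), and which programs were rejected at load time, since a rejected execve probe means process events are lost even though osqueryd keeps running. The following parser is an added example written for this thread, not code from osquery or the PR; the log lines are trimmed copies of those quoted above, and the expected-syscall list is a constructed assumption.

```python
import re
from dataclasses import dataclass, field

# glog prefix ("I0908 16:45:09.494910 25867 bpfeventpublisher.cpp:243] ...") followed by the message
LINE_RE = re.compile(r"^[IWEF]\d{4} [\d:.]+ +\d+ bpfeventpublisher\.cpp:\d+\] (?P<msg>.*)$")
OK_RE = re.compile(r"^Initialized BPF probe for syscall (?P<name>\w+)")
FAIL_RE = re.compile(r"^Failed to load the BPF probe for syscall (?P<name>\w+): (?P<reason>.*)$")

@dataclass
class ProbeReport:
    loaded: list = field(default_factory=list)
    absent: dict = field(default_factory=dict)    # syscall -> reason: no tracepoint on this kernel (benign)
    rejected: dict = field(default_factory=dict)  # syscall -> reason: program failed to load (lost coverage)

def parse_probe_log(lines):
    """Classify every bpfeventpublisher line; other lines (e.g. the verifier dump) are skipped."""
    report = ProbeReport()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        ok = OK_RE.match(msg)
        if ok:
            report.loaded.append(ok.group("name"))
            continue
        fail = FAIL_RE.match(msg)
        if not fail:
            continue
        name, reason = fail.group("name"), fail.group("reason")
        # osquery itself treats a missing tracepoint descriptor as "syscall not available, continuing"
        if "Failed to open the tracepoint descriptor file" in reason:
            report.absent[name] = reason
        else:
            report.rejected[name] = reason
    return report

def missing_probes(report, expected):
    """Expected syscalls with no log line at all: the publisher never got that far."""
    seen = set(report.loaded) | set(report.absent) | set(report.rejected)
    return [s for s in expected if s not in seen]

# Constructed sample, trimmed from the thread: two loads, one absent syscall, one rejected program.
SAMPLE_LOG = """\
I0908 16:45:09.494812 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall openat (97)
I0908 16:45:09.494910 25867 bpfeventpublisher.cpp:243] Failed to load the BPF probe for syscall openat2: Failed to open the tracepoint descriptor file: /sys/kernel/debug/tracing/events/syscalls/sys_enter_openat2/id. This syscall may not be available on this system, continuing despite the error
I0908 16:45:09.512300 25867 bpfeventpublisher.cpp:256] Initialized BPF probe for syscall connect (117)
I0908 16:45:09.674875 25867 bpfeventpublisher.cpp:243] Failed to load the BPF probe for syscall execve: The 'enter' program could not be loaded: The program could not be loaded: 0: (bf) r8 = r1
1: (85) call bpf_get_current_pid_tgid#14
""".splitlines()

# Assumed set of syscalls we require coverage for; "bind" is deliberately not in the trimmed sample.
EXPECTED = ["openat", "openat2", "connect", "bind", "execve"]

if __name__ == "__main__":
    rep = parse_probe_log(SAMPLE_LOG)
    print("loaded:", rep.loaded, "absent:", list(rep.absent), "rejected:", list(rep.rejected))
    print("never attempted:", missing_probes(rep, EXPECTED))
```

Run it against the full osqueryd log rather than the sample; any entry in `rejected` explains empty bpf_*_events tables far more often than a lack of activity does.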
