fix #61: issue with kretprobe not surviving to suspend/resume cycle
Signed-off-by: qjerome <qjerome@rawsec.lu>
qjerome committed May 23, 2024
1 parent cc1665e commit f8dec76
Showing 8 changed files with 311 additions and 83 deletions.
2 changes: 2 additions & 0 deletions kunai-common/src/bpf_events.rs
Expand Up @@ -123,6 +123,8 @@ pub enum Type {
CacheHash,
#[str("error")]
Error,
#[str("syscore_resume")]
SyscoreResume,

// !!! all new event types must be put before max
#[str("max")]
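Review bot: The variant name `SyscoreResume` disagrees in casing with the types introduced for it — `SysCoreResumeEvent` and `SysCoreResumeData` in kunai-common/src/bpf_events/events/syscore_resume.rs, and the `SysCoreResumeEvent::size_of()` arm in events.rs — so a reader grepping for one spelling misses the other. Since the `#[str("syscore_resume")]` tag and the kernel symbol are both `syscore_resume`, the single-word form is the natural one: rename the types to `SyscoreResumeEvent`/`SyscoreResumeData`, or the variant to `SysCoreResume`, but not a mix. The variant also has no doc comment, and the rationale for the event currently lives only in the eBPF probe file; `/// Emitted when the kernel runs syscore_resume; used as a trigger to reload programs after a suspend/resume cycle.` would make the intent visible where the type is defined.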
3 changes: 3 additions & 0 deletions kunai-common/src/bpf_events/events.rs
Expand Up @@ -32,6 +32,8 @@ mod prctl;
pub use prctl::*;
pub mod error;
pub use error::{ErrorData, ErrorEvent};
pub mod syscore_resume;
pub use syscore_resume::*;

// prevent using correlation event in bpf code
not_bpf_target_code! {
Expand Down Expand Up @@ -76,6 +78,7 @@ const fn max_bpf_event_size() -> usize {
Type::FileUnlink => UnlinkEvent::size_of(),
Type::Unknown | Type::EndEvents | Type::Correlation | Type::CacheHash | Type::Max => 0,
Type::Error => ErrorEvent::size_of(),
Type::SyscoreResume => SysCoreResumeEvent::size_of(),
// never handle _ pattern otherwise this function loses all interest
};
if size > max {
6 changes: 6 additions & 0 deletions kunai-common/src/bpf_events/events/syscore_resume.rs
@@ -0,0 +1,6 @@
use crate::bpf_events::Event;

pub type SysCoreResumeEvent = Event<SysCoreResumeData>;

#[repr(C)]
pub struct SysCoreResumeData {}
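Review bot: `SysCoreResumeData` is an empty payload with no comment saying the emptiness is deliberate, so a later maintainer may read it as an unfinished stub. A doc comment such as `/// Payload of a SyscoreResume event; intentionally empty, the Event wrapper alone carries the signal.` settles that. Note that an empty `#[repr(C)]` struct is zero-sized in Rust, whereas C++ gives an empty struct a non-zero size; that is harmless while both the eBPF and userland sides are Rust, but worth stating next to the attribute if this layout is ever shared through C bindings.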
1 change: 1 addition & 0 deletions kunai-ebpf/src/probes.rs
Expand Up @@ -30,6 +30,7 @@ mod mprotect;
mod prctl;
mod schedule;
mod send_data;
mod syscore_resume;

/// macro to track ignored results
macro_rules! ignore_result {
27 changes: 27 additions & 0 deletions kunai-ebpf/src/probes/syscore_resume.rs
@@ -0,0 +1,27 @@
use aya_ebpf::programs::ProbeContext;

use super::*;

// this probe is hit when the system is resumed, it is a way to
// create a trigger for program reload as a bug has been identified
// for some kretprobes not surviving to a suspend/resume cycle
// https://bugzilla.kernel.org/show_bug.cgi?id=218775
#[kprobe(function = "syscore_resume")]
pub fn enter_syscore_resume(ctx: ProbeContext) -> u32 {
match unsafe { try_syscore_resume(&ctx) } {
Ok(_) => errors::BPF_PROG_SUCCESS,
Err(s) => {
error!(&ctx, s);
errors::BPF_PROG_FAILURE
}
}
}

unsafe fn try_syscore_resume(ctx: &ProbeContext) -> ProbeResult<()> {
let evt = alloc::alloc_zero::<SysCoreResumeEvent>()?;

evt.init_from_current_task(Type::SyscoreResume)?;

pipe_event(ctx, evt);
Ok(())
}
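Review bot: The comment above `enter_syscore_resume` explains the kretprobe bug but not why this probe is immune to it; the fix only works if a plain kprobe on `syscore_resume` survives the cycle that breaks kretprobes, which looks deliberate but is unstated. Make the assumption explicit, e.g. `// deliberately a kprobe, not a kretprobe: the linked bug only affects kretprobes`, and while there tighten the wording to `not surviving a suspend/resume cycle`. `try_syscore_resume` is an `unsafe fn` with no `# Safety` section; if the sibling probes in this directory document that contract (presumably: called only from the probe entry point with a valid `ProbeContext`), follow suit here. The task recorded by `init_from_current_task` is simply whatever task is current when the kernel runs syscore_resume — presumably the one that initiated the suspend, not a process that did anything noteworthy — so a short comment on that call saying the event is a reload trigger rather than an attribution of activity would prevent consumers from misreading it.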