tracee
[BUG] support dirty_pipe_splice in unexploited kernels (final fix)
Prerequisites
- [x] This affects latest released version.
- [x] This affects current development tree (origin/HEAD).
- [x] There isn't an issue describing the bug.
Select one OR another:
- [ ] I'm going to create a PR to solve this (assign to yourself).
- [x] Someone else should solve this.
Bug description
This is a continuation of https://github.com/aquasecurity/tracee/pull/1663 and Alon is compromised in fixing it after we implement the kernel versioning dependency (per event) support.
Steps to reproduce
Steps to reproduce the issue:
```
docker run --rm --privileged -v $(pwd):/tracee:rw -e kvm_accel="kvm" -e kern_version=5.4.166-ubuntu+ -e test_name=TRC-2 -e is_noncore=1 -t rafaeldtinoco/tracee-test-kernels:latest
...
llc \
-march=bpf -mcpu=v2 \
-filetype=obj \
-o dist/tracee.bpf.5_4_166-ubuntu+..o \
dist/tracee.bpf.5_4_166-ubuntu+..ll
rm dist/tracee.bpf.5_4_166-ubuntu+..ll
./pkg/ebpf/c/tracee.bpf.c:4946:39: error: use of undeclared identifier 'PIPE_BUF_FLAG_CAN_MERGE'
    if ((out_pipe_last_buffer_flags & PIPE_BUF_FLAG_CAN_MERGE) == 0) {
                                      ^
1 error generated.
llc: error: llc: dist/tracee.bpf.5_4_166-ubuntu+..ll: error: Could not open input file: No such file or directory
rm: cannot remove 'dist/tracee.bpf.5_4_166-ubuntu+..ll': No such file or directory
```
This error will be fixed, but in a hacky way as commented at: https://github.com/aquasecurity/tracee/pull/1663#issuecomment-1099092194
Context
Relevant information about my setup:
- Linux version: tracee-test-kernels
- Linux kernel version: 5.4.166-ubuntu+
- Tracee version (or commit id of your tree): 0f28a2cc
- LLVM version: 12
- Golang version: 1.17
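
The per-event kernel version dependency mentioned in the bug description, sketched as an added example (not Tracee's code): `minKernel`, `parseRelease` and `EventSupported` are hypothetical names, and the 5.8 threshold assumes `PIPE_BUF_FLAG_CAN_MERGE` first appears in mainline 5.8 headers.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// minKernel is a hypothetical per-event table; 5.8 is an assumed threshold (see lead-in).
var minKernel = map[string][3]int{"dirty_pipe_splice": {5, 8, 0}}

// parseRelease turns a uname -r string such as "5.4.166-ubuntu+" into {5, 4, 166}.
func parseRelease(release string) ([3]int, error) {
	var v [3]int
	if i := strings.IndexFunc(release, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		release = release[:i] // drop the distro suffix, keep the leading digits and dots
	}
	parts := strings.Split(release, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognized kernel release %q", release)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("bad version field %q: %w", p, err)
		}
		v[i] = n
	}
	return v, nil
}

// EventSupported reports whether event may be enabled on a kernel with this release string.
func EventSupported(event, release string) (bool, error) {
	have, err := parseRelease(release)
	if err != nil {
		return false, err // fail closed: unknown kernel, do not enable the event
	}
	need := minKernel[event] // zero value for ungated events, which any kernel satisfies
	for i := range need {
		if have[i] != need[i] {
			return have[i] > need[i], nil
		}
	}
	return true, nil
}

func main() {
	fmt.Println(EventSupported("dirty_pipe_splice", "5.4.166-ubuntu+")) // release string from this report
}
```

A gate like this only decides whether the event is enabled at runtime; the non-CO-RE build shown above still needs the source to compile against headers that lack the macro.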