Yaniv Agman
> Being more specific, Tracee CAN'T win in the cat and mouse game against an attacker who controls the kernel. This includes a rootkit that was already installed before running...
We prefer not using the security_path_xxx hooks as these are not enabled in all distros (protected by an ifdef). This is why we use the security_inode_xxx hooks instead.
#1105
Closing this. Capabilities code was reimplemented by @rafaeldtinoco and fixed this
> > 1. change the fd argument type to string
>
> For that I suppose we would need to change all [syscall args](https://github.com/aquasecurity/tracee/blob/main/pkg/events/events.go#L202) `{Type: "int", Name: "fd"}` (and related)...
> Hmm, at least for me, if you are consuming Tracee as a lib, you should set your own logger with `logger.SetBase()`; it will respect whatever your application is already using. One...
But should we close this? I mean, we still use the older libbpfgo version in tracee, don't we?
Regarding removing the `always_inline` attribute, please note that this doesn't play well with tail calls, as explained here: https://docs.cilium.io/en/stable/bpf/#bpf-to-bpf-calls
Also, there is this one (bounded loops since 5.3): https://github.com/aquasecurity/tracee/issues/474 (Not related to CO-RE but to new BPF features that we should support)
Might be related to the btf-defined maps we recently started using @grantseltzer