fix(events): fix hooked_syscall for RHEL 8.x kernels

aquasecurity · Oct 28, 2023 · 7d6a7c4 · 7d6a7c4
1 parent 9c04d29
commit 7d6a7c4
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/pkg/ebpf/hooked_syscall_table.go b/pkg/ebpf/hooked_syscall_table.go
@@ -161,7 +161,13 @@ func (t *Tracee) populateExpectedSyscallTableArray(tableMap *bpf.BPFMap) error {
 	// Get address to the function that defines the not implemented sys call
 	niSyscallSymbol, err := t.kernelSymbols.GetSymbolByName("system", events.SyscallPrefix+"ni_syscall")
 	if err != nil {
-		return err
+		e := err
+		// RHEL 8.x uses sys_ni_syscall instead of __arch_ni_syscall
+		niSyscallSymbol, err = t.kernelSymbols.GetSymbolByName("system", "sys_ni_syscall")
+		if err != nil {
+			logger.Debugw("hooked_syscall: syscall symbol not found", "name", "sys_ni_syscall")
+			return e
+		}
 	}
 	niSyscallAddress := niSyscallSymbol.Address
 

diff --git a/pkg/events/core_amd64.go b/pkg/events/core_amd64.go
@@ -1349,8 +1349,8 @@ var SyscallSymbolNames = map[ID][]KernelRestrictions{
 	431: {{Name: "fsconfig"}},
 	432: {{Name: "fsmount"}},
 	433: {{Name: "fspick"}},
-	434: {{Name: "pidfd_open"}},
-	435: {{Name: "clone3"}},
+	434: {{Above: "5.2", Name: "pidfd_open"}},
+	435: {{Above: "5.2", Name: "clone3"}},
 	436: {{Above: "5.9", Name: "close_range"}},
 	437: {{Above: "5.6", Name: "openat2"}},
 	438: {{Above: "5.6", Name: "pidfd_getfd"}},

diff --git a/pkg/events/core_arm64.go b/pkg/events/core_arm64.go
@@ -1408,8 +1408,8 @@ var SyscallSymbolNames = map[ID][]KernelRestrictions{
 	431: {{Name: "fsconfig"}},
 	432: {{Name: "fsmount"}},
 	433: {{Name: "fspick"}},
-	434: {{Name: "pidfd_open"}},
-	435: {{Name: "clone3"}},
+	434: {{Above: "5.2", Name: "pidfd_open"}},
+	435: {{Above: "5.2", Name: "clone3"}},
 	436: {{Above: "5.9", Name: "close_range"}},
 	437: {{Above: "5.7", Name: "openat2"}},
 	438: {{Above: "5.7", Name: "pidfd_getfd"}},