aquasecurity · AlonZivony · Apr 7, 2024 · Apr 7, 2024 · Apr 7, 2024
diff --git a/pkg/cmd/initialize/sigs.go b/pkg/cmd/initialize/sigs.go
@@ -98,6 +98,7 @@ func CreateEventsFromSignatures(startId events.ID, sigs []detect.Signature) map[
  []events.Probe{},
  []events.TailCall{},
  events.Capabilities{},
+ []events.DependenciesFallback{},
  ),
  []trace.ArgMeta{},
  properties,

diff --git a/pkg/cmd/initialize/sigs_test.go b/pkg/cmd/initialize/sigs_test.go
@@ -48,6 +48,7 @@ func Test_CreateEventsFromSigs(t *testing.T) {
  []events.Probe{},
  []events.TailCall{},
  events.Capabilities{},
+ []events.DependenciesFallback{},
  ),
  []trace.ArgMeta{},
  nil,
@@ -84,6 +85,7 @@ func Test_CreateEventsFromSigs(t *testing.T) {
  []events.Probe{},
  []events.TailCall{},
  events.Capabilities{},
+ []events.DependenciesFallback{},
  ),
  []trace.ArgMeta{},
  nil,
@@ -107,6 +109,7 @@ func Test_CreateEventsFromSigs(t *testing.T) {
  []events.Probe{},
  []events.TailCall{},
  events.Capabilities{},
+ []events.DependenciesFallback{},
  ),
  []trace.ArgMeta{},
  nil,
@@ -145,6 +148,7 @@ func Test_CreateEventsFromSigs(t *testing.T) {
  []events.Probe{},
  []events.TailCall{},
  events.Capabilities{},
+ []events.DependenciesFallback{},
  ),
  []trace.ArgMeta{},
  nil,

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -211,6 +211,33 @@ func (t *Tracee) addDependencyEventToState(evtID events.ID, dependentEvts []even
  }
 }
 
+// updateDependenciesStateRecursive change all dependencies submit states to match
+// their submit states, and current submit state of their dependents.
+// This should be called in the case of a fallback dependencies, as the events
+// dependencies change, on the older dependencies.
+// This should make sure that their submit will match their new dependents and
+// emit state.
+func (t *Tracee) updateDependenciesStateRecursive(eventNode *dependencies.EventNode) {
+ for _, dependencyEventID := range eventNode.GetDependencies().GetIDs() {
+ dependencyNode, err := t.eventsDependencies.GetEvent(dependencyEventID)
+ if err != nil { // event does not exist anymore in dependencies
+ t.removeEventFromState(dependencyEventID)
+ continue
+ }
+ dependencyState := t.eventsState[dependencyEventID]
+ newState := events.EventState{
+ Emit: dependencyState.Emit,
+ Submit: dependencyState.Emit,
+ }
+ for _, dependantID := range dependencyNode.GetDependents() {
+ dependantState := t.eventsState[dependantID]
+ newState.Submit |= dependantState.Submit
+ }
+ t.eventsState[dependencyEventID] = newState
+ t.updateDependenciesStateRecursive(dependencyNode)
+ }
+}
+
 func (t *Tracee) removeEventFromState(evtID events.ID) {
  logger.Debugw("Remove event from state", "event", events.Core.GetDefinitionByID(evtID).GetName())
  delete(t.eventsState, evtID)
@@ -270,6 +297,23 @@ func New(cfg config.Config) (*Tracee, error) {
  t.removeEventFromState(eventNode.GetID())
  return nil
  })
+ t.eventsDependencies.SubscribeChange(
+ dependencies.EventNodeType,
+ func(oldNode interface{}, newNode interface{}) []dependencies.Action {
+ oldEventNode, ok := oldNode.(*dependencies.EventNode)
+ if !ok {
+ logger.Errorw("Got node from type not requested")
+ return nil
+ }
+ newEventNode, ok := newNode.(*dependencies.EventNode)
+ if !ok {
+ logger.Errorw("Got node from type not requested")
+ return nil
+ }
+ t.updateDependenciesStateRecursive(oldEventNode)
+ t.addDependenciesToStateRecursive(newEventNode)
+ return nil
+ })
 
  // Initialize capabilities rings soon
 
@@ -365,6 +409,18 @@ func New(cfg config.Config) (*Tracee, error) {
  if err != nil {
  return t, errfmt.WrapError(err)
  }
+ // Also add all capabilities required by fallbacks
+ for _, fallback := range deps.GetFallbacks() {
+ fallbackCaps := fallback.GetDependencies().GetCapabilities()
+ err = caps.BaseRingAdd(fallbackCaps.GetBase()...)
+ if err != nil {
+ return t, errfmt.WrapError(err)
+ }
+ err = caps.BaseRingAdd(fallbackCaps.GetEBPF()...)
+ if err != nil {
+ return t, errfmt.WrapError(err)
+ }
+ }
  }
  }
 
@@ -1076,7 +1132,7 @@ func (t *Tracee) validateKallsymsDependencies() {
  for eventId := range t.eventsState {
  if !validateEvent(eventId) {
  // Cancel the event, its dependencies and its dependent events
- err := t.eventsDependencies.RemoveEvent(eventId)
+ _, err := t.eventsDependencies.FailEvent(eventId)
  if err != nil {
  logger.Warnw("Failed to remove event from dependencies manager", "remove reason", "missing ksymbols", "error", err)
  }
@@ -1312,7 +1368,7 @@ func (t *Tracee) attachProbes() error {
  for eventID := range t.eventsState {
  err := t.attachEvent(eventID)
  if err != nil {
- err := t.eventsDependencies.RemoveEvent(eventID)
+ _, err = t.eventsDependencies.FailEvent(eventID)
  if err != nil {
  logger.Warnw("Failed to remove event from dependencies manager", "remove reason", "failed probes attachment", "error", err)
  }

diff --git a/pkg/events/definition_dependencies.go b/pkg/events/definition_dependencies.go
@@ -13,6 +13,7 @@ type Dependencies struct {
  probes []Probe
  tailCalls []TailCall
  capabilities Capabilities
+ fallbacks []DependenciesFallback
 }
 
 func NewDependencies(
@@ -21,13 +22,15 @@ func NewDependencies(
  givenProbes []Probe,
  givenTailCalls []TailCall,
  givenCapabilities Capabilities,
+ fallbacks []DependenciesFallback,
 ) Dependencies {
  return Dependencies{
  ids: givenIDs,
  kSymbols: givenkSymbols,
  probes: givenProbes,
  tailCalls: givenTailCalls,
  capabilities: givenCapabilities,
+ fallbacks: fallbacks,
  }
 }
 
@@ -73,6 +76,13 @@ func (d Dependencies) GetCapabilities() Capabilities {
  return d.capabilities
 }
 
+func (d Dependencies) GetFallbacks() []DependenciesFallback {
+ if d.fallbacks == nil {
+ return []DependenciesFallback{}
+ }
+ return d.fallbacks
+}
+
 // Probe
 
 type Probe struct {
@@ -176,3 +186,21 @@ func (tc TailCall) GetMapName() string {
 func (tc TailCall) GetProgName() string {
  return tc.progName
 }
+
+// DependenciesFallback is a struct representing a set of fallback dependencies
+// to be utilized in case of issues with the event's primary dependencies.
+// This struct envelopes the dependencies, providing the flexibility to incorporate
+// future logic for determining whether to employ the fallback or not
+type DependenciesFallback struct {
+ dependencies Dependencies
+}
+
+func NewDependenciesFallback(dependencies Dependencies) DependenciesFallback {
+ return DependenciesFallback{
+ dependencies: dependencies,
+ }
+}
+
+func (df DependenciesFallback) GetDependencies() Dependencies {
+ return df.dependencies
+}
diff --git a/pkg/events/dependencies/errors.go b/pkg/events/dependencies/errors.go
@@ -24,6 +24,11 @@ func (cancelErr *ErrNodeAddCancelled) Error() string {
  return fmt.Sprintf("node add was cancelled, reasons: \"%s\"", strings.Join(errorsStrings, "\", \""))
 }
 
+func (cancelErr *ErrNodeAddCancelled) Is(err error) bool {
+ _, ok := err.(*ErrNodeAddCancelled)
+ return ok
+}
+
 func (cancelErr *ErrNodeAddCancelled) AddReason(reason error) {
  cancelErr.Reasons = append(cancelErr.Reasons, reason)
 }

diff --git a/pkg/events/dependencies/event.go b/pkg/events/dependencies/event.go
@@ -14,7 +14,8 @@ type EventNode struct {
  dependencies events.Dependencies
  // There won't be more than a couple of dependents, so a slice is better for
  // both performance and supporting efficient thread-safe operation in the future
- dependents []events.ID
+ dependents []events.ID
+ currentFallback int // The index of current fallback dependencies
 }
 
 func newDependenciesNode(id events.ID, dependencies events.Dependencies, chosenDirectly bool) *EventNode {
@@ -23,6 +24,7 @@ func newDependenciesNode(id events.ID, dependencies events.Dependencies, chosenD
  explicitlySelected: chosenDirectly,
  dependencies: dependencies,
  dependents: make([]events.ID, 0),
+ currentFallback: -1,
  }
 }
 
@@ -31,7 +33,11 @@ func (en *EventNode) GetID() events.ID {
 }
 
 func (en *EventNode) GetDependencies() events.Dependencies {
- return en.dependencies
+ if en.currentFallback < 0 {
+ return en.dependencies
+ }
+ fallbacks := en.dependencies.GetFallbacks()
+ return fallbacks[en.currentFallback].GetDependencies()
 }
 
 func (en *EventNode) GetDependents() []events.ID {
@@ -71,3 +77,22 @@ func (en *EventNode) removeDependent(dependent events.ID) {
  }
  }
 }
+
+func (en *EventNode) fallback() bool {
+ fallbacks := en.dependencies.GetFallbacks()
+ if (en.currentFallback + 1) >= len(fallbacks) {
+ return false
+ }
+ en.currentFallback += 1
+ return true
+}
+
+func (en *EventNode) clone() *EventNode {
+ clone := &EventNode{
+ id: en.id,
+ explicitlySelected: en.explicitlySelected,
+ dependencies: en.dependencies,
+ dependents: slices.Clone[[]events.ID](en.dependents),
+ }
+ return clone
+}