If an event fails during the attachment stage, it will be cancelled by removing it from the eventsState map:
```go
// cancelEventFromEventState cancels an event and all its dependencies from the eventsState map.
func (t *Tracee) cancelEventFromEventState(evtID events.ID) {
	delete(t.eventsState, evtID)
	evtDef := events.Core.GetDefinitionByID(evtID)
	for _, evtDeps := range evtDef.GetDependencies().GetIDs() {
		t.cancelEventFromEventState(evtDeps)
	}
}
```
However, this is hardly enough.
If the event has other probes that were attached already, there is no effort to detach them (if no other event depends on these probes).
Moreover, the policies maps are not affected by this cancellation, with the result that the should_trace function for the cancelled event in the eBPF code will still return true. This means that we will still get the event from the eBPF code. This is a huge waste of resources, and might also result in bugs if the event's other probes should clean up or do some other logic with the failed probe.
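A small Go model of the fuller cancellation the issue describes, added here as an illustration and not taken from Tracee's code: it clears the policy entry along with the state entry and detaches probes that no surviving event still needs. The `Tracer` type, its fields, `Cancel` and `sample` are hypothetical stand-ins, the data is constructed, and dependencies are cancelled unconditionally, mirroring the recursion in the function quoted in the issue.

```go
package main

import "fmt"

// Tracer is a hypothetical model, not Tracee's own types.
type Tracer struct {
	state    map[int]bool     // stands in for eventsState
	deps     map[int][]int    // event ID -> dependency event IDs
	probes   map[int][]string // event ID -> probes it needs
	attached map[string]bool  // probes currently attached
	policy   map[int]bool     // stands in for the maps should_trace reads
}

// Cancel clears id and its dependencies, then detaches probes nobody needs.
func (t *Tracer) Cancel(id int) {
	for work := []int{id}; len(work) > 0; work = work[1:] {
		if ev := work[0]; t.state[ev] { // skip events already cancelled
			delete(t.state, ev)
			delete(t.policy, ev) // so the should_trace stand-in stops matching
			work = append(work, t.deps[ev]...)
		}
	}
	needed := map[string]bool{}
	for ev := range t.state {
		for _, p := range t.probes[ev] {
			needed[p] = true
		}
	}
	for p := range t.attached {
		if !needed[p] {
			delete(t.attached, p) // a real tracer would detach the probe here
		}
	}
}

func sample() *Tracer {
	return &Tracer{ // constructed data: event 1 (depends on 3) failed on "p_fail"
		state:    map[int]bool{1: true, 2: true, 3: true},
		deps:     map[int][]int{1: {3}},
		probes:   map[int][]string{1: {"p_own", "p_shared", "p_fail"}, 2: {"p_shared"}, 3: {"p_dep"}},
		attached: map[string]bool{"p_own": true, "p_shared": true, "p_dep": true},
		policy:   map[int]bool{1: true, 2: true, 3: true},
	}
}

func main() {
	t := sample()
	t.Cancel(1)
	fmt.Println(t.state, t.policy, t.attached)
}
```

After `Cancel(1)` only event 2 remains in the state and policy maps, and only `p_shared` stays attached because event 2 still uses it.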