disable (process) ebpf events when to many errors

if an invalid opensnitch-procs.o module was loaded, we were flooding the log with errors. In these cases stop processing events after 20 errors (random, we should have no errors). This may occur if the module is malformed (valid .o ebpf module but different structs, etc), or when loading modules from other versions. Closes: #1099 #1082
evilsocket · Apr 29, 2024 · 0a911ef · 0a911ef
1 parent 7442bec
commit 0a911ef
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/daemon/procmon/ebpf/events.go b/daemon/procmon/ebpf/events.go
@@ -158,6 +158,17 @@ func initPerfMap(mod *elf.Module) error {
 
 func streamEventsWorker(id int, chn chan []byte, lost chan uint64, kernelEvents chan interface{}) {
 	var event execEvent
+	errors := 0
+	maxErrors := 20 // we should have no errors.
+	tooManyErrors := func() bool {
+		errors++
+		if errors > maxErrors {
+			log.Error("[eBPF events] too many errors parsing events from kernel")
+			log.Error("verify that you're using the correct eBPF modules for this version (%s)", core.Version)
+			return true
+		}
+		return false
+	}
 	for {
 		select {
 		case <-ctxTasks.Done():
@@ -167,6 +178,10 @@ func streamEventsWorker(id int, chn chan []byte, lost chan uint64, kernelEvents
 		case d := <-chn:
 			if err := binary.Read(bytes.NewBuffer(d), hostByteOrder, &event); err != nil {
 				log.Debug("[eBPF events #%d] error: %s", id, err)
+				if tooManyErrors() {
+					goto Exit
+				}
+
 				continue
 			}