Support for MicroOS ? #2548
Comments
Hi! Thanks for opening this feature request! Finally, it is worth mentioning that given the steadily increasing number of these new tiny security-aimed OSes, I think we will always lag behind; hopefully the modern bpf probe with its CO-RE approach will soon become the standard way of deploying Falco and fix this issue, since it doesn't require any artifact to be built or downloaded.
Thanks @FedeDP for the link to the blogpost. Didn't think about checking there. ;) I have been trying the modern-bpf on microos, but am currently still getting errors. But once that works without the artifacts we'll definitely be happier. Thx for the work!
Could you share the error please :)?
Sure, wasn't sure yet if I made a mistake or not and wanted to check further, but here's what I did:

podman run \
  --rm -it --privileged \
  -v /var/run/containerd/containerd.sock:/host/var/run/containerd/containerd.sock \
  -v /proc:/host/proc:ro \
  falcosecurity/falco-no-driver:latest falco --modern-bpf

2023-05-15T10:08:18+0000: Falco version: 0.34.1 (x86_64)
2023-05-15T10:08:18+0000: Falco initialized with configuration file: /etc/falco/falco.yaml
2023-05-15T10:08:18+0000: Loading rules from file /etc/falco/falco_rules.yaml
2023-05-15T10:08:18+0000: Loading rules from file /etc/falco/falco_rules.local.yaml
2023-05-15T10:08:19+0000: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
2023-05-15T10:08:19+0000: Starting health webserver with threadiness 2, listening on port 8765
2023-05-15T10:08:19+0000: Enabled event sources: syscall
2023-05-15T10:08:19+0000: Opening capture with modern BPF probe.
2023-05-15T10:08:19+0000: One ring buffer every '2' CPUs.
libbpf: prog 'clone_x': BPF program load failed: Invalid argument
libbpf: prog 'clone_x': -- BEGIN PROG LOAD LOG --
reg type unsupported for arg#0 function clone_x#884
0: R1=ctx(off=0,imm=0) R10=fp0
; int BPF_PROG(clone_x,
0: (bf) r8 = r1 ; R1=ctx(off=0,imm=0) R8_w=ctx(off=0,imm=0)
; int BPF_PROG(clone_x,
1: (79) r6 = *(u64 *)(r8 +8) ; R6_w=scalar() R8_w=ctx(off=0,imm=0)
; u32 cpu_id = (u32)bpf_get_smp_processor_id();
2: (85) call bpf_get_smp_processor_id#8 ; R0_w=scalar()
; u32 cpu_id = (u32)bpf_get_smp_processor_id();
3: (63) *(u32 *)(r10 -8) = r0 ; R0_w=scalar() R10=fp0 fp-8=????mmmm
4: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
5: (07) r2 += -8 ; R2_w=fp-8
; return (struct auxiliary_map *)bpf_map_lookup_elem(&auxiliary_maps, &cpu_id);
6: (18) r1 = 0xffffb383c5061000 ; R1_w=map_ptr(off=0,ks=4,vs=131088,imm=0)
8: (85) call bpf_map_lookup_elem#1 ; R0=map_value_or_null(id=1,off=0,ks=4,vs=131088,imm=0)
9: (bf) r7 = r0 ; R0=map_value_or_null(id=1,off=0,ks=4,vs=131088,imm=0) R7_w=map_value_or_null(id=1,off=0,ks=4,vs=131088,imm=0)
; if(!auxmap)
10: (15) if r7 == 0x0 goto pc+626 ; R7_w=map_value(off=0,ks=4,vs=131088,imm=0)
11: (7b) *(u64 *)(r10 -72) = r8 ; R8=ctx(off=0,imm=0) R10=fp0 fp-72_w=ctx
; return g_event_params_table[event_id];
12: (18) r1 = 0xffffb383c50a4010 ; R1_w=map_value(off=16,ks=4,vs=122458,imm=0)
14: (71) r8 = *(u8 *)(r1 +223) ; R1_w=map_value(off=16,ks=4,vs=122458,imm=0) R8_w=21
; return g_settings.boot_time;
15: (18) r1 = 0xffffb383c5045200 ; R1_w=map_value(off=512,ks=4,vs=45408,imm=0)
17: (79) r9 = *(u64 *)(r1 +0) ; R1_w=map_value(off=512,ks=4,vs=45408,imm=0) R9_w=scalar()
; hdr->ts = maps__get_boot_time() + bpf_ktime_get_boot_ns();
18: (85) call bpf_ktime_get_boot_ns#125 ; R0=scalar()
; hdr->ts = maps__get_boot_time() + bpf_ktime_get_boot_ns();
19: (0f) r0 += r9 ; R0_w=scalar() R9=scalar()
; hdr->ts = maps__get_boot_time() + bpf_ktime_get_boot_ns();
20: (bf) r1 = r0 ; R0_w=scalar(id=2) R1_w=scalar(id=2)
21: (77) r1 >>= 56 ; R1_w=scalar(umax=255,var_off=(0x0; 0xff))
22: (73) *(u8 *)(r7 +7) = r1 ; R1_w=scalar(umax=255,var_off=(0x0; 0xff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
23: (bf) r1 = r0 ; R0_w=scalar(id=2) R1_w=scalar(id=2)
24: (77) r1 >>= 48 ; R1_w=scalar(umax=65535,var_off=(0x0; 0xffff))
25: (73) *(u8 *)(r7 +6) = r1 ; R1_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
26: (bf) r1 = r0 ; R0_w=scalar(id=2) R1_w=scalar(id=2)
27: (77) r1 >>= 40 ; R1_w=scalar(umax=16777215,var_off=(0x0; 0xffffff))
28: (73) *(u8 *)(r7 +5) = r1 ; R1_w=scalar(umax=16777215,var_off=(0x0; 0xffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
29: (bf) r1 = r0 ; R0_w=scalar(id=2) R1_w=scalar(id=2)
30: (77) r1 >>= 32 ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff))
31: (73) *(u8 *)(r7 +4) = r1 ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
32: (bf) r1 = r0 ; R0_w=scalar(id=2) R1_w=scalar(id=2)
33: (77) r1 >>= 24 ; R1_w=scalar(umax=1099511627775,var_off=(0x0; 0xffffffffff))
34: (73) *(u8 *)(r7 +3) = r1 ; R1_w=scalar(umax=1099511627775,var_off=(0x0; 0xffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
35: (bf) r1 = r0 ; R0_w=scalar(id=2) R1_w=scalar(id=2)
36: (77) r1 >>= 16 ; R1_w=scalar(umax=281474976710655,var_off=(0x0; 0xffffffffffff))
37: (73) *(u8 *)(r7 +2) = r1 ; R1_w=scalar(umax=281474976710655,var_off=(0x0; 0xffffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
38: (73) *(u8 *)(r7 +0) = r0 ; R0_w=scalar(id=2) R7=map_value(off=0,ks=4,vs=131088,imm=0)
39: (77) r0 >>= 8 ; R0_w=scalar(umax=72057594037927935,var_off=(0x0; 0xffffffffffffff))
40: (73) *(u8 *)(r7 +1) = r0 ; R0_w=scalar(umax=72057594037927935,var_off=(0x0; 0xffffffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
; hdr->tid = bpf_get_current_pid_tgid() & 0xffffffff;
41: (85) call bpf_get_current_pid_tgid#14 ; R0_w=scalar()
42: (b7) r1 = 223 ; R1_w=223
; hdr->type = event_type;
43: (73) *(u8 *)(r7 +20) = r1 ; R1_w=223 R7=map_value(off=0,ks=4,vs=131088,imm=0)
44: (b7) r1 = 0 ; R1_w=0
; hdr->nparams = nparams;
45: (73) *(u8 *)(r7 +25) = r1 ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
46: (73) *(u8 *)(r7 +24) = r1 ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
47: (73) *(u8 *)(r7 +23) = r1 ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
; hdr->type = event_type;
48: (73) *(u8 *)(r7 +21) = r1 ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
; hdr->tid = bpf_get_current_pid_tgid() & 0xffffffff;
49: (73) *(u8 *)(r7 +15) = r1 ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
50: (73) *(u8 *)(r7 +14) = r1 ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
51: (73) *(u8 *)(r7 +13) = r1 ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
52: (73) *(u8 *)(r7 +12) = r1 ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
53: (bf) r1 = r0 ; R0_w=scalar(id=3) R1_w=scalar(id=3)
54: (77) r1 >>= 24 ; R1_w=scalar(umax=1099511627775,var_off=(0x0; 0xffffffffff))
55: (73) *(u8 *)(r7 +11) = r1 ; R1_w=scalar(umax=1099511627775,var_off=(0x0; 0xffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
56: (bf) r1 = r0 ; R0_w=scalar(id=3) R1_w=scalar(id=3)
57: (77) r1 >>= 16 ; R1_w=scalar(umax=281474976710655,var_off=(0x0; 0xffffffffffff))
58: (73) *(u8 *)(r7 +10) = r1 ; R1_w=scalar(umax=281474976710655,var_off=(0x0; 0xffffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
59: (73) *(u8 *)(r7 +8) = r0 ; R0_w=scalar(id=3) R7=map_value(off=0,ks=4,vs=131088,imm=0)
60: (77) r0 >>= 8 ; R0_w=scalar(umax=72057594037927935,var_off=(0x0; 0xffffffffffffff))
61: (73) *(u8 *)(r7 +9) = r0 ; R0_w=scalar(umax=72057594037927935,var_off=(0x0; 0xffffffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
; hdr->nparams = nparams;
62: (73) *(u8 *)(r7 +22) = r8 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8=21
; auxmap->payload_pos = sizeof(struct ppm_evt_hdr) + nparams * sizeof(u16);
63: (67) r8 <<= 1 ; R8_w=42
; auxmap->payload_pos = sizeof(struct ppm_evt_hdr) + nparams * sizeof(u16);
64: (bf) r1 = r8 ; R1_w=42 R8_w=42
65: (0f) r1 += r7 ; R1_w=map_value(off=42,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
66: (7b) *(u64 *)(r1 +26) = r6 ; R1_w=map_value(off=42,ks=4,vs=131088,imm=0) R6=scalar()
; auxmap->lengths_pos = sizeof(struct ppm_evt_hdr);
67: (bf) r1 = r7 ; R1_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
68: (07) r1 += 131080 ; R1_w=map_value(off=131080,ks=4,vs=131088,imm=0)
69: (b7) r2 = 28 ; R2_w=28
; *lengths_pos += sizeof(u16);
70: (73) *(u8 *)(r1 +0) = r2 ; R1_w=map_value(off=131080,ks=4,vs=131088,imm=0) R2_w=28
71: (b7) r1 = 8 ; R1_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
72: (6b) *(u16 *)(r7 +26) = r1 ; R1_w=8 R7=map_value(off=0,ks=4,vs=131088,imm=0)
; auxmap->payload_pos = sizeof(struct ppm_evt_hdr) + nparams * sizeof(u16);
73: (bf) r1 = r7 ; R1_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
74: (07) r1 += 131072 ; R1_w=map_value(off=131072,ks=4,vs=131088,imm=0)
; *payload_pos += sizeof(s64);
75: (07) r8 += 34 ; R8_w=76
76: (7b) *(u64 *)(r1 +0) = r8 ; R1_w=map_value(off=131072,ks=4,vs=131088,imm=0) R8_w=76
77: (18) r1 = 0x1 ; R1_w=1
; && (bpf_core_enum_value(enum bpf_func_id, BPF_FUNC_get_current_task_btf) == BPF_FUNC_get_current_task_btf))
79: (15) if r1 == 0x0 goto pc+5 ; R1_w=1
80: (18) r1 = 0x9e ; R1=158
; if(bpf_core_enum_value_exists(enum bpf_func_id, BPF_FUNC_get_current_task_btf)
82: (55) if r1 != 0x9e goto pc+2 ; R1=158
; return (struct task_struct *)bpf_get_current_task_btf();
83: (85) call bpf_get_current_task_btf#158 ; R0_w=trusted_ptr_task_struct(off=0,imm=0)
84: (05) goto pc+1
;
86: (bf) r8 = r0 ; R0_w=trusted_ptr_task_struct(off=0,imm=0) R8_w=trusted_ptr_task_struct(off=0,imm=0)
87: (b7) r2 = 0 ; R2_w=0
88: (7b) *(u64 *)(r10 -64) = r8 ; R8_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0 fp-64_w=trusted_ptr_
; if(ret >= 0)
89: (6d) if r2 s> r6 goto pc+112 ; R2_w=0 R6=scalar(umax=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff))
; unsigned long arg_start_pointer = 0;
90: (7b) *(u64 *)(r10 -8) = r2 ; R2_w=0 R10=fp0 fp-8_w=00000000
; unsigned long arg_end_pointer = 0;
91: (7b) *(u64 *)(r10 -16) = r2 ; R2_w=0 R10=fp0 fp-16_w=00000000
92: (18) r6 = 0x1 ; R6=1
; READ_TASK_FIELD_INTO(&arg_start_pointer, task, mm, arg_start);
94: (15) if r6 == 0x0 goto pc+24 ; R6=1
95: (18) r1 = 0x9e ; R1_w=158
; READ_TASK_FIELD_INTO(&arg_start_pointer, task, mm, arg_start);
97: (55) if r1 != 0x9e goto pc+21 ; R1_w=158
; READ_TASK_FIELD_INTO(&arg_start_pointer, task, mm, arg_start);
98: (79) r1 = *(u64 *)(r8 +2336) ; R1_w=ptr_mm_struct(off=0,imm=0) R8=trusted_ptr_task_struct(off=0,imm=0)
99: (79) r1 = *(u64 *)(r1 +304) ; R1_w=scalar()
100: (7b) *(u64 *)(r10 -8) = r1 ; R1_w=scalar() R10=fp0 fp-8_w=mmmmmmmm
; READ_TASK_FIELD_INTO(&arg_end_pointer, task, mm, arg_end);
101: (15) if r6 == 0x0 goto pc+1 ; R6=1
102: (05) goto pc+31
; READ_TASK_FIELD_INTO(&arg_end_pointer, task, mm, arg_end);
134: (18) r1 = 0x9e ; R1_w=158
; READ_TASK_FIELD_INTO(&arg_end_pointer, task, mm, arg_end);
136: (55) if r1 != 0x9e goto pc-34 ; R1_w=158
; READ_TASK_FIELD_INTO(&arg_end_pointer, task, mm, arg_end);
137: (79) r1 = *(u64 *)(r8 +2336) ; R1_w=ptr_mm_struct(off=0,imm=0) R8=trusted_ptr_task_struct(off=0,imm=0)
138: (79) r9 = *(u64 *)(r1 +312) ; R1_w=ptr_mm_struct(off=0,imm=0) R9_w=scalar()
139: (7b) *(u64 *)(r10 -16) = r9 ; R9_w=scalar() R10=fp0 fp-16_w=mmmmmmmm
140: (b7) r1 = 0 ; R1_w=0
; unsigned long total_args_len = arg_end_pointer - arg_start_pointer;
141: (7b) *(u64 *)(r10 -80) = r1 ; R1_w=0 R10=fp0 fp-80_w=00000000
142: (79) r6 = *(u64 *)(r10 -8) ; R6_w=scalar() R10=fp0
143: (b7) r1 = 0 ; R1_w=0
; if(charbuf_pointer)
144: (15) if r6 == 0x0 goto pc+19 ; R6_w=scalar()
;
145: (bf) r8 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
146: (07) r8 += 131072 ; R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
147: (79) r2 = *(u64 *)(r8 +0) ; R2_w=scalar() R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
148: (57) r2 &= 65535 ; R2_w=scalar(umax=65535,var_off=(0x0; 0xffff))
149: (bf) r1 = r7 ; R1_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
150: (0f) r1 += r2 ; R1_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff)) R2_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; written_bytes = bpf_probe_read_user_str(&data[SAFE_ACCESS(*payload_pos)],
151: (b7) r2 = 4096 ; R2_w=4096
152: (bf) r3 = r6 ; R3_w=scalar(id=5) R6_w=scalar(id=5)
153: (85) call bpf_probe_read_user_str#114 ; R0=scalar(smin=-4095,smax=4096)
;
154: (bf) r2 = r0 ; R0=scalar(id=6,smin=-4095,smax=4096) R2_w=scalar(id=6,smin=-4095,smax=4096)
155: (67) r2 <<= 32 ; R2_w=scalar(smax=17592186044416,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0)
156: (c7) r2 s>>= 32 ; R2_w=scalar(smin=-2147483648,smax=4096)
157: (b7) r3 = 1 ; R3_w=1
158: (b7) r1 = 0 ; R1_w=0
; if(written_bytes <= 0)
159: (6d) if r3 s> r2 goto pc+4 ; R2_w=scalar(umin=1,umax=4096,var_off=(0x0; 0x1fff)) R3_w=1
; *payload_pos += written_bytes;
160: (79) r1 = *(u64 *)(r8 +0) ; R1_w=scalar() R8=map_value(off=131072,ks=4,vs=131088,imm=0)
161: (0f) r1 += r2 ; R1_w=scalar() R2_w=scalar(umin=1,umax=4096,var_off=(0x0; 0x1fff))
162: (7b) *(u64 *)(r8 +0) = r1 ; R1_w=scalar() R8=map_value(off=131072,ks=4,vs=131088,imm=0)
163: (bf) r1 = r0 ; R0=scalar(id=6,smin=-4095,smax=4096) R1_w=scalar(id=6,smin=-4095,smax=4096)
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
164: (bf) r8 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
165: (07) r8 += 131080 ; R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
166: (71) r2 = *(u8 *)(r8 +0) ; R2_w=scalar(umax=255,var_off=(0x0; 0xff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
167: (bf) r3 = r7 ; R3_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
168: (0f) r3 += r2 ; R2_w=scalar(umax=255,var_off=(0x0; 0xff)) R3_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
169: (6b) *(u16 *)(r3 +0) = r1 ; R1_w=scalar(id=6,smin=-4095,smax=4096) R3_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
170: (07) r2 += 2 ; R2_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff))
171: (73) *(u8 *)(r8 +0) = r2 ; R2_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
; auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER);
172: (0f) r6 += r1 ; R1_w=scalar(id=6,smin=-4095,smax=4096) R6_w=scalar()
173: (1f) r9 -= r6 ; R6_w=scalar() R9_w=scalar()
; auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER);
174: (57) r9 &= 4095 ; R9_w=scalar(umax=4095,var_off=(0x0; 0xfff))
; if(bytebuf_pointer && len_to_read > 0)
175: (15) if r9 == 0x0 goto pc+17 ; R9_w=scalar(umax=4095,var_off=(0x0; 0xfff))
;
176: (57) r1 &= 65535 ; R1_w=scalar(umax=65535,var_off=(0x0; 0xffff))
177: (79) r3 = *(u64 *)(r10 -8) ; R3_w=scalar() R10=fp0
178: (0f) r3 += r1 ; R1=scalar(umax=65535,var_off=(0x0; 0xffff)) R3=scalar()
; if(bytebuf_pointer && len_to_read > 0)
179: (15) if r3 == 0x0 goto pc+13 ; R3=scalar()
; if(bpf_probe_read_user(&data[SAFE_ACCESS(*payload_pos)],
180: (bf) r6 = r7 ; R6_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
181: (07) r6 += 131072 ; R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
182: (79) r2 = *(u64 *)(r6 +0) ; R2_w=scalar() R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
183: (57) r2 &= 65535 ; R2_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; if(bpf_probe_read_user(&data[SAFE_ACCESS(*payload_pos)],
184: (bf) r1 = r7 ; R1_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
185: (0f) r1 += r2 ; R1_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff)) R2_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; if(bpf_probe_read_user(&data[SAFE_ACCESS(*payload_pos)],
186: (bf) r2 = r9 ; R2_w=scalar(id=7,umax=4095,var_off=(0x0; 0xfff)) R9=scalar(id=7,umax=4095,var_off=(0x0; 0xfff))
187: (85) call bpf_probe_read_user#112 ; R0=scalar()
; if(bpf_probe_read_user(&data[SAFE_ACCESS(*payload_pos)],
188: (55) if r0 != 0x0 goto pc+4 ; R0=0
; *payload_pos += len_to_read;
189: (79) r1 = *(u64 *)(r6 +0) ; R1_w=scalar() R6=map_value(off=131072,ks=4,vs=131088,imm=0)
190: (0f) r1 += r9 ; R1_w=scalar() R9=scalar(id=7,umax=4095,var_off=(0x0; 0xfff))
191: (7b) *(u64 *)(r6 +0) = r1 ; R1_w=scalar() R6=map_value(off=131072,ks=4,vs=131088,imm=0)
192: (7b) *(u64 *)(r10 -80) = r9 ; R9=scalar(id=7,umax=4095,var_off=(0x0; 0xfff)) R10=fp0 fp-80_w=
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
193: (71) r1 = *(u8 *)(r8 +0) ; R1_w=scalar(umax=255,var_off=(0x0; 0xff)) R8=map_value(off=131080,ks=4,vs=131088,imm=0)
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
194: (bf) r2 = r7 ; R2_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
195: (0f) r2 += r1 ; R1_w=scalar(umax=255,var_off=(0x0; 0xff)) R2_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
196: (79) r3 = *(u64 *)(r10 -80) ; R3_w=scalar(id=7,umax=4095,var_off=(0x0; 0xfff)) R10=fp0
197: (6b) *(u16 *)(r2 +0) = r3 ; R2_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff)) R3_w=scalar(id=7,umax=4095,var_off=(0x0; 0xfff))
; *lengths_pos += sizeof(u16);
198: (07) r1 += 2 ; R1_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff))
199: (73) *(u8 *)(r8 +0) = r1 ; R1_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff)) R8=map_value(off=131080,ks=4,vs=131088,imm=0)
200: (79) r8 = *(u64 *)(r10 -64) ; R8_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0
201: (05) goto pc+14
; *lengths_pos += sizeof(u16);
216: (18) r2 = 0x1 ; R2_w=1
; return READ_TASK_FIELD(task, pid);
218: (15) if r2 == 0x0 goto pc+7 ; R2_w=1
219: (18) r2 = 0x9e ; R2_w=158
; return READ_TASK_FIELD(task, pid);
221: (55) if r2 != 0x9e goto pc+4 ; R2_w=158
222: (b7) r2 = 2456 ; R2_w=2456
223: (bf) r6 = r8 ; R6_w=trusted_ptr_task_struct(off=0,imm=0) R8=trusted_ptr_task_struct(off=0,imm=0)
224: (0f) r6 += r2 ; R2_w=2456 R6_w=trusted_ptr_task_struct(off=2456,imm=0)
225: (05) goto pc+11
; return READ_TASK_FIELD(task, pid);
237: (61) r3 = *(u32 *)(r6 +0) ; R3_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6=trusted_ptr_task_struct(off=2456,imm=0)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
238: (bf) r8 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
239: (07) r8 += 131072 ; R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
240: (79) r2 = *(u64 *)(r8 +0) ; R2_w=scalar() R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
241: (bf) r4 = r2 ; R2_w=scalar(id=8) R4_w=scalar(id=8)
242: (57) r4 &= 65535 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
243: (bf) r5 = r7 ; R5_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
244: (0f) r5 += r4 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; return READ_TASK_FIELD(task, pid);
245: (67) r3 <<= 32 ; R3_w=scalar(smax=9223372032559808512,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0)
246: (c7) r3 s>>= 32 ; R3_w=scalar(smin=-2147483648,smax=2147483647)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
247: (7b) *(u64 *)(r5 +0) = r3 ; R3_w=scalar(smin=-2147483648,smax=2147483647) R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(s64);
248: (07) r2 += 8 ; R2_w=scalar()
249: (7b) *(u64 *)(r8 +0) = r2 ; R2_w=scalar() R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
250: (bf) r3 = r1 ; R1=scalar(id=9,umin=2,umax=257,var_off=(0x0; 0x1ff)) R3_w=scalar(id=9,umin=2,umax=257,var_off=(0x0; 0x1ff))
251: (57) r3 &= 255 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
252: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
253: (0f) r4 += r3 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
254: (b7) r3 = 8 ; R3_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
255: (6b) *(u16 *)(r4 +0) = r3 ; R3_w=8 R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
256: (bf) r9 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R9_w=map_value(off=0,ks=4,vs=131088,imm=0)
257: (07) r9 += 131080 ; R9_w=map_value(off=131080,ks=4,vs=131088,imm=0)
258: (07) r1 += 2 ; R1_w=scalar(umin=4,umax=259,var_off=(0x0; 0x1ff))
259: (73) *(u8 *)(r9 +0) = r1 ; R1_w=scalar(umin=4,umax=259,var_off=(0x0; 0x1ff)) R9_w=map_value(off=131080,ks=4,vs=131088,imm=0)
260: (18) r3 = 0x1 ; R3_w=1
; return READ_TASK_FIELD(task, tgid);
262: (15) if r3 == 0x0 goto pc+7 ; R3_w=1
263: (18) r3 = 0x9e ; R3_w=158
; return READ_TASK_FIELD(task, tgid);
265: (55) if r3 != 0x9e goto pc+4 ; R3_w=158
266: (b7) r3 = 2460 ; R3_w=2460
267: (79) r6 = *(u64 *)(r10 -64) ; R6_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0
268: (0f) r6 += r3 ; R3_w=2460 R6_w=trusted_ptr_task_struct(off=2460,imm=0)
269: (05) goto pc+10
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
280: (bf) r3 = r2 ; R2=scalar(id=10) R3_w=scalar(id=10)
281: (57) r3 &= 65535 ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
282: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
283: (0f) r4 += r3 ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; return READ_TASK_FIELD(task, tgid);
284: (61) r3 = *(u32 *)(r6 +0) ; R3_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6=trusted_ptr_task_struct(off=2460,imm=0)
285: (67) r3 <<= 32 ; R3_w=scalar(smax=9223372032559808512,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0)
286: (c7) r3 s>>= 32 ; R3_w=scalar(smin=-2147483648,smax=2147483647)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
287: (7b) *(u64 *)(r4 +0) = r3 ; R3_w=scalar(smin=-2147483648,smax=2147483647) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(s64);
288: (07) r2 += 8 ; R2_w=scalar()
289: (bf) r8 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
290: (07) r8 += 131072 ; R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
291: (7b) *(u64 *)(r8 +0) = r2 ; R2_w=scalar() R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
292: (bf) r3 = r1 ; R1=scalar(id=11,umin=4,umax=259,var_off=(0x0; 0x1ff)) R3_w=scalar(id=11,umin=4,umax=259,var_off=(0x0; 0x1ff))
293: (57) r3 &= 255 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
294: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
295: (0f) r4 += r3 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
296: (b7) r3 = 8 ; R3_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
297: (6b) *(u16 *)(r4 +0) = r3 ; R3_w=8 R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
298: (bf) r9 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R9_w=map_value(off=0,ks=4,vs=131088,imm=0)
299: (07) r9 += 131080 ; R9_w=map_value(off=131080,ks=4,vs=131088,imm=0)
300: (07) r1 += 2 ; R1_w=scalar(umin=6,umax=261,var_off=(0x0; 0x1ff))
301: (73) *(u8 *)(r9 +0) = r1 ; R1_w=scalar(umin=6,umax=261,var_off=(0x0; 0x1ff)) R9_w=map_value(off=131080,ks=4,vs=131088,imm=0)
302: (18) r3 = 0x1 ; R3_w=1
; return READ_TASK_FIELD(task, real_parent, pid);
304: (15) if r3 == 0x0 goto pc+8 ; R3_w=1
305: (18) r3 = 0x9e ; R3_w=158
; return READ_TASK_FIELD(task, real_parent, pid);
307: (55) if r3 != 0x9e goto pc+5 ; R3_w=158
; return READ_TASK_FIELD(task, real_parent, pid);
308: (79) r3 = *(u64 *)(r10 -64) ; R3_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0
309: (79) r6 = *(u64 *)(r3 +2472) ; R3_w=trusted_ptr_task_struct(off=0,imm=0) R6_w=ptr_task_struct(off=0,imm=0)
310: (b7) r3 = 2456 ; R3_w=2456
311: (0f) r6 += r3 ; R3_w=2456 R6_w=ptr_task_struct(off=2456,imm=0)
312: (05) goto pc+17
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
330: (bf) r3 = r2 ; R2=scalar(id=12) R3_w=scalar(id=12)
331: (57) r3 &= 65535 ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
332: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
333: (0f) r4 += r3 ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; return READ_TASK_FIELD(task, real_parent, pid);
334: (61) r3 = *(u32 *)(r6 +0) ; R3_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6=ptr_task_struct(off=2456,imm=0)
335: (67) r3 <<= 32 ; R3_w=scalar(smax=9223372032559808512,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0)
336: (c7) r3 s>>= 32 ; R3_w=scalar(smin=-2147483648,smax=2147483647)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
337: (7b) *(u64 *)(r4 +0) = r3 ; R3_w=scalar(smin=-2147483648,smax=2147483647) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(s64);
338: (07) r2 += 8 ; R2_w=scalar()
339: (bf) r6 = r7 ; R6_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
340: (07) r6 += 131072 ; R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
341: (7b) *(u64 *)(r6 +0) = r2 ; R2_w=scalar() R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
342: (bf) r3 = r1 ; R1=scalar(id=13,umin=6,umax=261,var_off=(0x0; 0x1ff)) R3_w=scalar(id=13,umin=6,umax=261,var_off=(0x0; 0x1ff))
343: (57) r3 &= 255 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
344: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
345: (0f) r4 += r3 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
346: (b7) r3 = 8 ; R3_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
347: (6b) *(u16 *)(r4 +0) = r3 ; R3_w=8 R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
348: (bf) r3 = r1 ; R1=scalar(id=13,umin=6,umax=261,var_off=(0x0; 0x1ff)) R3_w=scalar(id=13,umin=6,umax=261,var_off=(0x0; 0x1ff))
349: (07) r3 += 2 ; R3_w=scalar(umin=8,umax=263,var_off=(0x0; 0x1ff))
350: (57) r3 &= 255 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
351: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
352: (0f) r4 += r3 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
353: (b7) r3 = 0 ; R3_w=0
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
354: (6b) *(u16 *)(r4 +0) = r3 ; R3_w=0 R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
355: (bf) r8 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
356: (07) r8 += 131080 ; R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
357: (07) r1 += 4 ; R1_w=scalar(umin=10,umax=265,var_off=(0x0; 0x1ff))
358: (73) *(u8 *)(r8 +0) = r1 ; R1_w=scalar(umin=10,umax=265,var_off=(0x0; 0x1ff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
; unsigned long fdlimit = 0;
359: (7b) *(u64 *)(r10 -32) = r3 ; R3_w=0 R10=fp0 fp-32_w=00000000
360: (18) r3 = 0x1 ; R3_w=1
; READ_TASK_FIELD_INTO(fdlimit, task, signal, rlim[RLIMIT_NOFILE].rlim_cur);
362: (15) if r3 == 0x0 goto pc+8 ; R3_w=1
363: (18) r3 = 0x9e ; R3_w=158
; READ_TASK_FIELD_INTO(fdlimit, task, signal, rlim[RLIMIT_NOFILE].rlim_cur);
365: (55) if r3 != 0x9e goto pc+5 ; R3_w=158
366: (79) r9 = *(u64 *)(r10 -64) ; R9_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0
; READ_TASK_FIELD_INTO(fdlimit, task, signal, rlim[RLIMIT_NOFILE].rlim_cur);
367: (79) r3 = *(u64 *)(r9 +3080) ; R3_w=ptr_signal_struct(off=0,imm=0) R9_w=trusted_ptr_task_struct(off=0,imm=0)
368: (79) r3 = *(u64 *)(r3 +792) ; R3_w=scalar()
369: (7b) *(u64 *)(r10 -32) = r3 ; R3_w=scalar() R10=fp0 fp-32_w=mmmmmmmm
370: (05) goto pc+18
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
389: (bf) r4 = r2 ; R2=scalar(id=14) R4_w=scalar(id=14)
390: (57) r4 &= 65535 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
391: (bf) r5 = r7 ; R5_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
392: (0f) r5 += r4 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
393: (7b) *(u64 *)(r5 +0) = r3 ; R3=scalar() R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(u64);
394: (07) r2 += 8 ; R2_w=scalar()
395: (bf) r6 = r7 ; R6_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
396: (07) r6 += 131072 ; R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
397: (7b) *(u64 *)(r6 +0) = r2 ; R2_w=scalar() R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
398: (bf) r3 = r1 ; R1=scalar(id=15,umin=10,umax=265,var_off=(0x0; 0x1ff)) R3_w=scalar(id=15,umin=10,umax=265,var_off=(0x0; 0x1ff))
399: (57) r3 &= 255 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
400: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
401: (0f) r4 += r3 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
402: (b7) r3 = 8 ; R3_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
403: (6b) *(u16 *)(r4 +0) = r3 ; R3_w=8 R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
404: (bf) r8 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
405: (07) r8 += 131080 ; R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
406: (07) r1 += 2 ; R1_w=scalar(umin=12,umax=267,var_off=(0x0; 0x1ff))
407: (73) *(u8 *)(r8 +0) = r1 ; R1_w=scalar(umin=12,umax=267,var_off=(0x0; 0x1ff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
408: (b7) r3 = 0 ; R3_w=0
; unsigned long pgft_maj = 0;
409: (7b) *(u64 *)(r10 -40) = r3 ; R3_w=0 R10=fp0 fp-40_w=00000000
410: (18) r3 = 0x1 ; R3_w=1
; READ_TASK_FIELD_INTO(pgft_maj, task, maj_flt);
412: (15) if r3 == 0x0 goto pc+6 ; R3_w=1
413: (18) r3 = 0x9e ; R3_w=158
; READ_TASK_FIELD_INTO(pgft_maj, task, maj_flt);
415: (55) if r3 != 0x9e goto pc+3 ; R3_w=158
; READ_TASK_FIELD_INTO(pgft_maj, task, maj_flt);
416: (79) r3 = *(u64 *)(r9 +2840) ; R3_w=scalar() R9=trusted_ptr_task_struct(off=0,imm=0)
417: (7b) *(u64 *)(r10 -40) = r3 ; R3_w=scalar() R10=fp0 fp-40_w=mmmmmmmm
418: (05) goto pc+10
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
429: (bf) r4 = r2 ; R2=scalar(id=16) R4_w=scalar(id=16)
430: (57) r4 &= 65535 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
431: (bf) r5 = r7 ; R5_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
432: (0f) r5 += r4 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
433: (7b) *(u64 *)(r5 +0) = r3 ; R3=scalar() R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(u64);
434: (07) r2 += 8 ; R2_w=scalar()
435: (bf) r6 = r7 ; R6_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
436: (07) r6 += 131072 ; R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
437: (7b) *(u64 *)(r6 +0) = r2 ; R2_w=scalar() R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
438: (bf) r3 = r1 ; R1=scalar(id=17,umin=12,umax=267,var_off=(0x0; 0x1ff)) R3_w=scalar(id=17,umin=12,umax=267,var_off=(0x0; 0x1ff))
439: (57) r3 &= 255 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
440: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
441: (0f) r4 += r3 ; R3_w=scalar(umax=255,var_off=(0x0; 0xff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
442: (b7) r3 = 8 ; R3_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
443: (6b) *(u16 *)(r4 +0) = r3 ; R3_w=8 R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
444: (bf) r8 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
445: (07) r8 += 131080 ; R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
446: (07) r1 += 2 ; R1_w=scalar(umin=14,umax=269,var_off=(0x0; 0x1ff))
447: (73) *(u8 *)(r8 +0) = r1 ; R1_w=scalar(umin=14,umax=269,var_off=(0x0; 0x1ff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
448: (b7) r3 = 0 ; R3_w=0
; unsigned long pgft_min = 0;
449: (7b) *(u64 *)(r10 -48) = r3 ; R3_w=0 R10=fp0 fp-48_w=00000000
450: (18) r3 = 0x1 ; R3_w=1
; READ_TASK_FIELD_INTO(pgft_min, task, min_flt);
452: (15) if r3 == 0x0 goto pc+6 ; R3_w=1
453: (18) r3 = 0x9e ; R3_w=158
; READ_TASK_FIELD_INTO(pgft_min, task, min_flt);
455: (55) if r3 != 0x9e goto pc+3 ; R3_w=158
; READ_TASK_FIELD_INTO(pgft_min, task, min_flt);
456: (79) r3 = *(u64 *)(r9 +2832) ; R3_w=scalar() R9=trusted_ptr_task_struct(off=0,imm=0)
457: (7b) *(u64 *)(r10 -48) = r3 ; R3_w=scalar() R10=fp0 fp-48_w=mmmmmmmm
458: (05) goto pc+10
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
469: (bf) r4 = r2 ; R2=scalar(id=18) R4_w=scalar(id=18)
470: (57) r4 &= 65535 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
471: (bf) r5 = r7 ; R5_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
472: (0f) r5 += r4 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *((u64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
473: (7b) *(u64 *)(r5 +0) = r3 ; R3=scalar() R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(u64);
474: (07) r2 += 8 ; R2_w=scalar()
475: (bf) r3 = r7 ; R3_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
476: (07) r3 += 131072 ; R3_w=map_value(off=131072,ks=4,vs=131088,imm=0)
477: (7b) *(u64 *)(r3 +0) = r2 ; R2_w=scalar() R3_w=map_value(off=131072,ks=4,vs=131088,imm=0)
478: (bf) r2 = r1 ; R1=scalar(id=19,umin=14,umax=269,var_off=(0x0; 0x1ff)) R2_w=scalar(id=19,umin=14,umax=269,var_off=(0x0; 0x1ff))
479: (57) r2 &= 255 ; R2_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
480: (bf) r3 = r7 ; R3_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
481: (0f) r3 += r2 ; R2_w=scalar(umax=255,var_off=(0x0; 0xff)) R3_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
482: (b7) r2 = 8 ; R2_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
483: (6b) *(u16 *)(r3 +0) = r2 ; R2_w=8 R3_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
484: (bf) r2 = r7 ; R2_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
485: (07) r2 += 131080 ; R2_w=map_value(off=131080,ks=4,vs=131088,imm=0)
486: (07) r1 += 2 ; R1_w=scalar(umin=16,umax=271,var_off=(0x0; 0x1ff))
487: (73) *(u8 *)(r2 +0) = r1 ; R1_w=scalar(umin=16,umax=271,var_off=(0x0; 0x1ff)) R2_w=map_value(off=131080,ks=4,vs=131088,imm=0)
488: (18) r1 = 0x1 ; R1_w=1
; READ_TASK_FIELD_INTO(&mm, task, mm);
490: (15) if r1 == 0x0 goto pc+6 ; R1_w=1
491: (18) r1 = 0x9e ; R1_w=158
; READ_TASK_FIELD_INTO(&mm, task, mm);
493: (55) if r1 != 0x9e goto pc+3 ; R1_w=158
; READ_TASK_FIELD_INTO(&mm, task, mm);
494: (79) r3 = *(u64 *)(r9 +2336) ; R3_w=ptr_mm_struct(off=0,imm=0) R9=trusted_ptr_task_struct(off=0,imm=0)
495: (7b) *(u64 *)(r10 -56) = r3 ; R3_w=ptr_mm_struct(off=0,imm=0) R10=fp0 fp-56_w=ptr_
496: (05) goto pc+8
; u32 vm_size = extract__vm_size(mm);
505: (b7) r1 = 184 ; R1_w=184
506: (0f) r3 += r1 ; R1_w=184 R3_w=ptr_mm_struct(off=184,imm=0)
507: (b7) r1 = 0 ; R1_w=0
; unsigned long vm_pages = 0;
508: (7b) *(u64 *)(r10 -8) = r1 ; R1_w=0 R10=fp0 fp-8_w=00000000
509: (bf) r1 = r10 ; R1_w=fp0 R10=fp0
;
510: (07) r1 += -8 ; R1_w=fp-8
; BPF_CORE_READ_INTO(&vm_pages, mm, total_vm);
511: (b7) r2 = 8 ; R2_w=8
512: (85) call bpf_probe_read_kernel#113 ; R0_w=scalar() fp-8_w=mmmmmmmm
; return DO_PAGE_SHIFT(vm_pages);
513: (79) r1 = *(u64 *)(r10 -8) ; R1_w=scalar() R10=fp0
; *((u32 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
514: (bf) r9 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R9_w=map_value(off=0,ks=4,vs=131088,imm=0)
515: (07) r9 += 131072 ; R9_w=map_value(off=131072,ks=4,vs=131088,imm=0)
516: (79) r2 = *(u64 *)(r9 +0) ; R2_w=scalar() R9_w=map_value(off=131072,ks=4,vs=131088,imm=0)
517: (bf) r3 = r2 ; R2_w=scalar(id=20) R3_w=scalar(id=20)
518: (57) r3 &= 65535 ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((u32 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
519: (bf) r4 = r7 ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
520: (0f) r4 += r3 ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; u32 vm_size = extract__vm_size(mm);
521: (67) r1 <<= 2 ; R1_w=scalar(smax=9223372036854775804,umax=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc),s32_max=2147483644,u32_max=-4)
; *((u32 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
522: (63) *(u32 *)(r4 +0) = r1 ; R1_w=scalar(smax=9223372036854775804,umax=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc),s32_max=2147483644,u32_max=-4) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(u32);
523: (07) r2 += 4 ; R2_w=scalar()
524: (7b) *(u64 *)(r9 +0) = r2 ; R2_w=scalar() R9_w=map_value(off=131072,ks=4,vs=131088,imm=0)
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
525: (bf) r8 = r7 ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
526: (07) r8 += 131080 ; R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
527: (b7) r3 = 4 ; R3_w=4
528: (71) r1 = *(u8 *)(r8 +0) ; R1_w=scalar(umax=255,var_off=(0x0; 0xff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
529: (bf) r2 = r7 ; R2_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
530: (0f) r2 += r1 ; R1_w=scalar(umax=255,var_off=(0x0; 0xff)) R2_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
531: (6b) *(u16 *)(r2 +0) = r3 ; R2_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff)) R3_w=4
; *lengths_pos += sizeof(u16);
532: (07) r1 += 2 ; R1_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff))
533: (73) *(u8 *)(r8 +0) = r1 ; R1_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
; u32 vm_rss = extract__vm_rss(mm);
534: (79) r6 = *(u64 *)(r10 -56) ; R6_w=ptr_mm_struct(off=0,imm=0) R10=fp0
535: (b7) r1 = 0 ; R1_w=0
; unsigned long file_pages = 0;
536: (7b) *(u64 *)(r10 -8) = r1 ; R1_w=0 R10=fp0 fp-8_w=00000000
; unsigned long anon_pages = 0;
537: (7b) *(u64 *)(r10 -16) = r1 ; R1_w=0 R10=fp0 fp-16_w=00000000
; unsigned long shmem_pages = 0;
538: (7b) *(u64 *)(r10 -24) = r1 ; R1_w=0 R10=fp0 fp-24_w=00000000
539: <invalid CO-RE relocation>
failed to resolve CO-RE relocation <byte_off> [429] struct mm_struct.rss_stat.count[0].counter (0:0:43:0:0:0 @ offset 720)
processed 388 insns (limit 1000000) max_states_per_insn 0 total_states 16 peak_states 16 mark_read 5
-- END PROG LOAD LOG --
libbpf: prog 'clone_x': failed to load: -22
libbpf: failed to load object 'bpf_probe'
libbpf: failed to load BPF skeleton 'bpf_probe': -22
libpman: failed to load BPF object (errno: 22 | message: Invalid argument)
2023-05-15T10:08:19+0000: An error occurred in an event source, forcing termination...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error:
Same when i try it with kubernetes in a privileged container mounting /host. |
Oh nice, you are running a 6.x kernel right? Our 4.0.0+driver tag was released before your kernel was tagged therefore we don't support it. |
Note, please, this is not an absolute truth; but lately the kernel is breaking internal APIs pretty quickly (i.e. every new release), therefore we need to adapt our code to build on newer kernels when they get released.
Btw no mistake, just bad luck! |
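Added example, not part of the original thread and not Falco project code: the Python below extracts the unresolved CO-RE relocation, the failing instruction index and the program name from a libbpf load log like the one posted above. The function `triage_load_log` and its result keys are hypothetical names; the sample input is the tail of that posted log.

```python
import re

# Tail of the load log posted above in this thread, copied verbatim.
SAMPLE_LOG = """\
; unsigned long shmem_pages = 0;
538: (7b) *(u64 *)(r10 -24) = r1 ; R1_w=0 R10=fp0 fp-24_w=00000000
539: <invalid CO-RE relocation>
failed to resolve CO-RE relocation <byte_off> [429] struct mm_struct.rss_stat.count[0].counter (0:0:43:0:0:0 @ offset 720)
processed 388 insns (limit 1000000) max_states_per_insn 0 total_states 16 peak_states 16 mark_read 5
-- END PROG LOAD LOG --
libbpf: prog 'clone_x': failed to load: -22
libbpf: failed to load object 'bpf_probe'
"""

RELO_RE = re.compile(
    r"failed to resolve CO-RE relocation <(?P<kind>\w+)> \[(?P<type_id>\d+)\] "
    r"(?P<field>.+?) \((?P<path>[\d:]+) @ offset (?P<offset>\d+)\)")
INSN_RE = re.compile(r"^(?P<idx>\d+): <invalid CO-RE relocation>")
PROG_RE = re.compile(r"libbpf: prog '(?P<prog>[^']+)': failed to load: (?P<err>-?\d+)")


def triage_load_log(text):
    """Return one dict per unresolved CO-RE relocation in a libbpf load log."""
    findings, pending = [], []
    last_src = insn = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            # Verifier source annotation; remember the latest non-empty one.
            last_src = line.lstrip("; ") or last_src
        elif m := INSN_RE.match(line):
            insn = int(m["idx"])
        elif m := RELO_RE.search(line):
            hit = m.groupdict()
            hit.update(type_id=int(hit["type_id"]), offset=int(hit["offset"]),
                       insn=insn, after_source=last_src, prog=None, errno=None)
            pending.append(hit)
        elif m := PROG_RE.search(line):
            # libbpf names the failing program only after its verifier log ends.
            for hit in pending:
                hit["prog"], hit["errno"] = m["prog"], int(m["err"])
            findings.extend(pending)
            pending = []
    return findings + pending


if __name__ == "__main__":
    for hit in triage_load_log(SAMPLE_LOG):
        print(f"{hit['prog']}: insn {hit['insn']} cannot resolve {hit['field']} "
              f"({hit['kind']}, path {hit['path']}, errno {hit['errno']})")
```

The `field` value names the kernel structure member the probe could not locate in the running kernel's type information, which is the detail worth including when reporting a load failure on a new kernel.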
All understandable points. After all i just started fiddling with falco on microos after leaving the old job where we were running ubuntu. ;) PS: Kernel is |
Btw can you share your |
Sure:
~> cat /etc/os-release
NAME="openSUSE MicroOS"
# VERSION="20230415"
ID="opensuse-microos"
ID_LIKE="suse opensuse opensuse-tumbleweed"
VERSION_ID="20230415"
PRETTY_NAME="openSUSE MicroOS"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:microos:20230415"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:MicroOS"
LOGO="distributor-logo-MicroOS"
|
Thank you! EDIT: can you post content of file |
You're welcome!
~> cat /etc/zypp/repos.d/repo-oss.repo
[repo-oss]
name=openSUSE-Tumbleweed-Oss
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/tumbleweed/repo/oss/ |
That's great! Then to support it we just need a small patch for falco-driver-loader, so that |
Can you share your currently running kernel? |
I did above:
I was not sure how the "immutable" part is being handled by the falco-driver-loader. That's why i initially thought it would be more like talos. |
Oh yep sorry i totally forgot you already posted it!
This is a nice question; have you tried asking it to the microos devs? There must surely be a way to inject eBPF probes, not just for Falco. But yes, this is part of the issue, you are right! |
Hey just got back to this and retried with helm-chart v3.2.1 and it seemed to work. Just for anyone else stumbling over this:
~> helm upgrade -i falco -n falco --set tty=true --set driver.kind=modern-bpf falcosecurity/falco
...
~> kubectl run -ti --image=alpine test -- sh -c "uptime"
~> kubectl logs ...
...
[falco-ttbkq falco] 08:47:10.359068769: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=<NA> k8s.pod=<NA> container=b63bb11ad4fb shell=sh parent=<NA> cmdline=sh -c uptime pid=16380 terminal=34816 container_id=b63bb11ad4fb image=<NA>)
...
Not that important, but i guess i am still missing some configuration to make the Yay, and thanks! ;) PS: I think the documentation has a small error here |
I would suggest you disable the
It should be fixed, thanks :) |
Motivation
Trying to get falco working on openSUSE's immutable MicroOS.
Similar to Talos (i guess).
Feature
Update falco-driver-loader to support MicroOS.
Alternatives
Additional context