Remove stack addresses logic

The stack addresses feature is will be removed in the future with the introduction of full stack traces.
aquasecurity · Oct 10, 2024 · 6773cca · 6773cca
1 parent 47451f5
commit 6773cca
Show file tree

Hide file tree

Showing 5 changed files with 3 additions and 87 deletions.
diff --git a/pkg/ebpf/c/common/buffer.h b/pkg/ebpf/c/common/buffer.h
@@ -467,14 +467,6 @@ statfunc int events_perf_submit(program_data_t *p, long ret)
     // keep task_info updated
     bpf_probe_read_kernel(&p->task_info->context, sizeof(task_context_t), &p->event->context.task);
 
-    // Get Stack trace
-    if (p->config->options & OPT_CAPTURE_STACK_TRACES) {
-        int stack_id = bpf_get_stackid(p->ctx, &stack_addresses, BPF_F_USER_STACK);
-        if (stack_id >= 0) {
-            p->event->context.stack_id = stack_id;
-        }
-    }
-
     u32 size = sizeof(event_context_t) + sizeof(u8) +
                p->event->args_buf.offset; // context + argnum + arg buffer size
 

diff --git a/pkg/ebpf/c/maps.h b/pkg/ebpf/c/maps.h
@@ -265,18 +265,6 @@ struct sys_exit_init_tail {
 
 typedef struct sys_exit_init_tail sys_exit_init_tail_t;
 
-// store stack traces
-#define MAX_STACK_ADDRESSES 1024 // max amount of diff stack trace addrs to buffer
-
-struct stack_addresses {
-    __uint(type, BPF_MAP_TYPE_STACK_TRACE);
-    __uint(max_entries, MAX_STACK_ADDRESSES);
-    __type(key, u32);
-    __type(value, stack_trace_t); // 1 big byte array of the stack addresses
-} stack_addresses SEC(".maps");
-
-typedef struct stack_addresses stack_addresses_t;
-
 // store fds paths by timestamp
 struct fd_arg_path_map {
     __uint(type, BPF_MAP_TYPE_LRU_HASH);

diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -3,14 +3,10 @@ package ebpf
 import (
 	"bytes"
 	"context"
-	"encoding/binary"
 	"slices"
-	"strconv"
 	"sync"
-	"unsafe"
 
 	"github.com/aquasecurity/tracee/pkg/bufferdecoder"
-	"github.com/aquasecurity/tracee/pkg/capabilities"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/logger"
@@ -191,12 +187,6 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 				continue
 			}
 
-			// Add stack trace if needed
-			var stackAddresses []uint64
-			if t.config.Output.StackAddresses {
-				stackAddresses = t.getStackAddresses(eCtx.StackID)
-			}
-
 			containerInfo := t.containers.GetCgroupInfo(eCtx.CgroupID).Container
 			containerData := trace.Container{
 				ID:          containerInfo.ContainerId,
@@ -262,7 +252,7 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 			evt.ArgsNum = int(argnum)
 			evt.ReturnValue = int(eCtx.Retval)
 			evt.Args = args
-			evt.StackAddresses = stackAddresses
+			evt.StackAddresses = nil
 			evt.ContextFlags = flags
 			evt.Syscall = syscall
 			evt.Metadata = nil
@@ -641,50 +631,6 @@ func (t *Tracee) sinkEvents(ctx context.Context, in <-chan *trace.Event) <-chan
 	return errc
 }
 
-// getStackAddresses returns the stack addresses for a given StackID
-func (t *Tracee) getStackAddresses(stackID uint32) []uint64 {
-	stackAddresses := make([]uint64, maxStackDepth)
-	stackFrameSize := (strconv.IntSize / 8)
-
-	// Lookup the StackID in the map
-	// The ID could have aged out of the Map, as it only holds a finite number of
-	// Stack IDs in it's Map
-	var stackBytes []byte
-	err := capabilities.GetInstance().EBPF(func() error {
-		bytes, e := t.StackAddressesMap.GetValue(unsafe.Pointer(&stackID))
-		if e != nil {
-			stackBytes = bytes
-		}
-		return e
-	})
-	if err != nil {
-		logger.Debugw("failed to get StackAddress", "error", err)
-		return stackAddresses[0:0]
-	}
-
-	stackCounter := 0
-	for i := 0; i < len(stackBytes); i += stackFrameSize {
-		stackAddresses[stackCounter] = 0
-		stackAddr := binary.LittleEndian.Uint64(stackBytes[i : i+stackFrameSize])
-		if stackAddr == 0 {
-			break
-		}
-		stackAddresses[stackCounter] = stackAddr
-		stackCounter++
-	}
-
-	// Attempt to remove the ID from the map so we don't fill it up
-	// But if this fails continue on
-	err = capabilities.GetInstance().EBPF(func() error {
-		return t.StackAddressesMap.DeleteKey(unsafe.Pointer(&stackID))
-	})
-	if err != nil {
-		logger.Debugw("failed to delete stack address from eBPF map", "error", err)
-	}
-
-	return stackAddresses[0:stackCounter]
-}
-
 // WaitForPipeline waits for results from all error channels.
 func (t *Tracee) WaitForPipeline(errs ...<-chan error) error {
 	errc := MergeErrors(errs...)

diff --git a/pkg/ebpf/processor_funcs.go b/pkg/ebpf/processor_funcs.go
@@ -463,7 +463,7 @@ func (t *Tracee) removeContext(event *trace.Event) error {
 	event.Container = trace.Container{}
 	event.Kubernetes = trace.Kubernetes{}
 	event.Syscall = ""
-	event.StackAddresses = []uint64{}
+	event.StackAddresses = nil
 	event.ContextFlags = trace.ContextFlags{}
 	event.ThreadEntityId = 0
 	event.ProcessEntityId = 0

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -84,8 +84,7 @@ type Tracee struct {
 	bpfModule *bpf.Module
 	probes    *probes.ProbeGroup
 	// BPF Maps
-	StackAddressesMap *bpf.BPFMap
-	FDArgPathMap      *bpf.BPFMap
+	FDArgPathMap *bpf.BPFMap
 	// Perf Buffers
 	eventsPerfMap  *bpf.PerfBuffer // perf buffer for events
 	fileWrPerfMap  *bpf.PerfBuffer // perf buffer for file writes
@@ -483,15 +482,6 @@ func (t *Tracee) Init(ctx gocontext.Context) error {
 		return errfmt.Errorf("error initializing network capture: %v", err)
 	}
 
-	// Get reference to stack trace addresses map
-
-	stackAddressesMap, err := t.bpfModule.GetMap("stack_addresses")
-	if err != nil {
-		t.Close()
-		return errfmt.Errorf("error getting access to 'stack_addresses' eBPF Map %v", err)
-	}
-	t.StackAddressesMap = stackAddressesMap
-
 	// Get reference to fd arg path map
 
 	fdArgPathMap, err := t.bpfModule.GetMap("fd_arg_path_map")