Closed jeffmahoney closed 8 months ago
I got this panic on updating the client monitoring table
[INFO] 2023-11-07T17:30:08Z Closing EventTable
[DEBUG] 2023-11-07T17:30:08Z audit: removing subscriber, total now 0
[DEBUG] 2023-11-07T17:30:08Z audit: listener event loop exited
[DEBUG] 2023-11-07T17:30:08Z audit: rules checker exited
[DEBUG] 2023-11-07T17:30:08Z audit: log event loop exited
[DEBUG] 2023-11-07T17:30:08Z audit: reassembler maintainer exited
[DEBUG] 2023-11-07T17:30:08Z audit: mainEventLoop exited
[INFO] 2023-11-07T17:30:08Z audit: Shut down audit service
[DEBUG] 2023-11-07T17:30:08Z audit: shutdown watcher exited
[INFO] 2023-11-07T17:30:08Z audit: Unsubscribed to audit service
[INFO] 2023-11-07T17:30:08Z File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":1363,\"MaxSize\":1073741874,\"AvailableBytes\":1305,\"LeasedBytes\":0}","leased_pointer":50}
[INFO] 2023-11-07T17:30:08Z Collection $fe8cda6603a0dd3fed8273c525401e4f604d9a4b92d19d9486ce90ae8c18edbb is done after 1m16.054502262s
[DEBUG] 2023-11-07T17:30:08Z Query Stats: {"RowsScanned":148,"PluginsCalled":5,"FunctionsCalled":50,"ProtocolSearch":4,"ScopeCopy":423}
[INFO] 2023-11-07T17:30:08Z Finished monitoring query $fe8cda6603a0dd3fed8273c525401e4f604d9a4b92d19d9486ce90ae8c18edbb
[INFO] 2023-11-07T17:30:08Z Starting monitoring query $fe8cda6603a0dd3fed8273c525401e4f604d9a4b92d19d9486ce90ae8c18edbb
[INFO] 2023-11-07T17:30:08Z Starting monitoring query $b41624017300041cdc59e8eb57aa5da9ab039586f4b6dfd68e9b1d32afbc259a
[INFO] 2023-11-07T17:30:08Z Starting query execution for $b41624017300041cdc59e8eb57aa5da9ab039586f4b6dfd68e9b1d32afbc259a.
[INFO] 2023-11-07T17:30:08Z Starting query execution for $fe8cda6603a0dd3fed8273c525401e4f604d9a4b92d19d9486ce90ae8c18edbb.
[INFO] 2023-11-07T17:30:08Z audit: starting audit service
panic: send on closed channel
panic: close of closed channel
panic: close of closed channel
goroutine 536 [running]:
www.velocidex.com/golang/velociraptor/vql/linux/audit.(*AuditListener).Open.func1({0x0?, 0xc000d73120?})
/root/linux-security-sensor-oct12/vql/linux/audit/audit_listener.go:135 +0x1ac
created by www.velocidex.com/golang/velociraptor/vql/linux/audit.(*AuditListener).Open in goroutine 534
/root/linux-security-sensor-oct12/vql/linux/audit/audit_listener.go:113 +0x27b
Thanks, @djoreilly. This commit should fix it.
I've updated the series to improve the commit messages and consolidated/moved some changes to make the history make sense. I added a few comments where I thought more clarity was needed.
Final diff:
index b2113b451..3376663fe 100644
--- a/vql/linux/audit/audit_service.go
+++ b/vql/linux/audit/audit_service.go
@@ -363,6 +363,8 @@ func (self *auditService) runService() error {
// No new messages will be generated, wait for the event processing loop
// and reassembler to exit
listenerWg.Wait()
+
+ // Closing will clean up any remaining incomplete messages
reassembler.Close()
close(self.eventChannel)
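Review bot: the new comment above reassembler.Close() says what Close does but not why it has to come before close(self.eventChannel). If the incomplete messages that Close cleans up are delivered on self.eventChannel (the delivery path is not visible in this hunk), swapping these two lines would produce the "send on closed channel" panic reported above, so I would state the ordering constraint in the comment, for example "must run before eventChannel is closed". Given the "close of closed channel" lines in the same trace, it is also worth confirming that close(self.eventChannel) can only be reached once per service start.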
diff --git a/vql/linux/audit/audit_service_test.go b/vql/linux/audit/audit_service_test.go
index bfe686833..b2885694d 100644
--- a/vql/linux/audit/audit_service_test.go
+++ b/vql/linux/audit/audit_service_test.go
@@ -94,6 +94,7 @@ func (self *TestListener) Wait(ctx context.Context) error {
if !self.opened || self.failWait {
return syscall.ENOTCONN
}
+ // If we're out of events, just wait until we're canceled
if self.count >= len(self.events) {
<- self.ctx.Done()
}
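Review bot: in Wait, the out-of-events branch blocks on self.ctx.Done() while the ctx argument of Wait(ctx context.Context) is not consulted anywhere in the visible lines, so the added comment's "until we're canceled" does not say which context ends the wait. If a caller cancels only the ctx it passed in, this test listener would block indefinitely; consider selecting on both ctx.Done() and self.ctx.Done(), or name the context in the comment. As a style point, gofmt writes the receive as `<-self.ctx.Done()` with no space after the arrow.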
@@ -104,6 +105,7 @@ func (self *TestListener) Receive(buf *auditBuf) error {
if !self.opened || self.failReceive {
return syscall.ENOTCONN
}
+ // No more events to receive
if self.count >= len(self.events) {
return syscall.EAGAIN
}
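Review bot: the added comment over the `self.count >= len(self.events)` check in Receive only restates the condition. What a reader of the test needs is the contract: that EAGAIN here means "nothing to read right now" rather than a failure like the ENOTCONN returned just above it, and what the caller is expected to do next. A one-line comment to that effect would be more useful than "No more events to receive".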
@@ -294,7 +296,6 @@ L:
if len(events) >= self.listener.real_count {
break L
}
-
}
}
This PR contains a variety of fixes:
go generate portion of creating the bpf modules
Thanks to @djoreilly for the reports and review.