falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Support for MicroOS? #2548

Closed strowi closed 1 year ago

strowi commented 1 year ago

Motivation

Trying to get Falco working on openSUSE's immutable MicroOS. Similar to Talos (I guess).

Feature

Update falco-driver-loader to support MicroOS.

Alternatives

Additional context

FedeDP commented 1 year ago

Hi! Thanks for opening this feature request! PRs to support Talos are opened; MicroOS might as well get its support too! We recently shared a blog post about integrating support for a new OS: https://falco.org/blog/falco-prebuilt-drivers-new-distro/ As you can see, there are multiple areas to be touched. Can you point me to a mirror for the kernel-headers package for MicroOS? I am not able to find any.

Finally, it is worth mentioning that given the steadily increasing number of these new tiny security-aimed OSes, I think we will always lag behind; hopefully the modern bpf probe with its CO-RE approach will soon become the standard way of deploying Falco and fix this issue since it doesn't require any artifact to be built or downloaded.

strowi commented 1 year ago

Thanks @FedeDP for the link to the blog post. Didn't think about checking there. ;) As far as I know the kernel-headers are no longer a separate package, but now part of kernel-source, which should be available here for example: https://download.opensuse.org/tumbleweed/repo/src-oss/src/

I have been trying the modern-bpf on microos, but am currently still getting errors. But once that works without the artifacts we'll definitely be more happy. Thx for the work!

Andreagit97 commented 1 year ago

> I have been trying the modern-bpf on microos, but am currently still getting errors.

Could you share the error please :)?

strowi commented 1 year ago

Sure, wasn't sure yet if I made a mistake or not and wanted to check further, but here's what I did:

 podman run \
  --rm -it --privileged \
  -v /var/run/containerd/containerd.sock:/host/var/run/containerd/containerd.sock \
  -v /proc:/host/proc:ro \
  falcosecurity/falco-no-driver:latest falco --modern-bpf

2023-05-15T10:08:18+0000: Falco version: 0.34.1 (x86_64)
2023-05-15T10:08:18+0000: Falco initialized with configuration file: /etc/falco/falco.yaml
2023-05-15T10:08:18+0000: Loading rules from file /etc/falco/falco_rules.yaml
2023-05-15T10:08:18+0000: Loading rules from file /etc/falco/falco_rules.local.yaml
2023-05-15T10:08:19+0000: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
2023-05-15T10:08:19+0000: Starting health webserver with threadiness 2, listening on port 8765
2023-05-15T10:08:19+0000: Enabled event sources: syscall
2023-05-15T10:08:19+0000: Opening capture with modern BPF probe.
2023-05-15T10:08:19+0000: One ring buffer every '2' CPUs.
libbpf: prog 'clone_x': BPF program load failed: Invalid argument
libbpf: prog 'clone_x': -- BEGIN PROG LOAD LOG --
reg type unsupported for arg#0 function clone_x#884
0: R1=ctx(off=0,imm=0) R10=fp0
; int BPF_PROG(clone_x,
0: (bf) r8 = r1                       ; R1=ctx(off=0,imm=0) R8_w=ctx(off=0,imm=0)
; int BPF_PROG(clone_x,
1: (79) r6 = *(u64 *)(r8 +8)          ; R6_w=scalar() R8_w=ctx(off=0,imm=0)
; u32 cpu_id = (u32)bpf_get_smp_processor_id();
2: (85) call bpf_get_smp_processor_id#8       ; R0_w=scalar()
; u32 cpu_id = (u32)bpf_get_smp_processor_id();
3: (63) *(u32 *)(r10 -8) = r0         ; R0_w=scalar() R10=fp0 fp-8=????mmmm
4: (bf) r2 = r10                      ; R2_w=fp0 R10=fp0
; 
5: (07) r2 += -8                      ; R2_w=fp-8
; return (struct auxiliary_map *)bpf_map_lookup_elem(&auxiliary_maps, &cpu_id);
6: (18) r1 = 0xffffb383c5061000       ; R1_w=map_ptr(off=0,ks=4,vs=131088,imm=0)
8: (85) call bpf_map_lookup_elem#1    ; R0=map_value_or_null(id=1,off=0,ks=4,vs=131088,imm=0)
9: (bf) r7 = r0                       ; R0=map_value_or_null(id=1,off=0,ks=4,vs=131088,imm=0) R7_w=map_value_or_null(id=1,off=0,ks=4,vs=131088,imm=0)
; if(!auxmap)
10: (15) if r7 == 0x0 goto pc+626     ; R7_w=map_value(off=0,ks=4,vs=131088,imm=0)
11: (7b) *(u64 *)(r10 -72) = r8       ; R8=ctx(off=0,imm=0) R10=fp0 fp-72_w=ctx
; return g_event_params_table[event_id];
12: (18) r1 = 0xffffb383c50a4010      ; R1_w=map_value(off=16,ks=4,vs=122458,imm=0)
14: (71) r8 = *(u8 *)(r1 +223)        ; R1_w=map_value(off=16,ks=4,vs=122458,imm=0) R8_w=21
; return g_settings.boot_time;
15: (18) r1 = 0xffffb383c5045200      ; R1_w=map_value(off=512,ks=4,vs=45408,imm=0)
17: (79) r9 = *(u64 *)(r1 +0)         ; R1_w=map_value(off=512,ks=4,vs=45408,imm=0) R9_w=scalar()
; hdr->ts = maps__get_boot_time() + bpf_ktime_get_boot_ns();
18: (85) call bpf_ktime_get_boot_ns#125       ; R0=scalar()
; hdr->ts = maps__get_boot_time() + bpf_ktime_get_boot_ns();
19: (0f) r0 += r9                     ; R0_w=scalar() R9=scalar()
; hdr->ts = maps__get_boot_time() + bpf_ktime_get_boot_ns();
20: (bf) r1 = r0                      ; R0_w=scalar(id=2) R1_w=scalar(id=2)
21: (77) r1 >>= 56                    ; R1_w=scalar(umax=255,var_off=(0x0; 0xff))
22: (73) *(u8 *)(r7 +7) = r1          ; R1_w=scalar(umax=255,var_off=(0x0; 0xff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
23: (bf) r1 = r0                      ; R0_w=scalar(id=2) R1_w=scalar(id=2)
24: (77) r1 >>= 48                    ; R1_w=scalar(umax=65535,var_off=(0x0; 0xffff))
25: (73) *(u8 *)(r7 +6) = r1          ; R1_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
26: (bf) r1 = r0                      ; R0_w=scalar(id=2) R1_w=scalar(id=2)
27: (77) r1 >>= 40                    ; R1_w=scalar(umax=16777215,var_off=(0x0; 0xffffff))
28: (73) *(u8 *)(r7 +5) = r1          ; R1_w=scalar(umax=16777215,var_off=(0x0; 0xffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
29: (bf) r1 = r0                      ; R0_w=scalar(id=2) R1_w=scalar(id=2)
30: (77) r1 >>= 32                    ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff))
31: (73) *(u8 *)(r7 +4) = r1          ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
32: (bf) r1 = r0                      ; R0_w=scalar(id=2) R1_w=scalar(id=2)
33: (77) r1 >>= 24                    ; R1_w=scalar(umax=1099511627775,var_off=(0x0; 0xffffffffff))
34: (73) *(u8 *)(r7 +3) = r1          ; R1_w=scalar(umax=1099511627775,var_off=(0x0; 0xffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
35: (bf) r1 = r0                      ; R0_w=scalar(id=2) R1_w=scalar(id=2)
36: (77) r1 >>= 16                    ; R1_w=scalar(umax=281474976710655,var_off=(0x0; 0xffffffffffff))
37: (73) *(u8 *)(r7 +2) = r1          ; R1_w=scalar(umax=281474976710655,var_off=(0x0; 0xffffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
38: (73) *(u8 *)(r7 +0) = r0          ; R0_w=scalar(id=2) R7=map_value(off=0,ks=4,vs=131088,imm=0)
39: (77) r0 >>= 8                     ; R0_w=scalar(umax=72057594037927935,var_off=(0x0; 0xffffffffffffff))
40: (73) *(u8 *)(r7 +1) = r0          ; R0_w=scalar(umax=72057594037927935,var_off=(0x0; 0xffffffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
; hdr->tid = bpf_get_current_pid_tgid() & 0xffffffff;
41: (85) call bpf_get_current_pid_tgid#14     ; R0_w=scalar()
42: (b7) r1 = 223                     ; R1_w=223
; hdr->type = event_type;
43: (73) *(u8 *)(r7 +20) = r1         ; R1_w=223 R7=map_value(off=0,ks=4,vs=131088,imm=0)
44: (b7) r1 = 0                       ; R1_w=0
; hdr->nparams = nparams;
45: (73) *(u8 *)(r7 +25) = r1         ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
46: (73) *(u8 *)(r7 +24) = r1         ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
47: (73) *(u8 *)(r7 +23) = r1         ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
; hdr->type = event_type;
48: (73) *(u8 *)(r7 +21) = r1         ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
; hdr->tid = bpf_get_current_pid_tgid() & 0xffffffff;
49: (73) *(u8 *)(r7 +15) = r1         ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
50: (73) *(u8 *)(r7 +14) = r1         ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
51: (73) *(u8 *)(r7 +13) = r1         ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
52: (73) *(u8 *)(r7 +12) = r1         ; R1_w=0 R7=map_value(off=0,ks=4,vs=131088,imm=0)
53: (bf) r1 = r0                      ; R0_w=scalar(id=3) R1_w=scalar(id=3)
54: (77) r1 >>= 24                    ; R1_w=scalar(umax=1099511627775,var_off=(0x0; 0xffffffffff))
55: (73) *(u8 *)(r7 +11) = r1         ; R1_w=scalar(umax=1099511627775,var_off=(0x0; 0xffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
56: (bf) r1 = r0                      ; R0_w=scalar(id=3) R1_w=scalar(id=3)
57: (77) r1 >>= 16                    ; R1_w=scalar(umax=281474976710655,var_off=(0x0; 0xffffffffffff))
58: (73) *(u8 *)(r7 +10) = r1         ; R1_w=scalar(umax=281474976710655,var_off=(0x0; 0xffffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
59: (73) *(u8 *)(r7 +8) = r0          ; R0_w=scalar(id=3) R7=map_value(off=0,ks=4,vs=131088,imm=0)
60: (77) r0 >>= 8                     ; R0_w=scalar(umax=72057594037927935,var_off=(0x0; 0xffffffffffffff))
61: (73) *(u8 *)(r7 +9) = r0          ; R0_w=scalar(umax=72057594037927935,var_off=(0x0; 0xffffffffffffff)) R7=map_value(off=0,ks=4,vs=131088,imm=0)
; hdr->nparams = nparams;
62: (73) *(u8 *)(r7 +22) = r8         ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8=21
; auxmap->payload_pos = sizeof(struct ppm_evt_hdr) + nparams * sizeof(u16);
63: (67) r8 <<= 1                     ; R8_w=42
; auxmap->payload_pos = sizeof(struct ppm_evt_hdr) + nparams * sizeof(u16);
64: (bf) r1 = r8                      ; R1_w=42 R8_w=42
65: (0f) r1 += r7                     ; R1_w=map_value(off=42,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
66: (7b) *(u64 *)(r1 +26) = r6        ; R1_w=map_value(off=42,ks=4,vs=131088,imm=0) R6=scalar()
; auxmap->lengths_pos = sizeof(struct ppm_evt_hdr);
67: (bf) r1 = r7                      ; R1_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
68: (07) r1 += 131080                 ; R1_w=map_value(off=131080,ks=4,vs=131088,imm=0)
69: (b7) r2 = 28                      ; R2_w=28
; *lengths_pos += sizeof(u16);
70: (73) *(u8 *)(r1 +0) = r2          ; R1_w=map_value(off=131080,ks=4,vs=131088,imm=0) R2_w=28
71: (b7) r1 = 8                       ; R1_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
72: (6b) *(u16 *)(r7 +26) = r1        ; R1_w=8 R7=map_value(off=0,ks=4,vs=131088,imm=0)
; auxmap->payload_pos = sizeof(struct ppm_evt_hdr) + nparams * sizeof(u16);
73: (bf) r1 = r7                      ; R1_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
74: (07) r1 += 131072                 ; R1_w=map_value(off=131072,ks=4,vs=131088,imm=0)
; *payload_pos += sizeof(s64);
75: (07) r8 += 34                     ; R8_w=76
76: (7b) *(u64 *)(r1 +0) = r8         ; R1_w=map_value(off=131072,ks=4,vs=131088,imm=0) R8_w=76
77: (18) r1 = 0x1                     ; R1_w=1
; && (bpf_core_enum_value(enum bpf_func_id, BPF_FUNC_get_current_task_btf) == BPF_FUNC_get_current_task_btf))
79: (15) if r1 == 0x0 goto pc+5       ; R1_w=1
80: (18) r1 = 0x9e                    ; R1=158
; if(bpf_core_enum_value_exists(enum bpf_func_id, BPF_FUNC_get_current_task_btf)
82: (55) if r1 != 0x9e goto pc+2      ; R1=158
; return (struct task_struct *)bpf_get_current_task_btf();
83: (85) call bpf_get_current_task_btf#158    ; R0_w=trusted_ptr_task_struct(off=0,imm=0)
84: (05) goto pc+1
; 
86: (bf) r8 = r0                      ; R0_w=trusted_ptr_task_struct(off=0,imm=0) R8_w=trusted_ptr_task_struct(off=0,imm=0)
87: (b7) r2 = 0                       ; R2_w=0
88: (7b) *(u64 *)(r10 -64) = r8       ; R8_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0 fp-64_w=trusted_ptr_
; if(ret >= 0)
89: (6d) if r2 s> r6 goto pc+112      ; R2_w=0 R6=scalar(umax=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff))
; unsigned long arg_start_pointer = 0;
90: (7b) *(u64 *)(r10 -8) = r2        ; R2_w=0 R10=fp0 fp-8_w=00000000
; unsigned long arg_end_pointer = 0;
91: (7b) *(u64 *)(r10 -16) = r2       ; R2_w=0 R10=fp0 fp-16_w=00000000
92: (18) r6 = 0x1                     ; R6=1
; READ_TASK_FIELD_INTO(&arg_start_pointer, task, mm, arg_start);
94: (15) if r6 == 0x0 goto pc+24      ; R6=1
95: (18) r1 = 0x9e                    ; R1_w=158
; READ_TASK_FIELD_INTO(&arg_start_pointer, task, mm, arg_start);
97: (55) if r1 != 0x9e goto pc+21     ; R1_w=158
; READ_TASK_FIELD_INTO(&arg_start_pointer, task, mm, arg_start);
98: (79) r1 = *(u64 *)(r8 +2336)      ; R1_w=ptr_mm_struct(off=0,imm=0) R8=trusted_ptr_task_struct(off=0,imm=0)
99: (79) r1 = *(u64 *)(r1 +304)       ; R1_w=scalar()
100: (7b) *(u64 *)(r10 -8) = r1       ; R1_w=scalar() R10=fp0 fp-8_w=mmmmmmmm
; READ_TASK_FIELD_INTO(&arg_end_pointer, task, mm, arg_end);
101: (15) if r6 == 0x0 goto pc+1      ; R6=1
102: (05) goto pc+31
; READ_TASK_FIELD_INTO(&arg_end_pointer, task, mm, arg_end);
134: (18) r1 = 0x9e                   ; R1_w=158
; READ_TASK_FIELD_INTO(&arg_end_pointer, task, mm, arg_end);
136: (55) if r1 != 0x9e goto pc-34    ; R1_w=158
; READ_TASK_FIELD_INTO(&arg_end_pointer, task, mm, arg_end);
137: (79) r1 = *(u64 *)(r8 +2336)     ; R1_w=ptr_mm_struct(off=0,imm=0) R8=trusted_ptr_task_struct(off=0,imm=0)
138: (79) r9 = *(u64 *)(r1 +312)      ; R1_w=ptr_mm_struct(off=0,imm=0) R9_w=scalar()
139: (7b) *(u64 *)(r10 -16) = r9      ; R9_w=scalar() R10=fp0 fp-16_w=mmmmmmmm
140: (b7) r1 = 0                      ; R1_w=0
; unsigned long total_args_len = arg_end_pointer - arg_start_pointer;
141: (7b) *(u64 *)(r10 -80) = r1      ; R1_w=0 R10=fp0 fp-80_w=00000000
142: (79) r6 = *(u64 *)(r10 -8)       ; R6_w=scalar() R10=fp0
143: (b7) r1 = 0                      ; R1_w=0
; if(charbuf_pointer)
144: (15) if r6 == 0x0 goto pc+19     ; R6_w=scalar()
; 
145: (bf) r8 = r7                     ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
146: (07) r8 += 131072                ; R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
147: (79) r2 = *(u64 *)(r8 +0)        ; R2_w=scalar() R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
148: (57) r2 &= 65535                 ; R2_w=scalar(umax=65535,var_off=(0x0; 0xffff))
149: (bf) r1 = r7                     ; R1_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
150: (0f) r1 += r2                    ; R1_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff)) R2_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; written_bytes = bpf_probe_read_user_str(&data[SAFE_ACCESS(*payload_pos)],
151: (b7) r2 = 4096                   ; R2_w=4096
152: (bf) r3 = r6                     ; R3_w=scalar(id=5) R6_w=scalar(id=5)
153: (85) call bpf_probe_read_user_str#114    ; R0=scalar(smin=-4095,smax=4096)
; 
154: (bf) r2 = r0                     ; R0=scalar(id=6,smin=-4095,smax=4096) R2_w=scalar(id=6,smin=-4095,smax=4096)
155: (67) r2 <<= 32                   ; R2_w=scalar(smax=17592186044416,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0)
156: (c7) r2 s>>= 32                  ; R2_w=scalar(smin=-2147483648,smax=4096)
157: (b7) r3 = 1                      ; R3_w=1
158: (b7) r1 = 0                      ; R1_w=0
; if(written_bytes <= 0)
159: (6d) if r3 s> r2 goto pc+4       ; R2_w=scalar(umin=1,umax=4096,var_off=(0x0; 0x1fff)) R3_w=1
; *payload_pos += written_bytes;
160: (79) r1 = *(u64 *)(r8 +0)        ; R1_w=scalar() R8=map_value(off=131072,ks=4,vs=131088,imm=0)
161: (0f) r1 += r2                    ; R1_w=scalar() R2_w=scalar(umin=1,umax=4096,var_off=(0x0; 0x1fff))
162: (7b) *(u64 *)(r8 +0) = r1        ; R1_w=scalar() R8=map_value(off=131072,ks=4,vs=131088,imm=0)
163: (bf) r1 = r0                     ; R0=scalar(id=6,smin=-4095,smax=4096) R1_w=scalar(id=6,smin=-4095,smax=4096)
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
164: (bf) r8 = r7                     ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
165: (07) r8 += 131080                ; R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
166: (71) r2 = *(u8 *)(r8 +0)         ; R2_w=scalar(umax=255,var_off=(0x0; 0xff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
167: (bf) r3 = r7                     ; R3_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
168: (0f) r3 += r2                    ; R2_w=scalar(umax=255,var_off=(0x0; 0xff)) R3_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
169: (6b) *(u16 *)(r3 +0) = r1        ; R1_w=scalar(id=6,smin=-4095,smax=4096) R3_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
170: (07) r2 += 2                     ; R2_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff))
171: (73) *(u8 *)(r8 +0) = r2         ; R2_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff)) R8_w=map_value(off=131080,ks=4,vs=131088,imm=0)
; auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER);
172: (0f) r6 += r1                    ; R1_w=scalar(id=6,smin=-4095,smax=4096) R6_w=scalar()
173: (1f) r9 -= r6                    ; R6_w=scalar() R9_w=scalar()
; auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, (total_args_len - exe_arg_len) & (MAX_PROC_ARG_ENV - 1), USER);
174: (57) r9 &= 4095                  ; R9_w=scalar(umax=4095,var_off=(0x0; 0xfff))
; if(bytebuf_pointer && len_to_read > 0)
175: (15) if r9 == 0x0 goto pc+17     ; R9_w=scalar(umax=4095,var_off=(0x0; 0xfff))
; 
176: (57) r1 &= 65535                 ; R1_w=scalar(umax=65535,var_off=(0x0; 0xffff))
177: (79) r3 = *(u64 *)(r10 -8)       ; R3_w=scalar() R10=fp0
178: (0f) r3 += r1                    ; R1=scalar(umax=65535,var_off=(0x0; 0xffff)) R3=scalar()
; if(bytebuf_pointer && len_to_read > 0)
179: (15) if r3 == 0x0 goto pc+13     ; R3=scalar()
; if(bpf_probe_read_user(&data[SAFE_ACCESS(*payload_pos)],
180: (bf) r6 = r7                     ; R6_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
181: (07) r6 += 131072                ; R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
182: (79) r2 = *(u64 *)(r6 +0)        ; R2_w=scalar() R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
183: (57) r2 &= 65535                 ; R2_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; if(bpf_probe_read_user(&data[SAFE_ACCESS(*payload_pos)],
184: (bf) r1 = r7                     ; R1_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
185: (0f) r1 += r2                    ; R1_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff)) R2_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; if(bpf_probe_read_user(&data[SAFE_ACCESS(*payload_pos)],
186: (bf) r2 = r9                     ; R2_w=scalar(id=7,umax=4095,var_off=(0x0; 0xfff)) R9=scalar(id=7,umax=4095,var_off=(0x0; 0xfff))
187: (85) call bpf_probe_read_user#112        ; R0=scalar()
; if(bpf_probe_read_user(&data[SAFE_ACCESS(*payload_pos)],
188: (55) if r0 != 0x0 goto pc+4      ; R0=0
; *payload_pos += len_to_read;
189: (79) r1 = *(u64 *)(r6 +0)        ; R1_w=scalar() R6=map_value(off=131072,ks=4,vs=131088,imm=0)
190: (0f) r1 += r9                    ; R1_w=scalar() R9=scalar(id=7,umax=4095,var_off=(0x0; 0xfff))
191: (7b) *(u64 *)(r6 +0) = r1        ; R1_w=scalar() R6=map_value(off=131072,ks=4,vs=131088,imm=0)
192: (7b) *(u64 *)(r10 -80) = r9      ; R9=scalar(id=7,umax=4095,var_off=(0x0; 0xfff)) R10=fp0 fp-80_w=
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
193: (71) r1 = *(u8 *)(r8 +0)         ; R1_w=scalar(umax=255,var_off=(0x0; 0xff)) R8=map_value(off=131080,ks=4,vs=131088,imm=0)
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
194: (bf) r2 = r7                     ; R2_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
195: (0f) r2 += r1                    ; R1_w=scalar(umax=255,var_off=(0x0; 0xff)) R2_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
196: (79) r3 = *(u64 *)(r10 -80)      ; R3_w=scalar(id=7,umax=4095,var_off=(0x0; 0xfff)) R10=fp0
197: (6b) *(u16 *)(r2 +0) = r3        ; R2_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff)) R3_w=scalar(id=7,umax=4095,var_off=(0x0; 0xfff))
; *lengths_pos += sizeof(u16);
198: (07) r1 += 2                     ; R1_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff))
199: (73) *(u8 *)(r8 +0) = r1         ; R1_w=scalar(umin=2,umax=257,var_off=(0x0; 0x1ff)) R8=map_value(off=131080,ks=4,vs=131088,imm=0)
200: (79) r8 = *(u64 *)(r10 -64)      ; R8_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0
201: (05) goto pc+14
; *lengths_pos += sizeof(u16);
216: (18) r2 = 0x1                    ; R2_w=1
; return READ_TASK_FIELD(task, pid);
218: (15) if r2 == 0x0 goto pc+7      ; R2_w=1
219: (18) r2 = 0x9e                   ; R2_w=158
; return READ_TASK_FIELD(task, pid);
221: (55) if r2 != 0x9e goto pc+4     ; R2_w=158
222: (b7) r2 = 2456                   ; R2_w=2456
223: (bf) r6 = r8                     ; R6_w=trusted_ptr_task_struct(off=0,imm=0) R8=trusted_ptr_task_struct(off=0,imm=0)
224: (0f) r6 += r2                    ; R2_w=2456 R6_w=trusted_ptr_task_struct(off=2456,imm=0)
225: (05) goto pc+11
; return READ_TASK_FIELD(task, pid);
237: (61) r3 = *(u32 *)(r6 +0)        ; R3_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6=trusted_ptr_task_struct(off=2456,imm=0)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
238: (bf) r8 = r7                     ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
239: (07) r8 += 131072                ; R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
240: (79) r2 = *(u64 *)(r8 +0)        ; R2_w=scalar() R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
241: (bf) r4 = r2                     ; R2_w=scalar(id=8) R4_w=scalar(id=8)
242: (57) r4 &= 65535                 ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
243: (bf) r5 = r7                     ; R5_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
244: (0f) r5 += r4                    ; R4_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; return READ_TASK_FIELD(task, pid);
245: (67) r3 <<= 32                   ; R3_w=scalar(smax=9223372032559808512,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0)
246: (c7) r3 s>>= 32                  ; R3_w=scalar(smin=-2147483648,smax=2147483647)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
247: (7b) *(u64 *)(r5 +0) = r3        ; R3_w=scalar(smin=-2147483648,smax=2147483647) R5_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(s64);
248: (07) r2 += 8                     ; R2_w=scalar()
249: (7b) *(u64 *)(r8 +0) = r2        ; R2_w=scalar() R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
250: (bf) r3 = r1                     ; R1=scalar(id=9,umin=2,umax=257,var_off=(0x0; 0x1ff)) R3_w=scalar(id=9,umin=2,umax=257,var_off=(0x0; 0x1ff))
251: (57) r3 &= 255                   ; R3_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
252: (bf) r4 = r7                     ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
253: (0f) r4 += r3                    ; R3_w=scalar(umax=255,var_off=(0x0; 0xff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
254: (b7) r3 = 8                      ; R3_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
255: (6b) *(u16 *)(r4 +0) = r3        ; R3_w=8 R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
256: (bf) r9 = r7                     ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R9_w=map_value(off=0,ks=4,vs=131088,imm=0)
257: (07) r9 += 131080                ; R9_w=map_value(off=131080,ks=4,vs=131088,imm=0)
258: (07) r1 += 2                     ; R1_w=scalar(umin=4,umax=259,var_off=(0x0; 0x1ff))
259: (73) *(u8 *)(r9 +0) = r1         ; R1_w=scalar(umin=4,umax=259,var_off=(0x0; 0x1ff)) R9_w=map_value(off=131080,ks=4,vs=131088,imm=0)
260: (18) r3 = 0x1                    ; R3_w=1
; return READ_TASK_FIELD(task, tgid);
262: (15) if r3 == 0x0 goto pc+7      ; R3_w=1
263: (18) r3 = 0x9e                   ; R3_w=158
; return READ_TASK_FIELD(task, tgid);
265: (55) if r3 != 0x9e goto pc+4     ; R3_w=158
266: (b7) r3 = 2460                   ; R3_w=2460
267: (79) r6 = *(u64 *)(r10 -64)      ; R6_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0
268: (0f) r6 += r3                    ; R3_w=2460 R6_w=trusted_ptr_task_struct(off=2460,imm=0)
269: (05) goto pc+10
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
280: (bf) r3 = r2                     ; R2=scalar(id=10) R3_w=scalar(id=10)
281: (57) r3 &= 65535                 ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
282: (bf) r4 = r7                     ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
283: (0f) r4 += r3                    ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; return READ_TASK_FIELD(task, tgid);
284: (61) r3 = *(u32 *)(r6 +0)        ; R3_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6=trusted_ptr_task_struct(off=2460,imm=0)
285: (67) r3 <<= 32                   ; R3_w=scalar(smax=9223372032559808512,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0)
286: (c7) r3 s>>= 32                  ; R3_w=scalar(smin=-2147483648,smax=2147483647)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
287: (7b) *(u64 *)(r4 +0) = r3        ; R3_w=scalar(smin=-2147483648,smax=2147483647) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(s64);
288: (07) r2 += 8                     ; R2_w=scalar()
289: (bf) r8 = r7                     ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R8_w=map_value(off=0,ks=4,vs=131088,imm=0)
290: (07) r8 += 131072                ; R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
291: (7b) *(u64 *)(r8 +0) = r2        ; R2_w=scalar() R8_w=map_value(off=131072,ks=4,vs=131088,imm=0)
292: (bf) r3 = r1                     ; R1=scalar(id=11,umin=4,umax=259,var_off=(0x0; 0x1ff)) R3_w=scalar(id=11,umin=4,umax=259,var_off=(0x0; 0x1ff))
293: (57) r3 &= 255                   ; R3_w=scalar(umax=255,var_off=(0x0; 0xff))
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
294: (bf) r4 = r7                     ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
295: (0f) r4 += r3                    ; R3_w=scalar(umax=255,var_off=(0x0; 0xff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
296: (b7) r3 = 8                      ; R3_w=8
; *((u16 *)&data[SAFE_ACCESS(*lengths_pos)]) = len;
297: (6b) *(u16 *)(r4 +0) = r3        ; R3_w=8 R4_w=map_value(off=0,ks=4,vs=131088,umax=255,var_off=(0x0; 0xff))
; *lengths_pos += sizeof(u16);
298: (bf) r9 = r7                     ; R7=map_value(off=0,ks=4,vs=131088,imm=0) R9_w=map_value(off=0,ks=4,vs=131088,imm=0)
299: (07) r9 += 131080                ; R9_w=map_value(off=131080,ks=4,vs=131088,imm=0)
300: (07) r1 += 2                     ; R1_w=scalar(umin=6,umax=261,var_off=(0x0; 0x1ff))
301: (73) *(u8 *)(r9 +0) = r1         ; R1_w=scalar(umin=6,umax=261,var_off=(0x0; 0x1ff)) R9_w=map_value(off=131080,ks=4,vs=131088,imm=0)
302: (18) r3 = 0x1                    ; R3_w=1
; return READ_TASK_FIELD(task, real_parent, pid);
304: (15) if r3 == 0x0 goto pc+8      ; R3_w=1
305: (18) r3 = 0x9e                   ; R3_w=158
; return READ_TASK_FIELD(task, real_parent, pid);
307: (55) if r3 != 0x9e goto pc+5     ; R3_w=158
; return READ_TASK_FIELD(task, real_parent, pid);
308: (79) r3 = *(u64 *)(r10 -64)      ; R3_w=trusted_ptr_task_struct(off=0,imm=0) R10=fp0
309: (79) r6 = *(u64 *)(r3 +2472)     ; R3_w=trusted_ptr_task_struct(off=0,imm=0) R6_w=ptr_task_struct(off=0,imm=0)
310: (b7) r3 = 2456                   ; R3_w=2456
311: (0f) r6 += r3                    ; R3_w=2456 R6_w=ptr_task_struct(off=2456,imm=0)
312: (05) goto pc+17
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
330: (bf) r3 = r2                     ; R2=scalar(id=12) R3_w=scalar(id=12)
331: (57) r3 &= 65535                 ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff))
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
332: (bf) r4 = r7                     ; R4_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
333: (0f) r4 += r3                    ; R3_w=scalar(umax=65535,var_off=(0x0; 0xffff)) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; return READ_TASK_FIELD(task, real_parent, pid);
334: (61) r3 = *(u32 *)(r6 +0)        ; R3_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6=ptr_task_struct(off=2456,imm=0)
335: (67) r3 <<= 32                   ; R3_w=scalar(smax=9223372032559808512,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0)
336: (c7) r3 s>>= 32                  ; R3_w=scalar(smin=-2147483648,smax=2147483647)
; *((s64 *)&data[SAFE_ACCESS(*payload_pos)]) = param;
337: (7b) *(u64 *)(r4 +0) = r3        ; R3_w=scalar(smin=-2147483648,smax=2147483647) R4_w=map_value(off=0,ks=4,vs=131088,umax=65535,var_off=(0x0; 0xffff))
; *payload_pos += sizeof(s64);
338: (07) r2 += 8                     ; R2_w=scalar()
339: (bf) r6 = r7                     ; R6_w=map_value(off=0,ks=4,vs=131088,imm=0) R7=map_value(off=0,ks=4,vs=131088,imm=0)
340: (07) r6 += 131072                ; R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
341: (7b) *(u64 *)(r6 +0) = r2        ; R2_w=scalar() R6_w=map_value(off=131072,ks=4,vs=131088,imm=0)
539: <invalid CO-RE relocation>
failed to resolve CO-RE relocation <byte_off> [429] struct mm_struct.rss_stat.count[0].counter (0:0:43:0:0:0 @ offset 720)
processed 388 insns (limit 1000000) max_states_per_insn 0 total_states 16 peak_states 16 mark_read 5
-- END PROG LOAD LOG --
libbpf: prog 'clone_x': failed to load: -22
libbpf: failed to load object 'bpf_probe'
libbpf: failed to load BPF skeleton 'bpf_probe': -22
libpman: failed to load BPF object (errno: 22 | message: Invalid argument)
2023-05-15T10:08:19+0000: An error occurred in an event source, forcing termination...
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Error: 

Same when I try it with Kubernetes in a privileged container mounting /host.
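A load log like the one above can be reduced to the facts that matter for triage: which program failed and which kernel struct member libbpf could not find in the running kernel's BTF. The function below is an added example, not part of the thread and not Falco or libbpf code; the function names are assumptions, and the sample lines are copied from the log posted above.

```shell
#!/bin/sh
# Added example (not Falco or libbpf code): summarise failed CO-RE relocations
# found in a libbpf program load log read from stdin.
# Output, one tab-separated line per failure:
#   program  relocation-kind  root-type  member-path  byte-offset
core_reloc_failures() {
    awk -v q="'" '
        # failed to resolve CO-RE relocation <kind> [id] struct T.a.b (spec @ offset N)
        /failed to resolve CO-RE relocation/ {
            for (i = 1; i <= NF; i++) if ($i == "relocation") break
            kind = $(i + 1); gsub(/[<>]/, "", kind)
            access = $(i + 4)                       # T.member.path
            dot = index(access, ".")
            root = (dot ? substr(access, 1, dot - 1) : access)
            member = (dot ? substr(access, dot + 1) : "-")
            off = "-"
            for (j = i; j < NF; j++)
                if ($j == "offset") { off = $(j + 1); sub(/\)$/, "", off) }
            n++
            pending[n] = kind "\t" $(i + 3) " " root "\t" member "\t" off
            next
        }
        # The program name is reported after the verifier log has ended.
        /^libbpf: prog / && /failed to load/ {
            split($0, part, q)                      # part[2] is the quoted name
            for (k = 1; k <= n; k++) print part[2] "\t" pending[k]
            n = 0
        }
        # Failures with no program line after them are still reported.
        END { for (k = 1; k <= n; k++) print "?\t" pending[k] }
    '
}

# Sample input: the closing lines of the load log posted in this thread.
sample_load_log() {
    cat <<'EOF'
539: <invalid CO-RE relocation>
failed to resolve CO-RE relocation <byte_off> [429] struct mm_struct.rss_stat.count[0].counter (0:0:43:0:0:0 @ offset 720)
processed 388 insns (limit 1000000) max_states_per_insn 0 total_states 16 peak_states 16 mark_read 5
-- END PROG LOAD LOG --
libbpf: prog 'clone_x': failed to load: -22
libbpf: failed to load object 'bpf_probe'
EOF
}

# Demo: prints clone_x, byte_off, struct mm_struct, rss_stat.count[0].counter, 720
sample_load_log | core_reloc_failures
```

On the affected host, `bpftool btf dump file /sys/kernel/btf/vmlinux format c` shows whether the running kernel's `mm_struct` still has the reported member.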

FedeDP commented 1 year ago

Oh nice, you are running a 6.x kernel right? Our 4.0.0+driver tag was released before your kernel was tagged therefore we don't support it. Next driver version, released together with Falco 0.35, will support it!

FedeDP commented 1 year ago

Our 4.0.0+driver tag was released before your kernel was tagged therefore we don't support it.

Note, please, this is not an absolute truth; but lately the kernel is breaking internal APIs pretty quickly (i.e. every new release), therefore we need to adapt our code to build on newer kernels when they get released. This is what happened in your case; of course, a driver tagged before kernel 6.1 was released could not support kernel 6.1 :)

Sure, wasn't sure yet if i made a mistake or not and wanted to check further, but here's what i did:

Btw no mistake, just bad luck!

strowi commented 1 year ago

All understandable points. After all i just started fiddling with falco on microos after leaving the old job where we were running ubuntu. ;) And good to know it wasn't directly my fault. (Could've probably checked more about supported kernels).

PS: Kernel is 6.2.10-1-default #1 SMP PREEMPT_DYNAMIC Thu Apr 6 10:36:55 UTC 2023 (ba7816e) x86_64 x86_64 x86_64 GNU/Linux

FedeDP commented 1 year ago

Btw can you share your /etc/os-release file from MicroOS?

strowi commented 1 year ago

Sure:

~> cat /etc/os-release
NAME="openSUSE MicroOS"
# VERSION="20230415"
ID="opensuse-microos"
ID_LIKE="suse opensuse opensuse-tumbleweed"
VERSION_ID="20230415"
PRETTY_NAME="openSUSE MicroOS"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:microos:20230415"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:MicroOS"
LOGO="distributor-logo-MicroOS"

FedeDP commented 1 year ago

Thank you! Since I am not able to find any micro kernel headers, I assume microOS uses the same kernel-headers as openSUSE, right? (http://download.opensuse.org/distribution/leap-micro/)

EDIT: can you post content of file /etc/zypp/repos.d/repo-oss.repo? Thank you!

strowi commented 1 year ago

You're welcome! As far as I know "MicroOS is based on Tumbleweed", so I would say yes.

~> cat /etc/zypp/repos.d/repo-oss.repo
[repo-oss]
name=openSUSE-Tumbleweed-Oss
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/tumbleweed/repo/oss/

FedeDP commented 1 year ago

That's great! Then to support it we just need a small patch for falco-driver-loader, so that opensuse-microos is managed like opensuse (here: https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader#L129) and then we need to add support on test-infra to build opensuse drivers (that were never requested until today!). kernel-crawler and driverkit already support it! I will work on that later this week!
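The mapping described in the comment above (treat `opensuse-microos` like `opensuse`) can be derived from the `ID` and `ID_LIKE` fields of the os-release file posted earlier. This is an added example, not part of the thread and not falco-driver-loader's code: the function names and the list of known families are assumptions, and the sample is a shortened copy of the posted output.

```shell
#!/bin/sh
# Added example, not falco-driver-loader code. Function names and the list of
# known families are assumptions made for illustration.
KNOWN_FAMILIES="opensuse ubuntu debian fedora"

# Print the value of KEY from an os-release style FILE without sourcing it
# (sourcing would execute the file as shell code, usually as root).
os_release_get() {   # $1 = file, $2 = key
    while IFS='=' read -r k v || [ -n "$k" ]; do
        [ "$k" = "$2" ] || continue          # also skips commented-out keys
        case $v in
            \"*\") v=${v#\"}; v=${v%\"} ;;
            \'*\') v=${v#\'}; v=${v%\'} ;;
        esac
        printf '%s\n' "$v"
        return 0
    done < "$1"
    return 1
}

# Map ID, then each ID_LIKE token in order, to a known family.
# Prints the family and returns 0, or prints "unsupported" and returns 1.
resolve_family() {
    file=${1:-/etc/os-release}
    [ -r "$file" ] || { echo unsupported; return 1; }
    id=$(os_release_get "$file" ID) || id=
    like=$(os_release_get "$file" ID_LIKE) || like=
    # The result is used to build file names and URLs, so fail closed on any
    # character outside the set that os-release identifiers may contain.
    case "$id $like" in
        *[!a-z0-9._\ -]*) echo unsupported; return 1 ;;
    esac
    for cand in $id $like; do
        for fam in $KNOWN_FAMILIES; do
            if [ "$cand" = "$fam" ]; then
                echo "$fam"
                return 0
            fi
        done
    done
    echo unsupported
    return 1
}

# Sample input: shortened copy of the MicroOS os-release posted in this thread.
sample_os_release() {
    cat <<'EOF'
NAME="openSUSE MicroOS"
# VERSION="20230415"
ID="opensuse-microos"
ID_LIKE="suse opensuse opensuse-tumbleweed"
VERSION_ID="20230415"
HOME_URL="https://www.opensuse.org/"
EOF
}

# Demo: prints "opensuse" for the MicroOS sample.
tmp=$(mktemp) && sample_os_release > "$tmp" && resolve_family "$tmp"; rm -f "$tmp"
```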

FedeDP commented 1 year ago

Can you share your currently running kernel? uname -a output!

strowi commented 1 year ago

I did above:

PS: Kernel is 6.2.10-1-default #1 SMP PREEMPT_DYNAMIC Thu Apr 6 10:36:55 UTC 2023 (ba7816e) x86_64 x86_64 x86_64 GNU/Linux

I was not sure how the "immutable" part is being handled by the falco-driver-loader. That's why i initially thought it would be more like talos.

FedeDP commented 1 year ago

Oh yep sorry i totally forgot you already posted it!

I was not sure how the "immutable" part is being handled by the falco-driver-loader

This is a nice question; have you tried asking it to the microos devs? There must surely be a way to inject eBPF probes, not just for Falco. But yes, this is part of the issue, you are right!

strowi commented 1 year ago

Hey just got back to this and retried with helm-chart v3.2.1 and it seemed to work. Just for anyone else stumbling over this:

~> helm upgrade -i  falco -n falco --set tty=true --set driver.kind=modern-bpf falcosecurity/falco
...
~> kubectl run -ti --image=alpine test -- sh -c "uptime"
~> kubectl logs ...
...
[falco-ttbkq falco] 08:47:10.359068769: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=<NA> k8s.pod=<NA> container=b63bb11ad4fb shell=sh parent=<NA> cmdline=sh -c uptime pid=16380 terminal=34816 container_id=b63bb11ad4fb image=<NA>)
...

Not that important, but I guess I am still missing some configuration to make the <NA> get replaced by actual values.

Yay, and thanks! ;)

PS: I think the documentation has a small error here exec won't work since the pod doesn't exist. Should be run, or not?

Andreagit97 commented 1 year ago

Not that important, but I guess I am still missing some configuration to make the <NA> get replaced by actual values.

I would suggest you disable the -k option at least for now, it doesn't scale well on big clusters, we will come out with a new fresh k8s client in Falco 0.37 (:crossed_fingers:)

PS: I think the documentation has a small error here exec won't work since the pod doesn't exist. Should be run, or not?

It should be fixed, thanks :)