diff --git a/pkg/security/ebpf/probes/event_types.go b/pkg/security/ebpf/probes/event_types.go
index f20f3c5717c445..f460d9b443e1fe 100644
--- a/pkg/security/ebpf/probes/event_types.go
+++ b/pkg/security/ebpf/probes/event_types.go
@@ -75,8 +75,15 @@ func NetworkSelectors() []manager.ProbesSelector {
 }
 // SyscallMonitorSelectors is the list of probes that should be activated for the syscall monitor feature
-var SyscallMonitorSelectors = []manager.ProbesSelector{
- &manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFFuncName: "sys_enter"}},
+func SyscallMonitorSelectors() []manager.ProbesSelector {
+ return []manager.ProbesSelector{
+ &manager.ProbeSelector{
+ ProbeIdentificationPair: manager.ProbeIdentificationPair{
+ UID: SecurityAgentUID,
+ EBPFFuncName: "sys_enter",
+ },
+ },
+ }
 }
 // SnapshotSelectors selectors required during the snapshot
@@ -92,15 +99,9 @@ func SnapshotSelectors(fentry bool) []manager.ProbesSelector {
 }
 }
-var selectorsPerEventTypeStore map[eval.EventType][]manager.ProbesSelector
-
 // GetSelectorsPerEventType returns the list of probes that should be activated for each event
 func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSelector {
- if selectorsPerEventTypeStore != nil {
- return selectorsPerEventTypeStore
- }
-
- selectorsPerEventTypeStore = map[eval.EventType][]manager.ProbesSelector{
+ selectorsPerEventTypeStore := map[eval.EventType][]manager.ProbesSelector{
 // The following probes will always be activated, regardless of the loaded rules
 "*": {
 // Exec probes
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
index 0a6e5ffc8c3d83..6bcbd64625f016 100644
--- a/pkg/security/probe/probe_ebpf.go
+++ b/pkg/security/probe/probe_ebpf.go
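Review bot: The doc comment above `SyscallMonitorSelectors` still reads "is the list of probes" although the identifier is now a function. I would reword it to `// SyscallMonitorSelectors returns a new slice of the probes that should be activated for the syscall monitor feature` and add one sentence saying that every call allocates fresh `ProbeSelector` values, so a caller can append to or modify the result without affecting anyone else. That independence appears to be the reason the package-level variable was replaced, and the comment is the only place a later maintainer would learn not to turn it back into a shared `var`.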
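Review bot: The doc comment on `GetSelectorsPerEventType` does not say that the map is now built on every call, and the local keeps the name `selectorsPerEventTypeStore` even though nothing is stored any more. The removed early return handed back the first call's map without looking at `fentry`, so a later call with the other value received the first call's result; a line such as `// The map is rebuilt on each call and never cached, so the result always reflects fentry and belongs to the caller.` would record why the cache must not come back. A small test that calls the function with `true` and `false` and checks that mutating one result leaves the other unchanged would pin this, since a stale selector set could leave probes unattached without any error. The function body continues outside the hunk, so renaming the local to something like `selectors` would also touch lines not shown here.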
@@ -1537,13 +1537,13 @@ func (p *EBPFProbe) updateProbes(ruleEventTypes []eval.EventType, needRawSyscall
 }
 if needRawSyscalls {
- activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
+ activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors()...)
 } else {
 // ActivityDumps
 if p.config.RuntimeSecurity.ActivityDumpEnabled {
 for _, e := range p.profileManagers.GetActivityDumpTracedEventTypes() {
 if e == model.SyscallsEventType {
- activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
+ activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors()...)
 break
 }
 }
@@ -1552,7 +1552,7 @@ func (p *EBPFProbe) updateProbes(ruleEventTypes []eval.EventType, needRawSyscall
 if p.config.RuntimeSecurity.AnomalyDetectionEnabled {
 for _, e := range p.profileManagers.GetAnomalyDetectionEventTypes() {
 if e == model.SyscallsEventType {
- activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
+ activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors()...)
 break
 }
 }
@@ -2178,7 +2178,7 @@ func (p *EBPFProbe) initManagerOptionsActivatedProbes(config *config.Config) {
 for _, e := range config.RuntimeSecurity.ActivityDumpTracedEventTypes {
 if e == model.SyscallsEventType {
 // Add syscall monitor probes
- p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors...)
+ p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors()...)
 break
 }
 }
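Review bot: `probes.SyscallMonitorSelectors()` can be appended to `activatedProbes` more than once in `updateProbes`: once in the ActivityDumps loop of this hunk and again in the AnomalyDetection loop of the `@@ -1552` hunk when both features trace `model.SyscallsEventType`. With the package-level slice the duplicates were the same `*manager.ProbeSelector` pointers, whereas each call now yields distinct selector objects for the same `sys_enter` probe. Whether the manager tolerates or deduplicates repeated selectors is not visible in this diff, so I would either confirm that or track one flag and append once, e.g. set `needSyscallMonitor = true` inside both loops and finish with `if needSyscallMonitor { activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors()...) }`. The same pattern appears in `initManagerOptionsActivatedProbes` (hunks `@@ -2178` and `@@ -2187`), and both functions extend beyond the lines shown.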
@@ -2187,7 +2187,7 @@ func (p *EBPFProbe) initManagerOptionsActivatedProbes(config *config.Config) {
 for _, e := range config.RuntimeSecurity.AnomalyDetectionEventTypes {
 if e == model.SyscallsEventType {
 // Add syscall monitor probes
- p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors...)
+ p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors()...)
 break
 }
 }