[REFACTOR] Separate probes and add new required field for probe dependencies

[NDStrahilevitz]

Initial Checklist

• There is an issue describing the need for this PR.
• Git log contains summary of the change.
• Git log contains motivation and context of the change.
• If part of an EPIC, PR git log contains EPIC number.
• If part of an EPIC, PR was added to EPIC description.

Description (git log)

This replaces the fix proposed in #1707

Author: Nadav Strahilevitz <[email protected]>
Date:   Thu Jun 2 12:41:49 2022 +0000

    probes: add required dependency field
    
    This is done through the following steps:
    1. Split the probes into a separate module
    2. Probes are handled implicitly through handles
    3. Events have probe dependencies which includes
    a handle and a required field
    4. Attaching failure is handled according to the required field
   

Fixes: #1622

Type of change

• Code refactor (code improvement and/or code removal)

How Has This Been Tested?

Testing is done through the TRC-9 test in a tracee-tester image running on GKE. Some PR jobs were temporarily removed in this PR to test it faster. They will be added back.

• Tests passed

When the tests are passed this checkbox will be filled. This PR shouldn't be merged until then.

Final Checklist:

Pick "Bug Fix" or "Feature", delete the other and mark appropriate checks.

• I have made corresponding changes to the documentation.
• My code follows the style guidelines (C and Go) of this project.
• I have performed a self-review of my own code.
• I have commented all functions/methods created explaining what they do.
• I have commented my code, particularly in hard-to-understand areas.
• My changes generate no new warnings.
• I have added tests that prove my fix, or feature, is effective.
• New and existing unit tests pass locally with my changes.
• Any dependent changes have been merged and published before.

Git Log Checklist:

My commits logs have:

• Subject starts with "subsystem|file: description".
• Do not end the subject line with a period.
• Limit the subject line to 50 characters.
• Separate subject from body with a blank line.
• Use the imperative mood in the subject line.
• Wrap the body at 72 characters.
• Use the body to explain what and why instead of how.

[rafaeldtinoco]

I'm +1 on this if @yanivagman is (as his team will have a bigger impact on this change, by having the probes declared in another file).

[yanivagman]

I like this change.
I think the probes package should be under the ebpf package.
Also see some other comments I have.

[yanivagman]

I wonder if we should now move this to Dependencies, WDYT?

[NDStrahilevitz]

I actually had the same thought initially as well, but when I wrote it out it quickly got too nested for my taste, so I opted to keep it this way.
And since almost all events besides the syscall ones have at least one probe, I think probes can get their own special category.

[yanivagman]

So why not just keeping it "probe"?

[NDStrahilevitz]

I still thought the name fits more, but it looked worse inside the Dependencies struct. I can rename it back if you find it important that it shouldn't be named xDependency if it's not inside Dependencies.

[yanivagman]

We can keep it outside of dependencies, but I would keep it probe (no hard feelings about that though)

[NDStrahilevitz]

I like this change. I think the probes package should be under the ebpf package. Also see some other comments I have.

I moved the package since it made the naming less cumbersome. Otherwise it would be namespaced with the events, and some of them have almost the same name.

[yanivagman]

I like this change. I think the probes package should be under the ebpf package. Also see some other comments I have.

I moved the package since it made the naming less cumbersome. Otherwise it would be namespaced with the events, and some of them have almost the same name.

Can you give an example?

[NDStrahilevitz]

I like this change. I think the probes package should be under the ebpf package. Also see some other comments I have.

I moved the package since it made the naming less cumbersome. Otherwise it would be namespaced with the events, and some of them have almost the same name.

Can you give an example?

Most of the probes have an event equivalent (I was considering writing a quick probe -> event transformation function but it seemed overkill). So as for example i'll list the exceptions:

1. Filldir64
2. SecurityFilePermission

There may be a couple more but these are probes that do not have an equivalent event. The other probes have at least one "equivalent" event, and sometimes other events which can depend on them (For example SchedProccessExecEvent depends on both the SchedProcessExec probe and the LoadElfPhdrs probe(sidenote to that: perhaps this probe should be optional for that event)).

[yanivagman]

I like this change. I think the probes package should be under the ebpf package. Also see some other comments I have.

I moved the package since it made the naming less cumbersome. Otherwise it would be namespaced with the events, and some of them have almost the same name.

Can you give an example?

Most of the probes have an event equivalent (I was considering writing a quick probe -> event transformation function but it seemed overkill). So as for example i'll list the exceptions:

1. Filldir64
2. SecurityFilePermission

There may be a couple more but these are probes that do not have an equivalent event. The other probes have at least one "equivalent" event, and sometimes other events which can depend on them (For example SchedProccessExecEvent depends on both the SchedProcessExec probe and the LoadElfPhdrs probe(sidenote to that: perhaps this probe should be optional for that event)).

But how will this make naming cumbersome if we put the probes package under the ebpf package?

[NDStrahilevitz]

I like this change. I think the probes package should be under the ebpf package. Also see some other comments I have.

I moved the package since it made the naming less cumbersome. Otherwise it would be namespaced with the events, and some of them have almost the same name.

Can you give an example?

Most of the probes have an event equivalent (I was considering writing a quick probe -> event transformation function but it seemed overkill). So as for example i'll list the exceptions:

1. Filldir64
2. SecurityFilePermission

There may be a couple more but these are probes that do not have an equivalent event. The other probes have at least one "equivalent" event, and sometimes other events which can depend on them (For example SchedProccessExecEvent depends on both the SchedProcessExec probe and the LoadElfPhdrs probe(sidenote to that: perhaps this probe should be optional for that event)).

But how will this make naming cumbersome if we put the probes package under the ebpf package?

Because then we would have many probes and events named almost the same for exmaple

VfsWriteEventID <-> VfsWriteProbe
CgroupMkdirEventID <-> CgroupMkdirProbe

and so on...

IMO, the events should also be split from the ebpf package and so we could remove the whole EventID from all of them, but this isn't in the scope of this PR.

[yanivagman]

Because then we would have many probes and events named almost the same for exmaple

WriteEventID <-> WriteProbe CgroupMkdirEventID <-> CgroupMkdirProbe

and so on...

I don't think it's a problem that we have many probes and events named almost the same.

IMO, the events should also be split from the ebpf package and so we could remove the whole EventID from all of them, but this isn't in the scope of this PR.

Agree.

[NDStrahilevitz]

I don't think it's a problem that we have many probes and events named almost the same.>

It's not breaking or anything, but I think it makes the code less orderly and readable and the namespace more cluttered.

I also think there's some functional merit to having the probes in their own package, for example in PR #1804 there is some trigger mechanism introduced for the uprobes, this kind of functionality could (and IMO should) be defined in this package.

If we had the event definitions also inside the events package we could have the clear separation like so:

events.VfsWrite and probes.VfsWrite.

Agree.

I'm willing to take this next refactor PR on myself to justify this decision. I think the ebpf package, while an improvement from before is still very cluttered and it could use the cleanup, keeping the probes there doesn't do it any good in that regards. But - maybe for now it could be a subpackage like so ebpf/probes, WDYT?

[yanivagman]

But - maybe for now it could be a subpackage like so ebpf/probes, WDYT?

This is exactly what I suggested :-)

I think the probes package should be under the ebpf package.

Maybe I wasn't clear that I meant a subpackage in that sentence

[NDStrahilevitz]

But - maybe for now it could be a subpackage like so ebpf/probes, WDYT?

This is exactly what I suggested :-)

I think the probes package should be under the ebpf package.

Maybe I wasn't clear that I meant a subpackage in that sentence

Haha, no I didn't get that from what you said initially. Alright i'll make that change.

[yanivagman]

LGTM!