bpf: rename EventDocker errors to EventErrorCgroup
The EventDocker* errors are in reality related to cgroups, so rename
the flags to reflect that and improve their user space description too.

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
tixxdz authored and kkourt committed Jan 13, 2023
1 parent cefa85e commit acdfc94
Showing 4 changed files with 46 additions and 45 deletions.
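--- a/bpf/lib/process.h
+++ b/bpf/lib/process.h
@@ -106,32 +106,32 @@
 #define MAXARGMASK (MAXARG - 1)
 
 /* Msg flags */
-#define EVENT_UNKNOWN 0x00
-#define EVENT_EXECVE 0x01
-#define EVENT_EXECVEAT 0x02
-#define EVENT_PROCFS 0x04
-#define EVENT_TRUNC_FILENAME 0x08
-#define EVENT_TRUNC_ARGS 0x10
-#define EVENT_TASK_WALK 0x20
-#define EVENT_MISS 0x40
-#define EVENT_NEEDS_AUID 0x80
-#define EVENT_ERROR_FILENAME 0x100
-#define EVENT_ERROR_ARGS 0x200
-#define EVENT_NEEDS_CWD 0x400
-#define EVENT_NO_CWD_SUPPORT 0x800
-#define EVENT_ROOT_CWD 0x1000
-#define EVENT_ERROR_CWD 0x2000
-#define EVENT_CLONE 0x4000
-#define EVENT_ERROR_SOCK 0x8000
-#define EVENT_DOCKER_NAME_ERR 0x010000
-#define EVENT_DOCKER_KN_ERR 0x020000
-#define EVENT_DOCKER_SUBSYSCGRP_ERR 0x040000
-#define EVENT_DOCKER_SUBSYS_ERR 0x080000
-#define EVENT_DOCKER_CGROUPS_ERR 0x100000
-#define EVENT_ERROR_CGROUP_ID 0x200000
-#define EVENT_ERROR_PATH_COMPONENTS 0x400000
-#define EVENT_DATA_FILENAME 0x800000
-#define EVENT_DATA_ARGS 0x1000000
+#define EVENT_UNKNOWN 0x00
+#define EVENT_EXECVE 0x01
+#define EVENT_EXECVEAT 0x02
+#define EVENT_PROCFS 0x04
+#define EVENT_TRUNC_FILENAME 0x08
+#define EVENT_TRUNC_ARGS 0x10
+#define EVENT_TASK_WALK 0x20
+#define EVENT_MISS 0x40
+#define EVENT_NEEDS_AUID 0x80
+#define EVENT_ERROR_FILENAME 0x100
+#define EVENT_ERROR_ARGS 0x200
+#define EVENT_NEEDS_CWD 0x400
+#define EVENT_NO_CWD_SUPPORT 0x800
+#define EVENT_ROOT_CWD 0x1000
+#define EVENT_ERROR_CWD 0x2000
+#define EVENT_CLONE 0x4000
+#define EVENT_ERROR_SOCK 0x8000
+#define EVENT_ERROR_CGROUP_NAME 0x010000
+#define EVENT_ERROR_CGROUP_KN 0x020000
+#define EVENT_ERROR_CGROUP_SUBSYSCGRP 0x040000
+#define EVENT_ERROR_CGROUP_SUBSYS 0x080000
+#define EVENT_ERROR_CGROUPS 0x100000
+#define EVENT_ERROR_CGROUP_ID 0x200000
+#define EVENT_ERROR_PATH_COMPONENTS 0x400000
+#define EVENT_DATA_FILENAME 0x800000
+#define EVENT_DATA_ARGS 0x1000000
 
 #define EVENT_COMMON_FLAG_CLONE 0x01
 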
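--- a/bpf/process/bpf_process_event.h
+++ b/bpf/process/bpf_process_event.h
@@ -526,7 +526,7 @@ __event_get_current_cgroup_name(struct msg_execve_event *msg,
 if (name)
 probe_read_str(msg->kube.docker_id, KN_NAME_LENGTH, name);
 else
-process->flags |= EVENT_DOCKER_NAME_ERR;
+process->flags |= EVENT_ERROR_CGROUP_NAME;
 }
 
 /**
@@ -562,7 +562,7 @@ __event_get_cgroup_info(struct msg_execve_event *msg,
 
 cgrp = get_task_cgroup(task, subsys_idx);
 if (!cgrp) {
-process->flags |= EVENT_DOCKER_SUBSYSCGRP_ERR;
+process->flags |= EVENT_ERROR_CGROUP_SUBSYSCGRP;
 return;
 }
 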
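--- a/pkg/api/flags.go
+++ b/pkg/api/flags.go
@@ -74,15 +74,16 @@ const (
 // the old process and the newly exec'd process.
 EventClone = 0x4000
 
-// EventDocker*Err indicate the process containerID lookup failed in the
+// EventCgroup*Err indicate the process cgroup information lookup failed in the
 // kernel. The strings {Name|Kn|SubsysCgrp|Subsys|Cgroup} give us a hint
 // at the specific read that failed so we can investigate the cause.
-EventDockerNameErr = 0x010000
-EventDockerKnErr = 0x020000
-EventDockerSubsysCgrpErr = 0x040000
-EventDockerSubsysErr = 0x080000
-EventDockerCgroupsErr = 0x100000
-EventErrorCgroupId = 0x200000
+// The cgroup name is used to get the container ID or docker field.
+EventErrorCgroupName = 0x010000
+EventErrorCgroupKn = 0x020000
+EventErrorCgroupSubsysCgrp = 0x040000
+EventErrorCgroupSubsys = 0x080000
+EventErrorCgroups = 0x100000
+EventErrorCgroupId = 0x200000
 
 EventErrorPathComponents = 0x400000
 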
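Review bot: The rewritten comment names the group `EventCgroup*Err`, but the constants added under it are spelled `EventErrorCgroup*`, so the documented pattern matches none of them; the suffix list `{Name|Kn|SubsysCgrp|Subsys|Cgroup}` also has no counterpart for `EventErrorCgroups` or `EventErrorCgroupId`. I would change the first comment line to `// EventErrorCgroup* indicate the process cgroup information lookup failed in the` and list the suffixes as `{Name|Kn|SubsysCgrp|Subsys|Id}`, naming `EventErrorCgroups` separately. These are exported identifiers, so code outside this repository that imports the old `EventDocker*Err` names would presumably stop compiling; a line about that in the release notes would help. The const block starts and ends outside the hunk.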
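--- a/pkg/reader/exec/exec.go
+++ b/pkg/reader/exec/exec.go
@@ -54,23 +54,23 @@ func DecodeCommonFlags(flags uint32) []string {
 if (flags & api.EventClone) != 0 {
 s = append(s, "clone")
 }
-if (flags & api.EventDockerNameErr) != 0 {
-s = append(s, "errorDockerNameCwd")
+if (flags & api.EventErrorCgroupName) != 0 {
+s = append(s, "errorCgroupName")
 }
 if (flags & api.EventErrorCgroupId) != 0 {
 s = append(s, "errorCgroupID")
 }
-if (flags & api.EventDockerKnErr) != 0 {
-s = append(s, "errorDockerKn")
+if (flags & api.EventErrorCgroupKn) != 0 {
+s = append(s, "errorCgroupKn")
 }
-if (flags & api.EventDockerSubsysCgrpErr) != 0 {
-s = append(s, "errorDockerSubsysCgrp")
+if (flags & api.EventErrorCgroupSubsysCgrp) != 0 {
+s = append(s, "errorCgroupSubsysCgrp")
 }
-if (flags & api.EventDockerSubsysErr) != 0 {
-s = append(s, "errorDockerSubsys")
+if (flags & api.EventErrorCgroupSubsys) != 0 {
+s = append(s, "errorCgroupSubsys")
 }
-if (flags & api.EventDockerCgroupsErr) != 0 {
-s = append(s, "errorDockerCgroups")
+if (flags & api.EventErrorCgroups) != 0 {
+s = append(s, "errorCgroups")
 }
 if (flags & api.EventErrorPathComponents) != 0 {
 s = append(s, "errorPathResolutionCwd")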
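Review bot: The strings appended in DecodeCommonFlags change together with the constant names (`errorDockerKn` becomes `errorCgroupKn`, `errorDockerNameCwd` becomes `errorCgroupName`, and so on), and these appear to be the values consumers of decoded events see, so any alert, filter or dashboard keyed on the old `errorDocker*` values would stop matching without raising an error. Because these flags mark events whose cgroup lookup failed in the kernel, losing that match would silently hide gaps in container attribution. I would call the string change out in the release notes and add a comment above the first renamed branch, for example `// NOTE: flag strings were renamed from errorDocker* to errorCgroup*; update consumers that match on them.` DecodeCommonFlags starts and ends outside the hunk.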
