From acdfc942d9ab3fe65dd76b50a51ff871528bc139 Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Wed, 14 Dec 2022 13:21:01 +0100
Subject: [PATCH] bpf: rename EventDocker errors to EventErrorCgroup
The EventDocker* errors are in reality related to cgroups, so rename the flags to reflect that and improve their user space description too.
Signed-off-by: Djalal Harouni
---
 bpf/lib/process.h | 52 ++++++++++++++++-----------------
 bpf/process/bpf_process_event.h | 4 +--
 pkg/api/flags.go | 15 +++++-----
 pkg/reader/exec/exec.go | 20 ++++++-------
 4 files changed, 46 insertions(+), 45 deletions(-)
diff --git a/bpf/lib/process.h b/bpf/lib/process.h
index 9e7fdcbd415..60d1ce3f169 100644
--- a/bpf/lib/process.h
+++ b/bpf/lib/process.h
@@ -106,32 +106,32 @@
 #define MAXARGMASK (MAXARG - 1)
 /* Msg flags */
-#define EVENT_UNKNOWN 0x00
-#define EVENT_EXECVE 0x01
-#define EVENT_EXECVEAT 0x02
-#define EVENT_PROCFS 0x04
-#define EVENT_TRUNC_FILENAME 0x08
-#define EVENT_TRUNC_ARGS 0x10
-#define EVENT_TASK_WALK 0x20
-#define EVENT_MISS 0x40
-#define EVENT_NEEDS_AUID 0x80
-#define EVENT_ERROR_FILENAME 0x100
-#define EVENT_ERROR_ARGS 0x200
-#define EVENT_NEEDS_CWD 0x400
-#define EVENT_NO_CWD_SUPPORT 0x800
-#define EVENT_ROOT_CWD 0x1000
-#define EVENT_ERROR_CWD 0x2000
-#define EVENT_CLONE 0x4000
-#define EVENT_ERROR_SOCK 0x8000
-#define EVENT_DOCKER_NAME_ERR 0x010000
-#define EVENT_DOCKER_KN_ERR 0x020000
-#define EVENT_DOCKER_SUBSYSCGRP_ERR 0x040000
-#define EVENT_DOCKER_SUBSYS_ERR 0x080000
-#define EVENT_DOCKER_CGROUPS_ERR 0x100000
-#define EVENT_ERROR_CGROUP_ID 0x200000
-#define EVENT_ERROR_PATH_COMPONENTS 0x400000
-#define EVENT_DATA_FILENAME 0x800000
-#define EVENT_DATA_ARGS 0x1000000
+#define EVENT_UNKNOWN 0x00
+#define EVENT_EXECVE 0x01
+#define EVENT_EXECVEAT 0x02
+#define EVENT_PROCFS 0x04
+#define EVENT_TRUNC_FILENAME 0x08
+#define EVENT_TRUNC_ARGS 0x10
+#define EVENT_TASK_WALK 0x20
+#define EVENT_MISS 0x40
+#define EVENT_NEEDS_AUID 0x80
+#define EVENT_ERROR_FILENAME 0x100
+#define EVENT_ERROR_ARGS 0x200
+#define EVENT_NEEDS_CWD 0x400
+#define EVENT_NO_CWD_SUPPORT 0x800
+#define EVENT_ROOT_CWD 0x1000
+#define EVENT_ERROR_CWD 0x2000
+#define EVENT_CLONE 0x4000
+#define EVENT_ERROR_SOCK 0x8000
+#define EVENT_ERROR_CGROUP_NAME 0x010000
+#define EVENT_ERROR_CGROUP_KN 0x020000
+#define EVENT_ERROR_CGROUP_SUBSYSCGRP 0x040000
+#define EVENT_ERROR_CGROUP_SUBSYS 0x080000
+#define EVENT_ERROR_CGROUPS 0x100000
+#define EVENT_ERROR_CGROUP_ID 0x200000
+#define EVENT_ERROR_PATH_COMPONENTS 0x400000
+#define EVENT_DATA_FILENAME 0x800000
+#define EVENT_DATA_ARGS 0x1000000
 #define EVENT_COMMON_FLAG_CLONE 0x01
diff --git a/bpf/process/bpf_process_event.h b/bpf/process/bpf_process_event.h
index 0032751de0f..c4209852bc5 100644
--- a/bpf/process/bpf_process_event.h
+++ b/bpf/process/bpf_process_event.h
@@ -526,7 +526,7 @@ __event_get_current_cgroup_name(struct msg_execve_event *msg,
 if (name)
 probe_read_str(msg->kube.docker_id, KN_NAME_LENGTH, name);
 else
- process->flags |= EVENT_DOCKER_NAME_ERR;
+ process->flags |= EVENT_ERROR_CGROUP_NAME;
 }
 /**
@@ -562,7 +562,7 @@ __event_get_cgroup_info(struct msg_execve_event *msg,
 cgrp = get_task_cgroup(task, subsys_idx);
 if (!cgrp) {
- process->flags |= EVENT_DOCKER_SUBSYSCGRP_ERR;
+ process->flags |= EVENT_ERROR_CGROUP_SUBSYSCGRP;
 return;
 }
diff --git a/pkg/api/flags.go b/pkg/api/flags.go
index 1bf46dcbbe8..57a94f26f45 100644
--- a/pkg/api/flags.go
+++ b/pkg/api/flags.go
@@ -74,15 +74,16 @@ const (
 // the old process and the newly exec'd process.
 EventClone = 0x4000
- // EventDocker*Err indicate the process containerID lookup failed in the
+ // EventCgroup*Err indicate the process cgroup information lookup failed in the
 // kernel. The strings {Name|Kn|SubsysCgrp|Subsys|Cgroup} give us a hint
 // at the specific read that failed so we can investigate the cause.
- EventDockerNameErr = 0x010000
- EventDockerKnErr = 0x020000
- EventDockerSubsysCgrpErr = 0x040000
- EventDockerSubsysErr = 0x080000
- EventDockerCgroupsErr = 0x100000
- EventErrorCgroupId = 0x200000
+ // The cgroup name is used to get the container ID or docker field.
+ EventErrorCgroupName = 0x010000
+ EventErrorCgroupKn = 0x020000
+ EventErrorCgroupSubsysCgrp = 0x040000
+ EventErrorCgroupSubsys = 0x080000
+ EventErrorCgroups = 0x100000
+ EventErrorCgroupId = 0x200000
 EventErrorPathComponents = 0x400000
diff --git a/pkg/reader/exec/exec.go b/pkg/reader/exec/exec.go
index a3a121d6af5..96c423992cf 100644
--- a/pkg/reader/exec/exec.go
+++ b/pkg/reader/exec/exec.go
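Review bot: The rewritten comment above the constants in pkg/api/flags.go describes a name pattern that does not exist after this change: it says `EventCgroup*Err` and lists `{Name|Kn|SubsysCgrp|Subsys|Cgroup}`, while the constants added below it are `EventErrorCgroupName`, `EventErrorCgroupKn`, `EventErrorCgroupSubsysCgrp`, `EventErrorCgroupSubsys` and `EventErrorCgroups`. I would open it with `// EventErrorCgroup{Name|Kn|SubsysCgrp|Subsys} and EventErrorCgroups indicate the process cgroup information lookup failed in the` so that a search for a flag seen in an event lands on this comment. These are exported constants, so any importer outside this patch that still uses the `EventDocker*Err` names stops compiling; if such users exist, keeping the old names for one release as aliases marked `// Deprecated:` would soften that. The `const (` block starts and ends outside the hunk.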
@@ -54,23 +54,23 @@ func DecodeCommonFlags(flags uint32) []string {
 if (flags & api.EventClone) != 0 {
 s = append(s, "clone")
 }
- if (flags & api.EventDockerNameErr) != 0 {
- s = append(s, "errorDockerNameCwd")
+ if (flags & api.EventErrorCgroupName) != 0 {
+ s = append(s, "errorCgroupName")
 }
 if (flags & api.EventErrorCgroupId) != 0 {
 s = append(s, "errorCgroupID")
 }
- if (flags & api.EventDockerKnErr) != 0 {
- s = append(s, "errorDockerKn")
+ if (flags & api.EventErrorCgroupKn) != 0 {
+ s = append(s, "errorCgroupKn")
 }
- if (flags & api.EventDockerSubsysCgrpErr) != 0 {
- s = append(s, "errorDockerSubsysCgrp")
+ if (flags & api.EventErrorCgroupSubsysCgrp) != 0 {
+ s = append(s, "errorCgroupSubsysCgrp")
 }
- if (flags & api.EventDockerSubsysErr) != 0 {
- s = append(s, "errorDockerSubsys")
+ if (flags & api.EventErrorCgroupSubsys) != 0 {
+ s = append(s, "errorCgroupSubsys")
 }
- if (flags & api.EventDockerCgroupsErr) != 0 {
- s = append(s, "errorDockerCgroups")
+ if (flags & api.EventErrorCgroups) != 0 {
+ s = append(s, "errorCgroups")
 }
 if (flags & api.EventErrorPathComponents) != 0 {
 s = append(s, "errorPathResolutionCwd")
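Review bot: The strings appended in `DecodeCommonFlags` change together with the constant names (`errorDockerNameCwd` becomes `errorCgroupName`, `errorDockerKn` becomes `errorCgroupKn`, and likewise for the other three), and these strings are presumably what appears in the decoded flags of exported events. Anything downstream that matches on the old strings, such as alert rules, log filters or dashboards, would stop matching without any error, so an event whose cgroup or container-ID lookup failed would no longer be flagged there. A release note listing the old-to-new mapping would cover that, and a comment above the first renamed branch, for example `// Flag strings are part of the event output; renamed from errorDocker* to errorCgroup*.`, would warn the next editor. The function body starts before and continues past the hunk.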