
support raw_syscalls tracepoint #160

Merged
merged 13 commits into from
Jun 14, 2022
Conversation

kkourt

@kkourt kkourt commented Jun 14, 2022

This PR adds support for the raw_syscalls/sys_enter tracepoint. We need two things for doing so:

  • support for long arguments
  • support for arrays

For the second, we add a constant buffer type, where its size is passed as the metadata argument. Please see individual commits.

@kkourt kkourt requested a review from a team as a code owner June 14, 2022 08:57
@kkourt kkourt requested a review from kevsecurity June 14, 2022 08:57
kkourt added 5 commits June 14, 2022 11:12
In some cases, we do not want an error in validation to be printed by
the json checker (e.g., when there are many events that will not match).

For these cases, introduce a DebugError that, when encountered by
JsonCheck, is logged at the Debug (rather than the Info) level.

Signed-off-by: Kornilios Kourtis <[email protected]>
This patch adds a long type for generic kprobe arguments.

Signed-off-by: Kornilios Kourtis <[email protected]>
Currently, the meta argument is used as an index to existing arguments.
Subsequent patches will change this to other uses, so rename metaTpIndex
to metaTp. (No functional changes.)

Signed-off-by: Kornilios Kourtis <[email protected]>
@kkourt kkourt force-pushed the pr/kkourt/raw_syscalls branch 7 times, most recently from b65fd09 to 65c6ae9 Compare June 14, 2022 10:32
kkourt added 6 commits June 14, 2022 13:47
It seems that our clang-format is incompatible with checkpatch.

Here's why: the next patch wants to add a new entry to an enum in
bpf/process/types/basic.h.

Specifically, adding the following lines:

>       /* const_buf_type is a type for buffers with static size that is passed
>        * in the meta argument
>        */
>       const_buf_type = 18,
>

By doing so, checkpatch complains with the following error:
 Error: ERROR:CODE_INDENT: code indent should use tabs where possible
  #36: FILE: bpf/process/types/basic.h:33:
  +        * in the meta argument$

I tried to just switch the modified line to use tabs but this made
clang-format unhappy.

Why does clang-format use spaces even if we have specified to always use
tabs? (UseTab: Always)

Good question! I think it's because clang-format thinks it's OK to add
the first enum value into the first line.

To avoid the above problem, we can fix clang-format and update the files
so that enums are indented with tabs. To do this we need to specify:

AllowShortEnumsOnASingleLine: false

The above was introduced in clang-format-11, so we need to bump the version.

But bumping it to clang-format-11 will not work due to this bug:
https://reviews.llvm.org/D99840. So we need to use clang-format-14, which
fixes this bug.

Above means we need to base our docker image on a later ubuntu version.

NB: The new clang-format results in updates in some assembly code as
well, but this seems minimal, so I think it is fine.

Signed-off-by: Kornilios Kourtis <[email protected]>
This patch adds a new generic type: const_buf_type. This type represents
a constant-sized buffer. Its size is passed directly into the meta
argument. It will be used in subsequent patches.

Signed-off-by: Kornilios Kourtis <[email protected]>
This patch adds support for array types. The idea is to copy all data
from the bpf side, and let user-space figure things out. To this end,
we use the GenericConstBuffer type introduced in the previous patch, and
pass the size of the buffer as the metadata argument.

Currently, only arrays of longs are supported. Support for other types
will be added as needed.

Signed-off-by: Kornilios Kourtis <[email protected]>
Previous patches added support for longs and arrays as a generic
argument type. This means that we now have all the support needed for
the raw_syscalls tracepoint. This patch adds a simple test for it.

Signed-off-by: Kornilios Kourtis <[email protected]>
This patch moves the functionality for getting syscall information from
pkg/btf to its own package. It also adds some additional functionality
for getting the syscall name from the syscall id.

Signed-off-by: Kornilios Kourtis <[email protected]>
This patch adds a raw_syscalls handler in the encoder. The code
retrieves static syscall information and tries to recreate the syscall
arguments from the raw_syscalls/sys_enter tracepoint.

Sample output:
☎  syscall  /home/kkourt/src/tetragon/tetra sched_yield
☎  syscall  /home/kkourt/src/tetragon/tetra futex(u32 *uaddr=0xea3278, int op=128, u32 val=2, struct __kernel_timespec *utime=0x0, u32 *uaddr2=0x0, u32 val3=0)
☎  syscall  /home/kkourt/src/tetragon/tetra futex(u32 *uaddr=0xea3370, int op=129, u32 val=1, struct __kernel_timespec *utime=0x0, u32 *uaddr2=0x0, u32 val3=0)
☎  syscall  /home/kkourt/src/tetragon/tetra futex(u32 *uaddr=0xea3278, int op=129, u32 val=1, struct __kernel_timespec *utime=0x0, u32 *uaddr2=0x0, u32 val3=0)
☎  syscall  /home/kkourt/src/tetragon/tetra futex(u32 *uaddr=0xc000100148, int op=129, u32 val=1, struct __kernel_timespec *utime=0x0, u32 *uaddr2=0x0, u32 val3=0)
☎  syscall  /home/kkourt/src/tetragon/tetra write(unsigned int fd=1, const char *buf=0xc0006d0780, size_t count=174)
☎  syscall  /home/kkourt/src/tetragon/tetra write(unsigned int fd=1, const char *buf=0xc0006d0780, size_t count=174)

The commit also adds a sample CRD to enable the above tracepoint.

Signed-off-by: Kornilios Kourtis <[email protected]>
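As an added example (not code from this PR or from Tetragon itself), here is a user-space sketch in Go of the path these commits build: parse a sys_enter record whose argument array arrives as a const buffer with its byte size in the meta argument, then rebuild the call from static syscall metadata the way the encoder's sample output above shows. The record layout (id followed by six little-endian longs), the function names and the syscallTable contents (x86_64 ids for write, sched_yield and futex, with signatures taken from the sample output) are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// sysEnterEvent: syscall id (a long) plus the six argument longs that the BPF side copies as one const buffer.
type sysEnterEvent struct {
	ID   int64
	Args [6]uint64
}

// parseSysEnter decodes an assumed little-endian record: 8 id bytes, then the const buffer whose byte size is meta (6 longs = 48).
func parseSysEnter(raw []byte, meta int) (ev sysEnterEvent, err error) {
	if meta != len(ev.Args)*8 || len(raw) < 8+meta {
		return ev, fmt.Errorf("bad sys_enter record: meta=%d len=%d", meta, len(raw))
	}
	ev.ID = int64(binary.LittleEndian.Uint64(raw))
	for i := range ev.Args {
		ev.Args[i] = binary.LittleEndian.Uint64(raw[8+i*8:])
	}
	return ev, nil
}

// syscallTable: constructed stand-in for static syscall metadata keyed by x86_64 id; name first, then one "type name" per argument.
var syscallTable = map[int64][]string{
	1:   {"write", "unsigned int fd", "const char *buf", "size_t count"},
	24:  {"sched_yield"},
	202: {"futex", "u32 *uaddr", "int op", "u32 val", "struct __kernel_timespec *utime", "u32 *uaddr2", "u32 val3"},
}

// formatSyscall rebuilds "name(type arg=value, ...)": pointers in hex, the rest decimal; unknown ids keep the raw number.
func formatSyscall(ev sysEnterEvent) string {
	info, ok := syscallTable[ev.ID]
	if !ok {
		return fmt.Sprintf("syscall_%d", ev.ID)
	}
	name, decls := info[0], info[1:]
	if len(decls) == 0 {
		return name
	}
	parts := make([]string, len(decls))
	for i, decl := range decls {
		if strings.Contains(decl, "*") {
			parts[i] = fmt.Sprintf("%s=0x%x", decl, ev.Args[i])
		} else {
			parts[i] = fmt.Sprintf("%s=%d", decl, ev.Args[i])
		}
	}
	return name + "(" + strings.Join(parts, ", ") + ")"
}
```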
@kkourt kkourt force-pushed the pr/kkourt/raw_syscalls branch from 65c6ae9 to f56c0f5 Compare June 14, 2022 11:49
@jrfastab

LGTM, let's ship it.

@jrfastab jrfastab merged commit 94cb9c2 into main Jun 14, 2022
@jrfastab jrfastab deleted the pr/kkourt/raw_syscalls branch June 14, 2022 21:06