Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bpf: use CORE for execve hook #2399

Merged
merged 1 commit into from
May 3, 2024
Merged

bpf: use CORE for execve hook #2399

merged 1 commit into from
May 3, 2024

Conversation

kkourt
Copy link
Contributor

@kkourt kkourt commented Apr 29, 2024

Users reported an issue on RHEL 9 with binary names being wrong.

Looking at the sched/sched_process_exec tracepoint we hook into:

  $ cat /sys/kernel/debug/tracing/events/sched/sched_process_exec/format
  name: sched_process_exec
  ID: 310
  format:
          field:unsigned short common_type;       offset:0;       size:2; signed:0;
          field:unsigned char common_flags;       offset:2;       size:1; signed:0;
          field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
          field:int common_pid;   offset:4;       size:4; signed:1;
          field:unsigned char common_preempt_lazy_count;  offset:8;       size:1; signed:0;

          field:__data_loc char[] filename;       offset:12;      size:4; signed:1;
          field:pid_t pid;        offset:16;      size:4; signed:1;
          field:pid_t old_pid;    offset:20;      size:4; signed:1;

There is an additional argument: common_preempt_lazy_count, which means that the struct we use (sched_execve_args) is no longer valid.

This patch removes the above struct, and instead, uses CORE and the trace_event_raw_sched_process_exec struct.

Reproduced and patch tested locally on a Rocky Linux 5.3 with a 5.14.0-362.24.1.el9_3.0.1.x86_64 kernel.

Fixes: #1707

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Users reported an issue on RHEL 9 with binary names being wrong.

Looking at the sched/sched_process_exec tracepoint we hook into:

  $ cat /sys/kernel/debug/tracing/events/sched/sched_process_exec/format
  name: sched_process_exec
  ID: 310
  format:
          field:unsigned short common_type;       offset:0;       size:2; signed:0;
          field:unsigned char common_flags;       offset:2;       size:1; signed:0;
          field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
          field:int common_pid;   offset:4;       size:4; signed:1;
          field:unsigned char common_preempt_lazy_count;  offset:8;       size:1; signed:0;

          field:__data_loc char[] filename;       offset:12;      size:4; signed:1;
          field:pid_t pid;        offset:16;      size:4; signed:1;
          field:pid_t old_pid;    offset:20;      size:4; signed:1;

There is an additional argument: common_preempt_lazy_count, which means
that the struct we use (sched_execve_args) is no longer valid.

This patch removes the above struct, and instead, uses CORE and the
trace_event_raw_sched_process_exec struct.

Reproduced and patch tested locally on a Rocky Linux 5.3 with a
5.14.0-362.24.1.el9_3.0.1.x86_64  kernel.

Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
@kkourt kkourt added the release-note/bug This PR fixes an issue in a previous release of Tetragon. label Apr 29, 2024
@kkourt kkourt marked this pull request as ready for review April 29, 2024 20:45
@kkourt kkourt requested a review from a team as a code owner April 29, 2024 20:45
@kkourt kkourt requested a review from olsajiri April 29, 2024 20:45
Copy link
Contributor

@olsajiri olsajiri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice catch!

@jrfastab jrfastab merged commit 8100230 into main May 3, 2024
45 of 46 checks passed
@jrfastab jrfastab deleted the pr/kkourt/rhel9-execve branch May 3, 2024 19:07
@kkourt kkourt added the needs-backport/1.1 This PR needs backporting to 1.1 label May 4, 2024
@kkourt
Copy link
Contributor Author

kkourt commented May 4, 2024

Marked it for backporting

@mtardy
Copy link
Member

mtardy commented May 16, 2024

oh wow, nice catch indeed that could be the issue, and finally fixing this long-standing issue.

@inliquid
Copy link
Contributor

Is it in 1.1 already?

@kkourt
Copy link
Contributor Author

kkourt commented May 23, 2024

Is it in 1.1 already?

Not yet. Will do the backport soon.

@kkourt
Copy link
Contributor Author

kkourt commented May 24, 2024

backport: #2468

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-backport/1.1 This PR needs backporting to 1.1 release-note/bug This PR fixes an issue in a previous release of Tetragon.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

filename monitoring not recgonizing/printing out binary cmd correctly
5 participants