Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tetragon: Separate execve sensor into taill called programs #456

Merged
merged 3 commits into from
Oct 7, 2022
Merged

tetragon: Separate execve sensor into taill called programs #456

merged 3 commits into from
Oct 7, 2022

Conversation

olsajiri
Copy link
Contributor

The execve is getting more complex and on 4.19 it's reaching
the maximum program size.

Splitting execve sensor into 2 (so far) tail called programs and
adjusting TestLoad* tests.

Signed-off-by: Jiri Olsa [email protected]

@olsajiri olsajiri force-pushed the execve_split branch 3 times, most recently from b9dd8aa to d0094ef Compare October 3, 2022 07:41
@olsajiri olsajiri marked this pull request as ready for review October 3, 2022 11:07
@olsajiri olsajiri requested a review from a team as a code owner October 3, 2022 11:07
@olsajiri olsajiri requested a review from sharlns October 3, 2022 11:07
@olsajiri olsajiri self-assigned this Oct 3, 2022
kkourt
kkourt reviewed Oct 4, 2022
View reviewed changes
pkg/testutils/sensors/load.go Outdated Show resolved Hide resolved
pkg/testutils/sensors/load.go Outdated Show resolved Hide resolved
pkg/testutils/sensors/load.go Show resolved Hide resolved
@olsajiri
tetragon: Add mergeSensorMaps function
14d3cd6 
Adding mergeSensorMaps function that merges sensor
maps together.

Signed-off-by: Jiri Olsa <[email protected]>
@olsajiri
tetragon: Merge in base sensors for TestLoad* tests
e6a3f62 
Signed-off-by: Jiri Olsa <[email protected]>
@olsajiri
tetragon: Separate execve sensor into taill calls
bc0df86 
Separating execve sensor into 2 programs:
  1) event_execve
  2) execve_send

The 1) does the data retrieval and 2) sends event to the user space.

This separation simplifies the code and allows us to move to clang 14,
which generates un-verifiable code without the split.

We can split 1) even further in future if needed, so far separating 2)
simplified the code enough.

Signed-off-by: Jiri Olsa <[email protected]>
@kkourt kkourt mentioned this pull request Oct 7, 2022
Closed
tixxdz
tixxdz approved these changes Oct 7, 2022
View reviewed changes
Copy link
Member

@tixxdz tixxdz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @olsajiri this solves my problems too for 4.19 and cgroups ;-)

Approved!

jrfastab
jrfastab reviewed Oct 7, 2022
View reviewed changes
bpf/process/bpf_execve_event.c
@@ -185,10 +188,37 @@ event_execve(struct sched_execve_args *ctx)
fileoff = ctx->filename & 0xFFFF;
binary = event_filename_builder(ctx, execve, pid, EVENT_EXECVE, binary,
(char *)ctx + fileoff);
event->binary = binary;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this reads a bit strange I'm not sure why

event->binary = event_filename_builder(...)

is not used.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ugh, will fix that in another PR, thanks

@jrfastab jrfastab merged commit 3944160 into cilium:main Oct 7, 2022
@kkourt kkourt mentioned this pull request Oct 24, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tixxdz tixxdz tixxdz approved these changes

@jrfastab jrfastab jrfastab left review comments

@kkourt kkourt kkourt approved these changes

@sharlns sharlns Awaiting requested review from sharlns sharlns is a code owner automatically assigned from cilium/tetragon

Assignees

@olsajiri olsajiri

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@olsajiri @kkourt @jrfastab @tixxdz