Conversation
| }; | ||
| #endif | ||
| struct bpf_map_def __bpf_section("maps") interesting_syscalls_table = { |
New interesting syscalls map for bpf.
| SCAP_TMP_SCRATCH_MAP = 7, | ||
| SCAP_SETTINGS_MAP = 8, | ||
| SCAP_LOCAL_STATE_MAP = 9, | ||
| SCAP_INTERESTING_SYSCALLS_TABLE = 10, |
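Review bot: giving SCAP_INTERESTING_SYSCALLS_TABLE the value 10 collides with SCAP_STASH_MAP unless that entry is renumbered in the same change; because SCAP_STASH_MAP is only compiled in under the BPF_SUPPORTS_RAW_TRACEPOINTS conditional, keep it as the last entry of the enum (or drop the conditional so the numbering is stable), otherwise every index after it shifts by one depending on the build.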
SCAP_STASH_MAP should always stay last because it can be missing when BPF_SUPPORTS_RAW_TRACEPOINTS is enabled, therefore all below idx would be shifted by one.
Hmm how didn't we have this table before?
We passed a sentinel value while filling the syscall_table map instead; see old impl of populate_syscall_table_map() in scap_bpf.c
| /* | ||
| * While we're here, disable simple mode if it's active | ||
| */ | ||
| g_simple_mode_enabled = false; |
Dropped simple mode for kmod.
| EF_SKIPPARSERESET = (1 << 8), /* This event shouldn't pollute the parser lastevent state tracker. */ | ||
| EF_OLD_VERSION = (1 << 9), /* This event is kept for backward compatibility */ | ||
| EF_DROP_SIMPLE_CONS = (1 << 10), /* This event can be skipped by consumers that privilege low overhead to full event capture */ | ||
| // EF_DROP_SIMPLE_CONS = (1 << 10), /* This event can be skipped by consumers that privilege low overhead to full event capture */ SUPPORT DROPPED |
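Review bot: leaving the bit as a commented-out line keeps the numbering stable but makes the reservation invisible to the compiler; a named placeholder such as `EF_RESERVED_10 = (1 << 10), /* formerly EF_DROP_SIMPLE_CONS, support dropped */` documents the gap in the enum itself and prevents the value from being silently reused for an unrelated flag later.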
Didn't remove the flag to avoid having a weird jump between
1 << 9 and 1 << 11
| #define PPM_IOCTL_GET_PROCLIST _IO(PPM_IOCTL_MAGIC, 16) | ||
| #define PPM_IOCTL_SET_TRACERS_CAPTURE _IO(PPM_IOCTL_MAGIC, 17) | ||
| #define PPM_IOCTL_SET_SIMPLE_MODE _IO(PPM_IOCTL_MAGIC, 18) | ||
| // #define PPM_IOCTL_SET_SIMPLE_MODE _IO(PPM_IOCTL_MAGIC, 18) Support dropped |
Didn't remove the flag to avoid having a weird jump between
(PPM_IOCTL_MAGIC, 17) and (PPM_IOCTL_MAGIC, 19)
| UF_NEVER_DROP = (1 << 1), | ||
| UF_ALWAYS_DROP = (1 << 2), | ||
| UF_SIMPLEDRIVER_KEEP = (1 << 3), ///< Mark a syscall to be kept in simpledriver mode, see scap_enable_simpledriver_mode() | ||
| // UF_SIMPLEDRIVER_KEEP = (1 << 3), ///< Mark a syscall to be kept in simpledriver mode, see scap_enable_simpledriver_mode() -> SUPPORT DROPPED |
Didn't remove the flag to avoid having a weird jump between
1 << 2 and 1 << 4
| { | ||
| const struct syscall_evt_pair *p = &g_syscall_table[j]; | ||
| if (!handle->m_syscalls_of_interest[j]) | ||
| if(bpf_map_update_elem(handle->m_bpf_map_fds[SCAP_SYSCALL_TABLE], &j, p, BPF_ANY) != 0) |
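Review bot: removing the `if (!handle->m_syscalls_of_interest[j])` guard means `bpf_map_update_elem` now runs for every entry of `g_syscall_table`, so the syscall table map no longer encodes which syscalls are of interest; the filtering must therefore happen against the new interesting_syscalls_table on the BPF side before any event is emitted, otherwise syscalls that were previously excluded at population time will start producing events.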
Syscall table map will now always have full info about syscalls, because we will use the new interesting_syscalls_map.
| } | ||
| if(bpf_map_update_elem(handle->m_bpf_map_fds[SCAP_SYSCALL_TABLE], &j, p, BPF_ANY) != 0) | ||
| return bpf_map_freeze(handle->m_bpf_map_fds[SCAP_SYSCALL_TABLE]); |
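Review bot: `bpf_map_freeze` fails on kernels without BPF_MAP_FREEZE support (it was added in Linux 5.2), so returning its result directly turns a missing kernel feature into a failure of the whole syscall table population even though the map contents are already correct; either treat that error as non-fatal (log it and return 0) or gate the call on a feature check. Freezing is otherwise a good fit here, since it rejects any later userspace write to a table that is meant to be constant after start-up.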
Given it is start time constant, we can even freeze the map.
| #define MODERN_BPF_OPTION "--modern_bpf" | ||
| #endif | ||
| #define SCAP_FILE_OPTION "--scap_file" | ||
| #define SIMPLE_CONSUMER_OPTION "--simple_consumer" |
No more simpleconsumer mode exists.
userspace/libscap/scap_engine_util.h
| #pragma once | ||
| void fill_syscalls_of_interest(interesting_ppm_sc_set *ppm_sc_of_interest, bool (*syscalls_of_interest)[SYSCALL_TABLE_SIZE]); | ||
| void fill_syscalls_of_interest(interesting_ppm_sc_set *ppm_sc_of_interest, bool *syscalls_of_interest); |
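Review bot: changing the second parameter from `bool (*)[SYSCALL_TABLE_SIZE]` to `bool *` drops the compile-time check that callers pass an array of exactly SYSCALL_TABLE_SIZE entries; if the array-pointer type goes for readability, state in the declaration's comment that the buffer must hold SYSCALL_TABLE_SIZE bools, or pass the size as an explicit argument, so an undersized buffer cannot be overrun when the function fills it.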
Avoid passing a weird double pointer here :)
/cc @gnosek
❤️ Could we include a patch to add a summary of syscall events (or any event) in the form of a set() showing distinct syscall ids seen (sanity check for perf studies). Also transform to a human readable list of syscall names if possible. Edited: Perhaps also add start and end timestamp, duration of run and average event rate per second to
gnosek
left a comment
Looks fine at a quick glance :)
userspace/libscap/scap.c
| { | ||
| if (g_syscall_table[j].exit_event_type == i || g_syscall_table[j].enter_event_type == i) | ||
| { | ||
| uint32_t ppm_sc_code = g_syscall_code_routing_table[i]; |
As per conversations with @FedeDP this might need to be j instead of i since it iterates on SYSCALL_TABLE_SIZE
Moreover, give more meaningful names to idx. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Luca Guerra <luca@guerra.sh>
Pulled latest changes and simulated #521 (comment) in the
/kind feature
This is the same API we introduced for runtime ppm_sc management in #521, but for tracepoints. It is implemented for kmod, bpf and modern_bpf. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
leogr
left a comment
Approved again. I just left some minor comments (no blocker anyway).
| SCAP_INTERESTING_SYSCALLS_TABLE = 10, | ||
| #ifndef BPF_SUPPORTS_RAW_TRACEPOINTS | ||
| SCAP_STASH_MAP = 10, | ||
| SCAP_STASH_MAP = 11, |
I'd remove the ifndef wrapping and always keep SCAP_STASH_MAP (even when unnecessary).
That would make the addition of other items easier.
Indeed it is unused 😆 https://github.com/falcosecurity/libs/search?q=SCAP_STASH_MAP
| return 0; | ||
| } | ||
| /// TODO: we need to pass directly the system syscall number not the `ppm_sc` here. |
| /// TODO: we need to pass directly the system syscall number not the `ppm_sc` here. | |
| // TODO: we need to pass directly the system syscall number not the `ppm_sc` here. |
Not sure I understood this comment 🤔
LucaGuerra
left a comment
Great work! This will be instrumental to tune performance depending on the lib client's needs!
/approve
What type of PR is this?
/kind cleanup
Any specific area of the project related to this PR?
/area driver-kmod
/area driver-bpf
/area libscap-engine-bpf
/area libscap-engine-kmod
Does this PR require a change in the driver versions?
We'd need to bump the API maj version, but it was already bumped during this release cycle.
What this PR does / why we need it:
Dropped simpleconsumer mode and simple driver concepts.
Instead, clients should always push interesting syscalls set using
opensinsp APIs for supported engines (kmod, bpf, modern_bpf) parameters. Clients can also dynamically switch on/off syscalls at runtime, by using:
Moreover, moved bpf interesting syscall check as soon as possible.
A new map was created to hold interesting syscalls for bpf.
Dropped EF_DROP_SIMPLE_CONS and UF_SIMPLEDRIVER_KEEP flags too.
Moreover, added a new `interesting_tp_set` field to scap_open_args, to allow scap clients to specify a set of tracepoints to be attached. When NULL, all tracepoints will be attached (default value). Updated `interesting_ppm_sc_code` set to match the same behavior when NULL. Libscap scap-open example now has 2 more options: `--tp` and `--ppm_sc`, that allow to:
Note however that the new `interesting_tp_set` is actually unused by sinsp, ie: it is only available to scap clients, not sinsp ones. IMHO this is a somewhat debug feature that should not be exposed to libs clients.
Example:
Where ppm_sc 27 and 28 are `mkdir` and `rmdir`, and I've got another terminal that runs `mkdir x; rmdir x`.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: