cleanup(driver,userspace/libscap): let kmod use syscalls mask instead of events mask, like bpf and modern bpf

[FedeDP]

What type of PR is this?

/kind cleanup

Any specific area of the project related to this PR?

/area driver-kmod
/area libscap-engine-kmod

Does this PR require a change in the driver versions?

/version driver-API-version-major

But we already bumped major in #709

What this PR does / why we need it:

Both bpf and modern bpf use a syscalls of interest concept; kmod was instead using an event of interest concept.
I ported kmod to use same concept of bpf and modern bpf.
NOTE: using event of interest also carried bugs, because when an user enforce certain ppm_sc through the scap/sinsp APIs, we would also lose all other non-syscalls event types generated by kmod (ie: signals, drops...), because kmod internally zeroed the event mask.

Which issue(s) this PR fixes:

Described above.

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

cleanup(driver)!: port kmod to use syscalls mask instead of events mask.

[FedeDP]

/cc @gnosek @Andreagit97

[Andreagit97]

/milestone 0.10.0

[Andreagit97]

Just one minor question

[Andreagit97]

Why do we need to enable all the syscalls here?

[FedeDP]

Yep this is a default; i don't think it is necessary given that scap_kmod will set all the interesting syscalls at startup time.

[FedeDP]

I'd leave it there for now :)

[gnosek]

This needs an API version bump, and ideally a new ioctl name/number instead of changing the behavior of existing ones

EDIT:

But we already bumped major in #709

I still disagree about this but I know I'm outnumbered so 🤷‍♂️ 🙃

[Andreagit97]

I agree with the rename but do we really need the old feature on events_mask? do we have to disable events that are not syscalls?

[gnosek]

do we have to disable events that are not syscalls?
We probably have to do this via tracepoints now.

In any case, we cannot just change the ioctl behavior and use the same number (there's tons of fun to be had if you e.g. use an ancient consumer with a new driver). IMO:

• introduce a completely new ioctl for this
• make the old ioctl return -ENOTTY or something so that we can't mess up by accidentally mismatching versions

[Andreagit97]

We probably have to do this via tracepoints now.

The tracepoint events shouldn't be masked, they should be always available, we just directly attach and detach the tracepoints 🤔 if the tracepoint is not there it cannot generate any event (probably this is exactly what you said 😆 )

In any case, we cannot just change the ioctl behavior and use the same number (there's tons of fun to be had if you e.g. use an ancient consumer with a new driver). IMO:

introduce a completely new ioctl for this
make the old ioctl return -ENOTTY or something so that we can't mess up by accidentally mismatching versions

Absolutely agree with that!

[gnosek]

The tracepoint events shouldn't be masked, they should be always available, we just directly attach and detach the tracepoints 🤔 if the tracepoint is not there it cannot generate any event

yeah, this is what I mean

[FedeDP]

This needs an API version bump, and ideally a new ioctl name/number instead of changing the behavior of existing ones

Api version bump, as said in the op, was already done in this release cycle for #709; no more changes are required.
For the ioctl: note that an old client is not expected to work, given the api maj version bump; that is the reason we added those semver checks!

[FedeDP]

I still disagree about this but I know I'm outnumbered so man_shrugging upside_down_face

We are going to reach chromium version in a couple of weeks if we bump every time we break 😆

[FedeDP]

@gnosek everything should be ok now :) I dropped the old ioctls and added new ones.

[dwindsor]

Both bpf and modern bpf use a syscalls of interest concept; kmod was instead using an event of interest concept.
I ported kmod to use same concept of bpf and modern bpf.

Where does this leave the non-syscall kmod tracepoints (sched_process_exit, page_fault_user et al)?

[FedeDP]

Where does this leave the non-syscall kmod tracepoints (sched_process_exit, page_fault_user et al)?

Well, the ppm_sc API is for disabling syscalls (while leaving sys_enter and sys_exit tracepoints attached). You can still disable tracepoints too.
Basically, we have events that maps 1:1 with tracepoints for all tracepoints except sys_enter and sys_exit.
These latter tracepoints map 1:N with events (ie: each tracepoints manages all syscall related enter/exit events).

[dwindsor]

Makes sense. I guess what I was getting at was this:

// #define PPM_IOCTL_DISABLE_SIGNAL_DELIVER _IO(PPM_IOCTL_MAGIC, 14) Support dropped
// #define PPM_IOCTL_ENABLE_SIGNAL_DELIVER _IO(PPM_IOCTL_MAGIC, 15) Support dropped

☝️this change (96aa1686) seems fairly recent, does it mean that we can no longer disable these tracepoints (there are others that were disabled as well).

[FedeDP]

Of course you can :) but there is now a proper Scap API for that and a TPMASK ioctl! (A bit lower in that very same file)

[leogr]

SGTM, however, we should also bump the DRIVER API version, shouldn't we?
cc @gnosek @FedeDP @Andreagit97

[FedeDP]

Answered above to grzeg with the same question! 😄
See the OP of this PR !
We already bumped API version a week ago when #709 was merged!

[Andreagit97]

/approve

[poiana]

LGTM label has been added.

Details

Git tree hash: 17ca6765b5bdac9f93e80b7f231108ce36d4c3a8

[FedeDP]

@gnosek mind to approve if you are ok?

[hbrueckner]

/lgtm

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, gnosek, hbrueckner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP,gnosek]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment