feat(proctree): control procfs query by config

Allow the procfs scanning and querying to be configured by the user. For now Tracee only enable to disable the procfs querying upon lost events. This should help to improve performance on high-load systems.
aquasecurity · Apr 30, 2024 · 78acee7 · 78acee7
1 parent 99bc47e
commit 78acee7
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 20 deletions.
diff --git a/pkg/cmd/flags/proctree.go b/pkg/cmd/flags/proctree.go
@@ -31,9 +31,11 @@ func PrepareProcTree(cacheSlice []string) (proctree.ProcTreeConfig, error) {
 	var err error
 
 	config := proctree.ProcTreeConfig{
-		Source:           proctree.SourceNone, // disabled by default
-		ProcessCacheSize: proctree.DefaultProcessCacheSize,
-		ThreadCacheSize:  proctree.DefaultThreadCacheSize,
+		Source:               proctree.SourceNone, // disabled by default
+		ProcessCacheSize:     proctree.DefaultProcessCacheSize,
+		ThreadCacheSize:      proctree.DefaultThreadCacheSize,
+		ProcfsInitialization: true,
+		ProcfsQuerying:       true,
 	}
 
 	cacheSet := false
@@ -90,6 +92,10 @@ func PrepareProcTree(cacheSlice []string) (proctree.ProcTreeConfig, error) {
 				cacheSet = true
 				continue
 			}
+			if strings.HasPrefix(value, "disable-procfs-query") {
+				config.ProcfsQuerying = false
+				continue
+			}
 			err = fmt.Errorf("unrecognized proctree option format: %v", value)
 		}
 	}

diff --git a/pkg/proctree/proctree.go b/pkg/proctree/proctree.go
@@ -63,19 +63,22 @@ func (s SourceType) String() string {
 }
 
 type ProcTreeConfig struct {
-	Source           SourceType
-	ProcessCacheSize int
-	ThreadCacheSize  int
+	Source               SourceType
+	ProcessCacheSize     int
+	ThreadCacheSize      int
+	ProcfsInitialization bool // Determine whether to scan procfs data for process tree initialization
+	ProcfsQuerying       bool // Determine whether to query procfs for missing information during runtime
 }
 
 // ProcessTree is a tree of processes and threads.
 type ProcessTree struct {
-	processes  *lru.Cache[uint32, *Process] // hash -> process
-	threads    *lru.Cache[uint32, *Thread]  // hash -> threads
-	procfsChan chan int                     // channel of pids to read from procfs
-	procfsOnce *sync.Once                   // busy loop debug message throttling
-	ctx        context.Context              // context for the process tree
-	mutex      *sync.RWMutex                // mutex for the process tree
+	processes   *lru.Cache[uint32, *Process] // hash -> process
+	threads     *lru.Cache[uint32, *Thread]  // hash -> threads
+	procfsChan  chan int                     // channel of pids to read from procfs
+	procfsOnce  *sync.Once                   // busy loop debug message throttling
+	ctx         context.Context              // context for the process tree
+	mutex       *sync.RWMutex                // mutex for the process tree
+	procfsQuery bool
 }
 
 // NewProcessTree creates a new process tree.
@@ -133,14 +136,17 @@ func NewProcessTree(ctx context.Context, config ProcTreeConfig) (*ProcessTree, e
 	}()
 
 	procTree := &ProcessTree{
-		processes: processes,
-		threads:   threads,
-		ctx:       ctx,
-		mutex:     &sync.RWMutex{},
+		processes:   processes,
+		threads:     threads,
+		ctx:         ctx,
+		mutex:       &sync.RWMutex{},
+		procfsQuery: config.ProcfsQuerying,
 	}
 
-	// Walk procfs and feed the process tree with data.
-	procTree.FeedFromProcFSAsync(AllPIDs)
+	if config.ProcfsInitialization {
+		// Walk procfs and feed the process tree with data.
+		procTree.FeedFromProcFSAsync(AllPIDs)
+	}
 
 	return procTree, nil
 }

diff --git a/pkg/proctree/proctree_feed.go b/pkg/proctree/proctree_feed.go
@@ -63,7 +63,9 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 			},
 			utils.NsSinceBootTimeToTime(feed.TimeStamp),
 		)
-		pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
+		if pt.procfsQuery {
+			pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
+		}
 	}
 
 	parent, found := pt.GetProcessByHash(feed.ParentHash) // always a real process
@@ -99,7 +101,9 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 			},
 			utils.NsSinceBootTimeToTime(feed.TimeStamp),
 		)
-		pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
+		if pt.procfsQuery {
+			pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
+		}
 	}
 
 	leader, found := pt.GetProcessByHash(feed.LeaderHash)