tracee-ebpf: don't send argument type

Instead of sending the type of every argument in an event, we can use the argument index to figure out the type. This saves sending an extra 1 byte per each argument of any given event.
aquasecurity · Sep 20, 2021 · 08cab83 · 08cab83
1 parent 1629071
commit 08cab83
Show file tree

Hide file tree

Showing 6 changed files with 221 additions and 229 deletions.
diff --git a/tracee-ebpf/tracee/consts.go b/tracee-ebpf/tracee/consts.go
@@ -926,7 +926,7 @@ var EventsIDToParams = map[int32][]external.ArgMeta{
 	SysEnterEventID:               {{Type: "int", Name: "syscall"}},
 	SysExitEventID:                {{Type: "int", Name: "syscall"}},
 	SchedProcessForkEventID:       {{Type: "int", Name: "parent_tid"}, {Type: "int", Name: "parent_ns_tid"}, {Type: "int", Name: "child_tid"}, {Type: "int", Name: "child_ns_tid"}},
-	SchedProcessExecEventID:       {{Type: "const char *", Name: "cmdpath"}, {Type: "const char *", Name: "pathname"}, {Type: "const char*const*", Name: "argv"}, {Type: "const char*const*", Name: "env"}, {Type: "dev_t", Name: "dev"}, {Type: "unsigned long", Name: "inode"}, {Type: "int", Name: "invoked_from_kernel"}},
+	SchedProcessExecEventID:       {{Type: "const char*", Name: "cmdpath"}, {Type: "const char*", Name: "pathname"}, {Type: "const char*const*", Name: "argv"}, {Type: "const char*const*", Name: "env"}, {Type: "dev_t", Name: "dev"}, {Type: "unsigned long", Name: "inode"}, {Type: "int", Name: "invoked_from_kernel"}},
 	SchedProcessExitEventID:       {},
 	SchedSwitchEventID:            {{Type: "int", Name: "cpu"}, {Type: "int", Name: "prev_tid"}, {Type: "const char*", Name: "prev_comm"}, {Type: "int", Name: "next_tid"}, {Type: "const char*", Name: "next_comm"}},
 	DoExitEventID:                 {},
@@ -950,6 +950,6 @@ var EventsIDToParams = map[int32][]external.ArgMeta{
 	SecurityBPFEventID:            {{Type: "int", Name: "cmd"}},
 	SecurityBPFMapEventID:         {{Type: "unsigned int", Name: "map_id"}, {Type: "const char*", Name: "map_name"}},
 	SecurityKernelReadFileEventID: {{Type: "const char*", Name: "pathname"}, {Type: "dev_t", Name: "dev"}, {Type: "unsigned long", Name: "inode"}, {Type: "const char*", Name: "type"}},
-	SecurityInodeMknodEventID:     {{Type: "const char*", Name: "file_name"}, {Type: "mode_t", Name: "mode"}, {Type: "dev_t", Name: "dev"}},
+	SecurityInodeMknodEventID:     {{Type: "const char*", Name: "file_name"}, {Type: "umode_t", Name: "mode"}, {Type: "dev_t", Name: "dev"}},
 	InitNamespacesEventID:         {{Type: "u32", Name: "cgroup"}, {Type: "u32", Name: "ipc"}, {Type: "u32", Name: "mnt"}, {Type: "u32", Name: "net"}, {Type: "u32", Name: "pid"}, {Type: "u32", Name: "pid_for_children"}, {Type: "u32", Name: "time"}, {Type: "u32", Name: "time_for_children"}, {Type: "u32", Name: "user"}, {Type: "u32", Name: "uts"}},
 }
diff --git a/tracee-ebpf/tracee/events_decoder.go b/tracee-ebpf/tracee/events_decoder.go
@@ -19,19 +19,22 @@ type alert struct {
 	Payload uint8
 }
 
-func readArgFromBuff(dataBuff io.Reader) (uint8, interface{}, error) {
+func readArgFromBuff(dataBuff io.Reader, params []external.ArgMeta) (external.ArgMeta, interface{}, error) {
 	var err error
 	var res interface{}
 	var argIdx uint8
-	var argType argType
-	err = binary.Read(dataBuff, binary.LittleEndian, &argType)
-	if err != nil {
-		return argIdx, nil, fmt.Errorf("error reading arg type: %v", err)
-	}
+	var argMeta external.ArgMeta
+
 	err = binary.Read(dataBuff, binary.LittleEndian, &argIdx)
 	if err != nil {
-		return argIdx, nil, fmt.Errorf("error reading arg index: %v", err)
+		return argMeta, nil, fmt.Errorf("error reading arg index: %v", err)
+	}
+	if int(argIdx) >= len(params) {
+		return argMeta, nil, fmt.Errorf("invalid arg index %d", argIdx)
 	}
+	argMeta = params[argIdx]
+	argType := getParamType(argMeta.Type)
+
 	switch argType {
 	case u16T:
 		var data uint16
@@ -74,12 +77,12 @@ func readArgFromBuff(dataBuff io.Reader) (uint8, interface{}, error) {
 		var arrLen uint8
 		err = binary.Read(dataBuff, binary.LittleEndian, &arrLen)
 		if err != nil {
-			return argIdx, nil, fmt.Errorf("error reading string array number of elements: %v", err)
+			return argMeta, nil, fmt.Errorf("error reading string array number of elements: %v", err)
 		}
 		for i := 0; i < int(arrLen); i++ {
 			s, err := readStringFromBuff(dataBuff)
 			if err != nil {
-				return argIdx, nil, fmt.Errorf("error reading string element: %v", err)
+				return argMeta, nil, fmt.Errorf("error reading string element: %v", err)
 			}
 			ss = append(ss, s)
 		}
@@ -88,29 +91,27 @@ func readArgFromBuff(dataBuff io.Reader) (uint8, interface{}, error) {
 		var size uint32
 		err = binary.Read(dataBuff, binary.LittleEndian, &size)
 		if err != nil {
-			return argIdx, nil, fmt.Errorf("error reading byte array size: %v", err)
+			return argMeta, nil, fmt.Errorf("error reading byte array size: %v", err)
 		}
 		if size > 4096 {
-			return argIdx, nil, fmt.Errorf("byte array size too big: %d", size)
+			return argMeta, nil, fmt.Errorf("byte array size too big: %d", size)
 		}
 		res, err = readByteSliceFromBuff(dataBuff, int(size))
 	case intArr2T:
 		var intArray [2]int32
-
 		err = binary.Read(dataBuff, binary.LittleEndian, &intArray)
 		if err != nil {
-			return argIdx, nil, fmt.Errorf("error reading int elements: %v", err)
+			return argMeta, nil, fmt.Errorf("error reading int elements: %v", err)
 		}
-
 		res = intArray
 	default:
 		// if we don't recognize the arg type, we can't parse the rest of the buffer
-		return argIdx, nil, fmt.Errorf("error unknown arg type %v", argType)
+		return argMeta, nil, fmt.Errorf("error unknown arg type %v", argType)
 	}
 	if err != nil {
-		return argIdx, nil, err
+		return argMeta, nil, err
 	}
-	return argIdx, res, nil
+	return argMeta, res, nil
 }
 
 func readSockaddrFromBuff(buff io.Reader) (map[string]string, error) {

diff --git a/tracee-ebpf/tracee/events_pipeline.go b/tracee-ebpf/tracee/events_pipeline.go
@@ -89,26 +89,21 @@ func (t *Tracee) decodeRawEvent(done <-chan struct{}) (<-chan RawEvent, <-chan e
 				ArgMetas: make([]external.ArgMeta, ctx.Argnum),
 			}
 
+			params := EventsIDToParams[ctx.EventID]
+			if params == nil {
+				errc <- fmt.Errorf("failed to get parameters of event %d", ctx.EventID)
+				continue
+			}
+
 			for i := 0; i < int(ctx.Argnum); i++ {
-				argIdx, argVal, err := readArgFromBuff(dataBuff)
+				argMeta, argVal, err := readArgFromBuff(dataBuff, params)
 				if err != nil {
-					errc <- err
+					errc <- fmt.Errorf("failed to read argument %d of event %d: %v", i, ctx.EventID, err)
 					continue
 				}
 
-				if int(argIdx) >= len(EventsIDToParams[ctx.EventID]) {
-					errc <- fmt.Errorf("invalid arg index %d of event %d", argIdx, ctx.EventID)
-					continue
-				}
-				argName := EventsIDToParams[ctx.EventID][argIdx].Name
-				argType, ok := t.ParamTypes[ctx.EventID][argName]
-				if !ok {
-					errc <- fmt.Errorf("invalid arg type for arg name %s of event %d", argName, ctx.EventID)
-					continue
-				}
-				rawEvent.Args[argName] = argVal
-				rawEvent.ArgMetas[i].Name = argName
-				rawEvent.ArgMetas[i].Type = argType
+				rawEvent.Args[argMeta.Name] = argVal
+				rawEvent.ArgMetas[i] = argMeta
 			}
 
 			select {