chore(ebpf): optimize filldir64 program

The filldir64 program runs very frequently, and as such incurs great overhead. However, its usecase only requires the submission of events from non 0 process inodes. Since this filter is faster than scope evaluation, move this condition check before program data initialization and scope evaluation. Optimization reduces the average runtime to ~18% of the previous overhead. Note, that even for more run amounts, the overall runtime is now 27% from the previous version. Before: PROGRAM: filldir64 (type: kprobe, runtime: 61047110 ns, amount: 53135 times, average: 1148 ns) After: PROGRAM: filldir64 (type: kprobe, runtime: 16507056 ns, amount: 80350 times, average: 205 ns)
aquasecurity · Jul 10, 2024 · 0aa855c · 0aa855c
1 parent b5bb5d4
commit 0aa855c
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1557,6 +1557,11 @@ int tracepoint__sched__sched_switch(struct bpf_raw_tracepoint_args *ctx)
 SEC("kprobe/filldir64")
 int BPF_KPROBE(trace_filldir64)
 {
+    // only inode=0 is relevant, simple filter prior to program run
+    unsigned long process_inode_number = (unsigned long) PT_REGS_PARM5(ctx);
+    if (process_inode_number != 0)
+        return 0;
+
     program_data_t p = {};
     if (!init_program_data(&p, ctx, HIDDEN_INODES))
         return 0;
@@ -1565,10 +1570,6 @@ int BPF_KPROBE(trace_filldir64)
         return 0;
 
     char *process_name = (char *) PT_REGS_PARM2(ctx);
-    unsigned long process_inode_number = (unsigned long) PT_REGS_PARM5(ctx);
-
-    if (process_inode_number != 0)
-        return 0;
 
     save_str_to_buf(&p.event->args_buf, process_name, 0);
     return events_perf_submit(&p, 0);