
[DRAFT] playing around process tree ideas #3363

Closed
wants to merge 2 commits into from

Commits on Aug 4, 2023

  1. feature(events): process unique identifier murmur hashing

    By having a hash to represent each process that has ever existed, we can keep
    track of the relationship between processes and their children using these
    identifiers instead of the fragile PID/PPID relationship.
    
    The eBPF murmur hashing function is added, despite not being currently
    used, because it has been tested together with the userland portion, to
    make sure the hashes are exactly the same (so both sides are talking the
    same language).
    
    > This code will be used by the process tree implementation in next
    > commits.
    rafaeldtinoco committed Aug 4, 2023
    6839ba7
  2. feature(events): turn SchedProcessXXX control plane enabled

    - ADD parent_start_time argument to event context (*)
    
    - move functions containing inline asm to the end of their files
    - create buffer_memcpy() for map-to-map buffer copy in ebpf
    
    - sched_process_fork:
      - create a signal handler for a SchedProcessFork signal event
      - only SUBMIT the SchedProcessFork event if picked by a policy
      - ALWAYS submit the SchedProcessFork signal event (args only)
    
    - sched_process_exec:
      - create a signal handler for a SchedProcessExec signal event
      - only SUBMIT the SchedProcessExec event if picked by a policy
      - ALWAYS submit the SchedProcessFork signal event (args only)
    
    - sched_process_exit:
      - create a signal handler for a SchedProcessExit signal event
      - only SUBMIT the SchedProcessExit event if picked by a policy
      - ALWAYS submit the SchedProcessExit signal event (args only)
      - The SchedProcessExit signal event has 2 extra arguments added,
        both will be needed for the process tree implementation.
    
    - create a list of essential events coming from the control plane
      package, instead of a function within Tracee type.
    
    - add a 'Control' boolean to EventState to control whether the
      event, and its dependent events, should only be configured
      because of the control plane. This is needed because some
      events are too complex to have duplicated probes (they involve
      having tailCalls and other dependencies), so the same event
      probes are used to submit the regular AND the signal events.
    
    (*) parent_start_time argument to event context:
    
      The reason to have the parent start time argument added is to have a unique
      identifier, using 'host_tid' + 'process start time' (using the murmur3
      hashing function), on each submitted event. This way, the process tree
      is able to identify the process parent using the process hash (and every
      process node entry that has ever existed in the process tree is hashed and unique).
    
      => The reasoning will be made clear in the next commits.
    
    NOTE: There are NO logical changes to the eBPF code other than copying the scratch
    buffer and submitting it into the signal events perfbuffer.
    rafaeldtinoco committed Aug 4, 2023
    4bb81ad
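The two commit messages above describe the same idea: identify every task by a murmur3 hash of `host_tid` + process start time, and key the process tree on that hash so that a reused PID does not get confused with the earlier process that held it. The following Go program is an added example written for this page; it is not Tracee's own code. It implements MurmurHash3_x86_32 from the reference algorithm and a small hash-keyed tree. The exact byte layout fed to the hash (4-byte little-endian tid followed by 8-byte little-endian start time, seed 0) and the `taskHash`, `procTree`, `onFork`, `onExit` and `parentOf` names are assumptions of this example, not necessarily what the PR's userland and eBPF sides agree on.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// murmur32 is MurmurHash3_x86_32 (Austin Appleby's reference algorithm).
func murmur32(data []byte, seed uint32) uint32 {
	const c1, c2 = uint32(0xcc9e2d51), uint32(0x1b873593)
	h := seed
	n := len(data)
	for ; len(data) >= 4; data = data[4:] { // full 4-byte blocks
		k := binary.LittleEndian.Uint32(data)
		k *= c1
		k = bits.RotateLeft32(k, 15)
		k *= c2
		h ^= k
		h = bits.RotateLeft32(h, 13)
		h = h*5 + 0xe6546b64
	}
	var k uint32 // tail of 1..3 bytes
	switch len(data) {
	case 3:
		k ^= uint32(data[2]) << 16
		fallthrough
	case 2:
		k ^= uint32(data[1]) << 8
		fallthrough
	case 1:
		k ^= uint32(data[0])
		k *= c1
		k = bits.RotateLeft32(k, 15)
		k *= c2
		h ^= k
	}
	h ^= uint32(n) // finalization mix
	h ^= h >> 16
	h *= 0x85ebca6b
	h ^= h >> 13
	h *= 0xc2b2ae35
	h ^= h >> 16
	return h
}

// taskHash derives a process identifier from host_tid and task start time.
// ASSUMPTION of this example: 4-byte LE tid, then 8-byte LE start time, seed 0.
func taskHash(hostTid uint32, startTime uint64) uint32 {
	var buf [12]byte
	binary.LittleEndian.PutUint32(buf[0:4], hostTid)
	binary.LittleEndian.PutUint64(buf[4:12], startTime)
	return murmur32(buf[:], 0)
}

type procNode struct {
	Hash      uint32
	HostTid   uint32
	StartTime uint64
	Parent    uint32 // hash of the parent node
	Comm      string
	Exited    bool
}

type procTree struct{ nodes map[uint32]*procNode }

func newProcTree() *procTree { return &procTree{nodes: map[uint32]*procNode{}} }

// onFork records the child under its own hash; the parent is resolved by
// tid+start time (which is why the PR adds parent_start_time to the context).
func (t *procTree) onFork(parentTid uint32, parentStart uint64, childTid uint32, childStart uint64, comm string) uint32 {
	ph := taskHash(parentTid, parentStart)
	if _, ok := t.nodes[ph]; !ok { // parent seen for the first time (e.g. started before tracing)
		t.nodes[ph] = &procNode{Hash: ph, HostTid: parentTid, StartTime: parentStart}
	}
	ch := taskHash(childTid, childStart)
	t.nodes[ch] = &procNode{Hash: ch, HostTid: childTid, StartTime: childStart, Parent: ph, Comm: comm}
	return ch
}

// onExit marks the node as gone but keeps it, so a later reuse of the same
// PID lands on a different hash instead of overwriting history.
func (t *procTree) onExit(tid uint32, start uint64) {
	if n, ok := t.nodes[taskHash(tid, start)]; ok {
		n.Exited = true
	}
}

func (t *procTree) parentOf(h uint32) (*procNode, bool) {
	n, ok := t.nodes[h]
	if !ok {
		return nil, false
	}
	p, ok := t.nodes[n.Parent]
	return p, ok
}

func main() {
	// Constructed scenario: PID 1234 is spawned by init, exits, and the PID is reused by a child of bash (tid 500).
	tree := newProcTree()
	old := tree.onFork(1, 0, 1234, 100, "sleep")
	tree.onExit(1234, 100)
	reused := tree.onFork(500, 50, 1234, 900, "curl")
	p1, _ := tree.parentOf(old)
	p2, _ := tree.parentOf(reused)
	fmt.Printf("old 1234 hash=%08x parent tid=%d exited=%v\n", old, p1.HostTid, tree.nodes[old].Exited)
	fmt.Printf("new 1234 hash=%08x parent tid=%d exited=%v\n", reused, p2.HostTid, tree.nodes[reused].Exited)
}
```

Keying on the hash rather than on PID is what lets the two `1234` entries coexist: a PPID-keyed map would have overwritten the exited `sleep` with `curl` and misattributed any late events from the old process. The same property is why the PR checks that the eBPF and userland murmur implementations agree bit for bit; a single differing byte in the input layout would make every kernel-side hash unresolvable in userland.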