Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

probes: improve probes by having specific getters #3710

Merged
merged 1 commit into from
Nov 27, 2023
Merged

probes: improve probes by having specific getters #3710

merged 1 commit into from
Nov 27, 2023

Conversation

rafaeldtinoco
Copy link
Contributor

@rafaeldtinoco rafaeldtinoco commented Nov 27, 2023
edited
Loading

One may debug self loaded function by using:

$ sudo ./dist/tracee --log debug --log filter:'msg=self loaded program' --output json --output option:parse-arguments --events do_init_module,ftrace_hook

For example:

{"L":"DEBUG","T":"2023-11-27T02:18:44.440-0300","M":"self loaded program","event":"do_init_module","program":"trace_do_init_module","origin":"ebpf:pkg/ebpf/tracee.go:1569","calls":"(*Tracee).getSelfLoadedPrograms.func1() < (*Tracee).getSelfLoadedPrograms() < (*Tracee).invokeInitEvents() < (*Tracee).processEvents()"}
{"L":"DEBUG","T":"2023-11-27T02:18:44.440-0300","M":"self loaded program","event":"do_init_module","program":"trace_ret_do_init_module","origin":"ebpf:pkg/ebpf/tracee.go:1569","calls":"(*Tracee).getSelfLoadedPrograms.func1() < (*Tracee).getSelfLoadedPrograms() < (*Tracee).invokeInitEvents() < (*Tracee).processEvents()"}

@rafaeldtinoco rafaeldtinoco marked this pull request as draft November 27, 2023 05:02
@rafaeldtinoco rafaeldtinoco marked this pull request as ready for review November 27, 2023 05:16
@rafaeldtinoco rafaeldtinoco added this to the v0.20.0 milestone Nov 27, 2023
rafaeldtinoco
rafaeldtinoco commented Nov 27, 2023
View reviewed changes
pkg/events/core.go Outdated Show resolved Hide resolved
rafaeldtinoco
rafaeldtinoco commented Nov 27, 2023
View reviewed changes
pkg/events/core.go Outdated Show resolved Hide resolved
geyslan
geyslan approved these changes Nov 27, 2023
View reviewed changes
Copy link
Member

@geyslan geyslan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, put some comments.

pkg/ebpf/tracee.go
currProbe := t.probes.GetProbeByHandle(depProbes.GetHandle())

name := ""
switch p := currProbe.(type) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps to assign and check the coercion for errors before the switch?

pkg/ebpf/tracee.go
// Only k[ret]probes may use ftrace
if kprobesOnly {
switch p.GetProbeType() {
case probes.KProbe, probes.KretProbe:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's a no-op case, perhaps a comment to make it evident?

@rafaeldtinoco rafaeldtinoco merged commit 91b1818 into aquasecurity:main Nov 27, 2023
10 of 30 checks passed
@rafaeldtinoco rafaeldtinoco deleted the add-getters-to-probes branch November 27, 2023 13:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geyslan geyslan geyslan approved these changes

@OriGlassman OriGlassman Awaiting requested review from OriGlassman

Assignees

@rafaeldtinoco rafaeldtinoco

Labels
area/ebpf
Projects
None yet
Milestone
v0.20.0
Development

Successfully merging this pull request may close these issues.
2 participants
@rafaeldtinoco @geyslan