refactor: Improve API used by ebpf programs #3982
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yanivagman
force-pushed
the
refactor_ebpf_programs_api
branch
2 times, most recently
from
70ce608 to
bebf27e
Compare
Both mnt_ns_filter and pid_ns_filter maps had a key of 64 bits in size. This key size is wrong, and should be set to 32 bits.
yanivagman
force-pushed
the
refactor_ebpf_programs_api
branch
from
bebf27e to
2dab95a
Compare
|
I'll be on this today 👍🏼. |
geyslan
reviewed
Apr 18, 2024
Comment on lines
+242
to
+250
| event_config_t *event_config = get_event_config(event_id, event->context.policies_version); | ||
| if (event_config == NULL) | ||
| return false; |
There was a problem hiding this comment.
As this is the only point that reset_event can fail (and all callers return/abort when this returns false), shouldn't we anticipate its check in the beginning of the function?
There was a problem hiding this comment.
Not sure I understand what you mean here
There was a problem hiding this comment.
I meant: only touch event fields if there actually is a config for that event, like:
statfunc bool reset_event(event_data_t *event, u32 event_id)
{
// check first
event_config_t *event_config = get_event_config(event_id, event->context.policies_version);
if (event_config == NULL)
return false;
// reset if there's a config for it.
event->context.eventid = event_id;
reset_event_args_buf(event);
event->config.submit_for_policies = ~0ULL;
...There was a problem hiding this comment.
I don't know about this change.
These fields not depend on the event config, and cost almost nothing (just simple assignments).
In case the caller don't check the return value, returning from reset_event after doing these 4 assignments makes the reset valid, and matched_policies is set to match all policies.
yanivagman
force-pushed
the
refactor_ebpf_programs_api
branch
from
2dab95a to
d78f011
Compare
geyslan
reviewed
Apr 18, 2024
As preparation for migrating event scope filters into the kernel and matching filters by event id, we now save the event id in the program_data_t structure during initialization instead of when submitting the event to userspace. By knowing the event id during program init, we can also retrieve the bitmap of the policies that requested this event, removing the need to call should_submit() within the program. Next, should_trace() is renamed to evaluate_context_filters() to better represent its function and accommodate potential future argument filters. This function considers both event submit bits and matched context filters. Its return value is now boolean to hide the internal policy matching mechanism, ensuring future-proofing against changes in bitmap size or implementation. For programs with logic for multiple events, we introduce event_is_selected() to determine if the event is selected by any policies. We also add reset_event() to reset matched_policies and argument buffer for a new event id, and reset_event_args_buf() for cases where the same event is submitted multiple times from the same program, addressing a bug where submitting multiple events may yield incorrect matched_policies bitmap. Additionally, policies_matched() is added to return the result of matched_policies.
yanivagman
force-pushed
the
refactor_ebpf_programs_api
branch
from
d78f011 to
760570d
Compare
geyslan
approved these changes
Apr 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
1. Explain what the PR does
As preparation for migrating event scope filters into the kernel and matching filters by event id, we now save the event id in the program_data_t structure during initialization instead of when submitting the event to userspace.
By knowing the event id during program init, we can also retrieve the bitmap of the policies that requested this event, removing the need to call should_submit() within the program.
Next, should_trace() is renamed to evaluate_context_filters() to better represent its function and accommodate potential future argument filters. This function considers both event submit bits and matched context filters. Its return value is now boolean to hide the internal policy matching mechanism, ensuring future-proofing against changes in bitmap size or implementation.
For programs with logic for multiple events, we introduce event_is_selected() to determine if the event is selected by any policies. We also add reset_event() to reset matched_policies and argument buffer for a new event id, and reset_event_args_buf() for cases where the same event is submitted multiple times from the same program, addressing a bug where submitting multiple events may yield incorrect matched_policies bitmap.
Additionally, policies_matched() is added to return the result of matched_policies.
2. Explain how to test it
3. Other comments