
Generic syscall kprobes #4256

Merged (7 commits, Aug 22, 2024)

Conversation

@yanivagman yanivagman commented Aug 18, 2024

1. Explain what the PR does

feat: Add syscall kprobe support

We currently use sys_enter/sys_exit tracepoints to trace syscalls.
These impact performance on hot paths.

This change introduces BPF program attachment to syscall entry/exit using kprobes,
offering a more efficient mechanism.
It handles varying symbol prefixes across architectures and includes 32-bit compat support.

2. Explain how to test it

3. Other comments

Close #4211

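The prefix handling the description mentions, as an added example that is not tracee code from this PR: a Go resolver that maps a syscall name to the per-architecture native and 32-bit compat kernel symbols a kprobe would attach to, checked against a constructed /proc/kallsyms excerpt. The prefix table, function names and sample symbols are assumptions for illustration.

```go
package main

import ("fmt"; "strings")

// Kernel SYSCALL_DEFINE wrapper prefixes per arch: native ABI first, then
// 32-bit compat. Assumption: upstream naming since 4.17, not copied from tracee.
var archPrefixes = map[string][2][]string{
	"x86_64": {{"__x64_sys_"}, {"__ia32_compat_sys_", "__ia32_sys_"}},
	"arm64":  {{"__arm64_sys_"}, {"__arm64_compat_sys_"}},
}

// textSymbols parses /proc/kallsyms text into the set of code (T/t) symbols,
// the only kind a kprobe can attach to; data symbols are deliberately skipped.
func textSymbols(kallsyms string) map[string]bool {
	syms := map[string]bool{}
	for _, line := range strings.Split(kallsyms, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && (f[1] == "T" || f[1] == "t") {
			syms[f[2]] = true
		}
	}
	return syms
}

// resolveSyscallSymbols picks the native and compat entry points for syscall on
// arch; compat is "" when the kernel has no 32-bit wrapper, native "" is an error.
func resolveSyscallSymbols(syms map[string]bool, arch, syscall string) (native, compat string, err error) {
	pick := func(prefixes []string) string {
		for _, pre := range prefixes {
			if syms[pre+syscall] {
				return pre + syscall
			}
		}
		return ""
	}
	p := archPrefixes[arch] // unknown arch yields empty lists, so nothing resolves
	if native, compat = pick(p[0]), pick(p[1]); native == "" {
		err = fmt.Errorf("no native entry point for %s on %s", syscall, arch)
	}
	return native, compat, err
}
// Constructed /proc/kallsyms excerpt; addresses are made up.
const sampleKallsyms = `ffffffff81302a40 T __x64_sys_openat
ffffffff81302a90 T __ia32_compat_sys_openat
ffffffff81302b00 T __x64_sys_dup
ffffffff82000000 D sys_call_table`

func main() {
	n, c, err := resolveSyscallSymbols(textSymbols(sampleKallsyms), "x86_64", "dup")
	fmt.Printf("native=%q compat=%q err=%v\n", n, c, err) // compat "": no 32-bit dup wrapper here
}
```
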
@yanivagman yanivagman requested a review from OriGlassman August 18, 2024 15:45
@yanivagman yanivagman force-pushed the generic_syscall_kprobes branch 2 times, most recently from 5c17a8d to fabd491 on August 19, 2024 09:26
@yanivagman yanivagman force-pushed the generic_syscall_kprobes branch from fabd491 to 30447d4 on August 19, 2024 15:20
yanivagman commented Aug 19, 2024

This PR implements a generic way to add probes for system calls using kprobes.
It replaces PRs #4229, #4231, #4232 and #4210.

Same as we have for sys_enter/sys_exit probes, this will allow us to add
new events or logic for specific syscalls.
@geyslan geyslan self-requested a review August 20, 2024 14:55
@yanivagman yanivagman force-pushed the generic_syscall_kprobes branch from f06178b to c2af27b on August 20, 2024 20:50
@yanivagman yanivagman force-pushed the generic_syscall_kprobes branch 2 times, most recently from a5376be to 642f3f4 on August 22, 2024 13:39
@@ -191,6 +191,7 @@ statfunc int init_program_data(program_data_t *p, void *ctx, u32 event_id)
p->event->config.submit_for_policies = ~0ULL;

if (event_id != NO_EVENT_SUBMIT) {
p->event->config.submit_for_policies = 0;
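Review bot: the hunk header (-191,6 +191,7) shows one added line, but the +/- markers were lost in extraction, so it is not visible which of the two submit_for_policies assignments is the new one; either way the resulting logic defaults the mask to ~0ULL and clears it to 0 only when event_id != NO_EVENT_SUBMIT, and a one-line comment on that branch stating why a concrete event starts with no policies selected would make the intent (the thread below calls the old behaviour a silent bug) clear to the next reader.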
Member

silent bug?

Collaborator Author

yep

@geyslan geyslan left a comment

LGTM

@yanivagman yanivagman merged commit 90e14ad into aquasecurity:main Aug 22, 2024
30 checks passed
@yanivagman yanivagman deleted the generic_syscall_kprobes branch August 22, 2024 20:56
Development

Successfully merging this pull request may close these issues.

change socket_dup to not rely on sys_enter/exit
2 participants