
tetragon: Adding support to store full binary path and arguments #116

Merged: 14 commits, Jun 9, 2022

Conversation

olsajiri (Contributor) commented Jun 1, 2022

Adding support to store full binary path and full arguments
for execve events.

Signed-off-by: Jiri Olsa jolsa@kernel.org

@olsajiri olsajiri force-pushed the exec_path_fix branch 4 times, most recently from 1933f6d to 443091f, June 2, 2022 07:13
@olsajiri olsajiri marked this pull request as ready for review June 2, 2022 07:25
@olsajiri olsajiri requested a review from a team as a code owner June 2, 2022 07:26
@olsajiri olsajiri requested a review from tixxdz June 2, 2022 07:26
olsajiri (Contributor, Author) commented Jun 2, 2022

I left in some of the static check 'failures', because I don't think it's a real issue

@olsajiri olsajiri marked this pull request as draft June 3, 2022 13:40
@olsajiri olsajiri changed the title Fix execve path and arguments for binaries with long path tetragon: Adding support to store full binary path and arguments Jun 3, 2022
@olsajiri olsajiri force-pushed the exec_path_fix branch 3 times, most recently from ea8250b to 967ce6d, June 6, 2022 09:59
@olsajiri olsajiri marked this pull request as ready for review June 6, 2022 10:14
willfindlay (Contributor)

Yeah let's add OPEN_ENDED_LINE to the ignore list... But what about PREFER_KERNEL_TYPES?

olsajiri (Contributor, Author) commented Jun 7, 2022

> Yeah let's add OPEN_ENDED_LINE to the ignore list... But what about PREFER_KERNEL_TYPES?

I'd ignore PREFER_KERNEL_TYPES as well; the kernel and our program use them a lot

willfindlay (Contributor)

@olsajiri #134

kkourt (Contributor) left a review comment

Looks great!

Just a couple of nits from my side.

Review threads (outdated, resolved):
  pkg/sensors/exec/exec_test.go
  bpf/process/bpf_execve_event.c

Commits in this pull request:

Adding exec event test that runs observer, executes binary
and checks we received proper exec/process event.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Currently we receive a mangled (not just shortened) binary
path for big path binaries (over 1024). Adding test case
for that, fix is coming in following changes.

We create directory path under /tmp and copy tester-progs/nop
in there. Each directory has maximum size.

We can't test 'full path size' on kernels < v5.15 because
the tracepoint won't trigger for data bigger than 2k. It's
fixed with:
  e531e90b5ab0 tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Adding test for big size arguments (512 bytes) that we
do not support at the moment. The support is coming in
following changes.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Adding test for big binary name together with big size arguments
(512 bytes) that we do not support at the moment. The support is
coming in following changes.

It's a combination of the 2 previous tests for big path and args.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Moving event_args_builder function to bpf_execve_event.c
object, because it's not called from anywhere else and it
will be more convenient in following changes to use new
heap map directly instead of passing it as an argument.

It's not a pure copy, I fixed some lint complaints.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Moving event_filename_builder function to bpf_execve_event.c
object, because it's not called from anywhere else and it
will be more convenient in following changes to use new
heap map directly instead of passing it as an argument.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

The probe_arg_read function skips the first argument, which is
the binary's path, only up to the size of 255.

If the pathname is longer, we will still skip just 255 bytes
and screw up following argument retrieval.

Using new heap map to skip maximum path size (4096). This way
we can remove the PROBE_PAST_CMD macro.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

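To make the skip bug in the commit message above concrete, here is an added example (not Tetragon's BPF code, which runs in the kernel and is not reproduced here) that models both behaviours in user-space Go over a constructed execve argument buffer. Only the buffer layout (argv strings back to back, each NUL-terminated), the 255-byte and 4096-byte (PATH_MAX) bounds come from the page; the function names and the test input are assumptions for illustration, and neither function is the probe_arg_read implementation.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// oldSkipMax is the bound of the old skip: argv[0] was walked only up to 255 bytes.
const oldSkipMax = 255

// PathMax is the bound the fixed code skips up to (Linux PATH_MAX, 4096).
const PathMax = 4096

// buildArgBuffer lays argv out the way execve puts it on the new process
// stack: each string followed by a NUL. Constructed input for this example.
func buildArgBuffer(argv []string) []byte {
	var buf bytes.Buffer
	for _, a := range argv {
		buf.WriteString(a)
		buf.WriteByte(0)
	}
	return buf.Bytes()
}

// splitArgs cuts a NUL-separated buffer into its strings.
func splitArgs(rest []byte) []string {
	var out []string
	for len(rest) > 0 {
		i := bytes.IndexByte(rest, 0)
		if i < 0 {
			out = append(out, string(rest))
			break
		}
		out = append(out, string(rest[:i]))
		rest = rest[i+1:]
	}
	return out
}

// argsAfterOldSkip models the behaviour the commit message describes: skip
// argv[0] including its NUL, but never more than 255 bytes. A longer path
// leaves its tail in the buffer, where it is then read back as argv[1].
func argsAfterOldSkip(buf []byte) []string {
	n := bytes.IndexByte(buf, 0)
	if n < 0 {
		return nil
	}
	skip := n + 1
	if skip > oldSkipMax {
		skip = oldSkipMax
	}
	return splitArgs(buf[skip:])
}

// argsAfterFullSkip models the fix: skip the whole of argv[0], bounded only
// by PATH_MAX, so the following arguments line up regardless of path length.
func argsAfterFullSkip(buf []byte) []string {
	n := bytes.IndexByte(buf, 0)
	if n < 0 || n >= PathMax {
		return nil
	}
	return splitArgs(buf[n+1:])
}

func main() {
	// A 309-byte path, well past the old 255-byte bound (constructed).
	path := "/tmp/" + strings.Repeat("a", 300) + "/nop"
	buf := buildArgBuffer([]string{path, "--flag", "value"})
	fmt.Printf("old skip:  %q\n", argsAfterOldSkip(buf))
	fmt.Printf("full skip: %q\n", argsAfterFullSkip(buf))
}
```

With the long path, the old skip reports three arguments whose first entry is the last 54 bytes of the path, while the full skip reports the real two. For a short path such as /bin/true both agree, which is why the bug only shows up in the long-path test cases added earlier in this series. Anything downstream that keys on the argument list (a policy matching on argv[1], or an analyst reading the event) would see the path tail instead of the real first argument.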
Using heap map data for pathname instead of the stack
as suggested in the comment. The probe_read_str will
copy NULL terminated string, so we don't need to
initialize it to zero.

It should help with adding debug code which complains
a lot about the program crossing the stack limit.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Adding support to receive extra data messages sent from
bpf code. The data message is a simple byte array with a
unique ID.

The data is grouped by this ID and stored in a map so it can
be retrieved later by kprobe user side code.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Adding support to send extra data messages from bpf code.

The data_event_bytes function has the following prototype:

  data_event_bytes(void *ctx, struct data_event_desc *desc,
                   unsigned long uptr, size_t size,
                   struct bpf_map_def *heap)

The function sends a data message to user space with data copied
from 'uptr' with size 'size'.

The 'out' argument is a pointer where we write the result of the
data event copy/send operation in the following struct:

  struct data_event_desc {
        __s32 error;
        __u32 leftover;
        struct data_event_id id;
  } __attribute__((packed));

This will be received by the user side kprobe printers and they
can use the info to retrieve the data.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Adding data_event_str function that works in the same way
as data_event_bytes but reads a full string instead of data
from a pointer with size.

The string is sent as a data event the same way as for the
data_event_bytes interface.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

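The three commit messages above describe both halves of the data-message scheme: BPF sends byte chunks tagged with a unique ID (data_event_bytes, data_event_str) and records a data_event_desc in the main event, while user space groups the chunks by ID in a map and a printer fetches them later. The following is an added example of the user-space half, written in Go for illustration; it is not Tetragon's own pkg code. Only the desc fields (error, leftover, id) come from the page; the DataEventID fields, the DataStore type, the Resolve helpers and the chunk input are assumptions. It also shows the check a consumer should do on error and leftover before trusting the value.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
)

// DataEventID plays the role of struct data_event_id: a key unique per data
// event. Its fields are an assumption made for this example.
type DataEventID struct {
	Pid  uint32
	Time uint64
}

// DataEventDesc mirrors struct data_event_desc as filled in by the BPF side:
// copy error, bytes that did not fit (leftover), and the ID of the chunks.
type DataEventDesc struct {
	Error    int32
	Leftover uint32
	ID       DataEventID
}

// DataMsg is one data message as it would arrive from the perf ring.
type DataMsg struct {
	ID    DataEventID
	Bytes []byte
}

// DataStore groups chunks by ID until the event referencing them is handled.
type DataStore struct {
	mu   sync.Mutex
	data map[DataEventID][]byte
}

func NewDataStore() *DataStore {
	return &DataStore{data: make(map[DataEventID][]byte)}
}

// Add appends a chunk to the buffer for its ID. The example assumes chunks
// of one event are delivered in the order the BPF side sent them.
func (s *DataStore) Add(m DataMsg) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.data[m.ID] = append(s.data[m.ID], m.Bytes...)
}

// Get returns the assembled bytes for id and removes the entry, so consumed
// data does not stay in the map.
func (s *DataStore) Get(id DataEventID) ([]byte, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	b, ok := s.data[id]
	if ok {
		delete(s.data, id)
	}
	return b, ok
}

var ErrDataMissing = errors.New("data event not found for id")

// ResolveBytes is what a user-side printer does with a descriptor: refuse a
// BPF-side error, fetch the chunks, and surface truncation via leftover
// instead of silently presenting a partial value as complete.
func ResolveBytes(s *DataStore, d DataEventDesc) (data []byte, truncated bool, err error) {
	if d.Error < 0 {
		return nil, false, fmt.Errorf("bpf side copy failed: %d", d.Error)
	}
	b, ok := s.Get(d.ID)
	if !ok {
		return nil, false, ErrDataMissing
	}
	return b, d.Leftover > 0, nil
}

// ResolveStr handles data sent with data_event_str: the payload is a
// NUL-terminated string, so cut at the first NUL.
func ResolveStr(s *DataStore, d DataEventDesc) (string, bool, error) {
	b, trunc, err := ResolveBytes(s, d)
	if err != nil {
		return "", false, err
	}
	if i := bytes.IndexByte(b, 0); i >= 0 {
		b = b[:i]
	}
	return string(b), trunc, nil
}

func main() {
	s := NewDataStore()
	id := DataEventID{Pid: 42, Time: 1}
	// Constructed chunks, as the BPF side would send a path in pieces.
	s.Add(DataMsg{ID: id, Bytes: []byte("/tmp/")})
	s.Add(DataMsg{ID: id, Bytes: []byte("nop\x00")})
	str, trunc, err := ResolveStr(s, DataEventDesc{ID: id})
	fmt.Println(str, trunc, err)
}
```

The truncated flag is the piece worth keeping in mind when consuming these events: a non-zero leftover means the BPF side could not copy everything, so the path or argument string shown is a prefix, not the full value.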
Using processapi instead of api prefix in exec.go,
so we don't mix with other api packages that are
coming in following changes.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Adding support to send full binary path for exec event.

We use the data_event_str function on bpf side and retrieve
the data from data events with data.Get on the user
space side.

We can remove the size restriction in the test.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Adding support to send full args for exec event.

We use the data_event_bytes function on bpf side and retrieve
the data from data events with data.Get on the user
space side.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Review comment on the PROBE_PAST_CMD definition:

     * filename so its redundant lets walk past it. Do we still need end check?
     * Left for now until we analyze a bit.
     */
    #define PROBE_PAST_CMD \

Contributor:

nice deleting more asm.

@jrfastab jrfastab merged commit 7a8c2a3 into cilium:main Jun 9, 2022
4 participants