Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix missing parent issue in clone events #1708

Merged
merged 3 commits into from
Nov 9, 2023
Merged

Fix missing parent issue in clone events #1708

merged 3 commits into from
Nov 9, 2023

Conversation

tpapagian
Copy link
Member

@tpapagian tpapagian commented Nov 3, 2023
edited

Clone events are handled in the event_wake_up_new_task program. In the case of __event_find_parent failure, we do not send an event to the user. On the other hand, execve_map_get has already added a new entry in execve_map. This causes an inconsistency between execve_map and the user space process cache that may lead events to go through the event cache and wait for a process that never arrives.

To solve this, we try to find our parent at the beginning of the program. If we fail to do so, we simply stop the execution of this program (and do not add any entries in the execve_map). This commit also does some refactoring to clean up the code.

The last commit checks for kernel threads during clone events and avoid searching for parent early during the process.

Do not add a new entry in the execve_map during clone events that we cannot find our parent. Additionally, return early on kernel threads.

@tpapagian tpapagian added the release-note/bug This PR fixes an issue in a previous release of Tetragon. label Nov 3, 2023
@tpapagian
ebpf: Remove unused error_flags in event_wake_up_new_task
6b4d4dc 
Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
@tpapagian tpapagian changed the title Cleanup execve_map entry on clone failure Fix missing parent issue in clone events Nov 3, 2023
@netlify Netlify
Copy link

netlify bot commented Nov 3, 2023

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 41ca507
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/6545078b9c579a0008217bdc
😎 Deploy Preview https://deploy-preview-1708--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@tpapagian tpapagian force-pushed the pr/apapag/clone_fix branch 2 times, most recently from cc6f6c5 to f38b799 Compare November 4, 2023 13:53
@tpapagian
ebpf: Fix missing parent issue in clone events
9b82c3f 
Clone events are handled in event_wake_up_new_task program. In the
case of __event_find_parent failure, we do not send an event to the
user. On the other hand, execve_map_get has already added a new
entry in execve_map. This causes an inconsistency between execve_map
and the user space process cache that may lead for events to go through
the eventcache and waing of a process that never arrives.

To solve this, we try to find our parent in the beginning of the
program. If we fail to do so, we simply stop the execution of this
program (and do not add any entries in the execve_map). This commit
also does some refactoring to cleanup the code.

Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
@tpapagian
ebpf: Ignore kernel threads during clone events
05d0638 
In Tetragon we do not report process_exec and process_exit events for
kernel threads. When searching for the parent of a kernel thread, we
failed to do so and we simply ignore that.

This patch optimizes that path as we abort early by checking the
task_struct's flags.

Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
@tpapagian tpapagian marked this pull request as ready for review November 6, 2023 13:42
@tpapagian tpapagian requested a review from a team as a code owner November 6, 2023 13:42
@kkourt kkourt self-requested a review November 6, 2023 13:49
olsajiri
olsajiri approved these changes Nov 6, 2023
View reviewed changes
Copy link
Contributor

@olsajiri olsajiri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice catch!

kkourt
kkourt approved these changes Nov 8, 2023
View reviewed changes
Copy link
Contributor

@kkourt kkourt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

bpf/process/bpf_fork.c
* cannot find it's parent in the execve_map.
*/
parent = __event_find_parent(task);
if (!parent)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be nice to have a counter for this! I'm curious if it will ever happen, when the second patch is also applied.
That being said, since we are not sending an event if we don't find the parent, there is no point in adding an entry to the map. So this patch makes sense to me as is.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I have in mind to add a counter for that (and other cases in exec/exit events) to check if this happens in a follow-up PR.

@tpapagian tpapagian merged commit 63c854f into main Nov 9, 2023
31 checks passed
@tpapagian tpapagian deleted the pr/apapag/clone_fix branch November 9, 2023 13:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kkourt kkourt kkourt approved these changes

@olsajiri olsajiri olsajiri approved these changes

@jrfastab jrfastab Awaiting requested review from jrfastab jrfastab is a code owner automatically assigned from cilium/tetragon

Assignees
No one assigned
Labels
release-note/bug This PR fixes an issue in a previous release of Tetragon.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@tpapagian @kkourt @olsajiri