matchBinaries improvements #686

Merged
merged 8 commits into from
Feb 24, 2023

Commits on Feb 24, 2023

  1. matchBinaries fixes

    There are some issues regarding matchBinaries. In this patch we still
    support up to 4 values in matchBinaries. Increasing this will be a
    followup.
    
    For matchBinaries, we use names_map that has binary names to id
    translations. During exec events we check if the binary name exists in
    this map and if that is true we keep that id in the execve_map_value
    struct.
    
    Now we write in the matchBinaries selectors the value 1 everywhere. To
    fix that we introduce a single global variable that gets a new unique ID
    for each binary specified.
    
    We cannot use a separate names_map for each kprobe as they should also
    be shared with the execve kprobe. We keep a single names_map for all
    kprobes.
    
    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Feb 24, 2023
    1ca4828
  2. Increase the number of values in matchBinaries

    Before that we had a limit to 4 values in the matchBinaries selector.
    This patch uses a map per kprobe (sel_names_map) to remove this
    limitation. The current limit is 256 values (the size of the map) and
    should be enough for all cases.
    
    As a follow-up we can also clear entries from the (shared) names_map
    when we remove kprobes. For now we also increase the size of that map to
    256 entries. This means that we can define up to 256 unique binary names
    among all matchBinaries selectors.
    
    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Feb 24, 2023
    87f94db
  3. Add NotIn operator for matchBinaries

    For now we only supported the In operator in matchBinaries. This patch
    adds support for the NotIn operator.
    
    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Feb 24, 2023
    84e71d2
  4. Fix names_map update in generic tracepoints

    After loading a tracepoint program we should update names_map with new
    entries in a similar way to kprobes.
    
    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Feb 24, 2023
    ceec3cc
  5. Add tests for matchBinaries

    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Feb 24, 2023
    b5d2ef4
  6. matchBinaries: Do not match the parent binary

    Now, if the process binary does not match those that we have in
    matchBinaries selector, it will also check the parent binary name.
    
    This is not the desired behaviour and this patch removed that.
    
    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Feb 24, 2023
    eb1a47c
  7. matchBinaries: Skip binary check for long binary names

    In the case where the binary name is > 255 characters we simply skip the
    test. In order to support that we have to filter using data events that
    can be a follow-up.
    
    Generally, 255 characters for binary names should be enough in most
    cases.
    
    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Feb 24, 2023
    4586261
  8. Convert max binary size to a define

    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Feb 24, 2023
    2fc6811
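
The ID scheme described in commits 1 to 3, as an added user-space C model (not the project's eBPF or loader code): one shared name-to-id table, a per-selector set of ids, and the In/NotIn decision on the id saved at exec time. Every struct and function name other than `names_map` is hypothetical, and reserving id 0 for binaries that no selector lists is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 256 /* map size stated in the second commit */
enum op { OP_IN, OP_NOTIN };

/* Model of the shared names_map: binary name -> id, one table for all selectors. */
struct names_map {
    const char *name[MAX_NAMES];
    uint32_t id[MAX_NAMES];
    uint32_t count, next_id; /* next_id: the single global counter; id 0 = not listed */
};
/* Model of one kprobe's selector: its operator plus the ids it lists. */
struct selector { enum op op; uint8_t listed[MAX_NAMES + 1]; };

/* Exec-time lookup: id of the binary, or 0 if no selector names it. */
static uint32_t names_lookup(const struct names_map *m, const char *bin) {
    for (uint32_t i = 0; i < m->count; i++)
        if (strcmp(m->name[i], bin) == 0)
            return m->id[i];
    return 0;
}

/* Register a binary for a selector. unique=0 models the behaviour before the
 * fix (every name stored as 1); unique=1 draws from the global counter. */
static int selector_add(struct names_map *m, struct selector *s, const char *bin, int unique) {
    uint32_t id = names_lookup(m, bin);
    if (!id) {
        if (m->count == MAX_NAMES) return -1; /* shared table is full */
        id = unique ? ++m->next_id : 1;
        m->name[m->count] = bin;
        m->id[m->count++] = id;
    }
    s->listed[id] = 1;
    return 0;
}

/* Selector decision on the id saved at exec time. */
static int selector_match(const struct selector *s, uint32_t exec_id) {
    int in = exec_id != 0 && s->listed[exec_id];
    return s->op == OP_IN ? in : !in;
}

int main(void) {
    struct names_map m = {0}; struct selector a = {OP_IN, {0}}, b = {OP_IN, {0}};
    selector_add(&m, &a, "/usr/bin/cat", 1); selector_add(&m, &b, "/usr/bin/curl", 1);
    printf("cat against curl selector: %d\n", selector_match(&b, names_lookup(&m, "/usr/bin/cat")));
    return 0;
}
```

With `unique` set to 0, the same two selectors both hold id 1, so a `cat` process satisfies the selector written for `curl`; that cross-selector false match is what the per-binary unique ID removes.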