
chore(userspace/libscap): give name to bpf programs #559

Merged
merged 1 commit into from Aug 26, 2022

Conversation

alban
Contributor

@alban alban commented Aug 24, 2022

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap-engine-udig

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

This patch helps to distinguish Falco's bpf programs in bpftool or in kubectl gadget top ebpf.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

/* 'event' looks like "raw_tracepoint/raw_syscalls/sys_enter". Skip
* two '/' to find the last word, if possible.
*/
prog_name = strstr(event, "/");
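Review bot: `strstr(event, "/")` returns NULL when `event` contains no '/', so the "if possible" fallback the comment promises needs an explicit NULL check before `prog_name` is used (falling back to `event` itself); with a one-character needle, `strrchr(event, '/')` reaches the last separator in a single call and makes the two-skip logic unnecessary. Worth documenting here too that the kernel keeps only 15 characters of a program name (bpf_attr.prog_name is 16 bytes including the NUL), which is why long filler names appear cut in the bpftool listing below.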
Contributor


I'd use strrchr instead, which automatically fetches the last occurrence of '/'.
Then, if anything is found, we can use just prog_name++.

@@ -513,6 +517,7 @@ static int32_t load_tracepoint(struct bpf_engine* handle, const char *event, str
int err;
int fd;
int id;
const char *prog_name;
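Review bot: `const char *prog_name;` at +517 leaves the pointer uninitialised, and the later `prog_name = strstr(event, "/")` only yields a usable value when a '/' is present; initialise it at the declaration (to NULL, or directly to `event` so the no-separator fallback is already in place) so that no path reads an indeterminate pointer.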
Member


I know it is super useless but it is future-proof 😆!

Suggested change
const char *prog_name;
const char *prog_name = NULL;

This patch helps to distinguish Falco's bpf programs in bpftool or in
'kubectl gadget top ebpf'.

Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
@alban
Contributor Author

alban commented Aug 25, 2022

Tested in Falco (on branch falcosecurity/falco#2177) with the following:

mkdir -p build
cd build
cmake -DFALCOSECURITY_LIBS_SOURCE_DIR=$PWD/../../libs -DBUILD_BPF=ON -DUSE_BUNDLED_DEPS=ON ..
make
cd ..
FALCO_BPF_PROBE=$PWD/build/driver/bpf/probe.o sudo -E ./build/userspace/falco/falco -c ./falco.yaml -r ./rules/falco_rules.yaml

And in another terminal:

$ sudo bpftool prog|grep raw_tracepoint
1177: raw_tracepoint  name terminate_fille  tag 0cfced50ac2422ad  gpl
1178: raw_tracepoint  name sys_empty  tag 8bb294d18d5e1ab7  gpl
1179: raw_tracepoint  name sys_single  tag ec3c250076e5a5ab  gpl
1180: raw_tracepoint  name sys_single_x  tag 296719d3c7e566cf  gpl
1181: raw_tracepoint  name sys_open_e  tag ff5efe61577951cb  gpl
1182: raw_tracepoint  name sys_open_x  tag cc89bd9b3f316992  gpl
1183: raw_tracepoint  name sys_read_x  tag 23fdc5e22820c458  gpl
1184: raw_tracepoint  name sys_write_x  tag d636998153105565  gpl
1185: raw_tracepoint  name sys_poll_e  tag f4cbf0393c75aa41  gpl
1186: raw_tracepoint  name sys_poll_x  tag 6b03b1f5cea2bfa0  gpl
1187: raw_tracepoint  name sys_readv_pread  tag 7817e31271701f87  gpl
1188: raw_tracepoint  name sys_writev_e  tag 5c5e6d5ab0e8b344  gpl
1189: raw_tracepoint  name sys_writev_pwri  tag 8d02ce8cf7b481fe  gpl
1190: raw_tracepoint  name sys_nanosleep_e  tag 4e3494a871764c8e  gpl
1191: raw_tracepoint  name sys_futex_e  tag 23d1fc9357f377eb  gpl
1192: raw_tracepoint  name sys_brk_munmap_  tag fb18c3496604407d  gpl
1193: raw_tracepoint  name sys_mmap_e  tag 16513cdcc174498d  gpl
1194: raw_tracepoint  name sys_mprotect_e  tag 2abf82fb232ec904  gpl
1195: raw_tracepoint  name sys_mprotect_x  tag 296719d3c7e566cf  gpl
1196: raw_tracepoint  name sys_fcntl_e  tag c2d19e87b1fa23d9  gpl
1197: raw_tracepoint  name sys_access_e  tag eafeb92eb24a54de  gpl
1198: raw_tracepoint  name sys_getrlimit_s  tag efb6c04bf2f63f99  gpl
1199: raw_tracepoint  name sys_getrlimit_s  tag e04e6374534d75af  gpl
1200: raw_tracepoint  name sys_connect_e  tag a2fb4fa3a1fdb767  gpl
1201: raw_tracepoint  name sys_connect_x  tag 36b15c62dafad38b  gpl
1202: raw_tracepoint  name sys_socketpair_  tag fdf36a200d3a81fc  gpl
1203: raw_tracepoint  name sys_setsockopt_  tag c75190869f034150  gpl
1204: raw_tracepoint  name sys_getsockopt_  tag d63edc31e981e4be  gpl
1205: raw_tracepoint  name sys_send_e  tag 132a1a6c921b11a6  gpl
1206: raw_tracepoint  name sys_sendto_e  tag 9d756cbfe7853d53  gpl
1207: raw_tracepoint  name sys_send_x  tag cc0e07eb11be6a57  gpl
1208: raw_tracepoint  name sys_execve_e  tag ec3c250076e5a5ab  gpl
1209: raw_tracepoint  name sys_execveat_e  tag 16efab8af69a7687  gpl
1210: raw_tracepoint  name proc_startupdat  tag 99e41399d0a8b488  gpl
1211: raw_tracepoint  name proc_startupdat  tag 0410f64266910086  gpl
1212: raw_tracepoint  name proc_startupdat  tag 8ec124b34993fd39  gpl
1213: raw_tracepoint  name execve_family_f  tag e848febd58498b49  gpl
1214: raw_tracepoint  name sys_accept4_e  tag 2daa3ef7163afe10  gpl
1215: raw_tracepoint  name sys_accept_x  tag 6f9e923d74b0db38  gpl
1216: raw_tracepoint  name sys_setns_e  tag 353578a621a02a66  gpl
1217: raw_tracepoint  name sys_unshare_e  tag fae27e041db98031  gpl
1218: raw_tracepoint  name sys_generic  tag 2061767bcab0409e  gpl
1219: raw_tracepoint  name sys_openat_e  tag 497b495f59a80b69  gpl
1220: raw_tracepoint  name sys_openat_x  tag f6c58c10027a1ca1  gpl
1221: raw_tracepoint  name sys_openat2_e  tag e2bef0d65eb9bdf2  gpl
1222: raw_tracepoint  name sys_openat2_x  tag 16feae95c1877758  gpl
1223: raw_tracepoint  name sys_open_by_han  tag 9d97aad6f2e56e8f  gpl
1224: raw_tracepoint  name sys_io_uring_se  tag 2ed96bf1bbad6767  gpl
1225: raw_tracepoint  name sys_io_uring_en  tag 8bb5bf6b82f22cf0  gpl
1226: raw_tracepoint  name sys_io_uring_re  tag c77908bed9122933  gpl
1227: raw_tracepoint  name sys_mlock_x  tag 5ea06ec1da3363e5  gpl
1228: raw_tracepoint  name sys_mlock2_x  tag 67b5814badc0a4e9  gpl
1229: raw_tracepoint  name sys_munlock_x  tag 5ea06ec1da3363e5  gpl
1230: raw_tracepoint  name sys_mlockall_x  tag d146de45e3ff2e41  gpl
1231: raw_tracepoint  name sys_munlockall_  tag 296719d3c7e566cf  gpl
1232: raw_tracepoint  name sys_sendfile_e  tag 599ba9e3481ee702  gpl
1233: raw_tracepoint  name sys_sendfile_x  tag 504b38c20ce03ce1  gpl
1234: raw_tracepoint  name sys_prlimit_e  tag f2ba3604073eb207  gpl
1235: raw_tracepoint  name sys_prlimit_x  tag 267efaf97720c097  gpl
1236: raw_tracepoint  name sys_pwritev_e  tag 85346c7dc5446fc3  gpl
1237: raw_tracepoint  name sys_getresuid_a  tag 3e075ef16b52905d  gpl
1238: raw_tracepoint  name sys_socket_bind  tag d2921b5a9e12bf03  gpl
1239: raw_tracepoint  name sys_recv_x  tag cc0e07eb11be6a57  gpl
1240: raw_tracepoint  name sys_recvfrom_x  tag e0fcde29456e0e16  gpl
1241: raw_tracepoint  name sys_shutdown_e  tag 318044b92477d96b  gpl
1242: raw_tracepoint  name sys_recvmsg_x  tag 34599cfa94e28263  gpl
1243: raw_tracepoint  name sys_recvmsg_x_2  tag f550310e8d7f626d  gpl
1244: raw_tracepoint  name sys_sendmsg_e  tag fc6b881842fefe37  gpl
1245: raw_tracepoint  name sys_sendmsg_x  tag c86e8439620c9b5d  gpl
1246: raw_tracepoint  name sys_creat_e  tag 5d45f0f60b7881d7  gpl
1247: raw_tracepoint  name sys_creat_x  tag 85c8483c7ac34b5a  gpl
1248: raw_tracepoint  name sys_pipe_x  tag f3050cbfbb4dabe8  gpl
1249: raw_tracepoint  name sys_lseek_e  tag e4871c2c2a0ef509  gpl
1250: raw_tracepoint  name sys_llseek_e  tag a6e04cf6bbfbd4d9  gpl
1251: raw_tracepoint  name sys_eventfd_e  tag b8786d45cfab3692  gpl
1252: raw_tracepoint  name sys_mount_e  tag 65bee0cbb05285f5  gpl
1253: raw_tracepoint  name sys_ppoll_e  tag 98c98d251a474cfb  gpl
1254: raw_tracepoint  name sys_semop_x  tag 0f4e8b539e0abb45  gpl
1255: raw_tracepoint  name sys_socket_x  tag 95f7c6af787f8f84  gpl
1256: raw_tracepoint  name sys_flock_e  tag a13dcb7a0cb46a00  gpl
1257: raw_tracepoint  name sys_pread64_e  tag 98b82509b2b37ae8  gpl
1258: raw_tracepoint  name sys_preadv64_e  tag 98b82509b2b37ae8  gpl
1259: raw_tracepoint  name sys_pwrite64_e  tag 98b82509b2b37ae8  gpl
1260: raw_tracepoint  name sys_renameat_x  tag 5c95ce15ed79aa7b  gpl
1261: raw_tracepoint  name sys_renameat2_x  tag dfb9ad375e1b845b  gpl
1262: raw_tracepoint  name sys_symlinkat_x  tag 46c7c2cbcaa5fc9b  gpl
1263: raw_tracepoint  name sys_scapevent_e  tag 98b82509b2b37ae8  gpl
1264: raw_tracepoint  name cpu_hotplug_e  tag d0746cdd05b6eedc  gpl
1265: raw_tracepoint  name sched_drop  tag 501ff6709702a5e2  gpl
1266: raw_tracepoint  name sys_procexit_e  tag 669ca2509b4dc67a  gpl
1267: raw_tracepoint  name sched_switch_e  tag 63976674b4ac8c84  gpl
1268: raw_tracepoint  name sys_pagefault_e  tag 2403eb510277d5b2  gpl
1269: raw_tracepoint  name sys_signaldeliv  tag 03f20c25df1b522c  gpl
1270: raw_tracepoint  name sys_quotactl_e  tag dc3bc943035867e3  gpl
1271: raw_tracepoint  name sys_quotactl_x  tag 715d26096d11652b  gpl
1272: raw_tracepoint  name sys_semget_e  tag fe4c780c42184d71  gpl
1273: raw_tracepoint  name sys_semctl_e  tag 0be4f5ee17d21334  gpl
1274: raw_tracepoint  name sys_ptrace_e  tag 0e87f3a66207fae9  gpl
1275: raw_tracepoint  name sys_ptrace_x  tag f37bd01c25a14cd7  gpl
1276: raw_tracepoint  name sys_bpf_x  tag 296719d3c7e566cf  gpl
1277: raw_tracepoint  name sys_unlinkat_x  tag 58bbdab3ad4b7646  gpl
1278: raw_tracepoint  name sys_mkdirat_x  tag 9b027a8381cc316b  gpl
1279: raw_tracepoint  name sys_linkat_x  tag 86fd3c59d997af17  gpl
1280: raw_tracepoint  name sys_autofill  tag 93f40bcdfbe5bc32  gpl
1281: raw_tracepoint  name sys_fchmodat_x  tag eda719308a42d58b  gpl
1282: raw_tracepoint  name sys_chmod_x  tag 5ea06ec1da3363e5  gpl
1283: raw_tracepoint  name sys_fchmod_x  tag 5ea06ec1da3363e5  gpl
1284: raw_tracepoint  name sys_copy_file_r  tag 14fc775fa36e8080  gpl
1285: raw_tracepoint  name sys_copy_file_r  tag 455eea8a849c793c  gpl
1286: raw_tracepoint  name sys_capset_x  tag 295dd5d92af168f3  gpl
1287: raw_tracepoint  name sys_dup_e  tag ec3c250076e5a5ab  gpl
1288: raw_tracepoint  name sys_dup_x  tag e5e60f7ae1d55669  gpl
1289: raw_tracepoint  name sys_dup2_e  tag ec3c250076e5a5ab  gpl
1290: raw_tracepoint  name sys_dup2_x  tag 5ea06ec1da3363e5  gpl
1291: raw_tracepoint  name sys_dup3_e  tag ec3c250076e5a5ab  gpl
1292: raw_tracepoint  name sys_dup3_x  tag f8466c1c9de2a642  gpl
1293: raw_tracepoint  name sys_enter  tag 205348d960a3417f  gpl
1294: raw_tracepoint  name sys_exit  tag a45660e806c1bec0  gpl
1295: raw_tracepoint  name sched_process_e  tag b15c58c2747dae1d  gpl
1296: raw_tracepoint  name sched_switch  tag 0c25bdd89be23b27  gpl
1297: raw_tracepoint  name page_fault_user  tag bf9436112e8009d0  gpl
1298: raw_tracepoint  name page_fault_kern  tag bf9436112e8009d0  gpl
1299: raw_tracepoint  name signal_deliver  tag fc852720132c0880  gpl
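
As an added example (not the libscap code in this PR), this is the naming rule the diff comment describes, written with strrchr as the review suggests, together with the kernel-side truncation to 15 characters that explains the repeated names in the bpftool listing above. BPF_OBJ_NAME_LEN is the kernel's real value; the section names are constructed, only modelled on the listing.

```c
#include <stdio.h>
#include <string.h>
/* bpf_attr.prog_name holds 16 bytes including the NUL: 15 visible chars. */
#define BPF_OBJ_NAME_LEN 16

/* Last '/'-separated word of "raw_tracepoint/raw_syscalls/sys_enter"; with no
 * '/' at all the whole string is the name (the "if possible" fallback). */
static const char *section_basename(const char *event)
{
	const char *slash = strrchr(event, '/');
	return slash ? slash + 1 : event;
}

/* The name as the kernel keeps it: snprintf cuts it to 15 chars plus NUL.
 * A static buffer (overwritten by the next call) keeps the demo short. */
static const char *prog_name(const char *event)
{
	static char name[BPF_OBJ_NAME_LEN];
	snprintf(name, sizeof name, "%s", section_basename(event));
	return name;
}

/* Constructed section names modelled on the bpftool listing above; the long
 * filler names collapse onto sys_getrlimit_s and proc_startupdat after the cut. */
static const char *const sample_events[] = {
	"raw_tracepoint/filler/sys_getrlimit_setrlimit_e",
	"raw_tracepoint/filler/sys_getrlimit_setrlimit_x",
	"raw_tracepoint/filler/proc_startupdate",
	"raw_tracepoint/filler/proc_startupdate_2",
};
#define SAMPLE_COUNT (sizeof(sample_events) / sizeof(sample_events[0]))

/* Number of samples whose displayed name repeats an earlier one. */
static int sample_collisions(void)
{
	int collisions = 0;
	for (size_t i = 0; i < SAMPLE_COUNT; i++) {
		char a[BPF_OBJ_NAME_LEN];
		strcpy(a, prog_name(sample_events[i]));
		for (size_t j = 0; j < i; j++)
			if (strcmp(a, prog_name(sample_events[j])) == 0) { collisions++; break; }
	}
	return collisions;
}

int main(void)
{
	for (size_t i = 0; i < SAMPLE_COUNT; i++)
		printf("%-48s -> %s\n", sample_events[i], prog_name(sample_events[i]));
	printf("%d collisions\n", sample_collisions());
	return 0;
}
```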

@alban alban marked this pull request as ready for review August 25, 2022 15:28
@FedeDP
Contributor

FedeDP commented Aug 25, 2022

Very nice! Thanks!

Member

@Andreagit97 Andreagit97 left a comment


/approve

@poiana
Contributor

poiana commented Aug 25, 2022

LGTM label has been added.

Git tree hash: 8598634c444118075ad30f625a0359f18f860bd0

Contributor

@FedeDP FedeDP left a comment


/approve

Thank you very much!

@poiana
Contributor

poiana commented Aug 26, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alban, Andreagit97, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 6dec285 into falcosecurity:master Aug 26, 2022
@alban alban deleted the alban_bpf_prog_name branch August 29, 2022 16:35
@alban
Contributor Author

alban commented Aug 29, 2022

Tested with Falco, the bpf program names are now visible in Inspektor Gadget's top-ebpf tool:

$ ./kubectl-gadget top ebpf -o custom-columns=progid,type,name,comm,cumulruncount,cumulruntime --sort cumulruntime --timeout 30
PROGID   TYPE             NAME             COMM                 CUMULRUNCOUNT CUMULRUNTIME 
495      RawTracepoint    sys_exit         falco                      1221143   627.1735ms 
494      RawTracepoint    sys_enter        falco                      1220662     575.95ms 
497      RawTracepoint    sched_switch     falco                       208993   282.2234ms 
498      RawTracepoint    page_fault_user  falco                       234467    19.8807ms 
496      RawTracepoint    sched_process_e  falco                          912     1.8596ms 
500      RawTracepoint    signal_deliver   falco                         1608      992.8µs 
499      RawTracepoint    page_fault_kern  falco                         3972      714.5µs 
382      RawTracepoint    sys_open_e       falco                            0           0s 
380      RawTracepoint    sys_single       falco                            0           0s 
381      RawTracepoint    sys_single_x     falco                            0           0s 
164      CGroupSKB                         systemd                          0           0s 
383      RawTracepoint    sys_open_x       falco                            0           0s 
384      RawTracepoint    sys_read_x       falco                            0           0s 
385      RawTracepoint    sys_write_x      falco                            0           0s 
386      RawTracepoint    sys_poll_e       falco                            0           0s 
387      RawTracepoint    sys_poll_x       falco                            0           0s 
388      RawTracepoint    sys_readv_pread  falco                            0           0s 
389      RawTracepoint    sys_writev_e     falco                            0           0s 
390      RawTracepoint    sys_writev_pwri  falco                            0           0s 
391      RawTracepoint    sys_nanosleep_e  falco                            0           0s 

@FedeDP
Contributor

FedeDP commented Aug 29, 2022

Wow this is super useful, thank you!

@Andreagit97 Andreagit97 added this to the 0.9.0 milestone Aug 31, 2022