-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
trace exec: add exe path #1959
trace exec: add exe path #1959
Conversation
c37e192
to
fca718b
Compare
TBH I'm not sure we should be keeping these optional and big fields on the event. Perhaps we can update the logic to send multiple events on the perf ring buffer, one with the main information and one (or more) with additional fields. However image-based gadgets will be challenge. I think your approach is good for this PR, we need to think more about it for the image-based gadgets case. |
fca718b
to
60b7cce
Compare
0b87e3f
to
43e2272
Compare
I updated this PR with a single flag I'll think more about the image-based gadgets. |
43e2272
to
3dad5c1
Compare
Rebased again to fix new conflicts from recent changes on the main branch. |
This pull request has been automatically marked as stale because it has not had recent activity. |
I suppose we still need it. @alban would you mind rebasing one last time. I'll review it after. |
3dad5c1
to
f261406
Compare
I rebased and fixed the conflicts. Let's see if the CI accepts it. |
f261406
to
982eaa5
Compare
I also do not like increasing the size of event. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi!
Please, see my comment with regard to the event size.
However, this is a good addition for people needing it.
I tested it and it works fine:
$ sudo ./ig trace exec --paths alban_exec_long_paths % u=
RUNTIME.CONTAINER… PID PPID COMM PCOMM RET ARGS CWD EXE
eloquent_shirley 47511 47487 bash containe… 0 /usr/bin/bash / /usr/bin/bash
eloquent_shirley 47540 47511 ls bash 0 /usr/bin/ls / /usr/bin/ls
I have some comments nonetheless.
Best regards.
@@ -213,10 +214,11 @@ func (t *Tracer) run() { | |||
buf := []byte{} | |||
args := record.RawSample[unsafe.Offsetof(execsnoopEvent{}.Args):] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am wondering if we should else if
and set this properly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure what you suggest. I didn't change the logic of the if
below.
@@ -36,7 +36,8 @@ type Event struct { | |||
UpperLayer bool `json:"upperlayer" column:"upperlayer,width:10,fixed,hide"` | |||
LoginUid uint32 `json:"loginuid" column:"loginuid,template:uid,hide"` | |||
SessionId uint32 `json:"sessionid" column:"sessionid,minWidth:10,hide"` | |||
Cwd string `json:"cwd,omitempty" column:"cwd,width:40" columnTags:"param:cwd"` | |||
Cwd string `json:"cwd,omitempty" column:"cwd,width:40" columnTags:"param:paths"` | |||
Exe string `json:"exe,omitempty" column:"exe,width:40" columnTags:"param:paths"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not convinced about this name, what about BinPath
?
At least, this should make clear this is a path to something.
With Exe
, I am awaiting ELF
or stuff like this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea. I suggest ExePath because it is similar to sysdig's proc.exepath
.
Sysdig has both exe and exepath:
proc.exe The first command line argument argv[0] (truncated after 4096 bytes) which is usually the
executable name but it could be also a custom string, it depends on what the user
specifies. [...]
proc.exepath The full executable path of the process [...]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one minor comment. LGTM once CI is green.
Thanks to this new field, we can distinguish the executable with its full path when it is not visible in the args, e.g. when executing via a symlink or via a procfs magic link such as /proc/self/exe. Example of output: ``` $ sudo ig trace exec RUNTIME.CONTAINERNAME PID PPID COMM RET ARGS test 644871 639225 mkdir 0 /usr/bin/mkdir -p /tmp/bar/foo/ test 644888 639225 cat 0 /usr/bin/cat /dev/null $ sudo ig trace exec --paths RUNTIME.CONTAINERN… PID PPID COMM RET ARGS CWD EXEPATH test 644377 639225 mkdir 0 /usr/bin/mkdir -p /tmp/… / /usr/bin/mkdir test 644497 639225 cat 0 /usr/bin/cat /dev/null / /usr/bin/cat ``` Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com>
982eaa5
to
4f47190
Compare
trace exec: add exe path
Thanks to this new field, we can distinguish the executable with its full path when it is not visible in the args, e.g. when executing via a symlink or via a procfs magic link such as /proc/self/exe.
How to use
Example of output:
TBD
Similar to the cwd option (#1700), I didn't enable it by default. This increases the event in the ring buffer by 4k. It would be nice to optimise the event size.
Testing done
...
cc @omriShneor
Fixes #1950