Apply Stackrox changes to falcosecurity libs#1
Conversation
misberner
left a comment
misberner
left a comment
There was a problem hiding this comment.
We definitely should do a more thorough audit of some of these to check if they are necessary, but for now this looks good!
CMakeLists.txt
Outdated
| set(SYSDIG_VERSION "0.1.1dev") | ||
| endif() | ||
|
|
||
| if(NOT DEFINED PROBE_NAME) |
There was a problem hiding this comment.
TBH, not sure if this is still needed. As it is guarded by a if(NOT DEFINED check, we should just be able to set it via -DPROBE_NAME=collector when invoking cmake.
There was a problem hiding this comment.
It's not necessary, but we would need to set it every time we need to build a probe, when using CI it's not a big deal, but if you are trying to build it manually it could feel like a nuisance if we need to add it to the CLI command. Maybe we can move it closer to the actual probe build so it doesn't clutter the main CMakeLists, let me take a look.
cmake/modules/CompilerFlags.cmake
Outdated
|
|
||
| set(SYSDIG_COMMON_FLAGS "-Wall -ggdb") | ||
| set(SYSDIG_DEBUG_FLAGS "-D_DEBUG") | ||
| set(SYSDIG_DEBUG_FLAGS "-D_DEBUG -g") |
There was a problem hiding this comment.
curious, do you have a sense of whether somebody might object to this upstream? It seems pretty natural to add -g for debug
There was a problem hiding this comment.
Actually, now that you point it out, 2 lines above this one -ggdb is being set as a common flag, this might be completely redundant.
There was a problem hiding this comment.
I think we can probably remove this change. -g adds debug symbols in OS native format and -ggdb adds gdb specific symbols. I would assume the latter is sufficient. https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html#Debugging-Options
| elseif(NOT USE_BUNDLED_B64) | ||
| find_path(B64_INCLUDE NAMES b64/encode.h) | ||
| find_library(B64_LIB NAMES b64) | ||
| find_library(B64_LIB NAMES libb64.a b64) |
There was a problem hiding this comment.
We would need to go back look at when/why this was added, but I'd be curious if there is some "global" way to tell CMake's find_library to consider static libraries as well.
There was a problem hiding this comment.
My guess is this was done to have the static libraries prevail over the shared ones, still there might be a better way to do this, I'll take a look.
cmake/modules/libscap.cmake
Outdated
| set(PROBE_VERSION "${SYSDIG_VERSION}") | ||
| endif() | ||
| if(NOT DEFINED PROBE_NAME) | ||
| set(PROBE_NAME "sysdig-probe") |
There was a problem hiding this comment.
It's odd - why would we add this code? I wonder if something went wrong at an earlier time, when somebody (not you) cherrypicked an upstream change
|
|
||
| if(BUILD_USERSPACE) | ||
| add_subdirectory(${LIBSCAP_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/libscap) | ||
| elseif(((BUILD_DRIVER) OR (BUILD_BPF)) AND (CMAKE_SYSTEM_NAME MATCHES "Linux")) |
There was a problem hiding this comment.
This is a bit weird logic, it basically means we can only either build the driver, or the userspace probes, but not both. Might be good to revisit this if we need to upstream it
There was a problem hiding this comment.
I think that's the whole point, since we only ever build userspace (with collector) or the probes/modules (through CI usually). But I agree that it could potentially be annoying and should be handled differently.
There was a problem hiding this comment.
Actually, I've just gone through this one more time and the driver directory is added by libscap in the following line:
Meaning that the actual output of this is either:
BUILD_USERSPACE=ONwill configure libscap which in turn configures the driver too.BUILD_USERSPACE=OFFand eitherBUILD_DRIVERorBUILD_BPFset toONwill configure the driver directory only.
| # http://public.kitware.com/Bug/view.php?id=8438 | ||
| if(BUILD_DRIVER) | ||
| add_custom_target(driver ALL | ||
| COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${CMAKE_CURRENT_BINARY_DIR}/src/Makefile ${CMAKE_CURRENT_SOURCE_DIR}/Makefile |
There was a problem hiding this comment.
I actually just figured what these lines are for while working on RS-276. When we build kernel modules and eBPF probes we run the make command from the actual directory where the source is instead of running cmake on a separate build directory or storing the configured directory, these 2 lines provide bothe the needed Makefile as well as a driver_config.h header that is usually created by cmake.
| KBUILD_CPPFLAGS+= -DCOS_73_WORKAROUND | ||
| endif | ||
| # clang-7 does not support -fmacro-prefix-map | ||
| KBUILD_CPPFLAGS:=$(filter-out -fmacro-prefix-map=%,$(KBUILD_CPPFLAGS)) |
There was a problem hiding this comment.
Another weird thing: we filter this out unconditionally, regardless of clang version. This is unlikely to be behind the issues we are seeing, but if for some reason it is specified, we should probably pass it through whenever poossible.
| #else | ||
| int online_cpu; | ||
| int j; | ||
| /* Begin StackRox */ |
There was a problem hiding this comment.
This looks like a potentially universally useful change
| void sinsp_container_manager::notify_new_container(const sinsp_container_info& container_info) | ||
| { | ||
| sinsp_evt *evt = new sinsp_evt(); | ||
| auto cevt = std::make_shared<sinsp_evt>(); |
There was a problem hiding this comment.
This is a definitely upstreamable change. It's only a small improvement, but generally std::make_shared is preferred over creating a shared_ptr afterwards, as make_shared allows using a single allocation for storing both the object as well as the ref counter
Molter73
force-pushed
the
mauro/ROX-7482-migrate-sysdig-to-falco
branch
from
dd16bd7 to
0e3f2c0
Compare
Molter73
force-pushed
the
mauro/ROX-7482-migrate-sysdig-to-falco
branch
from
259de25 to
45ff474
Compare
0e7769a Apply all StackRox changes from before sysdig release 0.12.1 5d4b9d6 set ringbuffer to 16MB f7b262a fix off by one in stackrox modifications in driver c1c3260 use SYSDIG_HOST_ROOT env var for ebpf 27275de Add Makefile check for struct audit_task_info 9119d72 Only check hotplug online status of cpus if /sys/devices/system/cpu/hotplug/states exists 88191a8 Support running on RHEL 7.6 kernels with backported eBPF (#8) 5644dde add better error messages when proc scraping fails d212e8b Fix potential nullpointer issue 9af9a4b driver makefile changes 00e0e46 change ifdef from 3.11 to 3.15 0582a71 handle older kernels with ebpf support eda343d Remove unnecessary changes to CMakeLists.txt and conf/dev.conf and set PROBE_NAME to collector ce00a0e - Add static paths for non-bundled dependencies - Disable compilation of sysdig binary bc1577f memory usage fixes 59ce369 Changes in preparation for informatica e6b1a49 Rename SYSDIG_HOST_ROOT env to COLLECTOR_HOST_ROOT b4397fd Log error and continue instead of throwing exception when /proc scrape fails (#16) 696852d Allow omitting gRPC libraries from linking (#17) 941bb18 ROX-5597 Collect subset of system calls under eBPF (#18) cbbe5d4 Free memory allocated if fd read fails during proc scrape in libscap (#19) f53b6bb ROX-6200 Remove image label and env var parsing (#20) e32e5e5 ROX-5396 - Fix probe compilation on 5.7-5.10 kernels (#21) a723117 Change libsinsp binary directory to project b47a0ad Configure BPF driver only when being built 8661537 Ensure driver is configured without userspace 56a3d6f Move some kobject definitions 0e8b65e remove invalid PATH 74f0ec4 Trying to add -g to sysdig/src/CMakeList.txt 65694d7 Fix potential segfault 95a283f Add extra checks to prevent memory leak 7389e5e Remove duplicated probe name definition ef283bb Apply upstream fixes to eBPF probes dd16bd7 Remove unneeded include
Molter73
force-pushed
the
mauro/ROX-7482-migrate-sysdig-to-falco
branch
from
45ff474 to
a80e0b7
Compare
Signed-off-by: Lovel Rishi <lovelworks@gmail.com> Address review comments #1: 1. Remove extra lookup for exe file 2. Directive to unroll loops 3. Fix compilation issues in modern bpf probe Signed-off-by: Lovel Rishi <lovelworks@gmail.com>
glibc-2.42 added __inet_ntop_chk fortification, which started to fail: *** buffer overflow detected ***: terminated Program received signal SIGABRT, Aborted. 0x00007ffff629b0dc in __pthread_kill_implementation () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff629b0dc in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007ffff6242572 in raise () from /lib64/libc.so.6 #2 0x00007ffff6229f3b in abort () from /lib64/libc.so.6 #3 0x00007ffff622b148 in __libc_message_impl.cold () from /lib64/libc.so.6 #4 0x00007ffff6327337 in __fortify_fail () from /lib64/libc.so.6 #5 0x00007ffff6326c92 in __chk_fail () from /lib64/libc.so.6 #6 0x00007ffff6327a62 in __inet_ntop_chk () from /lib64/libc.so.6 #7 0x000055555569da3d in inet_ntop (__af=10, __src=0x555555ee0800, __dst=0x7fffffff4f90 "\260P\377\377\377\177", __dst_size=100) at /usr/include/bits/inet-fortified.h:36 #8 ipv6tuple_to_string[abi:cxx11](ipv6tuple*, bool) (tuple=0x555555ee0800, resolve=false) at /tmp/portage/dev-debug/sysdig-0.40.1/work/libs-0.20.0/userspace/libsinsp/utils.c Use INET6_ADDRSTRLEN as destination buffer size. Fixes: falcosecurity/libs#2573 Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
3 participants
This PR applies the changes that were made by stackrox staff to the sysdig fork unto the falcosecurity-libs fork.
Some extra changes were needed in order to ensure collector plays nice with this new submodule: