perf: use kprobe for ptrace

yanivagman · yanivagman · commit 5c17a8d43efd · 2024-08-19T10:42:33.000+03:00
diff --git a/pkg/ebpf/c/common/arch.h b/pkg/ebpf/c/common/arch.h
@@ -127,6 +127,7 @@ statfunc struct pt_regs *get_current_task_pt_regs(void)
     #define SYSCALL_FCHDIR                 81
     #define SYSCALL_FCHMOD                 91
     #define SYSCALL_FCHOWN                 93
+    #define SYSCALL_PTRACE                 101
     #define SYSCALL_FSTATFS                138
     #define SYSCALL_READAHEAD              187
     #define SYSCALL_FSETXATTR              190
@@ -275,6 +276,7 @@ statfunc struct pt_regs *get_current_task_pt_regs(void)
     #define SYSCALL_DUP3                   24
     #define SYSCALL_PREADV                 69
     #define SYSCALL_PWRITEV                70
+    #define SYSCALL_PTRACE                 117
     #define SYSCALL_PERF_EVENT_OPEN        241
     #define SYSCALL_RECVMMSG               243
     #define SYSCALL_NAME_TO_HANDLE_AT      264
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -358,6 +358,9 @@ int trace_sys_exit(struct bpf_raw_tracepoint_args *ctx)
     return 0;
 }
 
+// macros for syscall kprobes
+TRACE_SYSCALL(ptrace, SYSCALL_PTRACE)
+
 SEC("raw_tracepoint/sys_execve")
 int syscall__execve_enter(void *ctx)
 {
diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
@@ -224,6 +224,8 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 		ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
 		SecurityTaskSetrlimit:      NewTraceProbe(KProbe, "security_task_setrlimit", "trace_security_task_setrlimit"),
 		SecuritySettime64:          NewTraceProbe(KProbe, "security_settime64", "trace_security_settime64"),
+		Ptrace:                     NewTraceProbe(SyscallEnter, "ptrace", "trace_ptrace"),
+		PtraceRet:                  NewTraceProbe(SyscallExit, "ptrace", "trace_ret_ptrace"),
 
 		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 		ExecTest:            NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),
diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
@@ -150,6 +150,8 @@ const (
 	ExecuteAtFinishedCompatARM
 	SecurityTaskSetrlimit
 	SecuritySettime64
+	Ptrace
+	PtraceRet
 )
 
 // Test probe handles
diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -2690,14 +2690,8 @@ var CoreEvents = map[ID]Definition{
 		},
 		dependencies: Dependencies{
 			probes: []Probe{
-				{handle: probes.SyscallEnter__Internal, required: true},
-				{handle: probes.SyscallExit__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Ptrace)}},
-				{"sys_enter_submit_tail", "sys_enter_submit", []uint32{uint32(Ptrace)}},
-				{"sys_exit_init_tail", "sys_exit_init", []uint32{uint32(Ptrace)}},
-				{"sys_exit_submit_tail", "sys_exit_submit", []uint32{uint32(Ptrace)}},
+				{handle: probes.Ptrace, required: true},
+				{handle: probes.PtraceRet, required: true},
 			},
 		},
 	},

Original file line number	Diff line number	Diff line change
`@@ -358,6 +358,9 @@ int trace_sys_exit(struct bpf_raw_tracepoint_args *ctx)`
`358`	`358`	`return 0;`
`359`	`359`	`}`
`360`	`360`
	`361`	`+// macros for syscall kprobes`
	`362`	`+TRACE_SYSCALL(ptrace, SYSCALL_PTRACE)`
	`363`	`+`
`361`	`364`	`SEC("raw_tracepoint/sys_execve")`
`362`	`365`	`int syscall__execve_enter(void *ctx)`
`363`	`366`	`{`
Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,8 @@ const (`
`150`	`150`	`ExecuteAtFinishedCompatARM`
`151`	`151`	`SecurityTaskSetrlimit`
`152`	`152`	`SecuritySettime64`
	`153`	`+ Ptrace`
	`154`	`+ PtraceRet`
`153`	`155`	`)`
`154`	`156`
`155`	`157`	`// Test probe handles`