[do-not-merge] Test latest changes to custom probe #1073
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Skipping CI for Draft Pull Request. |
|
Molter73
force-pushed
the
mauro/kcrane-collector-rebase
branch
from
af74ec6 to
b716355
Compare
Install the sched/ tracepoints only if the respective capture symbolic constant is defined. Also w/o BPF_SUPPORTS_RAW_TRACEPOINTS, the `schred_process_fork` tracepoint cannot be used and, hence, disable it. Signed-off-by: Hendrik Brueckner <[email protected]>
The Falco libs BPF driver is designed to catch all syscalls through the sys_enter and sys_exit tracepoints. The collector custom probe attaches to particular system calls only. In that case, the tracepoint context depends on the syscall with a syscall-specific format (structure). This commit converts the syscall-specific format into the format sys enter format expected by Falco's BPF driver and filler programs. Previously, the custom probe copied data from beyond the tracepoint context. This resulted in offset check failure and a permission denied when attaching BPF probe (see also notes in the custom probe). This is the sys enter path. For the sys exit path, the syscall-specific exit format (which is identical for direct attached syscalls) needs to be aligned (wrt. to offsets) with the 'catch-all' sys exit format. Signed-off-by: Hendrik Brueckner <[email protected]>
Introduce a symbolic constant to determine if custom collector probe or the legacy collector probe (RHEL-7 / "catch-all") is used. Note that this is also required to align the syscall tracepoint formats on the exit event of direct vs. generic syscall exit. Signed-off-by: Hendrik Brueckner <[email protected]>
For s390x, glibc, Golang use the "socketcall" syscall to multiplex socket calls (e.g. connect, accept, ...). This commit provides the necessary entry/exit path to handle socketcalls. Respective socketcall handling is also required in the Falco BPF driver. For the collector custom probe, additional changes are required because BPF_SUPPORTS_RAW_TRACEPOINTS is not used. Also the socketcall implementation filters socket calls according to the defined collector syscalls (on enter and exit syscall path). For the syscall enter, also do pre-filtering in the custom probe because of direct access to the socketcall arguments. Signed-off-by: Hendrik Brueckner <[email protected]>
Co-authored-by: Giles Hutton <[email protected]> Signed-off-by: Hendrik Brueckner <[email protected]>
Signed-off-by: Hendrik Brueckner <[email protected]>
Suggested-by: Hendrik Brueckner <[email protected]> Signed-off-by: Mauro Ezequiel Moltrasio <[email protected]>
Co-authored-by: Hendrik Brueckner <[email protected]> Signed-off-by: Mauro Ezequiel Moltrasio <[email protected]>
Signed-off-by: Hendrik Brueckner <[email protected]>
Signed-off-by: Hendrik Brueckner <[email protected]>
This reverts commit 3e21636.
…events/syscalls/sys_enter_setgid/format
Molter73
force-pushed
the
mauro/kcrane-collector-rebase
branch
from
3f6ffeb to
72e7eaa
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR is a mirror of #1072 meant for testing only. It will not be merged and reviews should be redirected to the previously mentioned PR.
Checklist
Automated testing
If any of these don't apply, please comment below.
Testing Performed
TODO(replace-me)
Use this space to explain how you tested your PR, or, if you didn't test it, why you did not do so. (Valid reasons include "CI is sufficient" or "No testable changes")
In addition to reviewing your code, reviewers must also review your testing instructions, and make sure they are sufficient.
For more details, ref the Confluence page about this section.