[DO NOT MERGE] testing s390x branches #1170
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Install the sched/ tracepoints only if the respective capture symbolic constant is defined. Also w/o BPF_SUPPORTS_RAW_TRACEPOINTS, the `schred_process_fork` tracepoint cannot be used and, hence, disable it. Signed-off-by: Hendrik Brueckner <[email protected]>
The Falco libs BPF driver is designed to catch all syscalls through the sys_enter and sys_exit tracepoints. The collector custom probe attaches to particular system calls only. In that case, the tracepoint context depends on the syscall with a syscall-specific format (structure). This commit converts the syscall-specific format into the format sys enter format expected by Falco's BPF driver and filler programs. Previously, the custom probe copied data from beyond the tracepoint context. This resulted in offset check failure and a permission denied when attaching BPF probe (see also notes in the custom probe). This is the sys enter path. For the sys exit path, the syscall-specific exit format (which is identical for direct attached syscalls) needs to be aligned (wrt. to offsets) with the 'catch-all' sys exit format. Signed-off-by: Hendrik Brueckner <[email protected]>
Introduce a symbolic constant to determine if custom collector probe or the legacy collector probe (RHEL-7 / "catch-all") is used. Note that this is also required to align the syscall tracepoint formats on the exit event of direct vs. generic syscall exit. Signed-off-by: Hendrik Brueckner <[email protected]>
For s390x, glibc, Golang use the "socketcall" syscall to multiplex socket calls (e.g. connect, accept, ...). This commit provides the necessary entry/exit path to handle socketcalls. Respective socketcall handling is also required in the Falco BPF driver. For the collector custom probe, additional changes are required because BPF_SUPPORTS_RAW_TRACEPOINTS is not used. Also the socketcall implementation filters socket calls according to the defined collector syscalls (on enter and exit syscall path). For the syscall enter, also do pre-filtering in the custom probe because of direct access to the socketcall arguments. Signed-off-by: Hendrik Brueckner <[email protected]>
Co-authored-by: Giles Hutton <[email protected]> Signed-off-by: Hendrik Brueckner <[email protected]>
Signed-off-by: Hendrik Brueckner <[email protected]>
Suggested-by: Hendrik Brueckner <[email protected]> Signed-off-by: Mauro Ezequiel Moltrasio <[email protected]>
Co-authored-by: Hendrik Brueckner <[email protected]> Signed-off-by: Mauro Ezequiel Moltrasio <[email protected]>
Signed-off-by: Hendrik Brueckner <[email protected]>
Signed-off-by: Hendrik Brueckner <[email protected]>
This reverts commit 3e21636.
…events/syscalls/sys_enter_setgid/format
…rebase-2023-03-23
|
Skipping CI for Draft Pull Request. |
|
Stringy
force-pushed
the
giles/testing-s390x-changes
branch
from
35d7d4d to
209d73d
Compare
|
Closing, as original PR is now merged |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Running CI for #1072