tetragon: Allow to use data events for char_buf data#789
Conversation
|
static check fails on: can be ignored |
kkourt
left a comment
There was a problem hiding this comment.
Thanks!
Can we add a warning for the cases where the configuration will be ignored from bpf side?
882e71b to
24efc15
Compare
mtardy
left a comment
There was a problem hiding this comment.
Do you think you could document this new feature in the TracingPolicy reference, in the argument paragraph, where we already talk about char_buf and char_iovec: https://tetragon.cilium.io/docs/reference/tracing-policy/#arguments ? Like how this thing interacts with returnCopy maybe as well, what's the difference.
| name: "sys-write" | ||
| spec: | ||
| kprobes: | ||
| - call: "__x64_sys_write" |
There was a problem hiding this comment.
| - call: "__x64_sys_write" | |
| - call: "sys_write" |
Please can you use portable syscall symbols for testing to run on arm64
There was a problem hiding this comment.
sry for late response, I was out... yep, will fix
| name: "sys-write" | ||
| spec: | ||
| kprobes: | ||
| - call: "__x64_sys_write" |
There was a problem hiding this comment.
| - call: "__x64_sys_write" | |
| - call: "sys_write" |
| name: "sys-write" | ||
| spec: | ||
| kprobes: | ||
| - call: "__x64_sys_write" |
There was a problem hiding this comment.
| - call: "__x64_sys_write" | |
| - call: "sys_write" |
| description: This field is used only for char_buf and | ||
| char_iovec types. |
There was a problem hiding this comment.
Would it be possible in this description and all the following to explain what the max field does on top of the fact that you can only use it for char_buf and char_iovec? :)
There was a problem hiding this comment.
hum I copy pasted from previous flag.. need to remove the char_iovec for sure ;-) will add the description, thanks
yes, I will add that, thanks |
|
I rebased new version on top of #885 |
befd652 to
7c3b462
Compare
At the moment argument types like char_buf and cha_iovec will retrieve only certain amount of data dues to the event size limitations. Adding 'maxData' boolean flag that instructs the code to get as much as possible data of the argument. The actual implementation comes in following changes, this is just the tracing policy support. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding support to specify 'max: true' flag for char_buf argument
type to retrieve maximum data.
Using data events (same as for exec sensor) to retrieve and send
data to the user space from bpf program.
It's available for large kernels. Kernels < 5.3 won't load the
generic kprobe with data events due to verifier size limit.
It's possible to use the max flag like:
- call: "__x64_sys_write"
return: false
syscall: true
args:
- index: 0
type: "int"
- index: 1
type: "char_buf"
sizeArgIndex: 3
max: true
- index: 2
type: "size_t"
The data events are used only if the data won't fit into standard
event size.
There's no return kprobe support at the moment. I'm adding this
for terminal sniff, where it's not needed.
The maximum size for char_buf argument with max flag is 327360 bytes.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
The cnt value is passed directly to __copy_char_iovec, there's no need to read it with probe_read. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding tests for maxData flag used in char_buf arg, testing that: - we get truncated data if it's over 4096 bytes and maxData is not used (TestKprobeWriteMaxTrunc) - we get all data over 4096 and maxData is used (TestKprobeWriteMax) - we get maximum data size 327360 bytes (TestKprobeWriteMaxFull) Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding support to specify 'maxData: true' flag for char_buf argument
type to retrieve maximum data.
Using data events (same as for exec sensor) to retrieve and send
data to the user space from bpf program.
It's available for large kernels. Kernels < 5.3 won't load the
generic kprobe with data events due to verifier size limit.
It's possible to use the maxData flag like:
The data events are used only if the data won't fit into standard
event size.
There's no return kprobe support at the moment. I'm adding this
for terminal sniff, where it's not needed.
The maximum size for char_buf argument with maxData flag is 327360 bytes.