[CWS] fix procfs lineage on eBPFLess (#24771)
* [CWS] fix procfs lineage

* use len of selftests for the chan size
safchain authored and CelianR committed Apr 26, 2024
1 parent 73da0b6 commit 0fba70f
Showing 6 changed files with 50 additions and 13 deletions.
4 changes: 2 additions & 2 deletions cmd/cws-instrumentation/subcommands/tracecmd/trace.go
Expand Up @@ -24,7 +24,7 @@ const (
// envDisableStats defines the environment variable to set to disable avoidable stats
envDisableStats = "DD_CWS_INSTRUMENTATION_DISABLE_STATS"
// envDisableProcScan defines the environment variable to disable procfs scan
// envDisableProcScan = "DD_CWS_INSTRUMENTATION_DISABLE_PROC_SCAN"
envDisableProcScan = "DD_CWS_INSTRUMENTATION_DISABLE_PROC_SCAN"
// envProcScanRate defines the rate of the prodfs scan
envProcScanRate = "DD_CWS_INSTRUMENTATION_PROC_SCAN_RATE"
)
Expand Down Expand Up @@ -103,7 +103,7 @@ func Command() []*cobra.Command {
traceCmd.Flags().Int32Var(&params.GID, gid, -1, "gid used to start the tracee")
traceCmd.Flags().BoolVar(&params.Async, async, false, "enable async GRPC connection")
traceCmd.Flags().BoolVar(&params.DisableStats, disableStats, os.Getenv(envDisableStats) != "", "disable use of stats")
traceCmd.Flags().BoolVar(&params.DisableProcScan, disableProcScan, true, "disable proc scan")
traceCmd.Flags().BoolVar(&params.DisableProcScan, disableProcScan, os.Getenv(envDisableProcScan) != "", "disable proc scan")
traceCmd.Flags().StringVar(&params.ScanProcEvery, scanProcEvery, os.Getenv(envProcScanRate), "proc scan rate")

traceCmd.AddCommand(selftestscmd.Command()...)
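Review bot: The new default for `disableProcScan` (the second of the two printed `BoolVar` lines), `os.Getenv(envDisableProcScan) != ""`, treats every non-empty value as true, so `DD_CWS_INSTRUMENTATION_DISABLE_PROC_SCAN=false` or `=0` switches the procfs scan off. For a runtime security tracer that is a quiet loss of lineage for processes that were already running when the tracer attached. It matches the existing `envDisableStats` line, so the pattern is consistent with the file, but parsing the value is safer: `off, _ := strconv.ParseBool(os.Getenv(envDisableProcScan))` and pass `off` as the default (this needs `strconv` if the file does not import it yet). The comment `// envProcScanRate defines the rate of the prodfs scan` also has a typo for `procfs`. `Command` continues outside the hunk.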
18 changes: 11 additions & 7 deletions pkg/security/probe/probe_ebpfless.go
Expand Up @@ -131,16 +131,20 @@ func (p *EBPFLessProbe) handleSyscallMsg(cl *client, syscallMsg *ebpfless.Syscal
switch syscallMsg.Type {
case ebpfless.SyscallTypeExec:
event.Type = uint32(model.ExecEventType)
var source uint64

var entry *model.ProcessCacheEntry
if syscallMsg.Exec.FromProcFS {
source = model.ProcessCacheEntryFromProcFS
entry = p.Resolvers.ProcessResolver.AddProcFSEntry(
process.CacheResolverKey{Pid: syscallMsg.PID, NSID: cl.nsID}, syscallMsg.Exec.PPID, syscallMsg.Exec.File.Filename,
syscallMsg.Exec.Args, syscallMsg.Exec.ArgsTruncated, syscallMsg.Exec.Envs, syscallMsg.Exec.EnvsTruncated,
syscallMsg.ContainerID, syscallMsg.Timestamp, syscallMsg.Exec.TTY)
} else {
source = model.ProcessCacheEntryFromEvent
entry = p.Resolvers.ProcessResolver.AddExecEntry(
process.CacheResolverKey{Pid: syscallMsg.PID, NSID: cl.nsID}, syscallMsg.Exec.PPID, syscallMsg.Exec.File.Filename,
syscallMsg.Exec.Args, syscallMsg.Exec.ArgsTruncated, syscallMsg.Exec.Envs, syscallMsg.Exec.EnvsTruncated,
syscallMsg.ContainerID, syscallMsg.Timestamp, syscallMsg.Exec.TTY)
}
entry := p.Resolvers.ProcessResolver.AddExecEntry(
process.CacheResolverKey{Pid: syscallMsg.PID, NSID: cl.nsID}, syscallMsg.Exec.PPID, syscallMsg.Exec.File.Filename,
syscallMsg.Exec.Args, syscallMsg.Exec.ArgsTruncated, syscallMsg.Exec.Envs, syscallMsg.Exec.EnvsTruncated,
syscallMsg.ContainerID, syscallMsg.Timestamp, syscallMsg.Exec.TTY, source)

if syscallMsg.Exec.Credentials != nil {
entry.Credentials.UID = syscallMsg.Exec.Credentials.UID
entry.Credentials.EUID = syscallMsg.Exec.Credentials.EUID
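Review bot: Both branches of the `if syscallMsg.Exec.FromProcFS` block pass the same ten arguments, so a later change to one call can miss the other and procfs-sourced and event-sourced entries would drift apart. Selecting the method first keeps a single call site: `add := p.Resolvers.ProcessResolver.AddExecEntry`, then `if syscallMsg.Exec.FromProcFS { add = p.Resolvers.ProcessResolver.AddProcFSEntry }`, then `entry := add(...)`. `FromProcFS` and `PPID` are taken as sent in the client message and now decide how lineage is linked, so a one-line comment stating that these fields are trusted from the tracer (and where that trust is established, if anywhere) would help the next reader. `handleSyscallMsg` starts and continues outside the hunk.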
2 changes: 1 addition & 1 deletion pkg/security/probe/selftests/tester.go
Expand Up @@ -217,7 +217,7 @@ func (t *SelfTester) IsExpectedEvent(rule *rules.Rule, event eval.Event, _ *prob
select {
case t.eventChan <- selfTestEvent:
default:
log.Errorf("self test channel is full, discarding event.\n")
log.Debug("self test channel is full, discarding event.")
}

return true
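Review bot: A discarded self-test event is now reported only at debug level (`log.Debug("self test channel is full, discarding event.")`), so at the default log level nothing records the drop. The same commit sizes the channel in tester_linux.go as `make(chan selfTestEvent, len(selfTests))`, which is smaller than the previous 10 whenever fewer than ten self tests are registered and is unbuffered if the list is empty, so drops may become more frequent rather than rarer. If a discarded event can make a self test report a missed detection (the consumer is not visible here), keep a visible signal such as a rate-limited warning or a counter in the `default:` branch. `IsExpectedEvent` starts and ends outside the hunk.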
2 changes: 1 addition & 1 deletion pkg/security/probe/selftests/tester_linux.go
Expand Up @@ -43,7 +43,7 @@ func NewSelfTester(cfg *config.RuntimeSecurityConfig, probe *probe.Probe) (*Self

s := &SelfTester{
waitingForEvent: atomic.NewBool(cfg.EBPFLessEnabled),
eventChan: make(chan selfTestEvent, 10),
eventChan: make(chan selfTestEvent, len(selfTests)),
selfTestRunning: make(chan time.Duration, 10),
probe: probe,
selfTests: selfTests,
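--- a/pkg/security/ptracer/cws.go
+++ b/pkg/security/ptracer/cws.go
@@ -302,6 +302,9 @@ func StartCWSPtracer(args []string, envs []string, probeAddr string, opts Opts)
 go func() {
 defer wg.Done()
 
+// introduce a delay before starting to scan procfs to let the tracer event first
+time.Sleep(2 * time.Second)
+
 scanProcfs(ctx, tracer.PID, send, every, logger)
 }()
 }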
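Review bot: `time.Sleep(2 * time.Second)` inside the goroutine does not observe `ctx`, so a cancellation during the delay still holds `wg` for up to two seconds before `scanProcfs` can see it. The fixed delay is also only a heuristic for ordering: nothing visible here guarantees the tracer's first events have been sent after two seconds, so the comment should state that assumption. Waiting on the context and a timer together keeps the delay and makes shutdown prompt, assuming `ctx` is the context already passed to `scanProcfs`. The enclosing function starts and ends outside the hunk.

```go
go func() {
	defer wg.Done()

	// delay the procfs scan so that the tracer's own events are sent first;
	// best effort only, the ordering is not guaranteed
	select {
	case <-ctx.Done():
		return
	case <-time.After(2 * time.Second):
	}

	// … unchanged: scanProcfs call …
```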
34 changes: 32 additions & 2 deletions pkg/security/resolvers/process/resolver_ebpfless.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,9 +98,10 @@ func (p *EBPFLessResolver) AddForkEntry(key CacheResolverKey, ppid uint32, ts ui
return entry
}

// AddExecEntry adds an entry to the local cache and returns the newly created entry
func (p *EBPFLessResolver) AddExecEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
// NewEntry returns a new entry
func (p *EBPFLessResolver) NewEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
envs []string, envsTruncated bool, ctrID string, ts uint64, tty string, source uint64) *model.ProcessCacheEntry {

entry := p.processCacheEntryPool.Get()
entry.PIDContext.Pid = key.Pid
entry.PPid = ppid
Expand Down Expand Up @@ -136,6 +137,14 @@ func (p *EBPFLessResolver) AddExecEntry(key CacheResolverKey, ppid uint32, file

entry.ExecTime = time.Unix(0, int64(ts))

return entry
}

// AddExecEntry adds an entry to the local cache and returns the newly created entry
func (p *EBPFLessResolver) AddExecEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
envs []string, envsTruncated bool, ctrID string, ts uint64, tty string) *model.ProcessCacheEntry {
entry := p.NewEntry(key, ppid, file, argv, argsTruncated, envs, envsTruncated, ctrID, ts, tty, model.ProcessCacheEntryFromEvent)

p.Lock()
defer p.Unlock()

Expand All @@ -144,6 +153,27 @@ func (p *EBPFLessResolver) AddExecEntry(key CacheResolverKey, ppid uint32, file
return entry
}

// AddProcFSEntry add a procfs entry
func (p *EBPFLessResolver) AddProcFSEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
envs []string, envsTruncated bool, ctrID string, ts uint64, tty string) *model.ProcessCacheEntry {
entry := p.NewEntry(key, ppid, file, argv, argsTruncated, envs, envsTruncated, ctrID, ts, tty, model.ProcessCacheEntryFromProcFS)

p.Lock()
defer p.Unlock()

parentKey := CacheResolverKey{NSID: key.NSID, Pid: ppid}
if parent := p.entryCache[parentKey]; parent != nil {
if parent.Equals(entry) {
entry.SetParentOfForkChild(parent)
} else {
entry.SetAncestor(parent)
}
}
p.insertEntry(key, entry, p.entryCache[key])

return entry
}

func (p *EBPFLessResolver) insertEntry(key CacheResolverKey, entry, prev *model.ProcessCacheEntry) {
p.entryCache[key] = entry
entry.Retain()
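Review bot: `AddProcFSEntry` inserts unconditionally: `p.insertEntry(key, entry, p.entryCache[key])` replaces whatever is cached for `key`, including an entry that `AddExecEntry` built from a live exec event. Because the procfs scan is now delayed so that tracer events arrive first, a snapshot for an already-tracked PID looks likely, and it would swap event-sourced data for the procfs view unless the scanner or caller filters those PIDs (not visible here). Consider returning the cached entry when it did not come from procfs, or add a comment saying why overwriting is intended. `NewEntry` is exported and returns a pooled entry that has not yet been inserted or retained; its doc comment `// NewEntry returns a new entry` should say so, or the method should be unexported. The body of `NewEntry` lies partly outside the hunks.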
