[FEAT] add new bpf_attach event #2003

Closed
1 of 4 tasks
roikol opened this issue Jul 21, 2022 · 0 comments · Fixed by #2079
roikol commented Jul 21, 2022

Prerequisites

  • This issue is an EPIC issue (add label: EPIC).
  • This issue is an EPIC TASK (add issue to EPIC description).

Select one OR another:

  • I'll create a PR to implement this feature (assign to yourself).
  • Someone else should implement this (describe it well).

Feature description

This feature is about adding a bpf_attach event.
This event will indicate a bpf program being attached to a system event (kprobe, tracepoint, etc.).

This event will then be used in signatures.

roikol added this to the v0.9.0-rc1 milestone Oct 12, 2022
rafaeldtinoco pushed a commit that referenced this issue Oct 19, 2022
The bpf_attach_event indicates when an eBPF program is attached to a perf
event. The event includes arguments describing the eBPF program AND arguments
describing the perf event the program was attached to.

Fixes: #2003

eBPF programs can be attached to a perf event by 2 different means:

1. calling ioctl syscall w/ PERF_EVENT_IOC_SET_BPF command.
2. calling bpf syscall w/ BPF_LINK_CREATE command (newer kernels).

In both cases, the attachment happens in between an already loaded eBPF program
and an already created perf event.

NOTE:

  The "prog_write_user" argument: this argument indicates whether or not the
  bpf program uses the "bpf_probe_write_user" helper (to be used in
  signatures).

  This information comes from some kprobes added to the eBPF verifier logic,
  requiring some temporary eBPF maps for the logic to work: check_helper_call,
  check_map_func_compatibility and security_bpf_prog use information from a
  temporary map because they're all executed in the same syscall context.
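The commit message above says the event's `prog_write_user` argument exists so that signatures can flag programs that use the `bpf_probe_write_user` helper. The following is an added example of how such a signature could consume a stream of bpf_attach events; it is not Tracee's own code. It assumes events arrive as JSON lines with an `args` object; only the `prog_write_user` name comes from the page, while `prog_name`, `prog_type`, `attach_type`, `perf_symbol` and `attach_method` (the ioctl vs. bpf-link path) are assumed field names, and all sample lines are constructed.

```python
"""Signature-style detection over a constructed bpf_attach event stream.

Added example, not Tracee's code. Field names other than prog_write_user
are assumptions chosen for the illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample event lines (not captured from a real host).
# - first event: a tracer attaching a kprobe program that does not write user memory
# - second event: a program attached via PERF_EVENT_IOC_SET_BPF that uses bpf_probe_write_user
# - third event: an older-style event with no prog_write_user flag at all
# - fourth line: an unrelated event type; fifth line: malformed input
SAMPLE_EVENTS = """\
{"eventName":"bpf_attach","processName":"tracee","args":{"prog_name":"trace_execve","prog_type":"BPF_PROG_TYPE_KPROBE","attach_type":"kprobe","perf_symbol":"__x64_sys_execve","prog_write_user":false,"attach_method":"bpf_link_create"}}
{"eventName":"bpf_attach","processName":"loader","args":{"prog_name":"patch_read","prog_type":"BPF_PROG_TYPE_KPROBE","attach_type":"kretprobe","perf_symbol":"vfs_read","prog_write_user":true,"attach_method":"perf_event_ioc_set_bpf"}}
{"eventName":"bpf_attach","processName":"bpftrace","args":{"prog_name":"probe_open","prog_type":"BPF_PROG_TYPE_TRACEPOINT","attach_type":"tracepoint","perf_symbol":"syscalls:sys_enter_openat","attach_method":"bpf_link_create"}}
{"eventName":"sched_process_exec","processName":"bash","args":{"pathname":"/usr/bin/ls"}}
{this line is not valid json
"""


@dataclass(frozen=True)
class Finding:
    """One signature hit: which process attached which program, and where."""
    process: str
    prog_name: str
    attach_type: str
    perf_symbol: str
    attach_method: str


def parse_events(text: str) -> Iterator[dict]:
    """Yield bpf_attach events from JSON-lines input.

    Other event types and malformed lines are skipped rather than raised on,
    so one bad line does not stop the signature from seeing later events.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("eventName") == "bpf_attach":
            yield event


def evaluate(text: str) -> List[Finding]:
    """Return a Finding for every bpf_attach event whose program uses
    bpf_probe_write_user (prog_write_user == true).

    A missing flag is treated as unknown, not as true: an event that cannot
    tell us about the helper must not produce a hit on its own.
    """
    findings: List[Finding] = []
    for event in parse_events(text):
        args = event.get("args", {})
        if args.get("prog_write_user") is True:
            findings.append(
                Finding(
                    process=event.get("processName", "?"),
                    prog_name=args.get("prog_name", "?"),
                    attach_type=args.get("attach_type", "?"),
                    perf_symbol=args.get("perf_symbol", "?"),
                    attach_method=args.get("attach_method", "?"),
                )
            )
    return findings


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(
            f"[bpf_probe_write_user] process={hit.process} prog={hit.prog_name} "
            f"{hit.attach_type}:{hit.perf_symbol} via {hit.attach_method}"
        )
```

Run against the constructed lines, the signature reports only the `patch_read` program: the first event carries `prog_write_user: false`, the third has no flag and is deliberately not treated as a hit, and the non-bpf_attach and malformed lines are ignored. Recording `attach_method` in the finding keeps both attachment paths the commit describes (the ioctl command and `BPF_LINK_CREATE`) visible to whoever triages the alert.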