Add kernel stack traces to kprobes events #1429
Conversation
mtardy
added
kind/enhancement
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
mtardy
force-pushed
the
pr/mtardy/stack-traces
branch
from
f15b64f to
643e49c
Compare
mtardy
force-pushed
the
pr/mtardy/stack-traces
branch
3 times, most recently
from
426456e to
aad5d33
Compare
bit late to the discussion, so sorry if I missed something.. but seems like this kind of setup will trigger the filtering code even if it's not necessary, because the selector is empty and actions tail call does not need to be called could we perhaps instead add flag/bool to config_map and call get_stackid in generic_output? with spec like: spec:
kprobes:
- call: kfree_skb_reason
stackTrace: true |
+1 for @olsajiri suggestion, as this should apply to all actions or triggered probes anyway Another thing inside the doc please state clearly that this feature prints kernel addresses, so please ensure to use unix socket for the API when loading tracing policies.... The kernel has some protections to restrict unprivileged from printing kernel addresses... hmm we need to think about this |
This is already in the doc! 😄 |
|
About putting this thing out of selectors, indeed it makes sense. We had discussions offline about moving that thing from another action to a parameter to post with @kkourt and @tixxdz, but indeed moving it out of selectors makes sense. I think here we have a "UI" vs "how things work" clash a little bit. |
kkourt
added
the
needs-rebase
The downside of having it as a global option is that you don't get to have a different option for different selectors. I'd also expect the selector filtering code to be lightweight if there are nothing to match, but could be wrong on that. I'd prefer having it as a part of the selector. If performance is an issue, I think we can fix it by having a global option and pass it to bpf if all selectors have the stack trace enabled. |
|
That warning about the addrs I find a bit alarming. I don't actually think its as serious of an issue as the warning states however. How about just blinding the addresses for now by mask and hash? |
mtardy
force-pushed
the
pr/mtardy/stack-traces
branch
from
aad5d33 to
2abeb51
Compare
mtardy
removed
the
needs-rebase
do we want to use the same hash as the kernel or we don't care? I think the kernel does something like: +/* Maps a pointer to a 32 bit unique identifier. */
+static char *ptr_to_id(char *buf, char *end, void *ptr, struct printf_spec spec)
+{
+ unsigned long hashval;
+ const int default_width = 2 * sizeof(void *);
+
+ if (unlikely(!have_filled_random_ptr_key)) {
+ spec.field_width = default_width;
+ /* string length must be less than default_width */
+ return string(buf, end, "(ptrval)", spec);
+ }
+
+#ifdef CONFIG_64BIT
+ hashval = (unsigned long)siphash_1u64((u64)ptr, &ptr_key);
+ /*
+ * Mask off the first 32 bits, this makes explicit that we have
+ * modified the address (and 32 bits is plenty for a unique ID).
+ */
+ hashval = hashval & 0xffffffff;
+#else
+ hashval = (unsigned long)siphash_1u32((u32)ptr, &ptr_key);
+#endif
+
+ spec.flags |= SMALL;
+ if (spec.field_width == -1) {
+ spec.field_width = default_width;
+ spec.flags |= ZEROPAD;
+ }
+ spec.base = 16;
+
+ return number(buf, end, hashval, spec);
+} |
mtardy
force-pushed
the
pr/mtardy/stack-traces
branch
from
2abeb51 to
8812d66
Compare
Since there was only one flag value, userspace was checking for values superior to 0 naively. Fixed this using a bitwise flag in order to extend that flag in next commit for stack traces. Signed-off-by: Mahe Tardy <[email protected]>
With this new field for the post action, you can add "stackTrace: true"
in your selector's matchActions like that, for "kfree_skb_reason":
kprobes:
- call: kfree_skb_reason
selectors:
- matchActions:
- action: post
stackTrace: true
This will add a new "stack_trace" field on the "process_kprobe"
event, the output will be similar to this:
{
"address": "18446670264256120896",
"offset": "272",
"symbol": "skb_release_head_state"
},
{
"address": "18446670264257081512",
"offset": "88",
"symbol": "ip_protocol_deliver_rcu"
},
{
"address": "18446670264257082152",
"offset": "88",
"symbol": "ip_local_deliver_finish"
},
[...]
Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
It looks similar to this with the new stack trace encoder: syscall /usr/bin/curl kfree_skb_reason 0xffffbcdee5bf4840: skb_release_head_state+0x110 0xffffbcdee5be3678: __sys_connect_file+0x88 0xffffbcdee5be376c: __sys_connect+0xbc 0xffffbcdee5be37bc: __arm64_sys_connect+0x28 0xffffbcdee4dfcd68: invoke_syscall+0x78 0xffffbcdee4dfcf70: el0_svc_common.constprop.0+0x180 0xffffbcdee4dfcfa4: do_el0_svc+0x30 0xffffbcdee5e861e8: el0_svc+0x48 0xffffbcdee5e881b4: el0t_64_sync_handler+0xa4 0xffffbcdee4de1e38: el0t_64_sync+0x1a4 Signed-off-by: Mahe Tardy <[email protected]>
The feature was changed in 92a7652 to only work on the Post action which was not reflected in the doc. This commit changes that. Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
A non correctly initizalized ksym could lead to a panic if we try to retrieve an offset from it. Signed-off-by: Mahe Tardy <[email protected]>
mtardy
force-pushed
the
pr/mtardy/stack-traces
branch
from
8812d66 to
8958dbc
Compare
|
|
mtardy
force-pushed
the
pr/mtardy/stack-traces
branch
from
8958dbc to
c769668
Compare
Kernel addresses might not be exposed in stack traces by default for security reasons and this add a flag `--expose-kernel-addresses` to opt-in for that behavior. Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
This test makes sure this feature is not broken and continues working. Signed-off-by: Mahe Tardy <[email protected]>
Here is the issue, for example: - In the case of simple kprobe: map name is: gkp-sensor-1-gkp-0-name_map with gk.pinPathPrefix = gkp-sensor-1-gkp-0 - In the case of multi kprobe: map name is gkp-sensor-1-multi_kprobe-name_map with gk.pinPathPrefix = gkp-sensor-1 in the second. In the case of multi kprobe, the pinPathPrefix is wrong, it should be gk.pinPathPrefix = gkp-sensor-1-multi_kprobe. Signed-off-by: Mahe Tardy <[email protected]>
mtardy
force-pushed
the
pr/mtardy/stack-traces
branch
from
c769668 to
8c8c274
Compare
|
Merging this, the only CI fails is because https://www.virtualbox.org/ is, as often, down. I need to add to the link checker ignore list. |
kkourt
added
release-note/major
See individual commits for info.
See related documentation preview.
Preview
Looks like this with the following tracing policy:
And doing
With
The output looks like this (with color):