[v0.22.3] feat(ebpf): restrict set_fs_pwd to (f)chdir syscall #4360

Closed
wants to merge 21 commits into from

Conversation

geyslan
Member

@geyslan geyslan commented Oct 21, 2024

1. Explain what the PR does

f0c672d feat(ebpf): restrict set_fs_pwd to (f)chdir syscall (#4359)

commit: ab6344f (main), cherry-pick

2. Explain how to test it

3. Other comments

geyslan and others added 21 commits August 30, 2024 09:16
This also refactors Dockerfile.alpine-tracee-make, splitting it into stages
to improve caching and reduce image size.

Opportunistically, this also changes the previous and
Dockerfile.alpine-tracee-container to use the TARGETARCH docker arg instead
of checking uname -m.

commit: c717339 (main), cherry-pick
commit: 5583089 (main), cherry-pick
commit: d1eaeef (main), cherry-pick
commit: 312a122 (main), backport

[backport]
- update go.mod and go.sum
- use the correct LRU (base events)
- remove unused LRU

commit: 5ba9087 (main), cherry-pick
Kernels 6.7 and above do not have the lookup_dcookie syscall anymore

commit: 34238f1 (main), cherry-pick
In case enrichment is requested on a non container cgroup, return the
metadata struct with an empty container id instead. User is responsible
for handling this "not-found" case by themselves.
Apply this in locations where enrichment is called (pipeline and control
plane).

commit: e4215bd (main), cherry-pick
Make the image info query in containerd enrichment more robust.
Procedure now begins by first querying the containerd image service,
and only then using the cri directly as a fallback.

Additionally, fix a typo in the CRI query which appended the image name
as its digest, even when found.

commit: 126133a (main), cherry-pick
commit: 20a90dc (main), cherry-pick
This reverts commit 330a34e.

commit: 60d4176 (main), cherry-pick
This reverts commit 5a4d505.

commit: e7f4e0d (main), cherry-pick
This reverts commit 7bb2d59.

commit: ed8304d (main), cherry-pick
commit: 3bd1c40 (main), cherry-pick
The expirable LRU cache is not intended to be used in the ProcessTree
type since the TTL would impact its correctness on some scenarios.

Although TTL can be disabled by setting it to 0, it is not a good idea
due to the potential performance impact of its implementation. See the
comparison between the simple LRU and the expirable LRU below:

| Benchmark                              | Exp LRU |  Simple |    %   |
|                                        |  TTL 0  |   LRU   |  Impr. |
|                                        | (ns/op) | (ns/op) |    *   |
|----------------------------------------|---------|---------|--------|
| GetProcessByHash-Concurrency1          | 4.264   | 6.301   | -47.8% |
| GetProcessByHash-Concurrency2          | 14.91   | 19.85   | -33.2% |
| GetProcessByHash-Concurrency4          | 74.03   | 63.22   | 14.6%  |
| GetProcessByHash-Concurrency8          | 247.2   | 174.7   | 29.3%  |
| GetOrCreateProcessByHash-Concurrency1  | 37.02   | 8.370   | 77.4%  |
| GetOrCreateProcessByHash-Concurrency2  | 80.84   | 23.37   | 71.1%  |
| GetOrCreateProcessByHash-Concurrency4  | 181.6   | 75.67   | 58.4%  |
| GetOrCreateProcessByHash-Concurrency8  | 408.3   | 194.5   | 52.4%  |
| GetThreadByHash-Concurrency1           | 38.13   | 7.675   | 79.9%  |
| GetThreadByHash-Concurrency2           | 79.98   | 22.71   | 71.6%  |
| GetThreadByHash-Concurrency4           | 177.1   | 60.76   | 65.7%  |
| GetThreadByHash-Concurrency8           | 403.2   | 190.0   | 52.9%  |
| GetOrCreateThreadByHash-Concurrency1   | 38.16   | 7.996   | 79.0%  |
| GetOrCreateThreadByHash-Concurrency2   | 79.82   | 23.73   | 70.3%  |
| GetOrCreateThreadByHash-Concurrency4   | 177.1   | 67.13   | 62.1%  |
| GetOrCreateThreadByHash-Concurrency8   | 405.1   | 151.3   | 62.7%  |

Therefore, this commit reverts the ProcessTree to use the simple LRU
cache until a better solution is designed.

* Part of the performance improvement is also due to the removal of the
outer lock done by 44e59d3.

commit: 34be604 (main), cherry-pick
This is a field for internal use which holds the zero value
of ArgMeta.Type.

commit: d40bc1f (main), cherry-pick
commit: 41eeb29 (main), backport

[backport]
- bump types using v0.22.0 branch
Some event arguments, such as "interpreter_*" from sched_process_exec,
were not being populated because the kernel might not always provide
them. This was causing errors during the gRPC proto conversion, as
the values couldn't be asserted - they were nil.

With this change, ArgMeta now holds the Zero value of the type, ensuring
that assignment is always possible without requiring additional parsing
in the pipeline.

This also might help parsing since the Zero field will always have
value, making it easier to assert its type instead of checking for
Name field (string).

commit: 4737625 (main), cherry-pick
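As an added illustration of the zero-value fallback this commit describes (example code, not Tracee's own; the ArgMeta/Argument field set and the sched_process_exec sample are assumptions constructed for the demo), contrasting the bare type assertion that fails on a nil argument with one that falls back to ArgMeta.Zero:

```go
package main

import "fmt"

// ArgMeta follows the commit's idea: Type names the wire type and Zero holds
// that type's zero value (field set assumed here, not Tracee's definition).
type ArgMeta struct {
	Name, Type string
	Zero       interface{}
}

// Argument pairs the metadata with the kernel-supplied value, nil if omitted.
type Argument struct {
	ArgMeta
	Value interface{}
}

// Constructed sample from sched_process_exec: the kernel filled pathname but
// left interpreter_pathname unset.
var execArgs = []Argument{
	{ArgMeta{"pathname", "const char*", ""}, "/usr/bin/python3"},
	{ArgMeta{"interpreter_pathname", "const char*", ""}, nil},
}

// assertBefore is the pre-change conversion: a bare type assertion on a nil
// interface panics, which is the proto conversion error the commit describes.
func assertBefore(a Argument) (s string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%s: %v", a.Name, r)
		}
	}()
	return a.Value.(string), nil
}

// assertAfter substitutes ArgMeta.Zero when the kernel omitted the value, so
// the assertion always sees a concrete value of the declared type.
func assertAfter(a Argument) (string, error) {
	v := a.Value
	if v == nil {
		v = a.Zero
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("%s: expected string, got %T", a.Name, v)
	}
	return s, nil
}

func main() { fmt.Println(assertAfter(execArgs[1])) }
```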
'git log --grep old_old_uid_t' in Linux kernel code didn't return any
results.

commit: 2f31471 (main), cherry-pick
@geyslan
Member Author

geyslan commented Oct 21, 2024

wrong branch
