tetragon:api: support kprobes object #2206
Conversation
This adds KernelKprobe object to trace operations on kprobe objects. Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
tixxdz
added
the
release-note/minor
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
tixxdz
force-pushed
the
pr/tixxdz/kprobe-tracing-v1
branch
2 times, most recently
from
b84eacc
to
4f93357
Compare
tixxdz
force-pushed
the
pr/tixxdz/kprobe-tracing-v1
branch
from
4f93357
to
f34ad23
Compare
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
tixxdz
force-pushed
the
pr/tixxdz/kprobe-tracing-v1
branch
from
f34ad23
to
d48081f
Compare
|
Is the intent of this feature to provide observability into kprobe loads by non-Tetragon users? |
The feature is for our users! both load and unload of kprobes including bpf via kprobes. |
ah got you: yes a catch all ;-) |
| @@ -6580,3 +6581,249 @@ spec: | |||
| err = jsonchecker.JsonTestCheck(t, checker) | |||
| assert.NoError(t, err) | |||
| } | |||
|
|
|||
| func getArmKprobeSymb(kSymbols *ksyms.Ksyms) string { | |||
| if kSymbols.IsAvailable("arm_kprobe") == true { | |||
There was a problem hiding this comment.
a nit but you don't need an extra comparison here, as with all the if and else if with bool == true.
| if kSymbols.IsAvailable("arm_kprobe") == true { | |
| if kSymbols.IsAvailable("arm_kprobe") { |
| #define KSYM_NAME_LEN 128U | ||
| #endif | ||
|
|
||
| struct msg_kprobe { |
There was a problem hiding this comment.
We also may want to capture flags here, as it contains some useful state info:
/* Kprobe status flags */
#define KPROBE_FLAG_GONE 1 /* breakpoint has already gone */
#define KPROBE_FLAG_DISABLED 2 /* probe is temporarily disabled */
#define KPROBE_FLAG_OPTIMIZED 4 /*
* probe is really optimized.
* NOTE:
* this flag is only for optimized_kprobe.
*/
#define KPROBE_FLAG_FTRACE 8 /* probe is using ftrace */
#define KPROBE_FLAG_ON_FUNC_ENTRY 16 /* probe is on the function entry */
| u64 addr; | ||
| u32 offset; | ||
| u32 pad; | ||
| char symbol[KSYM_NAME_LEN]; |
There was a problem hiding this comment.
is it necessary to send the symbol? I'd think that the ksyms.KernelSymbols/kernelSymbols.GetFnOffset on user side that you already use should be fast enough
| description: "Detects kprobes operations" | ||
| spec: | ||
| kprobes: | ||
| - call: ` + arm_kprobe + ` |
There was a problem hiding this comment.
hum, so this should not work with kprobe multi, I'd think you need to add option like:
options:
- name: "disable-kprobe-multi"
value: "1"
|
not too much docs ;-) if the objective is to monitor kprobes/bpf-progs I think we should hook fprobe as well for kprobe multi probes |
kkourt
added
the
needs-rebase
No description provided.