Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

new: add setre*id syscall family #1871

Merged
merged 5 commits into from
Jun 25, 2024
Merged

new: add setre*id syscall family #1871

merged 5 commits into from
Jun 25, 2024

Conversation

therealbobo
Copy link
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

@poiana poiana requested review from hbrueckner and LucaGuerra May 16, 2024 11:11
@poiana poiana added the size/XL label May 16, 2024
@github-actions GitHub Actions
Copy link

Please double check driver/API_VERSION file. See versioning.

/hold

@therealbobo therealbobo force-pushed the add-missing-parsers branch from c70bc18 to df8f2aa Compare May 16, 2024 12:02
@FedeDP
Copy link
Contributor

FedeDP commented May 17, 2024

/milestone next-driver

@poiana poiana added this to the next-driver milestone May 17, 2024
@therealbobo therealbobo force-pushed the add-missing-parsers branch from df8f2aa to ec22f2e Compare June 19, 2024 10:13
Andreagit97
Andreagit97 reviewed Jun 21, 2024
View reviewed changes
driver/event_table.c Outdated Show resolved Hide resolved
@therealbobo therealbobo force-pushed the add-missing-parsers branch from ec22f2e to ffe53cb Compare June 21, 2024 08:39
@github-actions GitHub Actions
Copy link

Perf diff from master - unit tests

    12.80%     -1.78%  [.] sinsp_parser::reset
     0.67%     +1.37%  [.] scap_event_decode_params
     4.01%     -1.07%  [.] sinsp_thread_manager::get_thread_ref
     4.14%     +0.98%  [.] sinsp_parser::process_event
     4.21%     -0.86%  [.] gzfile_read
     9.09%     -0.73%  [.] sinsp_thread_manager::find_thread
     7.02%     +0.60%  [.] next
     2.34%     -0.59%  [.] libsinsp::sinsp_suppress::process_event
     0.54%     +0.58%  [.] sinsp_utils::concatenate_paths[abi:cxx11]
     1.01%     -0.56%  [.] sinsp_threadinfo::~sinsp_threadinfo

Perf diff from master - scap file

    15.88%     -6.35%  [.] libsinsp::runc::match_container_id
    11.85%     -5.91%  [.] gzfile_read
     4.10%     +3.94%  [.] sinsp_filter_check::tostring
    11.86%     -3.46%  [.] sinsp_filter_check_thread::extract_single
     8.08%     -3.11%  [.] sinsp_filter_check::rawval_to_string
    16.08%     +2.53%  [.] sinsp_filter_check::extract
    11.77%     +0.93%  [.] sinsp_evt_formatter::tostring_withformat
     4.09%     -0.81%  [.] std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, libsinsp::state::dynamic_struct::field_info>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, libsinsp::state::dynamic_struct::field_info> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::find
    12.22%     +0.69%  [.] sinsp_filter_check_event::extract_single
     4.09%     -0.51%  [.] sinsp_parser::process_event

Andreagit97
Andreagit97 reviewed Jun 21, 2024
View reviewed changes
Copy link
Member

@Andreagit97 Andreagit97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing job, thank you!

driver/syscall_table.c Outdated Show resolved Hide resolved
userspace/libsinsp/parsers.cpp Outdated Show resolved Hide resolved
userspace/libsinsp/parsers.cpp Outdated
if(new_euid < std::numeric_limits<uint32_t>::max())
{
if (evt->get_thread_info()) {
evt->get_thread_info()->set_user(new_euid);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not related to this PR.
Looking inside set_user code, why are we copying all the user info inside each thread info? wouldn't it be better to just save a shared pointer to a user struct with all the info? Is there a particular reason why we are doing this? @FedeDP

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes that's because if a process foo is started as user pippo but then user pippo is removed from the system (while the process runs), we should still be able to tell that process foo has user pippo even if it is not existing anymore, since that is the user it was started by.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that i think about it, perhaps a shared_ptr would do the trick too!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep the user info should be available until the last thread using it is dead

userspace/libsinsp/parsers.cpp Outdated Show resolved Hide resolved
@therealbobo therealbobo force-pushed the add-missing-parsers branch from ffe53cb to f093284 Compare June 21, 2024 10:03
@github-actions GitHub Actions
Copy link

Perf diff from master - unit tests

     2.00%     +1.44%  [.] sinsp_parser::event_cleanup
     7.03%     -1.42%  [.] next
    12.81%     -1.17%  [.] sinsp_parser::reset
     0.67%     +1.03%  [.] scap_event_decode_params
     9.10%     -0.89%  [.] sinsp_thread_manager::find_thread
     0.40%     +0.85%  [.] sinsp_threadinfo::get_fd
     0.87%     -0.63%  [.] sinsp_parser::parse_rw_exit
     0.86%     -0.62%  [.] sinsp_container_manager::resolve_container
     0.88%     -0.55%  [.] sinsp_filter_check::parse_field_name
     0.54%     +0.53%  [.] scap_event_encode_params_v

Perf diff from master - scap file

    16.14%     +6.29%  [.] sinsp_filter_check::extract
    11.81%     +6.23%  [.] sinsp_evt_formatter::tostring_withformat
    15.93%     -5.25%  [.] libsinsp::runc::match_container_id
    11.90%     -5.15%  [.] sinsp_filter_check_thread::extract_single
     3.99%     +3.01%  [.] sinsp_evt::get_param_as_str
     4.08%     +2.95%  [.] get_event
    11.89%     -2.52%  [.] gzfile_read
     8.10%     -2.49%  [.] sinsp_filter_check::rawval_to_string
     3.83%     +0.29%  [.] sinsp_utils::ts_to_string
     4.10%     +0.14%  [.] sinsp_parser::process_event

@therealbobo therealbobo force-pushed the add-missing-parsers branch from f093284 to a7fbbc8 Compare June 21, 2024 10:33
@github-actions GitHub Actions
Copy link

Perf diff from master - unit tests

     0.67%     +1.25%  [.] scap_event_decode_params
     9.05%     -1.24%  [.] sinsp_thread_manager::find_thread
     8.07%     -0.94%  [.] sinsp::next
     4.20%     +0.69%  [.] gzfile_read
     0.87%     -0.58%  [.] sinsp_filter_check::parse_field_name
     0.87%     -0.56%  [.] sinsp_parser::parse_rw_exit
     3.58%     -0.50%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release
     2.33%     -0.44%  [.] libsinsp::sinsp_suppress::process_event
     1.00%     +0.44%  [.] scap_next
     2.13%     +0.44%  [.] sinsp::fetch_next_event

Perf diff from master - scap file

    19.67%     +5.89%  [.] sinsp_evt_formatter::tostring_withformat
     6.85%     +4.04%  [.] sinsp_filter_check::tostring
    26.88%     +2.85%  [.] sinsp_filter_check::extract
    20.43%     -1.30%  [.] sinsp_filter_check_event::extract_single
     6.38%     +0.91%  [.] sinsp_utils::ts_to_string
     6.19%     +0.89%  [.] libsinsp::container_engine::bpm::resolve
     6.75%     +0.69%  [.] sinsp_thread_manager::get_thread_ref
     6.84%     +0.67%  [.] sinsp_parser::process_event

Andreagit97
Andreagit97 reviewed Jun 21, 2024
View reviewed changes
Copy link
Member

@Andreagit97 Andreagit97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! it would be great to add a bunch of userspace tests for these new parsers https://github.com/falcosecurity/libs/tree/master/userspace/libsinsp/test/parsers just to check we are doing the right thing

@therealbobo therealbobo force-pushed the add-missing-parsers branch from a7fbbc8 to bb9f9ff Compare June 24, 2024 15:09
@poiana poiana added size/XXL and removed size/XL labels Jun 24, 2024
@therealbobo therealbobo force-pushed the add-missing-parsers branch from bb9f9ff to c0a45c2 Compare June 24, 2024 15:12
@github-actions GitHub Actions
Copy link

Perf diff from master - unit tests

    12.88%     -2.31%  [.] sinsp_parser::reset
     4.17%     +1.80%  [.] sinsp_parser::process_event
     9.15%     -1.33%  [.] sinsp_thread_manager::find_thread
     2.36%     -1.32%  [.] libsinsp::sinsp_suppress::process_event
     0.67%     +1.04%  [.] scap_event_decode_params
     0.54%     +1.03%  [.] scap_event_encode_params_v
     3.62%     -0.83%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release
     4.24%     -0.72%  [.] gzfile_read
     0.79%     +0.57%  [.] 0x00000000000e2a14
     0.88%     -0.54%  [.] sinsp_filter_check::parse_field_name

Perf diff from master - scap file

    15.23%     -8.49%  [.] libsinsp::runc::match_container_id
    11.65%     -6.13%  [.] sinsp::next
    15.43%     +3.74%  [.] sinsp_filter_check::extract
    11.38%     -3.69%  [.] sinsp_filter_check_thread::extract_single
    11.29%     +2.60%  [.] sinsp_evt_formatter::tostring_withformat
    11.73%     -1.92%  [.] sinsp_filter_check_event::extract_single
     3.88%     +1.47%  [.] sinsp_thread_manager::get_thread_ref
     3.93%     +1.45%  [.] sinsp_parser::reset
     3.93%     +1.45%  [.] sinsp_filter_check::tostring
     7.75%     -1.21%  [.] sinsp_filter_check::rawval_to_string

Andreagit97
Andreagit97 approved these changes Jun 25, 2024
View reviewed changes
Copy link
Member

@Andreagit97 Andreagit97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label Jun 25, 2024
@poiana
Copy link
Contributor

poiana commented Jun 25, 2024

LGTM label has been added.

Git tree hash: ca3c6dc541927fb5b23c34b0435d4481c3a079e7

FedeDP
FedeDP approved these changes Jun 25, 2024
View reviewed changes
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented Jun 25, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, therealbobo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@FedeDP
Copy link
Contributor

FedeDP commented Jun 25, 2024

/unhold

@poiana poiana merged commit 1a7aeba into falcosecurity:master Jun 25, 2024
53 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Andreagit97 Andreagit97 Andreagit97 approved these changes

@FedeDP FedeDP FedeDP approved these changes

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

@LucaGuerra LucaGuerra Awaiting requested review from LucaGuerra

Assignees

@FedeDP FedeDP

@Andreagit97 Andreagit97

Labels
approved area/driver-bpf area/driver-kmod area/driver-modern-bpf area/libsinsp area/tests dco-signoff: yes kind/feature New feature or request lgtm release-note-none size/XXL
Projects
None yet
Milestone
7.3.0+driver
Development

Successfully merging this pull request may close these issues.
4 participants
@therealbobo @FedeDP @poiana @Andreagit97