ROX-5597 Collect subset of system calls under eBPF (#363)

- Change eBPF probe to short-circuit and drop events similar to kernel module syscall dropping. - At runtime, set syscall_evt_pair struct without UF_USED flag for dropped syscalls in the eBPF map of syscall ids to sysdig event ids. - Remove eBPF tracepoint programs for switch, page fault, and signal events - New probe driver version: sysdig changes: stackrox/sysdig#18
stackrox · Nov 11, 2020 · bafb0d2 · bafb0d2
1 parent cde2282
commit bafb0d2
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 6 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -381,6 +381,7 @@ jobs:
         name: Download missing modules for current version from gcloud bucket
         command: |
           mkdir -p "${WORKSPACE_ROOT}/ko-build/cached-probes/${MODULE_VERSION}"
+          [[ ! -f pr-metadata/labels/no-cache ]] || exit 0
           gsutil -m rsync -r \
             "${COLLECTOR_MODULES_BUCKET}/${MODULE_VERSION}/" \
             "${WORKSPACE_ROOT}/ko-build/cached-probes/${MODULE_VERSION}/" \
@@ -752,7 +753,7 @@ jobs:
         command: |
           gsutil -m cp -n \
               "${COLLECTOR_MODULES_BUCKET}/${MODULE_VERSION}/*.gz" \
-              "${SOURCE_ROOT}/kernel-modules/container/kernel-modules"
+              "${SOURCE_ROOT}/kernel-modules/container/kernel-modules" || true
 
     - run:
         name: Sanity check

diff --git a/collector/collector.cpp b/collector/collector.cpp
@@ -63,6 +63,8 @@ extern "C" {
 #define finit_module(fd, opts, flags) syscall(__NR_finit_module, fd, opts, flags)
 #define delete_module(name, flags) syscall(__NR_delete_module, name, flags)
 
+extern unsigned char g_bpf_drop_syscalls[];  // defined in libscap
+
 using namespace collector;
 
 static std::atomic<CollectorService::ControlValue> g_control(CollectorService::RUN);
@@ -128,7 +130,7 @@ int InsertModule(int fd, const std::unordered_map<std::string, std::string>& arg
 // Method to insert the kernel module. The options to the module are computed
 // from the collector configuration. Specifically, the syscalls that we should
 // extract
-void insertModule(std::vector<std::string> syscall_list) {
+void insertModule(const std::vector<std::string>& syscall_list) {
     std::unordered_map<std::string, std::string> module_args;
 
     std::string& syscall_ids = module_args["s_syscallIds"];
@@ -187,6 +189,22 @@ bool verifyProbeConfiguration() {
     return true;
 }
 
+void setBPFDropSyscalls(const std::vector<std::string>& syscall_list) {
+  // Initialize bpf syscall drop table to drop all
+  for (int i = 0; i < SYSCALL_TABLE_SIZE; i++) {
+    g_bpf_drop_syscalls[i] = 1;
+  }
+  // Do not drop syscalls from given list
+  const EventNames& event_names = EventNames::GetInstance();
+  for (const auto& syscall_str : syscall_list) {
+    for (ppm_event_type event_id : event_names.GetEventIDs(syscall_str)) {
+      uint16_t syscall_id = event_names.GetEventSyscallID(event_id);
+      if (!syscall_id) continue;
+      g_bpf_drop_syscalls[syscall_id] = 0;
+    }
+  }
+}
+
 int main(int argc, char **argv) {
   if (!g_control.is_lock_free()) {
     CLOG(FATAL) << "Could not create a lock-free control variable!";
@@ -225,6 +243,7 @@ int main(int argc, char **argv) {
     if (!verifyProbeConfiguration()) {
       CLOG(FATAL) << "Error verifying ebpf configuration. Aborting...";
     }
+    setBPFDropSyscalls(config.Syscalls());
   } else {
     // First action: drop all capabilities except for SYS_MODULE (inserting the module), SYS_PTRACE (reading from /proc),
     // and DAC_OVERRIDE (opening the device files with O_RDWR regardless of actual permissions).

diff --git a/collector/lib/EventMap.h b/collector/lib/EventMap.h
@@ -31,6 +31,7 @@ You should have received a copy of the GNU General Public License along with thi
 #include "ppm_events_public.h"
 
 #include "EventNames.h"
+#include "Utility.h"
 
 namespace collector {
 
@@ -49,14 +50,14 @@ class EventMap {
 
   T& operator[](uint16_t id) {
     if (id < 0 || id >= values_.size()) {
-      throw CollectorException("Invalid event id " + std::to_string(id));
+      throw CollectorException(Str("Invalid event id ", id));
     }
     return values_[id];
   }
 
   const T& operator[](uint16_t id) const {
     if (id < 0 || id >= values_.size()) {
-      throw CollectorException("Invalid event id " + std::to_string(id));
+      throw CollectorException(Str("Invalid event id ", id));
     }
     return values_[id];
   }

diff --git a/collector/lib/EventNames.cpp b/collector/lib/EventNames.cpp
@@ -22,8 +22,10 @@ You should have received a copy of the GNU General Public License along with thi
 */
 
 #include "EventNames.h"
+#include "Utility.h"
 
 extern const struct ppm_event_info g_event_info[];  // defined in libscap
+extern const struct syscall_evt_pair g_syscall_table[];  // defined in libscap
 
 namespace collector {
 
@@ -35,6 +37,7 @@ const EventNames& EventNames::GetInstance() {
 EventNames::EventNames() {
   for (int i = 0; i < PPM_EVENT_MAX; i++) {
     std::string name(g_event_info[i].name);
+    syscall_by_id_[i] = 0;
     names_by_id_[i] = name;
     ppm_event_type event_type(static_cast<ppm_event_type>(i));
     events_by_name_[name].push_back(event_type);
@@ -44,6 +47,19 @@ EventNames::EventNames() {
       events_by_name_[name + "<"].push_back(event_type);
     }
   }
+  for (int i = 0; i < SYSCALL_TABLE_SIZE; i++) {
+    ppm_event_type enter_evt = g_syscall_table[i].enter_event_type;
+    if (enter_evt < 0 || enter_evt >= syscall_by_id_.size()) {
+      throw CollectorException(Str("Invalid syscall event id ", enter_evt));
+    }
+    syscall_by_id_[enter_evt] = i;
+
+    ppm_event_type exit_evt = g_syscall_table[i].exit_event_type;
+    if (exit_evt < 0 || exit_evt >= syscall_by_id_.size()) {
+      throw CollectorException(Str("Invalid syscall event id ", exit_evt));
+    }
+    syscall_by_id_[exit_evt] = i;
+  }
 }
 
 }  // namespace collector
diff --git a/collector/lib/EventNames.h b/collector/lib/EventNames.h
@@ -32,6 +32,7 @@ You should have received a copy of the GNU General Public License along with thi
 #include "ppm_events_public.h"
 
 #include "CollectorException.h"
+#include "Utility.h"
 
 namespace collector {
 
@@ -49,18 +50,28 @@ class EventNames {
     return it->second;
   }
 
+  // Return event name for given event id
   const std::string& GetEventName(uint16_t id) const {
     if (id < 0 || id >= names_by_id_.size()) {
-      throw CollectorException("Invalid event id " + std::to_string(id));
+      throw CollectorException(Str("Invalid event id ", id));
     }
     return names_by_id_[id];
   }
 
+  // Return associated syscall id for given event id
+  uint16_t GetEventSyscallID(uint16_t id) const {
+    if (id < 0 || id >= syscall_by_id_.size()) {
+      throw CollectorException(Str("Invalid event id ", id));
+    }
+    return syscall_by_id_[id];
+  }
+
  private:
   EventNames();
 
   std::unordered_map<std::string, EventIDVector> events_by_name_;
   std::array<std::string, PPM_EVENT_MAX> names_by_id_;
+  std::array<uint16_t, PPM_EVENT_MAX> syscall_by_id_;
 };
 
 }  // namespace collector

diff --git a/sysdig/src b/sysdig/src