Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(driver): fix dynamic snaplen logic (SCAP_FULLCAPTURE_PORT_RANGE and SCAP_STATSD_PORT) #2006

Merged

Conversation

Andreagit97
Copy link
Member

@Andreagit97 Andreagit97 commented Aug 14, 2024

What type of PR is this?

/kind bug

/kind cleanup

Any specific area of the project related to this PR?

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area tests

Does this PR require a change in the driver versions?

What this PR does / why we need it:

This PR tries to fix some dynamic snaplen logics (SCAP_FULLCAPTURE_PORT_RANGE and SCAP_STATSD_PORT). More in detail:

  • Rewrite the compute_snaplen logic for the legacy ebpf and kernel module. We now use the local kernel socket when available, if not, we fallback to the userspace structs.
  • Adapt the modern ebpf logic to other drivers.
  • write ~40 tests to assert this new logic for read,write,sendto,sendmsg,recvfrom,recvmsg

Which issue(s) this PR fixes:

Special notes for your reviewer:

The PR seems huge but apart from the snaplen rework there are only tests.

Working on this I noticed some other warring failures on the old drivers (legacy ebpf and kmod). They are now treated as skipped tests, but we need to fix them at a certain point. More in detail:

[  SKIPPED ] SyscallExit.recvmsgX_ipv4_tcp_message_shorter_than_snaplen

We are in the exit event and we rely on the sockaddr, more in detail on addrlen != 0, but in the exit tracepoint we will always obtain addrlen=0. I verified it with bpftrace, the kernel seems to clear the msg_namelen before returning from recvmsg

[  SKIPPED ] SyscallExit.recvmsgX_ipv4_tcp_NULL_sockaddr
[  SKIPPED ] SyscallExit.recvmsgX_ipv4_udp_NULL_sockaddr

Our code checks for if (usrsockaddr != NULL && addrlen != 0) so if the sockaddr is NULL we will send an empty tuple. In the modern ebpf we try to recover the info from the kernel if available, we should do the same thing...

[  SKIPPED ] SyscallEnter.connectE_INET
[  SKIPPED ] SyscallEnter.connectE_INET6
[  SKIPPED ] SyscallEnter.connectE_UNIX
[  SKIPPED ] SyscallEnter.connectE_UNIX_max_path

In case of negative fd (failure) in the enter event, we don't send sockaddr.

[  SKIPPED ] SyscallEnter.sendmsgE_ipv4_tcp_NULL_sockaddr
[  SKIPPED ] SyscallEnter.sendtoE_ipv4_tcp_NULL_sockaddr

We don't send the tuple if the sockaddr is NULL

The pain point is that to fix these we probably need to completely rewrite the tuple collection logic in the old drivers :/

Our userspace seems able to handle these missing data relying on previous data like the connect/accept once. But for sure here there is room for improvement. Again these issues are only related to the legacy ebpf and the kmod

Does this PR introduce a user-facing change?:

fix(driver): fix dynamic snaplen logic (SCAP_FULLCAPTURE_PORT_RANGE and SCAP_STATSD_PORT)

Copy link

github-actions bot commented Aug 14, 2024

Perf diff from master - unit tests

     7.97%     -1.77%  [.] sinsp_evt::get_type
     1.15%     +0.88%  [.] sinsp::fetch_next_event
    11.04%     -0.77%  [.] sinsp_parser::reset
     7.76%     -0.68%  [.] sinsp::next
     1.57%     +0.55%  [.] scap_event_decode_params
     0.73%     +0.53%  [.] std::_Hashtable<long, std::pair<long const, std::shared_ptr<sinsp_threadinfo> >, std::allocator<std::pair<long const, std::shared_ptr<sinsp_threadinfo> > >, std::__detail::_Select1st, std::equal_to<long>, std::hash<long>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::find
     4.22%     -0.51%  [.] sinsp_parser::process_event
     1.02%     +0.47%  [.] 0x00000000000e83d4
     0.37%     +0.46%  [.] scap_event_has_large_payload
     1.51%     +0.46%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release

Heap diff from master - unit tests

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Copy link

codecov bot commented Aug 14, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.21%. Comparing base (839efec) to head (10b7a96).
Report is 37 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2006      +/-   ##
==========================================
+ Coverage   74.14%   74.21%   +0.07%     
==========================================
  Files         253      253              
  Lines       30834    30845      +11     
  Branches     5404     5419      +15     
==========================================
+ Hits        22863    22893      +30     
- Misses       7946     7952       +6     
+ Partials       25        0      -25     
Flag Coverage Δ
libsinsp 74.21% <ø> (+0.07%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
fallback logic to extract remote port with UDP

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 Andreagit97 force-pushed the improve_fullport_range_detection branch from da541a6 to 8e5d1a8 Compare August 22, 2024 14:55
@poiana poiana added size/XXL and removed size/XL labels Aug 22, 2024
Copy link

Please double check driver/SCHEMA_VERSION file. See versioning.

/hold

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 Andreagit97 changed the title [WIP] Improve enrichment on UDP connections fix(driver): fix dynamic snaplen logic (SCAP_FULLCAPTURE_PORT_RANGE and SCAP_STATSD_PORT) Aug 26, 2024
@Andreagit97 Andreagit97 marked this pull request as ready for review August 26, 2024 13:28
@poiana poiana requested a review from incertum August 26, 2024 13:30
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
Copy link
Member Author

kernel testing results: https://github.com/falcosecurity/libs/actions/runs/10562104486/job/29259687424

x86

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-4.19 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2-5.10 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2023-6.1 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.0 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.7 🟢 🟢 🟢 🟢 🟢 🟢
centos-3.10 🟢 🟢 🟢 🟡 🟡 🟡
centos-4.18 🟢 🟢 🟢 🟢 🟢 🟢
centos-5.14 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.17 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.8 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-3.10 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-4.14 🟢 🟢 🟢 🟢 🟢 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-5.4 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-4.15 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-5.8 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

arm64

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-4.14 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

@FedeDP
Copy link
Contributor

FedeDP commented Aug 27, 2024

/milestone next-driver

@poiana poiana added this to the next-driver milestone Aug 27, 2024
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented Aug 27, 2024

LGTM label has been added.

Git tree hash: 2c14369473911ada817e3cc21efee1ebaf2598ad

@poiana
Copy link
Contributor

poiana commented Aug 27, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@FedeDP
Copy link
Contributor

FedeDP commented Aug 28, 2024

/unhold

@poiana poiana merged commit 02732d6 into falcosecurity:master Aug 28, 2024
53 of 58 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants