new(modern_bpf): add support for open family syscalls

[Andreagit97]

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area driver-modern-bpf

/area libpman

/area tests

Does this PR require a change in the driver versions?

What this PR does / why we need it:

This PR is part of a series #513, the final aim is to support the most important syscalls also in the new probe. This PR introduces:

• open
• openat
• openat2
• open_by_handle_at

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new(modern_bpf): add support for `open` family syscalls

[Andreagit97]

Still asking myself if it makes sense to assert these parameters also in the failure case... On one side we ensure that also in case of failure we have all the correct parameters, but right now the bpf code is shared apart from the return value which is obviously different in case of failure. It is quite redundant but it could be useful if we change something on the bpf side 🤔 WDYT? (Same for other syscalls where we have more than one test)

[FedeDP]

I think it is a great thing to test also failure cases, therefore big 👍 from me (even if it will increase verbosity...)

[Andreagit97]

Also here, this could be checked just in one test, it is not necessary to have it in all tests for this event... WDYT?

[gnosek]

If the tests can be self-sufficient, all the better IMHO.

[poiana]

@hbrueckner: changing LGTM is restricted to collaborators

In response to this:

Hi @Andreagit97 , excellent work!

Just tried c4f28b854 and all tests on s390 passed (running w/o mount-point :)

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gnosek]

Nice 👍 Some minor nits only

[gnosek]

If the tests can be self-sufficient, all the better IMHO.

[Andreagit97]

@FedeDP @hbrueckner sorry if bother you again but maybe I found a solution for the mount points, I took inspiration from the original kernel function obviously we cannot reproduce it in the same way :( Let me know if it looks good for you! I've tested it on ARM64 and x86 and all work smooth :)

[hbrueckner]

Hi @Andreagit97

I've tested it on ARM64 and x86 and all work smooth :)

Will try it this afternoon on s390 and will review you patches as well... ttyl then

Here are my test results on s390x:

# (cd /tmp/ && /root/git/falcosecurity/libs/build/test/modern_bpf/bpf_test)
[...]
[----------] Global test environment tear-down
[==========] 14 tests from 2 test suites ran. (0 ms total)
[  PASSED  ] 14 tests.

Running directly in /tmp worked fine. Running it locally it failed as well as in this scenario:

# mkdir /tmp/failing-test
(cd /tmp/failing-test && /root/git/falcosecurity/libs/build/test/modern_bpf/bpf_test)
[...]
[ RUN      ] SyscallExit.open_by_handle_atX_success
/root/git/falcosecurity/libs/test/modern_bpf/event_class/event_class.cpp:265: Failure
Expected equality of these values:
  size
    Which is: 44
  expected_size
    Which is: 18
>>>>> length of the param is not correct. Param id = 4

/root/git/falcosecurity/libs/test/modern_bpf/event_class/event_class.cpp:240: Failure
Expected equality of these values:
  m_event_params[m_current_param].valptr
    Which is: "///////////////////////////////failing-test"
  param
    Which is: "/tmp/failing-test"
>>>>> value of the param is not correct. Param id = 4

[  FAILED  ] SyscallExit.open_by_handle_atX_success (0 ms)

Some good news are that I could isolate this issue by creating an additional test that creates a temporary mount point in /tmp:

[ RUN      ] SyscallExit.open_by_handle_atX_success_mp
/root/git/falcosecurity/libs/test/modern_bpf/event_class/event_class.cpp:265: Failure
Expected equality of these values:
  size
    Which is: 79
  expected_size
    Which is: 53
>>>>> length of the param is not correct. Param id = 4

/root/git/falcosecurity/libs/test/modern_bpf/event_class/event_class.cpp:240: Failure
Expected equality of these values:
  m_event_params[m_current_param].valptr
    Which is: "///////////////////////////////modern.bpf.open_by_handle_atX_success_mp.EDysfg"
  param
    Which is: "/tmp/modern.bpf.open_by_handle_atX_success_mp.EDysfg"
>>>>> value of the param is not correct. Param id = 4

[  FAILED  ] SyscallExit.open_by_handle_atX_success_mp (2 ms)

See update(modern_bpf): add open_by_handle_at mount point test and feel free to try it out or cherry-pick.

[jasondellaluce]

This is fantastic Andrea!

[FedeDP]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 6f8f0331e57bb342b41e3eaa70b8f13a75b6fc7a

[FedeDP]

Agree!

[hbrueckner]

Hi @Andreagit97 ,

I have tried with 12 which seems to have exactly 1 insn over the limit: BPF program is too large. Processed 1000001 insn processed 1000001 insns (limit 1000000) max_states_per_insn 17 total_states 36063 peak_states 185 mark_rea

Same here, 11 is ok, but to be honest I wouldn't push it to the limit, if we change a line there is the risk to break everything :/

Make sense.

Yeah, @hbrueckner I left a comment in the PR for the bpf_d_path helper (https://github.com/falcosecurity/libs/pull/503/files#diff-23e1e00c90562960e7e4110fcc5c62cd89d2ea8a8df3198d7c04512084c7c378R292-R299) and yes we can ask why this helper has been limited to this particular set of kernel functions :/

Thanks a lot!
@iii-i Could you help with the related kernel changes for bpf_d_path()?

@gnosek the problem is that we need also to change the bpf code according to the architecture, change the #define is not enough... maybe we can use a different version of the helper for the specific architecture but I would do it in another PR not here since this one is blocking all the following work.

That's true.. I have (not yet tested) version of the "workaround commit" excluding s390x: f30d50ed703

Just to summarize I would keep this version with max path components 8, I would add a comment to explain the choice, and going on we can think of something better to address it without blocking other PRs. Do you agree with me @FedeDP @hbrueckner @gnosek?

Agreed! And I think it is best to track it separately not holding back your pending other PRs. Thanks a lot!

[gnosek]

I'll admit I don't understand why we need different code for s390x, so I just defer to the smarter people in the room ;)

[Andreagit97]

I left all the commits just to keep the history of our choices and I've done what we agreed! Now we should be ready 🚀

Don't worry @gnosek i will open another PR/issue to explain better what is going on here and how we could solve it :)

[FedeDP]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 076dc95a6e41f9639ddb387283eebaa02afbdcef

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, hbrueckner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,FedeDP]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[iii-i]

Here is a relevant thread where people discuss the first attempt to upstream a d_path() BPF helper: https://lore.kernel.org/bpf/cover.1574162990.git.ethercflow@gmail.com/

Apparently d_path() takes a bunch of locks and we need to be sure calling it doesn't cause deadlocks. Furthermore, calling it from an interrupt context will produce nonsensical results (since it accesses current). Finally, there are some TOCTOU concerns when it's applied for security checks.

[hbrueckner]

Hi @Andreagit97 , @FedeDP

Also, the CI job build-and-test-modern-bpf-x86 is successful, uhm, really strange thinking It would be amazing to have a CI job also for ARM64 and s390x, but we need external runners for doing this since GH doesn't support these architectures :/

Quick update on the some progress for self-hosted runner support on s390x. @uweigand just opened an issue and draft PR to start the discussion: actions/runner#2263

[FedeDP]

This is crazy! Thank you very much for your effort :)
Thanks @uweigand too!

[Andreagit97]

Thank you very much, guys!!