Stack traces: add stack trace pseudo event

oshaked1 · oshaked1 · commit 920ded7dcbcc · 2025-02-02T11:21:43.000+02:00
This event allows the user to control which events stack traces should be produced for (via a parameter) and in which scopes.
The list of events that stack traces should be produced for is populated in a BPF map to be used later.
diff --git a/pkg/ebpf/c/stack_unwind/maps.h b/pkg/ebpf/c/stack_unwind/maps.h
@@ -0,0 +1,13 @@
+#ifndef __STACK_UNWIND_MAPS_H__
+#define __STACK_UNWIND_MAPS_H__
+
+#include <maps.h>
+
+struct stack_unwind_enabled_events {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __uint(max_entries, MAX_EVENT_ID);
+    __type(key, u32);
+    __type(value, u32);
+} su_enabled_evts SEC(".maps");
+
+#endif /* __STACK_UNWIND_MAPS_H__ */
diff --git a/pkg/ebpf/c/stack_unwind/unwind.h b/pkg/ebpf/c/stack_unwind/unwind.h
@@ -0,0 +1,11 @@
+#ifndef __STACK_UNWIND_H__
+#define __STACK_UNWIND_H__
+
+#include "maps.h"
+
+statfunc bool stack_trace_enabled_for_event(u32 event_id)
+{
+    return bpf_map_lookup_elem(&su_enabled_evts, &event_id) != NULL;
+}
+
+#endif /* __STACK_UNWIND_H__ */
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -39,6 +39,8 @@
 #include <common/probes.h>
 #include <common/signal.h>
 
+#include <stack_unwind/unwind.h>
+
 char LICENSE[] SEC("license") = "GPL";
 
 // trace/events/syscalls.h: TP_PROTO(struct pt_regs *regs, long id)
diff --git a/pkg/ebpf/event_parameters.go b/pkg/ebpf/event_parameters.go
@@ -18,6 +18,7 @@ type eventParameterHandler func(t *Tracee, eventParams []map[string]filters.Filt
 var eventParameterHandlers = map[events.ID]eventParameterHandler{
 	events.SuspiciousSyscallSource: prepareSuspiciousSyscallSource,
 	events.StackPivot:              prepareStackPivot,
+	events.StackTrace:              populateMapsStackTrace,
 }
 
 // handleEventParameters performs initialization actions according to event parameters,
@@ -157,3 +158,48 @@ func prepareSuspiciousSyscallSource(t *Tracee, eventParams []map[string]filters.
 func prepareStackPivot(t *Tracee, eventParams []map[string]filters.Filter[*filters.StringFilter]) error {
 	return registerSyscallChecker(t, eventParams, "syscall", "stack_pivot_syscalls")
 }
+
+func populateMapsStackTrace(t *Tracee, eventParams []map[string]filters.Filter[*filters.StringFilter]) error {
+	// Get events to produce stack traces for
+	selectedEvents := map[string]struct{}{}
+	for _, policyParams := range eventParams {
+		eventNamesParam, ok := policyParams["events"].(*filters.StringFilter)
+		if !ok {
+			return errfmt.Errorf("invalid argument name 'events'")
+		}
+		for _, eventName := range eventNamesParam.Equal() {
+			selectedEvents[eventName] = struct{}{}
+		}
+	}
+
+	// If "all" was specified, add all events to selectedEvents
+	if _, found := selectedEvents["all"]; found {
+		selectedEvents = make(map[string]struct{}, events.MaxCommonID)
+		for id := range events.MaxCommonID {
+			d := events.Core.GetDefinitionByID(id)
+			if d.Valid() {
+				selectedEvents[d.GetName()] = struct{}{}
+			}
+		}
+	}
+
+	logger.Debugw("stack traces are enabled", "selected events", selectedEvents)
+
+	// Update selected events map
+	eventsMap, err := t.bpfModule.GetMap("su_enabled_evts")
+	if err != nil {
+		return errfmt.Errorf("could not get BPF map 'su_enabled_evts': %v", err)
+	}
+	for event := range selectedEvents {
+		eventID, found := events.Core.GetDefinitionIDByName(event)
+		if !found {
+			return errfmt.Errorf("invalid event %s", event)
+		}
+		val := uint32(1)
+		if err = eventsMap.Update(unsafe.Pointer(&eventID), unsafe.Pointer(&val)); err != nil {
+			return errfmt.Errorf("failed updating stack unwind events map: %v", err)
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -116,6 +116,7 @@ const (
 	SecurityTaskSetrlimit
 	SecuritySettime64
 	ChmodCommon
+	StackTrace // stack trace pseudo event
 	MaxCommonID
 )
 
@@ -13094,6 +13095,20 @@ var CoreEvents = map[ID]Definition{
 			{Type: "unsigned long", Name: "vma_flags"},
 		},
 	},
+	// Stack trace pseudo event
+	// While this event is not internal (it needs to be selected by the user),
+	// it is never submitted to userspace.
+	// It's only used as a convenience method to select which events (and scopes)
+	// stack traces should be produced for and to manage its dependencies.
+	StackTrace: {
+		id:      StackTrace,
+		id32Bit: Sys32Undefined,
+		name:    "stack_trace",
+		version: NewVersion(1, 0, 0),
+		fields: []trace.ArgMeta{
+			{Type: "string", Name: "events"}, // pseudo field, only used as a parameter
+		},
+	},
 	//
 	// Begin of Signal Events (Control Plane)
 	//
diff --git a/pkg/events/definition.go b/pkg/events/definition.go
@@ -118,3 +118,7 @@ func (d Definition) GetProperties() map[string]interface{} {
 func (d Definition) NotValid() bool {
 	return d.id == Undefined || d.id == Unsupported
 }
+
+func (d Definition) Valid() bool {
+	return !d.NotValid()
+}

Original file line number	Diff line number	Diff line change
`@@ -118,3 +118,7 @@ func (d Definition) GetProperties() map[string]interface{} {`
`118`	`118`	`func (d Definition) NotValid() bool {`
`119`	`119`	`return d.id == Undefined \|\| d.id == Unsupported`
`120`	`120`	`}`
	`121`	`+`
	`122`	`+func (d Definition) Valid() bool {`
	`123`	`+ return !d.NotValid()`
	`124`	`+}`