
Options For Redesign of BPF Message Structs - One potential way #36


Description

@jrmwooldridge

The current struct data_t has quite a few problems: it is fairly primitive, disorganized, and wasn't designed for expansion.

  • Make structures carry fewer unused bytes
  • Allow event contexts to be expandable
  • Investigate struct alignments and potential padding issues.

Ideally, the simplest approach would be to split the struct data_t union into multiple structs based on the event context objects or event types.

// BPF message unique identifier.
// Common header placed first in every event message so user space can
// dispatch on `event` before it knows the payload type.
// Field bytes are 8 + 4 + 1 + 1 = 14; with uint64_t forcing 8-byte
// alignment, sizeof is presumably 16 on the usual 64-bit ABIs, i.e.
// 2 bytes of tail padding — confirm with sizeof / pahole.
// NOTE(review): those padding bytes are never written by field
// assignment. A message built on the stack and handed to perf_submit
// should be zero-initialised as a whole (as the `= {}` in the sketch
// below does) so the padding carries no leftover stack contents to
// user space.
struct msg_hdr_ctx {
    uint64_t   ts;      // timestamp of the event
    uint32_t   tid;     // thread id the event was raised on
    uint8_t     event;  // event type discriminator for the payload
    uint8_t     flags;  // per-message flag bits (meaning not defined here)
};

// Inode + device pair identifying a file.
// 8 + 4 = 12 bytes of fields; presumably padded to 16 because of the
// uint64_t — confirm with sizeof. When embedded, that padding is part
// of what gets copied to user space, so zero-fill the enclosing message.
struct ino_dev {
    uint64_t ino;   // inode number
    uint32_t dev;   // device number the inode lives on
};

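// Per-task context shared by process-related events.
// Embeds msg_hdr_ctx anonymously so its fields (ts, tid, event, flags)
// are accessible directly on the enclosing message.
// NOTE(review): anonymous embedding of a *tagged* struct
// (`struct msg_hdr_ctx;`) is a GCC/Clang extension (-fms-extensions);
// plain C11 only allows anonymous members declared as `struct { ... };`.
// Confirm the BPF toolchain build flags allow it.
struct task_ctx_msg {
     struct msg_hdr_ctx; // embed hdr
     uint32_t tgid;      // thread-group (process) id
     uint32_t ppid;      // parent process id
     uint32_t mnt_ns;    // mount namespace id
     // Executable of the task; type name fixed to match the struct
     // defined above (the sketch previously wrote `inode_dev`).
     struct ino_dev exe;

//    ... Maybe include pid namespace values of pids
};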

// Change this to handle BTF filepaths
// when BTF d_path enabled.
// Fixed-size path carrier: 2 + 255 = 257 bytes of fields, presumably
// 258 after 2-byte alignment — confirm with sizeof.
// NOTE(review): `len` is signed. Any consumer that indexes `buf` by
// `len` (in BPF or in user space) must reject values < 0 and
// > sizeof buf before use; a length from a string-read helper should
// be checked the same way rather than trusted.
struct pathbuf {
    int16_t len; // Probably helpful for `bpf_read_str`
     char buf[255]; // path bytes; not guaranteed NUL-terminated at full length
};

// roughly 272 bytes
// NOTE(review): with a 16-byte header and a 258-byte pathbuf this is
// 274 bytes of fields, presumably rounded up to 280 by the header's
// 8-byte alignment — confirm with sizeof before sizing the perf buffer.
// Standalone path message: header plus one path buffer, sent separately
// from the event entry so the entry itself stays small.
struct filepath_ctx {
    struct msg_hdr_ctx;     // embedded header (ts, tid, event, flags)
    struct pathbuf dname;   // path for the object the event refers to
};

// Payload for the security_file_open event.
// The anonymous ino_dev supplies `ino`/`dev` for the file being opened;
// the task's own executable is still reachable as `exe.ino` / `exe.dev`
// through the embedded task_ctx_msg, so the names do not collide.
struct file_open_ctx {
    struct task_ctx_msg;    // task context + embedded message header
    struct ino_dev;         // inode/device of the opened file
    uint64_t fmode;         // open mode flags (source not defined here)
};

// Example new usage that would make total BPF message payload
// 255 bytes and the 

// Sketch of the hook body for security_file_open.
// Idea: reserve one stack object sized for the largest message variant,
// emit the small entry first, then reuse the same storage for the path
// message. The `...` lines are elided detail, not real code.
// NOTE(review): `ctx` is used below but is not a parameter of this
// sketch — the real hook signature must supply it.
int on_security_file_open(struct file *file)
{
   // Union so one stack allocation covers both message shapes.
   // NOTE(review): identifiers beginning with `__` are reserved for the
   // implementation in C; a project prefix would be safer.
   struct __file_open_ctx_max {
       union {
            struct file_open_ctx entry;
            struct filepath_ctx path; // roughly send 272 max bytes but less with bpf_read_str enabled distros
       };
    };
    // Zero-filled on purpose: every byte (including struct padding) of
    // this object can end up in a perf record, and the BPF verifier
    // also rejects reads of uninitialised stack. `= {}` is a GNU/C23
    // form; `= {0}` is the C11 spelling if the toolchain complains.
    struct __file_open_ctx_max blob = {};
    struct file_open_ctx *entry = &blob.entry;
    // Fill in hdr
   
    // Fill in file open ctx data
    ...
    // Submit event context
    // Only sizeof(*entry) bytes go out here, not the whole union.
    perf_submit(ctx, entry, sizeof(*entry));

    ...
    // Provide do_file_path with max payload sized buffer
    // 
    // `path` aliases `entry` in the union; the entry has already been
    // submitted above, so overwriting it here is intentional.
    __do_file_path(ctx, &blob.path, file);
   ...
}

// Raw exec argument bytes.
// `<perf buffer maxpayload>` is a placeholder for the real bound, to be
// replaced by a named constant tied to the perf buffer's maximum payload.
// NOTE(review): `len` is signed here too — consumers must range-check it
// against sizeof buf before using it as a length.
struct raw_exe_args {
    int16_t len;    // number of valid bytes in buf
    uint8_t buf[<perf buffer maxpayload>];  // argv bytes, bounded by the payload limit
};

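// Payload for the clone/fork entry event: the new task's context plus
// a copy of the parent's context.
// task_ctx_msg already embeds msg_hdr_ctx, so the header is NOT embedded
// a second time here — with anonymous-struct embedding both copies would
// put `ts`, `tid`, `event` and `flags` in this scope and the compiler
// would reject them as duplicate members.
// NOTE(review): `parent` carries its own msg_hdr_ctx (ts/tid/event/flags)
// that is redundant with the outer header; a header-less task struct
// would trim those bytes if message size matters.
struct clone_entry_ctx {
    struct task_ctx_msg;            // child task context + message header
    struct task_ctx_msg parent;     // parent task context
};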

// Payload for the exec entry event.
// Currently identical in layout to clone_entry_ctx; kept as a separate
// type so the two events can diverge later without changing callers.
struct exec_entry_ctx {
    struct clone_entry_ctx;     // task + parent context, with header
};

// Payload for the exec event once the file being executed is known.
// NOTE(review): task_ctx_msg, reached anonymously through
// exec_entry_ctx -> clone_entry_ctx, already declares a member named
// `exe`. With anonymous embedding that name is in this struct's scope,
// so the second `exe` below is expected to be rejected as a duplicate
// member — rename one of them (e.g. the executed file vs. the task's
// current executable) to make the intent explicit.
struct exec_file_ctx {
    struct exec_entry_ctx;  // task + parent context, with header
    struct ino_dev exe;     // inode/device of the file being executed
};

...
