8000 fix(pipeline): add ebpf caps in stack addres query by NDStrahilevitz · Pull Request #4169 · aquasecurity/tracee · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix(pipeline): add ebpf caps in stack addres query #4169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 3, 2024
Merged

fix(pipeline): add ebpf caps in stack addres query #4169

merged 2 commits into from
Jul 3, 2024

Conversation

NDStrahilevitz
Copy link
Collaborator

1. Explain what the PR does

36f4eb1 fix(pipeline): add ebpf caps in stack addres query

2. Explain how to test it

  1. tracee -o option:stack-addresses -o json
  2. Confirm stack addresses field is filled with a non-empty array

3. Other comments

Fix #3964

@NDStrahilevitz NDStrahilevitz self-assigned this Jul 3, 2024
geyslan
geyslan reviewed Jul 3, 2024
View reviewed changes
geyslan
geyslan approved these changes Jul 3, 2024
View reviewed changes
Copy link
Member
@geyslan geyslan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Put only some doubts.

oshaked1
oshaked1 approved these changes Jul 3, 2024
View reviewed changes
Copy link
Contributor
@oshaked1 oshaked1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@NDStrahilevitz @geyslan
Update pkg/ebpf/events_pipeline.go
510648b 
Co-authored-by: Geyslan Gregório <geyslan@gmail.com>
@NDStrahilevitz NDStrahilevitz merged commit 499c05b into aquasecurity:main Jul 3, 2024
32 checks passed
@yanivagman
Copy link
Collaborator

This change may have a serious impact on performance if stack-addresses is selected.
Now on every event it will be required to change the capabilities of the tracee process, meaning performing a syscall and context switch to kernel.
I think a better approach is to set the required capbility for the entire run in case stack-addresses was selected.

@NDStrahilevitz
Copy link
Collaborator Author

This change may have a serious impact on performance if stack-addresses is selected. Now on every event it will be required to change the capabilities of the tracee process, meaning performing a syscall and context switch to kernel. I think a better approach is to set the required capbility 8000 for the entire run in case stack-addresses was selected.

You're right, this wasn't taken into consideration. This is a hotpath so we should likely revert it until we solve it in a better way (probably the one you've suggested).

@geyslan
Copy link
Member
geyslan commented Jul 4, 2024

This is a hotpath so we should likely revert it until we solve it in a better way (probably the one you've suggested).

Perhaps not reverting, I think we should just move the cap setting to entire execution when the option is selected. I doubt we can run from this without further design.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geyslan geyslan geyslan approved these changes

@oshaked1 oshaked1 oshaked1 approved these changes

Assignees

@NDStrahilevitz NDStrahilevitz

Labels
area/ebpf kind/bug milestone/v0.22.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Missing capability for option:stack-addresses
4 participants
@NDStrahilevitz @yanivagman @geyslan @oshaked1
0