perf: Use kprobe for dup,dup2,dup3,socket_dup

aquasecurity · yanivagman · Aug 22, 2024 · Aug 18, 2024 · Aug 19, 2024 · Aug 18, 2024
commit 642f3f4212645efc98f7317c2599e203e93e46fd
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -362,6 +362,9 @@ int trace_sys_exit(struct bpf_raw_tracepoint_args *ctx)
 TRACE_SYSCALL(ptrace, SYSCALL_PTRACE)
 TRACE_SYSCALL(process_vm_writev, SYSCALL_PROCESS_VM_WRITEV)
 TRACE_SYSCALL(arch_prctl, SYSCALL_ARCH_PRCTL)
+TRACE_SYSCALL(dup, SYSCALL_DUP)
+TRACE_SYSCALL(dup2, SYSCALL_DUP2)
+TRACE_SYSCALL(dup3, SYSCALL_DUP3)
 
 SEC("raw_tracepoint/sys_execve")
 int syscall__execve_enter(void *ctx)
@@ -536,7 +539,7 @@ statfunc int send_socket_dup(program_data_t *p, u64 oldfd, u64 newfd)
     return events_perf_submit(p, 0);
 }
 
-SEC("raw_tracepoint/sys_dup")
+SEC("kprobe/sys_dup")
 int sys_dup_exit_tail(void *ctx)
 {
     program_data_t p = {};

diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go
@@ -230,6 +230,12 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 		ProcessVmWritevRet:         NewTraceProbe(SyscallExit, "process_vm_writev", "trace_ret_process_vm_writev"),
 		ArchPrctl:                  NewTraceProbe(SyscallEnter, "arch_prctl", "trace_arch_prctl"),
 		ArchPrctlRet:               NewTraceProbe(SyscallExit, "arch_prctl", "trace_ret_arch_prctl"),
+		Dup:                        NewTraceProbe(SyscallEnter, "dup", "trace_dup"),
+		DupRet:                     NewTraceProbe(SyscallExit, "dup", "trace_ret_dup"),
+		Dup2:                       NewTraceProbe(SyscallEnter, "dup2", "trace_dup2"),
+		Dup2Ret:                    NewTraceProbe(SyscallExit, "dup2", "trace_ret_dup2"),
+		Dup3:                       NewTraceProbe(SyscallEnter, "dup3", "trace_dup3"),
+		Dup3Ret:                    NewTraceProbe(SyscallExit, "dup3", "trace_ret_dup3"),
 
 		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
 		ExecTest:            NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),

diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go
@@ -156,6 +156,12 @@ const (
 	ProcessVmWritevRet
 	ArchPrctl
 	ArchPrctlRet
+	Dup
+	DupRet
+	Dup2
+	Dup2Ret
+	Dup3
+	Dup3Ret
 )
 
 // Test probe handles

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -1006,14 +1006,8 @@ var CoreEvents = map[ID]Definition{
 		},
 		dependencies: Dependencies{
 			probes: []Probe{
-				{handle: probes.SyscallEnter__Internal, required: true},
-				{handle: probes.SyscallExit__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Dup)}},
-				{"sys_enter_submit_tail", "sys_enter_submit", []uint32{uint32(Dup)}},
-				{"sys_exit_init_tail", "sys_exit_init", []uint32{uint32(Dup)}},
-				{"sys_exit_submit_tail", "sys_exit_submit", []uint32{uint32(Dup)}},
+				{handle: probes.Dup, required: true},
+				{handle: probes.DupRet, required: true},
 			},
 		},
 	},
@@ -1030,14 +1024,8 @@ var CoreEvents = map[ID]Definition{
 		},
 		dependencies: Dependencies{
 			probes: []Probe{
-				{handle: probes.SyscallEnter__Internal, required: true},
-				{handle: probes.SyscallExit__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Dup2)}},
-				{"sys_enter_submit_tail", "sys_enter_submit", []uint32{uint32(Dup2)}},
-				{"sys_exit_init_tail", "sys_exit_init", []uint32{uint32(Dup2)}},
-				{"sys_exit_submit_tail", "sys_exit_submit", []uint32{uint32(Dup2)}},
+				{handle: probes.Dup2, required: true},
+				{handle: probes.Dup2Ret, required: true},
 			},
 		},
 	},
@@ -7325,14 +7313,8 @@ var CoreEvents = map[ID]Definition{
 		},
 		dependencies: Dependencies{
 			probes: []Probe{
-				{handle: probes.SyscallEnter__Internal, required: true},
-				{handle: probes.SyscallExit__Internal, required: true},
-			},
-			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Dup3)}},
-				{"sys_enter_submit_tail", "sys_enter_submit", []uint32{uint32(Dup3)}},
-				{"sys_exit_init_tail", "sys_exit_init", []uint32{uint32(Dup3)}},
-				{"sys_exit_submit_tail", "sys_exit_submit", []uint32{uint32(Dup3)}},
+				{handle: probes.Dup3, required: true},
+				{handle: probes.Dup3Ret, required: true},
 			},
 		},
 	},
@@ -11884,13 +11866,15 @@ var CoreEvents = map[ID]Definition{
 		version: NewVersion(1, 0, 0),
 		dependencies: Dependencies{
 			probes: []Probe{
-				{handle: probes.SyscallEnter__Internal, required: true},
-				{handle: probes.SyscallExit__Internal, required: true},
+				{handle: probes.Dup, required: true},
+				{handle: probes.DupRet, required: true},
+				{handle: probes.Dup2, required: false},
+				{handle: probes.Dup2Ret, required: false},
+				{handle: probes.Dup3, required: true},
+				{handle: probes.Dup3Ret, required: true},
 			},
 			tailCalls: []TailCall{
-				{"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}},
-				{"sys_exit_init_tail", "sys_exit_init", []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}},
-				{"sys_exit_tails", "sys_dup_exit_tail", []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}},
+				{"generic_sys_exit_tails", "sys_dup_exit_tail", []uint32{uint32(Dup), uint32(Dup2), uint32(Dup3)}},
 			},
 		},
 		sets: []string{},