new: add setre*id syscall family #1871

Merged: 5 commits, Jun 25, 2024

Conversation

therealbobo (Contributor)

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Please double check driver/API_VERSION file. See versioning.

/hold


FedeDP commented May 17, 2024

/milestone next-driver

poiana added this to the next-driver milestone (May 17, 2024)
therealbobo force-pushed the add-missing-parsers branch from df8f2aa to ec22f2e (June 19, 2024 10:13)
Review comment on driver/event_table.c (outdated, resolved)
therealbobo force-pushed the add-missing-parsers branch from ec22f2e to ffe53cb (June 21, 2024 08:39)

Perf diff from master - unit tests

    12.80%     -1.78%  [.] sinsp_parser::reset
     0.67%     +1.37%  [.] scap_event_decode_params
     4.01%     -1.07%  [.] sinsp_thread_manager::get_thread_ref
     4.14%     +0.98%  [.] sinsp_parser::process_event
     4.21%     -0.86%  [.] gzfile_read
     9.09%     -0.73%  [.] sinsp_thread_manager::find_thread
     7.02%     +0.60%  [.] next
     2.34%     -0.59%  [.] libsinsp::sinsp_suppress::process_event
     0.54%     +0.58%  [.] sinsp_utils::concatenate_paths[abi:cxx11]
     1.01%     -0.56%  [.] sinsp_threadinfo::~sinsp_threadinfo

Perf diff from master - scap file

    15.88%     -6.35%  [.] libsinsp::runc::match_container_id
    11.85%     -5.91%  [.] gzfile_read
     4.10%     +3.94%  [.] sinsp_filter_check::tostring
    11.86%     -3.46%  [.] sinsp_filter_check_thread::extract_single
     8.08%     -3.11%  [.] sinsp_filter_check::rawval_to_string
    16.08%     +2.53%  [.] sinsp_filter_check::extract
    11.77%     +0.93%  [.] sinsp_evt_formatter::tostring_withformat
     4.09%     -0.81%  [.] std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, libsinsp::state::dynamic_struct::field_info>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, libsinsp::state::dynamic_struct::field_info> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::find
    12.22%     +0.69%  [.] sinsp_filter_check_event::extract_single
     4.09%     -0.51%  [.] sinsp_parser::process_event

Andreagit97 (Member) left a review comment:

Amazing job, thank you!

Review comment on driver/syscall_table.c (outdated, resolved)
Review comment on userspace/libsinsp/parsers.cpp (outdated, resolved)
Review comment on userspace/libsinsp/parsers.cpp, at these lines:

    if(new_euid < std::numeric_limits<uint32_t>::max())
    {
        if (evt->get_thread_info()) {
            evt->get_thread_info()->set_user(new_euid);
A Member commented on this line:

This is not related to this PR.
Looking inside set_user code, why are we copying all the user info inside each thread info? wouldn't it be better to just save a shared pointer to a user struct with all the info? Is there a particular reason why we are doing this? @FedeDP

A Contributor replied:

Yes, that's because if a process foo is started as user pippo but then user pippo is removed from the system (while the process runs), we should still be able to tell that process foo has user pippo even if it no longer exists, since that is the user it was started by.

The Contributor added:

Now that I think about it, perhaps a shared_ptr would do the trick too!

The Member replied:

Yep, the user info should be available until the last thread using it is dead.
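The `new_euid < std::numeric_limits<uint32_t>::max()` check in the snippet under review exists because the setre*id(2) family uses (uid_t)-1 to mean "leave this id as it is", which a 32-bit id parameter carries as UINT32_MAX. The block below is an added example, not code from this PR or from libsinsp, showing how a credential tracker should consume a setresuid/setresgid or setreuid/setregid exit event: apply nothing unless the return value is 0, honour the -1 sentinel per id, and, for the two-argument variants, follow the saved-id rule documented in setreuid(2). The `cred_triple` record, the `apply_*` functions and the `gained_root` flag are hypothetical names chosen for the example; the scenario values are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Sentinel the setre*id(2) family uses for "leave this id unchanged": the
// caller passes (uid_t)-1, which a 32-bit id field carries as UINT32_MAX.
constexpr uint32_t ID_UNCHANGED = std::numeric_limits<uint32_t>::max();

// Real / effective / saved id triple. Hypothetical record kept for this
// example; it is not libsinsp's sinsp_threadinfo.
struct cred_triple {
    uint32_t real;
    uint32_t effective;
    uint32_t saved;
};

// What applying one exit event did to the tracked triple.
struct apply_result {
    bool applied;      // retval was 0, so the kernel accepted the change
    bool gained_root;  // effective id moved from non-zero to 0
};

static void set_unless_unchanged(uint32_t& field, uint32_t value) {
    if (value != ID_UNCHANGED) {
        field = value;
    }
}

// setresuid(2)/setresgid(2) exit: each of the three ids is replaced only
// when the caller did not pass -1, and nothing is applied on a failed call.
apply_result apply_setres_exit(cred_triple& t, int64_t retval,
                               uint32_t real, uint32_t effective, uint32_t saved) {
    if (retval != 0) {
        return {false, false};
    }
    const uint32_t old_effective = t.effective;
    set_unless_unchanged(t.real, real);
    set_unless_unchanged(t.effective, effective);
    set_unless_unchanged(t.saved, saved);
    return {true, old_effective != 0 && t.effective == 0};
}

// setreuid(2)/setregid(2) exit. Besides the -1 rule, Linux sets the saved id
// to the new effective id when the real id is set, or when the effective id
// is set to a value different from the previous real id (setreuid(2) manual).
apply_result apply_setre_exit(cred_triple& t, int64_t retval,
                              uint32_t real, uint32_t effective) {
    if (retval != 0) {
        return {false, false};
    }
    const uint32_t old_real = t.real;
    const uint32_t old_effective = t.effective;
    set_unless_unchanged(t.real, real);
    set_unless_unchanged(t.effective, effective);
    if (real != ID_UNCHANGED || (effective != ID_UNCHANGED && effective != old_real)) {
        t.saved = t.effective;
    }
    return {true, old_effective != 0 && t.effective == 0};
}

int main() {
    // Constructed scenario: a setuid-root helper that temporarily dropped to
    // uid 1000 (real 0, effective 1000, saved 0) and now regains root with
    // setresuid(-1, 0, -1). Only the saved id makes this possible, which is
    // why a tracker that keeps just the effective id misses the regain.
    cred_triple uid{0, 1000, 0};
    apply_result r = apply_setres_exit(uid, 0, ID_UNCHANGED, 0, ID_UNCHANGED);
    std::printf("setresuid(-1,0,-1): applied=%d gained_root=%d euid=%u\n",
                r.applied, r.gained_root, uid.effective);

    // A rejected call (retval -1) must leave the tracked state untouched.
    r = apply_setres_exit(uid, -1, 1000, 1000, 1000);
    std::printf("failed setresuid: applied=%d euid=%u\n", r.applied, uid.effective);
    return 0;
}
```

The `gained_root` flag is the kind of signal a detection rule wants from these parsers: a process whose effective id returns to 0 after having been non-zero. Treating the sentinel as a real id would instead record a change to user 4294967295, and applying the parameters on a failed call would record a privilege change the kernel never made.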

Review comment on userspace/libsinsp/parsers.cpp (outdated, resolved)
therealbobo force-pushed the add-missing-parsers branch from ffe53cb to f093284 (June 21, 2024 10:03)

Perf diff from master - unit tests

     2.00%     +1.44%  [.] sinsp_parser::event_cleanup
     7.03%     -1.42%  [.] next
    12.81%     -1.17%  [.] sinsp_parser::reset
     0.67%     +1.03%  [.] scap_event_decode_params
     9.10%     -0.89%  [.] sinsp_thread_manager::find_thread
     0.40%     +0.85%  [.] sinsp_threadinfo::get_fd
     0.87%     -0.63%  [.] sinsp_parser::parse_rw_exit
     0.86%     -0.62%  [.] sinsp_container_manager::resolve_container
     0.88%     -0.55%  [.] sinsp_filter_check::parse_field_name
     0.54%     +0.53%  [.] scap_event_encode_params_v

Perf diff from master - scap file

    16.14%     +6.29%  [.] sinsp_filter_check::extract
    11.81%     +6.23%  [.] sinsp_evt_formatter::tostring_withformat
    15.93%     -5.25%  [.] libsinsp::runc::match_container_id
    11.90%     -5.15%  [.] sinsp_filter_check_thread::extract_single
     3.99%     +3.01%  [.] sinsp_evt::get_param_as_str
     4.08%     +2.95%  [.] get_event
    11.89%     -2.52%  [.] gzfile_read
     8.10%     -2.49%  [.] sinsp_filter_check::rawval_to_string
     3.83%     +0.29%  [.] sinsp_utils::ts_to_string
     4.10%     +0.14%  [.] sinsp_parser::process_event

therealbobo force-pushed the add-missing-parsers branch from f093284 to a7fbbc8 (June 21, 2024 10:33)

Perf diff from master - unit tests

     0.67%     +1.25%  [.] scap_event_decode_params
     9.05%     -1.24%  [.] sinsp_thread_manager::find_thread
     8.07%     -0.94%  [.] sinsp::next
     4.20%     +0.69%  [.] gzfile_read
     0.87%     -0.58%  [.] sinsp_filter_check::parse_field_name
     0.87%     -0.56%  [.] sinsp_parser::parse_rw_exit
     3.58%     -0.50%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release
     2.33%     -0.44%  [.] libsinsp::sinsp_suppress::process_event
     1.00%     +0.44%  [.] scap_next
     2.13%     +0.44%  [.] sinsp::fetch_next_event

Perf diff from master - scap file

    19.67%     +5.89%  [.] sinsp_evt_formatter::tostring_withformat
     6.85%     +4.04%  [.] sinsp_filter_check::tostring
    26.88%     +2.85%  [.] sinsp_filter_check::extract
    20.43%     -1.30%  [.] sinsp_filter_check_event::extract_single
     6.38%     +0.91%  [.] sinsp_utils::ts_to_string
     6.19%     +0.89%  [.] libsinsp::container_engine::bpm::resolve
     6.75%     +0.69%  [.] sinsp_thread_manager::get_thread_ref
     6.84%     +0.67%  [.] sinsp_parser::process_event

Andreagit97 (Member) left a review comment:

Thank you! It would be great to add a bunch of userspace tests for these new parsers (https://github.com/falcosecurity/libs/tree/master/userspace/libsinsp/test/parsers), just to check we are doing the right thing.

therealbobo force-pushed the add-missing-parsers branch from a7fbbc8 to bb9f9ff (June 24, 2024 15:09)
poiana added the size/XXL label and removed the size/XL label (Jun 24, 2024)
therealbobo force-pushed the add-missing-parsers branch from bb9f9ff to c0a45c2 (June 24, 2024 15:12)

Perf diff from master - unit tests

    12.88%     -2.31%  [.] sinsp_parser::reset
     4.17%     +1.80%  [.] sinsp_parser::process_event
     9.15%     -1.33%  [.] sinsp_thread_manager::find_thread
     2.36%     -1.32%  [.] libsinsp::sinsp_suppress::process_event
     0.67%     +1.04%  [.] scap_event_decode_params
     0.54%     +1.03%  [.] scap_event_encode_params_v
     3.62%     -0.83%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release
     4.24%     -0.72%  [.] gzfile_read
     0.79%     +0.57%  [.] 0x00000000000e2a14
     0.88%     -0.54%  [.] sinsp_filter_check::parse_field_name

Perf diff from master - scap file

    15.23%     -8.49%  [.] libsinsp::runc::match_container_id
    11.65%     -6.13%  [.] sinsp::next
    15.43%     +3.74%  [.] sinsp_filter_check::extract
    11.38%     -3.69%  [.] sinsp_filter_check_thread::extract_single
    11.29%     +2.60%  [.] sinsp_evt_formatter::tostring_withformat
    11.73%     -1.92%  [.] sinsp_filter_check_event::extract_single
     3.88%     +1.47%  [.] sinsp_thread_manager::get_thread_ref
     3.93%     +1.45%  [.] sinsp_parser::reset
     3.93%     +1.45%  [.] sinsp_filter_check::tostring
     7.75%     -1.21%  [.] sinsp_filter_check::rawval_to_string

Andreagit97 (Member) left a review comment:

/approve


poiana commented Jun 25, 2024

LGTM label has been added.

Git tree hash: ca3c6dc541927fb5b23c34b0435d4481c3a079e7

FedeDP (Contributor) left a review comment:

/approve


poiana commented Jun 25, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, therealbobo



FedeDP commented Jun 25, 2024

/unhold

poiana merged commit 1a7aeba into falcosecurity:master (Jun 25, 2024)
53 checks passed
4 participants