
Skip events for process and thread with PID in kernel

Open albe19029 opened this issue 1 year ago • 17 comments

When using the scap library it is not possible to skip events for the process that started monitoring. There is a logic with a suppressor, but it is too complicated, because if for some reason fork (clone) events are lost, there is no 100% reliable logic to not pass the event on to the next user processing.

But checking the PID in the kernel is much simpler. Maybe it is possible to add such a filter in the kernel to simplify skipping events in user space and lower CPU and ring buffer usage.

albe19029 avatar Jul 05 '24 09:07 albe19029

Hi! Thanks for opening this feat request!

We already have a proposal opened for this: https://github.com/falcosecurity/libs/pull/1867, feel free to reach out over there and add your suggestions/feedback :)

> But checking the PID in the kernel is much simpler.

That is of course simple, but how effective would it be? I mean, aside from e.g. pid 0, how many other pids are constant in the system?

FedeDP avatar Jul 05 '24 10:07 FedeDP

In my ticket I only mean to skip events for the process that called scap_open, as in our case we don't need information about ourselves.

albe19029 avatar Jul 05 '24 10:07 albe19029

It is normal that two sysdig processes will see each other. But we need a way for a process to skip events for itself.

albe19029 avatar Jul 05 '24 10:07 albe19029

It is also normal to filter events by process comm name. In this case sysdig will not see events on other sysdig instances. But that is normal too.

albe19029 avatar Jul 05 '24 11:07 albe19029

As far as I can see, for the kmod driver we have consumer_id (task_struct) from which we can get the PID. And when pushing events to the consumer ring buffer it can be checked whether the PIDs are equal, and the event skipped if configured. For bpf it is harder, as there is no ppm_open (the open-device method where thread information is stored) and no ppm_close where it can be automatically released.

albe19029 avatar Jul 05 '24 11:07 albe19029

For bpf, as I understand it, the map is per load.

```c
struct bpf_map_def SEC("maps") exclude_comm = {
	.type = BPF_MAP_TYPE_ARRAY,
	.key_size = sizeof(u32),
	.value_size = 16,	/* TASK_COMM_LEN: one comm string */
	.max_entries = 1,
};
```

So a map like this can be populated on scap_open and used to filter events for this process.

albe19029 avatar Jul 05 '24 11:07 albe19029
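The two comments above sketch a kernel-side check (compare the producing task's PID, and optionally its comm, against the consumer's, using a one-entry comm map filled at scap_open) and contrast it with the userspace suppressor that has to learn a consumer's children from clone events. The following is an added example written for this page, not code from the libs repository or from anyone in the thread. It is plain userspace C that models both approaches on a constructed event stream so the failure mode the opener describes can be reproduced: when the clone event is lost, the toy suppressor (a deliberate simplification of libs' real suppressor, which this example does not reproduce) never learns the child and leaks its event, while the stateless PID/comm check still drops it because a forked child inherits its parent's comm. The `exclude_map` struct stands in for the `exclude_comm` BPF map; `consumer_open`, `kernel_drop`, `suppressor_drop` and `simulate` are names invented here, and the PIDs and comms are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TASK_COMM_LEN 16   /* size of task_struct.comm in Linux, NUL included */
#define MAX_TRACKED   64   /* capacity of the toy suppressor's tgid table */

enum ev_type { EV_CLONE, EV_OPEN, EV_EXEC };

struct ev {
    enum ev_type type;
    uint32_t tgid;            /* tgid of the task that produced the event */
    uint32_t child_tgid;      /* EV_CLONE only: tgid of the new child */
    char comm[TASK_COMM_LEN]; /* comm of the producing task, kernel-truncated */
};

/* Stand-in for the one-entry exclude_comm array map: key 0 -> 16-byte comm.
 * Userspace fills it once at scap_open time (hypothetical flow). */
struct exclude_map { char comm[TASK_COMM_LEN]; bool set; };

/* What a kernel-side filter needs about its consumer: its own tgid (kmod can read
 * it from the consumer's task_struct) plus the optional comm to exclude. */
struct consumer { uint32_t tgid; struct exclude_map exclude_comm; };

static void consumer_open(struct consumer *c, uint32_t self_tgid, const char *self_comm) {
    c->tgid = self_tgid;
    /* Truncate exactly as the kernel does, or a long name would never match. */
    snprintf(c->exclude_comm.comm, TASK_COMM_LEN, "%s", self_comm);
    c->exclude_comm.set = true;
}

/* Kernel-side style check: stateless, decided per event from the current task. */
static bool kernel_drop(const struct consumer *c, const struct ev *e) {
    if (e->tgid == c->tgid) return true;
    return c->exclude_comm.set &&
           strncmp(e->comm, c->exclude_comm.comm, TASK_COMM_LEN) == 0;
}

/* Toy userspace suppressor: a tgid is known to belong to the consumer only if
 * the clone that created it was observed. */
struct suppressor { uint32_t tracked[MAX_TRACKED]; size_t n; };

static void suppressor_init(struct suppressor *s, uint32_t self_tgid) {
    s->n = 0;
    s->tracked[s->n++] = self_tgid;
}

static bool suppressor_tracks(const struct suppressor *s, uint32_t tgid) {
    for (size_t i = 0; i < s->n; i++)
        if (s->tracked[i] == tgid) return true;
    return false;
}

static bool suppressor_drop(struct suppressor *s, const struct ev *e) {
    if (!suppressor_tracks(s, e->tgid)) return false;
    if (e->type == EV_CLONE && s->n < MAX_TRACKED)
        s->tracked[s->n++] = e->child_tgid; /* learn the child only if we see the clone */
    return true;
}

struct result { int suppressor_leaked; int kernel_leaked; int unrelated_passed; };

enum { SELF = 4242, CHILD = 4300, OTHER = 777 }; /* constructed PIDs */

/* Replays a constructed event stream through both filters. lose_clone simulates
 * the clone event being dropped (e.g. by a full ring buffer) before anyone sees it. */
static struct result simulate(bool lose_clone) {
    const struct ev stream[] = {               /* constructed sample, not a capture */
        { EV_OPEN,  SELF,  0,     "sysdig" },  /* consumer opens a file of its own */
        { EV_CLONE, SELF,  CHILD, "sysdig" },  /* consumer forks a helper */
        { EV_OPEN,  CHILD, 0,     "sysdig" },  /* helper still carries parent's comm */
        { EV_EXEC,  OTHER, 0,     "bash"   },  /* unrelated process: must pass */
    };
    struct consumer c;
    struct suppressor s;
    struct result r = {0, 0, 0};

    consumer_open(&c, SELF, "sysdig");
    suppressor_init(&s, SELF);
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        const struct ev *e = &stream[i];
        if (lose_clone && e->type == EV_CLONE) continue;
        bool own = (e->tgid == SELF || e->tgid == CHILD);
        bool s_drop = suppressor_drop(&s, e);
        bool k_drop = kernel_drop(&c, e);
        if (own && !s_drop) r.suppressor_leaked++;
        if (own && !k_drop) r.kernel_leaked++;
        if (!own && !s_drop && !k_drop) r.unrelated_passed++;
    }
    return r;
}

int main(void) {
    struct result ok = simulate(false), lost = simulate(true);
    printf("all events seen:  suppressor leaked %d, kernel filter leaked %d\n",
           ok.suppressor_leaked, ok.kernel_leaked);
    printf("clone event lost: suppressor leaked %d, kernel filter leaked %d\n",
           lost.suppressor_leaked, lost.kernel_leaked);
    return 0;
}
```

Two details worth noting when carrying this into a real driver: the comm comparison must use the same 16-byte truncation the kernel applies to `task_struct.comm`, otherwise a consumer whose executable name is longer than 15 characters never matches its own map entry; and the PID check alone only covers the consumer's own tgid, so children that fork but have not yet exec'd are caught by the comm match, not by the PID match.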

Ei @albe19029 thank you for the feature request! This is something we are discussing in this period, and yes, one of the ideas is to move the suppression logic to the kernel space since it would allow us to drop the event before sending it to userspace. There is no ETA for this ATM but it is on our radar!

Andreagit97 avatar Jul 08 '24 08:07 Andreagit97

Is there something we can help with in this process? Skipping the process that runs scap_open would reduce a lot of code and CPU for us. Thanks a lot.

albe19029 avatar Jul 11 '24 12:07 albe19029

I think the main blocker here is that none of us currently has enough capacity to try an implementation. If you feel confident enough you can try to propose an implementation of this :)!

Andreagit97 avatar Jul 15 '24 07:07 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Oct 13 '24 10:10 poiana

/remove-lifecycle stale

albe19029 avatar Oct 15 '24 07:10 albe19029

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jan 13 '25 10:01 poiana

/remove-lifecycle stale

FedeDP avatar Jan 13 '25 10:01 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 13 '25 10:04 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar May 13 '25 10:05 poiana

/remove-lifecycle rotten

FedeDP avatar May 13 '25 10:05 FedeDP

/milestone TBD

FedeDP avatar May 13 '25 10:05 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Aug 11 '25 16:08 poiana

/remove-lifecycle stale

FedeDP avatar Aug 12 '25 07:08 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 10 '25 10:11 poiana