Add io_uring tracepoints

Open yanivagman opened this issue 5 years ago • 3 comments

io_uring is a relatively new and interesting interface between the user space and the kernel. It is built around a ring buffer in memory shared between user space and the kernel, that allows the submission of operations (and collecting the results) without the need to call into the kernel in many cases.

With io_uring, a program doesn't have to call system calls to perform operations like open, close, read, write and more (for more info: https://lwn.net/Articles/810414/). For this reason, it is also interesting from a security perspective.

We should add support in tracee for the relevant io_uring tracepoints, as defined in: https://github.com/torvalds/linux/blob/master/include/trace/events/io_uring.h

yanivagman avatar Nov 15 '20 21:11 yanivagman

@AsafEitani @idanr1986 @roikol @AlonZivony any plans to add these events? I think they are a blind spot we might have in newer kernels

yanivagman avatar Jan 30 '23 07:01 yanivagman

I'm afraid that is also true for aio_writes/aio_reads, no? One could use async I/O instead of regular I/O as a blind spot I believe.

io_submit() -> aio_read/aio_write() -> call_read/write_iter() -> file_operations "write_iter" implementation (all kinds of backing drivers such as block, char, net, vhost, ext4, fat, fuse, nfs, overlays, ...).

rafaeldtinoco avatar Feb 08 '23 18:02 rafaeldtinoco

libuv is starting to use io_uring now, which means it might get wide adoption soon https://github.com/libuv/libuv/pull/3952

itaysk avatar May 29 '23 12:05 itaysk
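
To gauge how much of a host falls into the blind spot discussed in this thread, the following added example (not part of the issue and not tracee code) lists processes that currently hold an io_uring instance by scanning procfs. It assumes io_uring file descriptors appear in `/proc/<pid>/fd` as links to `anon_inode:[io_uring]`; the function names and the `proc_root` parameter are hypothetical.

```python
import os

# Assumed readlink target of an io_uring file descriptor in /proc/<pid>/fd.
IO_URING_LINK = "anon_inode:[io_uring]"


def read_comm(proc_root, pid):
    """Return the short process name, or '?' if the process is already gone."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def find_io_uring_users(proc_root="/proc"):
    """Return {pid: {"comm": str, "fds": [int, ...]}} for io_uring holders."""
    users = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip non-process entries such as "self"
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or not permitted to inspect it
            continue
        ring_fds = []
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:              # fd closed between listdir and readlink
                continue
            if target == IO_URING_LINK:
                ring_fds.append(int(fd))
        if ring_fds:
            users[int(entry)] = {
                "comm": read_comm(proc_root, entry),
                "fds": sorted(ring_fds),
            }
    return users


if __name__ == "__main__":
    # Run as root to see other users' processes.
    for pid, info in sorted(find_io_uring_users().items()):
        print(f"{pid}\t{info['comm']}\tio_uring fds: {info['fds']}")
```

This is a point-in-time snapshot, so short-lived processes are missed, and it shows only that a ring exists, not which operations were submitted through it.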