
wip: feature(scap): allow custom tracepoints on ebpf probe

Open Molter73 opened this issue 2 years ago • 8 comments

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area libscap

Does this PR require a change in the driver versions?

What this PR does / why we need it:

This change allows eBPF probes created with tracepoints other than the ones used by Falco to be directly attached and detached. This is useful for adopters that might want to go through the additional effort of attaching directly to the syscalls they care about, excluding sys_enter and sys_exit which could add extra computing effort, even for ignored syscalls. Because adopters need to go the extra mile to compile a probe from their own source code, I don't think a separate mechanism for controlling whether the custom tracepoints are attached or not is needed, simply finding such a tracepoint means we want it attached.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Molter73 avatar Oct 03 '23 10:10 Molter73

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Molter73

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.

Approvers can cancel approval by writing /approve cancel in a comment.

poiana avatar Oct 03 '23 10:10 poiana

I'll open an issue for discussing this in a minute, wanted to have the draft PR so I could point to it as a possible implementation that could work for our use case.

Molter73 avatar Oct 03 '23 10:10 Molter73

Suggestions:

  • Approval of these changes is contingent upon the majority of libs maintainers being in favor https://github.com/falcosecurity/libs/issues/1527.
  • Implement custom name prefixes in the form of custom/<...> to address some concerns raised in https://github.com/falcosecurity/libs/issues/1376#issuecomment-1767977016 (@erthalion implement your suggestion basically).
  • Add comments throughout the code to emphasize that the custom program loading mechanisms may undergo refactors and are primarily intended for custom libs adoption, and not (yet) for the Falco use case.
  • Related to above, consider linking to or describing example use cases and considerations to be aware of (essentially, as outlined by @stringy in https://github.com/falcosecurity/libs/issues/1376#issuecomment-1822777817 aka emphasizing importance of following the libscap event schema).
  • General Note: Defer modern_bpf until libpman has been removed.

incertum avatar Nov 30 '23 06:11 incertum
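The attach rule from the PR description ("finding such a tracepoint means we want it attached") combined with the custom/<...> prefix suggested in the comment above, as an added Python illustration that is not code from this PR or from libscap. The stock tracepoint names and section prefixes are assumptions, and the section lists are constructed; a real loader would read them from the ELF section table of the compiled probe.

```python
"""Decide which programs in an eBPF probe object get attached.

Added illustration, not code from this PR or from libscap. It models two
points from the thread: a tracepoint program found in the object is
attached simply because it is there, and adopter-supplied programs carry a
custom/<...> name prefix so they are not confused with the stock ones.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed names of the tracepoint sections the stock Falco probe attaches.
FALCO_TRACEPOINTS = frozenset({
    "raw_tracepoint/sys_enter",
    "raw_tracepoint/sys_exit",
    "raw_tracepoint/sched_process_exit",
})

# Section prefixes that denote tracepoint program types (libbpf naming).
TRACEPOINT_PREFIXES = ("raw_tracepoint/", "tracepoint/")

@dataclass(frozen=True)
class Attachment:
    section: str   # full ELF section name
    target: str    # tracepoint to attach to, e.g. "syscalls/sys_enter_openat"
    custom: bool   # True for adopter programs, False for stock Falco ones

def classify(section: str) -> Optional[Attachment]:
    """Return an Attachment for a tracepoint program, None for anything else."""
    prefixed = section.startswith("custom/")
    name = section[len("custom/"):] if prefixed else section
    for prefix in TRACEPOINT_PREFIXES:
        if name.startswith(prefix):
            target = name[len(prefix):]
            if not target:
                raise ValueError(f"section {section!r} names no tracepoint")
            # Anything outside the stock set is custom, prefixed or not.
            custom = prefixed or name not in FALCO_TRACEPOINTS
            return Attachment(section, target, custom)
    return None  # maps, .text, license, BTF and so on are never attached

def plan_attachments(sections: List[str]) -> List[Attachment]:
    """Attach every tracepoint program found; there is no extra switch."""
    return [a for a in map(classify, sections) if a is not None]

def uses_stock_syscall_path(plan: List[Attachment]) -> bool:
    """True when the catch-all sys_enter/sys_exit pair would be attached."""
    return any(a.target in ("sys_enter", "sys_exit") and not a.custom
               for a in plan)
```

A probe built only from custom/ sections therefore never attaches the sys_enter/sys_exit pair, which is the cost the PR description wants adopters to be able to avoid.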

@gnosek made some great suggestions here https://github.com/falcosecurity/libs/issues/1527#issuecomment-1845012162

incertum avatar Dec 07 '23 17:12 incertum

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Mar 06 '24 21:03 poiana

/remove-lifecycle stale

FedeDP avatar Mar 06 '24 22:03 FedeDP