
[REFAC] Optimize task_info initialization with a dedicated map

Open NDStrahilevitz opened this issue 3 years ago • 1 comments

Prerequisites

Select one OR another:

  • [x] I have discussed the refactoring idea with one (or another) maintainer.
  • [ ] I'll create a PR to implement this refactoring idea (assign to yourself).
  • [x] Someone else should implement this (describe it well).

Refactoring description

When initializing a task_info in bpf code, we use the submit buffer value in order to populate the map with junk values. This is done because of the eBPF stack limit, and allocating a task_info in the stack crosses that limit most of the time.

We can create a dedicated map of size 1 with value type of task_info_t as a template to initialize this map. Then, we can even initialize the template from userspace once, and remove the following lines in tracee.bpf.c:init_task_info:

        data->task_info->syscall_traced = false;
        data->task_info->new_task = false;
        data->task_info->follow = false;
        data->task_info->recompute_scope = true;
        data->task_info->container_state = CONTAINER_UNKNOWN;

Additional Information (feature drawings, files, logs, etc)

Originally posted by @yanivagman in https://github.com/aquasecurity/tracee/pull/2080#discussion_r958398068

NDStrahilevitz avatar Aug 30 '22 12:08 NDStrahilevitz
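
The template-map idea described in the issue, as an added example that is not tracee's code: a plain-C model in which static arrays stand in for the BPF maps, so the flow can be compiled and run outside the kernel. The `task_info_t` layout, `MAX_TASKS`, the numeric value of `CONTAINER_UNKNOWN`, and the names `task_info_tmpl`, `load_template` and `lookup_task_info` are assumptions; the comments name the BPF helper each step stands for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CONTAINER_UNKNOWN 0   /* name from the issue; numeric value assumed */
#define MAX_TASKS 4           /* toy capacity for the modeled hash map */

typedef struct task_info {    /* hypothetical layout, not tracee's real struct */
    uint8_t context[600];     /* bulk that would not fit the 512-byte BPF stack */
    bool syscall_traced, new_task, follow, recompute_scope;
    uint8_t container_state;
} task_info_t;

/* Models a BPF array map with max_entries = 1 that holds the template. */
static task_info_t task_info_tmpl[1];
/* Models the per-task hash map keyed by thread id. */
static struct { bool used; uint32_t tid; task_info_t val; } task_info_map[MAX_TASKS];

/* Userspace loader: write the defaults into the template once. */
void load_template(void) {
    task_info_t *t = &task_info_tmpl[0];
    memset(t, 0, sizeof(*t));             /* all flags false, bulk zeroed */
    t->recompute_scope = true;
    t->container_state = CONTAINER_UNKNOWN;
}

/* Models bpf_map_lookup_elem(&task_info_map, &tid). */
task_info_t *lookup_task_info(uint32_t tid) {
    for (int i = 0; i < MAX_TASKS; i++)
        if (task_info_map[i].used && task_info_map[i].tid == tid)
            return &task_info_map[i].val;
    return NULL;
}

/* BPF-side init: only pointers live on the stack, never a task_info_t. */
task_info_t *init_task_info(uint32_t tid) {
    task_info_t *tmpl = &task_info_tmpl[0];   /* template lookup with key 0 */
    task_info_t *cur = lookup_task_info(tid);
    if (cur)
        return cur;                           /* keep existing per-task state */
    for (int i = 0; i < MAX_TASKS; i++) {
        if (task_info_map[i].used)
            continue;
        /* Models bpf_map_update_elem(&task_info_map, &tid, tmpl, BPF_NOEXIST). */
        task_info_map[i].used = true;
        task_info_map[i].tid = tid;
        memcpy(&task_info_map[i].val, tmpl, sizeof(*tmpl));
        return &task_info_map[i].val;
    }
    return NULL;                              /* map full */
}
```

Because every new entry is a copy of the template, its fields start from the loader's defaults rather than from whatever bytes a reused buffer happened to hold.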

Don't forget to add the 0.8.2 milestone if you want it merged on it (which might be a good idea). Thanks.

rafaeldtinoco avatar Aug 30 '22 13:08 rafaeldtinoco

Already done. We now use a percpu scratch_map to do this.

yanivagman avatar Jan 31 '23 08:01 yanivagman