
Stabilize eBPF backend

Open kxxt opened this issue 1 year ago • 1 comments

This issue tracks blockers for the stabilization of the currently experimental eBPF backend.

Blockers

  • [x] Evaluate if the eBPF code handles all error cases correctly and reports back to userspace.
  • [ ] Make sure that the error handling part in userspace code covers all eBPF errors.
  • [ ] Refine the pseudo filesystem handling code to handle all possible cases.
  • [ ] Ensure that we do things correctly when there are lost events or OOO events
    • [ ] When exit events are lost, we risk leaking memory or re-using old process state due to PID reuse.
    • [ ] When we lose some fork events, the parent event might be wrong for some exec events. (We might also not handle this)
    • [ ] When events arrive out of order, ensure that we process the fork events in the right order (and before the corresponding exec events).

Wish List

  • [x] Remove dirty bpf_printk hack (d7f23b4b66f9846cb3ae4d73ee60b30741092516) that bypasses verifier. (Somehow this no longer reproduces)
  • [ ] Show detailed reason for errors that occurred in eBPF

kxxt avatar Nov 09 '24 14:11 kxxt
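
The lost-exit, lost-fork and out-of-order cases from the blocker list above, shown as a userspace tracker. This is an added example, not tracexec's code: the `Event` shape, the per-event `seq` number assumed to be stamped on the eBPF side, and all names are assumptions, and the sample events are constructed.

```rust
use std::collections::{BTreeMap, HashMap};
enum Kind { Fork(u32 /* parent pid */), Exec(&'static str /* path */), Exit }
struct Event { seq: u64, pid: u32, kind: Kind } // hypothetical; `seq` is assumed
#[derive(Default)]
struct Tracker {
    next_seq: u64,                      // next sequence number to process
    pending: BTreeMap<u64, Event>,      // early arrivals, ordered by seq
    parents: HashMap<u32, Option<u32>>, // live pid -> parent (None: fork lost)
    stale_evictions: u32,               // lost exits detected through PID reuse
    log: Vec<String>,                   // one "pid parent path" line per exec
}
impl Tracker {
    // Buffer the event, then process everything that is now contiguous.
    fn push(&mut self, ev: Event) {
        self.pending.insert(ev.seq, ev);
        while let Some(ev) = self.pending.remove(&self.next_seq) {
            self.next_seq += 1;
            self.apply(ev);
        }
    }
    // Stop waiting for lost events: drain the buffer in order, skipping gaps.
    fn skip_gaps(&mut self) {
        while let Some((seq, ev)) = self.pending.pop_first() {
            self.next_seq = seq + 1;
            self.apply(ev);
        }
    }
    fn apply(&mut self, ev: Event) {
        match ev.kind {
            Kind::Fork(parent) => if self.parents.insert(ev.pid, Some(parent)).is_some() {
                self.stale_evictions += 1; // pid still tracked: its exit was lost
            },
            Kind::Exec(path) => {
                let parent = *self.parents.entry(ev.pid).or_insert(None); // None: fork lost
                self.log.push(format!("{} {:?} {}", ev.pid, parent, path));
            }
            Kind::Exit => { self.parents.remove(&ev.pid); }
        }
    }
}
// Constructed sample: exec before its fork, a lost exit (seq 2), a lost fork (seq 5).
fn demo() -> (Vec<String>, u32) {
    let mut t = Tracker::default();
    for (seq, pid, kind) in [
        (1, 100, Kind::Exec("ls")), (0, 100, Kind::Fork(1)), (3, 100, Kind::Fork(7)),
        (4, 100, Kind::Exec("sh")), (6, 200, Kind::Exec("id")),
    ] { t.push(Event { seq, pid, kind }); }
    t.skip_gaps(); (t.log, t.stale_evictions)
}
fn main() { println!("{:?}", demo()); }
```

The `pending` map grows while a gap is open, so a real consumer would call `skip_gaps` on a drop notification or a timeout rather than only at the end of the stream.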

Although what prevents stabilization of eBPF is error handling in userspace, perhaps we could rewrite the eBPF code in Zig to make it more resilient.

kxxt avatar Nov 23 '25 05:11 kxxt