-
Notifications
You must be signed in to change notification settings - Fork 382
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tracingpolicy: add BPF operations support #2943
Conversation
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
152045b
to
1c50078
Compare
1c50078
to
d72fdf0
Compare
so IIUC you want the event to show the bpf command numbers ... IMO the types should be just for kernel objects could we do that without changing the ebpf code? we just need to get the int value from kernel (which we already have support for, no need to add new) and transform that number into bpf command enum value I think we could factor the printer code to do that.. to have kernel type and user side type.. so you'd configure the rinter and argument to have int type value for kernel code and 'bpf_cmd' type for user space processing code |
Signed-off-by: Djalal Harouni <[email protected]>
d72fdf0
to
6c4bd3d
Compare
Signed-off-by: Djalal Harouni <[email protected]>
6c4bd3d
to
944c6e5
Compare
Yes makes sense, can you please check again Jiri, thank you! |
Suggested by Jiri. Introduce userspace types that will be used for pretty printing. This allows to add different enum types into proto definition, have a high level representation that allows to pretty print data to users without propagating those same types into bpf part. We define the bpfCmd enum in proto, add its type in userspace, but we do not propagate this into kernel, we just keep using int types for kernel and we do the translation back into userspace where it makes sense. Suggested-by: Jiri Olsa <[email protected]> Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
944c6e5
to
f1a4175
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
protobuf changes LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, LGTM.
@@ -6970,3 +6970,67 @@ tetragon_missed_prog_probes_total{attach="wake_up_new_task",policy="__base__"} 0 | |||
prometheus.BuildFQName(consts.MetricsNamespace, "", "missed_prog_probes_total"))) | |||
|
|||
} | |||
|
|||
func TestKprobeBpfCmd(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I guess the idea of the test is to detect the tetragon bpf program / map loading?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes kept it small, but it can be used to detect all bpf commands.
Description
Add BPF operations support.
Changelog