Skip to content

feat: add PPME_SYSCALL_CONNECT_E params to PPME_SYSCALL_CONNECT_X #2529

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
poiana merged 1 commit into from
Jul 10, 2025
Merged

feat: add PPME_SYSCALL_CONNECT_E params to PPME_SYSCALL_CONNECT_X #2529

poiana merged 1 commit into from
Jul 10, 2025

Conversation

@ekoops
Copy link
Contributor

@ekoops ekoops commented Jul 7, 2025
edited
Loading

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

This PR is part of #2427.

It:

  • adds PPME_SYSCALL_CONNECT_E parameters to PPME_SYSCALL_CONNECT_X event definition and aligns all 3 kernel drivers to it
  • adds new rules to scap file converter table to convert events in old scap files to the new layout
  • adds/updates connect-related drivers, scap converter and sinsp parser tests to account the new layout.

For the moment, this patch does not touch userspace connect "enter event"-related logic as it requires additional work to be done on driver's tuple generation logic.

However, I changed the default value set for PT_SOCKADDR to a single-byte containing PPM_AF_UNSPEC: this is needed in order to not break the old expected behaviour, but I hope to remove this custom logic as the discussion on how to mitigate TOCTTOU once we drop the enter events reaches some conclusion.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

/milestone 0.22.0

Does this PR introduce a user-facing change?:

NONE

@poiana poiana added this to the 0.22.0 milestone Jul 7, 2025
@poiana
Copy link
Contributor

poiana commented Jul 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana added the approved label Jul 7, 2025
@poiana poiana requested review from Andreagit97 and hbrueckner July 7, 2025 13:05
@ekoops ekoops mentioned this pull request Jul 7, 2025
Closed
@github-actions
Copy link

github-actions bot commented Jul 7, 2025
edited
Loading

Perf diff from master - unit tests

   100.00%    -99.74%  [.] 0x000000000007ce90

Heap diff from master - unit tests

peak heap memory consumption: -1.43K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 3.26M

Heap diff from master - scap file

peak heap memory consumption: -456B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            +0.0190         +0.0191           146           149           146           149
BM_sinsp_split_median                                          +0.0162         +0.0163           146           148           146           148
BM_sinsp_split_stddev                                          +0.8845         +0.8851             1             1             1             1
BM_sinsp_split_cv                                              +0.8493         +0.8498             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  +0.0527         +0.0528            60            63            60            63
BM_sinsp_concatenate_paths_relative_path_median                +0.0452         +0.0453            60            63            60            63
BM_sinsp_concatenate_paths_relative_path_stddev                -0.2916         -0.2905             1             1             1             1
BM_sinsp_concatenate_paths_relative_path_cv                    -0.3271         -0.3261             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     -0.0340         -0.0339            25            24            25            24
BM_sinsp_concatenate_paths_empty_path_median                   -0.0317         -0.0316            25            24            25            24
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.1878         -0.1905             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       -0.1592         -0.1621             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  +0.1846         +0.1847            56            66            56            66
BM_sinsp_concatenate_paths_absolute_path_median                +0.1907         +0.1908            56            67            56            67
BM_sinsp_concatenate_paths_absolute_path_stddev                -0.6445         -0.6443             1             0             1             0
BM_sinsp_concatenate_paths_absolute_path_cv                    -0.6999         -0.6997             0             0             0             0

@codecov
Copy link

codecov bot commented Jul 7, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 91.48936% with 8 lines in your changes missing coverage. Please review.

Project coverage is 78.41%. Comparing base (0f6ea5c) to head (8ad48da).
Report is 4 commits behind head on master.

Files with missing lines Patch % Lines
userspace/libsinsp/parsers.cpp 84.00% 8 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2529      +/-   ##
==========================================
- Coverage   78.42%   78.41%   -0.01%     
==========================================
  Files         292      292              
  Lines       32001    31990      -11     
  Branches     4653     4649       -4     
==========================================
- Hits        25096    25085      -11     
  Misses       6905     6905
Flag Coverage Δ
libsinsp 78.41% <91.48%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@github-actions
Copy link

github-actions bot commented Jul 7, 2025
edited
Loading

X64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-4.19 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2-5.10 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2023-6.1 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.0 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.7 🟢 🟢 🟢 🟢 🟢 🟢
centos-3.10 🟢 🟢 🟢 🟡 🟡 🟡
centos-4.18 🟢 🟢 🟢 🟢 🟢 🟢
centos-5.14 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.17 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.8 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-3.10 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-4.14 🟢 🟢 🟢 🟢 🟢 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-5.4 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-4.15 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-5.8 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

ARM64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-4.14 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

@ekoops ekoops force-pushed the ekoops/convert-connect branch 3 times, most recently from 3344955 to 92ae386 Compare July 8, 2025 07:46
ekoops
ekoops commented Jul 8, 2025
View reviewed changes
userspace/libsinsp/parsers.cpp
Comment on lines -2717 to -2733
if(evt.get_num_params() < 2) {
switch(evt.get_fd_info()->m_type) {
case SCAP_FD_IPV4_SOCK:
evt.get_fd_info()->m_sockinfo.m_ipv4info.m_fields.m_dip = 0;
evt.get_fd_info()->m_sockinfo.m_ipv4info.m_fields.m_dport = 0;
break;
case SCAP_FD_IPV6_SOCK:
evt.get_fd_info()->m_sockinfo.m_ipv6info.m_fields.m_dip = ipv6addr::empty_address;
evt.get_fd_info()->m_sockinfo.m_ipv6info.m_fields.m_dport = 0;
break;
default:
break;
}
sinsp_utils::sockinfo_to_str(&evt.get_fd_info()->m_sockinfo,
evt.get_fd_info()->m_type,
&evt.get_paramstr_storage()[0],
(uint32_t)evt.get_paramstr_storage().size(),
m_hostname_and_port_resolution_enabled);

evt.get_fd_info()->m_name = &evt.get_paramstr_storage()[0];
return;
}
Copy link
Contributor Author

@ekoops ekoops Jul 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a special parsing logic handling old scap files' connect enter events not containing any addr parameter. Receiving a 1-parameter connect event event is no longer possible, as I updated the scap converter table to add a default addr parameter value to them. The default addr parameter is now a single-byte containing a PPM_AF_UNSPEC family value, to distinguish it from a 0-length PT_SOCKADDR parameter. Hope to remove this custom logic soon, as we move forwarding and clean the connect event handling. For the moment, we need to keep it, as some tests still rely on this peculiar behaviour in a non-obvious way.

@ekoops ekoops mentioned this pull request Jul 8, 2025
Closed
mstemm
mstemm requested changes Jul 9, 2025
View reviewed changes
Copy link
Contributor

@mstemm mstemm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one question about a value pushed in one of the tests.

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Jul 9, 2025
@ekoops ekoops force-pushed the ekoops/convert-connect branch from 92ae386 to 5f3cb7c Compare July 9, 2025 15:42
@ekoops
feat: add PPME_SYSCALL_CONNECT_E params to PPME_SYSCALL_CONNECT_X
8ad48da 
Add `PPME_SYSCALL_CONNECT_E` parameters to` PPME_SYSCALL_CONNECT_X`
event definition and align all 3 kernel drivers to it.

Add new rules to scap file converter table to convert events in old
scap files to the new layout.

Add/update connect-related drivers, scap converter and sinsp parser
tests to account the new layout.

For the moment, do not touch userspace connect "enter event"-related
logic as it requires additional work to be done on driver's tuple
generation logic.

Signed-off-by: Leonardo Di Giovanna <[email protected]>
@ekoops ekoops force-pushed the ekoops/convert-connect branch from 5f3cb7c to 8ad48da Compare July 9, 2025 15:43
@ekoops ekoops requested a review from mstemm July 9, 2025 16:43
@poiana poiana added the lgtm label Jul 9, 2025
@poiana
Copy link
Contributor

poiana commented Jul 9, 2025

LGTM label has been added.

DetailsGit tree hash: 782858bcf07261b082d5a47683d659207715ca2a

@poiana poiana merged commit 25159de into master Jul 10, 2025
69 of 70 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Jul 10, 2025
@poiana poiana deleted the ekoops/convert-connect branch July 10, 2025 10:08
@leogr leogr modified the milestones: 0.22.0, 9.0.0+driver Oct 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leogr leogr leogr approved these changes

@mstemm mstemm mstemm approved these changes

@Andreagit97 Andreagit97 Awaiting requested review from Andreagit97

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

Assignees

@leogr leogr

@mstemm mstemm

Labels

approved area/driver-bpf area/driver-kmod area/driver-modern-bpf area/libscap area/libscap-engine-gvisor area/libscap-engine-savefile area/libsinsp area/tests dco-signoff: yes kind/feature New feature or request kind/test PRs increasing the test coverage without fixing any failing test lgtm release-note-none size/XXL

Projects

Falco Roadmap
Status: Done

Milestone

9.0.0+driver

Development

Successfully merging this pull request may close these issues.

5 participants

@ekoops @poiana @leogr @mstemm