
Conversation

@ekoops
Contributor

@ekoops ekoops commented Sep 12, 2025

What type of PR is this?

/kind cleanup

/kind design

/kind test

Any specific area of the project related to this PR?

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libpman

Does this PR require a change in the driver versions?

What this PR does / why we need it:

This PR is related to the proposal approved in #2068.

It completes the removal of the logic related to enter events generation, in all 3 drivers, for cases not related to TOCTOU mitigation support. This is motivated by the fact that, for these cases, the corresponding exit events already contain the same kind of information. Practically speaking, this means keeping support only for connect, creat, open, openat and openat2 enter event generation.

To achieve this goal, this PR drops the modern probe sys_enter dispatcher and adapts the kmod syscall_enter registered probe and the legacy bpf probe sys_enter program to only allow fillers execution for the aforementioned 5 system calls.

These patches remove from the drivers fillers table all the disabled enter event entries. Moreover, they remove from drivers the code related to PPME_GENERIC_E event type, besides the remaining modern probe generic_e program and socketcall and generic enter events driver tests.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Not bumping the driver schema version is currently a practice we are following as we will bump it in a single shot once we are done with the #2068 proposal.

/milestone 0.22.0

Does this PR introduce a user-facing change?:

feat(driver/bpf)!: use `sys_enter` probe only for TOCTOU mitigation
feat(driver)!: use `syscall_enter` probe only for TOCTOU mitigation
feat!: drop modern probe `sys_enter` and remaining syscall enter progs
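The design choice above (keep enter events only for connect, creat, open, openat and openat2, and rely on exit events everywhere else) is easiest to see on a small model of the event pipeline. The following is an added illustration, not code from this PR or from the libs drivers: it assumes a gate function that decides per syscall name whether the enter filler runs, a per-thread join of enter and exit records, and a constructed trace in which a pointer-typed argument reads differently at enter and at exit. It shows that for a non-TOCTOU syscall the exit event already carries all the information, while for the kept syscalls the enter capture is what a consumer should treat as authoritative, and that comparing the two captures gives a simple tamper signal.

```python
from dataclasses import dataclass, field
from typing import Optional

# Syscalls whose enter event the PR keeps. Every other enter filler is disabled
# because the corresponding exit event carries the same information.
TOCTOU_ENTER_SYSCALLS = frozenset({"connect", "creat", "open", "openat", "openat2"})


def enter_filler_enabled(syscall: str) -> bool:
    """Model (assumption, not driver code) of the gate the PR adds to the
    sys_enter / syscall_enter probes: run the enter filler only for the
    TOCTOU-sensitive syscalls."""
    return syscall in TOCTOU_ENTER_SYSCALLS


@dataclass
class TraceStep:
    """One probe hit. `user_arg` is the pointer-typed argument (pathname or
    sockaddr) as it reads from user memory at that instant; it may differ
    between enter and exit if the buffer is rewritten while the syscall is in
    flight, which is exactly the case the enter capture exists for."""
    tid: int
    syscall: str
    phase: str                     # "enter" or "exit"
    user_arg: str
    retval: Optional[int] = None


@dataclass
class Sensor:
    """Minimal event pipeline: enter captures are parked per thread and joined
    with the matching exit record."""
    events: list = field(default_factory=list)
    pending_enter: dict = field(default_factory=dict)   # tid -> arg seen at enter

    def feed(self, step: TraceStep) -> None:
        if step.phase == "enter":
            if enter_filler_enabled(step.syscall):
                self.pending_enter[step.tid] = step.user_arg
                self.events.append(
                    {"type": step.syscall + "_E", "tid": step.tid, "arg": step.user_arg}
                )
            return  # enter filler disabled: no event, the exit carries the data
        # The exit filler always runs.
        entered = self.pending_enter.pop(step.tid, None)
        evt = {"type": step.syscall + "_X", "tid": step.tid,
               "arg": step.user_arg, "ret": step.retval}
        if entered is not None:
            # The value captured at entry is the one the kernel acted on;
            # a mismatch with the exit-time read is a tamper signal.
            evt["arg"] = entered
            evt["arg_tampered"] = entered != step.user_arg
        self.events.append(evt)


def run_constructed_trace() -> list:
    """Feed a constructed (not captured) trace through the model sensor."""
    trace = [
        # thread 7: openat whose pathname buffer changes between enter and exit
        TraceStep(7, "openat", "enter", "/srv/app/secrets.db"),
        TraceStep(7, "openat", "exit", "/tmp/decoy.txt", retval=3),
        # thread 9: read; no enter event is produced, the exit has everything
        TraceStep(9, "read", "enter", "fd=3"),
        TraceStep(9, "read", "exit", "fd=3", retval=512),
    ]
    sensor = Sensor()
    for step in trace:
        sensor.feed(step)
    return sensor.events


if __name__ == "__main__":
    for evt in run_constructed_trace():
        print(evt)
```

Running it yields three events: `openat_E` and `openat_X` for thread 7 (the exit record carries the enter-time pathname and `arg_tampered` set), and a single `read_X` for thread 9, which is the behaviour the PR describes for non-TOCTOU syscalls.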

@github-actions

github-actions bot commented Sep 12, 2025

Please double check driver/SCHEMA_VERSION file. See versioning.

/hold

@codecov

codecov bot commented Sep 12, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.25%. Comparing base (cdb3d6d) to head (fc865db).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2627   +/-   ##
=======================================
  Coverage   78.25%   78.25%           
=======================================
  Files         294      294           
  Lines       31826    31826           
  Branches     4667     4667           
=======================================
  Hits        24905    24905           
  Misses       6921     6921           
Flag Coverage Δ
libsinsp 78.25% <ø> (ø)


@github-actions

github-actions bot commented Sep 12, 2025

X64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-4.19 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2-5.10 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2023-6.1 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.0 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.7 🟢 🟢 🟢 🟢 🟢 🟢
centos-3.10 🟢 🟢 🟢 🟡 🟡 🟡
centos-4.18 🟢 🟢 🟢 🟢 🟢 🟢
centos-5.14 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.17 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.8 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-3.10 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-4.14 🟢 🟢 🟢 🟢 🟢 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-5.4 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-4.15 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-5.8 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

ARM64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-4.14 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

Drop modern probe `sys_enter` dispatcher, the syscall enter tail call
table and remaining enter event programs (i.e. `generic_e` and
`connect_e_raw_tp`) not generating events related to TOCTOU
mitigation. This is motivated by the fact that, in the current
implementation, enter events information are a subset of the one
exported by exit events.

As `PPME_GENERIC_E` and network enter events resulting from socketcall
invocations are not generated anymore by the modern probe, skip
`generic_e.cpp` and `socketcall_e.cpp` tests if the modern probe is
used as engine.

BREAKING CHANGE: drop non-TOCTOU syscall enter progs in modern probe

Signed-off-by: Leonardo Di Giovanna <[email protected]>

In kmod probe, update `syscall_enter` probe to only allow execution of
fillers related to TOCTOU mitigation, disabling the generation of any
other enter event. This is motivated by the fact that, for all other
enter events, the corresponding exit events already contain the same
kind of information.

Contextually, update the fillers table by removing any filler
information related to enter events, excluding (1) the entries related
to TOCTOU mitigation and (2) the `PPME_GENERIC_E` entry (as it is still
used by legacy bpf probe code).

Finally, remove any `PPME_GENERIC_E` event related code and skip
`generic_e.cpp` and `socketcall_e` tests when run while using the kmod
engine.

BREAKING CHANGE: update fillers table and drop non-TOCTOU syscall
  enter fillers in kmod probe

Signed-off-by: Leonardo Di Giovanna <[email protected]>

In legacy bpf probe, update `sys_enter` probe to only allow execution
of fillers related to TOCTOU mitigation, disabling the generation of
any other enter event. This is motivated by the fact that, for all
other enter events, the corresponding exit events already contain the
same kind of information.

Contextually, update the fillers table by removing the entry related
to `PPME_GENERIC_E` enter event, as it is not anymore used by any
driver. any filler
information related to enter events, excluding the entries related to
TOCTOU mitigation.

Finally, remove any `PPME_GENERIC_E` event related code and delete
`generic_e.cpp` and `socketcall_e.cpp` files, as contained tests are
related to events not generated anymore by any engine.

BREAKING CHANGE: update fillers table and drop non-TOCTOU syscall
  enter fillers in legacy bpf probe

Signed-off-by: Leonardo Di Giovanna <[email protected]>
@ekoops ekoops force-pushed the ekoops/drop-sys-enter-disp branch from b9c10e4 to fc865db on September 12, 2025 14:14
@ekoops
Contributor Author

ekoops commented Sep 12, 2025

Hey @deepskyblue86 , thank you for your review. I applied your suggestions, and I fixed an issue related to modern probe programs loading which broke CI run. Let me know if there is any other issue you want me to fix.

@github-actions

Perf diff from master - unit tests

     6.03%     +0.65%  [.] sinsp_evt::get_type
     3.11%     +0.50%  [.] gzfile_read
     5.75%     -0.49%  [.] sinsp_thread_manager::find_thread
     5.52%     -0.40%  [.] sinsp_parser::reset
     2.69%     -0.23%  [.] sinsp_thread_manager::get_thread_ref
     0.82%     -0.23%  [.] sinsp_evt::get_direction
     2.57%     -0.22%  [.] sinsp_parser::process_event
     3.02%     -0.20%  [.] is_conversion_needed
     0.74%     +0.19%  [.] sinsp_evt::get_ts
     8.21%     -0.16%  [.] sinsp::next

Heap diff from master - unit tests

peak heap memory consumption: 8.63K
peak RSS (including heaptrack overhead): 0B
total memory leaked: -893.09K

Heap diff from master - scap file

peak heap memory consumption: 8.63K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            -0.0293         -0.0293           152           147           152           147
BM_sinsp_split_median                                          -0.0256         -0.0256           151           147           151           147
BM_sinsp_split_stddev                                          -0.6717         -0.6719             3             1             3             1
BM_sinsp_split_cv                                              -0.6618         -0.6621             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  +0.2313         +0.2313            54            66            54            66
BM_sinsp_concatenate_paths_relative_path_median                +0.2572         +0.2572            52            66            52            66
BM_sinsp_concatenate_paths_relative_path_stddev                -0.7909         -0.7907             2             0             2             0
BM_sinsp_concatenate_paths_relative_path_cv                    -0.8301         -0.8300             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     -0.0002         -0.0002            25            25            25            25
BM_sinsp_concatenate_paths_empty_path_median                   -0.0010         -0.0010            25            25            25            25
BM_sinsp_concatenate_paths_empty_path_stddev                   +1.0893         +1.0916             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       +1.0897         +1.0920             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  +0.0324         +0.0324            60            62            60            62
BM_sinsp_concatenate_paths_absolute_path_median                +0.0283         +0.0283            60            62            60            62
BM_sinsp_concatenate_paths_absolute_path_stddev                +0.8979         +0.8975             0             1             0             1
BM_sinsp_concatenate_paths_absolute_path_cv                    +0.8384         +0.8379             0             0             0             0

Member

@deepskyblue86 deepskyblue86 left a comment


/approve

@poiana poiana added the lgtm label Sep 12, 2025
@poiana
Contributor

poiana commented Sep 12, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepskyblue86, ekoops

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details: Needs approval from an approver in each of these files:
  • OWNERS [deepskyblue86,ekoops]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Sep 15, 2025
@ekoops
Contributor Author

ekoops commented Sep 15, 2025

/hold cancel

@poiana poiana merged commit a32d88b into master Sep 15, 2025
59 of 60 checks passed
@poiana poiana deleted the ekoops/drop-sys-enter-disp branch September 15, 2025 10:18
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Sep 15, 2025
@leogr leogr modified the milestones: 0.22.0, 9.0.0+driver Oct 16, 2025

Projects

Status: Done

5 participants