feat: add event enable/disable #3466
Conversation
There was a problem hiding this comment.
Not sure we need an event manager - can you please explain what other responsibilities will it have in the future other than enabling/disabling an event?
If we choose to keep the event manager, I think it should include all the state about the events:
- The events that were selected by the user
- The event configuration (submit/emit)
- The policies that have this event enabled (so this means moving the policy bitmap of an event from policy manager to the event manager).
One thing that I didn't see here is calling the existing API to unload/load a signature event - do you plan to add it as well?
|
@yanivagman I think in the future the event manager should be the one responsible for eventsState, which hold the events the user selected and also the the emit, submit mask. But I don't think it should have the policyBitmap, because disabling an event globably is different than disabling a rule in a policy, if I have a mask for the Also, not refactoring the Unloading/loading a signature should be done later, I want to first finish the API to have it ready in the case we want to release an RC, the unloading/loading can't be done without changing any public API. WDTY? |
The fact that we can keep the policy bitmap in the event state doesn't say we should modify it if the event was disable/enabled. Per each event, its state can be composed of:
Ok
I guess you meant CAN be done, right? If so then yes, I agree |
pkg/ebpf/events_pipeline.go
Outdated
| @@ -561,6 +561,13 @@ func (t *Tracee) sinkEvents(ctx context.Context, in <-chan *trace.Event) <-chan | |||
| continue // might happen during initialization (ctrl+c seg faults) | |||
| } | |||
|
|
|||
| // Is the event disabled? | |||
| if !t.eventManager.IsEventEnabled(events.ID(event.EventID)) { | |||
| logger.Debugw("event dropped because it is disabled", "event", event.EventName) | |||
There was a problem hiding this comment.
An idea for the future: instead of logging the drop (which is noisy, even in a debugging, in a huge submission of a disabled event), we could count them like we do with lost events.
There was a problem hiding this comment.
Nice! Will add a TODO/issue about it, should be part of the metrics.
Ah! Ok, so let's merge both policyManager and eventManager? I think I prefer the name policyManager, and it has both states inside a structure like eventState{policy.Bitmap, bool (for enabled/disabled which later becomes emit/subimt}, and we have one check only check if an event is enabled instead of checking first if the event is enabled, and then if the rule is enabled (later if the policy is enabled). WDYT? or you think two maps, one for each is best?
Yes, exactly, we do it after having the API working as an internal change. |
I also do prefer naming it After that type merge I'll start the relocation of the scattered Policies and EventState logic into the |
josedonizetti
force-pushed
the
add-event-manager
branch
3 times, most recently
from
a74f957
to
4da8a82
Compare
| } | ||
|
|
||
| return pm.isRuleEnabled(matchedPolicies, ruleId) |
There was a problem hiding this comment.
Should it be ruleId or eventId then?
Should it be isRuleEnabled or isEventEnabled?
There was a problem hiding this comment.
I'm using ruleId where in the future it is a rule, although now it is type events.ID and I'm using eventId where it is an event, rule depends on passing policy information, event doesn't
And we have both concepts, Rules can be enabled/disabled, and Events can be enabled/disable, so we are exposing synchronized methods to deal with it (specially good to test both concepts), but in the pipeline we want to do a single test, get the mutex only one time, so we use IsEnabled which in the future should also cover the case of Policies enabled/disabled
|
|
||
| // not synchronized, use IsEventEnabled instead | ||
| func (pm *policyManager) isEventEnabled(evenId events.ID) bool { | ||
| state, ok := pm.rules[evenId] |
There was a problem hiding this comment.
we use pm.rules once with eventId (typo: eventId) and above with ruleId - which one is correct?
Reminder that in the future rule id will be composed of event id and some index
There was a problem hiding this comment.
I'm using ruleId where in the future it is a rule, although now it is type events.ID and I'm using eventId where it is an event, rule depends on passing policy information, event doesn't
The event manager manages the state (disabled/enabled) of events globably on tracee.
josedonizetti
force-pushed
the
add-event-manager
branch
from
4da8a82
to
d75aad6
Compare
| pm.mutex.Lock() | ||
| defer pm.mutex.Unlock() | ||
|
|
||
| state, ok := pm.rules[eventId] |
There was a problem hiding this comment.
So how will this code look like in the future when we will have rule ids different than event id?
We will not be able to use pm.rules map anymore, right?
There was a problem hiding this comment.
Probably, but it is an internal structure we should be able to refactor it without affecting anything that is consuming it. Right? It is encapsulated.
The event manager manages the state (disabled/enabled) of events globably on tracee.
1. Explain what the PR does
This PR is part of the work to support a v1 for GRPC, it adds an enable/disable method to the policyManager, with a state struct to hold the information about the event that is enable/disbale globally as well as per policy, this struct in the future can hold the event emit/submit mask and also a policyMask to enable/disable policies globally.