* Move BPF support-detection logic from endpoint to this repository (#151)

  * De-generify feature logic

    Since it's existed, the "features" argument passed into ebpf_event_ctx__create via the opts struct has been used for the sole purpose of bpf trampoline detection. There's also no scenario currently where we have to force kprobes over trampolines (i.e. the library always performs the detection logic), meaning having to go through the two-step process of ebpf_detect_system_features and ebpf_event_ctx__new is an unnecessary level of indirection.

    There is one use case for which *knowing* (but not setting) the features is useful, the TestFeaturesCorrect multi-kernel test case. To ensure we can still test the feature detection logic, add ebpf_event_ctx__get_features to expose the features detected by the library, while removing the ability to set them.

    If in the future, more features come along and it becomes necessary to toggle them on a rather granular basis, we can revert this, but for the time being, it simplifies the code nicely.

  * Move support detection logic to this repository

    Since the very beginning, the logic to detect if we support BPF has been done in endpoint instead of in the ebpf events library. This is wonky. Logically, this logic belongs here, the library should be performing all necessary checks and returning -ENOTSUP if it can't load the probes. Library users shouldn't have to divine the specific system characteristics needed for the library to successfully run themselves.

  * Change stale docs -- minimum kernel is 5.10.16

  * Remove tty_write prototype detection logic

    Since our minimum supported version is now 5.10.16, this is unneeded (prototype change was made in 5.10.11)

  * Remove --features-autodetect from testrunner

  * Make verbose log more explicit

    Co-authored-by: Mattia Meleleo <mattia.meleleo@elastic.co>

  * Add missing newline

    Co-authored-by: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com>

  * Fix typo buf -> bug

    Co-authored-by: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com>

  * Move BPF_CORE_READ calls to tty_write__enter

    Co-authored-by: Mattia Meleleo <mattia.meleleo@elastic.co>

  * Cut down support detection logic

    This reduces the stuff we check for to just bpf_support && (kernel_version > 5.10.16). While this doesn't cover 100% of cases, it will likely cover 99.9% of cases and give us an easy to read error message in those cases. Probe loading will ultimately fail if we're e.g. on a 5.10.16+ kernel with BTF that doesn't have kprobes or ftrace enabled, which will cause endpoint to not use BPF.

  * Fix incorrect boolean return

  * Print full un.release on kernel version error

  * Fix breakage on Amazonlinux2 kernels

    Too much logic was removed in the tty_write logic removal. We should still be detecting if tty_write exists in BTF and falling back to a kprobe if so.

  * Fix incorrect version detection on Ubuntu

    Ubuntu provides /proc/version_signature so that the true upstream source version can be obtained. Use it instead of utsname.release.

  * Fix kernel version detection on Debian

    See comments, we need to use un.version on Debian, as that's the only reliable way to get the upstream source version.

  Co-authored-by: Mattia Meleleo <mattia.meleleo@elastic.co>
  Co-authored-by: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com>

* EventProbe: iterate iovec segs (#158)

  * EventProbe: iterate iovec segs

  * Update GPL/Events/Process/Probe.bpf.c

    Co-authored-by: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com>

Co-authored-by: Rhys Rustad-Elliott <rhys.rustad-elliott@elastic.co>
Co-authored-by: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com>
Commit b2e9659, parent 20d902b. 7 changed files with 204 additions and 173 deletions.