On Tue, Aug 6, 2019 at 7:31 AM <alessandro.gario@...> wrote:

Hello Brenden!

I’m not sure if it counts as an agenda item, but I’m interested in
recording process events using tracepoints, and I would like to
know
what are the best practices when attempting to do so.

Which tracepoint do you have in mind for your particular use case?

Due to project goals (endpoint monitoring) one of the requirements
is
to avoid losing any event data.

It is probably not a surprise given the limits imposed by the
verifier,
but I’m having trouble with variadic functions and long strings.

The following are some events I would like to capture with
reasonable
success:

String padding, causing the string I need to be truncated:

bash -c “<padding whitespace> /bin/rm -rf /home”

The recent kernel (5.3) added bounded loop support up to 1M
instructions. You can have a bounded loop like
start = ...
for (i = 0; i < 256 && start < end && start[i] == ' ')
start++;
The verifier should be able to handle this properly.

In the old kernel, you will have to manually unroll the loop
and do the checking.

Argument padding, causing the BPF program to not reach the last
elements:

sudo bash --verbose --verbose .. --verbose -c ‘printf
“SELINUX=disabled\nSELINUXTYPE=targeted\n” > /etc/selinux/config’

Not sure what is the issue here.
Maybe you can describe your bpf program and tracepoint setup
with more details. So we can understand better about the problem.

I thought about trying to (tail?) call additional BPF programs to
work
around the second issue, but I’m not sure how to proceed with the
first
one.

Thanks!

Alessandro Gario

On Mon, 2019-08-05 at 20:55 -0700, Brenden Blanco wrote:

Hi All,

We have the bi-weekly phone conference scheduled for two days
from
now, does
anybody have a discussion topic to add to the agenda? As a
reminder,
we are
planning to hold the meeting only if agenda items are proposed.

Cheers,
Brenden