agenda: IO Visor TSC/Dev Meeting
Brenden Blanco
Hi All,

Since we haven't received any agenda suggestions for the meeting today, please consider it canceled.

Thanks,
Brenden

On Mon, Aug 5, 2019 at 8:55 PM Brenden Blanco <bblanco@...> wrote:
alessandro.gario@...
Hello Song!

I'm using sys_enter_execve/sys_exit_execve and sys_enter_execveat/sys_exit_execveat.

Bound loops seem really useful! This is going to solve many of the issues I had.

I don't have code I can show, but I'm using LLVM and Clang directly by generating IR. Data is acquired in a similar way to execsnoop (i.e. looping through argv[] looking for the null terminator).

The second example is causing me issues as I can only capture a low amount of parameters before I run out of instruction space. Bound loops will certainly help quite a lot in this scenario!

Thanks so much for your help!

Alessandro Gario

On Tue, 2019-08-06 at 11:17 -0700, Y Song wrote:
> On Tue, Aug 6, 2019 at 7:31 AM <alessandro.gario@...> wrote:
> > Hello Brenden!
> Which tracepoint do you have in mind for your particular use case?
Yonghong Song
On Tue, Aug 6, 2019 at 7:31 AM <alessandro.gario@...> wrote:

Which tracepoint do you have in mind for your particular use case?

The recent kernel (5.3) added bounded loop support up to 1M instructions. You can have a bounded loop like

    start = ...
    for (i = 0; i < 256 && start < end && start[i] == ' ')
        start++;

The verifier should be able to handle this properly. In the old kernel, you will have to manually unroll the loop and do the checking.

Not sure what is the issue here. Maybe you can describe your bpf program and tracepoint setup with more details, so we can understand better about the problem.
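As an added example (not code from the thread, and not a real BPF program), here is a plain C model of the bounded argv capture Yonghong describes: `read_user_str` stands in for `bpf_probe_read_user_str`, the three bounds are assumed values, and the `truncated` flag is one way to meet the "never lose event data silently" requirement from Alessandro's first mail. The loop in `skip_padding` has the explicit bound a 5.3+ verifier accepts; on older kernels that is the loop you would unroll.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ARGS    16   /* hard bound on argv entries walked (assumed) */
#define MAX_ARG_LEN 64   /* bytes kept per argument (assumed) */
#define MAX_PAD     256  /* bound on leading whitespace skipped (assumed) */

struct exec_event {
    unsigned int argc;                /* argv entries actually captured */
    unsigned int truncated;           /* 1 when argv had more than MAX_ARGS */
    char argv[MAX_ARGS][MAX_ARG_LEN]; /* NUL-terminated, padding stripped */
};

/* Stand-in for bpf_probe_read_user_str(): copy at most size-1 bytes and
 * always NUL-terminate. Returns the length including the NUL. */
static int read_user_str(char *dst, size_t size, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return (int)i + 1;
}

/* Skip leading spaces and tabs with an explicit iteration bound, so that a
 * padded "-c" string still fits the real command into MAX_ARG_LEN bytes.
 * On pre-5.3 kernels this loop must be manually unrolled with a small bound. */
static const char *skip_padding(const char *s)
{
    int i;
    for (i = 0; i < MAX_PAD && (s[i] == ' ' || s[i] == '\t'); i++)
        ;
    return s + i;
}

/* Walk argv until NULL or MAX_ARGS. Rather than silently dropping the tail,
 * the event records that it was truncated so the consumer can flag it. */
static void capture_execve(struct exec_event *ev, char *const argv[])
{
    unsigned int i;
    memset(ev, 0, sizeof(*ev));
    for (i = 0; i < MAX_ARGS && argv[i] != NULL; i++)
        read_user_str(ev->argv[i], MAX_ARG_LEN, skip_padding(argv[i]));
    ev->argc = i;
    ev->truncated = (i == MAX_ARGS && argv[i] != NULL);
}
```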
alessandro.gario@...
Hello Brenden!

I’m not sure if it counts as an agenda item, but I’m interested in recording process events using tracepoints, and I would like to know what the best practices are when attempting to do so. Due to project goals (endpoint monitoring) one of the requirements is to avoid losing any event data.

It is probably not a surprise given the limits imposed by the verifier, but I’m having trouble with variadic functions and long strings. The following are some events I would like to capture with reasonable success:

String padding, causing the string I need to be truncated:

    bash -c “<padding whitespace> /bin/rm -rf /home”

Argument padding, causing the BPF program to not reach the last elements:

    sudo bash --verbose --verbose .. --verbose -c ‘printf “SELINUX=disabled\nSELINUXTYPE=targeted\n” > /etc/selinux/config’

I thought about trying to (tail?) call additional BPF programs to work around the second issue, but I’m not sure how to proceed with the first one.

Thanks!

Alessandro Gario

On Mon, 2019-08-05 at 20:55 -0700, Brenden Blanco wrote:
> Hi All,
Brenden Blanco
Hi All,

We have the bi-weekly phone conference scheduled for two days from now; does anybody have a discussion topic to add to the agenda? As a reminder, we are planning to hold the meeting only if agenda items are proposed.

Cheers,
Brenden