This group is locked. No changes can be made to the group while it is locked.
Date 1 - 5 of 5
agenda: IO Visor TSC/Dev Meeting
Hi All,toggle quoted message Show quoted text
Since we haven't received any agenda suggestions for the meeting
today, please consider it canceled.
On Mon, Aug 5, 2019 at 8:55 PM Brenden Blanco <bblanco@...> wrote:
Hello Song!toggle quoted message Show quoted text
I'm using sys_enter_execve/sys_exit_execve and
Bound loops seem really useful! This is going to solve many of the
issues I had.
I don't have code I can show, but I'm using LLVM and Clang directly by
generating IR. Data is acquired in a similar way to execsnoop (i.e.
looping through argv looking for the null terminator).
The second example is causing me issues as I can only capture a low
amount of parameters before I run out of instruction space. Bound loops
will certainly help quite a lot in this scenario!
Thanks so much for your help!
On Tue, 2019-08-06 at 11:17 -0700, Y Song wrote:
On Tue, Aug 6, 2019 at 7:31 AM <alessandro.gario@...> wrote:Hello Brenden!Which tracepoint do you have in mind for your particular use case?
On Tue, Aug 6, 2019 at 7:31 AM <alessandro.gario@...> wrote:
Which tracepoint do you have in mind for your particular use case?
The recent kernel (5.3) added bounded loop support up to 1M
instructions. You can have a bounded loop like
start = ...
for (i = 0; i < 256 && start < end && start[i] == ' ')
The verifier should be able to handle this properly.
In the old kernel, you will have to manually unroll the loop
and do the checking.
Not sure what is the issue here.
Maybe you can describe your bpf program and tracepoint setup
with more details. So we can understand better about the problem.
Hello Brenden!toggle quoted message Show quoted text
I’m not sure if it counts as an agenda item, but I’m interested in
recording process events using tracepoints, and I would like to know
what are the best practices when attempting to do so.
Due to project goals (endpoint monitoring) one of the requirements is
to avoid losing any event data.
It is probably not a surprise given the limits imposed by the verifier,
but I’m having trouble with variadic functions and long strings.
The following are some events I would like to capture with reasonable
String padding, causing the string I need to be truncated:
bash -c “<padding whitespace> /bin/rm -rf /home”
Argument padding, causing the BPF program to not reach the last
sudo bash --verbose --verbose .. --verbose -c ‘printf
“SELINUX=disabled\nSELINUXTYPE=targeted\n” > /etc/selinux/config’
I thought about trying to (tail?) call additional BPF programs to work
around the second issue, but I’m not sure how to proceed with the first
On Mon, 2019-08-05 at 20:55 -0700, Brenden Blanco wrote:
We have the bi-weekly phone conference scheduled for two days from now, does
anybody have a discussion topic to add to the agenda? As a reminder, we are
planning to hold the meeting only if agenda items are proposed.
|1 - 5 of 5|