From 920785eccb02317c98b817f379753e450a33ee21 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Mon, 21 Aug 2023 11:31:38 +0200
Subject: [PATCH 1/5] new(driver): add 2 new scap stats
- n_drops_buffer_close_exit: CLOSE exit event drops.
- n_drops_buffer_proc_exit: SCHED_PROC_EXIT event drops.
Signed-off-by: Andrea Terzolo
---
 driver/API_VERSION | 2 +-
 driver/bpf/fillers.h | 11 +++++++++++
 driver/bpf/types.h | 2 ++
 driver/main.c | 17 +++++++++++++++--
 driver/modern_bpf/helpers/base/stats.h | 7 +++++++
 .../shared_definitions/struct_definitions.h | 2 ++
 driver/ppm_ringbuffer.h | 2 ++
 userspace/libpman/src/stats.c | 8 ++++++++
 userspace/libscap/engine/bpf/scap_bpf.c | 6 ++++++
 userspace/libscap/engine/bpf/scap_bpf_stats.h | 2 ++
 userspace/libscap/engine/kmod/scap_kmod.c | 6 ++++++
 userspace/libscap/engine/kmod/scap_kmod_stats.h | 2 ++
 userspace/libscap/examples/01-open/README.md | 2 ++
 userspace/libscap/scap.c | 2 ++
 userspace/libscap/scap.h | 4 +++-
 15 files changed, 71 insertions(+), 4 deletions(-)
diff --git a/driver/API_VERSION b/driver/API_VERSION
index 4d54daddb6..0062ac9718 100644
--- a/driver/API_VERSION
+++ b/driver/API_VERSION
@@ -1 +1 @@
-4.0.2
+5.0.0
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index d02cdbc8d1..d7b03a8060 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -190,6 +190,12 @@ FILLER_RAW(terminate_filler)
 ++state->n_drops_buffer_other_interest_enter;
 }
 break;
+ case PPME_PROCEXIT_E:
+ case PPME_PROCEXIT_1_E:
+ if (state->n_drops_buffer_proc_exit != ULLONG_MAX) {
+ ++state->n_drops_buffer_proc_exit;
+ }
+ break;
 // exit
 case PPME_SYSCALL_OPEN_X:
 case PPME_SYSCALL_CREAT_X:
@@ -274,6 +280,11 @@ FILLER_RAW(terminate_filler)
 ++state->n_drops_buffer_other_interest_exit;
 }
 break;
+ case PPME_SYSCALL_CLOSE_X:
+ if (state->n_drops_buffer_close_exit != ULLONG_MAX) {
+ ++state->n_drops_buffer_close_exit;
+ }
+ break;
 default:
 break;
 }
diff --git a/driver/bpf/types.h b/driver/bpf/types.h
index 73ff52cb06..b8ac747cc5 100644
--- a/driver/bpf/types.h
+++ b/driver/bpf/types.h
@@ -270,6 +270,8 @@ struct scap_bpf_per_cpu_state {
 unsigned long long n_drops_buffer_dir_file_exit;
 unsigned long long n_drops_buffer_other_interest_enter; /* Category of other system calls of interest, not all other system calls that did not match a category from above. */
 unsigned long long n_drops_buffer_other_interest_exit;
+ unsigned long long n_drops_buffer_close_exit;
+ unsigned long long n_drops_buffer_proc_exit;
 unsigned long long n_drops_scratch_map; /* Number of kernel side scratch map drops. */
 unsigned long long n_drops_pf; /* Number of kernel side page faults drops (invalid memory access). */
 unsigned long long n_drops_bug; /* Number of kernel side bug drops (invalid condition in the kernel instrumentation). */
diff --git a/driver/main.c b/driver/main.c
index c349ac0d86..12303ceeed 100644
--- a/driver/main.c
+++ b/driver/main.c
@@ -591,7 +591,7 @@ static int ppm_release(struct inode *inode, struct file *filp)
 goto cleanup_release;
 }
- vpr_info("closing ring %d, consumer:%p evt:%llu, dr_buf:%llu, dr_buf_clone_fork_e:%llu, dr_buf_clone_fork_x:%llu, dr_buf_execve_e:%llu, dr_buf_execve_x:%llu, dr_buf_connect_e:%llu, dr_buf_connect_x:%llu, dr_buf_open_e:%llu, dr_buf_open_x:%llu, dr_buf_dir_file_e:%llu, dr_buf_dir_file_x:%llu, dr_buf_other_e:%llu, dr_buf_other_x:%llu, dr_pf:%llu, pr:%llu, cs:%llu\n",
+ vpr_info("closing ring %d, consumer:%p evt:%llu, dr_buf:%llu, dr_buf_clone_fork_e:%llu, dr_buf_clone_fork_x:%llu, dr_buf_execve_e:%llu, dr_buf_execve_x:%llu, dr_buf_connect_e:%llu, dr_buf_connect_x:%llu, dr_buf_open_e:%llu, dr_buf_open_x:%llu, dr_buf_dir_file_e:%llu, dr_buf_dir_file_x:%llu, dr_buf_other_e:%llu, dr_buf_other_x:%llu, dr_buf_close_exit:%llu, dr_buf_proc_exit:%llu, dr_pf:%llu, pr:%llu, cs:%llu\n",
 ring_no,
 consumer_id,
 ring->info->n_evts,
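Review bot: The two new counters in `struct scap_bpf_per_cpu_state` are the only fields in this run without a trailing comment, while every neighbour states what it counts; the same applies to the copies added in driver/modern_bpf/shared_definitions/struct_definitions.h, driver/ppm_ringbuffer.h and userspace/libscap/scap.h. Suggested, in the file's existing style: `unsigned long long n_drops_buffer_close_exit; /* Drops of CLOSE exit events (full buffer). */` and `unsigned long long n_drops_buffer_proc_exit; /* Drops of SCHED_PROC_EXIT events (full buffer). */`. Because these structs are shared between the kernel-side probe and userspace, a one-line note that new counters must be added at the same position in every copy would also help the next person extending the list.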
@@ -608,6 +608,8 @@ static int ppm_release(struct inode *inode, struct file *filp)
 ring->info->n_drops_buffer_dir_file_exit,
 ring->info->n_drops_buffer_other_interest_enter,
 ring->info->n_drops_buffer_other_interest_exit,
+ ring->info->n_drops_buffer_close_exit,
+ ring->info->n_drops_buffer_proc_exit,
 ring->info->n_drops_pf,
 ring->info->n_preemptions,
 ring->info->n_context_switches);
@@ -1520,6 +1522,10 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SYSCALL_CAPSET_E:
 ring_info->n_drops_buffer_other_interest_enter++;
 break;
+ case PPME_PROCEXIT_E:
+ case PPME_PROCEXIT_1_E:
+ ring_info->n_drops_buffer_proc_exit++;
+ break;
 // exit
 case PPME_SYSCALL_OPEN_X:
 case PPME_SYSCALL_CREAT_X:
@@ -1592,6 +1598,9 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SYSCALL_CAPSET_X:
 ring_info->n_drops_buffer_other_interest_exit++;
 break;
+ case PPME_SYSCALL_CLOSE_X:
+ ring_info->n_drops_buffer_close_exit++;
+ break;
 default:
 break;
 }
@@ -2088,7 +2097,7 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 }
 if (MORE_THAN_ONE_SECOND_AHEAD(ns, ring->last_print_time + 1) && !(drop_flags & UF_ATOMIC)) {
- vpr_info("consumer:%p CPU:%d, use:%lu%%, ev:%llu, dr_buf:%llu, dr_buf_clone_fork_e:%llu, dr_buf_clone_fork_x:%llu, dr_buf_execve_e:%llu, dr_buf_execve_x:%llu, dr_buf_connect_e:%llu, dr_buf_connect_x:%llu, dr_buf_open_e:%llu, dr_buf_open_x:%llu, dr_buf_dir_file_e:%llu, dr_buf_dir_file_x:%llu, dr_buf_other_e:%llu, dr_buf_other_x:%llu, dr_pf:%llu, pr:%llu, cs:%llu\n",
+ vpr_info("consumer:%p CPU:%d, use:%lu%%, ev:%llu, dr_buf:%llu, dr_buf_clone_fork_e:%llu, dr_buf_clone_fork_x:%llu, dr_buf_execve_e:%llu, dr_buf_execve_x:%llu, dr_buf_connect_e:%llu, dr_buf_connect_x:%llu, dr_buf_open_e:%llu, dr_buf_open_x:%llu, dr_buf_dir_file_e:%llu, dr_buf_dir_file_x:%llu, dr_buf_other_e:%llu, dr_buf_other_x:%llu, dr_buf_close_exit:%llu, dr_buf_proc_exit:%llu, dr_pf:%llu, pr:%llu, cs:%llu\n",
 consumer->consumer_id,
 smp_processor_id(),
 (usedspace * 100) / consumer->buffer_bytes_dim,
@@ -2106,6 +2115,8 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
 ring_info->n_drops_buffer_dir_file_exit,
 ring_info->n_drops_buffer_other_interest_enter,
 ring_info->n_drops_buffer_other_interest_exit,
+ ring->info->n_drops_buffer_close_exit,
+ ring->info->n_drops_buffer_proc_exit,
 ring_info->n_drops_pf,
 ring_info->n_preemptions,
 ring->info->n_context_switches);
@@ -2620,6 +2631,8 @@ static void reset_ring_buffer(struct ppm_ring_buffer_context *ring)
 ring->info->n_drops_buffer_dir_file_exit = 0;
 ring->info->n_drops_buffer_other_interest_enter = 0;
 ring->info->n_drops_buffer_other_interest_exit = 0;
+ ring->info->n_drops_buffer_close_exit = 0;
+ ring->info->n_drops_buffer_proc_exit = 0;
 ring->info->n_drops_pf = 0;
 ring->info->n_preemptions = 0;
 ring->info->n_context_switches = 0;
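Review bot: The two argument lines added in the `@@ -2106,6 +2115,8 @@` hunk read the counters through `ring->info->` while the surrounding arguments of the same vpr_info() call use `ring_info->`; both presumably alias the same `struct ppm_ring_buffer_info`, but mixing them in one argument list forces the reader to confirm they are the same object. Suggest `ring_info->n_drops_buffer_close_exit,` and `ring_info->n_drops_buffer_proc_exit,` to match the lines around them (the `n_context_switches` argument has the same mix, but that is pre-existing). The body of record_event_consumer() starts and ends outside these hunks.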
diff --git a/driver/modern_bpf/helpers/base/stats.h b/driver/modern_bpf/helpers/base/stats.h
index 10271f8cbf..fd7b7cd989 100644
--- a/driver/modern_bpf/helpers/base/stats.h
+++ b/driver/modern_bpf/helpers/base/stats.h
@@ -95,6 +95,10 @@ static __always_inline void compute_event_types_stats(u16 event_type, struct cou
 case PPME_SYSCALL_CAPSET_E:
 counter->n_drops_buffer_other_interest_enter++;
 break;
+ case PPME_PROCEXIT_E:
+ case PPME_PROCEXIT_1_E:
+ counter->n_drops_buffer_proc_exit++;
+ break;
 // exit
 case PPME_SYSCALL_OPEN_X:
 case PPME_SYSCALL_CREAT_X:
@@ -167,6 +171,9 @@ static __always_inline void compute_event_types_stats(u16 event_type, struct cou
 case PPME_SYSCALL_CAPSET_X:
 counter->n_drops_buffer_other_interest_exit++;
 break;
+ case PPME_SYSCALL_CLOSE_X:
+ counter->n_drops_buffer_close_exit++;
+ break;
 default:
 break;
 }
diff --git a/driver/modern_bpf/shared_definitions/struct_definitions.h b/driver/modern_bpf/shared_definitions/struct_definitions.h
index 0ddf770770..e48c09bcde 100644
--- a/driver/modern_bpf/shared_definitions/struct_definitions.h
+++ b/driver/modern_bpf/shared_definitions/struct_definitions.h
@@ -74,5 +74,7 @@ struct counter_map
 uint64_t n_drops_buffer_dir_file_exit;
 uint64_t n_drops_buffer_other_interest_enter;
 uint64_t n_drops_buffer_other_interest_exit; /* Category of other system calls of interest, not all other system calls that did not match a category from above. */
+ uint64_t n_drops_buffer_close_exit;
+ uint64_t n_drops_buffer_proc_exit;
 uint64_t n_drops_max_event_size; /* Number of drops due to an excessive event size (>64KB). */
 };
diff --git a/driver/ppm_ringbuffer.h b/driver/ppm_ringbuffer.h
index 60625e8f9c..421ebf44ef 100644
--- a/driver/ppm_ringbuffer.h
+++ b/driver/ppm_ringbuffer.h
@@ -50,6 +50,8 @@ struct ppm_ring_buffer_info {
 volatile __u64 n_drops_buffer_dir_file_exit;
 volatile __u64 n_drops_buffer_other_interest_enter; /* Category of other system calls of interest, not all other system calls that did not match a category from above. */
 volatile __u64 n_drops_buffer_other_interest_exit;
+ volatile __u64 n_drops_buffer_close_exit;
+ volatile __u64 n_drops_buffer_proc_exit;
 volatile __u64 n_drops_pf; /* Number of dropped events (page faults). */
 volatile __u64 n_preemptions; /* Number of preemptions. */
 volatile __u64 n_context_switches; /* Number of received context switch events. */
diff --git a/userspace/libpman/src/stats.c b/userspace/libpman/src/stats.c
index a5fbf7295c..dc7c4bacf8 100644
--- a/userspace/libpman/src/stats.c
+++ b/userspace/libpman/src/stats.c
@@ -35,6 +35,8 @@ typedef enum modern_bpf_kernel_counters_stats
 MODERN_BPF_N_DROPS_BUFFER_DIR_FILE_EXIT,
 MODERN_BPF_N_DROPS_BUFFER_OTHER_INTEREST_ENTER,
 MODERN_BPF_N_DROPS_BUFFER_OTHER_INTEREST_EXIT,
+ MODERN_BPF_N_DROPS_BUFFER_CLOSE_EXIT,
+ MODERN_BPF_N_DROPS_BUFFER_PROC_EXIT,
 MODERN_BPF_N_DROPS_SCRATCH_MAP,
 MODERN_BPF_N_DROPS,
 MODERN_BPF_MAX_KERNEL_COUNTERS_STATS
@@ -63,6 +65,8 @@ const char *const modern_bpf_kernel_counters_stats_names[] = {
 [MODERN_BPF_N_DROPS_BUFFER_DIR_FILE_EXIT] = "n_drops_buffer_dir_file_exit",
 [MODERN_BPF_N_DROPS_BUFFER_OTHER_INTEREST_ENTER] = "n_drops_buffer_other_interest_enter",
 [MODERN_BPF_N_DROPS_BUFFER_OTHER_INTEREST_EXIT] = "n_drops_buffer_other_interest_exit",
+ [MODERN_BPF_N_DROPS_BUFFER_CLOSE_EXIT] = "n_drops_buffer_close_exit",
+ [MODERN_BPF_N_DROPS_BUFFER_PROC_EXIT] = "n_drops_buffer_proc_exit",
 [MODERN_BPF_N_DROPS_SCRATCH_MAP] = "n_drops_scratch_map",
 [MODERN_BPF_N_DROPS] = "n_drops",
 };
@@ -121,6 +125,8 @@ int pman_get_scap_stats(struct scap_stats *stats)
 stats->n_drops_buffer_dir_file_enter += cnt_map.n_drops_buffer_dir_file_enter;
 stats->n_drops_buffer_dir_file_exit += cnt_map.n_drops_buffer_dir_file_exit;
 stats->n_drops_buffer_other_interest_enter += cnt_map.n_drops_buffer_other_interest_enter;
+ stats->n_drops_buffer_close_exit += cnt_map.n_drops_buffer_close_exit;
+ stats->n_drops_buffer_proc_exit += cnt_map.n_drops_buffer_proc_exit;
 stats->n_drops_buffer_other_interest_exit += cnt_map.n_drops_buffer_other_interest_exit;
 stats->n_drops_scratch_map += cnt_map.n_drops_max_event_size;
 stats->n_drops += (cnt_map.n_drops_buffer + cnt_map.n_drops_max_event_size);
@@ -198,6 +204,8 @@ struct scap_stats_v2 *pman_get_scap_stats_v2(uint32_t flags, uint32_t *nstats, i
 g_state.stats[MODERN_BPF_N_DROPS_BUFFER_DIR_FILE_EXIT].value.u64 += cnt_map.n_drops_buffer_dir_file_exit;
 g_state.stats[MODERN_BPF_N_DROPS_BUFFER_OTHER_INTEREST_ENTER].value.u64 += cnt_map.n_drops_buffer_other_interest_enter;
 g_state.stats[MODERN_BPF_N_DROPS_BUFFER_OTHER_INTEREST_EXIT].value.u64 += cnt_map.n_drops_buffer_other_interest_exit;
+ g_state.stats[MODERN_BPF_N_DROPS_BUFFER_CLOSE_EXIT].value.u64 += cnt_map.n_drops_buffer_close_exit;
+ g_state.stats[MODERN_BPF_N_DROPS_BUFFER_PROC_EXIT].value.u64 += cnt_map.n_drops_buffer_proc_exit;
 g_state.stats[MODERN_BPF_N_DROPS_SCRATCH_MAP].value.u64 += cnt_map.n_drops_max_event_size;
 g_state.stats[MODERN_BPF_N_DROPS].value.u64 += (cnt_map.n_drops_buffer + cnt_map.n_drops_max_event_size);
 }
diff --git a/userspace/libscap/engine/bpf/scap_bpf.c b/userspace/libscap/engine/bpf/scap_bpf.c
index 71d1931dfa..f0396a9ad3 100644
--- a/userspace/libscap/engine/bpf/scap_bpf.c
+++ b/userspace/libscap/engine/bpf/scap_bpf.c
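Review bot: In `pman_get_scap_stats()` the two new accumulations are inserted between `n_drops_buffer_other_interest_enter` and `n_drops_buffer_other_interest_exit`, whereas `pman_get_scap_stats_v2()` in the next hunk, the enum in this file and the bpf and kmod engines all place them after `other_interest_exit`. The result is equivalent, but the differing order makes it harder to cross-check the several hand-maintained copies of this list; move the two lines below the `stats->n_drops_buffer_other_interest_exit += ...;` line so every copy follows the same field order. Both functions start and end outside their hunks.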
@@ -64,6 +64,8 @@ static const char * const bpf_kernel_counters_stats_names[] = {
 [BPF_N_DROPS_BUFFER_DIR_FILE_EXIT] = "n_drops_buffer_dir_file_exit",
 [BPF_N_DROPS_BUFFER_OTHER_INTEREST_ENTER] = "n_drops_buffer_other_interest_enter",
 [BPF_N_DROPS_BUFFER_OTHER_INTEREST_EXIT] = "n_drops_buffer_other_interest_exit",
+ [BPF_N_DROPS_BUFFER_CLOSE_EXIT] = "n_drops_buffer_close_exit",
+ [BPF_N_DROPS_BUFFER_PROC_EXIT] = "n_drops_buffer_proc_exit",
 [BPF_N_DROPS_SCRATCH_MAP] = "n_drops_scratch_map",
 [BPF_N_DROPS_PAGE_FAULTS] = "n_drops_page_faults",
 [BPF_N_DROPS_BUG] = "n_drops_bug",
@@ -1654,6 +1656,8 @@ int32_t scap_bpf_get_stats(struct scap_engine_handle engine, OUT scap_stats* sta
 stats->n_drops_buffer_dir_file_exit += v.n_drops_buffer_dir_file_exit;
 stats->n_drops_buffer_other_interest_enter += v.n_drops_buffer_other_interest_enter;
 stats->n_drops_buffer_other_interest_exit += v.n_drops_buffer_other_interest_exit;
+ stats->n_drops_buffer_close_exit += v.n_drops_buffer_close_exit;
+ stats->n_drops_buffer_proc_exit += v.n_drops_buffer_proc_exit;
 stats->n_drops_scratch_map += v.n_drops_scratch_map;
 stats->n_drops_pf += v.n_drops_pf;
 stats->n_drops_bug += v.n_drops_bug;
@@ -1714,6 +1718,8 @@ const struct scap_stats_v2* scap_bpf_get_stats_v2(struct scap_engine_handle engi
 stats[BPF_N_DROPS_BUFFER_DIR_FILE_EXIT].value.u64 += v.n_drops_buffer_dir_file_exit;
 stats[BPF_N_DROPS_BUFFER_OTHER_INTEREST_ENTER].value.u64 += v.n_drops_buffer_other_interest_enter;
 stats[BPF_N_DROPS_BUFFER_OTHER_INTEREST_EXIT].value.u64 += v.n_drops_buffer_other_interest_exit;
+ stats[BPF_N_DROPS_BUFFER_CLOSE_EXIT].value.u64 += v.n_drops_buffer_close_exit;
+ stats[BPF_N_DROPS_BUFFER_PROC_EXIT].value.u64 += v.n_drops_buffer_proc_exit;
 stats[BPF_N_DROPS_SCRATCH_MAP].value.u64 += v.n_drops_scratch_map;
 stats[BPF_N_DROPS_PAGE_FAULTS].value.u64 += v.n_drops_pf;
 stats[BPF_N_DROPS_BUG].value.u64 += v.n_drops_bug;
diff --git a/userspace/libscap/engine/bpf/scap_bpf_stats.h b/userspace/libscap/engine/bpf/scap_bpf_stats.h
index 6269b10847..d596540d82 100644
--- a/userspace/libscap/engine/bpf/scap_bpf_stats.h
+++ b/userspace/libscap/engine/bpf/scap_bpf_stats.h
@@ -32,6 +32,8 @@ typedef enum bpf_kernel_counters_stats {
 BPF_N_DROPS_BUFFER_DIR_FILE_EXIT,
 BPF_N_DROPS_BUFFER_OTHER_INTEREST_ENTER,
 BPF_N_DROPS_BUFFER_OTHER_INTEREST_EXIT,
+ BPF_N_DROPS_BUFFER_CLOSE_EXIT,
+ BPF_N_DROPS_BUFFER_PROC_EXIT,
 BPF_N_DROPS_SCRATCH_MAP,
 BPF_N_DROPS_PAGE_FAULTS,
 BPF_N_DROPS_BUG,
diff --git a/userspace/libscap/engine/kmod/scap_kmod.c b/userspace/libscap/engine/kmod/scap_kmod.c
index 0f91fc959e..47fc113280 100644
--- a/userspace/libscap/engine/kmod/scap_kmod.c
+++ b/userspace/libscap/engine/kmod/scap_kmod.c
@@ -52,6 +52,8 @@ static const char * const kmod_kernel_counters_stats_names[] = {
 [KMOD_N_DROPS_BUFFER_DIR_FILE_EXIT] = "n_drops_buffer_dir_file_exit",
 [KMOD_N_DROPS_BUFFER_OTHER_INTEREST_ENTER] = "n_drops_buffer_other_interest_enter",
 [KMOD_N_DROPS_BUFFER_OTHER_INTEREST_EXIT] = "n_drops_buffer_other_interest_exit",
+ [KMOD_N_DROPS_BUFFER_CLOSE_EXIT] = "n_drops_buffer_close_exit",
+ [KMOD_N_DROPS_BUFFER_PROC_EXIT] = "n_drops_buffer_proc_exit",
 [KMOD_N_DROPS_PAGE_FAULTS] = "n_drops_page_faults",
 [KMOD_N_DROPS_BUG] = "n_drops_bug",
 [KMOD_N_DROPS] = "n_drops",
@@ -558,6 +560,8 @@ int32_t scap_kmod_get_stats(struct scap_engine_handle engine, scap_stats* stats)
 stats->n_drops_buffer_dir_file_exit += dev->m_bufinfo->n_drops_buffer_dir_file_exit;
 stats->n_drops_buffer_other_interest_enter += dev->m_bufinfo->n_drops_buffer_other_interest_enter;
 stats->n_drops_buffer_other_interest_exit += dev->m_bufinfo->n_drops_buffer_other_interest_exit;
+ stats->n_drops_buffer_close_exit += dev->m_bufinfo->n_drops_buffer_close_exit;
+ stats->n_drops_buffer_proc_exit += dev->m_bufinfo->n_drops_buffer_proc_exit;
 stats->n_drops_pf += dev->m_bufinfo->n_drops_pf;
 stats->n_drops += dev->m_bufinfo->n_drops_buffer + dev->m_bufinfo->n_drops_pf;
@@ -609,6 +613,8 @@ const struct scap_stats_v2* scap_kmod_get_stats_v2(struct scap_engine_handle eng
 stats[KMOD_N_DROPS_BUFFER_DIR_FILE_EXIT].value.u64 += dev->m_bufinfo->n_drops_buffer_dir_file_exit;
 stats[KMOD_N_DROPS_BUFFER_OTHER_INTEREST_ENTER].value.u64 += dev->m_bufinfo->n_drops_buffer_other_interest_enter;
 stats[KMOD_N_DROPS_BUFFER_OTHER_INTEREST_EXIT].value.u64 += dev->m_bufinfo->n_drops_buffer_other_interest_exit;
+ stats[KMOD_N_DROPS_BUFFER_CLOSE_EXIT].value.u64 += dev->m_bufinfo->n_drops_buffer_close_exit;
+ stats[KMOD_N_DROPS_BUFFER_PROC_EXIT].value.u64 += dev->m_bufinfo->n_drops_buffer_proc_exit;
 stats[KMOD_N_DROPS_PAGE_FAULTS].value.u64 += dev->m_bufinfo->n_drops_pf;
 stats[KMOD_N_DROPS].value.u64 += dev->m_bufinfo->n_drops_buffer + dev->m_bufinfo->n_drops_pf;
diff --git a/userspace/libscap/engine/kmod/scap_kmod_stats.h b/userspace/libscap/engine/kmod/scap_kmod_stats.h
index dc7c504198..1beb0a87dd 100644
--- a/userspace/libscap/engine/kmod/scap_kmod_stats.h
+++ b/userspace/libscap/engine/kmod/scap_kmod_stats.h
@@ -32,6 +32,8 @@ typedef enum kmod_kernel_counters_stats {
 KMOD_N_DROPS_BUFFER_DIR_FILE_EXIT,
 KMOD_N_DROPS_BUFFER_OTHER_INTEREST_ENTER,
 KMOD_N_DROPS_BUFFER_OTHER_INTEREST_EXIT,
+ KMOD_N_DROPS_BUFFER_CLOSE_EXIT,
+ KMOD_N_DROPS_BUFFER_PROC_EXIT,
 KMOD_N_DROPS_PAGE_FAULTS,
 KMOD_N_DROPS_BUG,
 KMOD_N_DROPS,
diff --git a/userspace/libscap/examples/01-open/README.md b/userspace/libscap/examples/01-open/README.md
index 8c7fd7d069..432c4682e5 100644
--- a/userspace/libscap/examples/01-open/README.md
+++ b/userspace/libscap/examples/01-open/README.md
@@ -111,6 +111,8 @@ Number of dropped events caused by full buffer (n_drops_buffer_dir_file_enter sy
 Number of dropped events caused by full buffer (n_drops_buffer_dir_file_exit syscall category): 0
 Number of dropped events caused by full buffer (n_drops_buffer_other_interest_enter syscall category): 0
 Number of dropped events caused by full buffer (n_drops_buffer_other_interest_exit syscall category): 0
+Number of dropped events caused by full buffer (n_drops_buffer_close_exit syscall category): 0
+Number of dropped events caused by full buffer (n_drops_buffer_proc_exit syscall category): 0
 Number of dropped events caused by full scratch map: 0
 Number of dropped events caused by invalid memory access (page faults): 0
 Number of dropped events caused by an invalid condition in the kernel instrumentation (bug): 0
diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
index f5c9b42f52..6864cb3f06 100644
--- a/userspace/libscap/scap.c
+++ b/userspace/libscap/scap.c
@@ -371,6 +371,8 @@ int32_t scap_get_stats(scap_t* handle, OUT scap_stats* stats)
 stats->n_drops_buffer_dir_file_exit = 0;
 stats->n_drops_buffer_other_interest_enter = 0;
 stats->n_drops_buffer_other_interest_exit = 0;
+ stats->n_drops_buffer_close_exit = 0;
+ stats->n_drops_buffer_proc_exit = 0;
 stats->n_drops_scratch_map = 0;
 stats->n_drops_pf = 0;
 stats->n_drops_bug = 0;
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
index b86c38b288..4ae1eb7d7d 100644
--- a/userspace/libscap/scap.h
+++ b/userspace/libscap/scap.h
@@ -100,7 +100,7 @@ typedef struct ppm_evt_hdr scap_evt;
 // call `scap_get_driver_api_version()` and/or `scap_get_driver_schema_version()`
 // and handle the result
 //
-#define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION(4, 0, 0)
+#define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION(5, 0, 0)
 #define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION(2, 0, 0)
 //
@@ -140,6 +140,8 @@ typedef struct scap_stats
 uint64_t n_drops_buffer_dir_file_exit;
 uint64_t n_drops_buffer_other_interest_enter;
 uint64_t n_drops_buffer_other_interest_exit;
+ uint64_t n_drops_buffer_close_exit;
+ uint64_t n_drops_buffer_proc_exit;
 uint64_t n_drops_scratch_map; ///< Number of dropped events caused by full frame scratch map.
 uint64_t n_drops_pf; ///< Number of dropped events caused by invalid memory access.
 uint64_t n_drops_bug; ///< Number of dropped events caused by an invalid condition in the kernel instrumentation.
From fb43003fc89a9c1110584a0a58362dfdf906d772 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Mon, 21 Aug 2023 11:33:01 +0200
Subject: [PATCH 2/5] new(sinsp): introduce a common print stats function
Signed-off-by: Andrea Terzolo
---
 userspace/libsinsp/capture_stats_source.h | 11 +++
 userspace/libsinsp/sinsp.cpp | 90 +++++++++++++----------
 userspace/libsinsp/sinsp.h | 6 ++
 3 files changed, 67 insertions(+), 40 deletions(-)
diff --git a/userspace/libsinsp/capture_stats_source.h b/userspace/libsinsp/capture_stats_source.h
index 4d27f04c28..24cc894306 100644
--- a/userspace/libsinsp/capture_stats_source.h
+++ b/userspace/libsinsp/capture_stats_source.h
@@ -18,6 +18,7 @@ limitations under the License.
 #include "sinsp_public.h"
 #include
+#include "logger.h"
 struct scap_stats;
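Review bot: Inserting `n_drops_buffer_close_exit` and `n_drops_buffer_proc_exit` in the middle of the public `scap_stats` struct shifts the offsets of `n_drops_scratch_map`, `n_drops_pf` and `n_drops_bug` for any consumer compiled against the previous header; the bump of SCAP_MINIMUM_DRIVER_API_VERSION to 5.0.0 in the first hunk covers the driver/userspace contract, not libscap's own C ABI. If out-of-tree consumers link libscap as a shared library this deserves a line in the commit message or release notes, or the two fields could be appended after `n_drops_bug` instead. The struct definition starts and ends outside the hunk.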
@@ -45,6 +46,16 @@ class SINSP_PUBLIC capture_stats_source
 */
 virtual void get_capture_stats(scap_stats* stats) const = 0;
+ /**
+ * Print a log with statistics about the currently
+ * open capture.
+ *
+ * @note This may not work for a file-based capture source.
+ *
+ * @param[in] sev severity used to log
+ */
+ virtual void print_capture_stats(sinsp_logger::severity sev) const = 0;
+
 /**
 * Get engine statistics (including counters and `bpftool prog show` like stats).
 *
diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
index bc5d3e0996..5d02ecfd41 100644
--- a/userspace/libsinsp/sinsp.cpp
+++ b/userspace/libsinsp/sinsp.cpp
@@ -1378,46 +1378,7 @@ int32_t sinsp::next(OUT sinsp_evt **puevt)
 {
 if(m_next_stats_print_time_ns)
 {
- scap_stats stats;
- get_capture_stats(&stats);
-
- g_logger.format(sinsp_logger::SEV_DEBUG,
- "n_evts:%" PRIu64
- " n_drops:%" PRIu64
- " n_drops_buffer:%" PRIu64
- " n_drops_buffer_clone_fork_enter:%" PRIu64
- " n_drops_buffer_clone_fork_exit:%" PRIu64
- " n_drops_buffer_execve_enter:%" PRIu64
- " n_drops_buffer_execve_exit:%" PRIu64
- " n_drops_buffer_connect_enter:%" PRIu64
- " n_drops_buffer_connect_exit:%" PRIu64
- " n_drops_buffer_open_enter:%" PRIu64
- " n_drops_buffer_open_exit:%" PRIu64
- " n_drops_buffer_dir_file_enter:%" PRIu64
- " n_drops_buffer_dir_file_exit:%" PRIu64
- " n_drops_buffer_other_interest_enter:%" PRIu64
- " n_drops_buffer_other_interest_exit:%" PRIu64
- " n_drops_scratch_map:%" PRIu64
- " n_drops_pf:%" PRIu64
- " n_drops_bug:%" PRIu64,
- stats.n_evts,
- stats.n_drops,
- stats.n_drops_buffer,
- stats.n_drops_buffer_clone_fork_enter,
- stats.n_drops_buffer_clone_fork_exit,
- stats.n_drops_buffer_execve_enter,
- stats.n_drops_buffer_execve_exit,
- stats.n_drops_buffer_connect_enter,
- stats.n_drops_buffer_connect_exit,
- stats.n_drops_buffer_open_enter,
- stats.n_drops_buffer_open_exit,
- stats.n_drops_buffer_dir_file_enter,
- stats.n_drops_buffer_dir_file_exit,
- stats.n_drops_buffer_other_interest_enter,
- stats.n_drops_buffer_other_interest_exit,
- stats.n_drops_scratch_map,
- stats.n_drops_pf,
- stats.n_drops_bug);
+ print_capture_stats(sinsp_logger::SEV_DEBUG);
 }
 m_next_stats_print_time_ns = ts - (ts % ONE_SECOND_IN_NS) + ONE_SECOND_IN_NS;
@@ -1967,6 +1928,55 @@ void sinsp::get_capture_stats(scap_stats* stats) const
 scap_get_stats(m_h, stats);
 }
+void sinsp::print_capture_stats(sinsp_logger::severity sev) const
+{
+ scap_stats stats;
+ get_capture_stats(&stats);
+
+ g_logger.format(sev,
+ "\nn_evts:%" PRIu64
+ "\nn_drops:%" PRIu64
+ "\nn_drops_buffer:%" PRIu64
+ "\nn_drops_buffer_clone_fork_enter:%" PRIu64
+ "\nn_drops_buffer_clone_fork_exit:%" PRIu64
+ "\nn_drops_buffer_execve_enter:%" PRIu64
+ "\nn_drops_buffer_execve_exit:%" PRIu64
+ "\nn_drops_buffer_connect_enter:%" PRIu64
+ "\nn_drops_buffer_connect_exit:%" PRIu64
+ "\nn_drops_buffer_open_enter:%" PRIu64
+ "\nn_drops_buffer_open_exit:%" PRIu64
+ "\nn_drops_buffer_dir_file_enter:%" PRIu64
+ "\nn_drops_buffer_dir_file_exit:%" PRIu64
+ "\nn_drops_buffer_other_interest_enter:%" PRIu64
+ "\nn_drops_buffer_other_interest_exit:%" PRIu64
+ "\nn_drops_buffer_close_exit:%" PRIu64
+ "\nn_drops_buffer_proc_exit:%" PRIu64
+ "\nn_drops_scratch_map:%" PRIu64
+ "\nn_drops_pf:%" PRIu64
+ "\nn_drops_bug:%" PRIu64
+ "\n",
+ stats.n_evts,
+ stats.n_drops,
+ stats.n_drops_buffer,
+ stats.n_drops_buffer_clone_fork_enter,
+ stats.n_drops_buffer_clone_fork_exit,
+ stats.n_drops_buffer_execve_enter,
+ stats.n_drops_buffer_execve_exit,
+ stats.n_drops_buffer_connect_enter,
+ stats.n_drops_buffer_connect_exit,
+ stats.n_drops_buffer_open_enter,
+ stats.n_drops_buffer_open_exit,
+ stats.n_drops_buffer_dir_file_enter,
+ stats.n_drops_buffer_dir_file_exit,
+ stats.n_drops_buffer_other_interest_enter,
+ stats.n_drops_buffer_other_interest_exit,
+ stats.n_drops_buffer_close_exit,
+ stats.n_drops_buffer_proc_exit,
+ stats.n_drops_scratch_map,
+ stats.n_drops_pf,
+ stats.n_drops_bug);
+}
+
 const struct scap_stats_v2* sinsp::get_capture_stats_v2(uint32_t flags, uint32_t* nstats, int32_t* rc) const
 {
 /* On purpose ignoring failures to not interrupt in case of stats retrieval failure. */
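Review bot: `scap_stats stats;` in the new `sinsp::print_capture_stats()` is left uninitialised before `get_capture_stats(&stats)`, and the interface comment added in this series warns the call may not work for a file-based capture source; `scap_get_stats()` zeroes the fields once it is reached (scap.c hunk in the first patch), but if it bails out earlier, or `get_capture_stats()` returns without calling it, the twenty `%" PRIu64` conversions print indeterminate values. `scap_stats stats{};` costs nothing and turns that failure mode into a row of zeros. Separately, routing the once-per-second SEV_DEBUG output of `sinsp::next()` through this function changes it from one space-separated line to a block with a leading `\n` and one counter per line, so anything that greps or parses the old single-line format will stop matching; worth stating in the commit message, or make the separator a parameter so the periodic path can keep the compact form.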
diff --git a/userspace/libsinsp/sinsp.h b/userspace/libsinsp/sinsp.h
index 81a1c53fb3..bbd330e85a 100644
--- a/userspace/libsinsp/sinsp.h
+++ b/userspace/libsinsp/sinsp.h
@@ -528,6 +528,12 @@ class SINSP_PUBLIC sinsp : public capture_stats_source
 */
 void get_capture_stats(scap_stats* stats) const override;
+ /*!
+ \brief Print a log with statistics about the currently
+ open capture. Use the severity specified as the first parameter.
+ */
+ void print_capture_stats(sinsp_logger::severity sev) const override;
+
 /*!
 \brief Get engine statistics (including counters and `bpftool prog show` like stats).
From ed8276a6a6e2d04e37d7504acb0e2e53e38f6b58 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Mon, 21 Aug 2023 11:58:52 +0200
Subject: [PATCH 3/5] new(sinsp): add some debug logs when the capture is closed
Signed-off-by: Andrea Terzolo
---
 userspace/libsinsp/sinsp.cpp | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
index 5d02ecfd41..a5edab982c 100644
--- a/userspace/libsinsp/sinsp.cpp
+++ b/userspace/libsinsp/sinsp.cpp
@@ -1811,6 +1811,33 @@ void sinsp::stop_capture()
 {
 throw sinsp_exception(scap_getlasterr(m_h));
 }
+
+ /* Print scap stats */
+ print_capture_stats(sinsp_logger::SEV_DEBUG);
+
+ /* Print the number of threads and fds in our tables */
+ uint64_t thread_cnt = 0;
+ uint64_t fd_cnt = 0;
+ m_thread_manager->m_threadtable.loop([&thread_cnt, &fd_cnt] (sinsp_threadinfo& tinfo) {
+ thread_cnt++;
+
+ /* Only main threads have an associated fdtable */
+ if(tinfo.is_main_thread())
+ {
+ auto fdtable_ptr = tinfo.get_fd_table();
+ if(fdtable_ptr != nullptr)
+ {
+ fd_cnt += fdtable_ptr->size();
+ }
+ }
+ return true;
+ });
+ g_logger.format(sinsp_logger::SEV_DEBUG,
+ "total threads in the table:%" PRIu64
+ ", total fds in all threads:%" PRIu64
+ "\n",
+ thread_cnt,
+ fd_cnt);
 }
 void sinsp::start_capture()
From 11c0b2c1157ff137c7843e28790f3661775d49ff Mon Sep 17 00:00:00 2001
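Review bot: The thread-table walk added to `sinsp::stop_capture()` runs unconditionally, even when the logger is configured to discard SEV_DEBUG, so every stop pays a full pass over `m_threadtable` with a callback per thread to build a message that may never be written. Wrap the counting and the `g_logger.format(...)` call in a severity check (libsinsp's logger exposes an `is_enabled(severity)` predicate; if the name differs in this tree, use its equivalent) so the work is only done when the line will actually be emitted. The `print_capture_stats(sinsp_logger::SEV_DEBUG)` call above it is cheap by comparison and can stay as is. stop_capture()'s body starts outside the hunk.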
From: Andrea Terzolo
Date: Wed, 23 Aug 2023 16:10:50 +0200
Subject: [PATCH 4/5] cleanup(driver): remove old event versions
Signed-off-by: Andrea Terzolo
Co-authored-by: Melissa Kilby
---
 driver/bpf/fillers.h | 29 --------------------------
 driver/main.c | 29 --------------------------
 driver/modern_bpf/helpers/base/stats.h | 29 --------------------------
 3 files changed, 87 deletions(-)
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index d7b03a8060..f25b6ec138 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -109,7 +109,6 @@ FILLER_RAW(terminate_filler)
 // enter
 case PPME_SYSCALL_OPEN_E:
 case PPME_SYSCALL_CREAT_E:
- case PPME_SYSCALL_OPENAT_E:
 case PPME_SYSCALL_OPENAT_2_E:
 case PPME_SYSCALL_OPENAT2_E:
 case PPME_SYSCALL_OPEN_BY_HANDLE_AT_E:
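Review bot: Dropping `PPME_SYSCALL_OPENAT_E` here (and the other pre-`_2`/`_20`/`_1` event codes in the following fillers.h hunks) from the categorised switch means that if any of those codes can still reach terminate_filler, the drop now lands in `default: break;` and is counted in `n_drops_buffer` but in no per-category counter, silently skewing the category breakdown; if the drivers no longer emit them this is fine, and a short comment above the switch such as `/* Only event versions the driver still emits are categorised here. */` would record the decision. The same case lists are maintained by hand three times — here, in driver/main.c and in driver/modern_bpf/helpers/base/stats.h — and this commit edits all three in lockstep, which is exactly the drift to expect the next time one of them changes; a single shared table (an X-macro list or a header holding the case lists) would keep the three categorisations identical by construction. terminate_filler's body starts and ends outside the hunk.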
@@ -125,40 +124,28 @@ FILLER_RAW(terminate_filler)
 case PPME_SYSCALL_LCHOWN_E:
 case PPME_SYSCALL_FCHOWN_E:
 case PPME_SYSCALL_FCHOWNAT_E:
- case PPME_SYSCALL_LINK_E:
 case PPME_SYSCALL_LINK_2_E:
- case PPME_SYSCALL_LINKAT_E:
 case PPME_SYSCALL_LINKAT_2_E:
- case PPME_SYSCALL_MKDIR_E:
 case PPME_SYSCALL_MKDIR_2_E:
 case PPME_SYSCALL_MKDIRAT_E:
 case PPME_SYSCALL_MOUNT_E:
- case PPME_SYSCALL_UMOUNT_E:
 case PPME_SYSCALL_UMOUNT_1_E:
 case PPME_SYSCALL_UMOUNT2_E:
 case PPME_SYSCALL_RENAME_E:
 case PPME_SYSCALL_RENAMEAT_E:
 case PPME_SYSCALL_RENAMEAT2_E:
- case PPME_SYSCALL_RMDIR_E:
 case PPME_SYSCALL_RMDIR_2_E:
 case PPME_SYSCALL_SYMLINK_E:
 case PPME_SYSCALL_SYMLINKAT_E:
- case PPME_SYSCALL_UNLINK_E:
 case PPME_SYSCALL_UNLINK_2_E:
- case PPME_SYSCALL_UNLINKAT_E:
 case PPME_SYSCALL_UNLINKAT_2_E:
 if (state->n_drops_buffer_dir_file_enter != ULLONG_MAX) {
 ++state->n_drops_buffer_dir_file_enter;
 }
 break;
- case PPME_SYSCALL_CLONE_11_E:
- case PPME_SYSCALL_CLONE_16_E:
- case PPME_SYSCALL_CLONE_17_E:
 case PPME_SYSCALL_CLONE_20_E:
 case PPME_SYSCALL_CLONE3_E:
- case PPME_SYSCALL_FORK_E:
 case PPME_SYSCALL_FORK_20_E:
- case PPME_SYSCALL_VFORK_E:
 case PPME_SYSCALL_VFORK_20_E:
 if (state->n_drops_buffer_clone_fork_enter != ULLONG_MAX) {
 ++state->n_drops_buffer_clone_fork_enter;
@@ -175,7 +162,6 @@ FILLER_RAW(terminate_filler)
 ++state->n_drops_buffer_connect_enter;
 }
 break;
- case PPME_SYSCALL_BPF_E:
 case PPME_SYSCALL_BPF_2_E:
 case PPME_SYSCALL_SETPGID_E:
 case PPME_SYSCALL_PTRACE_E:
@@ -190,7 +176,6 @@ FILLER_RAW(terminate_filler)
 ++state->n_drops_buffer_other_interest_enter;
 }
 break;
- case PPME_PROCEXIT_E:
 case PPME_PROCEXIT_1_E:
 if (state->n_drops_buffer_proc_exit != ULLONG_MAX) {
 ++state->n_drops_buffer_proc_exit;
@@ -199,7 +184,6 @@ FILLER_RAW(terminate_filler)
 // exit
 case PPME_SYSCALL_OPEN_X:
 case PPME_SYSCALL_CREAT_X:
- case PPME_SYSCALL_OPENAT_X:
 case PPME_SYSCALL_OPENAT_2_X:
 case PPME_SYSCALL_OPENAT2_X:
 case PPME_SYSCALL_OPEN_BY_HANDLE_AT_X:
@@ -215,40 +199,28 @@ FILLER_RAW(terminate_filler)
 case PPME_SYSCALL_LCHOWN_X:
 case PPME_SYSCALL_FCHOWN_X:
 case PPME_SYSCALL_FCHOWNAT_X:
- case PPME_SYSCALL_LINK_X:
 case PPME_SYSCALL_LINK_2_X:
- case PPME_SYSCALL_LINKAT_X:
 case PPME_SYSCALL_LINKAT_2_X:
- case PPME_SYSCALL_MKDIR_X:
 case PPME_SYSCALL_MKDIR_2_X:
 case PPME_SYSCALL_MKDIRAT_X:
 case PPME_SYSCALL_MOUNT_X:
- case PPME_SYSCALL_UMOUNT_X:
 case PPME_SYSCALL_UMOUNT_1_X:
 case PPME_SYSCALL_UMOUNT2_X:
 case PPME_SYSCALL_RENAME_X:
 case PPME_SYSCALL_RENAMEAT_X:
 case PPME_SYSCALL_RENAMEAT2_X:
- case PPME_SYSCALL_RMDIR_X:
 case PPME_SYSCALL_RMDIR_2_X:
 case PPME_SYSCALL_SYMLINK_X:
 case PPME_SYSCALL_SYMLINKAT_X:
- case PPME_SYSCALL_UNLINK_X:
 case PPME_SYSCALL_UNLINK_2_X:
- case PPME_SYSCALL_UNLINKAT_X:
 case PPME_SYSCALL_UNLINKAT_2_X:
 if (state->n_drops_buffer_dir_file_exit != ULLONG_MAX) {
 ++state->n_drops_buffer_dir_file_exit;
 }
 break;
- case PPME_SYSCALL_CLONE_11_X:
- case PPME_SYSCALL_CLONE_16_X:
- case PPME_SYSCALL_CLONE_17_X:
 case PPME_SYSCALL_CLONE_20_X:
 case PPME_SYSCALL_CLONE3_X:
- case PPME_SYSCALL_FORK_X:
 case PPME_SYSCALL_FORK_20_X:
- case PPME_SYSCALL_VFORK_X:
 case PPME_SYSCALL_VFORK_20_X:
 if (state->n_drops_buffer_clone_fork_exit != ULLONG_MAX) {
 ++state->n_drops_buffer_clone_fork_exit;
@@ -265,7 +237,6 @@ FILLER_RAW(terminate_filler)
 ++state->n_drops_buffer_connect_exit;
 }
 break;
- case PPME_SYSCALL_BPF_X:
 case PPME_SYSCALL_BPF_2_X:
 case PPME_SYSCALL_SETPGID_X:
 case PPME_SYSCALL_PTRACE_X:
diff --git a/driver/main.c b/driver/main.c
index 12303ceeed..4cea5b04a4 100644
--- a/driver/main.c
+++ b/driver/main.c
@@ -1453,7 +1453,6 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 // enter
 case PPME_SYSCALL_OPEN_E:
 case PPME_SYSCALL_CREAT_E:
- case PPME_SYSCALL_OPENAT_E:
 case PPME_SYSCALL_OPENAT_2_E:
 case PPME_SYSCALL_OPENAT2_E:
 case PPME_SYSCALL_OPEN_BY_HANDLE_AT_E:
@@ -1467,38 +1466,26 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SYSCALL_LCHOWN_E:
 case PPME_SYSCALL_FCHOWN_E:
 case PPME_SYSCALL_FCHOWNAT_E:
- case PPME_SYSCALL_LINK_E:
 case PPME_SYSCALL_LINK_2_E:
- case PPME_SYSCALL_LINKAT_E:
 case PPME_SYSCALL_LINKAT_2_E:
- case PPME_SYSCALL_MKDIR_E:
 case PPME_SYSCALL_MKDIR_2_E:
 case PPME_SYSCALL_MKDIRAT_E:
 case PPME_SYSCALL_MOUNT_E:
- case PPME_SYSCALL_UMOUNT_E:
 case PPME_SYSCALL_UMOUNT_1_E:
 case PPME_SYSCALL_UMOUNT2_E:
 case PPME_SYSCALL_RENAME_E:
 case PPME_SYSCALL_RENAMEAT_E:
 case PPME_SYSCALL_RENAMEAT2_E:
- case PPME_SYSCALL_RMDIR_E:
 case PPME_SYSCALL_RMDIR_2_E:
 case PPME_SYSCALL_SYMLINK_E:
 case PPME_SYSCALL_SYMLINKAT_E:
- case PPME_SYSCALL_UNLINK_E:
 case PPME_SYSCALL_UNLINK_2_E:
- case PPME_SYSCALL_UNLINKAT_E:
 case PPME_SYSCALL_UNLINKAT_2_E:
 ring_info->n_drops_buffer_dir_file_enter++;
 break;
- case PPME_SYSCALL_CLONE_11_E:
- case PPME_SYSCALL_CLONE_16_E:
- case PPME_SYSCALL_CLONE_17_E:
 case PPME_SYSCALL_CLONE_20_E:
 case PPME_SYSCALL_CLONE3_E:
- case PPME_SYSCALL_FORK_E:
 case PPME_SYSCALL_FORK_20_E:
- case PPME_SYSCALL_VFORK_E:
 case PPME_SYSCALL_VFORK_20_E:
 ring_info->n_drops_buffer_clone_fork_enter++;
 break;
@@ -1509,7 +1496,6 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SOCKET_CONNECT_E:
 ring_info->n_drops_buffer_connect_enter++;
 break;
- case PPME_SYSCALL_BPF_E:
 case PPME_SYSCALL_BPF_2_E:
 case PPME_SYSCALL_SETPGID_E:
 case PPME_SYSCALL_PTRACE_E:
@@ -1522,14 +1508,12 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SYSCALL_CAPSET_E:
 ring_info->n_drops_buffer_other_interest_enter++;
 break;
- case PPME_PROCEXIT_E:
 case PPME_PROCEXIT_1_E:
 ring_info->n_drops_buffer_proc_exit++;
 break;
 // exit
 case PPME_SYSCALL_OPEN_X:
 case PPME_SYSCALL_CREAT_X:
- case PPME_SYSCALL_OPENAT_X:
 case PPME_SYSCALL_OPENAT_2_X:
 case PPME_SYSCALL_OPENAT2_X:
 case PPME_SYSCALL_OPEN_BY_HANDLE_AT_X:
@@ -1543,38 +1527,26 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SYSCALL_LCHOWN_X:
 case PPME_SYSCALL_FCHOWN_X:
 case PPME_SYSCALL_FCHOWNAT_X:
- case PPME_SYSCALL_LINK_X:
 case PPME_SYSCALL_LINK_2_X:
- case PPME_SYSCALL_LINKAT_X:
 case PPME_SYSCALL_LINKAT_2_X:
- case PPME_SYSCALL_MKDIR_X:
 case PPME_SYSCALL_MKDIR_2_X:
 case PPME_SYSCALL_MKDIRAT_X:
 case PPME_SYSCALL_MOUNT_X:
- case PPME_SYSCALL_UMOUNT_X:
 case PPME_SYSCALL_UMOUNT_1_X:
 case PPME_SYSCALL_UMOUNT2_X:
 case PPME_SYSCALL_RENAME_X:
 case PPME_SYSCALL_RENAMEAT_X:
 case PPME_SYSCALL_RENAMEAT2_X:
- case PPME_SYSCALL_RMDIR_X:
 case PPME_SYSCALL_RMDIR_2_X:
 case PPME_SYSCALL_SYMLINK_X:
 case PPME_SYSCALL_SYMLINKAT_X:
- case PPME_SYSCALL_UNLINK_X:
 case PPME_SYSCALL_UNLINK_2_X:
- case PPME_SYSCALL_UNLINKAT_X:
 case PPME_SYSCALL_UNLINKAT_2_X:
 ring_info->n_drops_buffer_dir_file_exit++;
 break;
- case PPME_SYSCALL_CLONE_11_X:
- case PPME_SYSCALL_CLONE_16_X:
- case PPME_SYSCALL_CLONE_17_X:
 case PPME_SYSCALL_CLONE_20_X:
 case PPME_SYSCALL_CLONE3_X:
- case PPME_SYSCALL_FORK_X:
 case PPME_SYSCALL_FORK_20_X:
- case PPME_SYSCALL_VFORK_X:
 case PPME_SYSCALL_VFORK_20_X:
 ring_info->n_drops_buffer_clone_fork_exit++;
 break;
@@ -1585,7 +1557,6 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
 case PPME_SOCKET_CONNECT_X:
 ring_info->n_drops_buffer_connect_exit++;
 break;
- case PPME_SYSCALL_BPF_X:
 case PPME_SYSCALL_BPF_2_X:
 case PPME_SYSCALL_SETPGID_X:
 case PPME_SYSCALL_PTRACE_X:
diff --git a/driver/modern_bpf/helpers/base/stats.h b/driver/modern_bpf/helpers/base/stats.h
index fd7b7cd989..2c06ec0f9c 100644
--- a/driver/modern_bpf/helpers/base/stats.h
+++ b/driver/modern_bpf/helpers/base/stats.h
@@ -26,7 +26,6 @@ static __always_inline void compute_event_types_stats(u16 event_type, struct cou
 // enter
 case PPME_SYSCALL_OPEN_E:
 case PPME_SYSCALL_CREAT_E:
- case PPME_SYSCALL_OPENAT_E:
 case PPME_SYSCALL_OPENAT_2_E:
 case PPME_SYSCALL_OPENAT2_E:
 case PPME_SYSCALL_OPEN_BY_HANDLE_AT_E:
@@ -40,38 +39,26 @@ static __always_inline void compute_event_types_stats(u16 event_type, struct cou
 case PPME_SYSCALL_LCHOWN_E:
 case PPME_SYSCALL_FCHOWN_E:
 case PPME_SYSCALL_FCHOWNAT_E:
- case PPME_SYSCALL_LINK_E:
 case PPME_SYSCALL_LINK_2_E:
- case PPME_SYSCALL_LINKAT_E:
 case PPME_SYSCALL_LINKAT_2_E:
- case PPME_SYSCALL_MKDIR_E:
 case PPME_SYSCALL_MKDIR_2_E:
 case PPME_SYSCALL_MKDIRAT_E:
 case PPME_SYSCALL_MOUNT_E:
- case PPME_SYSCALL_UMOUNT_E:
 case PPME_SYSCALL_UMOUNT_1_E:
 case PPME_SYSCALL_UMOUNT2_E:
 case PPME_SYSCALL_RENAME_E:
 case PPME_SYSCALL_RENAMEAT_E:
 case PPME_SYSCALL_RENAMEAT2_E:
- case PPME_SYSCALL_RMDIR_E:
 case PPME_SYSCALL_RMDIR_2_E:
 case PPME_SYSCALL_SYMLINK_E:
 case PPME_SYSCALL_SYMLINKAT_E:
- case PPME_SYSCALL_UNLINK_E:
 case PPME_SYSCALL_UNLINK_2_E:
- case PPME_SYSCALL_UNLINKAT_E:
 case PPME_SYSCALL_UNLINKAT_2_E:
 counter->n_drops_buffer_dir_file_enter++;
 break;
- case PPME_SYSCALL_CLONE_11_E:
- case PPME_SYSCALL_CLONE_16_E:
- case PPME_SYSCALL_CLONE_17_E:
 case PPME_SYSCALL_CLONE_20_E:
 case PPME_SYSCALL_CLONE3_E:
- case PPME_SYSCALL_FORK_E:
 case PPME_SYSCALL_FORK_20_E:
- case PPME_SYSCALL_VFORK_E:
 case PPME_SYSCALL_VFORK_20_E:
 counter->n_drops_buffer_clone_fork_enter++;
 break;
@@ -82,7 +69,6 @@ static __always_inline void compute_event_types_stats(u16 event_type, struct cou
 case PPME_SOCKET_CONNECT_E:
 counter->n_drops_buffer_connect_enter++;
 break;
- case PPME_SYSCALL_BPF_E:
 case PPME_SYSCALL_BPF_2_E:
 case PPME_SYSCALL_SETPGID_E:
 case PPME_SYSCALL_PTRACE_E:
@@ -95,14 +81,12 @@ static __always_inline void compute_event_types_stats(u16 event_type, struct cou
 case PPME_SYSCALL_CAPSET_E:
 counter->n_drops_buffer_other_interest_enter++;
 break;
- case PPME_PROCEXIT_E:
 case PPME_PROCEXIT_1_E:
 counter->n_drops_buffer_proc_exit++;
 break;
 // exit
 case PPME_SYSCALL_OPEN_X:
 case PPME_SYSCALL_CREAT_X:
- case PPME_SYSCALL_OPENAT_X:
 case PPME_SYSCALL_OPENAT_2_X:
 case PPME_SYSCALL_OPENAT2_X:
 case PPME_SYSCALL_OPEN_BY_HANDLE_AT_X:
@@ -116,38 +100,26 @@ static __always_inline void compute_event_types_stats(u16 event_type, struct cou
 case PPME_SYSCALL_LCHOWN_X:
 case PPME_SYSCALL_FCHOWN_X:
 case PPME_SYSCALL_FCHOWNAT_X:
- case PPME_SYSCALL_LINK_X:
 case PPME_SYSCALL_LINK_2_X:
- case PPME_SYSCALL_LINKAT_X:
 case PPME_SYSCALL_LINKAT_2_X:
- case PPME_SYSCALL_MKDIR_X:
 case PPME_SYSCALL_MKDIR_2_X:
 case PPME_SYSCALL_MKDIRAT_X:
 case PPME_SYSCALL_MOUNT_X:
- case PPME_SYSCALL_UMOUNT_X:
 case PPME_SYSCALL_UMOUNT_1_X:
 case PPME_SYSCALL_UMOUNT2_X:
 case PPME_SYSCALL_RENAME_X:
 case PPME_SYSCALL_RENAMEAT_X:
 case PPME_SYSCALL_RENAMEAT2_X:
- case PPME_SYSCALL_RMDIR_X:
 case PPME_SYSCALL_RMDIR_2_X:
 case PPME_SYSCALL_SYMLINK_X:
 case PPME_SYSCALL_SYMLINKAT_X:
- case PPME_SYSCALL_UNLINK_X:
 case PPME_SYSCALL_UNLINK_2_X:
- case PPME_SYSCALL_UNLINKAT_X:
 case PPME_SYSCALL_UNLINKAT_2_X:
 counter->n_drops_buffer_dir_file_exit++;
 break;
- case PPME_SYSCALL_CLONE_11_X:
- case PPME_SYSCALL_CLONE_16_X:
- case PPME_SYSCALL_CLONE_17_X:
 case PPME_SYSCALL_CLONE_20_X:
 case PPME_SYSCALL_CLONE3_X:
- case PPME_SYSCALL_FORK_X:
 case PPME_SYSCALL_FORK_20_X:
- case PPME_SYSCALL_VFORK_X:
 case PPME_SYSCALL_VFORK_20_X:
 counter->n_drops_buffer_clone_fork_exit++;
 break;
@@ -158,7 +130,6 @@ static __always_inline void compute_event_types_stats(u16 event_type, struct cou
 case PPME_SOCKET_CONNECT_X:
 counter->n_drops_buffer_connect_exit++;
 break;
- case PPME_SYSCALL_BPF_X:
 case PPME_SYSCALL_BPF_2_X:
 case PPME_SYSCALL_SETPGID_X:
 case PPME_SYSCALL_PTRACE_X:
From d22d8b787115ecaf0480b8521ae5fe7826566d4f Mon Sep 17 00:00:00 2001 From: Andrea Terzolo Date: Wed, 23 Aug 2023 16:17:24 +0200 Subject: [PATCH 5/5] docs: update scap-open README Signed-off-by: Andrea Terzolo Co-authored-by: Melissa Kilby --- userspace/libscap/examples/01-open/README.md | 88 +++++++++++++------- 1 file changed, 60 insertions(+), 28 deletions(-) diff --git a/userspace/libscap/examples/01-open/README.md b/userspace/libscap/examples/01-open/README.md index 432c4682e5..39ed036aff 100644 --- a/userspace/libscap/examples/01-open/README.md +++ b/userspace/libscap/examples/01-open/README.md 
@@ -92,34 +92,66 @@ sudo ./libscap/examples/01-open/scap-open --bpf driver/bpf/probe.o As soon as you quit (`CTRL-C`) the `scap-open` program, you will be prompted with detailed information on the capture: ``` ----------------------- STATS ----------------------- -Events captured: 20 -Seen by driver: 20 -Time elapsed: 2 s -Number of events/per-second: 10 -Number of dropped events: 0 -Number of dropped events caused by full buffer (total / all buffer drops - includes all categories below, likely higher than sum of syscall categories): 0 -Number of dropped events caused by full buffer (n_drops_buffer_clone_fork_enter syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_clone_fork_exit syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_execve_enter syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_execve_exit syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_connect_enter syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_connect_exit syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_open_enter syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_open_exit syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_dir_file_enter syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_dir_file_exit syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_other_interest_enter syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_other_interest_exit syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_close_exit syscall category): 0 -Number of dropped events caused by full buffer (n_drops_buffer_proc_exit syscall category): 0 -Number of dropped events caused by full scratch map: 0 -Number of 
dropped events caused by invalid memory access (page faults): 0 -Number of dropped events caused by an invalid condition in the kernel instrumentation (bug): 0 -Number of preemptions: 0 -Number of events skipped due to the tid being in a set of suppressed tids: 0 -Number of threads currently being suppressed: 0 ------------------------------------------------------ +----------------------------- STATS ------------------------------ + +[SCAP-OPEN]: General statistics + +Events correctly captured (SCAP_SUCCESS): 232471 +Seen by driver (kernel side events): 232817 +Time elapsed: 3 s +Rate of userspace events (events/second): 77490 +Rate of kernel side events (events/second): 77605 +Number of timeouts: 123 +Number of 'next' calls: 232594 + +[SCAP-OPEN]: Stats v2. + +[SCAP-OPEN]: 41 metrics in total +[SCAP-OPEN]: [1] kernel-side counters +[SCAP-OPEN]: [2] libbpf stats (compare to `bpftool prog show` CLI) + +[1] n_evts: 232817 +[1] n_drops_buffer_total: 0 +[1] n_drops_buffer_clone_fork_enter: 0 +[1] n_drops_buffer_clone_fork_exit: 0 +[1] n_drops_buffer_execve_enter: 0 +[1] n_drops_buffer_execve_exit: 0 +[1] n_drops_buffer_connect_enter: 0 +[1] n_drops_buffer_connect_exit: 0 +[1] n_drops_buffer_open_enter: 0 +[1] n_drops_buffer_open_exit: 0 +[1] n_drops_buffer_dir_file_enter: 0 +[1] n_drops_buffer_dir_file_exit: 0 +[1] n_drops_buffer_other_interest_enter: 0 +[1] n_drops_buffer_other_interest_exit: 0 +[1] n_drops_buffer_close_exit: 0 +[1] n_drops_buffer_proc_exit: 0 +[1] n_drops_scratch_map: 0 +[1] n_drops_page_faults: 0 +[1] n_drops_bug: 0 +[1] n_drops: 0 +[2] sys_enter.run_cnt: 98656 +[2] sys_enter.run_time_ns: 81056465 +[2] sys_enter.avg_time_ns: 821 +[2] sys_exit.run_cnt: 98660 +[2] sys_exit.run_time_ns: 85784377 +[2] sys_exit.avg_time_ns: 869 +[2] sched_process_e.run_cnt: 24 +[2] sched_process_e.run_time_ns: 41894 +[2] sched_process_e.avg_time_ns: 1745 +[2] sched_switch.run_cnt: 24481 +[2] sched_switch.run_time_ns: 47855905 +[2] sched_switch.avg_time_ns: 1954 +[2] 
page_fault_user.run_cnt: 11605 +[2] page_fault_user.run_time_ns: 4440998 +[2] page_fault_user.avg_time_ns: 382 +[2] page_fault_kern.run_cnt: 5127 +[2] page_fault_kern.run_time_ns: 590651 +[2] page_fault_kern.avg_time_ns: 115 +[2] signal_deliver.run_cnt: 22 +[2] signal_deliver.run_time_ns: 20848 +[2] signal_deliver.avg_time_ns: 947 +------------------------------------------------------------------ ``` To run it with the kernel module, you first have to inject the kernel module into the kernel: