
fix(driver): fix dynamic snaplen logic (SCAP_FULLCAPTURE_PORT_RANGE and SCAP_STATSD_PORT) #2006

Merged

Conversation

@Andreagit97 Andreagit97 commented Aug 14, 2024

What type of PR is this?

/kind bug

/kind cleanup

Any specific area of the project related to this PR?

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area tests

Does this PR require a change in the driver versions?

What this PR does / why we need it:

This PR tries to fix some dynamic snaplen logic (SCAP_FULLCAPTURE_PORT_RANGE and SCAP_STATSD_PORT). More in detail:

  • Rewrite the compute_snaplen logic for the legacy ebpf and kernel module. We now use the local kernel socket when available; if not, we fall back to the userspace structs.
  • Adapt the modern ebpf logic to the other drivers.
  • Write ~40 tests to assert this new logic for read, write, sendto, sendmsg, recvfrom, recvmsg.

Which issue(s) this PR fixes:

Special notes for your reviewer:

The PR seems huge but apart from the snaplen rework there are only tests.

Working on this I noticed some other worrying failures on the old drivers (legacy ebpf and kmod). They are now treated as skipped tests, but we need to fix them at a certain point. More in detail:

[  SKIPPED ] SyscallExit.recvmsgX_ipv4_tcp_message_shorter_than_snaplen

We are in the exit event and we rely on the sockaddr, more in detail on addrlen != 0, but in the exit tracepoint we will always obtain addrlen=0. I verified it with bpftrace: the kernel seems to clear the msg_namelen before returning from recvmsg.

[  SKIPPED ] SyscallExit.recvmsgX_ipv4_tcp_NULL_sockaddr
[  SKIPPED ] SyscallExit.recvmsgX_ipv4_udp_NULL_sockaddr

Our code checks for if (usrsockaddr != NULL && addrlen != 0) so if the sockaddr is NULL we will send an empty tuple. In the modern ebpf we try to recover the info from the kernel if available, we should do the same thing...

[  SKIPPED ] SyscallEnter.connectE_INET
[  SKIPPED ] SyscallEnter.connectE_INET6
[  SKIPPED ] SyscallEnter.connectE_UNIX
[  SKIPPED ] SyscallEnter.connectE_UNIX_max_path

In case of negative fd (failure) in the enter event, we don't send sockaddr.

[  SKIPPED ] SyscallEnter.sendmsgE_ipv4_tcp_NULL_sockaddr
[  SKIPPED ] SyscallEnter.sendtoE_ipv4_tcp_NULL_sockaddr

We don't send the tuple if the sockaddr is NULL.

The pain point is that to fix these we probably need to completely rewrite the tuple collection logic in the old drivers :/

Our userspace seems able to handle this missing data by relying on previous data like the connect/accept ones. But for sure here there is room for improvement. Again, these issues are only related to the legacy ebpf and the kmod.

Does this PR introduce a user-facing change?:

fix(driver): fix dynamic snaplen logic (SCAP_FULLCAPTURE_PORT_RANGE and SCAP_STATSD_PORT)
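The kernel-socket-first, userspace-sockaddr-fallback decision sketched in the description, as an added stand-alone example (not the project's driver code): the structs, field names and snaplen values are hypothetical, and it also covers the recvmsg-exit case the PR notes, where addrlen is 0 and no tuple can be recovered, so the default snaplen is kept.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed snaplen values for illustration; not the project's constants. */
#define DEFAULT_SNAPLEN     80
#define STATSD_SNAPLEN      2000
#define FULLCAPTURE_SNAPLEN 16000

/* Hypothetical view of what a driver can see when the syscall fires. */
struct sock_view {
	bool has_kernel_sock;     /* kernel socket reachable from the fd */
	uint16_t k_local_port;    /* ports read from the kernel socket */
	uint16_t k_remote_port;
	const void *usrsockaddr;  /* userspace sockaddr, NULL for read/write */
	uint32_t addrlen;         /* 0 on recvmsg exit, as noted in the PR */
	uint16_t u_remote_port;   /* remote port parsed from the sockaddr */
};
struct snaplen_cfg {
	uint16_t range_start, range_end; /* SCAP_FULLCAPTURE_PORT_RANGE */
	uint16_t statsd_port;            /* SCAP_STATSD_PORT, 0 = disabled */
};

/* Kernel socket first, userspace sockaddr second; false if no tuple. */
static bool resolve_ports(const struct sock_view *v, uint16_t *lp, uint16_t *rp)
{
	if (v->has_kernel_sock) {
		*lp = v->k_local_port;
		*rp = v->k_remote_port;
		return true;
	}
	if (v->usrsockaddr != NULL && v->addrlen != 0) {
		*lp = 0; /* a sockaddr carries only the remote side */
		*rp = v->u_remote_port;
		return true;
	}
	return false;
}

uint32_t compute_snaplen(const struct sock_view *v, const struct snaplen_cfg *c)
{
	uint16_t lp, rp;
	if (!resolve_ports(v, &lp, &rp))
		return DEFAULT_SNAPLEN; /* no tuple recovered: keep the default */
	if ((lp && lp >= c->range_start && lp <= c->range_end) ||
	    (rp >= c->range_start && rp <= c->range_end))
		return FULLCAPTURE_SNAPLEN;
	if (c->statsd_port && (lp == c->statsd_port || rp == c->statsd_port))
		return STATSD_SNAPLEN;
	return DEFAULT_SNAPLEN;
}
```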


github-actions bot commented Aug 14, 2024

Perf diff from master - unit tests

     7.97%     -1.77%  [.] sinsp_evt::get_type
     1.15%     +0.88%  [.] sinsp::fetch_next_event
    11.04%     -0.77%  [.] sinsp_parser::reset
     7.76%     -0.68%  [.] sinsp::next
     1.57%     +0.55%  [.] scap_event_decode_params
     0.73%     +0.53%  [.] std::_Hashtable<long, std::pair<long const, std::shared_ptr<sinsp_threadinfo> >, std::allocator<std::pair<long const, std::shared_ptr<sinsp_threadinfo> > >, std::__detail::_Select1st, std::equal_to<long>, std::hash<long>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::find
     4.22%     -0.51%  [.] sinsp_parser::process_event
     1.02%     +0.47%  [.] 0x00000000000e83d4
     0.37%     +0.46%  [.] scap_event_has_large_payload
     1.51%     +0.46%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release

Heap diff from master - unit tests

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B


codecov bot commented Aug 14, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.21%. Comparing base (839efec) to head (10b7a96).
Report is 37 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2006      +/-   ##
==========================================
+ Coverage   74.14%   74.21%   +0.07%     
==========================================
  Files         253      253              
  Lines       30834    30845      +11     
  Branches     5404     5419      +15     
==========================================
+ Hits        22863    22893      +30     
- Misses       7946     7952       +6     
+ Partials       25        0      -25     
Flag Coverage Δ
libsinsp 74.21% <ø> (+0.07%) ⬆️


Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
fallback logic to extract remote port with UDP

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 Andreagit97 force-pushed the improve_fullport_range_detection branch from da541a6 to 8e5d1a8 Compare August 22, 2024 14:55
@poiana poiana added size/XXL and removed size/XL labels Aug 22, 2024

Please double check driver/SCHEMA_VERSION file. See versioning.

/hold

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 Andreagit97 changed the title [WIP] Improve enrichment on UDP connections fix(driver): fix dynamic snaplen logic (SCAP_FULLCAPTURE_PORT_RANGE and SCAP_STATSD_PORT) Aug 26, 2024
@Andreagit97 Andreagit97 marked this pull request as ready for review August 26, 2024 13:28
@poiana poiana requested a review from incertum August 26, 2024 13:30
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 Member Author

kernel testing results: https://github.com/falcosecurity/libs/actions/runs/10562104486/job/29259687424

x86

| KERNEL | CMAKE-CONFIGURE | KMOD BUILD | KMOD SCAP-OPEN | BPF-PROBE BUILD | BPF-PROBE SCAP-OPEN | MODERN-BPF SCAP-OPEN |
|---|---|---|---|---|---|---|
| amazonlinux2-4.19 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| amazonlinux2-5.10 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| amazonlinux2-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| amazonlinux2-5.4 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| amazonlinux2022-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| amazonlinux2023-6.1 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| archlinux-6.0 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| archlinux-6.7 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| centos-3.10 | 🟢 | 🟢 | 🟢 | 🟡 | 🟡 | 🟡 |
| centos-4.18 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| centos-5.14 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| fedora-5.17 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| fedora-5.8 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| fedora-6.2 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| oraclelinux-3.10 | 🟢 | 🟢 | 🟢 | 🟡 | 🟡 | 🟡 |
| oraclelinux-4.14 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| oraclelinux-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| oraclelinux-5.4 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| ubuntu-4.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| ubuntu-5.8 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| ubuntu-6.5 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |

arm64

| KERNEL | CMAKE-CONFIGURE | KMOD BUILD | KMOD SCAP-OPEN | BPF-PROBE BUILD | BPF-PROBE SCAP-OPEN | MODERN-BPF SCAP-OPEN |
|---|---|---|---|---|---|---|
| amazonlinux2-5.4 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟡 |
| amazonlinux2022-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| fedora-6.2 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| oraclelinux-4.14 | 🟢 | 🟢 | 🟢 | 🟡 | 🟡 | 🟡 |
| oraclelinux-5.15 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| ubuntu-6.5 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |

@FedeDP Contributor

FedeDP commented Aug 27, 2024

/milestone next-driver

@poiana poiana added this to the next-driver milestone Aug 27, 2024
@FedeDP FedeDP left a comment

/approve

@poiana Contributor

poiana commented Aug 27, 2024

LGTM label has been added.

Git tree hash: 2c14369473911ada817e3cc21efee1ebaf2598ad

@poiana Contributor

poiana commented Aug 27, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@FedeDP Contributor

FedeDP commented Aug 28, 2024

/unhold

@poiana poiana merged commit 02732d6 into falcosecurity:master Aug 28, 2024
53 of 58 checks passed