Switch to sys_bind to support more platforms #615
Conversation
| @@ -82,6 +82,10 @@ func (p *Tracer) UProbes() map[string]map[string]ebpfcommon.FunctionPrograms { | |||
| return nil | |||
| } | |||
|
|
|||
| func (p *Tracer) Tracepoints() map[string]ebpfcommon.FunctionPrograms { | |||
There was a problem hiding this comment.
I added support for tracepoints too. I had forgotten that the old helper I used was reading kernel memory only and it was useful to confirm what the addresses of the values were with a tracepoint. I've had to do this a few times in the past, so I keep adding and removing tracepoint support. I decided to add it and keep it for now. We have no tracepoints yet, but it might be useful again in the future.
We also have this outstanding issue where kretprobes can be unreliable, so maybe switching to a tracepoint exit on those would be better.
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #615 +/- ##
==========================================
- Coverage 79.83% 79.32% -0.51%
==========================================
Files 70 70
Lines 5946 5989 +43
==========================================
+ Hits 4747 4751 +4
- Misses 976 1008 +32
- Partials 223 230 +7
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
Thanks Mario! |
We used to tap into
security_socket_bindfor tracking new opened sockets. It was more convenient, since it required one less dereference of memory, e.g. trackingsys_binddirectly requires unwrapping the register context for the syscall.However, some vendors seem to build with more aggressive compiler options, e.g. WSL2 and Docker VM images and this security_socket_bind call appears to be inlined sometimes.
This PR switches the kprobe to run on
sys_bind.Closes #590
@mariomac if would be great if you see if this works properly on your setup too. I tested only on Windows Subsystem for Linux Ubuntu.