
Options For Redesign of BPF Message Structs - One potential way

Open jrmwooldridge opened this issue 5 years ago • 0 comments

The current struct data_t has quite a few problems: it is fairly primitive, disorganized, and wasn't designed for expansion.

  • Make structures return fewer unused bytes
  • Allow event contexts to be expandable
  • Investigate struct alignments and potential padding issues.

Ideally it would be easiest to split up the struct data_t union into multiple structs based on the event context objects or event types.

// BPF message unique identifier
//
// Common header placed at the front of every event context below; the
// other structs pull it in as an unnamed member so its fields are promoted
// into theirs.
//
// Layout: ts (8) + tid (4) + event (1) + flags (1) = 14 bytes of data. On a
// target where uint64_t is 8-byte aligned the struct is padded to 16 bytes,
// so 2 trailing pad bytes are part of every message perf_submit copies out.
// Senders should zero-initialise the whole message (as `blob = {}` does in
// on_security_file_open) so padding never carries stale stack contents.
struct msg_hdr_ctx {
    uint64_t   ts;      // event timestamp; unit/clock not stated in this sketch (presumably bpf_ktime_get_ns — confirm)
    uint32_t   tid;
    uint8_t     event;  // event type discriminator (presumably what the reader dispatches on — confirm)
    uint8_t     flags;
};

// Inode number plus device id, enough to identify a file on one host.
//
// 8 + 4 = 12 bytes of data, padded to 16 where uint64_t is 8-byte aligned
// (4 trailing pad bytes). Used both as a named member (`exe`) and as an
// unnamed member (file_open_ctx), where its fields are promoted as ino/dev.
struct ino_dev {
    uint64_t ino;
    uint32_t dev;
};

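// Per-task event context: the common header plus the identity of the task
// that triggered the event.
//
// `struct msg_hdr_ctx;` is an unnamed member whose fields are promoted into
// this struct. Embedding a *tagged* struct this way is not ISO C11 (C11 only
// allows untagged anonymous structs); it relies on a compiler extension
// (-fms-extensions / plan9 extensions). Confirm the BPF toolchain in use
// accepts it, otherwise name the member, e.g. `struct msg_hdr_ctx hdr;`.
//
// Size where uint64_t is 8-byte aligned: hdr 16 + tgid/ppid/mnt_ns 12 = 28,
// then 4 bytes of padding before exe, exe 16 -> 48 bytes.
struct task_ctx_msg {
     struct msg_hdr_ctx; // embed hdr
     uint32_t tgid;
     uint32_t ppid;
     uint32_t mnt_ns;
     // Was `struct inode_dev`, a type this sketch never defines; ino_dev is
     // the type declared above and used by file_open_ctx / exec_file_ctx.
     struct ino_dev exe;

//    ... Maybe include pid namespace values of pids
};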

// Change this to handle BTF filepaths
// when BTF d_path enabled.
//
// Length-prefixed path buffer: 2 + 255 = 257 bytes of data, rounded up to
// 258 by int16_t alignment. len being signed suggests a negative value is
// meant to carry the helper's error return (presumably — the sketch does
// not say). Readers must validate len against sizeof buf before indexing,
// and bpf_probe_read_str NUL-terminates, so at most 254 path characters fit.
struct pathbuf {
    int16_t len; // Probably helpful for `bpf_read_str`
     char buf[255];
};

// roughly 272 bytes
//
// Header + path: 16 + 258 = 274 bytes of data, padded to 280 where
// uint64_t is 8-byte aligned (so "roughly 272" is slightly low). Sent as
// a separate message after the entry record (see on_security_file_open);
// presumably the reader pairs the two via the shared header — confirm.
struct filepath_ctx {
    struct msg_hdr_ctx;
    struct pathbuf dname;
};

// Event context for security_file_open: the task identity, the opened
// file's inode/device (promoted as ino/dev, distinct from the task's exe)
// and the open mode.
//
// Size where uint64_t is 8-byte aligned: task_ctx_msg 48 + ino_dev 16 +
// fmode 8 = 72 bytes. This is exactly what perf_submit sends for the entry
// record in on_security_file_open.
struct file_open_ctx {
    struct task_ctx_msg;
    struct ino_dev;
    uint64_t fmode;  // presumably file->f_mode (fmode_t) widened — confirm
};

// Example new usage that would make total BPF message payload
// 255 bytes and the 
//
// Sketch of a probe using the new layout: one fixed-size entry record,
// then a separate path record, both carved from a single stack buffer.
// Not compilable as written: "..." marks elided code, and `ctx` is never
// declared here (BCC probe handlers normally receive `struct pt_regs *ctx`
// as their first parameter — confirm).
int on_security_file_open(struct file *file)
{
   // entry and path overlay each other, so the stack footprint is
   // max(sizeof entry, sizeof path) rather than their sum. Consequence:
   // once __do_file_path writes into blob.path, *entry is overwritten and
   // must not be read again. (Identifiers beginning with a double
   // underscore are reserved to the implementation in ISO C.)
   struct __file_open_ctx_max {
       union {
            struct file_open_ctx entry;
            struct filepath_ctx path; // roughly send 272 max bytes but less with bpf_read_str enabled distros
       };
    };
    // Zero-initialising the whole union matters: perf_submit copies
    // sizeof(*entry) bytes verbatim, padding included, so any byte left
    // untouched would either be rejected by the verifier as an
    // uninitialised stack read or, if it slipped through, expose stale
    // stack bytes to the userspace reader. (`= {}` is a GNU/C23 spelling;
    // `= {0}` is the portable one.)
    struct __file_open_ctx_max blob = {};
    struct file_open_ctx *entry = &blob.entry;
    // Fill in hdr
   
    // Fill in file open ctx data
    ...
    // Submit event context
    perf_submit(ctx, entry, sizeof(*entry));

    ...
    // Provide do_file_path with max payload sized buffer
    // 
    __do_file_path(ctx, &blob.path, file);
   ...
}

// Raw exec arguments as a length-prefixed byte blob. `<perf buffer
// maxpayload>` is a placeholder in this sketch, not C: it stands for the
// largest payload one perf_submit can carry, which must be a compile-time
// constant. Same caveat as pathbuf: readers validate len against sizeof
// buf before use, and if the placeholder resolves to more than 32767
// bytes an int16_t len cannot express the full range.
struct raw_exe_args {
    int16_t len;
    uint8_t buf[<perf buffer maxpayload>];
};

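// Event context for clone: the child task (promoted fields from
// task_ctx_msg, whose embedded msg_hdr_ctx already supplies the header)
// plus a named copy of the parent's task context.
//
// The header is carried once, by the embedded task_ctx_msg. A second
// `struct msg_hdr_ctx;` here would promote ts/tid/event/flags twice, and
// the duplicate member names do not compile under the extension that
// allows this embedding; file_open_ctx embeds task_ctx_msg alone for the
// same reason.
//
// Size where uint64_t is 8-byte aligned: 48 + 48 = 96 bytes.
struct clone_entry_ctx {
    struct task_ctx_msg;
    struct task_ctx_msg parent;
};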

// Event context for exec entry: identical in layout to clone_entry_ctx
// (child task + parent task), kept as a distinct type so the two events
// can evolve separately.
struct exec_entry_ctx {
    struct clone_entry_ctx;
};

// Event context for the file being exec'd: the exec entry context plus the
// new image's inode/device.
//
// NOTE(review): task_ctx_msg already carries a member named `exe`, and it
// is promoted into this struct through the unnamed exec_entry_ctx /
// clone_entry_ctx chain; declaring a second `exe` here would be a duplicate
// member under that flattening. Either rename this field (e.g. the new
// image vs. the calling task's image) or confirm the embedding does not
// promote nested names.
struct exec_file_ctx {
    struct exec_entry_ctx;
    struct ino_dev exe;
};

...

jrmwooldridge — Oct 20 '20 13:10