
Tags: axrayn/ebpf

Tags

v8.5.0



This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
8.5: cherry-pick bafa987 and aea0f04 from main (elastic#160)

* Move BPF support-detection logic from endpoint to this repository (elastic#151)

* De-generify feature logic

Since it's existed, the "features" argument passed into
ebpf_event_ctx__create via the opts struct has been used for the sole
purpose of bpf trampoline detection. There's also no scenario currently
where we have to force kprobes over trampolines (i.e. the library always
performs the detection logic), meaning having to go through the two-step
process of ebpf_detect_system_features and ebpf_event_ctx__new is an
unnecessary level of indirection.

There is one use case for which *knowing* (but not setting) the features
is useful, the TestFeaturesCorrect multi-kernel test case. To ensure we
can still test the feature detection logic, add
ebpf_event_ctx__get_features to expose the features detected by the
library, while removing the ability to set them.

If in the future, more features come along and it becomes necessary to
toggle them on a rather granular basis, we can revert this, but for the
time being, it simplifies the code nicely.

* Move support detection logic to this repository

Since the very beginning, the logic to detect if we support BPF has been
done in endpoint instead of in the ebpf events library. This is wonky.
Logically, this logic belongs here; the library should be performing all
necessary checks and returning -ENOTSUP if it can't load the probes.
Library users shouldn't have to divine the specific system
characteristics needed for the library to successfully run themselves.

* Change stale docs -- minimum kernel is 5.10.16

* Remove tty_write prototype detection logic

Since our minimum supported version is now 5.10.16, this is unneeded
(prototype change was made in 5.10.11)

* Remove --features-autodetect from testrunner

* Make verbose log more explicit

Co-authored-by: Mattia Meleleo <[email protected]>

* Add missing newline

Co-authored-by: Nicholas Berlin <[email protected]>

* Fix typo buf -> bug

Co-authored-by: Nicholas Berlin <[email protected]>

* Move BPF_CORE_READ calls to tty_write__enter

Co-Authored-By: Mattia Meleleo <[email protected]>

* Cut down support detection logic

This reduces the stuff we check for to just
bpf_support && (kernel_version > 5.10.16).

While this doesn't cover 100% of cases, it will likely cover 99.9% of
cases and give us an easy-to-read error message in those cases. Probe
loading will ultimately fail if we're e.g. on a 5.10.16+ kernel with BTF
that doesn't have kprobes or ftrace enabled, which will cause endpoint
to not use BPF.

* Fix incorrect boolean return

* Print full un.release on kernel version error

* Fix breakage on Amazonlinux2 kernels

Too much logic was removed in the tty_write logic removal. We should
still be detecting if tty_write exists in BTF and falling back to a
kprobe if so.

* Fix incorrect version detection on Ubuntu

Ubuntu provides /proc/version_signature so that the true upstream
source version can be obtained. Use it instead of utsname.release.

* Fix kernel version detection on Debian

See comments, we need to use un.version on Debian, as that's the only
reliable way to get the upstream source version.

Co-authored-by: Mattia Meleleo <[email protected]>
Co-authored-by: Nicholas Berlin <[email protected]>

* EventProbe: iterate iovec segs (elastic#158)

* EventProbe: iterate iovec segs

* Update GPL/Events/Process/Probe.bpf.c

Co-authored-by: Nicholas Berlin <[email protected]>

Co-authored-by: Rhys Rustad-Elliott <[email protected]>
Co-authored-by: Nicholas Berlin <[email protected]>
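
The kernel-version detection described in the commit message above (prefer Ubuntu's /proc/version_signature, then the "Debian X.Y.Z" token in utsname.version, then utsname.release) and the bpf_support && version gate, as an added example that is not the project's own code. The sample distro strings, the packed-integer comparison and the use of /sys/kernel/btf/vmlinux as the bpf_support proxy are assumptions made for this example; the project may check more or differently.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>

/* Minimum upstream kernel stated in the commit message above. */
#define MIN_MAJOR 5
#define MIN_MINOR 10
#define MIN_PATCH 16

/* Pack X.Y.Z into one comparable integer (X*1000000 + Y*1000 + Z).
 * Stops at the first non-numeric suffix ("-23-amd64"); -1 on parse failure. */
static long parse_kver(const char *s)
{
    int major, minor, patch = 0;
    int n = sscanf(s, "%d.%d.%d", &major, &minor, &patch);
    if (n < 2)
        return -1;
    return (long)major * 1000000 + minor * 1000 + patch;
}

/*
 * Resolve the upstream source version from the inputs the commit messages name,
 * in order of trust:
 *   version_signature: Ubuntu's /proc/version_signature, e.g.
 *       "Ubuntu 5.15.0-91.101-generic 5.15.131" (last token is upstream); NULL if absent
 *   uts_version:       utsname.version, e.g. "#1 SMP Debian 5.10.179-1 (2023-05-12)"
 *   uts_release:       utsname.release, e.g. "5.10.0-23-amd64" (Debian hides the patch level here)
 * Assumption: these formats are recalled from the distros, not taken from the project.
 */
long upstream_kernel_version(const char *version_signature,
                             const char *uts_version,
                             const char *uts_release)
{
    long v;
    if (version_signature) {
        const char *last = strrchr(version_signature, ' ');
        if (last && (v = parse_kver(last + 1)) >= 0)
            return v;
    }
    if (uts_version) {
        const char *deb = strstr(uts_version, "Debian ");
        if (deb && (v = parse_kver(deb + strlen("Debian "))) >= 0)
            return v;
    }
    return uts_release ? parse_kver(uts_release) : -1;
}

/* Inclusive minimum: 5.10.16 itself passes; an unparsable version is rejected. */
bool kernel_version_supported(const char *version_signature,
                              const char *uts_version,
                              const char *uts_release)
{
    long v = upstream_kernel_version(version_signature, uts_version, uts_release);
    long min = (long)MIN_MAJOR * 1000000 + MIN_MINOR * 1000 + MIN_PATCH;
    return v >= 0 && v >= min;
}

/* Stand-alone check of the running system, printing the decision that the
 * "bpf_support && version" gate from the commit message would make. */
int main(void)
{
    struct utsname un;
    char sig[256];
    const char *sig_p = NULL;

    if (uname(&un) != 0) {
        perror("uname");
        return 1;
    }
    FILE *f = fopen("/proc/version_signature", "r");   /* Ubuntu only */
    if (f) {
        if (fgets(sig, sizeof sig, f))
            sig_p = sig;
        fclose(f);
    }
    /* Assumption: readable /sys/kernel/btf/vmlinux stands in for bpf_support here
     * (BTF is required for CO-RE probes); the real library may test more. */
    bool has_btf = access("/sys/kernel/btf/vmlinux", R_OK) == 0;
    long v = upstream_kernel_version(sig_p, un.version, un.release);
    bool ok = has_btf && kernel_version_supported(sig_p, un.version, un.release);

    if (v < 0)
        printf("release=%s upstream=unparsed btf=%d -> unsupported (-ENOTSUP)\n",
               un.release, has_btf);
    else
        printf("release=%s upstream=%ld.%ld.%ld btf=%d -> %s\n",
               un.release, v / 1000000, (v / 1000) % 1000, v % 1000, has_btf,
               ok ? "supported" : "unsupported (-ENOTSUP)");
    return 0;
}
```

The Debian case is the one to keep in mind when reviewing such checks: utsname.release reads 5.10.0-23-amd64 on a kernel that is really 5.10.179, so a release-only comparison against 5.10.16 would wrongly refuse to load, which is exactly the breakage the "Fix kernel version detection on Debian" commit above describes.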

v8.4.0

Elastic eBPF v8.4.0