#ebpf
zwass

08/09/2022, 5:03 PM
Bringing some things out of DM from @alessandrogario
alessandrogario  [9:52 AM]
The procfs-based approach can be a really useful addition to the processes table; it can't be used for events if the containers or the processes are short-lived. In that case, we have to update ebpfpub. To do that, we just have to:
1. detect if btf can be constructed
2. pass a constructed btf object to FunctionTracer (osquery/events/linux/bpf/bpfeventpublisher.cpp), ideally only for fork/vfork/clone so that we don't add 64 bytes of overhead to all the probes
3. update the system state tracker (osquery/events/linux/bpf/systemstatetracker.h) to propagate the cgroup names

alessandrogario  [9:52 AM]
I think having both approaches would be really cool

alessandrogario  [9:55 AM]
I've merged an example
Initializing btf: <https://github.com/trailofbits/ebpfpub/blob/main/examples/execsnoop/src/main.cpp#L167>
Reading the cgroup names: <https://github.com/trailofbits/ebpfpub/blob/main/examples/execsnoop/src/main.cpp#L79>
5:03 PM
cc @Artemis Tosini