#ebpf

alessandrogario

09/29/2020, 4:39 PM
Latest packages for BPF support. This adds back bpf_socket_events with listen, accept, accept4, socket and connect. There are still no unit tests for this table, so expect hidden bugs!
CptOfEvilMinions

09/29/2020, 5:20 PM
@alessandrogario are these packages OS and version specific? Will this run on ubuntu server 20.04?
alessandrogario

09/29/2020, 5:21 PM
They have been built with the osquery toolchain, so they should be portable
CptOfEvilMinions

09/29/2020, 5:33 PM
I downloaded the ZIP provided and installed it. Based on the PR and this Slack channel I ran the following command:
sudo osqueryd -S --verbose --enable_bpf_socket_events --enable_bpf_process_events --disable_events=false
but received
ubuntuvm:/tmp/20200929_osquery_pr6571_bpf$ sudo osqueryd -S --verbose --enable_bpf_socket_events --enable_bpf_process_events --disable_events=false

ERROR: unknown command line flag 'enable_bpf_process_events'
ERROR: unknown command line flag 'enable_bpf_socket_events'
alessandrogario

09/29/2020, 5:37 PM
aaargh I need to update the docs. So since I need to trace all the syscalls regardless of which table the user wants to use, I removed those flags
5:37 PM
the only flag required is --enable_bpf_events
5:42 PM
There are some quirks with the openat/openat2 syscall; looks like you don't always have access to the memory you are required to read because those pages are not mapped. I tried to add some workarounds to this, but it may still throw some "Malformed event for tracer #x" warnings
5:45 PM
Also: there are no options yet to control how much memory to allocate in the ring buffers, which would be helpful to increase when you know you are going to handle a certain number of events per minute
CptOfEvilMinions

09/29/2020, 5:46 PM
I had an Ubuntu Server 20.04.1 64-bit machine with 2 GB of memory and it was not enough
alessandrogario

09/29/2020, 5:52 PM
Yeah, it's the following settings inside bpfeventpublisher.cpp:
const std::size_t kPerfEventArraySize{12U};
const std::size_t kBufferStorageSize{4096U};
const std::size_t kEventMapSize{2048};
kPerfEventArraySize = power of 2, determines how big the main ring buffer containing basic types is (integers, pointers, process id, uid...). Memory usage: 2^kPerfEventArraySize * cpu_count
kBufferStorageSize = how many slots of 4k bytes are allocated in each BufferStorage object. 1 slot = 1 string (example: filename in open) or buffer (example: sockaddr in connect). Memory usage: (kBufferStorageSize * 4k * cpu_count) for each buffer storage (we currently have 4)
kEventMapSize: memory map used to merge the enter tracepoint with the exit tracepoint. Each slot is really small, and its memory usage is low