Contributor

incertum commented May 2, 2025

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Support indexed proc.args access, community request, see falcosecurity/falco#3534

Which issue(s) this PR fixes:

Part 1 falcosecurity/falco#3534

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

update(libsinsp): support indexed proc.args access

Contributor Author

incertum commented May 2, 2025

CC @yg-oss

I also notice that we have some new formatting requirements and checks since the last time I contributed -- I'll take a look!


github-actions bot commented May 2, 2025

Perf diff from master - unit tests

    35.45%     -0.59%  [.] sinsp_thread_manager::create_thread_dependencies
     6.56%     -0.45%  [.] sinsp::next
     1.60%     +0.28%  [.] sinsp_parser::process_event
     2.63%     -0.23%  [.] gzfile_read
     5.40%     +0.19%  [.] sinsp_evt::get_type
     0.76%     +0.19%  [.] sinsp::fetch_next_event
     0.73%     +0.17%  [.] sinsp_parser::event_cleanup
     2.32%     +0.15%  [.] sinsp_evt::load_params
     0.37%     -0.15%  [.] copy_and_sanitize_path
     1.09%     -0.14%  [.] user_group_updater::user_group_updater

Heap diff from master - unit tests

peak heap memory consumption: -212B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: -212B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            -0.0055         -0.0056           150           149           150           149
BM_sinsp_split_median                                          -0.0047         -0.0048           150           149           150           149
BM_sinsp_split_stddev                                          +1.3304         +1.3291             0             1             0             1
BM_sinsp_split_cv                                              +1.3432         +1.3421             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.0173         -0.0174            56            55            56            55
BM_sinsp_concatenate_paths_relative_path_median                -0.0152         -0.0153            56            55            56            55
BM_sinsp_concatenate_paths_relative_path_stddev                +5.3684         +5.3723             0             1             0             1
BM_sinsp_concatenate_paths_relative_path_cv                    +5.4804         +5.4850             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     -0.0005         -0.0006            25            25            25            25
BM_sinsp_concatenate_paths_empty_path_median                   +0.0041         +0.0040            25            25            25            25
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.5992         -0.5992             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       -0.5990         -0.5989             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.0964         -0.0965            60            54            60            54
BM_sinsp_concatenate_paths_absolute_path_median                -0.1014         -0.1015            60            54            60            54
BM_sinsp_concatenate_paths_absolute_path_stddev                +1.2367         +1.2368             0             1             0             1
BM_sinsp_concatenate_paths_absolute_path_cv                    +1.4754         +1.4757             0             0             0             0


codecov bot commented May 2, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.18%. Comparing base (ca91cb1) to head (12f63be).
Report is 15 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2382      +/-   ##
==========================================
+ Coverage   77.02%   77.18%   +0.15%     
==========================================
  Files         229      231       +2     
  Lines       30316    30357      +41     
  Branches     4657     4658       +1     
==========================================
+ Hits        23352    23430      +78     
+ Misses       6964     6927      -37     
Flag Coverage Δ
libsinsp 77.18% <100.00%> (+0.15%) ⬆️


Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
incertum force-pushed the add-proc-args-index branch from 42cb298 to f431ecb May 2, 2025 19:59
@@ -893,6 +911,22 @@ int32_t sinsp_filter_check_thread::parse_field_name(std::string_view val,
}
}

return res;
} else if(STR_MATCH("proc.args")) {
m_field_id = TYPE_ARGS;
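
Review bot: In the new `proc.args` branch of `sinsp_filter_check_thread::parse_field_name`, `m_field_id = TYPE_ARGS` is the only assignment visible, and these lines do not show how a malformed index (non-numeric, negative, or an unterminated `[`) is rejected. Because rule authors will rely on the indexed field in detections, a bad index should fail at rule load with an explicit error rather than be accepted quietly; a unit test covering those inputs would document the behaviour.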
Contributor

Curious: who was setting m_field_id = TYPE_ARGS; prior to your changes? Can't find it anywhere :O

Contributor Author

It appears to only apply to fields that could have an arg passed via [] notation within parse_field_name.

And thanks to your comment I noticed I forgot to adjust the EBPF_* for proc.args, see my follow up commit :)

Contributor

FedeDP commented May 5, 2025

/milestone 0.21.0

poiana added this to the 0.21.0 milestone May 5, 2025
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
incertum force-pushed the add-proc-args-index branch from a212e31 to 12f63be May 5, 2025 23:55
m_tstr += tinfo->m_args[j];
if(j < nargs - 1) {
m_tstr += ' ';
if(m_argid >= 0) {
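
Review bot: The `if(m_argid >= 0)` guard checks only the lower bound. Before `tinfo->m_args` is indexed with `m_argid`, compare it against `nargs` so that an index past the end of a short command line yields no value instead of an out-of-range read. If that comparison already sits in the lines below this hunk, a short comment at the guard would make the intent obvious.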
Contributor Author

@FedeDP Suggesting to further clean this up after rebasing the next PR, new helper is introduced here https://github.com/falcosecurity/libs/pull/2387/files#r2074420790

Contributor

FedeDP left a comment

LGTM! This is a very useful feat!
/approve

Contributor

poiana commented May 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, incertum


Contributor

poiana commented May 6, 2025

LGTM label has been added.

Git tree hash: 37b373b119d11f55b94e7db3352141086e945677

github-project-automation bot moved this from Todo to In progress in Falco Roadmap May 6, 2025
poiana merged commit 00641e1 into falcosecurity:master May 6, 2025
47 checks passed