Skip to content

new(libsinsp): introduce proc.aargs field #2387

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 8, 2025
Merged

new(libsinsp): introduce proc.aargs field #2387

merged 1 commit into from
May 8, 2025

Conversation

incertum
Copy link
Contributor

@incertum incertum commented May 5, 2025

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Introduce proc.aargs field, community request, see falcosecurity/falco#3534

Which issue(s) this PR fixes:

Part 2 falcosecurity/falco#3534
TBD if we introduce nested proc.aargs lookups in this PR or a follow up PR.

CC @yg-oss

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new(libsinsp): introduce proc.aargs field

@poiana poiana requested review from Andreagit97 and hbrueckner May 5, 2025 23:50
@poiana poiana added the size/M label May 5, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented May 5, 2025
edited
Loading

Perf diff from master - unit tests

     5.85%     -0.59%  [.] sinsp_parser::reset
     0.64%     +0.42%  [.] libsinsp::sinsp_suppress::process_event
     1.48%     -0.38%  [.] scap_event_decode_params
     6.34%     +0.37%  [.] sinsp::next
    34.41%     -0.37%  [.] sinsp_thread_manager::create_thread_dependencies
     1.46%     -0.36%  [.] user_group_updater::~user_group_updater
     1.34%     +0.29%  [.] std::_Hashtable<long, std::pair<long const, std::shared_ptr<sinsp_threadinfo> >, std::allocator<std::pair<long const, std::shared_ptr<sinsp_threadinfo> > >, std::__detail::_Select1st, std::equal_to<long>, std::hash<long>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_find_before_node
     4.14%     -0.25%  [.] sinsp_thread_manager::find_thread
     2.33%     +0.20%  [.] gzfile_read
     0.42%     +0.17%  [.] std::_Hashtable<conversion_key, std::pair<conversion_key const, conversion_info>, std::allocator<std::pair<conversion_key const, conversion_info> >, std::__detail::_Select1st, std::equal_to<conversion_key>, std::hash<conversion_key>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_find_before_node

Heap diff from master - unit tests

peak heap memory consumption: -936B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: -747B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            +0.0082         +0.0082           148           149           148           149
BM_sinsp_split_median                                          +0.0061         +0.0061           148           148           148           148
BM_sinsp_split_stddev                                          +0.2471         +0.2466             1             1             1             1
BM_sinsp_split_cv                                              +0.2370         +0.2365             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  +0.0022         +0.0022            56            56            56            56
BM_sinsp_concatenate_paths_relative_path_median                +0.0284         +0.0285            55            56            55            56
BM_sinsp_concatenate_paths_relative_path_stddev                -0.9212         -0.9211             3             0             3             0
BM_sinsp_concatenate_paths_relative_path_cv                    -0.9213         -0.9213             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     +0.0049         +0.0049            23            24            23            24
BM_sinsp_concatenate_paths_empty_path_median                   +0.0049         +0.0048            23            24            23            24
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.0560         -0.0581             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       -0.0606         -0.0627             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.1057         -0.1057            64            57            64            57
BM_sinsp_concatenate_paths_absolute_path_median                -0.0897         -0.0897            64            58            64            58
BM_sinsp_concatenate_paths_absolute_path_stddev                +1.6065         +1.6073             1             2             1             2
BM_sinsp_concatenate_paths_absolute_path_cv                    +1.9148         +1.9156             0             0             0             0

incertum
incertum commented May 5, 2025
View reviewed changes
userspace/libsinsp/sinsp_filtercheck_thread.cpp Outdated
@@ -1104,16 +1149,18 @@ uint8_t* sinsp_filter_check_thread::extract_single(sinsp_evt* evt,
case TYPE_ARGS: {
m_tstr.clear();

uint32_t j;
uint32_t nargs = (uint32_t)tinfo->m_args.size();
sinsp_threadinfo::populate_args(m_tstr, tinfo);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New helper was due now.

@codecov Codecov
Copy link

codecov bot commented May 5, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 83.72093% with 7 lines in your changes missing coverage. Please review.

Project coverage is 77.19%. Comparing base (8d44eca) to head (d3cbbe1).
Report is 2 commits behind head on master.

Files with missing lines Patch % Lines
userspace/libsinsp/sinsp_filtercheck_thread.cpp 76.66% 7 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #2387   +/-   ##
=======================================
  Coverage   77.18%   77.19%           
=======================================
  Files         231      231           
  Lines       30368    30401   +33     
  Branches     4657     4663    +6     
=======================================
+ Hits        23441    23468   +27     
- Misses       6927     6933    +6
Flag Coverage Δ
libsinsp 77.19% <83.72%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

incertum
incertum commented May 6, 2025
View reviewed changes
userspace/libsinsp/sinsp_filtercheck_thread.cpp
@@ -748,6 +762,21 @@ int32_t sinsp_filter_check_thread::extract_arg(std::string_view fldname,
} else {
throw sinsp_exception("filter syntax error: " + string(val));
}
} else if(m_field_id == TYPE_AARGS) {
// Separate statement in order to expand future usage
// to proc.aargs[1][3]; allow for indexed ancestor args access
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@leogr and @FedeDP TBD if we want to expand this in this PR or another PR, alongside deciding when (this release or the next one). Either way fine from my perspective.

One option could be to simply expand the string arg extraction logic (either using re2 or a custom approach), and assigning the second index that would access the arg of an ancestor to a new variable called m_argid2 or other naming.

WDYT?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@leogr and @FedeDP TBD if we want to expand this in this PR or another PR,

I'd go for two separate PRs, mainly because allowing [1][3] would be a radical change in the syntax, and we need to consider any possible side effects.

alongside deciding when (this release or the next one). Either way fine from my perspective.

Considering Falco 0.41 is due by May 26th, we might be able to merge this PR by the end of the week and bring just proc.aargs[1] for this release. For anything more, we are too late, I guess.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@leogr couldn't agree more re timing and possible side effect!

I have just rebased this PR!

@incertum incertum force-pushed the add-proc-aargs-functionality branch from e51f00d to 6bd261d Compare May 6, 2025 16:00
@poiana poiana added size/L and removed size/M labels May 6, 2025
@FedeDP
Copy link
Contributor

FedeDP commented May 7, 2025

(rebasng the PR will fix the CI :D )

@FedeDP
Copy link
Contributor

FedeDP commented May 7, 2025

/milestone 0.21.0

@poiana poiana added this to the 0.21.0 milestone May 7, 2025
@incertum
new(libsinsp): introduce proc.aargs field
d3cbbe1 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
@incertum incertum force-pushed the add-proc-aargs-functionality branch from 6bd261d to d3cbbe1 Compare May 7, 2025 16:23
FedeDP
FedeDP approved these changes May 8, 2025
View reviewed changes
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
LGTM! Great feat IMHO

@poiana poiana added the lgtm label May 8, 2025
@poiana
Copy link
Contributor

poiana commented May 8, 2025

LGTM label has been added.

Git tree hash: 967b486093f099500d02b8797462237f751d3805

@poiana
Copy link
Contributor

poiana commented May 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, incertum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@FedeDP
Copy link
Contributor

FedeDP commented May 8, 2025

@leogr while i like the feature, what about introducing an ancestor transformer instead? I mean we are polluting filterchecks with more and more afoo[x] filters (ancestor[x]->foo).

  • ancestor(foo, x) feels better to type (much more recognizable)
  • also, it seems more generic and thus more powerful

Idea is simple: with ancestor(foo, x) transformer we will first take ancestor threadinfo, and then take the requested filtercheck.

my 2c, just an idea for eg: Falco 1.0.0, considering that i'd also drop all the afoo checks too, thus would be a breaking change.

Looking at the code, the only issue is that by now transformers are bound to work on the extracted values. This time, we should need to work before extracting the value, possibly on the sinsp_evt itself (making a copy of it before extracting).

@leogr
Copy link
Member

leogr commented May 8, 2025

@leogr while i like the feature, what about introducing an ancestor transformer instead? I mean we are polluting filterchecks with more and more afoo[x] filters (ancestor[x]->foo).

The only issue is that transformers are related to a type, and we don't actually have a type for processes. So it sounds inconsistent to me, but I'm still open to this or a similar idea.

That being said, I agree we should get rid of all afoo fields in 1.0, and thus we need a new syntax construct to achieve the same use cases. Maybe, introducing something more general like class.field[x].nested_field[y] at the syntax level would help. Unfortunately, I guess this can't be achieved before 1.0.

@FedeDP wdyt?

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap May 8, 2025
@poiana poiana merged commit c0b1aea into falcosecurity:master May 8, 2025
47 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap May 8, 2025
@incertum incertum deleted the add-proc-aargs-functionality branch May 8, 2025 18:37
@incertum
Copy link
Contributor Author

incertum commented May 8, 2025

@leogr and @FedeDP great suggestions, would you like to post them or cross-reference them on the Falco issue as well?

@FedeDP FedeDP mentioned this pull request May 12, 2025
Merged
@bevanjkay bevanjkay mentioned this pull request May 20, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leogr leogr leogr approved these changes

@FedeDP FedeDP FedeDP approved these changes

@Andreagit97 Andreagit97 Awaiting requested review from Andreagit97

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

Assignees

@leogr leogr

@FedeDP FedeDP

Labels
approved area/libsinsp area/tests dco-signoff: yes kind/cleanup kind/feature New feature or request lgtm release-note size/L
Projects
Falco Roadmap
Status: Done
Milestone
0.21.0
Development

Successfully merging this pull request may close these issues.
4 participants
@incertum @FedeDP @poiana @leogr