New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(events): create access_remote_vm event #3551
base: main
Are you sure you want to change the base?
feat(events): create access_remote_vm event #3551
Conversation
abeb60f
to
deb4ef0
Compare
deb4ef0
to
93d376b
Compare
93d376b
to
59f34a5
Compare
I loved the event! It LGTM, definitely. There are just minor spell nits, some comments to be added to make it easier to understand your intents (if my interpretation is correct). A small "point to clear" would be the VMA naming strategy/logic. I left a question for you there. Also, If you could add a simple Nice work! |
59f34a5
to
275d6db
Compare
275d6db
to
06d025f
Compare
0ff94d2
to
3a5c024
Compare
Fix your pr.yaml file and force push. Wait for tests to finish and you will see. I dont need to reset anything on my side. Your pr.yaml is wrong. |
Never said it was a definitive answer. My feedback was "it might be related", but it might be an entire different thing. When you fix pr.yaml and tests fail you will be able to see. Let me know if you need a VM with the same images that are failing (but it might be intermittent among all of them, without considering v6.5 which always fails due to other reasoning). |
For the record: https://gist.github.com/rafaeldtinoco/bb0bcf795fb2c821136db01417ca669a Those files show the execution path in a 5.19 (event works) vs a 6.5 (event does not work).
Im using https://gist.github.com/rafaeldtinoco/1e619d9d25a4a934b0ef577304125b87 to test. |
Yea I am aware, but there is enough information in the event to filter regular stuff out.
You are right that it might spam, but it is significant. |
b135467
to
4d31215
Compare
Only pushed to see tests, still not fixed |
ee989e1
to
97963ff
Compare
Looks like the tests failed but when looking at the output the event (at least on 4.18) worked. Needs some fine tuning I believe. |
You can see that the problem is the version check, because the |
bc33179
to
24d5e97
Compare
Add to each probe the option to determine its relevance according to the OS version. If a probe is irrelevant, an attempt to load it won't be initiated. This allows to have different probes for events according to OS version.
The first 6 arguments are passed to functions using registers. From the 7th forward, the arguments pass through the stack. For this reason, only saving the first 6 arguments was supported until now. This commit add the 7th argument also to the saved args between kprobe and kretprobe.
An event for accessing the memroy of a process externally (can be the same process) by the mem file of the process in procfs. Co-authored-by: OriGlassman <39296766+origlassman@users.noreply.github.com>
Add e2e test to check that the access_remote_vm works well.
24d5e97
to
789bd69
Compare
We have this update #3875 Please rebase your PR against main to make use of the new workflow setup. |
1. Explain what the PR does
An event for accessing the memory of a process externally (can be the same process) by the mem file of the process in procfs.
789bd69 test(events): add e2e test to access_remote_vm
fd6e01a feat(events): create access_remote_vm event
0854a88 feat(ebpf): support 7 arguments saving for kretprobe
491ba04 feat(events): add probe relevance attribute
Fix #3518
2. Explain how to test it
3. Other comments