tetragon: Setup execve_map max entries #3279
Conversation
Force-pushed from 7b664dd to ab3513b
pkg/sensors/base/base.go (outdated)
threads := readFileDefault("/proc/sys/kernel/threads-max", 32768)
ExecveMap.SetMaxEntries(int(threads))
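Review bot: `ExecveMap.SetMaxEntries(int(threads))` passes the raw value of /proc/sys/kernel/threads-max through with no upper bound, and the 32768 in `readFileDefault` only covers the case where the file cannot be read; on a large host threads-max is far above 32768 and a preallocated hash map commits that memory at load time. Suggest clamping the probed value to a documented ceiling before calling `SetMaxEntries`, letting the KeyExecveMapEntries flag added in pkg/option/flags.go override the probed value, and range-checking the `int(threads)` conversion instead of narrowing silently.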
Why do we need this? It seems it will make the size of the execve_map even larger, as threads-max is often well above 32K. This will take significant space, while running threads-max threads is pretty rare, no?
I tried this as a mitigation for https://github.com/isovalent/security/issues/88 .. I think we need some combination of this change (with some reasonable size for execve_map) and the other ways mentioned in the issue.
Ah, I see. Maybe this is one of the cases where NO_PREALLOC could help, so that we can dynamically size to a very large map. But I could see how this can lead to memory issues in the future. That's not an easy problem :/
Force-pushed from c64e7e4 to fcfa0a9
pkg/option/flags.go (outdated)
@@ -416,4 +419,6 @@ func AddFlags(flags *pflag.FlagSet) {
	flags.Int(KeyEventCacheRetryDelay, defaults.DefaultEventCacheRetryDelay, "Delay in seconds between event cache retries")

	flags.Bool(KeyCompatibilitySyscall64SizeType, false, "syscall64 type will produce output of type size (compatibility flag, will be removed in v1.4)")

	flags.String(KeyExecveMapEntries, "", "Set entries for execve_map table (default 32768)")
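Review bot: the usage string for KeyExecveMapEntries hard-codes "(default 32768)" while the flag is registered with an empty default, so pflag will not render the real default and the text goes stale the moment the constant changes; build the usage string from the constant in the defaults package, the way the KeyEventCacheRetryDelay line above takes its default from defaults.DefaultEventCacheRetryDelay, or register that default on the flag and let pflag print it. If the flag is a string so that it can accept a size suffix (the commit list moves SizeWithSuffix into strutils for reuse), the help text should also say which suffixes are accepted.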
Can we take the default from the actual default value here? If we ever change it, the change should be reflected in the help.
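The two review threads above (sizing execve_map from /proc/sys/kernel/threads-max, and a flag value that carries a size suffix) as one worked example in Go. This is added illustration code, not Tetragon's implementation: ParseSizeWithSuffix, ReadInt64File, ChooseExecveMapEntries, EstimatePreallocBytes, the 1<<20 ceiling and the per-element overhead figures are all assumptions made here; only the 32768 default and the threads-max path come from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// DefaultExecveMapEntries is the 32768 default quoted in the PR's help text.
const DefaultExecveMapEntries = 32768

// MaxExecveMapEntries is an assumed ceiling (not from the PR): a preallocated
// map should not follow threads-max into the millions.
const MaxExecveMapEntries = 1 << 20

// ParseSizeWithSuffix parses "32768", "64k" or "1M" (case-insensitive,
// powers of 1024). Assumed helper modelled on the SizeWithSuffix mentioned in
// the commit list; it is not Tetragon's strutils implementation.
func ParseSizeWithSuffix(s string) (int64, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	if s == "" {
		return 0, errors.New("empty size")
	}
	mult := int64(1)
	switch s[len(s)-1] {
	case 'k':
		mult, s = 1<<10, s[:len(s)-1]
	case 'm':
		mult, s = 1<<20, s[:len(s)-1]
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("invalid size %q: %w", s, err)
	}
	if n <= 0 {
		return 0, fmt.Errorf("size must be positive, got %d", n)
	}
	if n > (1<<62)/mult {
		return 0, fmt.Errorf("size %q overflows", s)
	}
	return n * mult, nil
}

// ReadInt64File returns the integer held in a /proc-style file, or def when
// the file is missing or malformed (the readFileDefault pattern in the review).
func ReadInt64File(path string, def int64) int64 {
	data, err := os.ReadFile(path)
	if err != nil {
		return def
	}
	n, err := strconv.ParseInt(strings.TrimSpace(string(data)), 10, 64)
	if err != nil {
		return def
	}
	return n
}

// ChooseExecveMapEntries picks the map size. An explicit flag value wins but
// is rejected above the ceiling; otherwise threads-max is used, clamped to
// [DefaultExecveMapEntries, MaxExecveMapEntries] so a tiny or huge sysctl
// cannot under- or over-size the map.
func ChooseExecveMapEntries(flagValue string, threadsMax int64) (int, error) {
	if strings.TrimSpace(flagValue) != "" {
		n, err := ParseSizeWithSuffix(flagValue)
		if err != nil {
			return 0, err
		}
		if n > MaxExecveMapEntries {
			return 0, fmt.Errorf("execve_map entries %d exceed ceiling %d", n, MaxExecveMapEntries)
		}
		return int(n), nil
	}
	n := threadsMax
	if n < DefaultExecveMapEntries {
		n = DefaultExecveMapEntries
	}
	if n > MaxExecveMapEntries {
		n = MaxExecveMapEntries
	}
	return int(n), nil
}

// EstimatePreallocBytes is a rough figure for a preallocated BPF_MAP_TYPE_HASH:
// an assumed 56-byte per-element header plus key and value rounded to 8 bytes,
// and a next-power-of-two bucket array at 16 bytes per bucket. Kernel-specific
// details vary; use it to compare sizing choices, not for accounting.
func EstimatePreallocBytes(entries, keySize, valueSize int) int64 {
	const elemHeader, bucketSize = 56, 16
	round8 := func(n int) int { return (n + 7) &^ 7 }
	elem := int64(round8(elemHeader + round8(keySize) + valueSize))
	buckets := int64(1)
	for buckets < int64(entries) {
		buckets <<= 1
	}
	return int64(entries)*elem + buckets*bucketSize
}

func main() {
	threadsMax := ReadInt64File("/proc/sys/kernel/threads-max", DefaultExecveMapEntries)
	flagValue := "" // pass e.g. "64k" as the first argument to override
	if len(os.Args) > 1 {
		flagValue = os.Args[1]
	}
	entries, err := ChooseExecveMapEntries(flagValue, threadsMax)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	// 8-byte key and 256-byte value are placeholders, not execve_map's layout.
	fmt.Printf("threads-max=%d entries=%d approx_prealloc=%d MiB\n",
		threadsMax, entries, EstimatePreallocBytes(entries, 8, 256)>>20)
}
```

Run it with no arguments to see what the host's threads-max would give after clamping, or with a suffixed value to see the explicit path; the estimate makes the reviewer's point concrete, since every doubling of entries doubles the committed memory whether or not the slots are ever used.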
Force-pushed from 55349d5 to db51eba
Moving SizeWithSuffix to strutils package, so we can use it from other places. Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Move '!enter' early in the function, which will help the following changes be more readable. There's no functional change. Signed-off-by: Jiri Olsa <[email protected]>
Passing execve_map_value directly to match_binaries to eliminate superfluous event_find_curr in it. Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
so filter tail call can change it Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Force-pushed from db51eba to 44fdaa4
When execve_map is full, create a local process record in the kprobe context and use it to do the filtering and execute actions. On the user-space side such a process is tracked as 'unknown'.