Conversation

@haesbaert
Collaborator

@haesbaert haesbaert commented Oct 28, 2025

commit bdffe76 (HEAD -> rem-events, origin/rem-events)
Author: Christiano Haesbaert haesbaert@elastic.co
Date: Wed Oct 29 15:28:42 2025 +0100

Mount /dev/shm and fix "source" for all mounts.

These virtual mounts can have any arbitrary string as the first parameter; it's
what shows up in /proc/mounts as the first word.

Our cgroup2 code is incorrectly looking at the first word of each line, instead
of the third, see https://github.com/elastic/quark/issues/257

RHEL 9.3 doesn't work for shmget.

Since t_memfd and t_shm_open depend on QQ_FILE, also disable them where we know
our file probes fail.

commit cefe5ff
Author: Christiano Haesbaert haesbaert@elastic.co
Date: Tue Oct 28 20:19:58 2025 +0100

Add QQ_SHM

This enables all the shared memory related events outside of bypass under
QQ_SHM.

They were condensed into quark_shm{} since it fits quark better, to have one
event type by "subject".

Bugs
~~~~
MEMFD_OPEN's path is broken in the probe, so disable it.
SHMEM_OPEN is a bit buggy, a shmem_open(O_CREAT...) generates a file event
instead of a SHMEM_OPEN event, but an open on an existing one works.

https://github.com/elastic/quark/issues/255
https://github.com/elastic/quark/issues/256

commit c1e2f26
Author: Christiano Haesbaert haesbaert@elastic.co
Date: Tue Oct 28 11:57:21 2025 +0100

Add QQ_MODULE_LOAD

Pretty straightforward, don't bother saving allocations for strings like we do
for QQ_FILE; this is an uber low volume event, so just allocate and save some
code.

commit c7827c6
Author: Christiano Haesbaert haesbaert@elastic.co
Date: Tue Oct 28 09:18:54 2025 +0100

Add QQ_PTRACE

Before, we could only use the ptrace probes in bypass mode, and for that we were
abusing QQ_MEMFD; start peeling the stuff out of QQ_MEMFD so we can have it all
outside bypass.

PTRACE is pretty straightforward, we just bubble up what we get from the probes.

ptrace
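The first commit's point about /proc/mounts is easy to get wrong: the first field of a virtual mount is whatever string was passed as the mount source, so matching on it to locate the cgroup2 hierarchy can pick up an unrelated mount. The following is an added illustration and not quark's own code; the sample mount lines are constructed, and the function names (`split_mount_line`, `find_cgroup2_mount`) are hypothetical. It parses the same lines twice, once matching the first field (the bug described in issue #257) and once matching the third field (the filesystem type), and shows that only the latter finds the real cgroup2 mount point.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample of /proc/mounts content (not captured from a real host).
 * Each line: <source> <mountpoint> <fstype> <options> <dump> <pass>
 * The source of a virtual filesystem mount is an arbitrary string chosen at
 * mount time; only the third field identifies the filesystem type. The first
 * line deliberately uses "cgroup2" as the source of a tmpfs mount.
 */
static const char *sample_mounts[] = {
	"cgroup2 /tmp/not-a-cgroup tmpfs rw,nosuid,nodev 0 0",
	"none /dev/shm tmpfs rw,nosuid,nodev 0 0",
	"cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0",
	NULL,
};

/*
 * Split one /proc/mounts line into its whitespace-separated fields.
 * `buf` must be a writable copy of the line. Returns the number of fields.
 * /proc/mounts encodes space, tab, newline and backslash inside a field as
 * octal escapes (\040 and friends), so splitting on whitespace is safe.
 */
static int split_mount_line(char *buf, char *fields[], int max_fields)
{
	int n = 0;
	char *save = NULL;
	char *tok = strtok_r(buf, " \t\n", &save);

	while (tok != NULL && n < max_fields) {
		fields[n++] = tok;
		tok = strtok_r(NULL, " \t\n", &save);
	}
	return n;
}

/*
 * Return the mountpoint of the first line whose 0-based field `field` equals
 * "cgroup2". field == 0 reproduces the bug (matching the arbitrary source
 * string); field == 2 is the correct check (matching the fstype).
 * Copies the mountpoint into `out` and returns 1, or returns 0 if none found.
 */
static int find_cgroup2_mount(const char *lines[], int field, char *out,
    size_t outlen)
{
	char buf[512];
	char *fields[6];

	for (int i = 0; lines[i] != NULL; i++) {
		strncpy(buf, lines[i], sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = '\0';
		int n = split_mount_line(buf, fields, 6);
		if (n < 3 || field >= n)
			continue;	/* malformed line, skip it */
		if (strcmp(fields[field], "cgroup2") == 0) {
			strncpy(out, fields[1], outlen - 1);
			out[outlen - 1] = '\0';
			return 1;
		}
	}
	return 0;
}

int main(void)
{
	char buggy[256], fixed[256];

	if (find_cgroup2_mount(sample_mounts, 0, buggy, sizeof(buggy)))
		printf("matching source (field 1): %s\n", buggy);
	if (find_cgroup2_mount(sample_mounts, 2, fixed, sizeof(fixed)))
		printf("matching fstype (field 3): %s\n", fixed);
	return 0;
}
```

On the constructed input the source-field match returns `/tmp/not-a-cgroup` while the fstype match returns `/sys/fs/cgroup`; on a real host the same mismatch appears whenever any tmpfs, overlay or bind mount happens to be given a source name that collides with the type being searched for.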

@haesbaert haesbaert requested a review from a team as a code owner October 28, 2025 09:01
@haesbaert haesbaert changed the title Add QQ_PTRACE Add remaining events from bypass Oct 28, 2025
Contributor

@nicholasberlin nicholasberlin left a comment


That was fast. Thanks!

@haesbaert haesbaert force-pushed the rem-events branch 3 times, most recently from a7d4ffe to 5977d0b Compare October 28, 2025 19:20
@haesbaert
Collaborator Author

I think this is ready for some bashing, I didn't obsess much so there's likely still something wrong.
Tomorrow I'll properly test it, have to write some test programs to trigger the events and whatnot.

@haesbaert haesbaert force-pushed the rem-events branch 2 times, most recently from b269b15 to 6864f7e Compare October 29, 2025 11:56
@haesbaert haesbaert force-pushed the rem-events branch 3 times, most recently from 7785709 to bdffe76 Compare October 30, 2025 08:28
Contributor

@nicholasberlin nicholasberlin left a comment


LGTM

@haesbaert haesbaert merged commit aa2895c into main Oct 30, 2025
2 checks passed