decouple tracing sensor #2706
Comments
kkourt
added a commit
that referenced
this issue
Jul 22, 2024
For historic reasons, the tracing sensor has three different aspects: kprobes, tracepoints, and (recently) lsm hooks. Also for historic reasons, we did not allow tracepoints and kprobes in the same policy. With the addition of the LSM sensor (8eb13e8), if a policy includes an lsm section together with either a kprobe section or a tracepoint section, the lsm section will be ignored. This patch rejects policies that have more than one section of kprobes, tracepoints, and lsm hooks in the policy. A better solution would be to decouple the tracing sensor, and create one sensor for kprobes, one for tracepoints, and one for lsm sensors. See: #2706 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
kkourt
added a commit
that referenced
this issue
Jul 22, 2024
For historic reasons, the tracing sensor has three different aspects: kprobes, tracepoints, and (recently) lsm hooks. Also for historic reasons, we did not allow tracepoints and kprobes in the same policy. With the addition of the LSM sensor (8eb13e8), if a policy includes an lsm section together with either a kprobe section or a tracepoint section, the lsm section will be ignored. This patch rejects policies that have more than one section of kprobes, tracepoints, and lsm hooks in the policy. A better solution would be to decouple the tracing sensor, and create one sensor for kprobes, one for tracepoints, and one for lsm sensors. See: #2706 Fixes: 8eb13e8 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
kkourt
added a commit
that referenced
this issue
Jul 22, 2024
For historic reasons, the tracing sensor has three different aspects: kprobes, tracepoints, and (recently) lsm hooks. Also for historic reasons, we did not allow tracepoints and kprobes in the same policy. With the addition of the LSM sensor (8eb13e8), if a policy includes an lsm section together with either a kprobe section or a tracepoint section, the lsm section will be ignored. This patch rejects policies that have more than one section of kprobes, tracepoints, and lsm hooks in the policy. A better solution would be to decouple the tracing sensor, and create one sensor for kprobes, one for tracepoints, and one for lsm sensors. See: #2706 Fixes: 8eb13e8 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For historic reasons, kprobes, tracepoints, and now lsm hooks live under the (generic) tracing sensor
pkg/sensors/tracing.Also for historic reasons, policies that combine any two of the above are not supported.
Splitting the code into:
Might be worthwhile, and it will also allow us to easily support policies that combine them. For that last part, we would need to review whether there are shared objects (e.g., bpf maps) between the different sensors and handle them appropriately. See also: #408
The text was updated successfully, but these errors were encountered: