tetragon: Allow to specify max size of stored arguments for process

Currently we try to read all the process arguments when it's executed. Command line sizes like 130K result in multiple data events being sent to user space ending up possibly lost in perf ring buffer. Adding support to store only configurable portion of the process arguments with --exec-max-args option. By default we try to store everything. Signed-off-by: Jiri Olsa <[email protected]>
cilium · Oct 27, 2023 · fe5cd30 · fe5cd30
1 parent af6f1d7
commit fe5cd30
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 3 deletions.
diff --git a/bpf/lib/environ_conf.h b/bpf/lib/environ_conf.h
@@ -25,7 +25,8 @@ struct tetragon_conf {
 	__u32 tg_cgrp_level; /* Tetragon cgroup level */
 	__u64 tg_cgrpid; /* Tetragon current cgroup ID to avoid filtering blocking itself */
 	__u64 cgrp_fs_magic; /* Cgroupv1 or Cgroupv2 */
-}; // All fields aligned so no 'packed' attribute.
+	__u32 exec_max_args; /* Max size of stored arguments for exec events. */
+} __attribute__((packed));
 
 struct {
 	__uint(type, BPF_MAP_TYPE_HASH);

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
@@ -28,7 +28,7 @@ struct {
 } data_heap SEC(".maps");
 
 static inline __attribute__((always_inline)) __u32
-read_args(void *ctx, struct msg_execve_event *event)
+read_args(void *ctx, struct msg_execve_event *event, __u32 max)
 {
 	struct task_struct *task = (struct task_struct *)get_current_task();
 	struct msg_process *p = &event->process;
@@ -75,6 +75,8 @@ read_args(void *ctx, struct msg_execve_event *event)
 	 */
 	free_size = (char *)&event->process + BUFFER - args;
 	args_size = end_stack - start_stack;
+	if (max && args_size > max)
+		args_size = max;
 
 	if (args_size < BUFFER && args_size < free_size) {
 		size = args_size & 0x3ff /* BUFFER - 1 */;
@@ -173,6 +175,7 @@ event_execve(struct sched_execve_args *ctx)
 	char *filename = (char *)ctx + (ctx->filename & 0xFFFF);
 	struct msg_execve_event *event;
 	struct execve_map_value *parent;
+	struct tetragon_conf *config;
 	struct msg_process *p;
 	__u32 zero = 0;
 	__u64 pid;
@@ -181,6 +184,10 @@ event_execve(struct sched_execve_args *ctx)
 	if (!event)
 		return 0;
 
+	config = map_lookup_elem(&tg_conf_map, &zero);
+	if (!config)
+		return 0;
+
 	pid = get_current_pid_tgid();
 	parent = event_find_parent();
 	if (parent) {
@@ -207,7 +214,7 @@ event_execve(struct sched_execve_args *ctx)
 	p->uid = get_current_uid_gid();
 
 	p->size += read_path(ctx, event, filename);
-	p->size += read_args(ctx, event);
+	p->size += read_args(ctx, event, config->exec_max_args);
 	p->size += read_cwd(ctx, p);
 
 	event->common.op = MSG_OP_EXECVE;

diff --git a/docs/content/en/docs/reference/daemon-flags.md b/docs/content/en/docs/reference/daemon-flags.md
@@ -22,6 +22,7 @@ Flags:
       --enable-process-cred                       Enable process_cred events
       --enable-process-ns                         Enable namespace information in process_exec and process_kprobe events
       --event-queue-size uint                     Set the size of the internal event queue. (default 10000)
+      --exec-max-args string                      (Max size of stored arguments for exec events (default 0 - store all, allows K/M/G suffix) (default "0")
       --export-aggregation-buffer-size uint       Aggregator channel buffer size (default 10000)
       --export-aggregation-window-size duration   JSON export aggregation time window (default 15s)
       --export-allowlist string                   JSON export allowlist

diff --git a/pkg/api/confapi/confapi.go b/pkg/api/confapi/confapi.go
@@ -11,4 +11,5 @@ type TetragonConf struct {
 	TgCgrpLevel     uint32 `align:"tg_cgrp_level"`      // Tetragon cgroup level
 	TgCgrpId        uint64 `align:"tg_cgrpid"`          // Tetragon cgroup ID
 	CgrpFsMagic     uint64 `align:"cgrp_fs_magic"`      // Cgroupv1 or cgroupv2
+	ExecMaxArgs     uint32 `align:"exec_max_args"`      // Max size of stored arguments for exec events
 }
diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -44,6 +44,8 @@ type config struct {
 	RBSizeTotal int
 	RBQueueSize int
 
+	ExecMaxArgs int
+
 	ProcessCacheSize int
 	DataCacheSize    int
 

diff --git a/pkg/option/flags.go b/pkg/option/flags.go
@@ -89,6 +89,8 @@ const (
 	KeyEnablePodInfo = "enable-pod-info"
 
 	KeyExposeKernelAddresses = "expose-kernel-addresses"
+
+	KeyExecMaxArgs = "exec-max-args"
 )
 
 func ReadAndSetFlags() error {
@@ -119,6 +121,9 @@ func ReadAndSetFlags() error {
 	if Config.RBQueueSize, err = strutils.ParseSize(viper.GetString(KeyRBQueueSize)); err != nil {
 		return fmt.Errorf("failed to parse rb-queue-size value: %s", err)
 	}
+	if Config.ExecMaxArgs, err = strutils.ParseSize(viper.GetString(KeyExecMaxArgs)); err != nil {
+		return fmt.Errorf("failed to parse rb-size value: %s", err)
+	}
 
 	Config.GopsAddr = viper.GetString(KeyGopsAddr)
 
@@ -270,4 +275,6 @@ func AddFlags(flags *pflag.FlagSet) {
 	flags.Bool(KeyEnablePodInfo, false, "Enable PodInfo custom resource")
 
 	flags.Bool(KeyExposeKernelAddresses, false, "Expose real kernel addresses in events stack traces")
+
+	flags.String(KeyExecMaxArgs, "0", "(Max size of stored arguments for exec events (default 0 - store all, allows K/M/G suffix)")
 }
diff --git a/pkg/sensors/config/confmap/confmap.go b/pkg/sensors/config/confmap/confmap.go
@@ -14,6 +14,7 @@ import (
 	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
+	"github.com/cilium/tetragon/pkg/strutils"
 	"github.com/sirupsen/logrus"
 )
 
@@ -34,6 +35,7 @@ type TetragonConfValue struct {
 	TgCgrpLevel     uint32 `align:"tg_cgrp_level"`      // Tetragon cgroup level
 	TgCgrpId        uint64 `align:"tg_cgrpid"`          // Tetragon cgroup ID
 	CgrpFsMagic     uint64 `align:"cgrp_fs_magic"`      // Cgroupv1 or cgroupv2
+	ExecMaxArgs     uint32 `align:"exec_max_args"`      // Max size of stored arguments for exec events
 }
 
 var (
@@ -101,6 +103,7 @@ func UpdateTgRuntimeConf(mapDir string, nspid int) error {
 		TgCgrpSubsysIdx: cgroups.GetCgrpSubsystemIdx(),
 		NSPID:           uint32(nspid),
 		CgrpFsMagic:     cgroupFsMagic,
+		ExecMaxArgs:     uint32(option.Config.ExecMaxArgs),
 	}
 
 	if err := UpdateConfMap(mapDir, v); err != nil {
@@ -117,6 +120,7 @@ func UpdateTgRuntimeConf(mapDir string, nspid int) error {
 		"cgroup.controller.hierarchyID": v.TgCgrpHierarchy,
 		"cgroup.controller.index":       v.TgCgrpSubsysIdx,
 		"NSPID":                         nspid,
+		"ExecMaxArgs":                   strutils.SizeWithSuffix(option.Config.ExecMaxArgs),
 	}).Info("Updated TetragonConf map successfully")
 
 	return nil