new(bpf-driver): Introduce bpf_probe_read_user and bpf_probe_read_kernel variants

[hbrueckner]

What type of PR is this?

/kind feature
/kind bug

Any specific area of the project related to this PR?

/area driver-bpf

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

tbd

What this PR does / why we need it:

This PR introduces the bpf_probe_read_user and bpf_probe_read_kernel variants to correctly read memory either from kernel or user space. This PR would also be the base to enable the BPF driver for the s390x architecture as well. Please note that for s390x there is yet another issue to be solved (here and in modern-bpf as well): new(bpf, modern-bpf): Add socketcall support

Which issue(s) this PR fixes:

Fixes #497

Special notes for your reviewer:

This PR evolved over the last couple of weeks and months. And I think it's time to open to obtain feedback and thoughts from you. There is some more testing required along the way and I also look forward towards the shared driver test cases being worked on.

There are basically three areas that where the user and kernel bpf probe read variants are introduced:

1. Direct calls are replaced.
2. Helper routines to be adjusted which also affects the ringbuffer routines
3. _READ() macro
   The commits are structured in the way to introduce and then adjust helper occurrences, e.g., by adding information from where to read memory (similar as in modern-bpf-driver).

cc: @Andreagit97, @FedeDP , @Molter73

Does this PR introduce a user-facing change?:

new(bpf-driver): Introduce `bpf_probe_read_user` and `bpf_probe_read_kernel` variants

[FedeDP]

This is tremendous work @hbrueckner ! Thank you very much!
On a quick glance, it seems like you did a great job reducing this work to the bare minimum, i really appreciate that.
Everything seems pretty well reasonated; will need to give it an in-depth review in the upcoming days (or well, first days of the new year :D )

[hbrueckner]

Hi @FedeDP

This is tremendous work @hbrueckner ! Thank you very much! On a quick glance, it seems like you did a great job reducing this work to the bare minimum, i really appreciate that. Everything seems pretty well reasonated; will need to give it an in-depth review in the upcoming days (or well, first days of the new year :D )

Thank you so much! And, sure, take your time to review. Also, I liked to have it out before leaving for holidays.

[Andreagit97]

Wow that's amazing, as @FedeDP correctly said it seems really well resonated and smart, thank you very much for that!
Just 2 quick questions:

• Do many kernels backport these bpf helpers bpf_probe_read_user/kernel? Or we can take advantage of them only in kernels >= 5.5?
• Have you ever tested it on old kernel versions (like 4.14)? I'm a little bit worried about old verifiers. There is no so much additional complexity but never say never :/

[gnosek]

Nice! A few minor comments inline

[gnosek]

We pass param_info->type to __bpf_val_to_ring, so we should be able to call param_type_to_mem in there and keep the signature unchanged, right?

[hbrueckner]

I had a version with unchanged signature. The problem here is that param_type_to_mem makes the decision that for PT_CHARBUF and PT_BYTEBUF user space memory is being copied. Unfortunately, this does not work in all cases.

Here are some places where for char/byte buffers are copied from kernel space (either from kernel structures or already copied into the scratch area):

git grep -n __bpf_val_to_ring driver/bpf/ |grep  'BUF' |grep 'KERNEL'
driver/bpf/fillers.h:709:               return __bpf_val_to_ring(data, 0, size, PT_BYTEBUF, -1, true, KERNEL);
driver/bpf/fillers.h:2378:              res = __bpf_val_to_ring(data, 0, exe_len, PT_CHARBUF, -1, false, KERNEL);
driver/bpf/fillers.h:2386:              res = __bpf_val_to_ring(data, 0, args_len - exe_len, PT_BYTEBUF, -1, false, KERNEL);
driver/bpf/fillers.h:2528:      res = __bpf_val_to_ring(data, (unsigned long)data->tmp_scratch, cgroups_len, PT_BYTEBUF, -1, false, KERNEL);
driver/bpf/fillers.h:2735:              res = __bpf_val_to_ring(data, 0, env_len, PT_BYTEBUF, -1, false, KERNEL);
driver/bpf/fillers.h:6208:              res = __bpf_val_to_ring(data, 0, exe_len, PT_CHARBUF, -1, false, KERNEL);
driver/bpf/fillers.h:6216:              res = __bpf_val_to_ring(data, 0, args_len - exe_len, PT_BYTEBUF, -1, false, KERNEL);
driver/bpf/fillers.h:6357:      res = __bpf_val_to_ring(data, (unsigned long)data->tmp_scratch, cgroups_len, PT_BYTEBUF, -1, false, KERNEL);
driver/bpf/fillers.h:6410:      res = __bpf_val_to_ring(data, 0, env_len, PT_BYTEBUF, -1, false, KERNEL);
driver/bpf/fillers.h:6617:              res = __bpf_val_to_ring(data, 0, exe_len, PT_CHARBUF, -1, false, KERNEL);
driver/bpf/fillers.h:6625:              res = __bpf_val_to_ring(data, 0, args_len - exe_len, PT_BYTEBUF, -1, false, KERNEL);
driver/bpf/fillers.h:6767:      res = __bpf_val_to_ring(data, (unsigned long)data->tmp_scratch, cgroups_len, PT_BYTEBUF, -1, false, KERNEL);

[gnosek]

Hmm, so how about we

#define __bpf_val_to_ring(..., param_type, ...) __bpf_val_to_ring_with_explicit_mem(..., param_type, ..., param_type_to_mem(param_type))

(or do the equivalent static inline) and use __bpf_val_to_ring_with_explicit_mem in the few spots where the default guess is wrong?

[hbrueckner]

Hi @gnosek ,
let me think a bit about to have an explicit mem version for __bpf_val_to_ring.

# git grep -n __bpf_val_to_ring driver/bpf/  |grep 'KERNEL' |wc -l
17
# git grep -n __bpf_val_to_ring driver/bpf/  |grep 'USER' |wc -l
7

This would at least reduce those 7 occurrences where USER has to be specified directly.

[hbrueckner]

Wow that's amazing, as @FedeDP correctly said it seems really well resonated and smart, thank you very much for that!

❤️

Just 2 quick questions:
* Do many kernels backport these bpf helpers bpf_probe_read_user/kernel? Or we can take advantage of them only in kernels >= 5.5?

Let's be smart and start with kernels >= 5.5. For backports/distributions, let's use the feature_gates here to have some control.

* Have you ever tested it on old kernel versions (like `4.14`)? I'm a little bit worried about old verifiers. There is no so much additional complexity but never say never :/

No I have not. Regarding BPF issues, I had more trouble on the socketcall part.

[Andreagit97]

This PR LGTM, to be honest i don't like too much all these bpf_val_to_ring flavors but I also understand that there are not so many ways to do that in a clear way. One thing we can try to do in the next future is use helpers like push_charbuf like in the modern probe or something similar, but right now we don't many choices :/

[Andreagit97]

moreover i've tried it on a 4.14 kernel and it seems to work 🥳

[Andreagit97]

i've seen both PRs this one and the socketcall one and they look good to me! Probably the best way to go here is: to merge the entire driver testing framework (we miss only the last PR IIRC) so we can try to avoid regressions on BPF, then rebase this one that unfortunately now has some conflicts (sorry for that), and then go with the socketcalls for both BPF and modern BPF (WDYT?)

It would be amazing to use the same approach we use in the modern bpf and also here in the old probe, I need to double-check it but as far as I saw it would be quite difficult to do that, mainly because we extract argument also in nested helpers and this complicates the whole story :(

Sorry if we are not so active but the release consumes almost all our time :/

[hbrueckner]

Hi @Andreagit97

i've seen both PRs this one and the socketcall one and they look good to me!

Thanks! ❤️

Probably the best way to go here is: to merge the entire driver testing framework (we miss only the last PR IIRC) so we can try to avoid regressions on BPF, then rebase this one that unfortunately now has some conflicts (sorry for that), and then go with the socketcalls for both BPF and modern BPF (WDYT?)

Make sense to me. The 4 parts of #783 are merged, so if there is no further driver testing framework changes, I would go with rebasing. I think there were few more probe reads to be converted during the rebase. Once the rebase is done, I will go thru above review comments.

It would be amazing to use the same approach we use in the modern bpf and also here in the old probe, I need to double-check it but as far as I saw it would be quite difficult to do that, mainly because we extract argument also in nested helpers and this complicates the whole story :(

It would be indeed nice and, actually, there are conceptually not too far away. Instead of having the arguments on stack variable like in modern bpf , they are in the bpf map ;-) And, yes, there couple of nested helpers to consider in the bpf driver.
Further, the current implementation is based on having BPF_SUPPORTS_RAW_TRACEPOINTS to get the arguments directly from the ctx. Without BPF_SUPPORTS_RAW_TRACEPOINTS, the argument bpf map is required additionally to obtain arguments, especially, in the exit fillers (where there are no arguments in the tracepoint format). Accessing then socketcall arguments would always need to go through argument bpf map first. Let me know if it makes sense to also cover the non-BPF_SUPPORTS_RAW_TRACEPOINTS; it should be easy to extract from the argument bpf map first and, then, fill the socketcall argument map.

[Andreagit97]

Make sense to me. The 4 parts of #783 are merged, so if there is no further driver testing framework changes, I would go with rebasing. I think there were few more probe reads to be converted during the rebase. Once the rebase is done, I will go thru above review comments.

We have also part 5 but this should be the last one 🤣 we are a little bit blocked by the release, but I will try to do that ASAP

It would be indeed nice and, actually, there are conceptually not too far away. Instead of having the arguments on stack variable like in modern bpf , they are in the bpf map ;-)

That's true I think we cannot do that without an auxiliary BPF map for the socketcall args :/

And, yes, there couple of nested helpers to consider in the bpf driver. Further, the current implementation is based on having BPF_SUPPORTS_RAW_TRACEPOINTS to get the arguments directly from the ctx. Without BPF_SUPPORTS_RAW_TRACEPOINTS, the argument bpf map is required additionally to obtain arguments, especially, in the exit fillers (where there are no arguments in the tracepoint format). Accessing then socketcall arguments would always need to go through argument bpf map first. Let me know if it makes sense to also cover the non-BPF_SUPPORTS_RAW_TRACEPOINTS; it should be easy to extract from the argument bpf map first and, then, fill the socketcall argument map.

This is a good question, on one side I would have our drivers consistent between kernel versions on the other side our BPF code is already a mess and I wouldn't add a feature if we don't really need that... if we don't implement it we will lose support for soscketcall in kernels 4.14 <= x < 4.17. WDYT @FedeDP @gnosek ?

[hbrueckner]

Let me know if it makes sense to also cover the non-BPF_SUPPORTS_RAW_TRACEPOINTS; it should be easy to extract from the argument bpf map first and, then, fill the socketcall argument map.

This is a good question, on one side I would have our drivers consistent between kernel versions on the other side our BPF code is already a mess and I wouldn't add a feature if we don't really need that... if we don't implement it we will lose support for soscketcall in kernels 4.14 <= x < 4.17. WDYT @FedeDP @gnosek ?

To enable it, it is just about this additional helper to be called in handle_socketcall (and using stack_ctx instead of ctx) to extract socketcall ID and socketcall arguments:

/* For socketcalls, arguments needs to be accessed early, i.e., before
 * and filler are initialized.  Therefore, the bpf_syscall_get_argument*
 * functions cannot be used.
 */
static __always_inline unsigned long socketcall_get_argument(void *ctx, int idx)
{
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
	return bpf_syscall_get_argument_from_ctx(ctx, idx);
#else
	unsigned long arg = 0;
	unsigned long *args = unstash_args();
	if (args)
		arg = bpf_syscall_get_argument_from_args(args, idx);
	return arg;
#endif
}

[Andreagit97]

Let me know if it makes sense to also cover the non-BPF_SUPPORTS_RAW_TRACEPOINTS; it should be easy to extract from the argument bpf map first and, then, fill the socketcall argument map.

This is a good question, on one side I would have our drivers consistent between kernel versions on the other side our BPF code is already a mess and I wouldn't add a feature if we don't really need that... if we don't implement it we will lose support for soscketcall in kernels 4.14 <= x < 4.17. WDYT @FedeDP @gnosek ?

To enable it, it is just about this additional helper to be called in handle_socketcall (and using stack_ctx instead of ctx) to extract socketcall ID and socketcall arguments:

/* For socketcalls, arguments needs to be accessed early, i.e., before
 * and filler are initialized.  Therefore, the bpf_syscall_get_argument*
 * functions cannot be used.
 */
static __always_inline unsigned long socketcall_get_argument(void *ctx, int idx)
{
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
	return bpf_syscall_get_argument_from_ctx(ctx, idx);
#else
	unsigned long arg = 0;
	unsigned long *args = unstash_args();
	if (args)
		arg = bpf_syscall_get_argument_from_args(args, idx);
	return arg;
#endif
}

Ok, so I would say yes, we can support also the bpf without BPF_SUPPORTS_RAW_TRACEPOINTS

[hbrueckner]

Rebased the series to latest master and added few more commits regarding driver tests. I happy to say that the driver tests pass on s390x:

[----------] Global test environment tear-down
[==========] 249 tests from 4 test suites ran. (23011 ms total)
[  PASSED  ] 242 tests.
[  SKIPPED ] 7 tests, listed below:
[  SKIPPED ] SyscallExit.open_by_handle_atX_success_mp
[  SKIPPED ] SyscallExit.recvmsgX_no_snaplen
[  SKIPPED ] SyscallExit.recvmsgX_snaplen
[  SKIPPED ] SyscallEnter.connectE_INET
[  SKIPPED ] SyscallEnter.connectE_INET6
[  SKIPPED ] SyscallEnter.connectE_UNIX
[  SKIPPED ] SyscallEnter.connectE_UNIX_max_path

(Note that I need to add socketcall though and to make network tests happy, I had to do socket calibration in libscap directly but should then work once socketcall is ready.)

Next steps for me is to go through the review feedback above and continue with socketcall integration.

[hbrueckner]

self-comment: We need to add the same check for kmod driver as well.

[FedeDP]

Are you willing to open another PR about this, before we forget? 🤣
Thank you!

[hbrueckner]

Looking at the kmod, the respective driver test passes w/o change 🤔 However, I will try to make the change for consistency.

[hbrueckner]

Done w/ 28650fd

[Andreagit97]

we should be ready!
/approve

[poiana]

LGTM label has been added.

Git tree hash: 0c49e0e9ce61a05b8e9086f6ccdf050d4cac63a6

[FedeDP]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, hbrueckner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• driver/OWNERS [Andreagit97,FedeDP,hbrueckner]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment